Merge pull request #1659 from briansmith/b/merge-boringssl-16

Merge BoringSSL through d605df5

Author: briansmith

crypto/constant_time_test.c

@@ -47,9 +47,9 @@
 
 int bssl_constant_time_test_main(void);
 
-static int test_binary_op_w(crypto_word (*op)(crypto_word a, crypto_word b),
-                            crypto_word a, crypto_word b, int is_true) {
-  crypto_word c = op(a, b);
+static int test_binary_op_w(crypto_word_t (*op)(crypto_word_t a, crypto_word_t b),
+                            crypto_word_t a, crypto_word_t b, int is_true) {
+  crypto_word_t c = op(a, b);
   if (is_true && c != CONSTTIME_TRUE_W) {
     return 1;
   } else if (!is_true && c != CONSTTIME_FALSE_W) {
@@ -58,8 +58,8 @@ static int test_binary_op_w(crypto_word (*op)(crypto_word a, crypto_word b),
   return 0;
 }
 
-static int test_is_zero_w(crypto_word a) {
-  crypto_word c = constant_time_is_zero_w(a);
+static int test_is_zero_w(crypto_word_t a) {
+  crypto_word_t c = constant_time_is_zero_w(a);
   if (a == 0 && c != CONSTTIME_TRUE_W) {
     return 1;
   } else if (a != 0 && c != CONSTTIME_FALSE_W) {
@@ -76,8 +76,8 @@ static int test_is_zero_w(crypto_word a) {
   return 0;
 }
 
-static int test_select_w(crypto_word a, crypto_word b) {
-  crypto_word selected = constant_time_select_w(CONSTTIME_TRUE_W, a, b);
+static int test_select_w(crypto_word_t a, crypto_word_t b) {
+  crypto_word_t selected = constant_time_select_w(CONSTTIME_TRUE_W, a, b);
   if (selected != a) {
     return 1;
   }
@@ -88,7 +88,7 @@ static int test_select_w(crypto_word a, crypto_word b) {
   return 0;
 }
 
-static crypto_word test_values_s[] = {
+static crypto_word_t test_values_s[] = {
   0,
   1,
   1024,
@@ -113,11 +113,11 @@ int bssl_constant_time_test_main(void) {
 
   for (size_t i = 0;
        i < sizeof(test_values_s) / sizeof(test_values_s[0]); ++i) {
-    crypto_word a = test_values_s[i];
+    crypto_word_t a = test_values_s[i];
     num_failed += test_is_zero_w(a);
     for (size_t j = 0;
          j < sizeof(test_values_s) / sizeof(test_values_s[0]); ++j) {
-      crypto_word b = test_values_s[j];
+      crypto_word_t b = test_values_s[j];
       num_failed += test_binary_op_w(&constant_time_eq_w, a, b, a == b);
       num_failed += test_binary_op_w(&constant_time_eq_w, b, a, b == a);
       num_failed += test_select_w(a, b);

crypto/curve25519/curve25519.c

@@ -180,21 +180,29 @@ static void fe_0(fe *h) {
   OPENSSL_memset(h, 0, sizeof(fe));
 }
 
+#if defined(OPENSSL_SMALL)
+
 static void fe_loose_0(fe_loose *h) {
   OPENSSL_memset(h, 0, sizeof(fe_loose));
 }
 
+#endif
+
 // h = 1
 static void fe_1(fe *h) {
   OPENSSL_memset(h, 0, sizeof(fe));
   h->v[0] = 1;
 }
 
+#if defined(OPENSSL_SMALL)
+
 static void fe_loose_1(fe_loose *h) {
   OPENSSL_memset(h, 0, sizeof(fe_loose));
   h->v[0] = 1;
 }
 
+#endif
+
 // h = f + g
 // Can overlap h with f or g.
 static void fe_add(fe_loose *h, const fe *f, const fe *g) {
@@ -319,11 +327,6 @@ static void fe_copy(fe *h, const fe *f) {
 static void fe_copy_lt(fe_loose *h, const fe *f) {
   fe_limbs_copy(h->v, f->v);
 }
-#if !defined(OPENSSL_SMALL)
-static void fe_copy_ll(fe_loose *h, const fe_loose *f) {
-  fe_limbs_copy(h->v, f->v);
-}
-#endif // !defined(OPENSSL_SMALL)
 
 static void fe_loose_invert(fe *out, const fe_loose *z) {
   fe t0;
@@ -532,12 +535,16 @@ static void ge_p3_0(ge_p3 *h) {
   fe_0(&h->T);
 }
 
+#if defined(OPENSSL_SMALL)
+
 static void ge_precomp_0(ge_precomp *h) {
   fe_loose_1(&h->yplusx);
   fe_loose_1(&h->yminusx);
   fe_loose_0(&h->xy2d);
 }
 
+#endif
+
 // r = p
 static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) {
   fe_copy(&r->X, &p->X);
@@ -664,16 +671,6 @@ static void x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
   fe_add(&r->T, &trZ, &trT);
 }
 
-static uint8_t equal(signed char b, signed char c) {
-  uint8_t ub = b;
-  uint8_t uc = c;
-  uint8_t x = ub ^ uc;  // 0: yes; 1..255: no
-  uint32_t y = x;       // 0: yes; 1..255: no
-  y -= 1;               // 4294967295: yes; 0..254: no
-  y >>= 31;             // 1: yes; 0: no
-  return y;
-}
-
 static void cmov(ge_precomp *t, const ge_precomp *u, uint8_t b) {
   fe_cmov(&t->yplusx, &u->yplusx, b);
   fe_cmov(&t->yminusx, &u->yminusx, b);
@@ -722,7 +719,7 @@ static void x25519_ge_scalarmult_small_precomp(
     ge_precomp_0(&e);
 
     for (j = 1; j < 16; j++) {
-      cmov(&e, &multiples[j-1], equal(index, j));
+      cmov(&e, &multiples[j-1], 1&constant_time_eq_w(index, j));
     }
 
     ge_cached cached;
@@ -742,35 +739,36 @@ void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) {
 
 #else
 
-static uint8_t negative(signed char b) {
-  uint32_t x = b;
-  x >>= 31;  // 1: yes; 0: no
-  return x;
-}
+static void table_select(ge_precomp *t, const int pos, const signed char b) {
+  uint8_t bnegative = constant_time_msb_w(b);
+  uint8_t babs = b - ((bnegative & b) << 1);
 
-static void table_select(ge_precomp *t, int pos, signed char b) {
-  ge_precomp minust;
-  uint8_t bnegative = negative(b);
-  uint8_t babs = b - ((uint8_t)((-bnegative) & b) << 1);
+  uint8_t t_bytes[3][32] = {
+      {constant_time_is_zero_w(b) & 1}, {constant_time_is_zero_w(b) & 1}, {0}};
+#if defined(__clang__) // materialize for vectorization, 6% speedup
+  __asm__("" : "+m" (t_bytes) : /*no inputs*/);
+#endif
+  OPENSSL_STATIC_ASSERT(sizeof(t_bytes) == sizeof(k25519Precomp[pos][0]), "");
+  for (int i = 0; i < 8; i++) {
+    constant_time_conditional_memxor(t_bytes, k25519Precomp[pos][i],
+                                     sizeof(t_bytes),
+                                     constant_time_eq_w(babs, 1 + i));
+  }
 
-  ge_precomp_0(t);
-  cmov(t, &k25519Precomp[pos][0], equal(babs, 1));
-  cmov(t, &k25519Precomp[pos][1], equal(babs, 2));
-  cmov(t, &k25519Precomp[pos][2], equal(babs, 3));
-  cmov(t, &k25519Precomp[pos][3], equal(babs, 4));
-  cmov(t, &k25519Precomp[pos][4], equal(babs, 5));
-  cmov(t, &k25519Precomp[pos][5], equal(babs, 6));
-  cmov(t, &k25519Precomp[pos][6], equal(babs, 7));
-  cmov(t, &k25519Precomp[pos][7], equal(babs, 8));
-  fe_copy_ll(&minust.yplusx, &t->yminusx);
-  fe_copy_ll(&minust.yminusx, &t->yplusx);
+  fe yplusx, yminusx, xy2d;
+  fe_frombytes_strict(&yplusx, t_bytes[0]);
+  fe_frombytes_strict(&yminusx, t_bytes[1]);
+  fe_frombytes_strict(&xy2d, t_bytes[2]);
 
-  // NOTE: the input table is canonical, but types don't encode it
-  fe tmp;
-  fe_carry(&tmp, &t->xy2d);
-  fe_neg(&minust.xy2d, &tmp);
+  fe_copy_lt(&t->yplusx, &yplusx);
+  fe_copy_lt(&t->yminusx, &yminusx);
+  fe_copy_lt(&t->xy2d, &xy2d);
 
-  cmov(t, &minust, bnegative);
+  ge_precomp minust;
+  fe_copy_lt(&minust.yplusx, &yminusx);
+  fe_copy_lt(&minust.yminusx, &yplusx);
+  fe_neg(&minust.xy2d, &xy2d);
+  cmov(t, &minust, bnegative>>7);
 }
 
 // h = a * B
@@ -1870,6 +1868,7 @@ void x25519_public_from_private_generic_masked(uint8_t out_public_value[32],
   fe_loose_invert(&zminusy_inv, &zminusy);
   fe_mul_tlt(&zminusy_inv, &zplusy, &zminusy_inv);
   fe_tobytes(out_public_value, &zminusy_inv);
+  CONSTTIME_DECLASSIFY(out_public_value, 32);
 }
 
 void x25519_fe_invert(fe *out, const fe *z) {