grpc 1.12.0 → 1.13.0.pre1

data/third_party/boringssl/crypto/fipsmodule/ec/{util-64.c → util.c}

@@ -14,9 +14,6 @@
 
 #include <openssl/base.h>
 
-
-#if defined(OPENSSL_64_BIT) && !defined(OPENSSL_WINDOWS)
-
 #include <openssl/ec.h>
 
 #include "internal.h"
@@ -105,5 +102,3 @@ void ec_GFp_nistp_recode_scalar_bits(uint8_t *sign, uint8_t *digit,
   *sign = s & 1;
   *digit = d;
 }
-
-#endif  // 64_BIT && !WINDOWS

data/third_party/boringssl/crypto/fipsmodule/ec/wnaf.c

@@ -73,8 +73,10 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/thread.h>
+#include <openssl/type_check.h>
 
 #include "internal.h"
+#include "../bn/internal.h"
 #include "../../internal.h"
 
 
@@ -83,58 +85,21 @@
 //   http://link.springer.com/chapter/10.1007%2F3-540-45537-X_13
 //   http://www.bmoeller.de/pdf/TI-01-08.multiexp.pdf
 
-// Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
-// This is an array  r[]  of values that are either zero or odd with an
-// absolute value less than  2^w  satisfying
-//     scalar = \sum_j r[j]*2^j
-// where at most one of any  w+1  consecutive digits is non-zero
-// with the exception that the most significant digit may be only
-// w-1 zeros away from that next non-zero digit.
-static int8_t *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len) {
-  int window_val;
-  int ok = 0;
-  int8_t *r = NULL;
-  int sign = 1;
-  int bit, next_bit, mask;
-  size_t len = 0, j;
-
-  if (BN_is_zero(scalar)) {
-    r = OPENSSL_malloc(1);
-    if (!r) {
-      OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);
-      goto err;
-    }
-    r[0] = 0;
-    *ret_len = 1;
-    return r;
-  }
-
+int ec_compute_wNAF(const EC_GROUP *group, int8_t *out, const EC_SCALAR *scalar,
+                    size_t bits, int w) {
   // 'int8_t' can represent integers with absolute values less than 2^7.
-  if (w <= 0 || w > 7) {
+  if (w <= 0 || w > 7 || bits == 0) {
     OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-    goto err;
-  }
-  bit = 1 << w;         // at most 128
-  next_bit = bit << 1;  // at most 256
-  mask = next_bit - 1;  // at most 255
-
-  if (BN_is_negative(scalar)) {
-    sign = -1;
+    return 0;
   }
-
-  len = BN_num_bits(scalar);
-  // The modified wNAF may be one digit longer than binary representation
-  // (*ret_len will be set to the actual length, i.e. at most
-  // BN_num_bits(scalar) + 1).
-  r = OPENSSL_malloc(len + 1);
-  if (r == NULL) {
-    OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);
-    goto err;
-  }
-  window_val = scalar->d[0] & mask;
-  j = 0;
-  // If j+w+1 >= len, window_val will not increase.
-  while (window_val != 0 || j + w + 1 < len) {
+  int bit = 1 << w;         // at most 128
+  int next_bit = bit << 1;  // at most 256
+  int mask = next_bit - 1;  // at most 255
+
+  int window_val = scalar->words[0] & mask;
+  size_t j = 0;
+  // If j+w+1 >= bits, window_val will not increase.
+  while (window_val != 0 || j + w + 1 < bits) {
     int digit = 0;
 
     // 0 <= window_val <= 2^(w+1)
@@ -146,7 +111,7 @@ static int8_t *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len) {
         digit = window_val - next_bit;  // -2^w < digit < 0
 
 #if 1  // modified wNAF
-        if (j + w + 1 >= len) {
+        if (j + w + 1 >= bits) {
           // special case for generating modified wNAFs:
           // no new bits will be added into window_val,
           // so using a positive digit here will decrease
@@ -161,7 +126,7 @@ static int8_t *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len) {
 
       if (digit <= -bit || digit >= bit || !(digit & 1)) {
         OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-        goto err;
+        return 0;
       }
 
       window_val -= digit;
@@ -170,52 +135,38 @@ static int8_t *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len) {
       // for modified window NAFs, it may also be 2^w.
       if (window_val != 0 && window_val != next_bit && window_val != bit) {
         OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-        goto err;
+        return 0;
       }
     }
 
-    r[j++] = sign * digit;
+    out[j++] = digit;
 
     window_val >>= 1;
-    window_val += bit * BN_is_bit_set(scalar, j + w);
+    window_val +=
+        bit * bn_is_bit_set_words(scalar->words, group->order.width, j + w);
 
     if (window_val > next_bit) {
       OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-      goto err;
+      return 0;
     }
   }
 
-  if (j > len + 1) {
+  // Fill the rest of the wNAF with zeros.
+  if (j > bits + 1) {
     OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-    goto err;
-  }
-  len = j;
-  ok = 1;
-
-err:
-  if (!ok) {
-    OPENSSL_free(r);
-    r = NULL;
+    return 0;
   }
-  if (ok) {
-    *ret_len = len;
+  for (size_t i = j; i < bits + 1; i++) {
+    out[i] = 0;
   }
-  return r;
-}
 
+  return 1;
+}
 
 // TODO: table should be optimised for the wNAF-based implementation,
 //       sometimes smaller windows will give better performance
 //       (thus the boundaries should be increased)
 static size_t window_bits_for_scalar_size(size_t b) {
-  if (b >= 2000) {
-    return 6;
-  }
-
-  if (b >= 800) {
-    return 5;
-  }
-
   if (b >= 300) {
     return 4;
   }
@@ -231,244 +182,173 @@ static size_t window_bits_for_scalar_size(size_t b) {
   return 1;
 }
 
-int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r,
-                const EC_SCALAR *g_scalar_raw, const EC_POINT *p,
-                const EC_SCALAR *p_scalar_raw, BN_CTX *ctx) {
-  BN_CTX *new_ctx = NULL;
-  const EC_POINT *generator = NULL;
-  EC_POINT *tmp = NULL;
-  size_t total_num = 0;
-  size_t i, j;
-  int k;
-  int r_is_inverted = 0;
-  int r_is_at_infinity = 1;
-  size_t *wsize = NULL;      // individual window sizes
-  int8_t **wNAF = NULL;  // individual wNAFs
-  size_t *wNAF_len = NULL;
-  size_t max_len = 0;
-  size_t num_val = 0;
-  EC_POINT **val = NULL;  // precomputation
-  EC_POINT **v;
-  EC_POINT ***val_sub = NULL;  // pointers to sub-arrays of 'val'
-  int ret = 0;
+// EC_WNAF_MAX_WINDOW_BITS is the largest value returned by
+// |window_bits_for_scalar_size|.
+#define EC_WNAF_MAX_WINDOW_BITS 4
+
+// compute_precomp sets |out[i]| to a newly-allocated |EC_POINT| containing
+// (2*i+1)*p, for i from 0 to |len|. It returns one on success and
+// zero on error.
+static int compute_precomp(const EC_GROUP *group, EC_POINT **out,
+                           const EC_POINT *p, size_t len, BN_CTX *ctx) {
+  out[0] = EC_POINT_new(group);
+  if (out[0] == NULL ||
+      !EC_POINT_copy(out[0], p)) {
+    return 0;
+  }
 
-  if (ctx == NULL) {
-    ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL) {
-      goto err;
-    }
+  int ret = 0;
+  EC_POINT *two_p = EC_POINT_new(group);
+  if (two_p == NULL ||
+      !EC_POINT_dbl(group, two_p, p, ctx)) {
+    goto err;
   }
-  BN_CTX_start(ctx);
-
-  // Convert from |EC_SCALAR| to |BIGNUM|. |BIGNUM| is not constant-time, but
-  // neither is the rest of this function.
-  BIGNUM *g_scalar = NULL, *p_scalar = NULL;
-  if (g_scalar_raw != NULL) {
-    g_scalar = BN_CTX_get(ctx);
-    if (g_scalar == NULL ||
-        !bn_set_words(g_scalar, g_scalar_raw->words, group->order.top)) {
+
+  for (size_t i = 1; i < len; i++) {
+    out[i] = EC_POINT_new(group);
+    if (out[i] == NULL ||
+        !EC_POINT_add(group, out[i], out[i - 1], two_p, ctx)) {
       goto err;
     }
   }
-  if (p_scalar_raw != NULL) {
-    p_scalar = BN_CTX_get(ctx);
-    if (p_scalar == NULL ||
-        !bn_set_words(p_scalar, p_scalar_raw->words, group->order.top)) {
-      goto err;
-    }
+
+  ret = 1;
+
+err:
+  EC_POINT_free(two_p);
+  return ret;
+}
+
+static int lookup_precomp(const EC_GROUP *group, EC_POINT *out,
+                          EC_POINT *const *precomp, int digit, BN_CTX *ctx) {
+  if (digit < 0) {
+    digit = -digit;
+    return EC_POINT_copy(out, precomp[digit >> 1]) &&
+           EC_POINT_invert(group, out, ctx);
   }
 
-  // TODO: This function used to take |points| and |scalars| as arrays of
-  // |num| elements. The code below should be simplified to work in terms of |p|
-  // and |p_scalar|.
-  size_t num = p != NULL ? 1 : 0;
-  const EC_POINT **points = p != NULL ? &p : NULL;
-  BIGNUM **scalars = p != NULL ? &p_scalar : NULL;
+  return EC_POINT_copy(out, precomp[digit >> 1]);
+}
 
-  total_num = num;
+int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const EC_SCALAR *g_scalar,
+                const EC_POINT *p, const EC_SCALAR *p_scalar, BN_CTX *ctx) {
+  BN_CTX *new_ctx = NULL;
+  EC_POINT *precomp_storage[2 * (1 << (EC_WNAF_MAX_WINDOW_BITS - 1))] = {NULL};
+  EC_POINT **g_precomp = NULL, **p_precomp = NULL;
+  int8_t g_wNAF[EC_MAX_SCALAR_BYTES * 8 + 1];
+  int8_t p_wNAF[EC_MAX_SCALAR_BYTES * 8 + 1];
+  EC_POINT *tmp = NULL;
+  int ret = 0;
 
-  if (g_scalar != NULL) {
-    generator = EC_GROUP_get0_generator(group);
-    if (generator == NULL) {
-      OPENSSL_PUT_ERROR(EC, EC_R_UNDEFINED_GENERATOR);
+  if (ctx == NULL) {
+    ctx = new_ctx = BN_CTX_new();
+    if (ctx == NULL) {
       goto err;
     }
-
-    ++total_num;  // treat 'g_scalar' like 'num'-th element of 'scalars'
   }
 
+  size_t bits = BN_num_bits(&group->order);
+  size_t wsize = window_bits_for_scalar_size(bits);
+  size_t wNAF_len = bits + 1;
+  size_t precomp_len = (size_t)1 << (wsize - 1);
 
-  wsize = OPENSSL_malloc(total_num * sizeof(wsize[0]));
-  wNAF_len = OPENSSL_malloc(total_num * sizeof(wNAF_len[0]));
-  wNAF = OPENSSL_malloc(total_num * sizeof(wNAF[0]));
-  val_sub = OPENSSL_malloc(total_num * sizeof(val_sub[0]));
-
-  // Ensure wNAF is initialised in case we end up going to err.
-  if (wNAF != NULL) {
-    OPENSSL_memset(wNAF, 0, total_num * sizeof(wNAF[0]));
-  }
+  OPENSSL_COMPILE_ASSERT(
+      OPENSSL_ARRAY_SIZE(g_wNAF) == OPENSSL_ARRAY_SIZE(p_wNAF),
+      g_wNAF_and_p_wNAF_are_different_sizes);
 
-  if (!wsize || !wNAF_len || !wNAF || !val_sub) {
-    OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);
+  if (wNAF_len > OPENSSL_ARRAY_SIZE(g_wNAF) ||
+      2 * precomp_len > OPENSSL_ARRAY_SIZE(precomp_storage)) {
+    OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
     goto err;
   }
 
-  // num_val will be the total number of temporarily precomputed points
-  num_val = 0;
-
-  for (i = 0; i < total_num; i++) {
-    size_t bits;
-
-    bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(g_scalar);
-    wsize[i] = window_bits_for_scalar_size(bits);
-    num_val += (size_t)1 << (wsize[i] - 1);
-    wNAF[i] =
-        compute_wNAF((i < num ? scalars[i] : g_scalar), wsize[i], &wNAF_len[i]);
-    if (wNAF[i] == NULL) {
+  // TODO(davidben): |mul_public| is for ECDSA verification which can assume
+  // non-NULL inputs, but this code is also used for |mul| which cannot. It's
+  // not constant-time, so replace the generic |mul| and remove the NULL checks.
+  size_t total_precomp = 0;
+  if (g_scalar != NULL) {
+    const EC_POINT *g = EC_GROUP_get0_generator(group);
+    if (g == NULL) {
+      OPENSSL_PUT_ERROR(EC, EC_R_UNDEFINED_GENERATOR);
       goto err;
     }
-    if (wNAF_len[i] > max_len) {
-      max_len = wNAF_len[i];
+    g_precomp = precomp_storage + total_precomp;
+    total_precomp += precomp_len;
+    if (!ec_compute_wNAF(group, g_wNAF, g_scalar, bits, wsize) ||
+        !compute_precomp(group, g_precomp, g, precomp_len, ctx)) {
+      goto err;
     }
   }
 
-  // All points we precompute now go into a single array 'val'. 'val_sub[i]' is
-  // a pointer to the subarray for the i-th point.
-  val = OPENSSL_malloc(num_val * sizeof(val[0]));
-  if (val == NULL) {
-    OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);
-    goto err;
-  }
-  OPENSSL_memset(val, 0, num_val * sizeof(val[0]));
-
-  // allocate points for precomputation
-  v = val;
-  for (i = 0; i < total_num; i++) {
-    val_sub[i] = v;
-    for (j = 0; j < ((size_t)1 << (wsize[i] - 1)); j++) {
-      *v = EC_POINT_new(group);
-      if (*v == NULL) {
-        goto err;
-      }
-      v++;
+  if (p_scalar != NULL) {
+    p_precomp = precomp_storage + total_precomp;
+    total_precomp += precomp_len;
+    if (!ec_compute_wNAF(group, p_wNAF, p_scalar, bits, wsize) ||
+        !compute_precomp(group, p_precomp, p, precomp_len, ctx)) {
+      goto err;
     }
   }
-  if (!(v == val + num_val)) {
-    OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-    goto err;
-  }
 
-  if (!(tmp = EC_POINT_new(group))) {
+  tmp = EC_POINT_new(group);
+  if (tmp == NULL ||
+      // |window_bits_for_scalar_size| assumes we do this step.
+      !EC_POINTs_make_affine(group, total_precomp, precomp_storage, ctx)) {
     goto err;
   }
 
-  // prepare precomputed values:
-  //    val_sub[i][0] :=     points[i]
-  //    val_sub[i][1] := 3 * points[i]
-  //    val_sub[i][2] := 5 * points[i]
-  //    ...
-  for (i = 0; i < total_num; i++) {
-    if (i < num) {
-      if (!EC_POINT_copy(val_sub[i][0], points[i])) {
-        goto err;
-      }
-    } else if (!EC_POINT_copy(val_sub[i][0], generator)) {
+  int r_is_at_infinity = 1;
+  for (size_t k = wNAF_len - 1; k < wNAF_len; k--) {
+    if (!r_is_at_infinity && !EC_POINT_dbl(group, r, r, ctx)) {
       goto err;
     }
 
-    if (wsize[i] > 1) {
-      if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx)) {
-        goto err;
-      }
-      for (j = 1; j < ((size_t)1 << (wsize[i] - 1)); j++) {
-        if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx)) {
+    if (g_scalar != NULL) {
+      if (g_wNAF[k] != 0) {
+        if (!lookup_precomp(group, tmp, g_precomp, g_wNAF[k], ctx)) {
+          goto err;
+        }
+        if (r_is_at_infinity) {
+          if (!EC_POINT_copy(r, tmp)) {
+            goto err;
+          }
+          r_is_at_infinity = 0;
+        } else if (!EC_POINT_add(group, r, r, tmp, ctx)) {
           goto err;
         }
       }
     }
-  }
 
-#if 1  // optional; window_bits_for_scalar_size assumes we do this step
-  if (!EC_POINTs_make_affine(group, num_val, val, ctx)) {
-    goto err;
-  }
-#endif
-
-  r_is_at_infinity = 1;
-
-  for (k = max_len - 1; k >= 0; k--) {
-    if (!r_is_at_infinity && !EC_POINT_dbl(group, r, r, ctx)) {
-      goto err;
-    }
-
-    for (i = 0; i < total_num; i++) {
-      if (wNAF_len[i] > (size_t)k) {
-        int digit = wNAF[i][k];
-        int is_neg;
-
-        if (digit) {
-          is_neg = digit < 0;
-
-          if (is_neg) {
-            digit = -digit;
-          }
-
-          if (is_neg != r_is_inverted) {
-            if (!r_is_at_infinity && !EC_POINT_invert(group, r, ctx)) {
-              goto err;
-            }
-            r_is_inverted = !r_is_inverted;
-          }
-
-          // digit > 0
-
-          if (r_is_at_infinity) {
-            if (!EC_POINT_copy(r, val_sub[i][digit >> 1])) {
-              goto err;
-            }
-            r_is_at_infinity = 0;
-          } else {
-            if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx)) {
-              goto err;
-            }
+    if (p_scalar != NULL) {
+      if (p_wNAF[k] != 0) {
+        if (!lookup_precomp(group, tmp, p_precomp, p_wNAF[k], ctx)) {
+          goto err;
+        }
+        if (r_is_at_infinity) {
+          if (!EC_POINT_copy(r, tmp)) {
+            goto err;
           }
+          r_is_at_infinity = 0;
+        } else if (!EC_POINT_add(group, r, r, tmp, ctx)) {
+          goto err;
         }
       }
     }
   }
 
-  if (r_is_at_infinity) {
-    if (!EC_POINT_set_to_infinity(group, r)) {
-      goto err;
-    }
-  } else if (r_is_inverted && !EC_POINT_invert(group, r, ctx)) {
+  if (r_is_at_infinity &&
+      !EC_POINT_set_to_infinity(group, r)) {
     goto err;
   }
 
   ret = 1;
 
 err:
-  if (ctx != NULL) {
-    BN_CTX_end(ctx);
-  }
   BN_CTX_free(new_ctx);
   EC_POINT_free(tmp);
-  OPENSSL_free(wsize);
-  OPENSSL_free(wNAF_len);
-  if (wNAF != NULL) {
-    for (i = 0; i < total_num; i++) {
-      OPENSSL_free(wNAF[i]);
-    }
-
-    OPENSSL_free(wNAF);
-  }
-  if (val != NULL) {
-    for (i = 0; i < num_val; i++) {
-      EC_POINT_free(val[i]);
-    }
-
-    OPENSSL_free(val);
+  OPENSSL_cleanse(&g_wNAF, sizeof(g_wNAF));
+  OPENSSL_cleanse(&p_wNAF, sizeof(p_wNAF));
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(precomp_storage); i++) {
+    EC_POINT_free(precomp_storage[i]);
   }
-  OPENSSL_free(val_sub);
   return ret;
 }