grpc 1.24.0 → 1.25.0


Potentially problematic release.



Files changed (505) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +306 -243
  3. data/etc/roots.pem +0 -100
  4. data/include/grpc/grpc_security.h +44 -18
  5. data/include/grpc/impl/codegen/grpc_types.h +15 -0
  6. data/include/grpc/impl/codegen/port_platform.h +27 -11
  7. data/include/grpc/impl/codegen/sync_generic.h +1 -1
  8. data/src/boringssl/err_data.c +695 -650
  9. data/src/core/ext/filters/client_channel/client_channel.cc +257 -179
  10. data/src/core/ext/filters/client_channel/client_channel.h +24 -0
  11. data/src/core/ext/filters/client_channel/client_channel_channelz.cc +2 -3
  12. data/src/core/ext/filters/client_channel/client_channel_factory.h +1 -5
  13. data/src/core/ext/filters/client_channel/health/health_check_client.cc +18 -45
  14. data/src/core/ext/filters/client_channel/health/health_check_client.h +5 -13
  15. data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +1 -1
  16. data/src/core/ext/filters/client_channel/lb_policy.cc +2 -3
  17. data/src/core/ext/filters/client_channel/lb_policy.h +65 -55
  18. data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +14 -14
  19. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +113 -36
  20. data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +14 -19
  21. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +36 -13
  22. data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +3 -10
  23. data/src/core/ext/filters/client_channel/lb_policy/xds/xds.cc +814 -1589
  24. data/src/core/ext/filters/client_channel/lb_policy/xds/xds.h +2 -5
  25. data/src/core/ext/filters/client_channel/lb_policy_factory.h +3 -6
  26. data/src/core/ext/filters/client_channel/resolver.cc +1 -2
  27. data/src/core/ext/filters/client_channel/resolver.h +8 -16
  28. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +25 -8
  29. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +46 -12
  30. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +10 -17
  31. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +7 -8
  32. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +4 -4
  33. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +111 -44
  34. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +22 -14
  35. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +1 -1
  36. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +2 -2
  37. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +29 -10
  38. data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +27 -36
  39. data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +7 -10
  40. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +60 -16
  41. data/src/core/ext/filters/client_channel/resolver_factory.h +4 -8
  42. data/src/core/ext/filters/client_channel/resolver_registry.cc +1 -1
  43. data/src/core/ext/filters/client_channel/resolver_registry.h +1 -1
  44. data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +7 -10
  45. data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +7 -8
  46. data/src/core/ext/filters/client_channel/resolving_lb_policy.h +1 -1
  47. data/src/core/ext/filters/client_channel/retry_throttle.cc +5 -5
  48. data/src/core/ext/filters/client_channel/retry_throttle.h +1 -4
  49. data/src/core/ext/filters/client_channel/service_config.h +8 -8
  50. data/src/core/ext/filters/client_channel/subchannel.cc +53 -86
  51. data/src/core/ext/filters/client_channel/subchannel.h +7 -9
  52. data/src/core/ext/filters/client_channel/subchannel_interface.h +9 -13
  53. data/src/core/ext/filters/client_channel/subchannel_pool_interface.h +3 -6
  54. data/src/core/ext/filters/client_channel/{lb_policy/xds/xds_load_balancer_api.cc → xds/xds_api.cc} +169 -52
  55. data/src/core/ext/filters/client_channel/xds/xds_api.h +171 -0
  56. data/src/core/ext/filters/client_channel/xds/xds_bootstrap.cc +450 -0
  57. data/src/core/ext/filters/client_channel/xds/xds_bootstrap.h +99 -0
  58. data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_channel.h +8 -6
  59. data/src/core/ext/filters/client_channel/xds/xds_channel_args.h +26 -0
  60. data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_channel_secure.cc +28 -11
  61. data/src/core/ext/filters/client_channel/xds/xds_client.cc +1413 -0
  62. data/src/core/ext/filters/client_channel/xds/xds_client.h +221 -0
  63. data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_client_stats.cc +1 -5
  64. data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_client_stats.h +3 -4
  65. data/src/core/ext/filters/deadline/deadline_filter.cc +20 -20
  66. data/src/core/ext/filters/http/client/http_client_filter.cc +15 -15
  67. data/src/core/ext/filters/http/client_authority_filter.cc +14 -14
  68. data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +12 -12
  69. data/src/core/ext/filters/max_age/max_age_filter.cc +59 -50
  70. data/src/core/ext/filters/message_size/message_size_filter.cc +18 -18
  71. data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +15 -14
  72. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +233 -175
  73. data/src/core/ext/transport/chttp2/transport/flow_control.h +21 -24
  74. data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +253 -163
  75. data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +24 -12
  76. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +2 -3
  77. data/src/core/ext/transport/chttp2/transport/internal.h +13 -15
  78. data/src/core/ext/transport/chttp2/transport/writing.cc +3 -0
  79. data/src/core/ext/transport/inproc/inproc_transport.cc +20 -13
  80. data/src/core/lib/channel/channel_args.cc +16 -0
  81. data/src/core/lib/channel/channel_args.h +22 -0
  82. data/src/core/lib/channel/channelz.cc +5 -6
  83. data/src/core/lib/channel/channelz.h +1 -1
  84. data/src/core/lib/channel/connected_channel.cc +20 -20
  85. data/src/core/lib/channel/handshaker.h +3 -4
  86. data/src/core/lib/channel/handshaker_factory.h +1 -3
  87. data/src/core/lib/debug/trace.h +3 -2
  88. data/src/core/lib/gprpp/arena.cc +3 -3
  89. data/src/core/lib/gprpp/arena.h +2 -3
  90. data/src/core/lib/gprpp/inlined_vector.h +9 -0
  91. data/src/core/lib/gprpp/map.h +3 -501
  92. data/src/core/lib/gprpp/memory.h +45 -41
  93. data/src/core/lib/gprpp/mpscq.cc +108 -0
  94. data/src/core/lib/gprpp/mpscq.h +98 -0
  95. data/src/core/lib/gprpp/orphanable.h +6 -11
  96. data/src/core/lib/gprpp/ref_counted.h +25 -19
  97. data/src/core/lib/gprpp/set.h +33 -0
  98. data/src/core/lib/gprpp/thd.h +2 -4
  99. data/src/core/lib/http/httpcli.cc +1 -1
  100. data/src/core/lib/http/httpcli_security_connector.cc +15 -11
  101. data/src/core/lib/http/parser.cc +1 -1
  102. data/src/core/lib/iomgr/buffer_list.cc +4 -5
  103. data/src/core/lib/iomgr/buffer_list.h +5 -6
  104. data/src/core/lib/iomgr/call_combiner.cc +4 -5
  105. data/src/core/lib/iomgr/call_combiner.h +2 -2
  106. data/src/core/lib/iomgr/cfstream_handle.h +3 -5
  107. data/src/core/lib/iomgr/closure.h +8 -3
  108. data/src/core/lib/iomgr/combiner.cc +45 -82
  109. data/src/core/lib/iomgr/combiner.h +32 -8
  110. data/src/core/lib/iomgr/endpoint_cfstream.cc +5 -3
  111. data/src/core/lib/iomgr/ev_epoll1_linux.cc +19 -15
  112. data/src/core/lib/iomgr/ev_poll_posix.cc +3 -1
  113. data/src/core/lib/iomgr/exec_ctx.h +4 -3
  114. data/src/core/lib/iomgr/executor.cc +4 -2
  115. data/src/core/lib/iomgr/executor.h +3 -0
  116. data/src/core/lib/iomgr/executor/mpmcqueue.h +3 -6
  117. data/src/core/lib/iomgr/executor/threadpool.cc +1 -2
  118. data/src/core/lib/iomgr/executor/threadpool.h +7 -11
  119. data/src/core/lib/iomgr/resource_quota.cc +55 -51
  120. data/src/core/lib/iomgr/resource_quota.h +13 -9
  121. data/src/core/lib/iomgr/socket_utils_common_posix.cc +13 -0
  122. data/src/core/lib/iomgr/socket_utils_posix.h +4 -0
  123. data/src/core/lib/iomgr/tcp_client_posix.cc +4 -11
  124. data/src/core/lib/iomgr/tcp_custom.cc +9 -7
  125. data/src/core/lib/iomgr/tcp_posix.cc +20 -16
  126. data/src/core/lib/iomgr/tcp_server.h +1 -4
  127. data/src/core/lib/iomgr/tcp_server_custom.cc +5 -5
  128. data/src/core/lib/iomgr/tcp_server_posix.cc +1 -1
  129. data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +2 -11
  130. data/src/core/lib/iomgr/timer_custom.cc +2 -2
  131. data/src/core/lib/iomgr/udp_server.cc +3 -2
  132. data/src/core/lib/iomgr/udp_server.h +6 -12
  133. data/src/core/lib/json/json.h +1 -1
  134. data/src/core/lib/json/json_string.cc +2 -2
  135. data/src/core/lib/profiling/basic_timers.cc +2 -2
  136. data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -2
  137. data/src/core/lib/security/credentials/alts/grpc_alts_credentials_server_options.cc +1 -1
  138. data/src/core/lib/security/credentials/credentials.h +4 -20
  139. data/src/core/lib/security/credentials/fake/fake_credentials.cc +4 -4
  140. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -3
  141. data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +64 -0
  142. data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +4 -4
  143. data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +9 -7
  144. data/src/core/lib/security/security_connector/load_system_roots_linux.cc +2 -0
  145. data/src/core/lib/security/security_connector/local/local_security_connector.cc +4 -4
  146. data/src/core/lib/security/security_connector/security_connector.cc +1 -0
  147. data/src/core/lib/security/security_connector/security_connector.h +19 -17
  148. data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +8 -5
  149. data/src/core/lib/security/security_connector/ssl_utils.cc +2 -2
  150. data/src/core/lib/security/security_connector/ssl_utils.h +1 -1
  151. data/src/core/lib/security/security_connector/tls/spiffe_security_connector.cc +14 -6
  152. data/src/core/lib/security/security_connector/tls/spiffe_security_connector.h +4 -2
  153. data/src/core/lib/security/transport/client_auth_filter.cc +17 -17
  154. data/src/core/lib/security/transport/security_handshaker.cc +29 -13
  155. data/src/core/lib/security/transport/security_handshaker.h +4 -2
  156. data/src/core/lib/security/transport/server_auth_filter.cc +14 -14
  157. data/src/core/lib/slice/slice.cc +2 -10
  158. data/src/core/lib/slice/slice_hash_table.h +4 -6
  159. data/src/core/lib/slice/slice_intern.cc +42 -39
  160. data/src/core/lib/slice/slice_internal.h +3 -3
  161. data/src/core/lib/slice/slice_utils.h +21 -4
  162. data/src/core/lib/slice/slice_weak_hash_table.h +4 -6
  163. data/src/core/lib/surface/call.cc +3 -3
  164. data/src/core/lib/surface/channel.cc +7 -0
  165. data/src/core/lib/surface/completion_queue.cc +12 -11
  166. data/src/core/lib/surface/completion_queue.h +4 -2
  167. data/src/core/lib/surface/init.cc +1 -0
  168. data/src/core/lib/surface/lame_client.cc +33 -18
  169. data/src/core/lib/surface/server.cc +77 -76
  170. data/src/core/lib/surface/version.cc +1 -1
  171. data/src/core/lib/transport/byte_stream.h +3 -7
  172. data/src/core/lib/transport/connectivity_state.cc +112 -98
  173. data/src/core/lib/transport/connectivity_state.h +100 -50
  174. data/src/core/lib/transport/static_metadata.cc +276 -288
  175. data/src/core/lib/transport/static_metadata.h +73 -76
  176. data/src/core/lib/transport/status_conversion.cc +1 -1
  177. data/src/core/lib/transport/status_metadata.cc +1 -1
  178. data/src/core/lib/transport/transport.cc +2 -2
  179. data/src/core/lib/transport/transport.h +12 -4
  180. data/src/core/lib/transport/transport_op_string.cc +14 -11
  181. data/src/core/tsi/alts/frame_protector/alts_unseal_privacy_integrity_crypter.cc +1 -1
  182. data/src/core/tsi/alts/handshaker/alts_shared_resource.cc +1 -1
  183. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +5 -5
  184. data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +12 -2
  185. data/src/core/tsi/fake_transport_security.cc +7 -5
  186. data/src/core/tsi/grpc_shadow_boringssl.h +2918 -2627
  187. data/src/core/tsi/local_transport_security.cc +8 -6
  188. data/src/core/tsi/ssl/session_cache/ssl_session.h +1 -3
  189. data/src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc +1 -2
  190. data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +7 -5
  191. data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +4 -6
  192. data/src/core/tsi/ssl/session_cache/ssl_session_openssl.cc +1 -2
  193. data/src/core/tsi/ssl_transport_security.cc +12 -12
  194. data/src/core/tsi/ssl_transport_security.h +2 -2
  195. data/src/core/tsi/transport_security_grpc.cc +7 -0
  196. data/src/core/tsi/transport_security_grpc.h +6 -0
  197. data/src/ruby/ext/grpc/extconf.rb +1 -0
  198. data/src/ruby/ext/grpc/rb_call.c +1 -1
  199. data/src/ruby/ext/grpc/rb_channel.c +1 -1
  200. data/src/ruby/lib/grpc/generic/bidi_call.rb +1 -1
  201. data/src/ruby/lib/grpc/generic/rpc_server.rb +1 -1
  202. data/src/ruby/lib/grpc/version.rb +1 -1
  203. data/src/ruby/spec/google_rpc_status_utils_spec.rb +2 -2
  204. data/third_party/boringssl/crypto/asn1/a_bool.c +18 -5
  205. data/third_party/boringssl/crypto/asn1/a_d2i_fp.c +17 -221
  206. data/third_party/boringssl/crypto/asn1/a_dup.c +0 -24
  207. data/third_party/boringssl/crypto/asn1/a_enum.c +2 -2
  208. data/third_party/boringssl/crypto/asn1/a_i2d_fp.c +10 -72
  209. data/third_party/boringssl/crypto/asn1/a_int.c +12 -71
  210. data/third_party/boringssl/crypto/asn1/a_mbstr.c +110 -216
  211. data/third_party/boringssl/crypto/asn1/a_object.c +16 -5
  212. data/third_party/boringssl/crypto/asn1/a_strnid.c +1 -0
  213. data/third_party/boringssl/crypto/asn1/asn1_lib.c +5 -1
  214. data/third_party/boringssl/crypto/asn1/tasn_enc.c +3 -1
  215. data/third_party/boringssl/crypto/base64/base64.c +2 -2
  216. data/third_party/boringssl/crypto/bio/bio.c +73 -9
  217. data/third_party/boringssl/crypto/bio/connect.c +4 -0
  218. data/third_party/boringssl/crypto/bio/fd.c +4 -0
  219. data/third_party/boringssl/crypto/bio/file.c +5 -2
  220. data/third_party/boringssl/crypto/bio/socket.c +4 -0
  221. data/third_party/boringssl/crypto/bio/socket_helper.c +4 -0
  222. data/third_party/boringssl/crypto/bn_extra/convert.c +11 -7
  223. data/third_party/boringssl/crypto/bytestring/ber.c +8 -4
  224. data/third_party/boringssl/crypto/bytestring/cbb.c +19 -7
  225. data/third_party/boringssl/crypto/bytestring/cbs.c +28 -15
  226. data/third_party/boringssl/crypto/bytestring/internal.h +28 -7
  227. data/third_party/boringssl/crypto/bytestring/unicode.c +155 -0
  228. data/third_party/boringssl/crypto/chacha/chacha.c +36 -19
  229. data/third_party/boringssl/crypto/chacha/internal.h +45 -0
  230. data/third_party/boringssl/crypto/cipher_extra/cipher_extra.c +29 -0
  231. data/third_party/boringssl/crypto/cipher_extra/e_aesccm.c +269 -25
  232. data/third_party/boringssl/crypto/cipher_extra/e_aesctrhmac.c +16 -14
  233. data/third_party/boringssl/crypto/cipher_extra/e_aesgcmsiv.c +54 -38
  234. data/third_party/boringssl/crypto/cipher_extra/e_chacha20poly1305.c +133 -41
  235. data/third_party/boringssl/crypto/cipher_extra/e_tls.c +23 -15
  236. data/third_party/boringssl/crypto/cipher_extra/tls_cbc.c +24 -15
  237. data/third_party/boringssl/crypto/cmac/cmac.c +62 -25
  238. data/third_party/boringssl/crypto/conf/conf.c +7 -0
  239. data/third_party/boringssl/crypto/cpu-arm-linux.c +4 -148
  240. data/third_party/boringssl/crypto/cpu-arm-linux.h +201 -0
  241. data/third_party/boringssl/crypto/cpu-intel.c +45 -51
  242. data/third_party/boringssl/crypto/crypto.c +39 -22
  243. data/third_party/boringssl/crypto/curve25519/spake25519.c +1 -1
  244. data/third_party/boringssl/crypto/dsa/dsa.c +77 -53
  245. data/third_party/boringssl/crypto/ec_extra/ec_asn1.c +20 -8
  246. data/third_party/boringssl/crypto/ec_extra/ec_derive.c +96 -0
  247. data/third_party/boringssl/crypto/{ecdh/ecdh.c → ecdh_extra/ecdh_extra.c} +20 -58
  248. data/third_party/boringssl/crypto/ecdsa_extra/ecdsa_asn1.c +1 -9
  249. data/third_party/boringssl/crypto/engine/engine.c +2 -1
  250. data/third_party/boringssl/crypto/err/err.c +2 -0
  251. data/third_party/boringssl/crypto/err/internal.h +2 -2
  252. data/third_party/boringssl/crypto/evp/evp.c +89 -8
  253. data/third_party/boringssl/crypto/evp/evp_asn1.c +56 -5
  254. data/third_party/boringssl/crypto/evp/evp_ctx.c +52 -14
  255. data/third_party/boringssl/crypto/evp/internal.h +18 -1
  256. data/third_party/boringssl/crypto/evp/p_dsa_asn1.c +5 -0
  257. data/third_party/boringssl/crypto/evp/p_ec.c +51 -3
  258. data/third_party/boringssl/crypto/evp/p_ec_asn1.c +6 -7
  259. data/third_party/boringssl/crypto/evp/p_ed25519.c +36 -3
  260. data/third_party/boringssl/crypto/evp/p_ed25519_asn1.c +76 -45
  261. data/third_party/boringssl/crypto/evp/p_rsa.c +3 -1
  262. data/third_party/boringssl/crypto/evp/p_rsa_asn1.c +5 -0
  263. data/third_party/boringssl/crypto/evp/p_x25519.c +110 -0
  264. data/third_party/boringssl/crypto/evp/p_x25519_asn1.c +249 -0
  265. data/third_party/boringssl/crypto/evp/scrypt.c +6 -2
  266. data/third_party/boringssl/crypto/fipsmodule/aes/aes.c +34 -274
  267. data/third_party/boringssl/crypto/fipsmodule/aes/internal.h +161 -21
  268. data/third_party/boringssl/crypto/fipsmodule/aes/key_wrap.c +111 -13
  269. data/third_party/boringssl/crypto/fipsmodule/aes/mode_wrappers.c +17 -21
  270. data/third_party/boringssl/crypto/fipsmodule/bcm.c +119 -7
  271. data/third_party/boringssl/crypto/fipsmodule/bn/bn.c +19 -2
  272. data/third_party/boringssl/crypto/fipsmodule/bn/cmp.c +2 -2
  273. data/third_party/boringssl/crypto/fipsmodule/bn/ctx.c +93 -160
  274. data/third_party/boringssl/crypto/fipsmodule/bn/div.c +48 -57
  275. data/third_party/boringssl/crypto/fipsmodule/bn/div_extra.c +87 -0
  276. data/third_party/boringssl/crypto/fipsmodule/bn/exponentiation.c +143 -211
  277. data/third_party/boringssl/crypto/fipsmodule/bn/gcd.c +0 -305
  278. data/third_party/boringssl/crypto/fipsmodule/bn/gcd_extra.c +325 -0
  279. data/third_party/boringssl/crypto/fipsmodule/bn/internal.h +168 -50
  280. data/third_party/boringssl/crypto/fipsmodule/bn/montgomery.c +68 -92
  281. data/third_party/boringssl/crypto/fipsmodule/bn/montgomery_inv.c +7 -6
  282. data/third_party/boringssl/crypto/fipsmodule/bn/mul.c +11 -14
  283. data/third_party/boringssl/crypto/fipsmodule/bn/prime.c +358 -443
  284. data/third_party/boringssl/crypto/fipsmodule/bn/random.c +25 -35
  285. data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.c +20 -25
  286. data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.h +76 -5
  287. data/third_party/boringssl/crypto/fipsmodule/bn/shift.c +14 -14
  288. data/third_party/boringssl/crypto/fipsmodule/cipher/cipher.c +7 -2
  289. data/third_party/boringssl/crypto/fipsmodule/cipher/e_aes.c +383 -516
  290. data/third_party/boringssl/crypto/fipsmodule/cipher/e_des.c +4 -0
  291. data/third_party/boringssl/crypto/fipsmodule/cipher/internal.h +3 -4
  292. data/third_party/boringssl/crypto/fipsmodule/delocate.h +3 -2
  293. data/third_party/boringssl/crypto/fipsmodule/digest/digest.c +32 -17
  294. data/third_party/boringssl/crypto/fipsmodule/digest/md32_common.h +3 -3
  295. data/third_party/boringssl/crypto/fipsmodule/ec/ec.c +228 -122
  296. data/third_party/boringssl/crypto/fipsmodule/ec/ec_key.c +34 -8
  297. data/third_party/boringssl/crypto/fipsmodule/ec/ec_montgomery.c +311 -98
  298. data/third_party/boringssl/crypto/fipsmodule/ec/felem.c +82 -0
  299. data/third_party/boringssl/crypto/fipsmodule/ec/internal.h +263 -97
  300. data/third_party/boringssl/crypto/fipsmodule/ec/oct.c +22 -59
  301. data/third_party/boringssl/crypto/fipsmodule/ec/p224-64.c +317 -234
  302. data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64-table.h +9473 -9475
  303. data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.c +313 -109
  304. data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.h +36 -0
  305. data/third_party/boringssl/crypto/fipsmodule/ec/scalar.c +96 -0
  306. data/third_party/boringssl/crypto/fipsmodule/ec/simple.c +126 -792
  307. data/third_party/boringssl/crypto/fipsmodule/ec/simple_mul.c +84 -0
  308. data/third_party/boringssl/crypto/fipsmodule/ec/util.c +163 -12
  309. data/third_party/boringssl/crypto/fipsmodule/ec/wnaf.c +84 -211
  310. data/third_party/boringssl/crypto/fipsmodule/ecdh/ecdh.c +122 -0
  311. data/third_party/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c +60 -205
  312. data/third_party/boringssl/crypto/fipsmodule/fips_shared_support.c +32 -0
  313. data/third_party/boringssl/crypto/fipsmodule/is_fips.c +2 -0
  314. data/third_party/boringssl/crypto/fipsmodule/md4/md4.c +3 -1
  315. data/third_party/boringssl/crypto/fipsmodule/md5/internal.h +37 -0
  316. data/third_party/boringssl/crypto/fipsmodule/md5/md5.c +11 -8
  317. data/third_party/boringssl/crypto/fipsmodule/modes/cbc.c +35 -79
  318. data/third_party/boringssl/crypto/fipsmodule/modes/cfb.c +7 -39
  319. data/third_party/boringssl/crypto/fipsmodule/modes/ctr.c +7 -27
  320. data/third_party/boringssl/crypto/fipsmodule/modes/gcm.c +123 -309
  321. data/third_party/boringssl/crypto/fipsmodule/modes/internal.h +189 -126
  322. data/third_party/boringssl/crypto/fipsmodule/modes/ofb.c +3 -2
  323. data/third_party/boringssl/crypto/fipsmodule/rand/ctrdrbg.c +2 -2
  324. data/third_party/boringssl/crypto/fipsmodule/rand/internal.h +35 -0
  325. data/third_party/boringssl/crypto/fipsmodule/rand/rand.c +24 -19
  326. data/third_party/boringssl/crypto/fipsmodule/rand/urandom.c +256 -77
  327. data/third_party/boringssl/crypto/fipsmodule/rsa/padding.c +10 -7
  328. data/third_party/boringssl/crypto/fipsmodule/rsa/rsa.c +5 -1
  329. data/third_party/boringssl/crypto/fipsmodule/rsa/rsa_impl.c +131 -14
  330. data/third_party/boringssl/crypto/fipsmodule/self_check/self_check.c +83 -10
  331. data/third_party/boringssl/crypto/fipsmodule/sha/internal.h +53 -0
  332. data/third_party/boringssl/crypto/fipsmodule/sha/sha1.c +9 -13
  333. data/third_party/boringssl/crypto/fipsmodule/sha/sha256.c +18 -12
  334. data/third_party/boringssl/crypto/fipsmodule/sha/sha512.c +95 -168
  335. data/third_party/boringssl/crypto/hrss/hrss.c +2201 -0
  336. data/third_party/boringssl/crypto/hrss/internal.h +62 -0
  337. data/third_party/boringssl/crypto/internal.h +95 -20
  338. data/third_party/boringssl/crypto/lhash/lhash.c +45 -33
  339. data/third_party/boringssl/crypto/mem.c +39 -2
  340. data/third_party/boringssl/crypto/obj/obj.c +4 -4
  341. data/third_party/boringssl/crypto/obj/obj_dat.h +6181 -875
  342. data/third_party/boringssl/crypto/pem/pem_all.c +2 -3
  343. data/third_party/boringssl/crypto/pem/pem_info.c +144 -162
  344. data/third_party/boringssl/crypto/pem/pem_lib.c +53 -52
  345. data/third_party/boringssl/crypto/pem/pem_pkey.c +13 -21
  346. data/third_party/boringssl/crypto/pkcs7/pkcs7.c +15 -22
  347. data/third_party/boringssl/crypto/pkcs7/pkcs7_x509.c +168 -16
  348. data/third_party/boringssl/crypto/pkcs8/internal.h +11 -0
  349. data/third_party/boringssl/crypto/pkcs8/p5_pbev2.c +24 -15
  350. data/third_party/boringssl/crypto/pkcs8/pkcs8.c +42 -25
  351. data/third_party/boringssl/crypto/pkcs8/pkcs8_x509.c +559 -43
  352. data/third_party/boringssl/crypto/pool/internal.h +1 -1
  353. data/third_party/boringssl/crypto/pool/pool.c +21 -0
  354. data/third_party/boringssl/crypto/rand_extra/deterministic.c +8 -0
  355. data/third_party/boringssl/crypto/rand_extra/fuchsia.c +1 -14
  356. data/third_party/boringssl/crypto/refcount_lock.c +2 -2
  357. data/third_party/boringssl/crypto/rsa_extra/rsa_print.c +22 -0
  358. data/third_party/boringssl/crypto/siphash/siphash.c +80 -0
  359. data/third_party/boringssl/crypto/stack/stack.c +83 -32
  360. data/third_party/boringssl/crypto/thread_none.c +2 -2
  361. data/third_party/boringssl/crypto/thread_pthread.c +2 -2
  362. data/third_party/boringssl/crypto/thread_win.c +38 -19
  363. data/third_party/boringssl/crypto/x509/a_strex.c +22 -2
  364. data/third_party/boringssl/crypto/x509/asn1_gen.c +2 -1
  365. data/third_party/boringssl/crypto/x509/by_dir.c +7 -0
  366. data/third_party/boringssl/crypto/x509/by_file.c +12 -10
  367. data/third_party/boringssl/crypto/x509/t_crl.c +5 -8
  368. data/third_party/boringssl/crypto/x509/t_req.c +1 -3
  369. data/third_party/boringssl/crypto/x509/t_x509.c +5 -8
  370. data/third_party/boringssl/crypto/x509/x509_cmp.c +1 -1
  371. data/third_party/boringssl/crypto/x509/x509_def.c +1 -1
  372. data/third_party/boringssl/crypto/x509/x509_lu.c +114 -5
  373. data/third_party/boringssl/crypto/x509/x509_req.c +20 -0
  374. data/third_party/boringssl/crypto/x509/x509_set.c +5 -0
  375. data/third_party/boringssl/crypto/x509/x509_trs.c +1 -0
  376. data/third_party/boringssl/crypto/x509/x509_txt.c +4 -5
  377. data/third_party/boringssl/crypto/x509/x509_vfy.c +145 -138
  378. data/third_party/boringssl/crypto/x509/x509_vpm.c +2 -0
  379. data/third_party/boringssl/crypto/x509/x509cset.c +40 -0
  380. data/third_party/boringssl/crypto/x509/x509name.c +2 -3
  381. data/third_party/boringssl/crypto/x509/x_all.c +109 -210
  382. data/third_party/boringssl/crypto/x509/x_x509.c +6 -0
  383. data/third_party/boringssl/crypto/x509v3/ext_dat.h +1 -3
  384. data/third_party/boringssl/crypto/x509v3/internal.h +56 -0
  385. data/third_party/boringssl/crypto/x509v3/pcy_cache.c +2 -0
  386. data/third_party/boringssl/crypto/x509v3/pcy_node.c +1 -0
  387. data/third_party/boringssl/crypto/x509v3/pcy_tree.c +4 -2
  388. data/third_party/boringssl/crypto/x509v3/v3_akey.c +5 -2
  389. data/third_party/boringssl/crypto/x509v3/v3_alt.c +19 -13
  390. data/third_party/boringssl/crypto/x509v3/v3_conf.c +2 -1
  391. data/third_party/boringssl/crypto/x509v3/v3_cpols.c +3 -2
  392. data/third_party/boringssl/crypto/x509v3/v3_genn.c +1 -6
  393. data/third_party/boringssl/crypto/x509v3/v3_lib.c +1 -0
  394. data/third_party/boringssl/crypto/x509v3/v3_ocsp.c +68 -0
  395. data/third_party/boringssl/crypto/x509v3/v3_pci.c +2 -1
  396. data/third_party/boringssl/crypto/x509v3/v3_purp.c +47 -69
  397. data/third_party/boringssl/crypto/x509v3/v3_skey.c +5 -2
  398. data/third_party/boringssl/crypto/x509v3/v3_utl.c +69 -25
  399. data/third_party/boringssl/include/openssl/aead.h +45 -19
  400. data/third_party/boringssl/include/openssl/aes.h +32 -7
  401. data/third_party/boringssl/include/openssl/asn1.h +7 -77
  402. data/third_party/boringssl/include/openssl/base.h +120 -6
  403. data/third_party/boringssl/include/openssl/base64.h +4 -1
  404. data/third_party/boringssl/include/openssl/bio.h +112 -81
  405. data/third_party/boringssl/include/openssl/blowfish.h +3 -3
  406. data/third_party/boringssl/include/openssl/bn.h +55 -29
  407. data/third_party/boringssl/include/openssl/buf.h +2 -2
  408. data/third_party/boringssl/include/openssl/bytestring.h +54 -32
  409. data/third_party/boringssl/include/openssl/cast.h +2 -2
  410. data/third_party/boringssl/include/openssl/cipher.h +46 -16
  411. data/third_party/boringssl/include/openssl/cmac.h +6 -2
  412. data/third_party/boringssl/include/openssl/conf.h +3 -6
  413. data/third_party/boringssl/include/openssl/cpu.h +25 -9
  414. data/third_party/boringssl/include/openssl/crypto.h +32 -10
  415. data/third_party/boringssl/include/openssl/curve25519.h +4 -4
  416. data/third_party/boringssl/include/openssl/dh.h +3 -2
  417. data/third_party/boringssl/include/openssl/digest.h +21 -7
  418. data/third_party/boringssl/include/openssl/dsa.h +8 -2
  419. data/third_party/boringssl/include/openssl/e_os2.h +18 -0
  420. data/third_party/boringssl/include/openssl/ec.h +25 -21
  421. data/third_party/boringssl/include/openssl/ec_key.h +36 -8
  422. data/third_party/boringssl/include/openssl/ecdh.h +17 -0
  423. data/third_party/boringssl/include/openssl/ecdsa.h +3 -3
  424. data/third_party/boringssl/include/openssl/engine.h +4 -4
  425. data/third_party/boringssl/include/openssl/err.h +3 -0
  426. data/third_party/boringssl/include/openssl/evp.h +199 -42
  427. data/third_party/boringssl/include/openssl/hmac.h +4 -4
  428. data/third_party/boringssl/include/openssl/hrss.h +100 -0
  429. data/third_party/boringssl/include/openssl/lhash.h +131 -23
  430. data/third_party/boringssl/include/openssl/md4.h +6 -4
  431. data/third_party/boringssl/include/openssl/md5.h +6 -4
  432. data/third_party/boringssl/include/openssl/mem.h +6 -2
  433. data/third_party/boringssl/include/openssl/nid.h +3 -0
  434. data/third_party/boringssl/include/openssl/obj.h +3 -0
  435. data/third_party/boringssl/include/openssl/pem.h +102 -64
  436. data/third_party/boringssl/include/openssl/pkcs7.h +136 -3
  437. data/third_party/boringssl/include/openssl/pkcs8.h +42 -3
  438. data/third_party/boringssl/include/openssl/pool.h +13 -2
  439. data/third_party/boringssl/include/openssl/ripemd.h +5 -4
  440. data/third_party/boringssl/include/openssl/rsa.h +46 -15
  441. data/third_party/boringssl/include/openssl/sha.h +40 -28
  442. data/third_party/boringssl/include/openssl/siphash.h +37 -0
  443. data/third_party/boringssl/include/openssl/span.h +17 -9
  444. data/third_party/boringssl/include/openssl/ssl.h +766 -393
  445. data/third_party/boringssl/include/openssl/ssl3.h +4 -3
  446. data/third_party/boringssl/include/openssl/stack.h +134 -77
  447. data/third_party/boringssl/include/openssl/thread.h +1 -1
  448. data/third_party/boringssl/include/openssl/tls1.h +25 -9
  449. data/third_party/boringssl/include/openssl/type_check.h +14 -15
  450. data/third_party/boringssl/include/openssl/x509.h +28 -3
  451. data/third_party/boringssl/include/openssl/x509_vfy.h +98 -32
  452. data/third_party/boringssl/include/openssl/x509v3.h +17 -13
  453. data/third_party/boringssl/ssl/d1_both.cc +9 -18
  454. data/third_party/boringssl/ssl/d1_lib.cc +4 -3
  455. data/third_party/boringssl/ssl/d1_pkt.cc +4 -4
  456. data/third_party/boringssl/ssl/d1_srtp.cc +15 -15
  457. data/third_party/boringssl/ssl/dtls_method.cc +0 -1
  458. data/third_party/boringssl/ssl/dtls_record.cc +28 -28
  459. data/third_party/boringssl/ssl/handoff.cc +295 -91
  460. data/third_party/boringssl/ssl/handshake.cc +133 -72
  461. data/third_party/boringssl/ssl/handshake_client.cc +218 -189
  462. data/third_party/boringssl/ssl/handshake_server.cc +399 -272
  463. data/third_party/boringssl/ssl/internal.h +1413 -928
  464. data/third_party/boringssl/ssl/s3_both.cc +175 -36
  465. data/third_party/boringssl/ssl/s3_lib.cc +9 -13
  466. data/third_party/boringssl/ssl/s3_pkt.cc +63 -29
  467. data/third_party/boringssl/ssl/ssl_aead_ctx.cc +55 -35
  468. data/third_party/boringssl/ssl/ssl_asn1.cc +57 -73
  469. data/third_party/boringssl/ssl/ssl_buffer.cc +13 -12
  470. data/third_party/boringssl/ssl/ssl_cert.cc +313 -210
  471. data/third_party/boringssl/ssl/ssl_cipher.cc +159 -221
  472. data/third_party/boringssl/ssl/ssl_file.cc +2 -0
  473. data/third_party/boringssl/ssl/ssl_key_share.cc +164 -19
  474. data/third_party/boringssl/ssl/ssl_lib.cc +847 -555
  475. data/third_party/boringssl/ssl/ssl_privkey.cc +441 -111
  476. data/third_party/boringssl/ssl/ssl_session.cc +230 -178
  477. data/third_party/boringssl/ssl/ssl_transcript.cc +21 -142
  478. data/third_party/boringssl/ssl/ssl_versions.cc +88 -93
  479. data/third_party/boringssl/ssl/ssl_x509.cc +279 -218
  480. data/third_party/boringssl/ssl/t1_enc.cc +5 -96
  481. data/third_party/boringssl/ssl/t1_lib.cc +931 -678
  482. data/third_party/boringssl/ssl/tls13_both.cc +251 -121
  483. data/third_party/boringssl/ssl/tls13_client.cc +129 -73
  484. data/third_party/boringssl/ssl/tls13_enc.cc +350 -282
  485. data/third_party/boringssl/ssl/tls13_server.cc +259 -192
  486. data/third_party/boringssl/ssl/tls_method.cc +26 -21
  487. data/third_party/boringssl/ssl/tls_record.cc +42 -47
  488. data/third_party/boringssl/third_party/fiat/curve25519.c +261 -1324
  489. data/third_party/boringssl/third_party/fiat/curve25519_32.h +911 -0
  490. data/third_party/boringssl/third_party/fiat/curve25519_64.h +559 -0
  491. data/third_party/boringssl/third_party/fiat/p256.c +238 -999
  492. data/third_party/boringssl/third_party/fiat/p256_32.h +3226 -0
  493. data/third_party/boringssl/third_party/fiat/p256_64.h +1217 -0
  494. data/third_party/upb/upb/port_def.inc +1 -1
  495. data/third_party/upb/upb/table.c +2 -1
  496. metadata +72 -44
  497. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_load_balancer_api.h +0 -127
  498. data/src/core/lib/gpr/mpscq.cc +0 -117
  499. data/src/core/lib/gpr/mpscq.h +0 -88
  500. data/src/core/lib/gprpp/abstract.h +0 -47
  501. data/src/core/lib/gprpp/pair.h +0 -38
  502. data/third_party/boringssl/crypto/cipher_extra/e_ssl3.c +0 -460
  503. data/third_party/boringssl/crypto/fipsmodule/modes/ccm.c +0 -256
  504. data/third_party/boringssl/include/openssl/lhash_macros.h +0 -174
  505. data/third_party/boringssl/ssl/custom_extensions.cc +0 -265
@@ -0,0 +1,84 @@
1
+ /* Copyright (c) 2018, Google Inc.
2
+ *
3
+ * Permission to use, copy, modify, and/or distribute this software for any
4
+ * purpose with or without fee is hereby granted, provided that the above
5
+ * copyright notice and this permission notice appear in all copies.
6
+ *
7
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
+
15
+ #include <openssl/ec.h>
16
+
17
+ #include <assert.h>
18
+
19
+ #include "internal.h"
20
+ #include "../bn/internal.h"
21
+ #include "../../internal.h"
22
+
23
+
24
+ void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r,
25
+ const EC_RAW_POINT *p, const EC_SCALAR *scalar) {
26
+ // This is a generic implementation for uncommon curves that not do not
27
+ // warrant a tuned one. It uses unsigned digits so that the doubling case in
28
+ // |ec_GFp_mont_add| is always unreachable, erring on safety and simplicity.
29
+
30
+ // Compute a table of the first 32 multiples of |p| (including infinity).
31
+ EC_RAW_POINT precomp[32];
32
+ ec_GFp_simple_point_set_to_infinity(group, &precomp[0]);
33
+ ec_GFp_simple_point_copy(&precomp[1], p);
34
+ for (size_t j = 2; j < OPENSSL_ARRAY_SIZE(precomp); j++) {
35
+ if (j & 1) {
36
+ ec_GFp_mont_add(group, &precomp[j], &precomp[1], &precomp[j - 1]);
37
+ } else {
38
+ ec_GFp_mont_dbl(group, &precomp[j], &precomp[j / 2]);
39
+ }
40
+ }
41
+
42
+ // Divide bits in |scalar| into windows.
43
+ unsigned bits = BN_num_bits(&group->order);
44
+ int r_is_at_infinity = 1;
45
+ for (unsigned i = bits - 1; i < bits; i--) {
46
+ if (!r_is_at_infinity) {
47
+ ec_GFp_mont_dbl(group, r, r);
48
+ }
49
+ if (i % 5 == 0) {
50
+ // Compute the next window value.
51
+ const size_t width = group->order.width;
52
+ uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 4;
53
+ window |= bn_is_bit_set_words(scalar->words, width, i + 3) << 3;
54
+ window |= bn_is_bit_set_words(scalar->words, width, i + 2) << 2;
55
+ window |= bn_is_bit_set_words(scalar->words, width, i + 1) << 1;
56
+ window |= bn_is_bit_set_words(scalar->words, width, i);
57
+
58
+ // Select the entry in constant-time.
59
+ EC_RAW_POINT tmp;
60
+ OPENSSL_memset(&tmp, 0, sizeof(EC_RAW_POINT));
61
+ for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(precomp); j++) {
62
+ BN_ULONG mask = constant_time_eq_w(j, window);
63
+ ec_felem_select(group, &tmp.X, mask, &precomp[j].X, &tmp.X);
64
+ ec_felem_select(group, &tmp.Y, mask, &precomp[j].Y, &tmp.Y);
65
+ ec_felem_select(group, &tmp.Z, mask, &precomp[j].Z, &tmp.Z);
66
+ }
67
+
68
+ if (r_is_at_infinity) {
69
+ ec_GFp_simple_point_copy(r, &tmp);
70
+ r_is_at_infinity = 0;
71
+ } else {
72
+ ec_GFp_mont_add(group, r, r, &tmp);
73
+ }
74
+ }
75
+ }
76
+ if (r_is_at_infinity) {
77
+ ec_GFp_simple_point_set_to_infinity(group, r);
78
+ }
79
+ }
80
+
81
+ void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_RAW_POINT *r,
82
+ const EC_SCALAR *scalar) {
83
+ ec_GFp_mont_mul(group, r, &group->generator->raw, scalar);
84
+ }
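Review bot: ec_GFp_mont_mul states no preconditions even though its safety argument depends on them: the opening comment says the doubling case in ec_GFp_mont_add is unreachable, which presumably holds only for a fully reduced scalar, and the window reads at `i + 4` … `i + 1` can index past the top bit of the order, so the code relies on bn_is_bit_set_words (defined outside this diff) returning 0 for out-of-range bits. A header comment would make both explicit, e.g. `// |scalar| is secret and must be fully reduced mod the group order; window bits beyond the scalar's words read as zero.` The countdown `for (unsigned i = bits - 1; i < bits; i--)` terminates by unsigned wraparound and deserves a short comment saying so. The existing comment also has a typo: `that not do not warrant` should read `that do not warrant`.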
@@ -18,6 +18,7 @@
18
18
 
19
19
  #include "internal.h"
20
20
 
21
+
21
22
  // This function looks at 5+1 scalar bits (5 current, 1 adjacent less
22
23
  // significant bit), and recodes them into a signed digit for use in fast point
23
24
  // multiplication: the use of signed rather than unsigned digits means that
@@ -43,13 +44,13 @@
43
44
  // of a nonnegative integer (b_k in {0, 1}), rewrite it in digits 0, 1, -1
44
45
  // by using bit-wise subtraction as follows:
45
46
  //
46
- // b_k b_(k-1) ... b_2 b_1 b_0
47
- // - b_k ... b_3 b_2 b_1 b_0
48
- // -------------------------------------
49
- // s_k b_(k-1) ... s_3 s_2 s_1 s_0
47
+ // b_k b_(k-1) ... b_2 b_1 b_0
48
+ // - b_k ... b_3 b_2 b_1 b_0
49
+ // -----------------------------------------
50
+ // s_(k+1) s_k ... s_3 s_2 s_1 s_0
50
51
  //
51
52
  // A left-shift followed by subtraction of the original value yields a new
52
- // representation of the same value, using signed bits s_i = b_(i+1) - b_i.
53
+ // representation of the same value, using signed bits s_i = b_(i-1) - b_i.
53
54
  // This representation from Booth's paper has since appeared in the
54
55
  // literature under a variety of different names including "reversed binary
55
56
  // form", "alternating greedy expansion", "mutual opposite form", and
@@ -73,7 +74,7 @@
73
74
  // (1961), pp. 67-91), in a radix-2^5 setting. That is, we always combine five
74
75
  // signed bits into a signed digit:
75
76
  //
76
- // s_(4j + 4) s_(4j + 3) s_(4j + 2) s_(4j + 1) s_(4j)
77
+ // s_(5j + 4) s_(5j + 3) s_(5j + 2) s_(5j + 1) s_(5j)
77
78
  //
78
79
  // The sign-alternating property implies that the resulting digit values are
79
80
  // integers from -16 to 16.
@@ -81,14 +82,164 @@
81
82
  // Of course, we don't actually need to compute the signed digits s_i as an
82
83
  // intermediate step (that's just a nice way to see how this scheme relates
83
84
  // to the wNAF): a direct computation obtains the recoded digit from the
84
- // six bits b_(4j + 4) ... b_(4j - 1).
85
+ // six bits b_(5j + 4) ... b_(5j - 1).
85
86
  //
86
- // This function takes those five bits as an integer (0 .. 63), writing the
87
+ // This function takes those six bits as an integer (0 .. 63), writing the
87
88
  // recoded digit to *sign (0 for positive, 1 for negative) and *digit (absolute
88
- // value, in the range 0 .. 8). Note that this integer essentially provides the
89
- // input bits "shifted to the left" by one position: for example, the input to
90
- // compute the least significant recoded digit, given that there's no bit b_-1,
91
- // has to be b_4 b_3 b_2 b_1 b_0 0.
89
+ // value, in the range 0 .. 16). Note that this integer essentially provides
90
+ // the input bits "shifted to the left" by one position: for example, the input
91
+ // to compute the least significant recoded digit, given that there's no bit
92
+ // b_-1, has to be b_4 b_3 b_2 b_1 b_0 0.
93
+ //
94
+ // DOUBLING CASE:
95
+ //
96
+ // Point addition formulas for short Weierstrass curves are often incomplete.
97
+ // Edge cases such as P + P or P + ∞ must be handled separately. This
98
+ // complicates constant-time requirements. P + ∞ cannot be avoided (any window
99
+ // may be zero) and is handled with constant-time selects. P + P (where P is not
100
+ // ∞) usually is not. Instead, windowing strategies are chosen to avoid this
101
+ // case. Whether this happens depends on the group order.
102
+ //
103
+ // Let w be the window width (in this function, w = 5). The non-trivial doubling
104
+ // case in single-point scalar multiplication may occur if and only if the
105
+ // 2^(w-1) bit of the group order is zero.
106
+ //
107
+ // Note the above only holds if the scalar is fully reduced and the group order
108
+ // is a prime that is much larger than 2^w. It also only holds when windows
109
+ // are applied from most significant to least significant, doubling between each
110
+ // window. It does not apply to more complex table strategies such as
111
+ // |EC_GFp_nistz256_method|.
112
+ //
113
+ // PROOF:
114
+ //
115
+ // Let n be the group order. Let l be the number of bits needed to represent n.
116
+ // Assume there exists some 0 <= k < n such that signed w-bit windowed
117
+ // multiplication hits the doubling case.
118
+ //
119
+ // Windowed multiplication consists of iterating over groups of s_i (defined
120
+ // above based on k's binary representation) from most to least significant. At
121
+ // iteration i (for i = ..., 3w, 2w, w, 0, starting from the most significant
122
+ // window), we:
123
+ //
124
+ // 1. Double the accumulator A, w times. Let A_i be the value of A at this
125
+ // point.
126
+ //
127
+ // 2. Set A to T_i + A_i, where T_i is a precomputed multiple of P
128
+ // corresponding to the window s_(i+w-1) ... s_i.
129
+ //
130
+ // Let j be the index such that A_j = T_j ≠ ∞. Looking at A_i and T_i as
131
+ // multiples of P, define a_i and t_i to be scalar coefficients of A_i and T_i.
132
+ // Thus a_j = t_j ≠ 0 (mod n). Note a_i and t_i may not be reduced mod n. t_i is
133
+ // the value of the w signed bits s_(i+w-1) ... s_i. a_i is computed as a_i =
134
+ // 2^w * (a_(i+w) + t_(i+w)).
135
+ //
136
+ // t_i is bounded by -2^(w-1) <= t_i <= 2^(w-1). Additionally, we may write it
137
+ // in terms of unsigned bits b_i. t_i consists of signed bits s_(i+w-1) ... s_i.
138
+ // This is computed as:
139
+ //
140
+ // b_(i+w-2) b_(i+w-3) ... b_i b_(i-1)
141
+ // - b_(i+w-1) b_(i+w-2) ... b_(i+1) b_i
142
+ // --------------------------------------------
143
+ // t_i = s_(i+w-1) s_(i+w-2) ... s_(i+1) s_i
144
+ //
145
+ // Observe that b_(i+w-2) through b_i occur in both terms. Let x be the integer
146
+ // represented by that bit string, i.e. 2^(w-2)*b_(i+w-2) + ... + b_i.
147
+ //
148
+ // t_i = (2*x + b_(i-1)) - (2^(w-1)*b_(i+w-1) + x)
149
+ // = x - 2^(w-1)*b_(i+w-1) + b_(i-1)
150
+ //
151
+ // Or, using C notation for bit operations:
152
+ //
153
+ // t_i = (k>>i) & ((1<<(w-1)) - 1) - (k>>i) & (1<<(w-1)) + (k>>(i-1)) & 1
154
+ //
155
+ // Note b_(i-1) is added in left-shifted by one (or doubled) from its place.
156
+ // This is compensated by t_(i-w)'s subtraction term. Thus, a_i may be computed
157
+ // by adding b_l b_(l-1) ... b_(i+1) b_i and an extra copy of b_(i-1). In C
158
+ // notation, this is:
159
+ //
160
+ // a_i = (k>>(i+w)) << w + ((k>>(i+w-1)) & 1) << w
161
+ //
162
+ // Observe that, while t_i may be positive or negative, a_i is bounded by
163
+ // 0 <= a_i < n + 2^w. Additionally, a_i can only be zero if b_(i+w-1) and up
164
+ // are all zero. (Note this implies a non-trivial P + (-P) is unreachable for
165
+ // all groups. That would imply the subsequent a_i is zero, which means all
166
+ // terms thus far were zero.)
167
+ //
168
+ // Returning to our doubling position, we have a_j = t_j (mod n). We now
169
+ // determine the value of a_j - t_j, which must be divisible by n. Our bounds on
170
+ // a_j and t_j imply a_j - t_j is 0 or n. If it is 0, a_j = t_j. However, 2^w
171
+ // divides a_j and -2^(w-1) <= t_j <= 2^(w-1), so this can only happen if
172
+ // a_j = t_j = 0, which is a trivial doubling. Therefore, a_j - t_j = n.
173
+ //
174
+ // Now we determine j. Suppose j > 0. w divides j, so j >= w. Then,
175
+ //
176
+ // n = a_j - t_j = (k>>(j+w)) << w + ((k>>(j+w-1)) & 1) << w - t_j
177
+ // <= k/2^j + 2^w - t_j
178
+ // < n/2^w + 2^w + 2^(w-1)
179
+ //
180
+ // n is much larger than 2^w, so this is impossible. Thus, j = 0: only the final
181
+ // addition may hit the doubling case.
182
+ //
183
+ // Finally, we consider bit patterns for n and k. Divide k into k_H + k_M + k_L
184
+ // such that k_H is the contribution from b_(l-1) .. b_w, k_M is the
185
+ // contribution from b_(w-1), and k_L is the contribution from b_(w-2) ... b_0.
186
+ // That is:
187
+ //
188
+ // - 2^w divides k_H
189
+ // - k_M is 0 or 2^(w-1)
190
+ // - 0 <= k_L < 2^(w-1)
191
+ //
192
+ // Divide n into n_H + n_M + n_L similarly. We thus have:
193
+ //
194
+ // t_0 = (k>>0) & ((1<<(w-1)) - 1) - (k>>0) & (1<<(w-1)) + (k>>(0-1)) & 1
195
+ // = k & ((1<<(w-1)) - 1) - k & (1<<(w-1))
196
+ // = k_L - k_M
197
+ //
198
+ // a_0 = (k>>(0+w)) << w + ((k>>(0+w-1)) & 1) << w
199
+ // = (k>>w) << w + ((k>>(w-1)) & 1) << w
200
+ // = k_H + 2*k_M
201
+ //
202
+ // n = a_0 - t_0
203
+ // n_H + n_M + n_L = (k_H + 2*k_M) - (k_L - k_M)
204
+ // = k_H + 3*k_M - k_L
205
+ //
206
+ // k_H - k_L < k and k < n, so k_H - k_L ≠ n. Therefore k_M is not 0 and must be
207
+ // 2^(w-1). Now we consider k_H and n_H. We know k_H <= n_H. Suppose k_H = n_H.
208
+ // Then,
209
+ //
210
+ // n_M + n_L = 3*(2^(w-1)) - k_L
211
+ // > 3*(2^(w-1)) - 2^(w-1)
212
+ // = 2^w
213
+ //
214
+ // Contradiction (n_M + n_L is the bottom w bits of n). Thus k_H < n_H. Suppose
215
+ // k_H < n_H - 2*2^w. Then,
216
+ //
217
+ // n_H + n_M + n_L = k_H + 3*(2^(w-1)) - k_L
218
+ // < n_H - 2*2^w + 3*(2^(w-1)) - k_L
219
+ // n_M + n_L < -2^(w-1) - k_L
220
+ //
221
+ // Contradiction. Thus, k_H = n_H - 2^w. (Note 2^w divides n_H and k_H.) Thus,
222
+ //
223
+ // n_H + n_M + n_L = k_H + 3*(2^(w-1)) - k_L
224
+ // = n_H - 2^w + 3*(2^(w-1)) - k_L
225
+ // n_M + n_L = 2^(w-1) - k_L
226
+ // <= 2^(w-1)
227
+ //
228
+ // Equality would mean 2^(w-1) divides n, which is impossible if n is prime.
229
+ // Thus n_M + n_L < 2^(w-1), so n_M is zero, proving our condition.
230
+ //
231
+ // This proof constructs k, so, to show the converse, let k_H = n_H - 2^w,
232
+ // k_M = 2^(w-1), k_L = 2^(w-1) - n_L. This will result in a non-trivial point
233
+ // doubling in the final addition and is the only such scalar.
234
+ //
235
+ // COMMON CURVES:
236
+ //
237
+ // The group orders for common curves end in the following bit patterns:
238
+ //
239
+ // P-521: ...00001001; w = 4 is okay
240
+ // P-384: ...01110011; w = 2, 5, 6, 7 are okay
241
+ // P-256: ...01010001; w = 5, 7 are okay
242
+ // P-224: ...00111101; w = 3, 4, 5, 6 are okay
92
243
  void ec_GFp_nistp_recode_scalar_bits(uint8_t *sign, uint8_t *digit,
93
244
  uint8_t in) {
94
245
  uint8_t s, d;
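Review bot: The formulas introduced as "C notation for bit operations" in the new proof comment do not mean what is intended under C precedence, since `-` and `+` bind tighter than `<<`/`>>`, which in turn bind tighter than `&`; a reader transcribing them into a test would compute something else. Parenthesising fixes it, e.g. `t_i = ((k>>i) & ((1<<(w-1)) - 1)) - ((k>>i) & (1<<(w-1))) + ((k>>(i-1)) & 1)` and `a_i = ((k>>(i+w)) << w) + (((k>>(i+w-1)) & 1) << w)`, and the `(k>>(0-1)) & 1` step for t_0 should say that b_(-1) is defined as 0 rather than be written as a negative shift. The COMMON CURVES table lists only w = 4 as safe for P-521 while this comment fixes w = 5; a closing sentence naming which curves are expected to reach this recoding (the callers are outside this diff) would tell maintainers whether the doubling case is excluded for them. The body of ec_GFp_nistp_recode_scalar_bits continues outside the hunk.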
@@ -67,13 +67,12 @@
67
67
 
68
68
  #include <openssl/ec.h>
69
69
 
70
+ #include <assert.h>
70
71
  #include <string.h>
71
72
 
72
73
  #include <openssl/bn.h>
73
74
  #include <openssl/err.h>
74
- #include <openssl/mem.h>
75
75
  #include <openssl/thread.h>
76
- #include <openssl/type_check.h>
77
76
 
78
77
  #include "internal.h"
79
78
  #include "../bn/internal.h"
@@ -85,270 +84,144 @@
85
84
  // http://link.springer.com/chapter/10.1007%2F3-540-45537-X_13
86
85
  // http://www.bmoeller.de/pdf/TI-01-08.multiexp.pdf
87
86
 
88
- int ec_compute_wNAF(const EC_GROUP *group, int8_t *out, const EC_SCALAR *scalar,
89
- size_t bits, int w) {
87
+ void ec_compute_wNAF(const EC_GROUP *group, int8_t *out,
88
+ const EC_SCALAR *scalar, size_t bits, int w) {
90
89
  // 'int8_t' can represent integers with absolute values less than 2^7.
91
- if (w <= 0 || w > 7 || bits == 0) {
92
- OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
93
- return 0;
94
- }
95
- int bit = 1 << w; // at most 128
96
- int next_bit = bit << 1; // at most 256
90
+ assert(0 < w && w <= 7);
91
+ assert(bits != 0);
92
+ int bit = 1 << w; // 2^w, at most 128
93
+ int next_bit = bit << 1; // 2^(w+1), at most 256
97
94
  int mask = next_bit - 1; // at most 255
98
95
 
99
96
  int window_val = scalar->words[0] & mask;
100
- size_t j = 0;
101
- // If j+w+1 >= bits, window_val will not increase.
102
- while (window_val != 0 || j + w + 1 < bits) {
97
+ for (size_t j = 0; j < bits + 1; j++) {
98
+ assert(0 <= window_val && window_val <= next_bit);
103
99
  int digit = 0;
104
-
105
- // 0 <= window_val <= 2^(w+1)
106
-
107
100
  if (window_val & 1) {
108
- // 0 < window_val < 2^(w+1)
109
-
101
+ assert(0 < window_val && window_val < next_bit);
110
102
  if (window_val & bit) {
111
- digit = window_val - next_bit; // -2^w < digit < 0
103
+ digit = window_val - next_bit;
104
+ // We know -next_bit < digit < 0 and window_val - digit = next_bit.
112
105
 
113
- #if 1 // modified wNAF
106
+ // modified wNAF
114
107
  if (j + w + 1 >= bits) {
115
108
  // special case for generating modified wNAFs:
116
109
  // no new bits will be added into window_val,
117
110
  // so using a positive digit here will decrease
118
111
  // the total length of the representation
119
112
 
120
- digit = window_val & (mask >> 1); // 0 < digit < 2^w
113
+ digit = window_val & (mask >> 1);
114
+ // We know 0 < digit < bit and window_val - digit = bit.
121
115
  }
122
- #endif
123
116
  } else {
124
- digit = window_val; // 0 < digit < 2^w
125
- }
126
-
127
- if (digit <= -bit || digit >= bit || !(digit & 1)) {
128
- OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
129
- return 0;
117
+ digit = window_val;
118
+ // We know 0 < digit < bit and window_val - digit = 0.
130
119
  }
131
120
 
132
121
  window_val -= digit;
133
122
 
134
- // Now window_val is 0 or 2^(w+1) in standard wNAF generation;
135
- // for modified window NAFs, it may also be 2^w.
136
- if (window_val != 0 && window_val != next_bit && window_val != bit) {
137
- OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
138
- return 0;
139
- }
123
+ // Now window_val is 0 or 2^(w+1) in standard wNAF generation.
124
+ // For modified window NAFs, it may also be 2^w.
125
+ //
126
+ // See the comments above for the derivation of each of these bounds.
127
+ assert(window_val == 0 || window_val == next_bit || window_val == bit);
128
+ assert(-bit < digit && digit < bit);
129
+
130
+ // window_val was odd, so digit is also odd.
131
+ assert(digit & 1);
140
132
  }
141
133
 
142
- out[j++] = digit;
134
+ out[j] = digit;
143
135
 
136
+ // Incorporate the next bit. Previously, |window_val| <= |next_bit|, so if
137
+ // we shift and add at most one copy of |bit|, this will continue to hold
138
+ // afterwards.
144
139
  window_val >>= 1;
145
140
  window_val +=
146
- bit * bn_is_bit_set_words(scalar->words, group->order.width, j + w);
147
-
148
- if (window_val > next_bit) {
149
- OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
150
- return 0;
151
- }
152
- }
153
-
154
- // Fill the rest of the wNAF with zeros.
155
- if (j > bits + 1) {
156
- OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
157
- return 0;
158
- }
159
- for (size_t i = j; i < bits + 1; i++) {
160
- out[i] = 0;
141
+ bit * bn_is_bit_set_words(scalar->words, group->order.width, j + w + 1);
142
+ assert(window_val <= next_bit);
161
143
  }
162
144
 
163
- return 1;
145
+ // bits + 1 entries should be sufficient to consume all bits.
146
+ assert(window_val == 0);
164
147
  }
165
148
 
166
- // TODO: table should be optimised for the wNAF-based implementation,
167
- // sometimes smaller windows will give better performance
168
- // (thus the boundaries should be increased)
169
- static size_t window_bits_for_scalar_size(size_t b) {
170
- if (b >= 300) {
171
- return 4;
172
- }
173
-
174
- if (b >= 70) {
175
- return 3;
176
- }
177
-
178
- if (b >= 20) {
179
- return 2;
180
- }
181
-
182
- return 1;
183
- }
184
-
185
- // EC_WNAF_MAX_WINDOW_BITS is the largest value returned by
186
- // |window_bits_for_scalar_size|.
187
- #define EC_WNAF_MAX_WINDOW_BITS 4
188
-
189
- // compute_precomp sets |out[i]| to a newly-allocated |EC_POINT| containing
190
- // (2*i+1)*p, for i from 0 to |len|. It returns one on success and
191
- // zero on error.
192
- static int compute_precomp(const EC_GROUP *group, EC_POINT **out,
193
- const EC_POINT *p, size_t len, BN_CTX *ctx) {
194
- out[0] = EC_POINT_new(group);
195
- if (out[0] == NULL ||
196
- !EC_POINT_copy(out[0], p)) {
197
- return 0;
198
- }
199
-
200
- int ret = 0;
201
- EC_POINT *two_p = EC_POINT_new(group);
202
- if (two_p == NULL ||
203
- !EC_POINT_dbl(group, two_p, p, ctx)) {
204
- goto err;
205
- }
206
-
149
+ // compute_precomp sets |out[i]| to (2*i+1)*p, for i from 0 to |len|.
150
+ static void compute_precomp(const EC_GROUP *group, EC_RAW_POINT *out,
151
+ const EC_RAW_POINT *p, size_t len) {
152
+ ec_GFp_simple_point_copy(&out[0], p);
153
+ EC_RAW_POINT two_p;
154
+ ec_GFp_mont_dbl(group, &two_p, p);
207
155
  for (size_t i = 1; i < len; i++) {
208
- out[i] = EC_POINT_new(group);
209
- if (out[i] == NULL ||
210
- !EC_POINT_add(group, out[i], out[i - 1], two_p, ctx)) {
211
- goto err;
212
- }
156
+ ec_GFp_mont_add(group, &out[i], &out[i - 1], &two_p);
213
157
  }
214
-
215
- ret = 1;
216
-
217
- err:
218
- EC_POINT_free(two_p);
219
- return ret;
220
158
  }
221
159
 
222
- static int lookup_precomp(const EC_GROUP *group, EC_POINT *out,
223
- EC_POINT *const *precomp, int digit, BN_CTX *ctx) {
160
+ static void lookup_precomp(const EC_GROUP *group, EC_RAW_POINT *out,
161
+ const EC_RAW_POINT *precomp, int digit) {
224
162
  if (digit < 0) {
225
163
  digit = -digit;
226
- return EC_POINT_copy(out, precomp[digit >> 1]) &&
227
- EC_POINT_invert(group, out, ctx);
164
+ ec_GFp_simple_point_copy(out, &precomp[digit >> 1]);
165
+ ec_GFp_simple_invert(group, out);
166
+ } else {
167
+ ec_GFp_simple_point_copy(out, &precomp[digit >> 1]);
228
168
  }
229
-
230
- return EC_POINT_copy(out, precomp[digit >> 1]);
231
169
  }
232
170
 
233
- int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const EC_SCALAR *g_scalar,
234
- const EC_POINT *p, const EC_SCALAR *p_scalar, BN_CTX *ctx) {
235
- BN_CTX *new_ctx = NULL;
236
- EC_POINT *precomp_storage[2 * (1 << (EC_WNAF_MAX_WINDOW_BITS - 1))] = {NULL};
237
- EC_POINT **g_precomp = NULL, **p_precomp = NULL;
238
- int8_t g_wNAF[EC_MAX_SCALAR_BYTES * 8 + 1];
239
- int8_t p_wNAF[EC_MAX_SCALAR_BYTES * 8 + 1];
240
- EC_POINT *tmp = NULL;
241
- int ret = 0;
171
+ // EC_WNAF_WINDOW_BITS is the window size to use for |ec_GFp_mont_mul_public|.
172
+ #define EC_WNAF_WINDOW_BITS 4
242
173
 
243
- if (ctx == NULL) {
244
- ctx = new_ctx = BN_CTX_new();
245
- if (ctx == NULL) {
246
- goto err;
247
- }
248
- }
174
+ // EC_WNAF_TABLE_SIZE is the table size to use for |ec_GFp_mont_mul_public|.
175
+ #define EC_WNAF_TABLE_SIZE (1 << (EC_WNAF_WINDOW_BITS - 1))
249
176
 
177
+ void ec_GFp_mont_mul_public(const EC_GROUP *group, EC_RAW_POINT *r,
178
+ const EC_SCALAR *g_scalar, const EC_RAW_POINT *p,
179
+ const EC_SCALAR *p_scalar) {
250
180
  size_t bits = BN_num_bits(&group->order);
251
- size_t wsize = window_bits_for_scalar_size(bits);
252
181
  size_t wNAF_len = bits + 1;
253
- size_t precomp_len = (size_t)1 << (wsize - 1);
254
182
 
255
- OPENSSL_COMPILE_ASSERT(
256
- OPENSSL_ARRAY_SIZE(g_wNAF) == OPENSSL_ARRAY_SIZE(p_wNAF),
257
- g_wNAF_and_p_wNAF_are_different_sizes);
183
+ int8_t g_wNAF[EC_MAX_BYTES * 8 + 1];
184
+ EC_RAW_POINT g_precomp[EC_WNAF_TABLE_SIZE];
185
+ assert(wNAF_len <= OPENSSL_ARRAY_SIZE(g_wNAF));
186
+ const EC_RAW_POINT *g = &group->generator->raw;
187
+ ec_compute_wNAF(group, g_wNAF, g_scalar, bits, EC_WNAF_WINDOW_BITS);
188
+ compute_precomp(group, g_precomp, g, EC_WNAF_TABLE_SIZE);
258
189
 
259
- if (wNAF_len > OPENSSL_ARRAY_SIZE(g_wNAF) ||
260
- 2 * precomp_len > OPENSSL_ARRAY_SIZE(precomp_storage)) {
261
- OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
262
- goto err;
263
- }
264
-
265
- // TODO(davidben): |mul_public| is for ECDSA verification which can assume
266
- // non-NULL inputs, but this code is also used for |mul| which cannot. It's
267
- // not constant-time, so replace the generic |mul| and remove the NULL checks.
268
- size_t total_precomp = 0;
269
- if (g_scalar != NULL) {
270
- const EC_POINT *g = EC_GROUP_get0_generator(group);
271
- if (g == NULL) {
272
- OPENSSL_PUT_ERROR(EC, EC_R_UNDEFINED_GENERATOR);
273
- goto err;
274
- }
275
- g_precomp = precomp_storage + total_precomp;
276
- total_precomp += precomp_len;
277
- if (!ec_compute_wNAF(group, g_wNAF, g_scalar, bits, wsize) ||
278
- !compute_precomp(group, g_precomp, g, precomp_len, ctx)) {
279
- goto err;
280
- }
281
- }
282
-
283
- if (p_scalar != NULL) {
284
- p_precomp = precomp_storage + total_precomp;
285
- total_precomp += precomp_len;
286
- if (!ec_compute_wNAF(group, p_wNAF, p_scalar, bits, wsize) ||
287
- !compute_precomp(group, p_precomp, p, precomp_len, ctx)) {
288
- goto err;
289
- }
290
- }
291
-
292
- tmp = EC_POINT_new(group);
293
- if (tmp == NULL ||
294
- // |window_bits_for_scalar_size| assumes we do this step.
295
- !EC_POINTs_make_affine(group, total_precomp, precomp_storage, ctx)) {
296
- goto err;
297
- }
190
+ int8_t p_wNAF[EC_MAX_BYTES * 8 + 1];
191
+ EC_RAW_POINT p_precomp[EC_WNAF_TABLE_SIZE];
192
+ assert(wNAF_len <= OPENSSL_ARRAY_SIZE(p_wNAF));
193
+ ec_compute_wNAF(group, p_wNAF, p_scalar, bits, EC_WNAF_WINDOW_BITS);
194
+ compute_precomp(group, p_precomp, p, EC_WNAF_TABLE_SIZE);
298
195
 
196
+ EC_RAW_POINT tmp;
299
197
  int r_is_at_infinity = 1;
300
198
  for (size_t k = wNAF_len - 1; k < wNAF_len; k--) {
301
- if (!r_is_at_infinity && !EC_POINT_dbl(group, r, r, ctx)) {
302
- goto err;
199
+ if (!r_is_at_infinity) {
200
+ ec_GFp_mont_dbl(group, r, r);
303
201
  }
304
202
 
305
- if (g_scalar != NULL) {
306
- if (g_wNAF[k] != 0) {
307
- if (!lookup_precomp(group, tmp, g_precomp, g_wNAF[k], ctx)) {
308
- goto err;
309
- }
310
- if (r_is_at_infinity) {
311
- if (!EC_POINT_copy(r, tmp)) {
312
- goto err;
313
- }
314
- r_is_at_infinity = 0;
315
- } else if (!EC_POINT_add(group, r, r, tmp, ctx)) {
316
- goto err;
317
- }
203
+ if (g_wNAF[k] != 0) {
204
+ lookup_precomp(group, &tmp, g_precomp, g_wNAF[k]);
205
+ if (r_is_at_infinity) {
206
+ ec_GFp_simple_point_copy(r, &tmp);
207
+ r_is_at_infinity = 0;
208
+ } else {
209
+ ec_GFp_mont_add(group, r, r, &tmp);
318
210
  }
319
211
  }
320
212
 
321
- if (p_scalar != NULL) {
322
- if (p_wNAF[k] != 0) {
323
- if (!lookup_precomp(group, tmp, p_precomp, p_wNAF[k], ctx)) {
324
- goto err;
325
- }
326
- if (r_is_at_infinity) {
327
- if (!EC_POINT_copy(r, tmp)) {
328
- goto err;
329
- }
330
- r_is_at_infinity = 0;
331
- } else if (!EC_POINT_add(group, r, r, tmp, ctx)) {
332
- goto err;
333
- }
213
+ if (p_wNAF[k] != 0) {
214
+ lookup_precomp(group, &tmp, p_precomp, p_wNAF[k]);
215
+ if (r_is_at_infinity) {
216
+ ec_GFp_simple_point_copy(r, &tmp);
217
+ r_is_at_infinity = 0;
218
+ } else {
219
+ ec_GFp_mont_add(group, r, r, &tmp);
334
220
  }
335
221
  }
336
222
  }
337
223
 
338
- if (r_is_at_infinity &&
339
- !EC_POINT_set_to_infinity(group, r)) {
340
- goto err;
341
- }
342
-
343
- ret = 1;
344
-
345
- err:
346
- BN_CTX_free(new_ctx);
347
- EC_POINT_free(tmp);
348
- OPENSSL_cleanse(&g_wNAF, sizeof(g_wNAF));
349
- OPENSSL_cleanse(&p_wNAF, sizeof(p_wNAF));
350
- for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(precomp_storage); i++) {
351
- EC_POINT_free(precomp_storage[i]);
224
+ if (r_is_at_infinity) {
225
+ ec_GFp_simple_point_set_to_infinity(group, r);
352
226
  }
353
- return ret;
354
227
  }
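Review bot: The bounds checks that protect the stack arrays in ec_GFp_mont_mul_public are now `assert`s only: `assert(wNAF_len <= OPENSSL_ARRAY_SIZE(g_wNAF))` and its p_wNAF twin are the sole guards before ec_compute_wNAF writes `bits + 1` entries into `g_wNAF`/`p_wNAF`, and they compile out under NDEBUG, where the removed code returned an error instead. If the bound on the group order is enforced when the EC_GROUP is constructed (not visible in this diff), say so next to the arrays, e.g. `// BN_num_bits(&group->order) <= EC_MAX_BYTES * 8 is an EC_GROUP invariant; the asserts below only document it.`; otherwise keep a check that survives release builds. ec_GFp_mont_mul_public also no longer tolerates a NULL `g_scalar` or `p_scalar` and branches on the wNAF digits, so its header comment should state that both scalars are required and must be public values.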