grpc 1.28.0 → 1.30.2
- checksums.yaml +4 -4
- data/Makefile +7694 -11190
- data/include/grpc/grpc.h +2 -2
- data/include/grpc/grpc_security.h +30 -9
- data/include/grpc/grpc_security_constants.h +1 -0
- data/include/grpc/impl/codegen/grpc_types.h +19 -21
- data/include/grpc/impl/codegen/port_platform.h +6 -2
- data/include/grpc/module.modulemap +24 -39
- data/src/core/ext/filters/client_channel/backend_metric.cc +7 -4
- data/src/core/ext/filters/client_channel/client_channel.cc +212 -241
- data/src/core/ext/filters/client_channel/client_channel_plugin.cc +3 -2
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +7 -22
- data/src/core/ext/filters/client_channel/health/health_check_client.h +3 -3
- data/src/core/ext/filters/client_channel/http_proxy.cc +17 -10
- data/src/core/ext/filters/client_channel/lb_policy.cc +19 -18
- data/src/core/ext/filters/client_channel/lb_policy.h +42 -33
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.cc +83 -0
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.h +99 -0
- data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.cc +10 -4
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +240 -301
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.cc +89 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.h +40 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +11 -9
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.h +3 -2
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +871 -0
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +5 -11
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +734 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +84 -37
- data/src/core/ext/filters/client_channel/lb_policy/xds/eds.cc +938 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/lrs.cc +528 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.h +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_routing.cc +834 -0
- data/src/core/ext/filters/client_channel/lb_policy_registry.cc +6 -2
- data/src/core/ext/filters/client_channel/local_subchannel_pool.h +2 -1
- data/src/core/ext/filters/client_channel/parse_address.cc +22 -21
- data/src/core/ext/filters/client_channel/resolver.cc +5 -8
- data/src/core/ext/filters/client_channel/resolver.h +12 -14
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +73 -59
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +35 -35
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +8 -7
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +16 -20
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +72 -117
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +184 -133
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +5 -3
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +7 -4
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +40 -43
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +93 -102
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +0 -4
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +32 -5
- data/src/core/ext/filters/client_channel/resolver_factory.h +2 -2
- data/src/core/ext/filters/client_channel/resolver_registry.cc +6 -3
- data/src/core/ext/filters/client_channel/resolver_registry.h +8 -8
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +16 -16
- data/src/core/ext/filters/client_channel/resolver_result_parsing.h +19 -16
- data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +20 -31
- data/src/core/ext/filters/client_channel/resolving_lb_policy.h +4 -3
- data/src/core/ext/filters/client_channel/server_address.cc +6 -9
- data/src/core/ext/filters/client_channel/server_address.h +6 -12
- data/src/core/ext/filters/client_channel/service_config.cc +104 -144
- data/src/core/ext/filters/client_channel/service_config.h +28 -98
- data/src/core/ext/filters/client_channel/service_config_call_data.h +68 -0
- data/src/core/ext/filters/client_channel/service_config_parser.cc +87 -0
- data/src/core/ext/filters/client_channel/service_config_parser.h +89 -0
- data/src/core/ext/filters/client_channel/subchannel.cc +54 -24
- data/src/core/ext/filters/client_channel/subchannel.h +35 -11
- data/src/core/ext/filters/client_channel/xds/xds_api.cc +348 -221
- data/src/core/ext/filters/client_channel/xds/xds_api.h +37 -37
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.cc +44 -49
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.h +4 -3
- data/src/core/ext/filters/client_channel/xds/xds_channel_secure.cc +4 -2
- data/src/core/ext/filters/client_channel/xds/xds_client.cc +532 -339
- data/src/core/ext/filters/client_channel/xds/xds_client.h +57 -22
- data/src/core/ext/filters/client_channel/xds/xds_client_stats.cc +11 -12
- data/src/core/ext/filters/client_channel/xds/xds_client_stats.h +31 -19
- data/src/core/ext/filters/http/client/http_client_filter.cc +23 -28
- data/src/core/ext/filters/http/client_authority_filter.cc +4 -4
- data/src/core/ext/filters/http/http_filters_plugin.cc +27 -12
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +258 -221
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +358 -0
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.h +29 -0
- data/src/core/ext/filters/message_size/message_size_filter.cc +7 -10
- data/src/core/ext/filters/message_size/message_size_filter.h +4 -4
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +4 -4
- data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +4 -6
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +23 -22
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +1 -0
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +3 -3
- data/src/core/ext/transport/chttp2/transport/frame_goaway.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_ping.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_settings.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_window_update.h +2 -3
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +29 -16
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +2 -3
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +2 -3
- data/src/core/ext/transport/chttp2/transport/hpack_table.h +2 -2
- data/src/core/ext/transport/chttp2/transport/http2_settings.h +4 -5
- data/src/core/ext/transport/chttp2/transport/huffsyms.h +2 -3
- data/src/core/ext/transport/chttp2/transport/internal.h +14 -21
- data/src/core/ext/transport/chttp2/transport/stream_map.h +2 -3
- data/src/core/ext/transport/chttp2/transport/writing.cc +15 -8
- data/src/core/ext/transport/inproc/inproc_transport.cc +19 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/cert.upb.c +4 -229
- data/src/core/ext/upb-generated/envoy/api/v2/auth/cert.upb.h +5 -875
- data/src/core/ext/upb-generated/envoy/api/v2/auth/common.upb.c +114 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/common.upb.h +418 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/secret.upb.c +72 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/secret.upb.h +197 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/tls.upb.c +105 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/tls.upb.h +378 -0
- data/src/core/ext/upb-generated/envoy/api/v2/cds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/cluster.upb.c +21 -8
- data/src/core/ext/upb-generated/envoy/api/v2/cluster.upb.h +43 -7
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/circuit_breaker.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/filter.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/outlier_detection.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/address.upb.c +2 -1
- data/src/core/ext/upb-generated/envoy/api/v2/core/backoff.upb.c +35 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/backoff.upb.h +78 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/base.upb.c +47 -26
- data/src/core/ext/upb-generated/envoy/api/v2/core/base.upb.h +115 -65
- data/src/core/ext/upb-generated/envoy/api/v2/core/config_source.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/event_service_config.upb.c +34 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/event_service_config.upb.h +72 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/grpc_service.upb.c +2 -1
- data/src/core/ext/upb-generated/envoy/api/v2/core/health_check.upb.c +24 -20
- data/src/core/ext/upb-generated/envoy/api/v2/core/health_check.upb.h +28 -13
- data/src/core/ext/upb-generated/envoy/api/v2/core/http_uri.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/protocol.upb.c +38 -18
- data/src/core/ext/upb-generated/envoy/api/v2/core/protocol.upb.h +88 -6
- data/src/core/ext/upb-generated/envoy/api/v2/core/socket_option.upb.c +34 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/socket_option.upb.h +89 -0
- data/src/core/ext/upb-generated/envoy/api/v2/discovery.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/eds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint_components.upb.c +9 -6
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint_components.upb.h +12 -4
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/load_report.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/lds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/listener.upb.c +15 -10
- data/src/core/ext/upb-generated/envoy/api/v2/listener.upb.h +16 -0
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener_components.upb.c +2 -1
- data/src/core/ext/upb-generated/envoy/api/v2/listener/udp_listener_config.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/rds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/route.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/route/route.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/route/route_components.upb.c +63 -41
- data/src/core/ext/upb-generated/envoy/api/v2/route/route_components.upb.h +173 -77
- data/src/core/ext/upb-generated/envoy/api/v2/scoped_route.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/srds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/config/filter/accesslog/v2/accesslog.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.upb.c +48 -28
- data/src/core/ext/upb-generated/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.upb.h +90 -30
- data/src/core/ext/upb-generated/envoy/config/listener/v2/api_listener.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v2/http_tracer.upb.c +51 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v2/http_tracer.upb.h +125 -0
- data/src/core/ext/upb-generated/envoy/service/discovery/v2/ads.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/service/load_stats/v2/lrs.upb.c +4 -2
- data/src/core/ext/upb-generated/envoy/service/load_stats/v2/lrs.upb.h +4 -0
- data/src/core/ext/upb-generated/envoy/type/http.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/regex.upb.c +16 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/regex.upb.h +36 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/string.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/metadata/v2/metadata.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/percent.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/range.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/semantic_version.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/tracing/v2/custom_tag.upb.c +1 -0
- data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.c +9 -8
- data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.h +30 -24
- data/src/core/ext/upb-generated/udpa/annotations/status.upb.c +28 -0
- data/src/core/ext/upb-generated/udpa/annotations/status.upb.h +65 -0
- data/src/core/ext/upb-generated/validate/validate.upb.c +21 -20
- data/src/core/ext/upb-generated/validate/validate.upb.h +69 -63
- data/src/core/lib/channel/channel_args.cc +15 -14
- data/src/core/lib/channel/channel_args.h +3 -1
- data/src/core/lib/channel/channel_stack.h +20 -13
- data/src/core/lib/channel/channelz.cc +5 -6
- data/src/core/lib/channel/channelz.h +3 -2
- data/src/core/lib/channel/channelz_registry.cc +5 -3
- data/src/core/lib/channel/connected_channel.cc +7 -5
- data/src/core/lib/channel/context.h +1 -1
- data/src/core/lib/channel/handshaker.cc +11 -13
- data/src/core/lib/channel/handshaker.h +4 -2
- data/src/core/lib/channel/handshaker_registry.cc +5 -17
- data/src/core/lib/channel/status_util.cc +2 -3
- data/src/core/lib/compression/message_compress.cc +5 -1
- data/src/core/lib/debug/stats.cc +21 -27
- data/src/core/lib/debug/stats.h +3 -1
- data/src/core/lib/gpr/spinlock.h +2 -3
- data/src/core/lib/gpr/string.cc +2 -26
- data/src/core/lib/gpr/string.h +0 -16
- data/src/core/lib/gpr/sync_abseil.cc +2 -0
- data/src/core/lib/gpr/time.cc +4 -0
- data/src/core/lib/gpr/time_posix.cc +1 -1
- data/src/core/lib/gprpp/atomic.h +6 -6
- data/src/core/lib/gprpp/fork.cc +1 -1
- data/src/core/lib/gprpp/host_port.cc +29 -35
- data/src/core/lib/gprpp/host_port.h +14 -17
- data/src/core/lib/gprpp/map.h +5 -11
- data/src/core/lib/gprpp/ref_counted_ptr.h +5 -0
- data/src/core/lib/http/format_request.cc +46 -65
- data/src/core/lib/http/httpcli.cc +2 -3
- data/src/core/lib/http/httpcli.h +2 -3
- data/src/core/lib/http/httpcli_security_connector.cc +5 -5
- data/src/core/lib/http/parser.h +2 -3
- data/src/core/lib/iomgr/buffer_list.h +22 -21
- data/src/core/lib/iomgr/call_combiner.h +3 -2
- data/src/core/lib/iomgr/cfstream_handle.cc +3 -2
- data/src/core/lib/iomgr/closure.h +2 -3
- data/src/core/lib/iomgr/dualstack_socket_posix.cc +47 -0
- data/src/core/lib/iomgr/endpoint_cfstream.cc +2 -3
- data/src/core/lib/iomgr/endpoint_pair.h +2 -3
- data/src/core/lib/iomgr/error.cc +6 -9
- data/src/core/lib/iomgr/error.h +0 -1
- data/src/core/lib/iomgr/ev_apple.cc +356 -0
- data/src/core/lib/iomgr/ev_apple.h +43 -0
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +20 -23
- data/src/core/lib/iomgr/ev_epollex_linux.cc +2 -3
- data/src/core/lib/iomgr/ev_poll_posix.cc +3 -3
- data/src/core/lib/iomgr/ev_posix.cc +2 -3
- data/src/core/lib/iomgr/exec_ctx.h +14 -2
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +84 -20
- data/src/core/lib/iomgr/pollset_set_custom.cc +10 -10
- data/src/core/lib/{gprpp/optional.h → iomgr/pollset_uv.h} +11 -12
- data/src/core/lib/iomgr/port.h +1 -0
- data/src/core/lib/iomgr/python_util.h +46 -0
- data/src/core/lib/iomgr/resolve_address.h +4 -6
- data/src/core/lib/iomgr/resolve_address_custom.cc +29 -39
- data/src/core/lib/iomgr/resolve_address_custom.h +4 -2
- data/src/core/lib/iomgr/resolve_address_posix.cc +10 -11
- data/src/core/lib/iomgr/resolve_address_windows.cc +8 -17
- data/src/core/lib/iomgr/resource_quota.cc +4 -6
- data/src/core/lib/iomgr/sockaddr_utils.cc +23 -29
- data/src/core/lib/iomgr/sockaddr_utils.h +9 -14
- data/src/core/lib/iomgr/socket_factory_posix.h +2 -3
- data/src/core/lib/iomgr/socket_mutator.h +2 -3
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +7 -26
- data/src/core/lib/iomgr/socket_utils_posix.h +3 -0
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +5 -7
- data/src/core/lib/iomgr/tcp_client_posix.cc +8 -5
- data/src/core/lib/iomgr/tcp_client_windows.cc +2 -3
- data/src/core/lib/iomgr/tcp_custom.cc +2 -3
- data/src/core/lib/iomgr/tcp_server_custom.cc +5 -9
- data/src/core/lib/iomgr/tcp_server_posix.cc +5 -4
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +5 -4
- data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +8 -11
- data/src/core/lib/iomgr/tcp_uv.cc +3 -2
- data/src/core/lib/iomgr/time_averaged_stats.h +2 -3
- data/src/core/lib/iomgr/timer_generic.cc +2 -3
- data/src/core/lib/{gprpp/inlined_vector.h → iomgr/timer_generic.h} +19 -17
- data/src/core/lib/iomgr/timer_heap.h +2 -3
- data/src/core/lib/iomgr/udp_server.cc +9 -14
- data/src/core/lib/json/json.h +3 -2
- data/src/core/lib/json/json_reader.cc +5 -5
- data/src/core/lib/json/json_writer.cc +13 -12
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +12 -0
- data/src/core/lib/security/credentials/composite/composite_credentials.h +6 -3
- data/src/core/lib/security/credentials/credentials.cc +0 -84
- data/src/core/lib/security/credentials/credentials.h +8 -59
- data/src/core/lib/security/credentials/fake/fake_credentials.h +4 -0
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +3 -8
- data/src/core/lib/security/credentials/iam/iam_credentials.cc +8 -6
- data/src/core/lib/security/credentials/iam/iam_credentials.h +4 -0
- data/src/core/lib/security/credentials/jwt/json_token.cc +1 -1
- data/src/core/lib/security/credentials/jwt/json_token.h +2 -5
- data/src/core/lib/security/credentials/jwt/jwt_credentials.h +12 -0
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +8 -15
- data/src/core/lib/security/credentials/jwt/jwt_verifier.h +2 -3
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +55 -27
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +9 -3
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +13 -0
- data/src/core/lib/security/credentials/plugin/plugin_credentials.h +2 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc +23 -13
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +38 -11
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +21 -6
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +7 -7
- data/src/core/lib/security/security_connector/load_system_roots_linux.cc +3 -2
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +1 -1
- data/src/core/lib/security/security_connector/security_connector.h +1 -1
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +20 -25
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.h +4 -6
- data/src/core/lib/security/security_connector/ssl_utils.cc +59 -12
- data/src/core/lib/security/security_connector/ssl_utils.h +12 -10
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +77 -51
- data/src/core/lib/security/security_connector/tls/tls_security_connector.h +27 -5
- data/src/core/lib/security/transport/auth_filters.h +0 -5
- data/src/core/lib/security/transport/client_auth_filter.cc +1 -2
- data/src/core/lib/slice/slice_intern.cc +2 -3
- data/src/core/lib/slice/slice_internal.h +14 -0
- data/src/core/lib/slice/slice_utils.h +9 -0
- data/src/core/lib/surface/byte_buffer_reader.cc +2 -47
- data/src/core/lib/surface/call.cc +2 -3
- data/src/core/lib/surface/call_log_batch.cc +50 -58
- data/src/core/lib/surface/channel.cc +53 -31
- data/src/core/lib/surface/channel.h +35 -4
- data/src/core/lib/surface/channel_ping.cc +2 -3
- data/src/core/lib/surface/completion_queue.cc +33 -33
- data/src/core/lib/surface/event_string.cc +18 -25
- data/src/core/lib/surface/event_string.h +3 -1
- data/src/core/lib/surface/init_secure.cc +1 -4
- data/src/core/lib/surface/server.cc +570 -369
- data/src/core/lib/surface/server.h +32 -0
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/byte_stream.h +7 -2
- data/src/core/lib/transport/connectivity_state.cc +7 -6
- data/src/core/lib/transport/connectivity_state.h +5 -3
- data/src/core/lib/transport/metadata.cc +3 -3
- data/src/core/lib/transport/metadata_batch.h +2 -3
- data/src/core/lib/transport/static_metadata.h +1 -1
- data/src/core/lib/transport/status_conversion.cc +6 -14
- data/src/core/lib/transport/transport.cc +2 -3
- data/src/core/lib/transport/transport.h +3 -2
- data/src/core/lib/transport/transport_op_string.cc +61 -102
- data/src/core/lib/uri/uri_parser.h +2 -3
- data/src/core/plugin_registry/grpc_plugin_registry.cc +20 -4
- data/src/core/tsi/alts/crypt/aes_gcm.cc +0 -2
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +8 -1
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +8 -4
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +32 -2
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.h +9 -1
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.h +2 -3
- data/src/core/tsi/fake_transport_security.cc +10 -15
- data/src/core/tsi/ssl/session_cache/ssl_session.h +0 -2
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +0 -2
- data/src/core/tsi/ssl_transport_security.cc +52 -39
- data/src/core/tsi/ssl_transport_security.h +8 -8
- data/src/core/tsi/ssl_types.h +0 -2
- data/src/core/tsi/transport_security.h +6 -9
- data/src/core/tsi/transport_security_grpc.h +2 -3
- data/src/core/tsi/transport_security_interface.h +3 -3
- data/src/ruby/ext/grpc/rb_call.c +9 -1
- data/src/ruby/ext/grpc/rb_call_credentials.c +3 -2
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +4 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +6 -0
- data/src/ruby/lib/grpc/errors.rb +103 -42
- data/src/ruby/lib/grpc/generic/active_call.rb +2 -3
- data/src/ruby/lib/grpc/generic/interceptors.rb +4 -4
- data/src/ruby/lib/grpc/generic/rpc_server.rb +9 -10
- data/src/ruby/lib/grpc/generic/service.rb +5 -4
- data/src/ruby/lib/grpc/structs.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/generate_proto_ruby.sh +5 -3
- data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +11 -0
- data/src/ruby/pb/src/proto/grpc/testing/test_services_pb.rb +16 -0
- data/src/ruby/spec/debug_message_spec.rb +134 -0
- data/src/ruby/spec/generic/service_spec.rb +2 -0
- data/src/ruby/spec/pb/codegen/grpc/testing/package_options_import2.proto +23 -0
- data/src/ruby/spec/pb/codegen/grpc/testing/package_options_ruby_style.proto +7 -0
- data/src/ruby/spec/pb/codegen/package_option_spec.rb +7 -1
- data/src/ruby/spec/support/services.rb +10 -4
- data/src/ruby/spec/testdata/ca.pem +18 -13
- data/src/ruby/spec/testdata/client.key +26 -14
- data/src/ruby/spec/testdata/client.pem +18 -12
- data/src/ruby/spec/testdata/server1.key +26 -14
- data/src/ruby/spec/testdata/server1.pem +20 -14
- data/third_party/abseil-cpp/absl/time/civil_time.cc +175 -0
- data/third_party/abseil-cpp/absl/time/civil_time.h +538 -0
- data/third_party/abseil-cpp/absl/time/clock.cc +569 -0
- data/third_party/abseil-cpp/absl/time/clock.h +74 -0
- data/third_party/abseil-cpp/absl/time/duration.cc +922 -0
- data/third_party/abseil-cpp/absl/time/format.cc +153 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time.h +332 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time_detail.h +622 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/time_zone.h +384 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/zone_info_source.h +102 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/civil_time_detail.cc +94 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_fixed.cc +140 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_fixed.h +52 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_format.cc +922 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_if.cc +45 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_if.h +76 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_impl.cc +121 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_impl.h +93 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_info.cc +958 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_info.h +138 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.cc +308 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.h +55 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_lookup.cc +187 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_posix.cc +159 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_posix.h +132 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/tzfile.h +122 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/zone_info_source.cc +115 -0
- data/third_party/abseil-cpp/absl/time/internal/get_current_time_chrono.inc +31 -0
- data/third_party/abseil-cpp/absl/time/internal/get_current_time_posix.inc +24 -0
- data/third_party/abseil-cpp/absl/time/time.cc +499 -0
- data/third_party/abseil-cpp/absl/time/time.h +1584 -0
- data/third_party/boringssl-with-bazel/err_data.c +329 -297
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/cpu-arm-linux.c +7 -5
- data/third_party/boringssl-with-bazel/src/crypto/cpu-intel.c +13 -4
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +11 -0
- data/third_party/boringssl-with-bazel/src/{third_party/fiat → crypto/curve25519}/curve25519.c +18 -26
- data/third_party/boringssl-with-bazel/src/{third_party/fiat → crypto/curve25519}/curve25519_tables.h +13 -21
- data/third_party/boringssl-with-bazel/src/{third_party/fiat → crypto/curve25519}/internal.h +14 -22
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/dh/dh.c +15 -0
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +10 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +425 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +78 -0
- data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/err/err.c +33 -32
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +14 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +30 -154
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digests.c +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +289 -117
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +13 -27
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +96 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/felem.c +25 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +432 -160
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +63 -71
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +5 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64-table.h +9481 -9485
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64.c +80 -99
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +736 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256_table.h +297 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +90 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +125 -148
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +189 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +61 -18
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +20 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +137 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +49 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +64 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +41 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +32 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +24 -114
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +51 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +15 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +44 -35
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +29 -12
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +15 -1
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/deterministic.c +6 -10
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/windows.c +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +278 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +1474 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +720 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +4 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +5 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +9 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +20 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +16 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +6 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +2 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +3 -17
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +31 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/sha.h +26 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +172 -77
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +291 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +5 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +1 -0
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +0 -4
- data/third_party/boringssl-with-bazel/src/ssl/d1_lib.cc +3 -3
- data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +13 -4
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +146 -57
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +14 -3
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +28 -20
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +12 -4
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +64 -47
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +10 -10
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +21 -21
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +29 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +4 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +6 -1
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +13 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +64 -5
- data/third_party/boringssl-with-bazel/src/ssl/ssl_stat.cc +6 -0
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +6 -2
- data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +47 -53
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +98 -27
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +23 -75
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +50 -20
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +63 -25
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +245 -175
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +135 -75
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +1593 -1672
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +512 -503
- metadata +115 -39
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.cc +0 -1754
- data/src/core/lib/gprpp/string_view.h +0 -60
- data/src/core/tsi/grpc_shadow_boringssl.h +0 -3311
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256.c +0 -1063
@@ -117,86 +117,73 @@ static BN_ULONG is_not_zero(BN_ULONG in) {
|
|
117
117
|
return in;
|
118
118
|
}
|
119
119
|
|
120
|
-
//
|
121
|
-
// That is, |r| is the modular inverse of |in| for input and output in
|
122
|
-
// Montgomery domain.
|
123
|
-
static void
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
162
|
-
|
163
|
-
|
164
|
-
|
165
|
-
|
166
|
-
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
|
174
|
-
|
175
|
-
|
176
|
-
|
177
|
-
|
178
|
-
|
179
|
-
|
180
|
-
|
181
|
-
|
182
|
-
|
183
|
-
|
184
|
-
|
185
|
-
|
186
|
-
|
187
|
-
ecp_nistz256_sqr_mont(res, res);
|
188
|
-
ecp_nistz256_sqr_mont(res, res);
|
189
|
-
ecp_nistz256_sqr_mont(res, res);
|
190
|
-
ecp_nistz256_sqr_mont(res, res);
|
191
|
-
ecp_nistz256_mul_mont(res, res, p4);
|
192
|
-
|
193
|
-
ecp_nistz256_sqr_mont(res, res);
|
194
|
-
ecp_nistz256_sqr_mont(res, res);
|
195
|
-
ecp_nistz256_mul_mont(res, res, p2);
|
196
|
-
|
197
|
-
ecp_nistz256_sqr_mont(res, res);
|
198
|
-
ecp_nistz256_sqr_mont(res, res);
|
199
|
-
ecp_nistz256_mul_mont(r, res, in);
|
120
|
+
// ecp_nistz256_mod_inverse_sqr_mont sets |r| to (|in| * 2^-256)^-2 * 2^256 mod
|
121
|
+
// p. That is, |r| is the modular inverse square of |in| for input and output in
|
122
|
+
// the Montgomery domain.
|
123
|
+
static void ecp_nistz256_mod_inverse_sqr_mont(BN_ULONG r[P256_LIMBS],
|
124
|
+
const BN_ULONG in[P256_LIMBS]) {
|
125
|
+
// This implements the addition chain described in
|
126
|
+
// https://briansmith.org/ecc-inversion-addition-chains-01#p256_field_inversion
|
127
|
+
BN_ULONG x2[P256_LIMBS], x3[P256_LIMBS], x6[P256_LIMBS], x12[P256_LIMBS],
|
128
|
+
x15[P256_LIMBS], x30[P256_LIMBS], x32[P256_LIMBS];
|
129
|
+
ecp_nistz256_sqr_mont(x2, in); // 2^2 - 2^1
|
130
|
+
ecp_nistz256_mul_mont(x2, x2, in); // 2^2 - 2^0
|
131
|
+
|
132
|
+
ecp_nistz256_sqr_mont(x3, x2); // 2^3 - 2^1
|
133
|
+
ecp_nistz256_mul_mont(x3, x3, in); // 2^3 - 2^0
|
134
|
+
|
135
|
+
ecp_nistz256_sqr_mont(x6, x3);
|
136
|
+
for (int i = 1; i < 3; i++) {
|
137
|
+
ecp_nistz256_sqr_mont(x6, x6);
|
138
|
+
} // 2^6 - 2^3
|
139
|
+
ecp_nistz256_mul_mont(x6, x6, x3); // 2^6 - 2^0
|
140
|
+
|
141
|
+
ecp_nistz256_sqr_mont(x12, x6);
|
142
|
+
for (int i = 1; i < 6; i++) {
|
143
|
+
ecp_nistz256_sqr_mont(x12, x12);
|
144
|
+
} // 2^12 - 2^6
|
145
|
+
ecp_nistz256_mul_mont(x12, x12, x6); // 2^12 - 2^0
|
146
|
+
|
147
|
+
ecp_nistz256_sqr_mont(x15, x12);
|
148
|
+
for (int i = 1; i < 3; i++) {
|
149
|
+
ecp_nistz256_sqr_mont(x15, x15);
|
150
|
+
} // 2^15 - 2^3
|
151
|
+
ecp_nistz256_mul_mont(x15, x15, x3); // 2^15 - 2^0
|
152
|
+
|
153
|
+
ecp_nistz256_sqr_mont(x30, x15);
|
154
|
+
for (int i = 1; i < 15; i++) {
|
155
|
+
ecp_nistz256_sqr_mont(x30, x30);
|
156
|
+
} // 2^30 - 2^15
|
157
|
+
ecp_nistz256_mul_mont(x30, x30, x15); // 2^30 - 2^0
|
158
|
+
|
159
|
+
ecp_nistz256_sqr_mont(x32, x30);
|
160
|
+
ecp_nistz256_sqr_mont(x32, x32); // 2^32 - 2^2
|
161
|
+
ecp_nistz256_mul_mont(x32, x32, x2); // 2^32 - 2^0
|
162
|
+
|
163
|
+
BN_ULONG ret[P256_LIMBS];
|
164
|
+
ecp_nistz256_sqr_mont(ret, x32);
|
165
|
+
for (int i = 1; i < 31 + 1; i++) {
|
166
|
+
ecp_nistz256_sqr_mont(ret, ret);
|
167
|
+
} // 2^64 - 2^32
|
168
|
+
ecp_nistz256_mul_mont(ret, ret, in); // 2^64 - 2^32 + 2^0
|
169
|
+
|
170
|
+
for (int i = 0; i < 96 + 32; i++) {
|
171
|
+
ecp_nistz256_sqr_mont(ret, ret);
|
172
|
+
} // 2^192 - 2^160 + 2^128
|
173
|
+
ecp_nistz256_mul_mont(ret, ret, x32); // 2^192 - 2^160 + 2^128 + 2^32 - 2^0
|
174
|
+
|
175
|
+
for (int i = 0; i < 32; i++) {
|
176
|
+
ecp_nistz256_sqr_mont(ret, ret);
|
177
|
+
} // 2^224 - 2^192 + 2^160 + 2^64 - 2^32
|
178
|
+
ecp_nistz256_mul_mont(ret, ret, x32); // 2^224 - 2^192 + 2^160 + 2^64 - 2^0
|
179
|
+
|
180
|
+
for (int i = 0; i < 30; i++) {
|
181
|
+
ecp_nistz256_sqr_mont(ret, ret);
|
182
|
+
} // 2^254 - 2^222 + 2^190 + 2^94 - 2^30
|
183
|
+
ecp_nistz256_mul_mont(ret, ret, x30); // 2^254 - 2^222 + 2^190 + 2^94 - 2^0
|
184
|
+
|
185
|
+
ecp_nistz256_sqr_mont(ret, ret);
|
186
|
+
ecp_nistz256_sqr_mont(r, ret); // 2^256 - 2^224 + 2^192 + 2^96 - 2^2
|
200
187
|
}
|
201
188
|
|
202
189
|
// r = p * p_scalar
|
@@ -440,24 +427,17 @@ static int ecp_nistz256_get_affine(const EC_GROUP *group,
|
|
440
427
|
}
|
441
428
|
|
442
429
|
BN_ULONG z_inv2[P256_LIMBS];
|
443
|
-
BN_ULONG z_inv3[P256_LIMBS];
|
444
430
|
assert(group->field.width == P256_LIMBS);
|
445
|
-
|
446
|
-
ecp_nistz256_sqr_mont(z_inv2, z_inv3);
|
447
|
-
|
448
|
-
// Instead of using |ecp_nistz256_from_mont| to convert the |x| coordinate
|
449
|
-
// and then calling |ecp_nistz256_from_mont| again to convert the |y|
|
450
|
-
// coordinate below, convert the common factor |z_inv2| once now, saving one
|
451
|
-
// reduction.
|
452
|
-
ecp_nistz256_from_mont(z_inv2, z_inv2);
|
431
|
+
ecp_nistz256_mod_inverse_sqr_mont(z_inv2, point->Z.words);
|
453
432
|
|
454
433
|
if (x != NULL) {
|
455
434
|
ecp_nistz256_mul_mont(x->words, z_inv2, point->X.words);
|
456
435
|
}
|
457
436
|
|
458
437
|
if (y != NULL) {
|
459
|
-
|
460
|
-
ecp_nistz256_mul_mont(y->words,
|
438
|
+
ecp_nistz256_sqr_mont(z_inv2, z_inv2); // z^-4
|
439
|
+
ecp_nistz256_mul_mont(y->words, point->Y.words, point->Z.words); // y * z
|
440
|
+
ecp_nistz256_mul_mont(y->words, y->words, z_inv2); // y * z^-3
|
461
441
|
}
|
462
442
|
|
463
443
|
return 1;
|
@@ -490,8 +470,8 @@ static void ecp_nistz256_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
|
|
490
470
|
OPENSSL_memcpy(r->Z.words, a.Z, P256_LIMBS * sizeof(BN_ULONG));
|
491
471
|
}
|
492
472
|
|
493
|
-
static void
|
494
|
-
|
473
|
+
static void ecp_nistz256_inv0_mod_ord(const EC_GROUP *group, EC_SCALAR *out,
|
474
|
+
const EC_SCALAR *in) {
|
495
475
|
// table[i] stores a power of |in| corresponding to the matching enum value.
|
496
476
|
enum {
|
497
477
|
// The following indices specify the power in binary.
|
@@ -571,12 +551,12 @@ static void ecp_nistz256_inv_mod_ord(const EC_GROUP *group, EC_SCALAR *out,
|
|
571
551
|
}
|
572
552
|
}
|
573
553
|
|
574
|
-
static int
|
554
|
+
static int ecp_nistz256_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,
|
575
555
|
EC_SCALAR *out,
|
576
556
|
const EC_SCALAR *in) {
|
577
557
|
if ((OPENSSL_ia32cap_get()[1] & (1 << 28)) == 0) {
|
578
558
|
// No AVX support; fallback to generic code.
|
579
|
-
return
|
559
|
+
return ec_simple_scalar_to_montgomery_inv_vartime(group, out, in);
|
580
560
|
}
|
581
561
|
|
582
562
|
assert(group->order.width == P256_LIMBS);
|
@@ -640,10 +620,11 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistz256_method) {
|
|
640
620
|
out->mul_public = ecp_nistz256_points_mul_public;
|
641
621
|
out->felem_mul = ec_GFp_mont_felem_mul;
|
642
622
|
out->felem_sqr = ec_GFp_mont_felem_sqr;
|
643
|
-
out->
|
644
|
-
out->
|
645
|
-
out->
|
646
|
-
out->
|
623
|
+
out->felem_to_bytes = ec_GFp_mont_felem_to_bytes;
|
624
|
+
out->felem_from_bytes = ec_GFp_mont_felem_from_bytes;
|
625
|
+
out->scalar_inv0_montgomery = ecp_nistz256_inv0_mod_ord;
|
626
|
+
out->scalar_to_montgomery_inv_vartime =
|
627
|
+
ecp_nistz256_scalar_to_montgomery_inv_vartime;
|
647
628
|
out->cmp_x_coordinate = ecp_nistz256_cmp_x_coordinate;
|
648
629
|
}
|
649
630
|
|
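Review bot: The new `ecp_nistz256_mod_inverse_sqr_mont` header comment in the `@@ -117` hunk gives the output formula but says nothing about a zero input: the chain is pure squarings and multiplications, so `in == 0` silently yields `r == 0`, and the `@@ -440` hunk now feeds `point->Z.words` straight into it, presumably relying on an at-infinity check that sits above that hunk. I would state the precondition at the definition: `// If |in| is zero, |r| is zero; callers must reject the point at infinity first.` The `@@ -440` hunk also drops the `ecp_nistz256_from_mont` call, so `x->words` and `y->words` are now left in Montgomery form; that looks consistent with the `felem_to_bytes = ec_GFp_mont_felem_to_bytes` wiring in the `@@ -640` hunk, but the dependency deserves a one-line comment in `ecp_nistz256_get_affine`, e.g. `// |x| and |y| stay in Montgomery form; |felem_to_bytes| converts them.` `ecp_nistz256_get_affine` starts outside its hunk, so the at-infinity check itself is not visible here.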
@@ -0,0 +1,736 @@
|
|
1
|
+
/* Copyright (c) 2020, Google Inc.
|
2
|
+
*
|
3
|
+
* Permission to use, copy, modify, and/or distribute this software for any
|
4
|
+
* purpose with or without fee is hereby granted, provided that the above
|
5
|
+
* copyright notice and this permission notice appear in all copies.
|
6
|
+
*
|
7
|
+
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
8
|
+
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
9
|
+
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
10
|
+
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
11
|
+
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
12
|
+
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
13
|
+
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
14
|
+
|
15
|
+
// An implementation of the NIST P-256 elliptic curve point multiplication.
|
16
|
+
// 256-bit Montgomery form for 64 and 32-bit. Field operations are generated by
|
17
|
+
// Fiat, which lives in //third_party/fiat.
|
18
|
+
|
19
|
+
#include <openssl/base.h>
|
20
|
+
|
21
|
+
#include <openssl/bn.h>
|
22
|
+
#include <openssl/ec.h>
|
23
|
+
#include <openssl/err.h>
|
24
|
+
#include <openssl/mem.h>
|
25
|
+
#include <openssl/type_check.h>
|
26
|
+
|
27
|
+
#include <assert.h>
|
28
|
+
#include <string.h>
|
29
|
+
|
30
|
+
#include "../../internal.h"
|
31
|
+
#include "../delocate.h"
|
32
|
+
#include "./internal.h"
|
33
|
+
|
34
|
+
|
35
|
+
// MSVC does not implement uint128_t, and crashes with intrinsics
|
36
|
+
#if defined(BORINGSSL_HAS_UINT128)
|
37
|
+
#define BORINGSSL_NISTP256_64BIT 1
|
38
|
+
#include "../../../third_party/fiat/p256_64.h"
|
39
|
+
#else
|
40
|
+
#include "../../../third_party/fiat/p256_32.h"
|
41
|
+
#endif
|
42
|
+
|
43
|
+
|
44
|
+
// utility functions, handwritten
|
45
|
+
|
46
|
+
#if defined(BORINGSSL_NISTP256_64BIT)
|
47
|
+
#define FIAT_P256_NLIMBS 4
|
48
|
+
typedef uint64_t fiat_p256_limb_t;
|
49
|
+
typedef uint64_t fiat_p256_felem[FIAT_P256_NLIMBS];
|
50
|
+
static const fiat_p256_felem fiat_p256_one = {0x1, 0xffffffff00000000,
|
51
|
+
0xffffffffffffffff, 0xfffffffe};
|
52
|
+
#else // 64BIT; else 32BIT
|
53
|
+
#define FIAT_P256_NLIMBS 8
|
54
|
+
typedef uint32_t fiat_p256_limb_t;
|
55
|
+
typedef uint32_t fiat_p256_felem[FIAT_P256_NLIMBS];
|
56
|
+
static const fiat_p256_felem fiat_p256_one = {
|
57
|
+
0x1, 0x0, 0x0, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0x0};
|
58
|
+
#endif // 64BIT
|
59
|
+
|
60
|
+
|
61
|
+
static fiat_p256_limb_t fiat_p256_nz(
|
62
|
+
const fiat_p256_limb_t in1[FIAT_P256_NLIMBS]) {
|
63
|
+
fiat_p256_limb_t ret;
|
64
|
+
fiat_p256_nonzero(&ret, in1);
|
65
|
+
return ret;
|
66
|
+
}
|
67
|
+
|
68
|
+
static void fiat_p256_copy(fiat_p256_limb_t out[FIAT_P256_NLIMBS],
|
69
|
+
const fiat_p256_limb_t in1[FIAT_P256_NLIMBS]) {
|
70
|
+
for (int i = 0; i < FIAT_P256_NLIMBS; i++) {
|
71
|
+
out[i] = in1[i];
|
72
|
+
}
|
73
|
+
}
|
74
|
+
|
75
|
+
static void fiat_p256_cmovznz(fiat_p256_limb_t out[FIAT_P256_NLIMBS],
|
76
|
+
fiat_p256_limb_t t,
|
77
|
+
const fiat_p256_limb_t z[FIAT_P256_NLIMBS],
|
78
|
+
const fiat_p256_limb_t nz[FIAT_P256_NLIMBS]) {
|
79
|
+
fiat_p256_selectznz(out, !!t, z, nz);
|
80
|
+
}
|
81
|
+
|
82
|
+
static void fiat_p256_from_generic(fiat_p256_felem out, const EC_FELEM *in) {
|
83
|
+
fiat_p256_from_bytes(out, in->bytes);
|
84
|
+
}
|
85
|
+
|
86
|
+
static void fiat_p256_to_generic(EC_FELEM *out, const fiat_p256_felem in) {
|
87
|
+
// This works because 256 is a multiple of 64, so there are no excess bytes to
|
88
|
+
// zero when rounding up to |BN_ULONG|s.
|
89
|
+
OPENSSL_STATIC_ASSERT(
|
90
|
+
256 / 8 == sizeof(BN_ULONG) * ((256 + BN_BITS2 - 1) / BN_BITS2),
|
91
|
+
"fiat_p256_to_bytes leaves bytes uninitialized");
|
92
|
+
fiat_p256_to_bytes(out->bytes, in);
|
93
|
+
}
|
94
|
+
|
95
|
+
// fiat_p256_inv_square calculates |out| = |in|^{-2}
|
96
|
+
//
|
97
|
+
// Based on Fermat's Little Theorem:
|
98
|
+
// a^p = a (mod p)
|
99
|
+
// a^{p-1} = 1 (mod p)
|
100
|
+
// a^{p-3} = a^{-2} (mod p)
|
101
|
+
static void fiat_p256_inv_square(fiat_p256_felem out,
|
102
|
+
const fiat_p256_felem in) {
|
103
|
+
// This implements the addition chain described in
|
104
|
+
// https://briansmith.org/ecc-inversion-addition-chains-01#p256_field_inversion
|
105
|
+
fiat_p256_felem x2, x3, x6, x12, x15, x30, x32;
|
106
|
+
fiat_p256_square(x2, in); // 2^2 - 2^1
|
107
|
+
fiat_p256_mul(x2, x2, in); // 2^2 - 2^0
|
108
|
+
|
109
|
+
fiat_p256_square(x3, x2); // 2^3 - 2^1
|
110
|
+
fiat_p256_mul(x3, x3, in); // 2^3 - 2^0
|
111
|
+
|
112
|
+
fiat_p256_square(x6, x3);
|
113
|
+
for (int i = 1; i < 3; i++) {
|
114
|
+
fiat_p256_square(x6, x6);
|
115
|
+
} // 2^6 - 2^3
|
116
|
+
fiat_p256_mul(x6, x6, x3); // 2^6 - 2^0
|
117
|
+
|
118
|
+
fiat_p256_square(x12, x6);
|
119
|
+
for (int i = 1; i < 6; i++) {
|
120
|
+
fiat_p256_square(x12, x12);
|
121
|
+
} // 2^12 - 2^6
|
122
|
+
fiat_p256_mul(x12, x12, x6); // 2^12 - 2^0
|
123
|
+
|
124
|
+
fiat_p256_square(x15, x12);
|
125
|
+
for (int i = 1; i < 3; i++) {
|
126
|
+
fiat_p256_square(x15, x15);
|
127
|
+
} // 2^15 - 2^3
|
128
|
+
fiat_p256_mul(x15, x15, x3); // 2^15 - 2^0
|
129
|
+
|
130
|
+
fiat_p256_square(x30, x15);
|
131
|
+
for (int i = 1; i < 15; i++) {
|
132
|
+
fiat_p256_square(x30, x30);
|
133
|
+
} // 2^30 - 2^15
|
134
|
+
fiat_p256_mul(x30, x30, x15); // 2^30 - 2^0
|
135
|
+
|
136
|
+
fiat_p256_square(x32, x30);
|
137
|
+
fiat_p256_square(x32, x32); // 2^32 - 2^2
|
138
|
+
fiat_p256_mul(x32, x32, x2); // 2^32 - 2^0
|
139
|
+
|
140
|
+
fiat_p256_felem ret;
|
141
|
+
fiat_p256_square(ret, x32);
|
142
|
+
for (int i = 1; i < 31 + 1; i++) {
|
143
|
+
fiat_p256_square(ret, ret);
|
144
|
+
} // 2^64 - 2^32
|
145
|
+
fiat_p256_mul(ret, ret, in); // 2^64 - 2^32 + 2^0
|
146
|
+
|
147
|
+
for (int i = 0; i < 96 + 32; i++) {
|
148
|
+
fiat_p256_square(ret, ret);
|
149
|
+
} // 2^192 - 2^160 + 2^128
|
150
|
+
fiat_p256_mul(ret, ret, x32); // 2^192 - 2^160 + 2^128 + 2^32 - 2^0
|
151
|
+
|
152
|
+
for (int i = 0; i < 32; i++) {
|
153
|
+
fiat_p256_square(ret, ret);
|
154
|
+
} // 2^224 - 2^192 + 2^160 + 2^64 - 2^32
|
155
|
+
fiat_p256_mul(ret, ret, x32); // 2^224 - 2^192 + 2^160 + 2^64 - 2^0
|
156
|
+
|
157
|
+
for (int i = 0; i < 30; i++) {
|
158
|
+
fiat_p256_square(ret, ret);
|
159
|
+
} // 2^254 - 2^222 + 2^190 + 2^94 - 2^30
|
160
|
+
fiat_p256_mul(ret, ret, x30); // 2^254 - 2^222 + 2^190 + 2^94 - 2^0
|
161
|
+
|
162
|
+
fiat_p256_square(ret, ret);
|
163
|
+
fiat_p256_square(out, ret); // 2^256 - 2^224 + 2^192 + 2^96 - 2^2
|
164
|
+
}
|
165
|
+
|
166
|
+
// Group operations
|
167
|
+
// ----------------
|
168
|
+
//
|
169
|
+
// Building on top of the field operations we have the operations on the
|
170
|
+
// elliptic curve group itself. Points on the curve are represented in Jacobian
|
171
|
+
// coordinates.
|
172
|
+
//
|
173
|
+
// Both operations were transcribed to Coq and proven to correspond to naive
|
174
|
+
// implementations using Affine coordinates, for all suitable fields. In the
|
175
|
+
// Coq proofs, issues of constant-time execution and memory layout (aliasing)
|
176
|
+
// conventions were not considered. Specification of affine coordinates:
|
177
|
+
// <https://github.com/mit-plv/fiat-crypto/blob/79f8b5f39ed609339f0233098dee1a3c4e6b3080/src/Spec/WeierstrassCurve.v#L28>
|
178
|
+
// As a sanity check, a proof that these points form a commutative group:
|
179
|
+
// <https://github.com/mit-plv/fiat-crypto/blob/79f8b5f39ed609339f0233098dee1a3c4e6b3080/src/Curves/Weierstrass/AffineProofs.v#L33>
|
180
|
+
|
181
|
+
// fiat_p256_point_double calculates 2*(x_in, y_in, z_in)
|
182
|
+
//
|
183
|
+
// The method is taken from:
|
184
|
+
// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
|
185
|
+
//
|
186
|
+
// Coq transcription and correctness proof:
|
187
|
+
// <https://github.com/mit-plv/fiat-crypto/blob/79f8b5f39ed609339f0233098dee1a3c4e6b3080/src/Curves/Weierstrass/Jacobian.v#L93>
|
188
|
+
// <https://github.com/mit-plv/fiat-crypto/blob/79f8b5f39ed609339f0233098dee1a3c4e6b3080/src/Curves/Weierstrass/Jacobian.v#L201>
|
189
|
+
//
|
190
|
+
// Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.
|
191
|
+
// while x_out == y_in is not (maybe this works, but it's not tested).
|
192
|
+
static void fiat_p256_point_double(fiat_p256_felem x_out, fiat_p256_felem y_out,
|
193
|
+
fiat_p256_felem z_out,
|
194
|
+
const fiat_p256_felem x_in,
|
195
|
+
const fiat_p256_felem y_in,
|
196
|
+
const fiat_p256_felem z_in) {
|
197
|
+
fiat_p256_felem delta, gamma, beta, ftmp, ftmp2, tmptmp, alpha, fourbeta;
|
198
|
+
// delta = z^2
|
199
|
+
fiat_p256_square(delta, z_in);
|
200
|
+
// gamma = y^2
|
201
|
+
fiat_p256_square(gamma, y_in);
|
202
|
+
// beta = x*gamma
|
203
|
+
fiat_p256_mul(beta, x_in, gamma);
|
204
|
+
|
205
|
+
// alpha = 3*(x-delta)*(x+delta)
|
206
|
+
fiat_p256_sub(ftmp, x_in, delta);
|
207
|
+
fiat_p256_add(ftmp2, x_in, delta);
|
208
|
+
|
209
|
+
fiat_p256_add(tmptmp, ftmp2, ftmp2);
|
210
|
+
fiat_p256_add(ftmp2, ftmp2, tmptmp);
|
211
|
+
fiat_p256_mul(alpha, ftmp, ftmp2);
|
212
|
+
|
213
|
+
// x' = alpha^2 - 8*beta
|
214
|
+
fiat_p256_square(x_out, alpha);
|
215
|
+
fiat_p256_add(fourbeta, beta, beta);
|
216
|
+
fiat_p256_add(fourbeta, fourbeta, fourbeta);
|
217
|
+
fiat_p256_add(tmptmp, fourbeta, fourbeta);
|
218
|
+
fiat_p256_sub(x_out, x_out, tmptmp);
|
219
|
+
|
220
|
+
// z' = (y + z)^2 - gamma - delta
|
221
|
+
fiat_p256_add(delta, gamma, delta);
|
222
|
+
fiat_p256_add(ftmp, y_in, z_in);
|
223
|
+
fiat_p256_square(z_out, ftmp);
|
224
|
+
fiat_p256_sub(z_out, z_out, delta);
|
225
|
+
|
226
|
+
// y' = alpha*(4*beta - x') - 8*gamma^2
|
227
|
+
fiat_p256_sub(y_out, fourbeta, x_out);
|
228
|
+
fiat_p256_add(gamma, gamma, gamma);
|
229
|
+
fiat_p256_square(gamma, gamma);
|
230
|
+
fiat_p256_mul(y_out, alpha, y_out);
|
231
|
+
fiat_p256_add(gamma, gamma, gamma);
|
232
|
+
fiat_p256_sub(y_out, y_out, gamma);
|
233
|
+
}
|
234
|
+
|
235
|
+
// fiat_p256_point_add calculates (x1, y1, z1) + (x2, y2, z2)
|
236
|
+
//
|
237
|
+
// The method is taken from:
|
238
|
+
// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
|
239
|
+
// adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
|
240
|
+
//
|
241
|
+
// Coq transcription and correctness proof:
|
242
|
+
// <https://github.com/mit-plv/fiat-crypto/blob/79f8b5f39ed609339f0233098dee1a3c4e6b3080/src/Curves/Weierstrass/Jacobian.v#L135>
|
243
|
+
// <https://github.com/mit-plv/fiat-crypto/blob/79f8b5f39ed609339f0233098dee1a3c4e6b3080/src/Curves/Weierstrass/Jacobian.v#L205>
|
244
|
+
//
|
245
|
+
// This function includes a branch for checking whether the two input points
|
246
|
+
// are equal, (while not equal to the point at infinity). This case never
|
247
|
+
// happens during single point multiplication, so there is no timing leak for
|
248
|
+
// ECDH or ECDSA signing.
|
249
|
+
static void fiat_p256_point_add(fiat_p256_felem x3, fiat_p256_felem y3,
|
250
|
+
fiat_p256_felem z3, const fiat_p256_felem x1,
|
251
|
+
const fiat_p256_felem y1,
|
252
|
+
const fiat_p256_felem z1, const int mixed,
|
253
|
+
const fiat_p256_felem x2,
|
254
|
+
const fiat_p256_felem y2,
|
255
|
+
const fiat_p256_felem z2) {
|
256
|
+
fiat_p256_felem x_out, y_out, z_out;
|
257
|
+
fiat_p256_limb_t z1nz = fiat_p256_nz(z1);
|
258
|
+
fiat_p256_limb_t z2nz = fiat_p256_nz(z2);
|
259
|
+
|
260
|
+
// z1z1 = z1z1 = z1**2
|
261
|
+
fiat_p256_felem z1z1;
|
262
|
+
fiat_p256_square(z1z1, z1);
|
263
|
+
|
264
|
+
fiat_p256_felem u1, s1, two_z1z2;
|
265
|
+
if (!mixed) {
|
266
|
+
// z2z2 = z2**2
|
267
|
+
fiat_p256_felem z2z2;
|
268
|
+
fiat_p256_square(z2z2, z2);
|
269
|
+
|
270
|
+
// u1 = x1*z2z2
|
271
|
+
fiat_p256_mul(u1, x1, z2z2);
|
272
|
+
|
273
|
+
// two_z1z2 = (z1 + z2)**2 - (z1z1 + z2z2) = 2z1z2
|
274
|
+
fiat_p256_add(two_z1z2, z1, z2);
|
275
|
+
fiat_p256_square(two_z1z2, two_z1z2);
|
276
|
+
fiat_p256_sub(two_z1z2, two_z1z2, z1z1);
|
277
|
+
fiat_p256_sub(two_z1z2, two_z1z2, z2z2);
|
278
|
+
|
279
|
+
// s1 = y1 * z2**3
|
280
|
+
fiat_p256_mul(s1, z2, z2z2);
|
281
|
+
fiat_p256_mul(s1, s1, y1);
|
282
|
+
} else {
|
283
|
+
// We'll assume z2 = 1 (special case z2 = 0 is handled later).
|
284
|
+
|
285
|
+
// u1 = x1*z2z2
|
286
|
+
fiat_p256_copy(u1, x1);
|
287
|
+
// two_z1z2 = 2z1z2
|
288
|
+
fiat_p256_add(two_z1z2, z1, z1);
|
289
|
+
// s1 = y1 * z2**3
|
290
|
+
fiat_p256_copy(s1, y1);
|
291
|
+
}
|
292
|
+
|
293
|
+
// u2 = x2*z1z1
|
294
|
+
fiat_p256_felem u2;
|
295
|
+
fiat_p256_mul(u2, x2, z1z1);
|
296
|
+
|
297
|
+
// h = u2 - u1
|
298
|
+
fiat_p256_felem h;
|
299
|
+
fiat_p256_sub(h, u2, u1);
|
300
|
+
|
301
|
+
fiat_p256_limb_t xneq = fiat_p256_nz(h);
|
302
|
+
|
303
|
+
// z_out = two_z1z2 * h
|
304
|
+
fiat_p256_mul(z_out, h, two_z1z2);
|
305
|
+
|
306
|
+
// z1z1z1 = z1 * z1z1
|
307
|
+
fiat_p256_felem z1z1z1;
|
308
|
+
fiat_p256_mul(z1z1z1, z1, z1z1);
|
309
|
+
|
310
|
+
// s2 = y2 * z1**3
|
311
|
+
fiat_p256_felem s2;
|
312
|
+
fiat_p256_mul(s2, y2, z1z1z1);
|
313
|
+
|
314
|
+
// r = (s2 - s1)*2
|
315
|
+
fiat_p256_felem r;
|
316
|
+
fiat_p256_sub(r, s2, s1);
|
317
|
+
fiat_p256_add(r, r, r);
|
318
|
+
|
319
|
+
fiat_p256_limb_t yneq = fiat_p256_nz(r);
|
320
|
+
|
321
|
+
fiat_p256_limb_t is_nontrivial_double = constant_time_is_zero_w(xneq | yneq) &
|
322
|
+
~constant_time_is_zero_w(z1nz) &
|
323
|
+
~constant_time_is_zero_w(z2nz);
|
324
|
+
if (is_nontrivial_double) {
|
325
|
+
fiat_p256_point_double(x3, y3, z3, x1, y1, z1);
|
326
|
+
return;
|
327
|
+
}
|
328
|
+
|
329
|
+
// I = (2h)**2
|
330
|
+
fiat_p256_felem i;
|
331
|
+
fiat_p256_add(i, h, h);
|
332
|
+
fiat_p256_square(i, i);
|
333
|
+
|
334
|
+
// J = h * I
|
335
|
+
fiat_p256_felem j;
|
336
|
+
fiat_p256_mul(j, h, i);
|
337
|
+
|
338
|
+
// V = U1 * I
|
339
|
+
fiat_p256_felem v;
|
340
|
+
fiat_p256_mul(v, u1, i);
|
341
|
+
|
342
|
+
// x_out = r**2 - J - 2V
|
343
|
+
fiat_p256_square(x_out, r);
|
344
|
+
fiat_p256_sub(x_out, x_out, j);
|
345
|
+
fiat_p256_sub(x_out, x_out, v);
|
346
|
+
fiat_p256_sub(x_out, x_out, v);
|
347
|
+
|
348
|
+
// y_out = r(V-x_out) - 2 * s1 * J
|
349
|
+
fiat_p256_sub(y_out, v, x_out);
|
350
|
+
fiat_p256_mul(y_out, y_out, r);
|
351
|
+
fiat_p256_felem s1j;
|
352
|
+
fiat_p256_mul(s1j, s1, j);
|
353
|
+
fiat_p256_sub(y_out, y_out, s1j);
|
354
|
+
fiat_p256_sub(y_out, y_out, s1j);
|
355
|
+
|
356
|
+
fiat_p256_cmovznz(x_out, z1nz, x2, x_out);
|
357
|
+
fiat_p256_cmovznz(x3, z2nz, x1, x_out);
|
358
|
+
fiat_p256_cmovznz(y_out, z1nz, y2, y_out);
|
359
|
+
fiat_p256_cmovznz(y3, z2nz, y1, y_out);
|
360
|
+
fiat_p256_cmovznz(z_out, z1nz, z2, z_out);
|
361
|
+
fiat_p256_cmovznz(z3, z2nz, z1, z_out);
|
362
|
+
}
|
363
|
+
|
364
|
+
#include "./p256_table.h"
|
365
|
+
|
366
|
+
// fiat_p256_select_point_affine selects the |idx-1|th point from a
|
367
|
+
// precomputation table and copies it to out. If |idx| is zero, the output is
|
368
|
+
// the point at infinity.
|
369
|
+
static void fiat_p256_select_point_affine(
|
370
|
+
const fiat_p256_limb_t idx, size_t size,
|
371
|
+
const fiat_p256_felem pre_comp[/*size*/][2], fiat_p256_felem out[3]) {
|
372
|
+
OPENSSL_memset(out, 0, sizeof(fiat_p256_felem) * 3);
|
373
|
+
for (size_t i = 0; i < size; i++) {
|
374
|
+
fiat_p256_limb_t mismatch = i ^ (idx - 1);
|
375
|
+
fiat_p256_cmovznz(out[0], mismatch, pre_comp[i][0], out[0]);
|
376
|
+
fiat_p256_cmovznz(out[1], mismatch, pre_comp[i][1], out[1]);
|
377
|
+
}
|
378
|
+
fiat_p256_cmovznz(out[2], idx, out[2], fiat_p256_one);
|
379
|
+
}
|
380
|
+
|
381
|
+
// fiat_p256_select_point selects the |idx|th point from a precomputation table
|
382
|
+
// and copies it to out.
|
383
|
+
static void fiat_p256_select_point(const fiat_p256_limb_t idx, size_t size,
|
384
|
+
const fiat_p256_felem pre_comp[/*size*/][3],
|
385
|
+
fiat_p256_felem out[3]) {
|
386
|
+
OPENSSL_memset(out, 0, sizeof(fiat_p256_felem) * 3);
|
387
|
+
for (size_t i = 0; i < size; i++) {
|
388
|
+
fiat_p256_limb_t mismatch = i ^ idx;
|
389
|
+
fiat_p256_cmovznz(out[0], mismatch, pre_comp[i][0], out[0]);
|
390
|
+
fiat_p256_cmovznz(out[1], mismatch, pre_comp[i][1], out[1]);
|
391
|
+
fiat_p256_cmovznz(out[2], mismatch, pre_comp[i][2], out[2]);
|
392
|
+
}
|
393
|
+
}
|
394
|
+
|
395
|
+
// fiat_p256_get_bit returns the |i|th bit in |in|
|
396
|
+
static char fiat_p256_get_bit(const uint8_t *in, int i) {
|
397
|
+
if (i < 0 || i >= 256) {
|
398
|
+
return 0;
|
399
|
+
}
|
400
|
+
return (in[i >> 3] >> (i & 7)) & 1;
|
401
|
+
}
|
402
|
+
|
403
|
+
// OPENSSL EC_METHOD FUNCTIONS
|
404
|
+
|
405
|
+
// Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') =
|
406
|
+
// (X/Z^2, Y/Z^3).
|
407
|
+
static int ec_GFp_nistp256_point_get_affine_coordinates(
|
408
|
+
const EC_GROUP *group, const EC_RAW_POINT *point, EC_FELEM *x_out,
|
409
|
+
EC_FELEM *y_out) {
|
410
|
+
if (ec_GFp_simple_is_at_infinity(group, point)) {
|
411
|
+
OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
|
412
|
+
return 0;
|
413
|
+
}
|
414
|
+
|
415
|
+
fiat_p256_felem z1, z2;
|
416
|
+
fiat_p256_from_generic(z1, &point->Z);
|
417
|
+
fiat_p256_inv_square(z2, z1);
|
418
|
+
|
419
|
+
if (x_out != NULL) {
|
420
|
+
fiat_p256_felem x;
|
421
|
+
fiat_p256_from_generic(x, &point->X);
|
422
|
+
fiat_p256_mul(x, x, z2);
|
423
|
+
fiat_p256_to_generic(x_out, x);
|
424
|
+
}
|
425
|
+
|
426
|
+
if (y_out != NULL) {
|
427
|
+
fiat_p256_felem y;
|
428
|
+
fiat_p256_from_generic(y, &point->Y);
|
429
|
+
fiat_p256_square(z2, z2); // z^-4
|
430
|
+
fiat_p256_mul(y, y, z1); // y * z
|
431
|
+
fiat_p256_mul(y, y, z2); // y * z^-3
|
432
|
+
fiat_p256_to_generic(y_out, y);
|
433
|
+
}
|
434
|
+
|
435
|
+
return 1;
|
436
|
+
}
|
437
|
+
|
438
|
+
static void ec_GFp_nistp256_add(const EC_GROUP *group, EC_RAW_POINT *r,
|
439
|
+
const EC_RAW_POINT *a, const EC_RAW_POINT *b) {
|
440
|
+
fiat_p256_felem x1, y1, z1, x2, y2, z2;
|
441
|
+
fiat_p256_from_generic(x1, &a->X);
|
442
|
+
fiat_p256_from_generic(y1, &a->Y);
|
443
|
+
fiat_p256_from_generic(z1, &a->Z);
|
444
|
+
fiat_p256_from_generic(x2, &b->X);
|
445
|
+
fiat_p256_from_generic(y2, &b->Y);
|
446
|
+
fiat_p256_from_generic(z2, &b->Z);
|
447
|
+
fiat_p256_point_add(x1, y1, z1, x1, y1, z1, 0 /* both Jacobian */, x2, y2,
|
448
|
+
z2);
|
449
|
+
fiat_p256_to_generic(&r->X, x1);
|
450
|
+
fiat_p256_to_generic(&r->Y, y1);
|
451
|
+
fiat_p256_to_generic(&r->Z, z1);
|
452
|
+
}
|
453
|
+
|
454
|
+
static void ec_GFp_nistp256_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
|
455
|
+
const EC_RAW_POINT *a) {
|
456
|
+
fiat_p256_felem x, y, z;
|
457
|
+
fiat_p256_from_generic(x, &a->X);
|
458
|
+
fiat_p256_from_generic(y, &a->Y);
|
459
|
+
fiat_p256_from_generic(z, &a->Z);
|
460
|
+
fiat_p256_point_double(x, y, z, x, y, z);
|
461
|
+
fiat_p256_to_generic(&r->X, x);
|
462
|
+
fiat_p256_to_generic(&r->Y, y);
|
463
|
+
fiat_p256_to_generic(&r->Z, z);
|
464
|
+
}
|
465
|
+
|
466
|
+
static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
|
467
|
+
const EC_RAW_POINT *p,
|
468
|
+
const EC_SCALAR *scalar) {
|
469
|
+
fiat_p256_felem p_pre_comp[17][3];
|
470
|
+
OPENSSL_memset(&p_pre_comp, 0, sizeof(p_pre_comp));
|
471
|
+
// Precompute multiples.
|
472
|
+
fiat_p256_from_generic(p_pre_comp[1][0], &p->X);
|
473
|
+
fiat_p256_from_generic(p_pre_comp[1][1], &p->Y);
|
474
|
+
fiat_p256_from_generic(p_pre_comp[1][2], &p->Z);
|
475
|
+
for (size_t j = 2; j <= 16; ++j) {
|
476
|
+
if (j & 1) {
|
477
|
+
fiat_p256_point_add(p_pre_comp[j][0], p_pre_comp[j][1], p_pre_comp[j][2],
|
478
|
+
p_pre_comp[1][0], p_pre_comp[1][1], p_pre_comp[1][2],
|
479
|
+
0, p_pre_comp[j - 1][0], p_pre_comp[j - 1][1],
|
480
|
+
p_pre_comp[j - 1][2]);
|
481
|
+
} else {
|
482
|
+
fiat_p256_point_double(p_pre_comp[j][0], p_pre_comp[j][1],
|
483
|
+
p_pre_comp[j][2], p_pre_comp[j / 2][0],
|
484
|
+
p_pre_comp[j / 2][1], p_pre_comp[j / 2][2]);
|
485
|
+
}
|
486
|
+
}
|
487
|
+
|
488
|
+
// Set nq to the point at infinity.
|
489
|
+
fiat_p256_felem nq[3] = {{0}, {0}, {0}}, ftmp, tmp[3];
|
490
|
+
|
491
|
+
// Loop over |scalar| msb-to-lsb, incorporating |p_pre_comp| every 5th round.
|
492
|
+
int skip = 1; // Save two point operations in the first round.
|
493
|
+
for (size_t i = 255; i < 256; i--) {
|
494
|
+
// double
|
495
|
+
if (!skip) {
|
496
|
+
fiat_p256_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
|
497
|
+
}
|
498
|
+
|
499
|
+
// do other additions every 5 doublings
|
500
|
+
if (i % 5 == 0) {
|
501
|
+
uint64_t bits = fiat_p256_get_bit(scalar->bytes, i + 4) << 5;
|
502
|
+
bits |= fiat_p256_get_bit(scalar->bytes, i + 3) << 4;
|
503
|
+
bits |= fiat_p256_get_bit(scalar->bytes, i + 2) << 3;
|
504
|
+
bits |= fiat_p256_get_bit(scalar->bytes, i + 1) << 2;
|
505
|
+
bits |= fiat_p256_get_bit(scalar->bytes, i) << 1;
|
506
|
+
bits |= fiat_p256_get_bit(scalar->bytes, i - 1);
|
507
|
+
uint8_t sign, digit;
|
508
|
+
ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
|
509
|
+
|
510
|
+
// select the point to add or subtract, in constant time.
|
511
|
+
fiat_p256_select_point(digit, 17, (const fiat_p256_felem(*)[3])p_pre_comp,
|
512
|
+
tmp);
|
513
|
+
fiat_p256_opp(ftmp, tmp[1]); // (X, -Y, Z) is the negative point.
|
514
|
+
fiat_p256_cmovznz(tmp[1], sign, tmp[1], ftmp);
|
515
|
+
|
516
|
+
if (!skip) {
|
517
|
+
fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2],
|
518
|
+
0 /* mixed */, tmp[0], tmp[1], tmp[2]);
|
519
|
+
} else {
|
520
|
+
fiat_p256_copy(nq[0], tmp[0]);
|
521
|
+
fiat_p256_copy(nq[1], tmp[1]);
|
522
|
+
fiat_p256_copy(nq[2], tmp[2]);
|
523
|
+
skip = 0;
|
524
|
+
}
|
525
|
+
}
|
526
|
+
}
|
527
|
+
|
528
|
+
fiat_p256_to_generic(&r->X, nq[0]);
|
529
|
+
fiat_p256_to_generic(&r->Y, nq[1]);
|
530
|
+
fiat_p256_to_generic(&r->Z, nq[2]);
|
531
|
+
}
|
532
|
+
|
533
|
+
static void ec_GFp_nistp256_point_mul_base(const EC_GROUP *group,
|
534
|
+
EC_RAW_POINT *r,
|
535
|
+
const EC_SCALAR *scalar) {
|
536
|
+
// Set nq to the point at infinity.
|
537
|
+
fiat_p256_felem nq[3] = {{0}, {0}, {0}}, tmp[3];
|
538
|
+
|
539
|
+
int skip = 1; // Save two point operations in the first round.
|
540
|
+
for (size_t i = 31; i < 32; i--) {
|
541
|
+
if (!skip) {
|
542
|
+
fiat_p256_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
|
543
|
+
}
|
544
|
+
|
545
|
+
// First, look 32 bits upwards.
|
546
|
+
uint64_t bits = fiat_p256_get_bit(scalar->bytes, i + 224) << 3;
|
547
|
+
bits |= fiat_p256_get_bit(scalar->bytes, i + 160) << 2;
|
548
|
+
bits |= fiat_p256_get_bit(scalar->bytes, i + 96) << 1;
|
549
|
+
bits |= fiat_p256_get_bit(scalar->bytes, i + 32);
|
550
|
+
// Select the point to add, in constant time.
|
551
|
+
fiat_p256_select_point_affine(bits, 15, fiat_p256_g_pre_comp[1], tmp);
|
552
|
+
|
553
|
+
if (!skip) {
|
554
|
+
fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2],
|
555
|
+
1 /* mixed */, tmp[0], tmp[1], tmp[2]);
|
556
|
+
} else {
|
557
|
+
fiat_p256_copy(nq[0], tmp[0]);
|
558
|
+
fiat_p256_copy(nq[1], tmp[1]);
|
559
|
+
fiat_p256_copy(nq[2], tmp[2]);
|
560
|
+
skip = 0;
|
561
|
+
}
|
562
|
+
|
563
|
+
// Second, look at the current position.
|
564
|
+
bits = fiat_p256_get_bit(scalar->bytes, i + 192) << 3;
|
565
|
+
bits |= fiat_p256_get_bit(scalar->bytes, i + 128) << 2;
|
566
|
+
bits |= fiat_p256_get_bit(scalar->bytes, i + 64) << 1;
|
567
|
+
bits |= fiat_p256_get_bit(scalar->bytes, i);
|
568
|
+
// Select the point to add, in constant time.
|
569
|
+
fiat_p256_select_point_affine(bits, 15, fiat_p256_g_pre_comp[0], tmp);
|
570
|
+
fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
|
571
|
+
tmp[0], tmp[1], tmp[2]);
|
572
|
+
}
|
573
|
+
|
574
|
+
fiat_p256_to_generic(&r->X, nq[0]);
|
575
|
+
fiat_p256_to_generic(&r->Y, nq[1]);
|
576
|
+
fiat_p256_to_generic(&r->Z, nq[2]);
|
577
|
+
}
|
578
|
+
|
579
|
+
static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group,
|
580
|
+
EC_RAW_POINT *r,
|
581
|
+
const EC_SCALAR *g_scalar,
|
582
|
+
const EC_RAW_POINT *p,
|
583
|
+
const EC_SCALAR *p_scalar) {
|
584
|
+
#define P256_WSIZE_PUBLIC 4
|
585
|
+
// Precompute multiples of |p|. p_pre_comp[i] is (2*i+1) * |p|.
|
586
|
+
fiat_p256_felem p_pre_comp[1 << (P256_WSIZE_PUBLIC - 1)][3];
|
587
|
+
fiat_p256_from_generic(p_pre_comp[0][0], &p->X);
|
588
|
+
fiat_p256_from_generic(p_pre_comp[0][1], &p->Y);
|
589
|
+
fiat_p256_from_generic(p_pre_comp[0][2], &p->Z);
|
590
|
+
fiat_p256_felem p2[3];
|
591
|
+
fiat_p256_point_double(p2[0], p2[1], p2[2], p_pre_comp[0][0],
|
592
|
+
p_pre_comp[0][1], p_pre_comp[0][2]);
|
593
|
+
for (size_t i = 1; i < OPENSSL_ARRAY_SIZE(p_pre_comp); i++) {
|
594
|
+
fiat_p256_point_add(p_pre_comp[i][0], p_pre_comp[i][1], p_pre_comp[i][2],
|
595
|
+
p_pre_comp[i - 1][0], p_pre_comp[i - 1][1],
|
596
|
+
p_pre_comp[i - 1][2], 0 /* not mixed */, p2[0], p2[1],
|
597
|
+
p2[2]);
|
598
|
+
}
|
599
|
+
|
600
|
+
// Set up the coefficients for |p_scalar|.
|
601
|
+
int8_t p_wNAF[257];
|
602
|
+
ec_compute_wNAF(group, p_wNAF, p_scalar, 256, P256_WSIZE_PUBLIC);
|
603
|
+
|
604
|
+
// Set |ret| to the point at infinity.
|
605
|
+
int skip = 1; // Save some point operations.
|
606
|
+
fiat_p256_felem ret[3] = {{0}, {0}, {0}};
|
607
|
+
for (int i = 256; i >= 0; i--) {
|
608
|
+
if (!skip) {
|
609
|
+
fiat_p256_point_double(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2]);
|
610
|
+
}
|
611
|
+
|
612
|
+
// For the |g_scalar|, we use the precomputed table without the
|
613
|
+
// constant-time lookup.
|
614
|
+
if (i <= 31) {
|
615
|
+
// First, look 32 bits upwards.
|
616
|
+
uint64_t bits = fiat_p256_get_bit(g_scalar->bytes, i + 224) << 3;
|
617
|
+
bits |= fiat_p256_get_bit(g_scalar->bytes, i + 160) << 2;
|
618
|
+
bits |= fiat_p256_get_bit(g_scalar->bytes, i + 96) << 1;
|
619
|
+
bits |= fiat_p256_get_bit(g_scalar->bytes, i + 32);
|
620
|
+
if (bits != 0) {
|
621
|
+
fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2],
|
622
|
+
1 /* mixed */, fiat_p256_g_pre_comp[1][bits - 1][0],
|
623
|
+
fiat_p256_g_pre_comp[1][bits - 1][1],
|
624
|
+
fiat_p256_one);
|
625
|
+
skip = 0;
|
626
|
+
}
|
627
|
+
|
628
|
+
// Second, look at the current position.
|
629
|
+
bits = fiat_p256_get_bit(g_scalar->bytes, i + 192) << 3;
|
630
|
+
bits |= fiat_p256_get_bit(g_scalar->bytes, i + 128) << 2;
|
631
|
+
bits |= fiat_p256_get_bit(g_scalar->bytes, i + 64) << 1;
|
632
|
+
bits |= fiat_p256_get_bit(g_scalar->bytes, i);
|
633
|
+
if (bits != 0) {
|
634
|
+
fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2],
|
635
|
+
1 /* mixed */, fiat_p256_g_pre_comp[0][bits - 1][0],
|
636
|
+
fiat_p256_g_pre_comp[0][bits - 1][1],
|
637
|
+
fiat_p256_one);
|
638
|
+
skip = 0;
|
639
|
+
}
|
640
|
+
}
|
641
|
+
|
642
|
+
int digit = p_wNAF[i];
|
643
|
+
if (digit != 0) {
|
644
|
+
assert(digit & 1);
|
645
|
+
int idx = digit < 0 ? (-digit) >> 1 : digit >> 1;
|
646
|
+
fiat_p256_felem *y = &p_pre_comp[idx][1], tmp;
|
647
|
+
if (digit < 0) {
|
648
|
+
fiat_p256_opp(tmp, p_pre_comp[idx][1]);
|
649
|
+
y = &tmp;
|
650
|
+
}
|
651
|
+
if (!skip) {
|
652
|
+
fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2],
|
653
|
+
0 /* not mixed */, p_pre_comp[idx][0], *y,
|
654
|
+
p_pre_comp[idx][2]);
|
655
|
+
} else {
|
656
|
+
fiat_p256_copy(ret[0], p_pre_comp[idx][0]);
|
657
|
+
fiat_p256_copy(ret[1], *y);
|
658
|
+
fiat_p256_copy(ret[2], p_pre_comp[idx][2]);
|
659
|
+
skip = 0;
|
660
|
+
}
|
661
|
+
}
|
662
|
+
}
|
663
|
+
|
664
|
+
fiat_p256_to_generic(&r->X, ret[0]);
|
665
|
+
fiat_p256_to_generic(&r->Y, ret[1]);
|
666
|
+
fiat_p256_to_generic(&r->Z, ret[2]);
|
667
|
+
}
|
668
|
+
|
669
|
+
static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group,
|
670
|
+
const EC_RAW_POINT *p,
|
671
|
+
const EC_SCALAR *r) {
|
672
|
+
if (ec_GFp_simple_is_at_infinity(group, p)) {
|
673
|
+
return 0;
|
674
|
+
}
|
675
|
+
|
676
|
+
// We wish to compare X/Z^2 with r. This is equivalent to comparing X with
|
677
|
+
// r*Z^2. Note that X and Z are represented in Montgomery form, while r is
|
678
|
+
// not.
|
679
|
+
fiat_p256_felem Z2_mont;
|
680
|
+
fiat_p256_from_generic(Z2_mont, &p->Z);
|
681
|
+
fiat_p256_mul(Z2_mont, Z2_mont, Z2_mont);
|
682
|
+
|
683
|
+
fiat_p256_felem r_Z2;
|
684
|
+
fiat_p256_from_bytes(r_Z2, r->bytes); // r < order < p, so this is valid.
|
685
|
+
fiat_p256_mul(r_Z2, r_Z2, Z2_mont);
|
686
|
+
|
687
|
+
fiat_p256_felem X;
|
688
|
+
fiat_p256_from_generic(X, &p->X);
|
689
|
+
fiat_p256_from_montgomery(X, X);
|
690
|
+
|
691
|
+
if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {
|
692
|
+
return 1;
|
693
|
+
}
|
694
|
+
|
695
|
+
// During signing the x coefficient is reduced modulo the group order.
|
696
|
+
// Therefore there is a small possibility, less than 1/2^128, that group_order
|
697
|
+
// < p.x < P. in that case we need not only to compare against |r| but also to
|
698
|
+
// compare against r+group_order.
|
699
|
+
assert(group->field.width == group->order.width);
|
700
|
+
if (bn_less_than_words(r->words, group->field_minus_order.words,
|
701
|
+
group->field.width)) {
|
702
|
+
// We can ignore the carry because: r + group_order < p < 2^256.
|
703
|
+
EC_FELEM tmp;
|
704
|
+
bn_add_words(tmp.words, r->words, group->order.d, group->order.width);
|
705
|
+
fiat_p256_from_generic(r_Z2, &tmp);
|
706
|
+
fiat_p256_mul(r_Z2, r_Z2, Z2_mont);
|
707
|
+
if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {
|
708
|
+
return 1;
|
709
|
+
}
|
710
|
+
}
|
711
|
+
|
712
|
+
return 0;
|
713
|
+
}
|
714
|
+
|
715
|
+
DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp256_method) {
|
716
|
+
out->group_init = ec_GFp_mont_group_init;
|
717
|
+
out->group_finish = ec_GFp_mont_group_finish;
|
718
|
+
out->group_set_curve = ec_GFp_mont_group_set_curve;
|
719
|
+
out->point_get_affine_coordinates =
|
720
|
+
ec_GFp_nistp256_point_get_affine_coordinates;
|
721
|
+
out->add = ec_GFp_nistp256_add;
|
722
|
+
out->dbl = ec_GFp_nistp256_dbl;
|
723
|
+
out->mul = ec_GFp_nistp256_point_mul;
|
724
|
+
out->mul_base = ec_GFp_nistp256_point_mul_base;
|
725
|
+
out->mul_public = ec_GFp_nistp256_point_mul_public;
|
726
|
+
out->felem_mul = ec_GFp_mont_felem_mul;
|
727
|
+
out->felem_sqr = ec_GFp_mont_felem_sqr;
|
728
|
+
out->felem_to_bytes = ec_GFp_mont_felem_to_bytes;
|
729
|
+
out->felem_from_bytes = ec_GFp_mont_felem_from_bytes;
|
730
|
+
out->scalar_inv0_montgomery = ec_simple_scalar_inv0_montgomery;
|
731
|
+
out->scalar_to_montgomery_inv_vartime =
|
732
|
+
ec_simple_scalar_to_montgomery_inv_vartime;
|
733
|
+
out->cmp_x_coordinate = ec_GFp_nistp256_cmp_x_coordinate;
|
734
|
+
}
|
735
|
+
|
736
|
+
#undef BORINGSSL_NISTP256_64BIT
|