grpc 1.56.2 → 1.57.0.pre1

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c

@@ -93,8 +93,8 @@ static EC_WRAPPED_SCALAR *ec_wrapped_scalar_new(const EC_GROUP *group) {
 
   OPENSSL_memset(wrapped, 0, sizeof(EC_WRAPPED_SCALAR));
   wrapped->bignum.d = wrapped->scalar.words;
-  wrapped->bignum.width = group->order.width;
-  wrapped->bignum.dmax = group->order.width;
+  wrapped->bignum.width = group->order.N.width;
+  wrapped->bignum.dmax = group->order.N.width;
   wrapped->bignum.flags = BN_FLG_STATIC_DATA;
   return wrapped;
 }
@@ -485,7 +485,7 @@ int EC_KEY_generate_key(EC_KEY *key) {
   }
 
   // Check that the group order is FIPS compliant (FIPS 186-4 B.4.2).
-  if (BN_num_bits(EC_GROUP_get0_order(key->group)) < 160) {
+  if (EC_GROUP_order_bits(key->group) < 160) {
     OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
     return 0;
   }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c

@@ -76,67 +76,35 @@
 #include "internal.h"
 
 
-int ec_GFp_mont_group_init(EC_GROUP *group) {
-  int ok;
-
-  ok = ec_GFp_simple_group_init(group);
-  group->mont = NULL;
-  return ok;
-}
-
-void ec_GFp_mont_group_finish(EC_GROUP *group) {
-  BN_MONT_CTX_free(group->mont);
-  group->mont = NULL;
-  ec_GFp_simple_group_finish(group);
-}
-
-int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p,
-                                const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
-  BN_MONT_CTX_free(group->mont);
-  group->mont = BN_MONT_CTX_new_for_modulus(p, ctx);
-  if (group->mont == NULL) {
-    OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
-    return 0;
-  }
-
-  if (!ec_GFp_simple_group_set_curve(group, p, a, b, ctx)) {
-    BN_MONT_CTX_free(group->mont);
-    group->mont = NULL;
-    return 0;
-  }
-
-  return 1;
-}
-
 static void ec_GFp_mont_felem_to_montgomery(const EC_GROUP *group,
                                             EC_FELEM *out, const EC_FELEM *in) {
-  bn_to_montgomery_small(out->words, in->words, group->field.width,
-                         group->mont);
+  bn_to_montgomery_small(out->words, in->words, group->field.N.width,
+                         &group->field);
 }
 
 static void ec_GFp_mont_felem_from_montgomery(const EC_GROUP *group,
                                               EC_FELEM *out,
                                               const EC_FELEM *in) {
-  bn_from_montgomery_small(out->words, group->field.width, in->words,
-                           group->field.width, group->mont);
+  bn_from_montgomery_small(out->words, group->field.N.width, in->words,
+                           group->field.N.width, &group->field);
 }
 
 static void ec_GFp_mont_felem_inv0(const EC_GROUP *group, EC_FELEM *out,
                                    const EC_FELEM *a) {
-  bn_mod_inverse0_prime_mont_small(out->words, a->words, group->field.width,
-                                   group->mont);
+  bn_mod_inverse0_prime_mont_small(out->words, a->words, group->field.N.width,
+                                   &group->field);
 }
 
 void ec_GFp_mont_felem_mul(const EC_GROUP *group, EC_FELEM *r,
                            const EC_FELEM *a, const EC_FELEM *b) {
-  bn_mod_mul_montgomery_small(r->words, a->words, b->words, group->field.width,
-                              group->mont);
+  bn_mod_mul_montgomery_small(r->words, a->words, b->words,
+                              group->field.N.width, &group->field);
 }
 
 void ec_GFp_mont_felem_sqr(const EC_GROUP *group, EC_FELEM *r,
                            const EC_FELEM *a) {
-  bn_mod_mul_montgomery_small(r->words, a->words, a->words, group->field.width,
-                              group->mont);
+  bn_mod_mul_montgomery_small(r->words, a->words, a->words,
+                              group->field.N.width, &group->field);
 }
 
 void ec_GFp_mont_felem_to_bytes(const EC_GROUP *group, uint8_t *out,
@@ -159,8 +127,8 @@ int ec_GFp_mont_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out,
 void ec_GFp_mont_felem_reduce(const EC_GROUP *group, EC_FELEM *out,
                               const BN_ULONG *words, size_t num) {
   // Convert "from" Montgomery form so the value is reduced mod p.
-  bn_from_montgomery_small(out->words, group->field.width, words, num,
-                           group->mont);
+  bn_from_montgomery_small(out->words, group->field.N.width, words, num,
+                           &group->field);
   // Convert "to" Montgomery form to remove the R^-1 factor added.
   ec_GFp_mont_felem_to_montgomery(group, out, out);
   // Convert to Montgomery form to match this implementation's representation.
@@ -170,14 +138,15 @@ void ec_GFp_mont_felem_reduce(const EC_GROUP *group, EC_FELEM *out,
 void ec_GFp_mont_felem_exp(const EC_GROUP *group, EC_FELEM *out,
                            const EC_FELEM *a, const BN_ULONG *exp,
                            size_t num_exp) {
-  bn_mod_exp_mont_small(out->words, a->words, group->field.width, exp, num_exp,
-                        group->mont);
+  bn_mod_exp_mont_small(out->words, a->words, group->field.N.width, exp,
+                        num_exp, &group->field);
 }
 
 static int ec_GFp_mont_point_get_affine_coordinates(const EC_GROUP *group,
                                                     const EC_JACOBIAN *point,
                                                     EC_FELEM *x, EC_FELEM *y) {
-  if (ec_GFp_simple_is_at_infinity(group, point)) {
+  if (constant_time_declassify_int(
+          ec_GFp_simple_is_at_infinity(group, point))) {
     OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
     return 0;
   }
@@ -317,7 +286,7 @@ void ec_GFp_mont_add(const EC_GROUP *group, EC_JACOBIAN *out,
 
   // This case will never occur in the constant-time |ec_GFp_mont_mul|.
   BN_ULONG is_nontrivial_double = ~xneq & ~yneq & z1nz & z2nz;
-  if (is_nontrivial_double) {
+  if (constant_time_declassify_w(is_nontrivial_double)) {
     ec_GFp_mont_dbl(group, out, a);
     return;
   }
@@ -456,7 +425,7 @@ static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
                                         const EC_JACOBIAN *p,
                                         const EC_SCALAR *r) {
   if (!group->field_greater_than_order ||
-      group->field.width != group->order.width) {
+      group->field.N.width != group->order.N.width) {
     // Do not bother optimizing this case. p > order in all commonly-used
     // curves.
     return ec_GFp_simple_cmp_x_coordinate(group, p, r);
@@ -472,7 +441,7 @@ static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
   EC_FELEM r_Z2, Z2_mont, X;
   ec_GFp_mont_felem_mul(group, &Z2_mont, &p->Z, &p->Z);
   // r < order < p, so this is valid.
-  OPENSSL_memcpy(r_Z2.words, r->words, group->field.width * sizeof(BN_ULONG));
+  OPENSSL_memcpy(r_Z2.words, r->words, group->field.N.width * sizeof(BN_ULONG));
   ec_GFp_mont_felem_mul(group, &r_Z2, &r_Z2, &Z2_mont);
   ec_GFp_mont_felem_from_montgomery(group, &X, &p->X);
 
@@ -484,10 +453,11 @@ static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
   // Therefore there is a small possibility, less than 1/2^128, that group_order
   // < p.x < P. in that case we need not only to compare against |r| but also to
   // compare against r+group_order.
-  if (bn_less_than_words(r->words, group->field_minus_order.words,
-                         group->field.width)) {
-    // We can ignore the carry because: r + group_order < p < 2^256.
-    bn_add_words(r_Z2.words, r->words, group->order.d, group->field.width);
+  BN_ULONG carry = bn_add_words(r_Z2.words, r->words, group->order.N.d,
+                                group->field.N.width);
+  if (carry == 0 &&
+      bn_less_than_words(r_Z2.words, group->field.N.d, group->field.N.width)) {
+    // r + group_order < p, so compare (r + group_order) * Z^2 against X.
     ec_GFp_mont_felem_mul(group, &r_Z2, &r_Z2, &Z2_mont);
     if (ec_felem_equal(group, &r_Z2, &X)) {
       return 1;
@@ -498,9 +468,6 @@ static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
 }
 
 DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_mont_method) {
-  out->group_init = ec_GFp_mont_group_init;
-  out->group_finish = ec_GFp_mont_group_finish;
-  out->group_set_curve = ec_GFp_mont_group_set_curve;
   out->point_get_affine_coordinates = ec_GFp_mont_point_get_affine_coordinates;
   out->jacobian_to_affine_batch = ec_GFp_mont_jacobian_to_affine_batch;
   out->add = ec_GFp_mont_add;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/felem.c

@@ -23,12 +23,16 @@
 #include "../../internal.h"
 
 
+const EC_FELEM *ec_felem_one(const EC_GROUP *group) {
+  // We reuse generator.Z as a cache for 1 in the field.
+  return &group->generator.raw.Z;
+}
+
 int ec_bignum_to_felem(const EC_GROUP *group, EC_FELEM *out, const BIGNUM *in) {
   uint8_t bytes[EC_MAX_BYTES];
-  size_t len = BN_num_bytes(&group->field);
+  size_t len = BN_num_bytes(&group->field.N);
   assert(sizeof(bytes) >= len);
-  if (BN_is_negative(in) ||
-      BN_cmp(in, &group->field) >= 0 ||
+  if (BN_is_negative(in) || BN_cmp(in, &group->field.N) >= 0 ||
       !BN_bn2bin_padded(bytes, len, in)) {
     OPENSSL_PUT_ERROR(EC, EC_R_COORDINATES_OUT_OF_RANGE);
     return 0;
@@ -57,11 +61,11 @@ int ec_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, const uint8_t *in,
 void ec_felem_neg(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a) {
   // -a is zero if a is zero and p-a otherwise.
   BN_ULONG mask = ec_felem_non_zero_mask(group, a);
-  BN_ULONG borrow =
-      bn_sub_words(out->words, group->field.d, a->words, group->field.width);
+  BN_ULONG borrow = bn_sub_words(out->words, group->field.N.d, a->words,
+                                 group->field.N.width);
   assert(borrow == 0);
   (void)borrow;
-  for (int i = 0; i < group->field.width; i++) {
+  for (int i = 0; i < group->field.N.width; i++) {
     out->words[i] &= mask;
   }
 }
@@ -69,20 +73,20 @@ void ec_felem_neg(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a) {
 void ec_felem_add(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a,
                   const EC_FELEM *b) {
   EC_FELEM tmp;
-  bn_mod_add_words(out->words, a->words, b->words, group->field.d, tmp.words,
-                   group->field.width);
+  bn_mod_add_words(out->words, a->words, b->words, group->field.N.d, tmp.words,
+                   group->field.N.width);
 }
 
 void ec_felem_sub(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a,
                   const EC_FELEM *b) {
   EC_FELEM tmp;
-  bn_mod_sub_words(out->words, a->words, b->words, group->field.d, tmp.words,
-                   group->field.width);
+  bn_mod_sub_words(out->words, a->words, b->words, group->field.N.d, tmp.words,
+                   group->field.N.width);
 }
 
 BN_ULONG ec_felem_non_zero_mask(const EC_GROUP *group, const EC_FELEM *a) {
   BN_ULONG mask = 0;
-  for (int i = 0; i < group->field.width; i++) {
+  for (int i = 0; i < group->field.N.width; i++) {
     mask |= a->words[i];
   }
   return ~constant_time_is_zero_w(mask);
@@ -90,11 +94,11 @@ BN_ULONG ec_felem_non_zero_mask(const EC_GROUP *group, const EC_FELEM *a) {
 
 void ec_felem_select(const EC_GROUP *group, EC_FELEM *out, BN_ULONG mask,
                      const EC_FELEM *a, const EC_FELEM *b) {
-  bn_select_words(out->words, mask, a->words, b->words, group->field.width);
+  bn_select_words(out->words, mask, a->words, b->words, group->field.N.width);
 }
 
 int ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a,
                    const EC_FELEM *b) {
   return CRYPTO_memcmp(a->words, b->words,
-                       group->field.width * sizeof(BN_ULONG)) == 0;
+                       group->field.N.width * sizeof(BN_ULONG)) == 0;
 }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h

@@ -197,6 +197,9 @@ typedef struct {
   BN_ULONG words[EC_MAX_WORDS];
 } EC_FELEM;
 
+// ec_felem_one returns one in |group|'s field.
+const EC_FELEM *ec_felem_one(const EC_GROUP *group);
+
 // ec_bignum_to_felem converts |in| to an |EC_FELEM|. It returns one on success
 // and zero if |in| is out of range.
 int ec_bignum_to_felem(const EC_GROUP *group, EC_FELEM *out, const BIGNUM *in);
@@ -421,7 +424,7 @@ void ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask,
 
 // ec_cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group
 // order, with |r|. It returns one if the values match and zero if |p| is the
-// point at infinity of the values do not match.
+// point at infinity of the values do not match. |p| is treated as public.
 int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,
                         const EC_SCALAR *r);
 
@@ -472,14 +475,10 @@ int ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a,
 // Implementation details.
 
 struct ec_method_st {
-  int (*group_init)(EC_GROUP *);
-  void (*group_finish)(EC_GROUP *);
-  int (*group_set_curve)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
-                         const BIGNUM *b, BN_CTX *);
-
   // point_get_affine_coordinates sets |*x| and |*y| to the affine coordinates
   // of |p|. Either |x| or |y| may be NULL to omit it. It returns one on success
-  // and zero if |p| is the point at infinity.
+  // and zero if |p| is the point at infinity. It leaks whether |p| was the
+  // point at infinity, but otherwise treats |p| as secret.
   int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_JACOBIAN *p,
                                       EC_FELEM *x, EC_FELEM *y);
 
@@ -587,60 +586,54 @@ struct ec_method_st {
 
 const EC_METHOD *EC_GFp_mont_method(void);
 
+struct ec_point_st {
+  // group is an owning reference to |group|, unless this is
+  // |group->generator|.
+  EC_GROUP *group;
+  // raw is the group-specific point data. Functions that take |EC_POINT|
+  // typically check consistency with |EC_GROUP| while functions that take
+  // |EC_JACOBIAN| do not. Thus accesses to this field should be externally
+  // checked for consistency.
+  EC_JACOBIAN raw;
+} /* EC_POINT */;
+
 struct ec_group_st {
   const EC_METHOD *meth;
 
   // Unlike all other |EC_POINT|s, |generator| does not own |generator->group|
   // to avoid a reference cycle. Additionally, Z is guaranteed to be one, so X
-  // and Y are suitable for use as an |EC_AFFINE|.
-  EC_POINT *generator;
-  BIGNUM order;
-
-  int curve_name;  // optional NID for named curve
+  // and Y are suitable for use as an |EC_AFFINE|. Before |has_order| is set, Z
+  // is one, but X and Y are uninitialized.
+  EC_POINT generator;
 
-  BN_MONT_CTX *order_mont;  // data for ECDSA inverse
+  BN_MONT_CTX order;
+  BN_MONT_CTX field;
 
-  // The following members are handled by the method functions,
-  // even if they appear generic
+  EC_FELEM a, b;  // Curve coefficients.
 
-  BIGNUM field;  // For curves over GF(p), this is the modulus.
+  // comment is a human-readable string describing the curve.
+  const char *comment;
 
-  EC_FELEM a, b;  // Curve coefficients.
+  int curve_name;  // optional NID for named curve
+  uint8_t oid[9];
+  uint8_t oid_len;
 
   // a_is_minus3 is one if |a| is -3 mod |field| and zero otherwise. Point
   // arithmetic is optimized for -3.
   int a_is_minus3;
 
+  // has_order is one if |generator| and |order| have been initialized.
+  int has_order;
+
   // field_greater_than_order is one if |field| is greate than |order| and zero
   // otherwise.
   int field_greater_than_order;
 
-  // field_minus_order, if |field_greater_than_order| is true, is |field| minus
-  // |order| represented as an |EC_FELEM|. Otherwise, it is zero.
-  //
-  // Note: unlike |EC_FELEM|s used as intermediate values internal to the
-  // |EC_METHOD|, this value is not encoded in Montgomery form.
-  EC_FELEM field_minus_order;
-
   CRYPTO_refcount_t references;
-
-  BN_MONT_CTX *mont;  // Montgomery structure.
-
-  EC_FELEM one;  // The value one.
 } /* EC_GROUP */;
 
-struct ec_point_st {
-  // group is an owning reference to |group|, unless this is
-  // |group->generator|.
-  EC_GROUP *group;
-  // raw is the group-specific point data. Functions that take |EC_POINT|
-  // typically check consistency with |EC_GROUP| while functions that take
-  // |EC_JACOBIAN| do not. Thus accesses to this field should be externally
-  // checked for consistency.
-  EC_JACOBIAN raw;
-} /* EC_POINT */;
-
-EC_GROUP *ec_group_new(const EC_METHOD *meth);
+EC_GROUP *ec_group_new(const EC_METHOD *meth, const BIGNUM *p, const BIGNUM *a,
+                       const BIGNUM *b, BN_CTX *ctx);
 
 void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
                      const EC_JACOBIAN *p, const EC_SCALAR *scalar);
@@ -679,8 +672,6 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
                                  const EC_SCALAR *scalars, size_t num);
 
 // method functions in simple.c
-int ec_GFp_simple_group_init(EC_GROUP *);
-void ec_GFp_simple_group_finish(EC_GROUP *);
 int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
                                   const BIGNUM *b, BN_CTX *);
 int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
@@ -712,10 +703,6 @@ int ec_GFp_simple_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out,
                                    const uint8_t *in, size_t len);
 
 // method functions in montgomery.c
-int ec_GFp_mont_group_init(EC_GROUP *);
-int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
-                                const BIGNUM *b, BN_CTX *);
-void ec_GFp_mont_group_finish(EC_GROUP *);
 void ec_GFp_mont_felem_mul(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,
                            const EC_FELEM *b);
 void ec_GFp_mont_felem_sqr(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a);
@@ -761,31 +748,6 @@ struct ec_key_st {
   CRYPTO_EX_DATA ex_data;
 } /* EC_KEY */;
 
-struct built_in_curve {
-  int nid;
-  const uint8_t *oid;
-  uint8_t oid_len;
-  // comment is a human-readable string describing the curve.
-  const char *comment;
-  // param_len is the number of bytes needed to store a field element.
-  uint8_t param_len;
-  // params points to an array of 6*|param_len| bytes which hold the field
-  // elements of the following (in big-endian order): prime, a, b, generator x,
-  // generator y, order.
-  const uint8_t *params;
-  const EC_METHOD *method;
-};
-
-#define OPENSSL_NUM_BUILT_IN_CURVES 4
-
-struct built_in_curves {
-  struct built_in_curve curves[OPENSSL_NUM_BUILT_IN_CURVES];
-};
-
-// OPENSSL_built_in_curves returns a pointer to static information about
-// standard curves. The array is terminated with an entry where |nid| is
-// |NID_undef|.
-const struct built_in_curves *OPENSSL_built_in_curves(void);
 
 #if defined(__cplusplus)
 }  // extern C

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c

@@ -80,7 +80,7 @@ size_t ec_point_byte_len(const EC_GROUP *group, point_conversion_form_t form) {
     return 0;
   }
 
-  const size_t field_len = BN_num_bytes(&group->field);
+  const size_t field_len = BN_num_bytes(&group->field.N);
   size_t output_len = 1 /* type byte */ + field_len;
   if (form == POINT_CONVERSION_UNCOMPRESSED) {
     // Uncompressed points have a second coordinate.
@@ -100,11 +100,11 @@ size_t ec_point_to_bytes(const EC_GROUP *group, const EC_AFFINE *point,
 
   size_t field_len;
   ec_felem_to_bytes(group, buf + 1, &field_len, &point->X);
-  assert(field_len == BN_num_bytes(&group->field));
+  assert(field_len == BN_num_bytes(&group->field.N));
 
   if (form == POINT_CONVERSION_UNCOMPRESSED) {
     ec_felem_to_bytes(group, buf + 1 + field_len, &field_len, &point->Y);
-    assert(field_len == BN_num_bytes(&group->field));
+    assert(field_len == BN_num_bytes(&group->field.N));
     buf[0] = form;
   } else {
     uint8_t y_buf[EC_MAX_BYTES];
@@ -117,7 +117,7 @@ size_t ec_point_to_bytes(const EC_GROUP *group, const EC_AFFINE *point,
 
 int ec_point_from_uncompressed(const EC_GROUP *group, EC_AFFINE *out,
                                const uint8_t *in, size_t len) {
-  const size_t field_len = BN_num_bytes(&group->field);
+  const size_t field_len = BN_num_bytes(&group->field.N);
   if (len != 1 + 2 * field_len || in[0] != POINT_CONVERSION_UNCOMPRESSED) {
     OPENSSL_PUT_ERROR(EC, EC_R_INVALID_ENCODING);
     return 0;
@@ -155,7 +155,7 @@ static int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
   }
 
   const int y_bit = form & 1;
-  const size_t field_len = BN_num_bytes(&group->field);
+  const size_t field_len = BN_num_bytes(&group->field.N);
   form = form & ~1u;
   if (form != POINT_CONVERSION_COMPRESSED ||
       len != 1 /* type byte */ + field_len) {
@@ -182,7 +182,7 @@ static int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
   if (x == NULL || !BN_bin2bn(buf + 1, field_len, x)) {
     goto err;
   }
-  if (BN_ucmp(x, &group->field) >= 0) {
+  if (BN_ucmp(x, &group->field.N) >= 0) {
     OPENSSL_PUT_ERROR(EC, EC_R_INVALID_ENCODING);
     goto err;
   }
@@ -260,7 +260,8 @@ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group,
     return 0;
   }
 
-  if (BN_is_negative(x) || BN_cmp(x, &group->field) >= 0) {
+  const BIGNUM *field = &group->field.N;
+  if (BN_is_negative(x) || BN_cmp(x, field) >= 0) {
     OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSED_POINT);
     return 0;
   }
@@ -295,31 +296,31 @@ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group,
   // so  y  is one of the square roots of  x^3 + a*x + b.
 
   // tmp1 := x^3
-  if (!BN_mod_sqr(tmp2, x, &group->field, ctx) ||
-      !BN_mod_mul(tmp1, tmp2, x, &group->field, ctx)) {
+  if (!BN_mod_sqr(tmp2, x, field, ctx) ||
+      !BN_mod_mul(tmp1, tmp2, x, field, ctx)) {
     goto err;
   }
 
   // tmp1 := tmp1 + a*x
   if (group->a_is_minus3) {
-    if (!bn_mod_lshift1_consttime(tmp2, x, &group->field, ctx) ||
-        !bn_mod_add_consttime(tmp2, tmp2, x, &group->field, ctx) ||
-        !bn_mod_sub_consttime(tmp1, tmp1, tmp2, &group->field, ctx)) {
+    if (!bn_mod_lshift1_consttime(tmp2, x, field, ctx) ||
+        !bn_mod_add_consttime(tmp2, tmp2, x, field, ctx) ||
+        !bn_mod_sub_consttime(tmp1, tmp1, tmp2, field, ctx)) {
       goto err;
     }
   } else {
-    if (!BN_mod_mul(tmp2, a, x, &group->field, ctx) ||
-        !bn_mod_add_consttime(tmp1, tmp1, tmp2, &group->field, ctx)) {
+    if (!BN_mod_mul(tmp2, a, x, field, ctx) ||
+        !bn_mod_add_consttime(tmp1, tmp1, tmp2, field, ctx)) {
       goto err;
     }
   }
 
   // tmp1 := tmp1 + b
-  if (!bn_mod_add_consttime(tmp1, tmp1, b, &group->field, ctx)) {
+  if (!bn_mod_add_consttime(tmp1, tmp1, b, field, ctx)) {
     goto err;
   }
 
-  if (!BN_mod_sqrt(y, tmp1, &group->field, ctx)) {
+  if (!BN_mod_sqrt(y, tmp1, field, ctx)) {
     uint32_t err = ERR_peek_last_error();
     if (ERR_GET_LIB(err) == ERR_LIB_BN &&
         ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) {
@@ -336,7 +337,7 @@ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group,
       OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSION_BIT);
       goto err;
     }
-    if (!BN_usub(y, &group->field, y)) {
+    if (!BN_usub(y, field, y)) {
       goto err;
     }
   }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c

@@ -734,8 +734,8 @@ static void p224_point_add(p224_felem x3, p224_felem y3, p224_felem z3,
   // tmp[i] < 2^116 + 2^64 + 8 < 2^117
   p224_felem_reduce(ftmp, tmp);
 
-  // the formulae are incorrect if the points are equal
-  // so we check for this and do doubling if this happens
+  // The formulae are incorrect if the points are equal, so we check for this
+  // and do doubling if this happens.
   x_equal = p224_felem_is_zero(ftmp);
   y_equal = p224_felem_is_zero(ftmp3);
   z1_is_zero = p224_felem_is_zero(z1);
@@ -743,7 +743,7 @@ static void p224_point_add(p224_felem x3, p224_felem y3, p224_felem z3,
   // In affine coordinates, (X_1, Y_1) == (X_2, Y_2)
   p224_limb is_nontrivial_double =
       x_equal & y_equal & (1 - z1_is_zero) & (1 - z2_is_zero);
-  if (is_nontrivial_double) {
+  if (constant_time_declassify_w(is_nontrivial_double)) {
     p224_point_double(x3, y3, z3, x1, y1, z1);
     return;
   }
@@ -862,7 +862,8 @@ static crypto_word_t p224_get_bit(const EC_SCALAR *in, size_t i) {
 static int ec_GFp_nistp224_point_get_affine_coordinates(
     const EC_GROUP *group, const EC_JACOBIAN *point, EC_FELEM *x,
     EC_FELEM *y) {
-  if (ec_GFp_simple_is_at_infinity(group, point)) {
+  if (constant_time_declassify_int(
+          ec_GFp_simple_is_at_infinity(group, point))) {
     OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
     return 0;
   }
@@ -1141,9 +1142,6 @@ static void ec_GFp_nistp224_felem_sqr(const EC_GROUP *group, EC_FELEM *r,
 }
 
 DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp224_method) {
-  out->group_init = ec_GFp_simple_group_init;
-  out->group_finish = ec_GFp_simple_group_finish;
-  out->group_set_curve = ec_GFp_simple_group_set_curve;
   out->point_get_affine_coordinates =
       ec_GFp_nistp224_point_get_affine_coordinates;
   out->add = ec_GFp_nistp224_add;