grpc 1.56.2 → 1.57.0.pre1

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz.c

@@ -191,7 +191,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,
                                       const EC_SCALAR *p_scalar) {
   assert(p != NULL);
   assert(p_scalar != NULL);
-  assert(group->field.width == P256_LIMBS);
+  assert(group->field.N.width == P256_LIMBS);
 
   static const size_t kWindowSize = 5;
   static const crypto_word_t kMask = (1 << (5 /* kWindowSize */ + 1)) - 1;
@@ -208,7 +208,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,
   // not stored. All other values are actually stored with an offset of -1 in
   // table.
   P256_POINT *row = table;
-  assert(group->field.width == P256_LIMBS);
+  assert(group->field.N.width == P256_LIMBS);
   OPENSSL_memcpy(row[1 - 1].X, p->X.words, P256_LIMBS * sizeof(BN_ULONG));
   OPENSSL_memcpy(row[1 - 1].Y, p->Y.words, P256_LIMBS * sizeof(BN_ULONG));
   OPENSSL_memcpy(row[1 - 1].Z, p->Z.words, P256_LIMBS * sizeof(BN_ULONG));
@@ -305,7 +305,7 @@ static void ecp_nistz256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,
   alignas(32) P256_POINT out;
   ecp_nistz256_windowed_mul(group, &out, p, scalar);
 
-  assert(group->field.width == P256_LIMBS);
+  assert(group->field.N.width == P256_LIMBS);
   OPENSSL_memcpy(r->X.words, out.X, P256_LIMBS * sizeof(BN_ULONG));
   OPENSSL_memcpy(r->Y.words, out.Y, P256_LIMBS * sizeof(BN_ULONG));
   OPENSSL_memcpy(r->Z.words, out.Z, P256_LIMBS * sizeof(BN_ULONG));
@@ -349,7 +349,7 @@ static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_JACOBIAN *r,
     ecp_nistz256_point_add_affine(&p, &p, &t);
   }
 
-  assert(group->field.width == P256_LIMBS);
+  assert(group->field.N.width == P256_LIMBS);
   OPENSSL_memcpy(r->X.words, p.X, P256_LIMBS * sizeof(BN_ULONG));
   OPENSSL_memcpy(r->Y.words, p.Y, P256_LIMBS * sizeof(BN_ULONG));
   OPENSSL_memcpy(r->Z.words, p.Z, P256_LIMBS * sizeof(BN_ULONG));
@@ -413,7 +413,7 @@ static void ecp_nistz256_points_mul_public(const EC_GROUP *group,
   ecp_nistz256_windowed_mul(group, &tmp, p_, p_scalar);
   ecp_nistz256_point_add(&p, &p, &tmp);
 
-  assert(group->field.width == P256_LIMBS);
+  assert(group->field.N.width == P256_LIMBS);
   OPENSSL_memcpy(r->X.words, p.X, P256_LIMBS * sizeof(BN_ULONG));
   OPENSSL_memcpy(r->Y.words, p.Y, P256_LIMBS * sizeof(BN_ULONG));
   OPENSSL_memcpy(r->Z.words, p.Z, P256_LIMBS * sizeof(BN_ULONG));
@@ -422,13 +422,14 @@ static void ecp_nistz256_points_mul_public(const EC_GROUP *group,
 static int ecp_nistz256_get_affine(const EC_GROUP *group,
                                    const EC_JACOBIAN *point, EC_FELEM *x,
                                    EC_FELEM *y) {
-  if (ec_GFp_simple_is_at_infinity(group, point)) {
+  if (constant_time_declassify_int(
+          ec_GFp_simple_is_at_infinity(group, point))) {
     OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
     return 0;
   }
 
   BN_ULONG z_inv2[P256_LIMBS];
-  assert(group->field.width == P256_LIMBS);
+  assert(group->field.N.width == P256_LIMBS);
   ecp_nistz256_mod_inverse_sqr_mont(z_inv2, point->Z.words);
 
   if (x != NULL) {
@@ -562,8 +563,8 @@ static int ecp_nistz256_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,
   }
 #endif
 
-  assert(group->order.width == P256_LIMBS);
-  if (!beeu_mod_inverse_vartime(out->words, in->words, group->order.d)) {
+  assert(group->order.N.width == P256_LIMBS);
+  if (!beeu_mod_inverse_vartime(out->words, in->words, group->order.N.d)) {
     return 0;
   }
 
@@ -579,8 +580,8 @@ static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,
     return 0;
   }
 
-  assert(group->order.width == P256_LIMBS);
-  assert(group->field.width == P256_LIMBS);
+  assert(group->order.N.width == P256_LIMBS);
+  assert(group->field.N.width == P256_LIMBS);
 
   // We wish to compare X/Z^2 with r. This is equivalent to comparing X with
   // r*Z^2. Note that X and Z are represented in Montgomery form, while r is
@@ -598,10 +599,9 @@ static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,
   // Therefore there is a small possibility, less than 1/2^128, that group_order
   // < p.x < P. in that case we need not only to compare against |r| but also to
   // compare against r+group_order.
-  if (bn_less_than_words(r->words, group->field_minus_order.words,
-                         P256_LIMBS)) {
-    // We can ignore the carry because: r + group_order < p < 2^256.
-    bn_add_words(r_Z2, r->words, group->order.d, P256_LIMBS);
+  BN_ULONG carry = bn_add_words(r_Z2, r->words, group->order.N.d, P256_LIMBS);
+  if (carry == 0 && bn_less_than_words(r_Z2, group->field.N.d, P256_LIMBS)) {
+    // r + group_order < p, so compare (r + group_order) * Z^2 against X.
     ecp_nistz256_mul_mont(r_Z2, r_Z2, Z2_mont);
     if (OPENSSL_memcmp(r_Z2, X, sizeof(r_Z2)) == 0) {
       return 1;
@@ -612,9 +612,6 @@ static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,
 }
 
 DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistz256_method) {
-  out->group_init = ec_GFp_mont_group_init;
-  out->group_finish = ec_GFp_mont_group_finish;
-  out->group_set_curve = ec_GFp_mont_group_set_curve;
   out->point_get_affine_coordinates = ecp_nistz256_get_affine;
   out->add = ecp_nistz256_add;
   out->dbl = ecp_nistz256_dbl;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c

@@ -324,7 +324,7 @@ static void fiat_p256_point_add(fiat_p256_felem x3, fiat_p256_felem y3,
   fiat_p256_limb_t is_nontrivial_double = constant_time_is_zero_w(xneq | yneq) &
                                           ~constant_time_is_zero_w(z1nz) &
                                           ~constant_time_is_zero_w(z2nz);
-  if (is_nontrivial_double) {
+  if (constant_time_declassify_w(is_nontrivial_double)) {
     fiat_p256_point_double(x3, y3, z3, x1, y1, z1);
     return;
   }
@@ -416,7 +416,8 @@ static crypto_word_t fiat_p256_get_bit(const EC_SCALAR *in, int i) {
 static int ec_GFp_nistp256_point_get_affine_coordinates(
     const EC_GROUP *group, const EC_JACOBIAN *point, EC_FELEM *x_out,
     EC_FELEM *y_out) {
-  if (ec_GFp_simple_is_at_infinity(group, point)) {
+  if (constant_time_declassify_int(
+          ec_GFp_simple_is_at_infinity(group, point))) {
     OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
     return 0;
   }
@@ -709,12 +710,12 @@ static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group,
   // Therefore there is a small possibility, less than 1/2^128, that group_order
   // < p.x < P. in that case we need not only to compare against |r| but also to
   // compare against r+group_order.
-  assert(group->field.width == group->order.width);
-  if (bn_less_than_words(r->words, group->field_minus_order.words,
-                         group->field.width)) {
-    // We can ignore the carry because: r + group_order < p < 2^256.
-    EC_FELEM tmp;
-    bn_add_words(tmp.words, r->words, group->order.d, group->order.width);
+  assert(group->field.N.width == group->order.N.width);
+  EC_FELEM tmp;
+  BN_ULONG carry =
+      bn_add_words(tmp.words, r->words, group->order.N.d, group->field.N.width);
+  if (carry == 0 &&
+      bn_less_than_words(tmp.words, group->field.N.d, group->field.N.width)) {
     fiat_p256_from_generic(r_Z2, &tmp);
     fiat_p256_mul(r_Z2, r_Z2, Z2_mont);
     if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {
@@ -726,9 +727,6 @@ static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group,
 }
 
 DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp256_method) {
-  out->group_init = ec_GFp_mont_group_init;
-  out->group_finish = ec_GFp_mont_group_finish;
-  out->group_set_curve = ec_GFp_mont_group_set_curve;
   out->point_get_affine_coordinates =
       ec_GFp_nistp256_point_get_affine_coordinates;
   out->add = ec_GFp_nistp256_add;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c

@@ -23,8 +23,8 @@
 
 int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
                         const BIGNUM *in) {
-  if (!bn_copy_words(out->words, group->order.width, in) ||
-      !bn_less_than_words(out->words, group->order.d, group->order.width)) {
+  if (!bn_copy_words(out->words, group->order.N.width, in) ||
+      !bn_less_than_words(out->words, group->order.N.d, group->order.N.width)) {
     OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
     return 0;
   }
@@ -34,12 +34,12 @@ int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
 int ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a,
                             const EC_SCALAR *b) {
   return OPENSSL_memcmp(a->words, b->words,
-                        group->order.width * sizeof(BN_ULONG)) == 0;
+                        group->order.N.width * sizeof(BN_ULONG)) == 0;
 }
 
 int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a) {
   BN_ULONG mask = 0;
-  for (int i = 0; i < group->order.width; i++) {
+  for (int i = 0; i < group->order.N.width; i++) {
     mask |= a->words[i];
   }
   return mask == 0;
@@ -47,27 +47,27 @@ int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a) {
 
 int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out,
                              const uint8_t additional_data[32]) {
-  return bn_rand_range_words(out->words, 1, group->order.d, group->order.width,
-                             additional_data);
+  return bn_rand_range_words(out->words, 1, group->order.N.d,
+                             group->order.N.width, additional_data);
 }
 
 void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len,
                         const EC_SCALAR *in) {
-  size_t len = BN_num_bytes(&group->order);
-  bn_words_to_big_endian(out, len, in->words, group->order.width);
+  size_t len = BN_num_bytes(&group->order.N);
+  bn_words_to_big_endian(out, len, in->words, group->order.N.width);
   *out_len = len;
 }
 
 int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out,
                          const uint8_t *in, size_t len) {
-  if (len != BN_num_bytes(&group->order)) {
+  if (len != BN_num_bytes(&group->order.N)) {
     OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
     return 0;
   }
 
-  bn_big_endian_to_words(out->words, group->order.width, in, len);
+  bn_big_endian_to_words(out->words, group->order.N.width, in, len);
 
-  if (!bn_less_than_words(out->words, group->order.d, group->order.width)) {
+  if (!bn_less_than_words(out->words, group->order.N.d, group->order.N.width)) {
     OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
     return 0;
   }
@@ -78,15 +78,15 @@ int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out,
 void ec_scalar_reduce(const EC_GROUP *group, EC_SCALAR *out,
                       const BN_ULONG *words, size_t num) {
   // Convert "from" Montgomery form so the value is reduced modulo the order.
-  bn_from_montgomery_small(out->words, group->order.width, words, num,
-                           group->order_mont);
+  bn_from_montgomery_small(out->words, group->order.N.width, words, num,
+                           &group->order);
   // Convert "to" Montgomery form to remove the R^-1 factor added.
   ec_scalar_to_montgomery(group, out, out);
 }
 
 void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
                    const EC_SCALAR *b) {
-  const BIGNUM *order = &group->order;
+  const BIGNUM *order = &group->order.N;
   BN_ULONG tmp[EC_MAX_WORDS];
   bn_mod_add_words(r->words, a->words, b->words, order->d, tmp, order->width);
   OPENSSL_cleanse(tmp, sizeof(tmp));
@@ -94,7 +94,7 @@ void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
 
 void ec_scalar_sub(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
                    const EC_SCALAR *b) {
-  const BIGNUM *order = &group->order;
+  const BIGNUM *order = &group->order.N;
   BN_ULONG tmp[EC_MAX_WORDS];
   bn_mod_sub_words(r->words, a->words, b->words, order->d, tmp, order->width);
   OPENSSL_cleanse(tmp, sizeof(tmp));
@@ -108,35 +108,35 @@ void ec_scalar_neg(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a) {
 
 void ec_scalar_select(const EC_GROUP *group, EC_SCALAR *out, BN_ULONG mask,
                       const EC_SCALAR *a, const EC_SCALAR *b) {
-  const BIGNUM *order = &group->order;
+  const BIGNUM *order = &group->order.N;
   bn_select_words(out->words, mask, a->words, b->words, order->width);
 }
 
 void ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r,
                              const EC_SCALAR *a) {
-  const BIGNUM *order = &group->order;
-  bn_to_montgomery_small(r->words, a->words, order->width, group->order_mont);
+  const BIGNUM *order = &group->order.N;
+  bn_to_montgomery_small(r->words, a->words, order->width, &group->order);
 }
 
 void ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r,
                                const EC_SCALAR *a) {
-  const BIGNUM *order = &group->order;
+  const BIGNUM *order = &group->order.N;
   bn_from_montgomery_small(r->words, order->width, a->words, order->width,
-                           group->order_mont);
+                           &group->order);
 }
 
 void ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r,
                               const EC_SCALAR *a, const EC_SCALAR *b) {
-  const BIGNUM *order = &group->order;
+  const BIGNUM *order = &group->order.N;
   bn_mod_mul_montgomery_small(r->words, a->words, b->words, order->width,
-                              group->order_mont);
+                              &group->order);
 }
 
 void ec_simple_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r,
                                       const EC_SCALAR *a) {
-  const BIGNUM *order = &group->order;
+  const BIGNUM *order = &group->order.N;
   bn_mod_inverse0_prime_mont_small(r->words, a->words, order->width,
-                                   group->order_mont);
+                                   &group->order);
 }
 
 int ec_simple_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c

@@ -88,16 +88,6 @@
 // used, it is a Montgomery representation (i.e. 'encoding' means multiplying
 // by some factor R).
 
-int ec_GFp_simple_group_init(EC_GROUP *group) {
-  BN_init(&group->field);
-  group->a_is_minus3 = 0;
-  return 1;
-}
-
-void ec_GFp_simple_group_finish(EC_GROUP *group) {
-  BN_free(&group->field);
-}
-
 int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
                                   const BIGNUM *a, const BIGNUM *b,
                                   BN_CTX *ctx) {
@@ -114,17 +104,11 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
     goto err;
   }
 
-  // group->field
-  if (!BN_copy(&group->field, p)) {
-    goto err;
-  }
-  BN_set_negative(&group->field, 0);
-  // Store the field in minimal form, so it can be used with |BN_ULONG| arrays.
-  bn_set_minimal_width(&group->field);
-
-  if (!ec_bignum_to_felem(group, &group->a, a) ||
+  if (!BN_MONT_CTX_set(&group->field, p, ctx) ||
+      !ec_bignum_to_felem(group, &group->a, a) ||
       !ec_bignum_to_felem(group, &group->b, b) ||
-      !ec_bignum_to_felem(group, &group->one, BN_value_one())) {
+      // Reuse Z from the generator to cache the value one.
+      !ec_bignum_to_felem(group, &group->generator.raw.Z, BN_value_one())) {
     goto err;
   }
 
@@ -133,7 +117,7 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
       !BN_add_word(tmp, 3)) {
     goto err;
   }
-  group->a_is_minus3 = (0 == BN_cmp(tmp, &group->field));
+  group->a_is_minus3 = (0 == BN_cmp(tmp, &group->field.N));
 
   ret = 1;
 
@@ -144,7 +128,7 @@ err:
 
 int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
                                   BIGNUM *b) {
-  if ((p != NULL && !BN_copy(p, &group->field)) ||
+  if ((p != NULL && !BN_copy(p, &group->field.N)) ||
       (a != NULL && !ec_felem_to_bignum(group, a, &group->a)) ||
       (b != NULL && !ec_felem_to_bignum(group, b, &group->b))) {
     return 0;
@@ -329,21 +313,21 @@ int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,
 
 void ec_GFp_simple_felem_to_bytes(const EC_GROUP *group, uint8_t *out,
                                   size_t *out_len, const EC_FELEM *in) {
-  size_t len = BN_num_bytes(&group->field);
-  bn_words_to_big_endian(out, len, in->words, group->field.width);
+  size_t len = BN_num_bytes(&group->field.N);
+  bn_words_to_big_endian(out, len, in->words, group->field.N.width);
   *out_len = len;
 }
 
 int ec_GFp_simple_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out,
                                    const uint8_t *in, size_t len) {
-  if (len != BN_num_bytes(&group->field)) {
+  if (len != BN_num_bytes(&group->field.N)) {
     OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);
     return 0;
   }
 
-  bn_big_endian_to_words(out->words, group->field.width, in, len);
+  bn_big_endian_to_words(out->words, group->field.N.width, in, len);
 
-  if (!bn_less_than_words(out->words, group->field.d, group->field.width)) {
+  if (!bn_less_than_words(out->words, group->field.N.d, group->field.N.width)) {
     OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);
     return 0;
   }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c

@@ -40,7 +40,7 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
   }
 
   // Divide bits in |scalar| into windows.
-  unsigned bits = BN_num_bits(&group->order);
+  unsigned bits =  EC_GROUP_order_bits(group);
   int r_is_at_infinity = 1;
   for (unsigned i = bits - 1; i < bits; i--) {
     if (!r_is_at_infinity) {
@@ -48,7 +48,7 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
     }
     if (i % 5 == 0) {
       // Compute the next window value.
-      const size_t width = group->order.width;
+      const size_t width = group->order.N.width;
       uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 4;
       window |= bn_is_bit_set_words(scalar->words, width, i + 3) << 3;
       window |= bn_is_bit_set_words(scalar->words, width, i + 2) << 2;
@@ -78,7 +78,7 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
 
 void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_JACOBIAN *r,
                           const EC_SCALAR *scalar) {
-  ec_GFp_mont_mul(group, r, &group->generator->raw, scalar);
+  ec_GFp_mont_mul(group, r, &group->generator.raw, scalar);
 }
 
 static void ec_GFp_mont_batch_precomp(const EC_GROUP *group, EC_JACOBIAN *out,
@@ -99,7 +99,7 @@ static void ec_GFp_mont_batch_get_window(const EC_GROUP *group,
                                          EC_JACOBIAN *out,
                                          const EC_JACOBIAN precomp[17],
                                          const EC_SCALAR *scalar, unsigned i) {
-  const size_t width = group->order.width;
+  const size_t width = group->order.N.width;
   uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 5;
   window |= bn_is_bit_set_words(scalar->words, width, i + 3) << 4;
   window |= bn_is_bit_set_words(scalar->words, width, i + 2) << 3;
@@ -138,7 +138,7 @@ void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r,
   }
 
   // Divide bits in |scalar| into windows.
-  unsigned bits = BN_num_bits(&group->order);
+  unsigned bits = EC_GROUP_order_bits(group);
   int r_is_at_infinity = 1;
   for (unsigned i = bits; i <= bits; i--) {
     if (!r_is_at_infinity) {
@@ -169,7 +169,7 @@ void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r,
 }
 
 static unsigned ec_GFp_mont_comb_stride(const EC_GROUP *group) {
-  return (BN_num_bits(&group->field) + EC_MONT_PRECOMP_COMB_SIZE - 1) /
+  return (EC_GROUP_get_degree(group) + EC_MONT_PRECOMP_COMB_SIZE - 1) /
          EC_MONT_PRECOMP_COMB_SIZE;
 }
 
@@ -212,7 +212,7 @@ static void ec_GFp_mont_get_comb_window(const EC_GROUP *group,
                                         EC_JACOBIAN *out,
                                         const EC_PRECOMP *precomp,
                                         const EC_SCALAR *scalar, unsigned i) {
-  const size_t width = group->order.width;
+  const size_t width = group->order.N.width;
   unsigned stride = ec_GFp_mont_comb_stride(group);
   // Select the bits corresponding to the comb shifted up by |i|.
   unsigned window = 0;
@@ -230,7 +230,7 @@ static void ec_GFp_mont_get_comb_window(const EC_GROUP *group,
     ec_felem_select(group, &out->Y, match, &precomp->comb[j].Y, &out->Y);
   }
   BN_ULONG is_infinity = constant_time_is_zero_w(window);
-  ec_felem_select(group, &out->Z, is_infinity, &out->Z, &group->one);
+  ec_felem_select(group, &out->Z, is_infinity, &out->Z, ec_felem_one(group));
 }
 
 void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_JACOBIAN *r,

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c

@@ -138,8 +138,8 @@ void ec_compute_wNAF(const EC_GROUP *group, int8_t *out,
     // we shift and add at most one copy of |bit|, this will continue to hold
     // afterwards.
     window_val >>= 1;
-    window_val +=
-        bit * bn_is_bit_set_words(scalar->words, group->order.width, j + w + 1);
+    window_val += bit * bn_is_bit_set_words(scalar->words, group->order.N.width,
+                                            j + w + 1);
     assert(window_val <= next_bit);
   }
 
@@ -183,7 +183,7 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
                                  const EC_SCALAR *g_scalar,
                                  const EC_JACOBIAN *points,
                                  const EC_SCALAR *scalars, size_t num) {
-  size_t bits = BN_num_bits(&group->order);
+  size_t bits = EC_GROUP_order_bits(group);
   size_t wNAF_len = bits + 1;
 
   int ret = 0;
@@ -214,7 +214,7 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
   int8_t g_wNAF[EC_MAX_BYTES * 8 + 1];
   EC_JACOBIAN g_precomp[EC_WNAF_TABLE_SIZE];
   assert(wNAF_len <= OPENSSL_ARRAY_SIZE(g_wNAF));
-  const EC_JACOBIAN *g = &group->generator->raw;
+  const EC_JACOBIAN *g = &group->generator.raw;
   if (g_scalar != NULL) {
     ec_compute_wNAF(group, g_wNAF, g_scalar, bits, EC_WNAF_WINDOW_BITS);
     compute_precomp(group, g_precomp, g, EC_WNAF_TABLE_SIZE);

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c

@@ -71,7 +71,7 @@
 // ECDSA.
 static void digest_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
                              const uint8_t *digest, size_t digest_len) {
-  const BIGNUM *order = &group->order;
+  const BIGNUM *order = EC_GROUP_get0_order(group);
   size_t num_bits = BN_num_bits(order);
   // Need to truncate digest if it is too long: first truncate whole bytes.
   size_t num_bytes = (num_bits + 7) / 8;
@@ -223,7 +223,7 @@ static ECDSA_SIG *ecdsa_sign_impl(const EC_GROUP *group, int *out_retry,
     return NULL;
   }
 
-  if (ec_scalar_is_zero(group, &r)) {
+  if (constant_time_declassify_int(ec_scalar_is_zero(group, &r))) {
     *out_retry = 1;
     return NULL;
   }
@@ -250,11 +250,13 @@ static ECDSA_SIG *ecdsa_sign_impl(const EC_GROUP *group, int *out_retry,
   ec_scalar_inv0_montgomery(group, &tmp, k);     // tmp = k^-1 R^2
   ec_scalar_from_montgomery(group, &tmp, &tmp);  // tmp = k^-1 R
   ec_scalar_mul_montgomery(group, &s, &s, &tmp);
-  if (ec_scalar_is_zero(group, &s)) {
+  if (constant_time_declassify_int(ec_scalar_is_zero(group, &s))) {
     *out_retry = 1;
     return NULL;
   }
 
+  CONSTTIME_DECLASSIFY(r.words, sizeof(r.words));
+  CONSTTIME_DECLASSIFY(s.words, sizeof(r.words));
   ECDSA_SIG *ret = ECDSA_SIG_new();
   if (ret == NULL ||  //
       !bn_set_words(ret->r, r.words, order->width) ||
@@ -347,6 +349,10 @@ ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
       goto out;
     }
 
+    // TODO(davidben): Move this inside |ec_random_nonzero_scalar| or lower, so
+    // that all scalars we generate are, by default, secret.
+    CONSTTIME_SECRET(k.words, sizeof(k.words));
+
     int retry;
     ret = ecdsa_sign_impl(group, &retry, priv_key, &k, digest, digest_len);
     if (ret != NULL || !retry) {

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hkdf/hkdf.c

@@ -94,7 +94,7 @@ int HKDF_expand(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
     }
 
     todo = digest_len;
-    if (done + todo > out_len) {
+    if (todo > out_len - done) {
       todo = out_len - done;
     }
     OPENSSL_memcpy(out_key + done, previous, todo);

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c

@@ -38,7 +38,7 @@ static_assert(MADV_WIPEONFORK == 18, "MADV_WIPEONFORK is not 18");
 
 DEFINE_STATIC_ONCE(g_fork_detect_once);
 DEFINE_STATIC_MUTEX(g_fork_detect_lock);
-DEFINE_BSS_GET(volatile char *, g_fork_detect_addr);
+DEFINE_BSS_GET(CRYPTO_atomic_u32 *, g_fork_detect_addr);
 DEFINE_BSS_GET(uint64_t, g_fork_generation);
 DEFINE_BSS_GET(int, g_force_madv_wipeonfork);
 DEFINE_BSS_GET(int, g_force_madv_wipeonfork_enabled);
@@ -70,7 +70,7 @@ static void init_fork_detect(void) {
     return;
   }
 
-  *((volatile char *) addr) = 1;
+  CRYPTO_atomic_store_u32(addr, 1);
   *g_fork_detect_addr_bss_get() = addr;
   *g_fork_generation_bss_get() = 1;
 }
@@ -83,16 +83,12 @@ uint64_t CRYPTO_get_fork_generation(void) {
   // is initialised atomically, even if multiple threads enter this function
   // concurrently.
   //
-  // In the limit, the kernel may clear WIPEONFORK pages while a multi-threaded
-  // process is running. (For example, because a VM was cloned.) Therefore a
-  // lock is used below to synchronise the potentially multiple threads that may
-  // concurrently observe the cleared flag.
+  // Additionally, while the kernel will only clear WIPEONFORK at a point when a
+  // child process is single-threaded, the child may become multi-threaded
+  // before it observes this. Therefore, we must synchronize the logic below.
 
   CRYPTO_once(g_fork_detect_once_bss_get(), init_fork_detect);
-  // This pointer is |volatile| because the value pointed to may be changed by
-  // external forces (i.e. the kernel wiping the page) thus the compiler must
-  // not assume that it has exclusive access to it.
-  volatile char *const flag_ptr = *g_fork_detect_addr_bss_get();
+  CRYPTO_atomic_u32 *const flag_ptr = *g_fork_detect_addr_bss_get();
   if (flag_ptr == NULL) {
     // Our kernel is too old to support |MADV_WIPEONFORK| or
     // |g_force_madv_wipeonfork| is set.
@@ -105,30 +101,36 @@ uint64_t CRYPTO_get_fork_generation(void) {
     return 0;
   }
 
-  struct CRYPTO_STATIC_MUTEX *const lock = g_fork_detect_lock_bss_get();
+  // In the common case, try to observe the flag without taking a lock. This
+  // avoids cacheline contention in the PRNG.
   uint64_t *const generation_ptr = g_fork_generation_bss_get();
-
-  CRYPTO_STATIC_MUTEX_lock_read(lock);
-  uint64_t current_generation = *generation_ptr;
-  if (*flag_ptr) {
-    CRYPTO_STATIC_MUTEX_unlock_read(lock);
-    return current_generation;
+  if (CRYPTO_atomic_load_u32(flag_ptr) != 0) {
+    // If we observe a non-zero flag, it is safe to read |generation_ptr|
+    // without a lock. The flag and generation number are fixed for this copy of
+    // the address space.
+    return *generation_ptr;
   }
 
-  CRYPTO_STATIC_MUTEX_unlock_read(lock);
-  CRYPTO_STATIC_MUTEX_lock_write(lock);
-  current_generation = *generation_ptr;
-  if (*flag_ptr == 0) {
+  // The flag was zero. The generation number must be incremented, but other
+  // threads may have concurrently observed the zero, so take a lock before
+  // incrementing.
+  CRYPTO_MUTEX *const lock = g_fork_detect_lock_bss_get();
+  CRYPTO_MUTEX_lock_write(lock);
+  uint64_t current_generation = *generation_ptr;
+  if (CRYPTO_atomic_load_u32(flag_ptr) == 0) {
     // A fork has occurred.
-    *flag_ptr = 1;
-
     current_generation++;
     if (current_generation == 0) {
+      // Zero means fork detection isn't supported, so skip that value.
       current_generation = 1;
     }
+
+    // We must update |generation_ptr| before |flag_ptr|. Other threads may
+    // observe |flag_ptr| without taking a lock.
     *generation_ptr = current_generation;
+    CRYPTO_atomic_store_u32(flag_ptr, 1);
   }
-  CRYPTO_STATIC_MUTEX_unlock_write(lock);
+  CRYPTO_MUTEX_unlock_write(lock);
 
   return current_generation;
 }
@@ -138,8 +140,20 @@ void CRYPTO_fork_detect_force_madv_wipeonfork_for_testing(int on) {
   *g_force_madv_wipeonfork_enabled_bss_get() = on;
 }
 
-#else   // !OPENSSL_LINUX
+#elif defined(OPENSSL_WINDOWS) || defined(OPENSSL_TRUSTY)
 
+// These platforms are guaranteed not to fork, and therefore do not require
+// fork detection support. Returning a constant non zero value makes BoringSSL
+// assume address space duplication is not a concern and adding entropy to
+// every RAND_bytes call is not needed.
+uint64_t CRYPTO_get_fork_generation(void) { return 0xc0ffee; }
+
+#else
+
+// These platforms may fork, but we do not have a mitigation mechanism in
+// place.  Returning a constant zero value makes BoringSSL assume that address
+// space duplication could have occured on any call entropy must be added to
+// every RAND_bytes call.
 uint64_t CRYPTO_get_fork_generation(void) { return 0; }
 
-#endif  // OPENSSL_LINUX
+#endif