Merge BoringSSL through 9b8b483

briansmith · Jan 22, 2025 · a1c4623 · a1c4623
2 parents df86e77 + c48119f
commit a1c4623
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 16 deletions.
diff --git a/crypto/curve25519/curve25519.c b/crypto/curve25519/curve25519.c
@@ -92,7 +92,7 @@ static uint64_t load_4(const uint8_t *in) {
 #define assert_fe(f)                                                    \
   do {                                                                  \
     for (unsigned _assert_fe_i = 0; _assert_fe_i < 5; _assert_fe_i++) { \
-      dev_assert_secret(f[_assert_fe_i] <= UINT64_C(0x8cccccccccccc));  \
+      declassify_assert(f[_assert_fe_i] <= UINT64_C(0x8cccccccccccc));  \
     }                                                                   \
   } while (0)
 
@@ -109,7 +109,7 @@ static uint64_t load_4(const uint8_t *in) {
 #define assert_fe_loose(f)                                              \
   do {                                                                  \
     for (unsigned _assert_fe_i = 0; _assert_fe_i < 5; _assert_fe_i++) { \
-      dev_assert_secret(f[_assert_fe_i] <= UINT64_C(0x1a666666666664)); \
+      declassify_assert(f[_assert_fe_i] <= UINT64_C(0x1a666666666664)); \
     }                                                                   \
   } while (0)
 
@@ -128,8 +128,8 @@ static uint64_t load_4(const uint8_t *in) {
 #define assert_fe(f)                                                     \
   do {                                                                   \
     for (unsigned _assert_fe_i = 0; _assert_fe_i < 10; _assert_fe_i++) { \
-      dev_assert_secret(f[_assert_fe_i] <=                               \
-             ((_assert_fe_i & 1) ? 0x2333333u : 0x4666666u));            \
+      declassify_assert(f[_assert_fe_i] <=                               \
+                        ((_assert_fe_i & 1) ? 0x2333333u : 0x4666666u)); \
     }                                                                    \
   } while (0)
 
@@ -146,8 +146,8 @@ static uint64_t load_4(const uint8_t *in) {
 #define assert_fe_loose(f)                                               \
   do {                                                                   \
     for (unsigned _assert_fe_i = 0; _assert_fe_i < 10; _assert_fe_i++) { \
-      dev_assert_secret(f[_assert_fe_i] <=                               \
-             ((_assert_fe_i & 1) ? 0x6999999u : 0xd333332u));            \
+      declassify_assert(f[_assert_fe_i] <=                               \
+                        ((_assert_fe_i & 1) ? 0x6999999u : 0xd333332u)); \
     }                                                                    \
   } while (0)
 
@@ -158,7 +158,7 @@ OPENSSL_STATIC_ASSERT(sizeof(fe) == sizeof(fe_limb_t) * FE_NUM_LIMBS,
 
 static void fe_frombytes_strict(fe *h, const uint8_t s[32]) {
   // |fiat_25519_from_bytes| requires the top-most bit be clear.
-  dev_assert_secret((s[31] & 0x80) == 0);
+  declassify_assert((s[31] & 0x80) == 0);
   fiat_25519_from_bytes(h->v, s);
   assert_fe(h->v);
 }

diff --git a/crypto/fipsmodule/bn/montgomery_inv.c b/crypto/fipsmodule/bn/montgomery_inv.c
@@ -98,7 +98,7 @@ uint64_t bn_neg_inv_mod_r_u64(uint64_t n) {
 
   // The invariant now shows that u*r - v*n == 1 since r == 2 * alpha.
 #if BN_BITS2 == 64 && defined(BN_ULLONG)
-  dev_assert_secret(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
+  declassify_assert(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
 #endif
 
   return v;

diff --git a/crypto/internal.h b/crypto/internal.h
@@ -194,6 +194,7 @@ static inline int buffers_alias(const void *a, size_t a_bytes,
 #if defined(__GNUC__) || defined(__clang__)
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wconversion"
+#pragma GCC diagnostic ignored "-Wsign-conversion"
 #endif
 #if defined(_MSC_VER) && !defined(__clang__)
 #pragma warning(push)
@@ -236,6 +237,14 @@ static inline crypto_word_t value_barrier_w(crypto_word_t a) {
   return a;
 }
 
+// value_barrier_u32 behaves like |value_barrier_w| but takes a |uint32_t|.
+static inline uint32_t value_barrier_u32(uint32_t a) {
+#if defined(__GNUC__) || defined(__clang__)
+  __asm__("" : "+r"(a) : /* no inputs */);
+#endif
+  return a;
+}
+
 // |value_barrier_u8| could be defined as above, but compilers other than
 // clang seem to still materialize 0x00..00MM instead of reusing 0x??..??MM.
 
@@ -328,14 +337,6 @@ static inline void constant_time_conditional_memxor(void *dst, const void *src,
   }
 }
 
-#if defined(_MSC_VER) && !defined(__clang__)
-// '=': conversion from 'int64_t' to 'int32_t', possible loss of data
-#pragma warning(pop)
-#endif
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic pop
-#endif
-
 #if defined(BORINGSSL_CONSTANT_TIME_VALIDATION)
 
 // CONSTTIME_SECRET takes a pointer and a number of bytes and marks that region
@@ -372,6 +373,28 @@ static inline crypto_word_t constant_time_declassify_w(crypto_word_t v) {
   return value_barrier_w(v);
 }
 
+static inline int constant_time_declassify_int(int v) {
+  OPENSSL_STATIC_ASSERT(sizeof(uint32_t) == sizeof(int),
+                "int is not the same size as uint32_t");
+  // See comment above.
+  CONSTTIME_DECLASSIFY(&v, sizeof(v));
+  return value_barrier_u32((uint32_t)v);
+}
+
+#if defined(_MSC_VER) && !defined(__clang__)
+// '=': conversion from 'int64_t' to 'int32_t', possible loss of data
+#pragma warning(pop)
+#endif
+#if defined(__GNUC__) || defined(__clang__)
+#pragma GCC diagnostic pop
+#endif
+
+// declassify_assert behaves like |assert| but declassifies the result of
+// evaluating |expr|. This allows the assertion to branch on the (presumably
+// public) result, but still ensures that values leading up to the computation
+// were secret.
+#define declassify_assert(expr) dev_assert_secret(constant_time_declassify_int(expr))
+
 // Endianness conversions.
 
 #if defined(__GNUC__) && __GNUC__ >= 2