authordavidben <davidben@chromium.org>2015-11-18 19:06:33 -0800
committerCommit bot <commit-bot@chromium.org>2015-11-19 03:07:25 +0000
commit952ee79c0a17c2ed3ceeb4e22b7eafa0da41bbad (patch)
tree16fe4d0d9836e8e7884ae9417975277755cb1ebd /crypto
parent026b848a61b86043b471d694303684781741ed17 (diff)
Roll src/third_party/boringssl/src d7421ebf6..3ac32b1ed
https://boringssl.googlesource.com/boringssl/+log/d7421ebf6cae07051caf657016f160585b64f8a6..3ac32b1eda0da7a99d9c2b6c605fe50af80ccd90 In doing so, switch crypto/curve25519.h to use the new BoringSSL curve25519 code to avoid shipping two copies. This includes a small subgroup check, so callers need to be tweaked slightly. BUG=none Review URL: https://codereview.chromium.org/1459783002 Cr-Commit-Position: refs/heads/master@{#360507}
Diffstat (limited to 'crypto')
-rw-r--r--crypto/BUILD.gn6
-rw-r--r--crypto/crypto.gyp3
-rw-r--r--crypto/crypto.gypi5
-rw-r--r--crypto/curve25519.h22
-rw-r--r--crypto/curve25519_nss.cc (renamed from crypto/curve25519.cc)18
-rw-r--r--crypto/curve25519_openssl.cc25
-rw-r--r--crypto/curve25519_unittest.cc25
7 files changed, 82 insertions, 22 deletions
diff --git a/crypto/BUILD.gn b/crypto/BUILD.gn
index bf03af7..8d24e60 100644
--- a/crypto/BUILD.gn
+++ b/crypto/BUILD.gn
@@ -19,8 +19,9 @@ component("crypto") {
"cssm_init.cc",
"cssm_init.h",
"curve25519-donna.c",
- "curve25519.cc",
"curve25519.h",
+ "curve25519_nss.cc",
+ "curve25519_openssl.cc",
"ec_private_key.h",
"ec_private_key_nss.cc",
"ec_private_key_openssl.cc",
@@ -136,6 +137,8 @@ component("crypto") {
if (use_openssl) {
# Remove NSS files when using OpenSSL
sources -= [
+ "curve25519-donna.c",
+ "curve25519_nss.cc",
"ec_private_key_nss.cc",
"ec_signature_creator_nss.cc",
"encryptor_nss.cc",
@@ -157,6 +160,7 @@ component("crypto") {
sources -= [
"aead_openssl.cc",
"aead_openssl.h",
+ "curve25519_openssl.cc",
"ec_private_key_openssl.cc",
"ec_signature_creator_openssl.cc",
"encryptor_openssl.cc",
diff --git a/crypto/crypto.gyp b/crypto/crypto.gyp
index c1c1047..2590c4f 100644
--- a/crypto/crypto.gyp
+++ b/crypto/crypto.gyp
@@ -103,6 +103,8 @@
# TODO(joth): Use a glob to match exclude patterns once the
# OpenSSL file set is complete.
'sources!': [
+ 'curve25519-donna.c',
+ 'curve25519_nss.cc',
'ec_private_key_nss.cc',
'ec_signature_creator_nss.cc',
'encryptor_nss.cc',
@@ -126,6 +128,7 @@
'sources!': [
'aead_openssl.cc',
'aead_openssl.h',
+ 'curve25519_openssl.cc',
'ec_private_key_openssl.cc',
'ec_signature_creator_openssl.cc',
'encryptor_openssl.cc',
diff --git a/crypto/crypto.gypi b/crypto/crypto.gypi
index 73b3332..e5cc4f44 100644
--- a/crypto/crypto.gypi
+++ b/crypto/crypto.gypi
@@ -37,9 +37,10 @@
'crypto_export.h',
'cssm_init.cc',
'cssm_init.h',
- 'curve25519.cc',
- 'curve25519.h',
'curve25519-donna.c',
+ 'curve25519.h',
+ 'curve25519_nss.cc',
+ 'curve25519_openssl.cc',
'ghash.cc',
'ghash.h',
'ec_private_key.h',
diff --git a/crypto/curve25519.h b/crypto/curve25519.h
index ba24c92..534f0bf 100644
--- a/crypto/curve25519.h
+++ b/crypto/curve25519.h
@@ -5,7 +5,9 @@
#ifndef CRYPTO_CURVE25519_H
#define CRYPTO_CURVE25519_H
-#include "base/basictypes.h"
+#include <stddef.h>
+#include <stdint.h>
+
#include "crypto/crypto_export.h"
namespace crypto {
@@ -14,6 +16,10 @@ namespace crypto {
// described in "Curve 25519: new Diffie-Hellman Speed Records",
// by D.J. Bernstein. Additional information is available at
// http://cr.yp.to/ecdh.html.
+//
+// TODO(davidben): Once iOS is switched to BoringSSL (https://crbug.com/338886),
+// remove this file altogether and switch callers to using BoringSSL's
+// curve25519.h directly.
namespace curve25519 {
// kBytes is the number of bytes in the result of the Diffie-Hellman operation,
@@ -28,18 +34,20 @@ static const size_t kScalarBytes = 32;
// |peer_public_key|. This method is a wrapper for |curve25519_donna()|. It
// calls that function with |private_key| as |secret| and |peer_public_key| as
// basepoint. |private_key| should be of length |kScalarBytes| and
-// |peer_public_key| should be of length |kBytes|.
-// See "Computing shared secrets" section of/ http://cr.yp.to/ecdh.html.
-CRYPTO_EXPORT void ScalarMult(const uint8* private_key,
- const uint8* peer_public_key,
- uint8* shared_key);
+// |peer_public_key| should be of length |kBytes|. It returns true on success
+// and false if |peer_public_key| was invalid.
+// See the "Computing shared secrets" section of http://cr.yp.to/ecdh.html.
+CRYPTO_EXPORT bool ScalarMult(const uint8_t* private_key,
+ const uint8_t* peer_public_key,
+ uint8_t* shared_key);
// ScalarBaseMult computes the |public_key| from |private_key|. This method is a
// wrapper for |curve25519_donna()|. It calls that function with |private_key|
// as |secret| and |kBasePoint| as basepoint. |private_key| should be of length
// |kScalarBytes|. See "Computing public keys" section of
// http://cr.yp.to/ecdh.html.
-CRYPTO_EXPORT void ScalarBaseMult(const uint8* private_key, uint8* public_key);
+CRYPTO_EXPORT void ScalarBaseMult(const uint8_t* private_key,
+ uint8_t* public_key);
} // namespace curve25519
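Review bot: The new comment on `ScalarMult` documents the false return but not that `shared_key` must be discarded in that case, and nothing forces a caller to look at the result. The function used to return void, so existing call sites keep compiling while ignoring the check. I would add `// On failure, |shared_key| must not be used as key material.` to the comment. If this header may depend on base, I would also annotate the declaration with `WARN_UNUSED_RESULT`, so that an unchecked call becomes a compiler diagnostic. Separately, the comments on both functions still describe them as wrappers for `curve25519_donna()`, which after this change appears to hold only for the NSS build.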
diff --git a/crypto/curve25519.cc b/crypto/curve25519_nss.cc
index 3346df9..746356f 100644
--- a/crypto/curve25519.cc
+++ b/crypto/curve25519_nss.cc
@@ -4,30 +4,36 @@
#include "crypto/curve25519.h"
+#include "crypto/secure_util.h"
+
// Curve25519 is specified in terms of byte strings, not numbers, so all
// implementations take and return the same sequence of bits. So the byte
// order is implicitly specified as in, say, SHA1.
//
// Prototype for |curve25519_donna| function in
// third_party/curve25519-donna/curve25519-donna.c
-extern "C" int curve25519_donna(uint8*, const uint8*, const uint8*);
+extern "C" int curve25519_donna(uint8_t*, const uint8_t*, const uint8_t*);
namespace crypto {
namespace curve25519 {
-void ScalarMult(const uint8* private_key,
- const uint8* peer_public_key,
- uint8* shared_key) {
+bool ScalarMult(const uint8_t* private_key,
+ const uint8_t* peer_public_key,
+ uint8_t* shared_key) {
curve25519_donna(shared_key, private_key, peer_public_key);
+
+ // The all-zero output results when the input is a point of small order.
+ static const uint8_t kZeros[32] = {0};
+ return !SecureMemEqual(shared_key, kZeros, 32);
}
// kBasePoint is the base point (generator) of the elliptic curve group.
// It is little-endian version of '9' followed by 31 zeros.
// See "Computing public keys" section of http://cr.yp.to/ecdh.html.
-static const unsigned char kBasePoint[32] = {9};
+static const uint8_t kBasePoint[32] = {9};
-void ScalarBaseMult(const uint8* private_key, uint8* public_key) {
+void ScalarBaseMult(const uint8_t* private_key, uint8_t* public_key) {
curve25519_donna(public_key, private_key, kBasePoint);
}
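Review bot: The zero check in `ScalarMult` hard-codes 32 in two places although the header already exports `kBytes` for the output length. Writing `static const uint8_t kZeros[kBytes] = {0};` and `return !SecureMemEqual(shared_key, kZeros, sizeof(kZeros));` keeps the comparison tied to the buffer size. A short comment that the comparison is deliberately constant-time, for example `// Constant-time compare: |shared_key| is secret.`, would discourage a later swap to memcmp. The return value of `curve25519_donna` is still discarded, which predates this change.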
diff --git a/crypto/curve25519_openssl.cc b/crypto/curve25519_openssl.cc
new file mode 100644
index 0000000..067e19c
--- /dev/null
+++ b/crypto/curve25519_openssl.cc
@@ -0,0 +1,25 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "crypto/curve25519.h"
+
+#include <openssl/curve25519.h>
+
+namespace crypto {
+
+namespace curve25519 {
+
+bool ScalarMult(const uint8_t* private_key,
+ const uint8_t* peer_public_key,
+ uint8_t* shared_key) {
+ return !!X25519(shared_key, private_key, peer_public_key);
+}
+
+void ScalarBaseMult(const uint8_t* private_key, uint8_t* public_key) {
+ X25519_public_from_private(public_key, private_key);
+}
+
+} // namespace curve25519
+
+} // namespace crypto
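Review bot: `ScalarMult` in this new file has no comment explaining when `X25519` fails, whereas the NSS implementation documents its all-zero test. The commit description says the BoringSSL code includes a small subgroup check, so a matching comment above the return would help, for example `// X25519 returns zero if |peer_public_key| is a point of small order.` It would also be worth noting there that `shared_key` must not be used when the function returns false.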
diff --git a/crypto/curve25519_unittest.cc b/crypto/curve25519_unittest.cc
index 0ddc422..48144ba 100644
--- a/crypto/curve25519_unittest.cc
+++ b/crypto/curve25519_unittest.cc
@@ -17,28 +17,41 @@ namespace crypto {
// public key and shared key for alice and bob. It asserts that alice and bob
// have the same shared key.
TEST(Curve25519, SharedKeyIdentity) {
- uint8 alice_private_key[curve25519::kScalarBytes] = {3};
- uint8 bob_private_key[curve25519::kScalarBytes] = {5};
+ uint8_t alice_private_key[curve25519::kScalarBytes] = {3};
+ uint8_t bob_private_key[curve25519::kScalarBytes] = {5};
// Get public key for alice and bob.
- uint8 alice_public_key[curve25519::kBytes];
+ uint8_t alice_public_key[curve25519::kBytes];
curve25519::ScalarBaseMult(alice_private_key, alice_public_key);
- uint8 bob_public_key[curve25519::kBytes];
+ uint8_t bob_public_key[curve25519::kBytes];
curve25519::ScalarBaseMult(bob_private_key, bob_public_key);
// Get the shared key for alice, by using alice's private key and bob's
// public key.
- uint8 alice_shared_key[curve25519::kBytes];
+ uint8_t alice_shared_key[curve25519::kBytes];
curve25519::ScalarMult(alice_private_key, bob_public_key, alice_shared_key);
// Get the shared key for bob, by using bob's private key and alice's public
// key.
- uint8 bob_shared_key[curve25519::kBytes];
+ uint8_t bob_shared_key[curve25519::kBytes];
curve25519::ScalarMult(bob_private_key, alice_public_key, bob_shared_key);
// Computed shared key of alice and bob should be the same.
ASSERT_EQ(0, memcmp(alice_shared_key, bob_shared_key, curve25519::kBytes));
}
+TEST(Curve25519, SmallOrder) {
+ static const uint8_t kSmallOrderPoint[32] = {
+ 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3,
+ 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32,
+ 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8,
+ };
+
+ uint8_t out[32], private_key[32];
+ memset(private_key, 0x11, sizeof(private_key));
+
+ EXPECT_FALSE(curve25519::ScalarMult(private_key, kSmallOrderPoint, out));
+}
+
} // namespace crypto
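Review bot: `SharedKeyIdentity` still discards the new bool result of both `ScalarMult` calls, so a false return would not be reported directly and the test itself models the unchecked call pattern this change is meant to end. Wrapping each call, e.g. `ASSERT_TRUE(curve25519::ScalarMult(alice_private_key, bob_public_key, alice_shared_key));`, would cover the success path explicitly. In `SmallOrder`, `kSmallOrderPoint` lists 31 initializers for a 32-byte array, so the last byte is an implicit zero. If that is intended, writing the trailing `0x00` out would make clear that no byte was dropped. The test's first lines are outside the hunk.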