briansmith · briansmith · Jun 14, 2019 · Jun 4, 2019 · Jun 4, 2019 · josephlr
diff --git a/crypto/fipsmodule/ec/ecp_nistz256.c b/crypto/fipsmodule/ec/ecp_nistz256.c
@@ -23,8 +23,6 @@
 
 #include "ecp_nistz256.h"
 
-#include <string.h>
-
 #include "ecp_nistz.h"
 #include "../bn/internal.h"
 #include "../../limbs/limbs.inl"

diff --git a/crypto/fipsmodule/ec/ecp_nistz384.inl b/crypto/fipsmodule/ec/ecp_nistz384.inl
@@ -128,7 +128,9 @@ void GFp_nistz384_point_add(P384_POINT *r, const P384_POINT *a,
     if (is_equal(S1, S2)) {
       GFp_nistz384_point_double(r, a);
     } else {
-      memset(r, 0, sizeof(*r));
+      limbs_zero(r->X, P384_LIMBS);
+      limbs_zero(r->Y, P384_LIMBS);
+      limbs_zero(r->Z, P384_LIMBS);
     }
     return;
   }

diff --git a/crypto/fipsmodule/ec/gfp_p256.c b/crypto/fipsmodule/ec/gfp_p256.c
@@ -70,18 +70,16 @@ void GFp_p256_scalar_sqr_rep_mont(ScalarMont r, const ScalarMont a, Limb rep) {
 
 #if !defined(OPENSSL_X86_64)
 
-#include <string.h>
-
 /* TODO(perf): Optimize these. */
 
 void GFp_nistz256_select_w5(P256_POINT *out, const P256_POINT table[16],
                             int index) {
   assert(index >= 0);
   size_t index_s = (size_t)index; /* XXX: constant time? */
 
-  alignas(32) Elem x; memset(x, 0, sizeof(x));
-  alignas(32) Elem y; memset(y, 0, sizeof(y));
-  alignas(32) Elem z; memset(z, 0, sizeof(z));
+  alignas(32) Elem x; limbs_zero(x, P256_LIMBS);
+  alignas(32) Elem y; limbs_zero(y, P256_LIMBS);
+  alignas(32) Elem z; limbs_zero(z, P256_LIMBS);
 
   for (size_t i = 0; i < 16; ++i) {
     Limb mask = constant_time_eq_w(index_s, i + 1);

diff --git a/crypto/fipsmodule/ec/gfp_p384.c b/crypto/fipsmodule/ec/gfp_p384.c
@@ -14,8 +14,6 @@
 
 #include "../../limbs/limbs.h"
 
-#include <string.h>
-
 #include "ecp_nistz384.h"
 #include "../bn/internal.h"
 #include "../../internal.h"
@@ -223,9 +221,9 @@ void GFp_p384_scalar_mul_mont(ScalarMont r, const ScalarMont a,
 
 static void gfp_p384_point_select_w5(P384_POINT *out,
                                      const P384_POINT table[16], size_t index) {
-  Elem x; memset(x, 0, sizeof(x));
-  Elem y; memset(y, 0, sizeof(y));
-  Elem z; memset(z, 0, sizeof(z));
+  Elem x; limbs_zero(x, P384_LIMBS);
+  Elem y; limbs_zero(y, P384_LIMBS);
+  Elem z; limbs_zero(z, P384_LIMBS);
 
   for (size_t i = 0; i < 16; ++i) {
     Limb mask = constant_time_eq_w(index, i + 1);

diff --git a/crypto/internal.h b/crypto/internal.h
@@ -255,4 +255,10 @@ static inline void to_be_u64_ptr(uint8_t *out, uint64_t value) {
   out[7] = (uint8_t)value;
 }
 
+static inline void bytes_copy(uint8_t out[], const uint8_t in[], size_t len) {
+  for (size_t i = 0; i < len; ++i) {
+    out[i] = in[i];
+  }
+}
+
 #endif  // OPENSSL_HEADER_CRYPTO_INTERNAL_H
diff --git a/crypto/limbs/limbs.inl b/crypto/limbs/limbs.inl
@@ -153,3 +153,9 @@ static inline void limbs_select(Limb r[], const Limb table[],
     }
   }
 }
+
+static inline void limbs_zero(Limb r[], size_t num_limbs) {
+  for (size_t i = 0; i < num_limbs; ++i) {
+    r[i] = 0;
+  }
+}
diff --git a/third_party/fiat/curve25519.c b/third_party/fiat/curve25519.c
@@ -31,8 +31,6 @@
 #pragma warning(push, 3)
 #endif
 
-#include <string.h>
-
 #if defined(_MSC_VER)
 #pragma warning(pop)
 #endif
@@ -93,9 +91,6 @@ static uint64_t load_4(const uint8_t *in) {
 
 #if defined(BORINGSSL_CURVE25519_64BIT)
 
-typedef uint64_t fe_limb_t;
-#define FE_NUM_LIMBS 5
-
 // assert_fe asserts that |f| satisfies bounds:
 //
 //  [[0x0 ~> 0x8cccccccccccc],
@@ -132,9 +127,6 @@ typedef uint64_t fe_limb_t;
 
 #else
 
-typedef uint32_t fe_limb_t;
-#define FE_NUM_LIMBS 10
-
 // assert_fe asserts that |f| satisfies bounds:
 //
 //  [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333],
@@ -185,7 +177,7 @@ static void fe_frombytes_strict(fe *h, const uint8_t s[32]) {
 
 static void fe_frombytes(fe *h, const uint8_t s[32]) {
   uint8_t s_copy[32];
-  memcpy(s_copy, s, 32);
+  bytes_copy(s_copy, s, 32);
   s_copy[31] &= 0x7f;
   fe_frombytes_strict(h, s_copy);
 }
@@ -197,21 +189,21 @@ static void fe_tobytes(uint8_t s[32], const fe *f) {
 
 // h = 0
 static void fe_0(fe *h) {
-  memset(h, 0, sizeof(fe));
+  fe_limbs_zero(h->v);
 }
 
 static void fe_loose_0(fe_loose *h) {
-  memset(h, 0, sizeof(fe_loose));
+  fe_limbs_zero(h->v);
 }
 
 // h = 1
 static void fe_1(fe *h) {
-  memset(h, 0, sizeof(fe));
+  fe_0(h);
   h->v[0] = 1;
 }
 
 static void fe_loose_1(fe_loose *h) {
-  memset(h, 0, sizeof(fe_loose));
+  fe_loose_0(h);
   h->v[0] = 1;
 }
 
@@ -333,17 +325,15 @@ static void fe_cmov(fe_loose *f, const fe_loose *g, fe_limb_t b) {
 
 // h = f
 static void fe_copy(fe *h, const fe *f) {
-  memmove(h, f, sizeof(fe));
+  fe_limbs_copy(h->v, f->v);
 }
 
 static void fe_copy_lt(fe_loose *h, const fe *f) {
-  OPENSSL_STATIC_ASSERT(sizeof(fe_loose) == sizeof(fe),
-                        "fe and fe_loose mismatch");
-  memmove(h, f, sizeof(fe));
+  fe_limbs_copy(h->v, f->v);
 }
 #if !defined(OPENSSL_SMALL)
 static void fe_copy_ll(fe_loose *h, const fe_loose *f) {
-  memmove(h, f, sizeof(fe_loose));
+  fe_limbs_copy(h->v, f->v);
 }
 #endif // !defined(OPENSSL_SMALL)
 
@@ -1810,7 +1800,7 @@ void GFp_x25519_scalar_mult_generic(uint8_t out[32],
   fe_loose x2l, z2l, x3l, tmp0l, tmp1l;
 
   uint8_t e[32];
-  memcpy(e, scalar, 32);
+  bytes_copy(e, scalar, 32);
   GFp_x25519_sc_mask(e);
   // The following implementation was transcribed to Coq and proven to
   // correspond to unary scalar multiplication in affine coordinates given that
@@ -1885,7 +1875,7 @@ void GFp_x25519_scalar_mult_generic(uint8_t out[32],
 void GFp_x25519_public_from_private_generic(uint8_t out_public_value[32],
                                             const uint8_t private_key[32]) {
   uint8_t e[32];
-  memcpy(e, private_key, 32);
+  bytes_copy(e, private_key, 32);
   GFp_x25519_sc_mask(e);
 
   ge_p3 A;

diff --git a/third_party/fiat/internal.h b/third_party/fiat/internal.h
@@ -41,30 +41,43 @@ void GFp_x25519_NEON(uint8_t out[32], const uint8_t scalar[32],
 #endif
 
 #if defined(BORINGSSL_CURVE25519_64BIT)
-// fe means field element. Here the field is \Z/(2^255-19). An element t,
+// An element t,
 // entries t[0]...t[4], represents the integer t[0]+2^51 t[1]+2^102 t[2]+2^153
 // t[3]+2^204 t[4].
 // fe limbs are bounded by 1.125*2^51.
-// Multiplication and carrying produce fe from fe_loose.
-typedef struct fe { uint64_t v[5]; } fe;
-
 // fe_loose limbs are bounded by 3.375*2^51.
-// Addition and subtraction produce fe_loose from (fe, fe).
-typedef struct fe_loose { uint64_t v[5]; } fe_loose;
+typedef uint64_t fe_limb_t;
+#define FE_NUM_LIMBS 5
 #else
-// fe means field element. Here the field is \Z/(2^255-19). An element t,
+// An element t,
 // entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
 // t[3]+2^102 t[4]+...+2^230 t[9].
 // fe limbs are bounded by 1.125*2^26,1.125*2^25,1.125*2^26,1.125*2^25,etc.
+// fe_loose limbs are bounded by 3.375*2^26,3.375*2^25,3.375*2^26,3.375*2^25,etc.
+typedef uint32_t fe_limb_t;
+#define FE_NUM_LIMBS 10
+#endif
+
+// fe means field element. Here the field is \Z/(2^255-19).
 // Multiplication and carrying produce fe from fe_loose.
-//
 // Keep in sync with `Elem` and `ELEM_LIMBS` in curve25519/ops.rs.
-typedef struct fe { uint32_t v[10]; } fe;
+typedef struct fe { fe_limb_t v[FE_NUM_LIMBS]; } fe;
 
-// fe_loose limbs are bounded by 3.375*2^26,3.375*2^25,3.375*2^26,3.375*2^25,etc.
 // Addition and subtraction produce fe_loose from (fe, fe).
-typedef struct fe_loose { uint32_t v[10]; } fe_loose;
-#endif
+// Keep in sync with `Elem` and `ELEM_LIMBS` in curve25519/ops.rs.
+typedef struct fe_loose { fe_limb_t v[FE_NUM_LIMBS]; } fe_loose;
+
+static inline void fe_limbs_copy(fe_limb_t r[], const fe_limb_t a[]) {
+  for (size_t i = 0; i < FE_NUM_LIMBS; ++i) {
+    r[i] = a[i];
+  }
+}
+
+static inline void fe_limbs_zero(fe_limb_t r[]) {
+  for (size_t i = 0; i < FE_NUM_LIMBS; ++i) {
+    r[i] = 0;
+  }
+}
 
 // ge means group element.
 //