Make ec_felem_equal constant-time.
This doesn't fix any particular issue, but we may as well use
the constant-time comparison to be more robust.
Change-Id: I96dffce7fe153a7dd4eec226a6b42dcea240c3f1
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/40591
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/fipsmodule/ec/felem.c b/crypto/fipsmodule/ec/felem.c
index 713b6b8..be178f5 100644
--- a/crypto/fipsmodule/ec/felem.c
+++ b/crypto/fipsmodule/ec/felem.c
@@ -94,8 +94,6 @@
int ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a,
const EC_FELEM *b) {
- // Note this function is variable-time. Constant-time operations should use
- // |ec_felem_non_zero_mask|.
- return OPENSSL_memcmp(a->words, b->words,
- group->field.width * sizeof(BN_ULONG)) == 0;
+ return CRYPTO_memcmp(a->words, b->words,
+ group->field.width * sizeof(BN_ULONG)) == 0;
}
diff --git a/crypto/fipsmodule/ec/internal.h b/crypto/fipsmodule/ec/internal.h
index 7295335..5a40d9d 100644
--- a/crypto/fipsmodule/ec/internal.h
+++ b/crypto/fipsmodule/ec/internal.h
@@ -218,8 +218,7 @@
void ec_felem_select(const EC_GROUP *group, EC_FELEM *out, BN_ULONG mask,
const EC_FELEM *a, const EC_FELEM *b);
-// ec_felem_equal returns one if |a| and |b| are equal and zero otherwise. It
-// treats |a| and |b| as public and does *not* run in constant time.
+// ec_felem_equal returns one if |a| and |b| are equal and zero otherwise.
int ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a, const EC_FELEM *b);