Roll src/third_party/boringssl/src d7421ebf6..3ac32b1ed

crypto/curve25519_nss.cc

Index: crypto/curve25519_nss.cc
diff --git a/crypto/curve25519.cc b/crypto/curve25519_nss.cc
similarity index 64%
rename from crypto/curve25519.cc
rename to crypto/curve25519_nss.cc
index 3346df93a1ad706838195c7c46e682a8ffef0856..746356f22e50d335f0f83047272d14f297d56d7b 100644
--- a/crypto/curve25519.cc
+++ b/crypto/curve25519_nss.cc
@@ -4,30 +4,36 @@
 
 #include "crypto/curve25519.h"
 
+#include "crypto/secure_util.h"
+
 // Curve25519 is specified in terms of byte strings, not numbers, so all
 // implementations take and return the same sequence of bits. So the byte
 // order is implicitly specified as in, say, SHA1.
 //
 // Prototype for |curve25519_donna| function in
 // third_party/curve25519-donna/curve25519-donna.c
-extern "C" int curve25519_donna(uint8*, const uint8*, const uint8*);
+extern "C" int curve25519_donna(uint8_t*, const uint8_t*, const uint8_t*);
 
 namespace crypto {
 
 namespace curve25519 {
 
-void ScalarMult(const uint8* private_key,
-                const uint8* peer_public_key,
-                uint8* shared_key) {
+bool ScalarMult(const uint8_t* private_key,
+                const uint8_t* peer_public_key,
+                uint8_t* shared_key) {
   curve25519_donna(shared_key, private_key, peer_public_key);
+
+  // The all-zero output results when the input is a point of small order.
+  static const uint8_t kZeros[32] = {0};
+  return !SecureMemEqual(shared_key, kZeros, 32);
 }
 
 // kBasePoint is the base point (generator) of the elliptic curve group.
 // It is little-endian version of '9' followed by 31 zeros.
 // See "Computing public keys" section of http://cr.yp.to/ecdh.html.
-static const unsigned char kBasePoint[32] = {9};
+static const uint8_t kBasePoint[32] = {9};
 
-void ScalarBaseMult(const uint8* private_key, uint8* public_key) {
+void ScalarBaseMult(const uint8_t* private_key, uint8_t* public_key) {
   curve25519_donna(public_key, private_key, kBasePoint);
 }