Update NSS to 3.21 RTM and NSPR to 4.11 RTM

nss/lib/freebl/ecl/ecp_jac.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "ecp.h"
 #include "mplogic.h"
 #include <stdlib.h>
 #ifdef ECL_DEBUG
 #include <assert.h>
 #endif
@@ skipping 126 matching lines @@
         /* A = qx * pz^2, B = qy * pz^3 */
         MP_CHECKOK(group->meth->field_sqr(pz, &A, group->meth));
         MP_CHECKOK(group->meth->field_mul(&A, pz, &B, group->meth));
         MP_CHECKOK(group->meth->field_mul(&A, qx, &A, group->meth));
         MP_CHECKOK(group->meth->field_mul(&B, qy, &B, group->meth));
 
         /* C = A - px, D = B - py */
         MP_CHECKOK(group->meth->field_sub(&A, px, &C, group->meth));
         MP_CHECKOK(group->meth->field_sub(&B, py, &D, group->meth));
 
+        if (mp_cmp_z(&C) == 0) {
+                /* P == Q or P == -Q */

[Ryan Sleevi, 2015/12/11 01:26:14]

Of interest; correctness fix

[davidben, 2015/12/11 22:10:58]

I don't really know this math well enough to be able to review it or judge
impact.

https://bugzilla.mozilla.org/show_bug.cgi?id=1125025 doesn't seem to think it
affects TLS.

+                if (mp_cmp_z(&D) == 0) {
+                        /* P == Q */
+                        /* It is cheaper to double (qx, qy, 1) than (px, py, pz). */
+                        MP_DIGIT(&D, 0) = 1; /* Set D to 1. */
+                        MP_CHECKOK(ec_GFp_pt_dbl_jac(qx, qy, &D, rx, ry, rz, group));
+                } else {
+                        /* P == -Q */
+                        MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz));
+                }
+                goto CLEANUP;
+        }
+
         /* C2 = C^2, C3 = C^3 */
         MP_CHECKOK(group->meth->field_sqr(&C, &C2, group->meth));
         MP_CHECKOK(group->meth->field_mul(&C, &C2, &C3, group->meth));
 
         /* rz = pz * C */
         MP_CHECKOK(group->meth->field_mul(pz, &C, rz, group->meth));
 
         /* C = px * C^2 */
         MP_CHECKOK(group->meth->field_mul(px, &C2, &C, group->meth));
         /* A = D^2 */
@@ skipping 41 matching lines @@
 
         MP_DIGITS(&t0) = 0;
         MP_DIGITS(&t1) = 0;
         MP_DIGITS(&M) = 0;
         MP_DIGITS(&S) = 0;
         MP_CHECKOK(mp_init(&t0));
         MP_CHECKOK(mp_init(&t1));
         MP_CHECKOK(mp_init(&M));
         MP_CHECKOK(mp_init(&S));
 
-        if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) {
+        /* P == inf or P == -P */

[Ryan Sleevi, 2015/12/11 01:26:14]

Another correctness fix

[davidben, 2015/12/11 22:10:58]

Ditto.

+        if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES || mp_cmp_z(py) == 0) {
                 MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz));
                 goto CLEANUP;
         }
 
         if (mp_cmp_d(pz, 1) == 0) {
                 /* M = 3 * px^2 + a */
                 MP_CHECKOK(group->meth->field_sqr(px, &t0, group->meth));
                 MP_CHECKOK(group->meth->field_add(&t0, &t0, &M, group->meth));
                 MP_CHECKOK(group->meth->field_add(&t0, &M, &t0, group->meth));
                 MP_CHECKOK(group->meth->
@@ skipping 146 matching lines @@
  * Software Implementation of the NIST Elliptic Curves over Prime Fields. */
 mp_err
 ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px,
                                    const mp_int *py, mp_int *rx, mp_int *ry,
                                    const ECGroup *group)
 {
         mp_err res = MP_OKAY;
         mp_int precomp[4][4][2];
         mp_int rz;
         const mp_int *a, *b;
-        int i, j;
+        unsigned int i, j;
         int ai, bi, d;
 
         for (i = 0; i < 4; i++) {
                 for (j = 0; j < 4; j++) {
                         MP_DIGITS(&precomp[i][j][0]) = 0;
                         MP_DIGITS(&precomp[i][j][1]) = 0;
                 }
         }
         MP_DIGITS(&rz) = 0;
 
@@ skipping 86 matching lines @@
                                                          &precomp[i][0][0], &precomp[i][0][1],
                                                          &precomp[i][3][0], &precomp[i][3][1], group));
         }
 
         d = (mpl_significant_bits(a) + 1) / 2;
 
         /* R = inf */
         MP_CHECKOK(mp_init(&rz));
         MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz));
 
-        for (i = d - 1; i >= 0; i--) {
+        for (i = d; i-- > 0;) {
                 ai = MP_GET_BIT(a, 2 * i + 1);
                 ai <<= 1;
                 ai |= MP_GET_BIT(a, 2 * i);
                 bi = MP_GET_BIT(b, 2 * i + 1);
                 bi <<= 1;
                 bi |= MP_GET_BIT(b, 2 * i);
                 /* R = 2^2 * R */
                 MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
                 MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
                 /* R = R + (ai * A + bi * B) */
@@ skipping 12 matching lines @@
   CLEANUP:
         mp_clear(&rz);
         for (i = 0; i < 4; i++) {
                 for (j = 0; j < 4; j++) {
                         mp_clear(&precomp[i][j][0]);
                         mp_clear(&precomp[i][j][1]);
                 }
         }
         return res;
 }