Upgrade fiat-crypto, rewrite to use new types

Cargo.toml

@@ -17,7 +17,7 @@ ctr = { version = "0.9.2", optional = true }
 cmac = { version = "0.7.2", optional = true }
 base64 = "0.21.2"
 byteorder = "1.4.3"
-fiat-crypto = { version = "0.1.20", optional = true }
+fiat-crypto = { version = "0.2.1", optional = true }
 fixed = { version = "1.23", optional = true }
 getrandom = { version = "0.2.10", features = ["std"] }
 serde = { version = "1.0", features = ["derive"] }

src/field/field255.rs

@@ -8,8 +8,9 @@ use crate::{
     field::{FieldElement, FieldElementVisitor, FieldError},
 };
 use fiat_crypto::curve25519_64::{
-    fiat_25519_add, fiat_25519_carry, fiat_25519_carry_mul, fiat_25519_from_bytes, fiat_25519_opp,
-    fiat_25519_selectznz, fiat_25519_sub, fiat_25519_tight_field_element, fiat_25519_to_bytes,
+    fiat_25519_add, fiat_25519_carry, fiat_25519_carry_mul, fiat_25519_from_bytes,
+    fiat_25519_loose_field_element, fiat_25519_opp, fiat_25519_relax, fiat_25519_selectznz,
+    fiat_25519_sub, fiat_25519_tight_field_element, fiat_25519_to_bytes,
 };
 use serde::{Deserialize, Deserializer, Serialize, Serializer};
 use std::{
@@ -71,7 +72,7 @@ impl Field255 {
             return Err(FieldError::ModulusOverflow);
         }
 
-        let mut output = [0; 5];
+        let mut output = fiat_25519_tight_field_element([0; 5]);
         fiat_25519_from_bytes(&mut output, &value);
 
         Ok(Field255(output))
@@ -95,8 +96,8 @@ impl ConstantTimeEq for Field255 {
 impl ConditionallySelectable for Field255 {
     fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self {
         let mut output = [0; 5];
-        fiat_25519_selectznz(&mut output, choice.unwrap_u8(), &a.0, &b.0);
-        Field255(output)
+        fiat_25519_selectznz(&mut output, choice.unwrap_u8(), &(a.0).0, &(b.0).0);
+        Field255(fiat_25519_tight_field_element(output))
     }
 }
 
@@ -112,17 +113,17 @@ impl Add for Field255 {
     type Output = Field255;
 
     fn add(self, rhs: Self) -> Field255 {
-        let mut loose_output = [0; 5];
+        let mut loose_output = fiat_25519_loose_field_element([0; 5]);
         fiat_25519_add(&mut loose_output, &self.0, &rhs.0);
-        let mut output = [0; 5];
+        let mut output = fiat_25519_tight_field_element([0; 5]);
         fiat_25519_carry(&mut output, &loose_output);
         Field255(output)
     }
 }
 
 impl AddAssign for Field255 {
     fn add_assign(&mut self, rhs: Self) {
-        let mut loose_output = [0; 5];
+        let mut loose_output = fiat_25519_loose_field_element([0; 5]);
         fiat_25519_add(&mut loose_output, &self.0, &rhs.0);
         fiat_25519_carry(&mut self.0, &loose_output);
     }
@@ -132,17 +133,17 @@ impl Sub for Field255 {
     type Output = Field255;
 
     fn sub(self, rhs: Self) -> Field255 {
-        let mut loose_output = [0; 5];
+        let mut loose_output = fiat_25519_loose_field_element([0; 5]);
         fiat_25519_sub(&mut loose_output, &self.0, &rhs.0);
-        let mut output = [0; 5];
+        let mut output = fiat_25519_tight_field_element([0; 5]);
         fiat_25519_carry(&mut output, &loose_output);
         Field255(output)
     }
 }
 
 impl SubAssign for Field255 {
     fn sub_assign(&mut self, rhs: Self) {
-        let mut loose_output = [0; 5];
+        let mut loose_output = fiat_25519_loose_field_element([0; 5]);
         fiat_25519_sub(&mut loose_output, &self.0, &rhs.0);
         fiat_25519_carry(&mut self.0, &loose_output);
     }
@@ -152,16 +153,23 @@ impl Mul for Field255 {
     type Output = Field255;
 
     fn mul(self, rhs: Self) -> Field255 {
-        let mut output = [0; 5];
-        fiat_25519_carry_mul(&mut output, &self.0, &rhs.0);
+        let mut self_relaxed = fiat_25519_loose_field_element([0; 5]);
+        fiat_25519_relax(&mut self_relaxed, &self.0);
+        let mut rhs_relaxed = fiat_25519_loose_field_element([0; 5]);
+        fiat_25519_relax(&mut rhs_relaxed, &rhs.0);
+        let mut output = fiat_25519_tight_field_element([0; 5]);
+        fiat_25519_carry_mul(&mut output, &self_relaxed, &rhs_relaxed);
         Field255(output)
     }
 }
 
 impl MulAssign for Field255 {
     fn mul_assign(&mut self, rhs: Self) {
-        let self_copy = self.0;
-        fiat_25519_carry_mul(&mut self.0, &self_copy, &rhs.0);
+        let mut self_relaxed = fiat_25519_loose_field_element([0; 5]);
+        fiat_25519_relax(&mut self_relaxed, &self.0);
+        let mut rhs_relaxed = fiat_25519_loose_field_element([0; 5]);
+        fiat_25519_relax(&mut rhs_relaxed, &rhs.0);
+        fiat_25519_carry_mul(&mut self.0, &self_relaxed, &rhs_relaxed);
     }
 }
 
@@ -191,9 +199,9 @@ impl<'a> Neg for &'a Field255 {
     type Output = Field255;
 
     fn neg(self) -> Field255 {
-        let mut loose_output = [0; 5];
+        let mut loose_output = fiat_25519_loose_field_element([0; 5]);
         fiat_25519_opp(&mut loose_output, &self.0);
-        let mut output = [0; 5];
+        let mut output = fiat_25519_tight_field_element([0; 5]);
         fiat_25519_carry(&mut output, &loose_output);
         Field255(output)
     }
@@ -294,11 +302,11 @@ impl FieldElement for Field255 {
     }
 
     fn zero() -> Self {
-        Field255([0, 0, 0, 0, 0])
+        Field255(fiat_25519_tight_field_element([0, 0, 0, 0, 0]))
     }
 
     fn one() -> Self {
-        Field255([1, 0, 0, 0, 0])
+        Field255(fiat_25519_tight_field_element([1, 0, 0, 0, 0]))
     }
 }
 
@@ -337,7 +345,9 @@ mod tests {
         },
     };
     use assert_matches::assert_matches;
-    use fiat_crypto::curve25519_64::{fiat_25519_from_bytes, fiat_25519_to_bytes};
+    use fiat_crypto::curve25519_64::{
+        fiat_25519_from_bytes, fiat_25519_tight_field_element, fiat_25519_to_bytes,
+    };
     use num_bigint::BigUint;
     use once_cell::sync::Lazy;
     use std::convert::{TryFrom, TryInto};
@@ -351,7 +361,7 @@ mod tests {
             let mut le_bytes_array = [0u8; 32];
             le_bytes_array[..le_bytes_vec.len()].copy_from_slice(&le_bytes_vec);
 
-            let mut output = [0; 5];
+            let mut output = fiat_25519_tight_field_element([0; 5]);
             fiat_25519_from_bytes(&mut output, &le_bytes_array);
             Field255(output)
         }

supply-chain/audits.toml

@@ -143,6 +143,11 @@ who = "David Cook <dcook@divviup.org>"
 criteria = "safe-to-deploy"
 delta = "0.1.19 -> 0.1.20"
 
+[[audits.fiat-crypto]]
+who = "David Cook <dcook@divviup.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.20 -> 0.2.0"
+
 [[audits.fixed]]
 who = "David Cook <dcook@divviup.org>"
 criteria = "safe-to-deploy"

supply-chain/config.toml

@@ -2,7 +2,7 @@
 # cargo-vet config file
 
 [cargo-vet]
-version = "0.7"
+version = "0.8"
 
 [imports.bytecode-alliance]
 url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
@@ -35,10 +35,6 @@ criteria = "safe-to-deploy"
 [policy.prio-binaries]
 criteria = "safe-to-run"
 
-[[exemptions.adler]]
-version = "1.0.2"
-criteria = "safe-to-run"
-
 [[exemptions.aead]]
 version = "0.5.1"
 criteria = "safe-to-deploy"
@@ -215,16 +211,6 @@ version = "0.8.5"
 criteria = "safe-to-deploy"
 notes = "This is only used when the \"test-util\" feature is enabled."
 
-[[exemptions.rand_chacha]]
-version = "0.3.1"
-criteria = "safe-to-deploy"
-notes = "This is only used when the \"test-util\" feature is enabled."
-
-[[exemptions.rand_core]]
-version = "0.6.3"
-criteria = "safe-to-deploy"
-notes = "This is only used when the \"test-util\" feature is enabled."
-
 [[exemptions.ring]]
 version = "0.16.20"
 criteria = "safe-to-deploy"
@@ -255,11 +241,6 @@ criteria = "safe-to-run"
 version = "0.4.18"
 criteria = "safe-to-run"
 
-[[exemptions.subtle]]
-version = "2.4.1"
-criteria = "safe-to-deploy"
-notes = "This is only used when the \"crypto-dependencies\" or \"prio2\" features are enabled."
-
 [[exemptions.tinytemplate]]
 version = "1.2.1"
 criteria = "safe-to-run"

supply-chain/imports.lock

@@ -239,6 +239,12 @@ user-id = 64539
 user-login = "kennykerr"
 user-name = "Kenny Kerr"
 
+[[audits.bytecode-alliance.audits.adler]]
+who = "Alex Crichton <alex@alexcrichton.com>"
+criteria = "safe-to-deploy"
+version = "1.0.2"
+notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm."
+
 [[audits.bytecode-alliance.audits.anes]]
 who = "Pat Hickey <phickey@fastly.com>"
 criteria = "safe-to-deploy"
@@ -344,13 +350,20 @@ criteria = "safe-to-deploy"
 version = "0.37.13"
 notes = "The Bytecode Alliance is the author of this crate."
 
-[audits.divviup.audits]
+[[audits.divviup.audits.fiat-crypto]]
+who = "Brandon Pitman <bran@bran.land>"
+criteria = "safe-to-deploy"
+delta = "0.2.0 -> 0.2.1"
 
-[[audits.embark-studios.audits.epaint]]
-who = "Johan Andersson <opensource@embark-studios.com>"
+[[audits.divviup.audits.rand_chacha]]
+who = "David Cook <dcook@divviup.org>"
 criteria = "safe-to-deploy"
-violation = "<0.20.0"
-notes = "Specified crate license does not include licenses of embedded fonts if using default features or the `default_fonts` feature. Tracked in: https://github.com/emilk/egui/issues/2321"
+version = "0.3.1"
+
+[[audits.divviup.audits.rand_core]]
+who = "David Cook <dcook@divviup.org>"
+criteria = "safe-to-deploy"
+version = "0.6.3"
 
 [[audits.embark-studios.audits.tap]]
 who = "Johan Andersson <opensource@embark-studios.com>"
@@ -575,6 +588,12 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
 criteria = "safe-to-deploy"
 delta = "1.10.1 -> 1.10.2"
 
+[[audits.firefox.audits.subtle]]
+who = "Simon Friedberger <simon@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "2.5.0"
+notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation."
+
 [[audits.firefox.audits.tracing]]
 who = "Mike Hommey <mh+mozilla@glandium.org>"
 criteria = "safe-to-run"