Merging upstream version 1.71.1+dfsg1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

8 files changed, 63 insertions, 41 deletions

diff --git a/vendor/crypto-bigint/src/limb/add.rs b/vendor/crypto-bigint/src/limb/add.rs
index ddeda9e67..0ef793b2e 100644
--- a/vendor/crypto-bigint/src/limb/add.rs
+++ b/vendor/crypto-bigint/src/limb/add.rs
@@ -12,7 +12,7 @@ impl Limb {
         let b = rhs.0 as WideWord;
         let carry = carry.0 as WideWord;
         let ret = a + b + carry;
-        (Limb(ret as Word), Limb((ret >> Self::BIT_SIZE) as Word))
+        (Limb(ret as Word), Limb((ret >> Self::BITS) as Word))
     }
 
     /// Perform saturating addition.
diff --git a/vendor/crypto-bigint/src/limb/bits.rs b/vendor/crypto-bigint/src/limb/bits.rs
index c470ae9ab..02a74de5d 100644
--- a/vendor/crypto-bigint/src/limb/bits.rs
+++ b/vendor/crypto-bigint/src/limb/bits.rs
@@ -3,6 +3,16 @@ use super::Limb;
 impl Limb {
     /// Calculate the number of bits needed to represent this number.
     pub const fn bits(self) -> usize {
-        Limb::BIT_SIZE - (self.0.leading_zeros() as usize)
+        Limb::BITS - (self.0.leading_zeros() as usize)
+    }
+
+    /// Calculate the number of leading zeros in the binary representation of this number.
+    pub const fn leading_zeros(self) -> usize {
+        self.0.leading_zeros() as usize
+    }
+
+    /// Calculate the number of trailing zeros in the binary representation of this number.
+    pub const fn trailing_zeros(self) -> usize {
+        self.0.trailing_zeros() as usize
     }
 }
diff --git a/vendor/crypto-bigint/src/limb/cmp.rs b/vendor/crypto-bigint/src/limb/cmp.rs
index 76cc4b07c..4cdec5b5d 100644
--- a/vendor/crypto-bigint/src/limb/cmp.rs
+++ b/vendor/crypto-bigint/src/limb/cmp.rs
@@ -1,6 +1,7 @@
 //! Limb comparisons
 
-use super::{Limb, SignedWord, WideSignedWord, Word, HI_BIT};
+use super::HI_BIT;
+use crate::{CtChoice, Limb};
 use core::cmp::Ordering;
 use subtle::{Choice, ConstantTimeEq, ConstantTimeGreater, ConstantTimeLess};
 
@@ -24,22 +25,45 @@ impl Limb {
         self.0 == other.0
     }
 
-    /// Returns all 1's if `a`!=0 or 0 if `a`==0.
-    ///
-    /// Const-friendly: we can't yet use `subtle` in `const fn` contexts.
+    /// Return `b` if `c` is truthy, otherwise return `a`.
+    #[inline]
+    pub(crate) const fn ct_select(a: Self, b: Self, c: CtChoice) -> Self {
+        Self(c.select(a.0, b.0))
+    }
+
+    /// Returns the truthy value if `self != 0` and the falsy value otherwise.
+    #[inline]
+    pub(crate) const fn ct_is_nonzero(&self) -> CtChoice {
+        let inner = self.0;
+        CtChoice::from_lsb((inner | inner.wrapping_neg()) >> HI_BIT)
+    }
+
+    /// Returns the truthy value if `lhs == rhs` and the falsy value otherwise.
+    #[inline]
+    pub(crate) const fn ct_eq(lhs: Self, rhs: Self) -> CtChoice {
+        let x = lhs.0;
+        let y = rhs.0;
+
+        // x ^ y == 0 if and only if x == y
+        Self(x ^ y).ct_is_nonzero().not()
+    }
+
+    /// Returns the truthy value if `lhs < rhs` and the falsy value otherwise.
     #[inline]
-    pub(crate) const fn is_nonzero(self) -> Word {
-        let inner = self.0 as SignedWord;
-        ((inner | inner.saturating_neg()) >> HI_BIT) as Word
+    pub(crate) const fn ct_lt(lhs: Self, rhs: Self) -> CtChoice {
+        let x = lhs.0;
+        let y = rhs.0;
+        let bit = (((!x) & y) | (((!x) | y) & (x.wrapping_sub(y)))) >> (Limb::BITS - 1);
+        CtChoice::from_lsb(bit)
     }
 
+    /// Returns the truthy value if `lhs <= rhs` and the falsy value otherwise.
     #[inline]
-    pub(crate) const fn ct_cmp(lhs: Self, rhs: Self) -> SignedWord {
-        let a = lhs.0 as WideSignedWord;
-        let b = rhs.0 as WideSignedWord;
-        let gt = ((b - a) >> Limb::BIT_SIZE) & 1;
-        let lt = ((a - b) >> Limb::BIT_SIZE) & 1 & !gt;
-        (gt as SignedWord) - (lt as SignedWord)
+    pub(crate) const fn ct_le(lhs: Self, rhs: Self) -> CtChoice {
+        let x = lhs.0;
+        let y = rhs.0;
+        let bit = (((!x) | y) & ((x ^ y) | !(y.wrapping_sub(x)))) >> (Limb::BITS - 1);
+        CtChoice::from_lsb(bit)
     }
 }
 
diff --git a/vendor/crypto-bigint/src/limb/encoding.rs b/vendor/crypto-bigint/src/limb/encoding.rs
index 39974b061..ab28a6adb 100644
--- a/vendor/crypto-bigint/src/limb/encoding.rs
+++ b/vendor/crypto-bigint/src/limb/encoding.rs
@@ -4,9 +4,6 @@ use super::{Limb, Word};
 use crate::Encoding;
 
 impl Encoding for Limb {
-    const BIT_SIZE: usize = Self::BIT_SIZE;
-    const BYTE_SIZE: usize = Self::BYTE_SIZE;
-
     #[cfg(target_pointer_width = "32")]
     type Repr = [u8; 4];
     #[cfg(target_pointer_width = "64")]
diff --git a/vendor/crypto-bigint/src/limb/from.rs b/vendor/crypto-bigint/src/limb/from.rs
index fd2765bc9..aa6499243 100644
--- a/vendor/crypto-bigint/src/limb/from.rs
+++ b/vendor/crypto-bigint/src/limb/from.rs
@@ -25,7 +25,6 @@ impl Limb {
     /// Create a [`Limb`] from a `u64` integer (const-friendly)
     // TODO(tarcieri): replace with `const impl From<u64>` when stable
     #[cfg(target_pointer_width = "64")]
-    #[cfg_attr(docsrs, doc(cfg(target_pointer_width = "64")))]
     pub const fn from_u64(n: u64) -> Self {
         Limb(n)
     }
@@ -53,7 +52,6 @@ impl From<u32> for Limb {
 }
 
 #[cfg(target_pointer_width = "64")]
-#[cfg_attr(docsrs, doc(cfg(target_pointer_width = "64")))]
 impl From<u64> for Limb {
     #[inline]
     fn from(n: u64) -> Limb {
diff --git a/vendor/crypto-bigint/src/limb/mul.rs b/vendor/crypto-bigint/src/limb/mul.rs
index a342c6eae..7f8b08454 100644
--- a/vendor/crypto-bigint/src/limb/mul.rs
+++ b/vendor/crypto-bigint/src/limb/mul.rs
@@ -13,7 +13,7 @@ impl Limb {
         let c = c.0 as WideWord;
         let carry = carry.0 as WideWord;
         let ret = a + (b * c) + carry;
-        (Limb(ret as Word), Limb((ret >> Self::BIT_SIZE) as Word))
+        (Limb(ret as Word), Limb((ret >> Self::BITS) as Word))
     }
 
     /// Perform saturating multiplication.
@@ -40,7 +40,7 @@ impl CheckedMul for Limb {
     #[inline]
     fn checked_mul(&self, rhs: Self) -> CtOption<Self> {
         let result = self.mul_wide(rhs);
-        let overflow = Limb((result >> Self::BIT_SIZE) as Word);
+        let overflow = Limb((result >> Self::BITS) as Word);
         CtOption::new(Limb(result as Word), overflow.is_zero())
     }
 }
@@ -159,7 +159,7 @@ mod tests {
 
     #[test]
     fn mul_wide() {
-        let primes: &[u32] = &[3, 5, 17, 256, 65537];
+        let primes: &[u32] = &[3, 5, 17, 257, 65537];
 
         for &a_int in primes {
             for &b_int in primes {
diff --git a/vendor/crypto-bigint/src/limb/rand.rs b/vendor/crypto-bigint/src/limb/rand.rs
index 0bc8af31a..43471682d 100644
--- a/vendor/crypto-bigint/src/limb/rand.rs
+++ b/vendor/crypto-bigint/src/limb/rand.rs
@@ -2,41 +2,34 @@
 
 use super::Limb;
 use crate::{Encoding, NonZero, Random, RandomMod};
-use rand_core::{CryptoRng, RngCore};
+use rand_core::CryptoRngCore;
 use subtle::ConstantTimeLess;
 
-#[cfg_attr(docsrs, doc(cfg(feature = "rand_core")))]
 impl Random for Limb {
     #[cfg(target_pointer_width = "32")]
-    fn random(mut rng: impl CryptoRng + RngCore) -> Self {
+    fn random(rng: &mut impl CryptoRngCore) -> Self {
         Self(rng.next_u32())
     }
 
     #[cfg(target_pointer_width = "64")]
-    fn random(mut rng: impl CryptoRng + RngCore) -> Self {
+    fn random(rng: &mut impl CryptoRngCore) -> Self {
         Self(rng.next_u64())
     }
 }
 
-#[cfg_attr(docsrs, doc(cfg(feature = "rand_core")))]
 impl RandomMod for Limb {
-    fn random_mod(mut rng: impl CryptoRng + RngCore, modulus: &NonZero<Self>) -> Self {
+    fn random_mod(rng: &mut impl CryptoRngCore, modulus: &NonZero<Self>) -> Self {
         let mut bytes = <Self as Encoding>::Repr::default();
 
-        // TODO(tarcieri): use `div_ceil` when available
-        // See: https://github.com/rust-lang/rust/issues/88581
-        let mut n_bytes = modulus.bits() / 8;
-
-        // Ensure the randomly generated value can always be larger than
-        // the modulus in order to ensure a uniform distribution
-        if n_bytes < Self::BYTE_SIZE {
-            n_bytes += 1;
-        }
+        let n_bits = modulus.bits();
+        let n_bytes = (n_bits + 7) / 8;
+        let mask = 0xff >> (8 * n_bytes - n_bits);
 
         loop {
             rng.fill_bytes(&mut bytes[..n_bytes]);
-            let n = Limb::from_le_bytes(bytes);
+            bytes[n_bytes - 1] &= mask;
 
+            let n = Limb::from_le_bytes(bytes);
             if n.ct_lt(modulus).into() {
                 return n;
             }
diff --git a/vendor/crypto-bigint/src/limb/sub.rs b/vendor/crypto-bigint/src/limb/sub.rs
index 1560a1b64..0fc7a4a68 100644
--- a/vendor/crypto-bigint/src/limb/sub.rs
+++ b/vendor/crypto-bigint/src/limb/sub.rs
@@ -10,9 +10,9 @@ impl Limb {
     pub const fn sbb(self, rhs: Limb, borrow: Limb) -> (Limb, Limb) {
         let a = self.0 as WideWord;
         let b = rhs.0 as WideWord;
-        let borrow = (borrow.0 >> (Self::BIT_SIZE - 1)) as WideWord;
+        let borrow = (borrow.0 >> (Self::BITS - 1)) as WideWord;
         let ret = a.wrapping_sub(b + borrow);
-        (Limb(ret as Word), Limb((ret >> Self::BIT_SIZE) as Word))
+        (Limb(ret as Word), Limb((ret >> Self::BITS) as Word))
     }
 
     /// Perform saturating subtraction.