Don't require the C toolchain to provide assert.h for non-debug builds.

crypto/fipsmodule/bn/montgomery.c

@@ -121,7 +121,7 @@ int GFp_bn_from_montgomery_in_place(BN_ULONG r[], size_t num_r, BN_ULONG a[],
                                     size_t num_a, const BN_ULONG n[],
                                     size_t num_n,
                                     const BN_ULONG n0_[BN_MONT_CTX_N0_LIMBS]) {
-  assert(num_n != 0);
+  ASSERT(num_n != 0);
   if (num_r != num_n || num_a != 2 * num_n) {
     return 0;
   }

crypto/fipsmodule/bn/montgomery_inv.c

@@ -47,7 +47,7 @@ OPENSSL_STATIC_ASSERT(sizeof(BN_ULONG) * BN_MONT_CTX_N0_LIMBS == sizeof(uint64_t
 // multiplication. This implementation does the negation implicitly by doing
 // the computations as a difference instead of a sum.
 uint64_t GFp_bn_neg_inv_mod_r_u64(uint64_t n) {
-  assert(n % 2 == 1);
+  ASSERT(n % 2 == 1);
 
   // alpha == 2**(lg r - 1) == r / 2.
   static const uint64_t alpha = UINT64_C(1) << (LG_LITTLE_R - 1);
@@ -61,7 +61,7 @@ uint64_t GFp_bn_neg_inv_mod_r_u64(uint64_t n) {
   // 2**(lg r - i) == u*2*alpha - v*beta.
   for (size_t i = 0; i < LG_LITTLE_R; ++i) {
 #if BN_BITS2 == 64 && defined(BN_ULLONG)
-    assert((BN_ULLONG)(1) << (LG_LITTLE_R - i) ==
+    ASSERT((BN_ULLONG)(1) << (LG_LITTLE_R - i) ==
            ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
 #endif
 
@@ -98,7 +98,7 @@ uint64_t GFp_bn_neg_inv_mod_r_u64(uint64_t n) {
 
   // The invariant now shows that u*r - v*n == 1 since r == 2 * alpha.
 #if BN_BITS2 == 64 && defined(BN_ULLONG)
-  assert(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
+  ASSERT(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
 #endif
 
   return v;

crypto/fipsmodule/ec/ecp_nistz.c

@@ -28,7 +28,7 @@
 void gfp_little_endian_bytes_from_scalar(uint8_t str[], size_t str_len,
                                          const Limb scalar[],
                                          size_t num_limbs) {
-  assert(str_len == (num_limbs * sizeof(Limb)) + 1);
+  ASSERT(str_len == (num_limbs * sizeof(Limb)) + 1);
 
   size_t i;
   for (i = 0; i < num_limbs * sizeof(Limb); i += sizeof(Limb)) {

crypto/fipsmodule/ec/ecp_nistz.h

@@ -248,8 +248,8 @@
 //   P-224: ...00111101; w = 3, 4, 5, 6 are okay
 static inline void booth_recode(Limb *is_negative, unsigned *digit,
                                 unsigned in, unsigned w) {
-  assert(w >= 2);
-  assert(w <= 7);
+  ASSERT(w >= 2);
+  ASSERT(w <= 7);
 
   // Set all bits of `s` to MSB(in), similar to |constant_time_msb_s|,
   // but 'in' seen as (`w+1`)-bit value.

crypto/fipsmodule/ec/ecp_nistz256.c

@@ -252,7 +252,7 @@ void GFp_nistz256_point_mul(P256_POINT *r, const Limb p_scalar[P256_LIMBS],
   raw_wvalue = (raw_wvalue >> ((index - 1) % 8)) & kMask;
 
   booth_recode(&recoded_is_negative, &recoded, raw_wvalue, kWindowSize);
-  assert(!recoded_is_negative);
+  ASSERT(!recoded_is_negative);
   GFp_nistz256_select_w5(r, table, recoded);
 
   while (index >= kWindowSize) {

crypto/fipsmodule/ec/ecp_nistz384.inl

@@ -224,7 +224,7 @@ void GFp_nistz384_point_mul(P384_POINT *r, const BN_ULONG p_scalar[P384_LIMBS],
   wvalue = (wvalue >> ((index - 1) % 8)) & kMask;
 
   booth_recode(&recoded_is_negative, &recoded, wvalue, 5);
-  assert(!recoded_is_negative);
+  ASSERT(!recoded_is_negative);
 
   gfp_p384_point_select_w5(r, table, recoded);
 

crypto/fipsmodule/ec/gfp_p256.c

@@ -59,7 +59,7 @@ void GFp_p256_scalar_sqr_mont(ScalarMont r, const ScalarMont a) {
 }
 
 void GFp_p256_scalar_sqr_rep_mont(ScalarMont r, const ScalarMont a, Limb rep) {
-  assert(rep >= 1);
+  ASSERT(rep >= 1);
   GFp_p256_scalar_sqr_mont(r, a);
   for (Limb i = 1; i < rep; ++i) {
     GFp_p256_scalar_sqr_mont(r, r);
@@ -74,7 +74,7 @@ void GFp_p256_scalar_sqr_rep_mont(ScalarMont r, const ScalarMont a, Limb rep) {
 
 void GFp_nistz256_select_w5(P256_POINT *out, const P256_POINT table[16],
                             int index) {
-  assert(index >= 0);
+  ASSERT(index >= 0);
   size_t index_s = (size_t)index; /* XXX: constant time? */
 
   alignas(32) Elem x; limbs_zero(x, P256_LIMBS);
@@ -97,7 +97,7 @@ void GFp_nistz256_select_w5(P256_POINT *out, const P256_POINT table[16],
 
 void GFp_nistz256_select_w7(P256_POINT_AFFINE *out,
                             const PRECOMP256_ROW table, int index) {
-  assert(index >= 0);
+  ASSERT(index >= 0);
   size_t index_as_s = (size_t)index; /* XXX: constant time? */
 
   alignas(32) Limb xy[P256_LIMBS * 2];

crypto/fipsmodule/ec/gfp_p384.c

@@ -152,7 +152,7 @@ static void elem_div_by_2(Elem r, const Elem a) {
 #if defined(NDEBUG)
   (void)carry2;
 #endif
-  assert(carry2 == 0);
+  ASSERT(carry2 == 0);
 
   copy_conditional(r, adjusted, is_odd);
 }
@@ -203,7 +203,7 @@ void GFp_p384_elem_neg(Elem r, const Elem a) {
 #if defined(NDEBUG)
   (void)borrow;
 #endif
-  assert(borrow == 0);
+  ASSERT(borrow == 0);
   for (size_t i = 0; i < P384_LIMBS; ++i) {
     r[i] = constant_time_select_w(is_zero, 0, r[i]);
   }

crypto/internal.h

@@ -111,7 +111,12 @@
 
 #include <GFp/base.h> // Must be first.
 
+#if !defined(NDEBUG)
 #include <assert.h>
+#define ASSERT(x) assert(x)
+#else
+#define ASSERT(x) ((void)0)
+#endif
 
 #include <GFp/type_check.h>
 

crypto/limbs/limbs.c

@@ -48,7 +48,7 @@ Limb LIMBS_equal_limb(const Limb a[], Limb b, size_t num_limbs) {
   if (num_limbs == 0) {
     return constant_time_is_zero_w(b);
   }
-  assert(num_limbs >= 1);
+  ASSERT(num_limbs >= 1);
   Limb lo_equal = constant_time_eq_w(a[0], b);
   Limb hi_zero = LIMBS_are_zero(&a[1], num_limbs - 1);
   return constant_time_select_w(lo_equal, hi_zero, 0);
@@ -68,7 +68,7 @@ Limb LIMBS_are_even(const Limb a[], size_t num_limbs) {
 
 /* Returns 0xffff...f if |a| is less than |b|, and zero otherwise. */
 Limb LIMBS_less_than(const Limb a[], const Limb b[], size_t num_limbs) {
-  assert(num_limbs >= 1);
+  ASSERT(num_limbs >= 1);
   /* There are lots of ways to implement this. It is implemented this way to
    * be consistent with |LIMBS_limbs_reduce_once| and other code that makes such
    * comparisons as part of doing conditional reductions. */
@@ -81,7 +81,7 @@ Limb LIMBS_less_than(const Limb a[], const Limb b[], size_t num_limbs) {
 }
 
 Limb LIMBS_less_than_limb(const Limb a[], Limb b, size_t num_limbs) {
-  assert(num_limbs >= 1);
+  ASSERT(num_limbs >= 1);
 
   Limb dummy;
   Limb lo = constant_time_is_nonzero_w(limb_sub(&dummy, a[0], b));
@@ -95,7 +95,7 @@ void LIMBS_copy(Limb r[], const Limb a[], size_t num_limbs) {
 
 /* if (r >= m) { r -= m; } */
 void LIMBS_reduce_once(Limb r[], const Limb m[], size_t num_limbs) {
-  assert(num_limbs >= 1);
+  ASSERT(num_limbs >= 1);
   /* This could be done more efficiently if we had |num_limbs| of extra space
    * available, by storing |r - m| and then doing a conditional copy of either
    * |r| or |r - m|. But, in order to operate in constant space, with an eye
@@ -111,7 +111,7 @@ void LIMBS_reduce_once(Limb r[], const Limb m[], size_t num_limbs) {
     borrow =
         limb_sbb(&r[i], r[i], constant_time_select_w(lt, 0, m[i]), borrow);
   }
-  assert(borrow == 0);
+  ASSERT(borrow == 0);
 }
 
 void LIMBS_add_mod(Limb r[], const Limb a[], const Limb b[], const Limb m[],

crypto/limbs/limbs.inl

@@ -55,7 +55,7 @@ typedef uint64_t DoubleLimb;
 /* |*r = a + b + carry_in|, returning carry out bit. |carry_in| must be 0 or 1.
  */
 static inline Carry limb_adc(Limb *r, Limb a, Limb b, Carry carry_in) {
-  assert(carry_in == 0 || carry_in == 1);
+  ASSERT(carry_in == 0 || carry_in == 1);
   Carry ret;
 #if defined(GFp_ADDCARRY_INTRINSIC)
   ret = GFp_ADDCARRY_INTRINSIC(carry_in, a, b, r);
@@ -64,7 +64,7 @@ static inline Carry limb_adc(Limb *r, Limb a, Limb b, Carry carry_in) {
   *r = (Limb)x;
   ret = (Carry)(x >> LIMB_BITS);
 #endif
-  assert(ret == 0 || ret == 1);
+  ASSERT(ret == 0 || ret == 1);
   return ret;
 }
 
@@ -78,14 +78,14 @@ static inline Carry limb_add(Limb *r, Limb a, Limb b) {
   *r = (Limb)x;
   ret = (Carry)(x >> LIMB_BITS);
 #endif
-  assert(ret == 0 || ret == 1);
+  ASSERT(ret == 0 || ret == 1);
   return ret;
 }
 
 /* |*r = a - b - borrow_in|, returning the borrow out bit. |borrow_in| must be
  * 0 or 1. */
 static inline Carry limb_sbb(Limb *r, Limb a, Limb b, Carry borrow_in) {
-  assert(borrow_in == 0 || borrow_in == 1);
+  ASSERT(borrow_in == 0 || borrow_in == 1);
   Carry ret;
 #if defined(GFp_SUBBORROW_INTRINSIC)
   ret = GFp_SUBBORROW_INTRINSIC(borrow_in, a, b, r);
@@ -94,7 +94,7 @@ static inline Carry limb_sbb(Limb *r, Limb a, Limb b, Carry borrow_in) {
   *r = (Limb)x;
   ret = (Carry)((x >> LIMB_BITS) & 1);
 #endif
-  assert(ret == 0 || ret == 1);
+  ASSERT(ret == 0 || ret == 1);
   return ret;
 }
 
@@ -108,13 +108,13 @@ static inline Carry limb_sub(Limb *r, Limb a, Limb b) {
   *r = (Limb)x;
   ret = (Carry)((x >> LIMB_BITS) & 1);
 #endif
-  assert(ret == 0 || ret == 1);
+  ASSERT(ret == 0 || ret == 1);
   return ret;
 }
 
 static inline Carry limbs_add(Limb r[], const Limb a[], const Limb b[],
                               size_t num_limbs) {
-  assert(num_limbs >= 1);
+  ASSERT(num_limbs >= 1);
   Carry carry = limb_add(&r[0], a[0], b[0]);
   for (size_t i = 1; i < num_limbs; ++i) {
     carry = limb_adc(&r[i], a[i], b[i], carry);
@@ -125,7 +125,7 @@ static inline Carry limbs_add(Limb r[], const Limb a[], const Limb b[],
 /* |r -= s|, returning the borrow. */
 static inline Carry limbs_sub(Limb r[], const Limb a[], const Limb b[],
                               size_t num_limbs) {
-  assert(num_limbs >= 1);
+  ASSERT(num_limbs >= 1);
   Carry borrow = limb_sub(&r[0], a[0], b[0]);
   for (size_t i = 1; i < num_limbs; ++i) {
     borrow = limb_sbb(&r[i], a[i], b[i], borrow);

third_party/fiat/curve25519.c

@@ -102,7 +102,7 @@ static uint64_t load_4(const uint8_t *in) {
 #define assert_fe(f)                                                    \
   do {                                                                  \
     for (unsigned _assert_fe_i = 0; _assert_fe_i < 5; _assert_fe_i++) { \
-      assert(f[_assert_fe_i] <= UINT64_C(0x8cccccccccccc));             \
+      ASSERT(f[_assert_fe_i] <= UINT64_C(0x8cccccccccccc));             \
     }                                                                   \
   } while (0)
 
@@ -119,7 +119,7 @@ static uint64_t load_4(const uint8_t *in) {
 #define assert_fe_loose(f)                                              \
   do {                                                                  \
     for (unsigned _assert_fe_i = 0; _assert_fe_i < 5; _assert_fe_i++) { \
-      assert(f[_assert_fe_i] <= UINT64_C(0x1a666666666664));            \
+      ASSERT(f[_assert_fe_i] <= UINT64_C(0x1a666666666664));            \
     }                                                                   \
   } while (0)
 
@@ -138,7 +138,7 @@ static uint64_t load_4(const uint8_t *in) {
 #define assert_fe(f)                                                     \
   do {                                                                   \
     for (unsigned _assert_fe_i = 0; _assert_fe_i < 10; _assert_fe_i++) { \
-      assert(f[_assert_fe_i] <=                                          \
+      ASSERT(f[_assert_fe_i] <=                                          \
              ((_assert_fe_i & 1) ? 0x2333333u : 0x4666666u));            \
     }                                                                    \
   } while (0)
@@ -156,7 +156,7 @@ static uint64_t load_4(const uint8_t *in) {
 #define assert_fe_loose(f)                                               \
   do {                                                                   \
     for (unsigned _assert_fe_i = 0; _assert_fe_i < 10; _assert_fe_i++) { \
-      assert(f[_assert_fe_i] <=                                          \
+      ASSERT(f[_assert_fe_i] <=                                          \
              ((_assert_fe_i & 1) ? 0x6999999u : 0xd333332u));            \
     }                                                                    \
   } while (0)
@@ -168,7 +168,7 @@ OPENSSL_STATIC_ASSERT(sizeof(fe) == sizeof(fe_limb_t) * FE_NUM_LIMBS,
 
 static void fe_frombytes_strict(fe *h, const uint8_t s[32]) {
   // |fiat_25519_from_bytes| requires the top-most bit be clear.
-  assert((s[31] & 0x80) == 0);
+  ASSERT((s[31] & 0x80) == 0);
   fiat_25519_from_bytes(h->v, s);
   assert_fe(h->v);
 }