grpc 1.0.1 → 1.1.2

data/third_party/boringssl/crypto/rsa/internal.h

@@ -77,9 +77,6 @@ int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
                          int padding);
 int rsa_default_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
                         const uint8_t *in, size_t in_len, int padding);
-int rsa_default_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out,
-                           size_t max_out, const uint8_t *in, size_t in_len,
-                           int padding);
 int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
                                   size_t len);
 int rsa_default_multi_prime_keygen(RSA *rsa, int bits, int num_primes,
@@ -90,17 +87,12 @@ int rsa_default_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
 #define RSA_PKCS1_PADDING_SIZE 11
 
 
-BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod);
+BN_BLINDING *BN_BLINDING_new(void);
 void BN_BLINDING_free(BN_BLINDING *b);
-int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx);
-int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
-int BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_CTX *ctx);
-BN_BLINDING *BN_BLINDING_create_param(
-    BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
-    int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
-                      const BIGNUM *m, BN_CTX *ctx, const BN_MONT_CTX *mont),
-    const BN_MONT_CTX *mont);
-BN_BLINDING *rsa_setup_blinding(RSA *rsa, BN_CTX *in_ctx);
+int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, const BIGNUM *e,
+                        const BN_MONT_CTX *mont_ctx, BN_CTX *ctx);
+int BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_MONT_CTX *mont_ctx,
+                       BN_CTX *ctx);
 
 
 int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned to_len,

data/third_party/boringssl/crypto/rsa/padding.c

@@ -59,6 +59,7 @@
 #include <limits.h>
 #include <string.h>
 
+#include <openssl/bn.h>
 #include <openssl/digest.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
@@ -73,7 +74,6 @@
 int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned to_len,
                                  const uint8_t *from, unsigned from_len) {
   unsigned j;
-  uint8_t *p;
 
   if (to_len < RSA_PKCS1_PADDING_SIZE) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
@@ -85,7 +85,7 @@ int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned to_len,
     return 0;
   }
 
-  p = (uint8_t *)to;
+  uint8_t *p = to;
 
   *(p++) = 0;
   *(p++) = 1; /* Private Key BT (Block Type) */
@@ -154,7 +154,6 @@ int RSA_padding_check_PKCS1_type_1(uint8_t *to, unsigned to_len,
 int RSA_padding_add_PKCS1_type_2(uint8_t *to, unsigned to_len,
                                  const uint8_t *from, unsigned from_len) {
   unsigned i, j;
-  uint8_t *p;
 
   if (to_len < RSA_PKCS1_PADDING_SIZE) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
@@ -166,7 +165,7 @@ int RSA_padding_add_PKCS1_type_2(uint8_t *to, unsigned to_len,
     return 0;
   }
 
-  p = (unsigned char *)to;
+  uint8_t *p = to;
 
   *(p++) = 0;
   *(p++) = 2; /* Public Key BT (Block Type) */
@@ -275,47 +274,46 @@ int RSA_padding_add_none(uint8_t *to, unsigned to_len, const uint8_t *from,
   return 1;
 }
 
-int PKCS1_MGF1(uint8_t *mask, unsigned len, const uint8_t *seed,
-               unsigned seedlen, const EVP_MD *dgst) {
-  unsigned outlen = 0;
-  uint32_t i;
-  uint8_t cnt[4];
-  EVP_MD_CTX c;
-  uint8_t md[EVP_MAX_MD_SIZE];
-  unsigned mdlen;
-  int ret = -1;
-
-  EVP_MD_CTX_init(&c);
-  mdlen = EVP_MD_size(dgst);
-
-  for (i = 0; outlen < len; i++) {
-    cnt[0] = (uint8_t)((i >> 24) & 255);
-    cnt[1] = (uint8_t)((i >> 16) & 255);
-    cnt[2] = (uint8_t)((i >> 8)) & 255;
-    cnt[3] = (uint8_t)(i & 255);
-    if (!EVP_DigestInit_ex(&c, dgst, NULL) ||
-        !EVP_DigestUpdate(&c, seed, seedlen) ||
-        !EVP_DigestUpdate(&c, cnt, 4)) {
+static int PKCS1_MGF1(uint8_t *out, size_t len, const uint8_t *seed,
+                      size_t seed_len, const EVP_MD *md) {
+  int ret = 0;
+  EVP_MD_CTX ctx;
+  EVP_MD_CTX_init(&ctx);
+
+  size_t md_len = EVP_MD_size(md);
+
+  for (uint32_t i = 0; len > 0; i++) {
+    uint8_t counter[4];
+    counter[0] = (uint8_t)(i >> 24);
+    counter[1] = (uint8_t)(i >> 16);
+    counter[2] = (uint8_t)(i >> 8);
+    counter[3] = (uint8_t)i;
+    if (!EVP_DigestInit_ex(&ctx, md, NULL) ||
+        !EVP_DigestUpdate(&ctx, seed, seed_len) ||
+        !EVP_DigestUpdate(&ctx, counter, sizeof(counter))) {
       goto err;
     }
 
-    if (outlen + mdlen <= len) {
-      if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL)) {
+    if (md_len <= len) {
+      if (!EVP_DigestFinal_ex(&ctx, out, NULL)) {
         goto err;
       }
-      outlen += mdlen;
+      out += md_len;
+      len -= md_len;
     } else {
-      if (!EVP_DigestFinal_ex(&c, md, NULL)) {
+      uint8_t digest[EVP_MAX_MD_SIZE];
+      if (!EVP_DigestFinal_ex(&ctx, digest, NULL)) {
         goto err;
       }
-      memcpy(mask + outlen, md, len - outlen);
-      outlen = len;
+      memcpy(out, digest, len);
+      len = 0;
     }
   }
-  ret = 0;
+
+  ret = 1;
 
 err:
-  EVP_MD_CTX_cleanup(&c);
+  EVP_MD_CTX_cleanup(&ctx);
   return ret;
 }
 
@@ -357,7 +355,7 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, unsigned to_len,
   seed = to + 1;
   db = to + mdlen + 1;
 
-  if (!EVP_Digest((void *)param, param_len, db, NULL, md, NULL)) {
+  if (!EVP_Digest(param, param_len, db, NULL, md, NULL)) {
     return 0;
   }
   memset(db + mdlen, 0, emlen - from_len - 2 * mdlen - 1);
@@ -373,14 +371,14 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, unsigned to_len,
     return 0;
   }
 
-  if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0) {
+  if (!PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md)) {
     goto out;
   }
   for (i = 0; i < emlen - mdlen; i++) {
     db[i] ^= dbmask[i];
   }
 
-  if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0) {
+  if (!PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md)) {
     goto out;
   }
   for (i = 0; i < mdlen; i++) {
@@ -429,21 +427,21 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *to, unsigned to_len,
   maskedseed = from + 1;
   maskeddb = from + 1 + mdlen;
 
-  if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {
+  if (!PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {
     goto err;
   }
   for (i = 0; i < mdlen; i++) {
     seed[i] ^= maskedseed[i];
   }
 
-  if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {
+  if (!PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {
     goto err;
   }
   for (i = 0; i < dblen; i++) {
     db[i] ^= maskeddb[i];
   }
 
-  if (!EVP_Digest((void *)param, param_len, phash, NULL, md, NULL)) {
+  if (!EVP_Digest(param, param_len, phash, NULL, md, NULL)) {
     goto err;
   }
 
@@ -548,7 +546,7 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
     goto err;
   }
-  if (PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash) < 0) {
+  if (!PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash)) {
     goto err;
   }
   for (i = 0; i < maskedDBLen; i++) {
@@ -598,8 +596,7 @@ err:
 int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
                                    const unsigned char *mHash,
                                    const EVP_MD *Hash, const EVP_MD *mgf1Hash,
-                                   int sLen) {
-  int i;
+                                   int sLenRequested) {
   int ret = 0;
   size_t maskedDBLen, MSBits, emLen;
   size_t hLen;
@@ -612,19 +609,6 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
 
   hLen = EVP_MD_size(Hash);
 
-  /* Negative sLen has special meanings:
-   *	-1	sLen == hLen
-   *	-2	salt length is maximized
-   *	-N	reserved */
-  if (sLen == -1) {
-    sLen = hLen;
-  } else if (sLen == -2) {
-    sLen = -2;
-  } else if (sLen < -2) {
-    OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
-    goto err;
-  }
-
   if (BN_is_zero(rsa->n)) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);
     goto err;
@@ -637,16 +621,33 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
     *EM++ = 0;
     emLen--;
   }
-  if (sLen == -2) {
-    if (emLen < hLen + 2) {
-      OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-      goto err;
-    }
+
+  if (emLen < hLen + 2) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+    goto err;
+  }
+
+  /* Negative sLenRequested has special meanings:
+   *   -1  sLen == hLen
+   *   -2  salt length is maximized
+   *   -N  reserved */
+  size_t sLen;
+  if (sLenRequested == -1) {
+    sLen = hLen;
+  } else if (sLenRequested == -2) {
     sLen = emLen - hLen - 2;
-  } else if (emLen < hLen + sLen + 2) {
+  } else if (sLenRequested < 0) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
+    goto err;
+  } else {
+    sLen = (size_t)sLenRequested;
+  }
+
+  if (emLen - hLen - 2 < sLen) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
     goto err;
   }
+
   if (sLen > 0) {
     salt = OPENSSL_malloc(sLen);
     if (!salt) {
@@ -674,7 +675,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
   EVP_MD_CTX_cleanup(&ctx);
 
   /* Generate dbMask in place then perform XOR on it */
-  if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {
+  if (!PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {
     goto err;
   }
 
@@ -686,7 +687,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
   p += emLen - sLen - hLen - 2;
   *p++ ^= 0x1;
   if (sLen > 0) {
-    for (i = 0; i < sLen; i++) {
+    for (size_t i = 0; i < sLen; i++) {
       *p++ ^= salt[i];
     }
   }

data/third_party/boringssl/crypto/rsa/rsa.c

@@ -64,7 +64,7 @@
 #include <openssl/err.h>
 #include <openssl/ex_data.h>
 #include <openssl/mem.h>
-#include <openssl/obj.h>
+#include <openssl/nid.h>
 #include <openssl/thread.h>
 
 #include "internal.h"
@@ -169,6 +169,42 @@ int RSA_up_ref(RSA *rsa) {
   return 1;
 }
 
+void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e,
+                  const BIGNUM **out_d) {
+  if (out_n != NULL) {
+    *out_n = rsa->n;
+  }
+  if (out_e != NULL) {
+    *out_e = rsa->e;
+  }
+  if (out_d != NULL) {
+    *out_d = rsa->d;
+  }
+}
+
+void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
+                      const BIGNUM **out_q) {
+  if (out_p != NULL) {
+    *out_p = rsa->p;
+  }
+  if (out_q != NULL) {
+    *out_q = rsa->q;
+  }
+}
+
+void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
+                         const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) {
+  if (out_dmp1 != NULL) {
+    *out_dmp1 = rsa->dmp1;
+  }
+  if (out_dmq1 != NULL) {
+    *out_dmq1 = rsa->dmq1;
+  }
+  if (out_iqmp != NULL) {
+    *out_iqmp = rsa->iqmp;
+  }
+}
+
 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
   if (rsa->meth->keygen) {
     return rsa->meth->keygen(rsa, bits, e_value, cb);
@@ -258,16 +294,6 @@ int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
   return out_len;
 }
 
-int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
-                   const uint8_t *in, size_t in_len, int padding) {
-  if (rsa->meth->verify_raw) {
-    return rsa->meth->verify_raw(rsa, out_len, out, max_out, in, in_len, padding);
-  }
-
-  return rsa_default_verify_raw(rsa, out_len, out, max_out, in, in_len,
-                                padding);
-}
-
 int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
                        int padding) {
   size_t out_len;
@@ -473,6 +499,11 @@ finish:
 
 int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
                const uint8_t *sig, size_t sig_len, RSA *rsa) {
+  if (rsa->n == NULL || rsa->e == NULL) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
+    return 0;
+  }
+
   const size_t rsa_size = RSA_size(rsa);
   uint8_t *buf = NULL;
   int ret = 0;
@@ -480,15 +511,6 @@ int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
   size_t signed_msg_len, len;
   int signed_msg_is_alloced = 0;
 
-  if (rsa->meth->verify) {
-    return rsa->meth->verify(hash_nid, msg, msg_len, sig, sig_len, rsa);
-  }
-
-  if (sig_len != rsa_size) {
-    OPENSSL_PUT_ERROR(RSA, RSA_R_WRONG_SIGNATURE_LENGTH);
-    return 0;
-  }
-
   if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
     return 0;
@@ -510,7 +532,7 @@ int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
     goto out;
   }
 
-  if (len != signed_msg_len || CRYPTO_memcmp(buf, signed_msg, len) != 0) {
+  if (len != signed_msg_len || memcmp(buf, signed_msg, len) != 0) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
     goto out;
   }
@@ -531,7 +553,7 @@ static void bn_free_and_null(BIGNUM **bn) {
 }
 
 int RSA_check_key(const RSA *key) {
-  BIGNUM n, pm1, qm1, lcm, gcd, de, dmp1, dmq1, iqmp;
+  BIGNUM n, pm1, qm1, lcm, gcd, de, dmp1, dmq1, iqmp_times_q;
   BN_CTX *ctx;
   int ok = 0, has_crt_values;
 
@@ -570,7 +592,7 @@ int RSA_check_key(const RSA *key) {
   BN_init(&de);
   BN_init(&dmp1);
   BN_init(&dmq1);
-  BN_init(&iqmp);
+  BN_init(&iqmp_times_q);
 
   if (!BN_mul(&n, key->p, key->q, ctx) ||
       /* lcm = lcm(prime-1, for all primes) */
@@ -587,8 +609,7 @@ int RSA_check_key(const RSA *key) {
     num_additional_primes = sk_RSA_additional_prime_num(key->additional_primes);
   }
 
-  size_t i;
-  for (i = 0; i < num_additional_primes; i++) {
+  for (size_t i = 0; i < num_additional_primes; i++) {
     const RSA_additional_prime *ap =
         sk_RSA_additional_prime_value(key->additional_primes, i);
     if (!BN_mul(&n, &n, ap->prime, ctx) ||
@@ -631,14 +652,15 @@ int RSA_check_key(const RSA *key) {
         /* dmq1 = d mod (q-1) */
         !BN_mod(&dmq1, key->d, &qm1, ctx) ||
         /* iqmp = q^-1 mod p */
-        !BN_mod_inverse(&iqmp, key->q, key->p, ctx)) {
+        !BN_mod_mul(&iqmp_times_q, key->iqmp, key->q, key->p, ctx)) {
       OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
       goto out;
     }
 
     if (BN_cmp(&dmp1, key->dmp1) != 0 ||
         BN_cmp(&dmq1, key->dmq1) != 0 ||
-        BN_cmp(&iqmp, key->iqmp) != 0) {
+        BN_cmp(key->iqmp, key->p) >= 0 ||
+        !BN_is_one(&iqmp_times_q)) {
       OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
       goto out;
     }
@@ -655,7 +677,7 @@ out:
   BN_free(&de);
   BN_free(&dmp1);
   BN_free(&dmq1);
-  BN_free(&iqmp);
+  BN_free(&iqmp_times_q);
   BN_CTX_free(ctx);
 
   return ok;

data/third_party/boringssl/crypto/rsa/rsa_asn1.c

@@ -59,8 +59,6 @@
 #include <limits.h>
 #include <string.h>
 
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/bytestring.h>
 #include <openssl/err.h>
@@ -325,22 +323,23 @@ int RSA_marshal_private_key(CBB *cbb, const RSA *rsa) {
     return 0;
   }
 
+  CBB other_prime_infos;
   if (is_multiprime) {
-    CBB other_prime_infos;
     if (!CBB_add_asn1(&child, &other_prime_infos, CBS_ASN1_SEQUENCE)) {
       OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
       return 0;
     }
-    size_t i;
-    for (i = 0; i < sk_RSA_additional_prime_num(rsa->additional_primes); i++) {
+    for (size_t i = 0; i < sk_RSA_additional_prime_num(rsa->additional_primes);
+         i++) {
       RSA_additional_prime *ap =
-              sk_RSA_additional_prime_value(rsa->additional_primes, i);
+          sk_RSA_additional_prime_value(rsa->additional_primes, i);
       CBB other_prime_info;
       if (!CBB_add_asn1(&other_prime_infos, &other_prime_info,
                         CBS_ASN1_SEQUENCE) ||
           !marshal_integer(&other_prime_info, ap->prime) ||
           !marshal_integer(&other_prime_info, ap->exp) ||
-          !marshal_integer(&other_prime_info, ap->coeff)) {
+          !marshal_integer(&other_prime_info, ap->coeff) ||
+          !CBB_flush(&other_prime_infos)) {
         OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
         return 0;
       }
@@ -390,6 +389,7 @@ int i2d_RSAPublicKey(const RSA *in, uint8_t **outp) {
   CBB cbb;
   if (!CBB_init(&cbb, 0) ||
       !RSA_marshal_public_key(&cbb, in)) {
+    CBB_cleanup(&cbb);
     return -1;
   }
   return CBB_finish_i2d(&cbb, outp);
@@ -417,20 +417,12 @@ int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp) {
   CBB cbb;
   if (!CBB_init(&cbb, 0) ||
       !RSA_marshal_private_key(&cbb, in)) {
+    CBB_cleanup(&cbb);
     return -1;
   }
   return CBB_finish_i2d(&cbb, outp);
 }
 
-ASN1_SEQUENCE(RSA_PSS_PARAMS) = {
-  ASN1_EXP_OPT(RSA_PSS_PARAMS, hashAlgorithm, X509_ALGOR,0),
-  ASN1_EXP_OPT(RSA_PSS_PARAMS, maskGenAlgorithm, X509_ALGOR,1),
-  ASN1_EXP_OPT(RSA_PSS_PARAMS, saltLength, ASN1_INTEGER,2),
-  ASN1_EXP_OPT(RSA_PSS_PARAMS, trailerField, ASN1_INTEGER,3),
-} ASN1_SEQUENCE_END(RSA_PSS_PARAMS);
-
-IMPLEMENT_ASN1_FUNCTIONS(RSA_PSS_PARAMS);
-
 RSA *RSAPublicKey_dup(const RSA *rsa) {
   uint8_t *der;
   size_t der_len;