grpc 1.10.0.pre1 → 1.10.0.pre2

data/third_party/boringssl/crypto/fipsmodule/rand/urandom.c

@@ -0,0 +1,302 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#if !defined(_GNU_SOURCE)
+#define _GNU_SOURCE  // needed for syscall() on Linux.
+#endif
+
+#include <openssl/rand.h>
+
+#if !defined(OPENSSL_WINDOWS) && !defined(OPENSSL_FUCHSIA) && \
+    !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) && !defined(OPENSSL_TRUSTY)
+
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#if defined(OPENSSL_LINUX)
+#if defined(BORINGSSL_FIPS)
+#include <linux/random.h>
+#include <sys/ioctl.h>
+#endif
+#include <sys/syscall.h>
+#endif
+
+#include <openssl/thread.h>
+#include <openssl/mem.h>
+
+#include "internal.h"
+#include "../delocate.h"
+#include "../../internal.h"
+
+
+#if defined(OPENSSL_LINUX)
+
+#if defined(OPENSSL_X86_64)
+#define EXPECTED_NR_getrandom 318
+#elif defined(OPENSSL_X86)
+#define EXPECTED_NR_getrandom 355
+#elif defined(OPENSSL_AARCH64)
+#define EXPECTED_NR_getrandom 278
+#elif defined(OPENSSL_ARM)
+#define EXPECTED_NR_getrandom 384
+#elif defined(OPENSSL_PPC64LE)
+#define EXPECTED_NR_getrandom 359
+#endif
+
+#if defined(EXPECTED_NR_getrandom)
+#define USE_NR_getrandom
+
+#if defined(__NR_getrandom)
+
+#if __NR_getrandom != EXPECTED_NR_getrandom
+#error "system call number for getrandom is not the expected value"
+#endif
+
+#else  // __NR_getrandom
+
+#define __NR_getrandom EXPECTED_NR_getrandom
+
+#endif  // __NR_getrandom
+
+#endif  // EXPECTED_NR_getrandom
+
+#if !defined(GRND_NONBLOCK)
+#define GRND_NONBLOCK 1
+#endif
+
+#endif  // OPENSSL_LINUX
+
+// rand_lock is used to protect the |*_requested| variables.
+DEFINE_STATIC_MUTEX(rand_lock);
+
+// The following constants are magic values of |urandom_fd|.
+static const int kUnset = 0;
+static const int kHaveGetrandom = -3;
+
+// urandom_fd_requested is set by |RAND_set_urandom_fd|. It's protected by
+// |rand_lock|.
+DEFINE_BSS_GET(int, urandom_fd_requested);
+
+// urandom_fd is a file descriptor to /dev/urandom. It's protected by |once|.
+DEFINE_BSS_GET(int, urandom_fd);
+
+DEFINE_STATIC_ONCE(rand_once);
+
+#if defined(USE_NR_getrandom) || defined(BORINGSSL_FIPS)
+// message writes |msg| to stderr. We use this because referencing |stderr|
+// with |fprintf| generates relocations, which is a problem inside the FIPS
+// module.
+static void message(const char *msg) {
+  ssize_t r;
+  do {
+    r = write(2, msg, strlen(msg));
+  } while (r == -1 && errno == EINTR);
+}
+#endif
+
+// init_once initializes the state of this module to values previously
+// requested. This is the only function that modifies |urandom_fd| and
+// |urandom_buffering|, whose values may be read safely after calling the
+// once.
+static void init_once(void) {
+  CRYPTO_STATIC_MUTEX_lock_read(rand_lock_bss_get());
+  int fd = *urandom_fd_requested_bss_get();
+  CRYPTO_STATIC_MUTEX_unlock_read(rand_lock_bss_get());
+
+#if defined(USE_NR_getrandom)
+  uint8_t dummy;
+  long getrandom_ret =
+      syscall(__NR_getrandom, &dummy, sizeof(dummy), GRND_NONBLOCK);
+
+  if (getrandom_ret == 1) {
+    *urandom_fd_bss_get() = kHaveGetrandom;
+    return;
+  } else if (getrandom_ret == -1 && errno == EAGAIN) {
+    message(
+        "getrandom indicates that the entropy pool has not been initialized. "
+        "Rather than continue with poor entropy, this process will block until "
+        "entropy is available.\n");
+
+    do {
+      getrandom_ret =
+          syscall(__NR_getrandom, &dummy, sizeof(dummy), 0 /* no flags */);
+    } while (getrandom_ret == -1 && errno == EINTR);
+
+    if (getrandom_ret == 1) {
+      *urandom_fd_bss_get() = kHaveGetrandom;
+      return;
+    }
+  }
+#endif  // USE_NR_getrandom
+
+  if (fd == kUnset) {
+    do {
+      fd = open("/dev/urandom", O_RDONLY);
+    } while (fd == -1 && errno == EINTR);
+  }
+
+  if (fd < 0) {
+    abort();
+  }
+
+  assert(kUnset == 0);
+  if (fd == kUnset) {
+    // Because we want to keep |urandom_fd| in the BSS, we have to initialise
+    // it to zero. But zero is a valid file descriptor too. Thus if open
+    // returns zero for /dev/urandom, we dup it to get a non-zero number.
+    fd = dup(fd);
+    close(kUnset);
+
+    if (fd <= 0) {
+      abort();
+    }
+  }
+
+#if defined(BORINGSSL_FIPS)
+  // In FIPS mode we ensure that the kernel has sufficient entropy before
+  // continuing. This is automatically handled by getrandom, which requires
+  // that the entropy pool has been initialised, but for urandom we have to
+  // poll.
+  for (;;) {
+    int entropy_bits;
+    if (ioctl(fd, RNDGETENTCNT, &entropy_bits)) {
+      message(
+          "RNDGETENTCNT on /dev/urandom failed. We cannot continue in this "
+          "case when in FIPS mode.\n");
+      abort();
+    }
+
+    static const int kBitsNeeded = 256;
+    if (entropy_bits >= kBitsNeeded) {
+      break;
+    }
+
+    usleep(250000);
+  }
+#endif
+
+  int flags = fcntl(fd, F_GETFD);
+  if (flags == -1) {
+    // Native Client doesn't implement |fcntl|.
+    if (errno != ENOSYS) {
+      abort();
+    }
+  } else {
+    flags |= FD_CLOEXEC;
+    if (fcntl(fd, F_SETFD, flags) == -1) {
+      abort();
+    }
+  }
+  *urandom_fd_bss_get() = fd;
+}
+
+void RAND_set_urandom_fd(int fd) {
+  fd = dup(fd);
+  if (fd < 0) {
+    abort();
+  }
+
+  assert(kUnset == 0);
+  if (fd == kUnset) {
+    // Because we want to keep |urandom_fd| in the BSS, we have to initialise
+    // it to zero. But zero is a valid file descriptor too. Thus if dup
+    // returned zero we dup it again to get a non-zero number.
+    fd = dup(fd);
+    close(kUnset);
+
+    if (fd <= 0) {
+      abort();
+    }
+  }
+
+  CRYPTO_STATIC_MUTEX_lock_write(rand_lock_bss_get());
+  *urandom_fd_requested_bss_get() = fd;
+  CRYPTO_STATIC_MUTEX_unlock_write(rand_lock_bss_get());
+
+  CRYPTO_once(rand_once_bss_get(), init_once);
+  if (*urandom_fd_bss_get() == kHaveGetrandom) {
+    close(fd);
+  } else if (*urandom_fd_bss_get() != fd) {
+    abort();  // Already initialized.
+  }
+}
+
+#if defined(USE_NR_getrandom) && defined(OPENSSL_MSAN)
+void __msan_unpoison(void *, size_t);
+#endif
+
+// fill_with_entropy writes |len| bytes of entropy into |out|. It returns one
+// on success and zero on error.
+static char fill_with_entropy(uint8_t *out, size_t len) {
+  while (len > 0) {
+    ssize_t r;
+
+    if (*urandom_fd_bss_get() == kHaveGetrandom) {
+#if defined(USE_NR_getrandom)
+      do {
+        r = syscall(__NR_getrandom, out, len, 0 /* no flags */);
+      } while (r == -1 && errno == EINTR);
+
+#if defined(OPENSSL_MSAN)
+      if (r > 0) {
+        // MSAN doesn't recognise |syscall| and thus doesn't notice that we
+        // have initialised the output buffer.
+        __msan_unpoison(out, r);
+      }
+#endif  // OPENSSL_MSAN
+
+#else  // USE_NR_getrandom
+      abort();
+#endif
+    } else {
+      do {
+        r = read(*urandom_fd_bss_get(), out, len);
+      } while (r == -1 && errno == EINTR);
+    }
+
+    if (r <= 0) {
+      return 0;
+    }
+    out += r;
+    len -= r;
+  }
+
+  return 1;
+}
+
+// CRYPTO_sysrand puts |requested| random bytes into |out|.
+void CRYPTO_sysrand(uint8_t *out, size_t requested) {
+  if (requested == 0) {
+    return;
+  }
+
+  CRYPTO_once(rand_once_bss_get(), init_once);
+
+  if (!fill_with_entropy(out, requested)) {
+    abort();
+  }
+
+#if defined(BORINGSSL_FIPS_BREAK_CRNG)
+  // This breaks the "continuous random number generator test" defined in FIPS
+  // 140-2, section 4.9.2, and implemented in rand_get_seed().
+  OPENSSL_memset(out, 0, requested);
+#endif
+}
+
+#endif /* !OPENSSL_WINDOWS && !defined(OPENSSL_FUCHSIA) && \
+          !BORINGSSL_UNSAFE_DETERMINISTIC_MODE && !OPENSSL_TRUSTY */

data/third_party/boringssl/crypto/fipsmodule/rsa/blinding.c

@@ -0,0 +1,263 @@
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#include <openssl/rsa.h>
+
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/mem.h>
+#include <openssl/err.h>
+
+#include "internal.h"
+#include "../../internal.h"
+
+
+#define BN_BLINDING_COUNTER 32
+
+struct bn_blinding_st {
+  BIGNUM *A;  // The base blinding factor, Montgomery-encoded.
+  BIGNUM *Ai;  // The inverse of the blinding factor, Montgomery-encoded.
+  unsigned counter;
+};
+
+static int bn_blinding_create_param(BN_BLINDING *b, const BIGNUM *e,
+                                    const BN_MONT_CTX *mont, BN_CTX *ctx);
+
+BN_BLINDING *BN_BLINDING_new(void) {
+  BN_BLINDING *ret = OPENSSL_malloc(sizeof(BN_BLINDING));
+  if (ret == NULL) {
+    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
+    return NULL;
+  }
+  OPENSSL_memset(ret, 0, sizeof(BN_BLINDING));
+
+  ret->A = BN_new();
+  if (ret->A == NULL) {
+    goto err;
+  }
+
+  ret->Ai = BN_new();
+  if (ret->Ai == NULL) {
+    goto err;
+  }
+
+  // The blinding values need to be created before this blinding can be used.
+  ret->counter = BN_BLINDING_COUNTER - 1;
+
+  return ret;
+
+err:
+  BN_BLINDING_free(ret);
+  return NULL;
+}
+
+void BN_BLINDING_free(BN_BLINDING *r) {
+  if (r == NULL) {
+    return;
+  }
+
+  BN_free(r->A);
+  BN_free(r->Ai);
+  OPENSSL_free(r);
+}
+
+static int bn_blinding_update(BN_BLINDING *b, const BIGNUM *e,
+                              const BN_MONT_CTX *mont, BN_CTX *ctx) {
+  if (++b->counter == BN_BLINDING_COUNTER) {
+    // re-create blinding parameters
+    if (!bn_blinding_create_param(b, e, mont, ctx)) {
+      goto err;
+    }
+    b->counter = 0;
+  } else {
+    if (!BN_mod_mul_montgomery(b->A, b->A, b->A, mont, ctx) ||
+        !BN_mod_mul_montgomery(b->Ai, b->Ai, b->Ai, mont, ctx)) {
+      goto err;
+    }
+  }
+
+  return 1;
+
+err:
+  // |A| and |Ai| may be in an inconsistent state so they both need to be
+  // replaced the next time this blinding is used. Note that this is only
+  // sufficient because support for |BN_BLINDING_NO_UPDATE| and
+  // |BN_BLINDING_NO_RECREATE| was previously dropped.
+  b->counter = BN_BLINDING_COUNTER - 1;
+
+  return 0;
+}
+
+int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, const BIGNUM *e,
+                        const BN_MONT_CTX *mont, BN_CTX *ctx) {
+  // |n| is not Montgomery-encoded and |b->A| is. |BN_mod_mul_montgomery|
+  // cancels one Montgomery factor, so the resulting value of |n| is unencoded.
+  if (!bn_blinding_update(b, e, mont, ctx) ||
+      !BN_mod_mul_montgomery(n, n, b->A, mont, ctx)) {
+    return 0;
+  }
+
+  return 1;
+}
+
+int BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_MONT_CTX *mont,
+                       BN_CTX *ctx) {
+  // |n| is not Montgomery-encoded and |b->A| is. |BN_mod_mul_montgomery|
+  // cancels one Montgomery factor, so the resulting value of |n| is unencoded.
+  return BN_mod_mul_montgomery(n, n, b->Ai, mont, ctx);
+}
+
+static int bn_blinding_create_param(BN_BLINDING *b, const BIGNUM *e,
+                                    const BN_MONT_CTX *mont, BN_CTX *ctx) {
+  int retry_counter = 32;
+
+  do {
+    if (!BN_rand_range_ex(b->A, 1, &mont->N)) {
+      OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
+      return 0;
+    }
+
+    // |BN_from_montgomery| + |BN_mod_inverse_blinded| is equivalent to, but
+    // more efficient than, |BN_mod_inverse_blinded| + |BN_to_montgomery|.
+    if (!BN_from_montgomery(b->Ai, b->A, mont, ctx)) {
+      OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
+      return 0;
+    }
+
+    int no_inverse;
+    if (BN_mod_inverse_blinded(b->Ai, &no_inverse, b->Ai, mont, ctx)) {
+      break;
+    }
+
+    if (!no_inverse) {
+      OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
+      return 0;
+    }
+
+    // For reasonably-sized RSA keys, it should almost never be the case that a
+    // random value doesn't have an inverse.
+    if (retry_counter-- == 0) {
+      OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
+      return 0;
+    }
+    ERR_clear_error();
+  } while (1);
+
+  if (!BN_mod_exp_mont(b->A, b->A, e, &mont->N, ctx, mont)) {
+    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
+    return 0;
+  }
+
+  if (!BN_to_montgomery(b->A, b->A, mont, ctx)) {
+    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
+    return 0;
+  }
+
+  return 1;
+}