grpc 1.24.0 → 1.25.0.pre1

data/third_party/boringssl/crypto/cpu-intel.c

@@ -54,10 +54,6 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
-#if !defined(__STDC_FORMAT_MACROS)
-#define __STDC_FORMAT_MACROS
-#endif
-
 #include <openssl/cpu.h>
 
 
@@ -127,9 +123,17 @@ static uint64_t OPENSSL_xgetbv(uint32_t xcr) {
 // and |out[1]|. See the comment in |OPENSSL_cpuid_setup| about this.
 static void handle_cpu_env(uint32_t *out, const char *in) {
   const int invert = in[0] == '~';
+  const int hex = in[invert] == '0' && in[invert+1] == 'x';
+
+  int sscanf_result;
   uint64_t v;
+  if (hex) {
+    sscanf_result = sscanf(in + invert + 2, "%" PRIx64, &v);
+  } else {
+    sscanf_result = sscanf(in + invert, "%" PRIu64, &v);
+  }
 
-  if (!sscanf(in + invert, "%" PRIu64, &v)) {
+  if (!sscanf_result) {
     return;
   }
 
@@ -156,50 +160,43 @@ void OPENSSL_cpuid_setup(void) {
                edx == 0x69746e65 /* enti */ &&
                ecx == 0x444d4163 /* cAMD */;
 
-  int has_amd_xop = 0;
-  if (is_amd) {
-    // AMD-specific logic.
-    // See http://developer.amd.com/wordpress/media/2012/10/254811.pdf
-    OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 0x80000000);
-    uint32_t num_extended_ids = eax;
-    if (num_extended_ids >= 0x80000001) {
-      OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 0x80000001);
-      if (ecx & (1u << 11)) {
-        has_amd_xop = 1;
-      }
-    }
-  }
-
-  uint32_t extended_features = 0;
+  uint32_t extended_features[2] = {0};
   if (num_ids >= 7) {
     OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 7);
-    extended_features = ebx;
-  }
-
-  // Determine the number of cores sharing an L1 data cache to adjust the
-  // hyper-threading bit.
-  uint32_t cores_per_cache = 0;
-  if (is_amd) {
-    // AMD CPUs never share an L1 data cache between threads but do set the HTT
-    // bit on multi-core CPUs.
-    cores_per_cache = 1;
-  } else if (num_ids >= 4) {
-    // TODO(davidben): The Intel manual says this CPUID leaf enumerates all
-    // caches using ECX and doesn't say which is first. Does this matter?
-    OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 4);
-    cores_per_cache = 1 + ((eax >> 14) & 0xfff);
+    extended_features[0] = ebx;
+    extended_features[1] = ecx;
   }
 
   OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 1);
 
-  // Adjust the hyper-threading bit.
-  if (edx & (1u << 28)) {
-    uint32_t num_logical_cores = (ebx >> 16) & 0xff;
-    if (cores_per_cache == 1 || num_logical_cores <= 1) {
-      edx &= ~(1u << 28);
+  if (is_amd) {
+    // See https://www.amd.com/system/files/TechDocs/25481.pdf, page 10.
+    const uint32_t base_family = (eax >> 8) & 15;
+    const uint32_t base_model = (eax >> 4) & 15;
+
+    uint32_t family = base_family;
+    uint32_t model = base_model;
+    if (base_family == 0xf) {
+      const uint32_t ext_family = (eax >> 20) & 255;
+      family += ext_family;
+      const uint32_t ext_model = (eax >> 16) & 15;
+      model |= ext_model << 4;
+    }
+
+    if (family < 0x17 || (family == 0x17 && 0x70 <= model && model <= 0x7f)) {
+      // Disable RDRAND on AMD families before 0x17 (Zen) due to reported
+      // failures after suspend.
+      // https://bugzilla.redhat.com/show_bug.cgi?id=1150286
+      // Also disable for family 0x17, models 0x70–0x7f, due to possible RDRAND
+      // failures there too.
+      ecx &= ~(1u << 30);
     }
   }
 
+  // Force the hyper-threading bit so that the more conservative path is always
+  // chosen.
+  edx |= 1u << 28;
+
   // Reserved bit #20 was historically repurposed to control the in-memory
   // representation of RC4 state. Always set it to zero.
   edx &= ~(1u << 20);
@@ -219,12 +216,9 @@ void OPENSSL_cpuid_setup(void) {
     edx &= ~(1u << 30);
   }
 
-  // The SDBG bit is repurposed to denote AMD XOP support.
-  if (has_amd_xop) {
-    ecx |= (1u << 11);
-  } else {
-    ecx &= ~(1u << 11);
-  }
+  // The SDBG bit is repurposed to denote AMD XOP support. Don't ever use AMD
+  // XOP code paths.
+  ecx &= ~(1u << 11);
 
   uint64_t xcr0 = 0;
   if (ecx & (1u << 27)) {
@@ -241,26 +235,26 @@ void OPENSSL_cpuid_setup(void) {
     //
     // TODO(davidben): Should bits 17 and 26-28 also be cleared? Upstream
     // doesn't clear those.
-    extended_features &=
+    extended_features[0] &=
         ~((1u << 5) | (1u << 16) | (1u << 21) | (1u << 30) | (1u << 31));
   }
   // See Intel manual, volume 1, section 15.2.
   if ((xcr0 & 0xe6) != 0xe6) {
     // Clear AVX512F. Note we don't touch other AVX512 extensions because they
     // can be used with YMM.
-    extended_features &= ~(1u << 16);
+    extended_features[0] &= ~(1u << 16);
   }
 
   // Disable ADX instructions on Knights Landing. See OpenSSL commit
   // 64d92d74985ebb3d0be58a9718f9e080a14a8e7f.
   if ((ecx & (1u << 26)) == 0) {
-    extended_features &= ~(1u << 19);
+    extended_features[0] &= ~(1u << 19);
   }
 
   OPENSSL_ia32cap_P[0] = edx;
   OPENSSL_ia32cap_P[1] = ecx;
-  OPENSSL_ia32cap_P[2] = extended_features;
-  OPENSSL_ia32cap_P[3] = 0;
+  OPENSSL_ia32cap_P[2] = extended_features[0];
+  OPENSSL_ia32cap_P[3] = extended_features[1];
 
   const char *env1, *env2;
   env1 = getenv("OPENSSL_ia32cap");

data/third_party/boringssl/crypto/crypto.c

@@ -36,8 +36,8 @@
 #define BORINGSSL_NO_STATIC_INITIALIZER
 #endif
 
-#endif  /* !OPENSSL_NO_ASM && (OPENSSL_X86 || OPENSSL_X86_64 ||
-                               OPENSSL_ARM || OPENSSL_AARCH64) */
+#endif  // !NO_ASM && !STATIC_ARMCAP &&
+        // (X86 || X86_64 || ARM || AARCH64 || PPC64LE)
 
 
 // Our assembly does not use the GOT to reference symbols, which means
@@ -60,8 +60,7 @@
 // that tests the capability values will still skip the constructor but, so
 // far, the init constructor function only sets the capability variables.
 
-#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
-
+#if defined(BORINGSSL_DISPATCH_TEST)
 // This value must be explicitly initialised to zero in order to work around a
 // bug in libtool or the linker on OS X.
 //
@@ -69,6 +68,12 @@
 // archive, linking on OS X will fail to resolve common symbols. By
 // initialising it to zero, it becomes a "data symbol", which isn't so
 // affected.
+HIDDEN uint8_t BORINGSSL_function_hit[7] = {0};
+#endif
+
+#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
+
+// This value must be explicitly initialized to zero. See similar comment above.
 HIDDEN uint32_t OPENSSL_ia32cap_P[4] = {0};
 
 #elif defined(OPENSSL_PPC64LE)
@@ -82,7 +87,8 @@ HIDDEN unsigned long OPENSSL_ppc64le_hwcap2 = 0;
 #if defined(OPENSSL_STATIC_ARMCAP)
 
 HIDDEN uint32_t OPENSSL_armcap_P =
-#if defined(OPENSSL_STATIC_ARMCAP_NEON) || defined(__ARM_NEON__)
+#if defined(OPENSSL_STATIC_ARMCAP_NEON) || \
+    (defined(__ARM_NEON__) || defined(__ARM_NEON))
     ARMV7_NEON |
 #endif
 #if defined(OPENSSL_STATIC_ARMCAP_AES) || defined(__ARM_FEATURE_CRYPTO)
@@ -101,6 +107,10 @@ HIDDEN uint32_t OPENSSL_armcap_P =
 
 #else
 HIDDEN uint32_t OPENSSL_armcap_P = 0;
+
+uint32_t *OPENSSL_get_armcap_pointer_for_test(void) {
+  return &OPENSSL_armcap_P;
+}
 #endif
 
 #endif
@@ -164,31 +174,36 @@ int CRYPTO_has_asm(void) {
 #endif
 }
 
-const char *SSLeay_version(int unused) {
-  return "BoringSSL";
+const char *SSLeay_version(int which) { return OpenSSL_version(which); }
+
+const char *OpenSSL_version(int which) {
+  switch (which) {
+    case OPENSSL_VERSION:
+      return "BoringSSL";
+    case OPENSSL_CFLAGS:
+      return "compiler: n/a";
+    case OPENSSL_BUILT_ON:
+      return "built on: n/a";
+    case OPENSSL_PLATFORM:
+      return "platform: n/a";
+    case OPENSSL_DIR:
+      return "OPENSSLDIR: n/a";
+    default:
+      return "not available";
+  }
 }
 
-const char *OpenSSL_version(int unused) {
-  return "BoringSSL";
-}
+unsigned long SSLeay(void) { return OPENSSL_VERSION_NUMBER; }
 
-unsigned long SSLeay(void) {
-  return OPENSSL_VERSION_NUMBER;
-}
+unsigned long OpenSSL_version_num(void) { return OPENSSL_VERSION_NUMBER; }
 
-unsigned long OpenSSL_version_num(void) {
-  return OPENSSL_VERSION_NUMBER;
-}
+int CRYPTO_malloc_init(void) { return 1; }
 
-int CRYPTO_malloc_init(void) {
-  return 1;
-}
+int OPENSSL_malloc_init(void) { return 1; }
 
 void ENGINE_load_builtin_engines(void) {}
 
-int ENGINE_register_all_complete(void) {
-  return 1;
-}
+int ENGINE_register_all_complete(void) { return 1; }
 
 void OPENSSL_load_builtin_modules(void) {}
 
@@ -196,3 +211,5 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) {
   CRYPTO_library_init();
   return 1;
 }
+
+void OPENSSL_cleanup(void) {}

data/third_party/boringssl/crypto/curve25519/spake25519.c

@@ -481,7 +481,7 @@ int SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key, size_t *out_key_len,
   }
 
   ge_p3 Qstar;
-  if (0 != x25519_ge_frombytes_vartime(&Qstar, their_msg)) {
+  if (!x25519_ge_frombytes_vartime(&Qstar, their_msg)) {
     // Point received from peer was not on the curve.
     return 0;
   }

data/third_party/boringssl/crypto/dsa/dsa.c

@@ -79,7 +79,7 @@
 #define OPENSSL_DSA_MAX_MODULUS_BITS 10000
 
 // Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
-// Rabin-Miller
+// Miller-Rabin.
 #define DSS_prime_checks 50
 
 static int dsa_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv,
@@ -256,7 +256,7 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
     // Find q.
     for (;;) {
       // step 1
-      if (!BN_GENCB_call(cb, 0, m++)) {
+      if (!BN_GENCB_call(cb, BN_GENCB_GENERATED, m++)) {
         goto err;
       }
 
@@ -319,7 +319,7 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
     n = (bits - 1) / 160;
 
     for (;;) {
-      if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) {
+      if ((counter != 0) && !BN_GENCB_call(cb, BN_GENCB_GENERATED, counter)) {
         goto err;
       }
 
@@ -541,22 +541,51 @@ void DSA_SIG_free(DSA_SIG *sig) {
   OPENSSL_free(sig);
 }
 
+// mod_mul_consttime sets |r| to |a| * |b| modulo |mont->N|, treating |a| and
+// |b| as secret. This function internally uses Montgomery reduction, but
+// neither inputs nor outputs are in Montgomery form.
+static int mod_mul_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                             const BN_MONT_CTX *mont, BN_CTX *ctx) {
+  BN_CTX_start(ctx);
+  BIGNUM *tmp = BN_CTX_get(ctx);
+  // |BN_mod_mul_montgomery| removes a factor of R, so we cancel it with a
+  // single |BN_to_montgomery| which adds one factor of R.
+  int ok = tmp != NULL &&
+           BN_to_montgomery(tmp, a, mont, ctx) &&
+           BN_mod_mul_montgomery(r, tmp, b, mont, ctx);
+  BN_CTX_end(ctx);
+  return ok;
+}
+
 DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa) {
+  if (!dsa->p || !dsa->q || !dsa->g) {
+    OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);
+    return NULL;
+  }
+
+  // Reject invalid parameters. In particular, the algorithm will infinite loop
+  // if |g| is zero.
+  if (BN_is_zero(dsa->p) || BN_is_zero(dsa->q) || BN_is_zero(dsa->g)) {
+    OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);
+    return NULL;
+  }
+
+  // We only support DSA keys that are a multiple of 8 bits. (This is a weaker
+  // check than the one in |DSA_do_check_signature|, which only allows 160-,
+  // 224-, and 256-bit keys.
+  if (BN_num_bits(dsa->q) % 8 != 0) {
+    OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);
+    return NULL;
+  }
+
   BIGNUM *kinv = NULL, *r = NULL, *s = NULL;
   BIGNUM m;
   BIGNUM xr;
   BN_CTX *ctx = NULL;
-  int reason = ERR_R_BN_LIB;
   DSA_SIG *ret = NULL;
 
   BN_init(&m);
   BN_init(&xr);
-
-  if (!dsa->p || !dsa->q || !dsa->g) {
-    reason = DSA_R_MISSING_PARAMETERS;
-    goto err;
-  }
-
   s = BN_new();
   if (s == NULL) {
     goto err;
@@ -572,9 +601,9 @@ redo:
   }
 
   if (digest_len > BN_num_bytes(dsa->q)) {
-    // if the digest length is greater than the size of q use the
-    // BN_num_bits(dsa->q) leftmost bits of the digest, see
-    // fips 186-3, 4.2
+    // If the digest length is greater than the size of |dsa->q| use the
+    // BN_num_bits(dsa->q) leftmost bits of the digest, see FIPS 186-3, 4.2.
+    // Note the above check that |dsa->q| is a multiple of 8 bits.
     digest_len = BN_num_bytes(dsa->q);
   }
 
@@ -582,19 +611,23 @@ redo:
     goto err;
   }
 
-  // Compute  s = inv(k) (m + xr) mod q
-  if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) {
-    goto err;  // s = xr
-  }
-  if (!BN_add(s, &xr, &m)) {
-    goto err;  // s = m + xr
-  }
-  if (BN_cmp(s, dsa->q) > 0) {
-    if (!BN_sub(s, s, dsa->q)) {
-      goto err;
-    }
+  // |m| is bounded by 2^(num_bits(q)), which is slightly looser than q. This
+  // violates |bn_mod_add_consttime| and |mod_mul_consttime|'s preconditions.
+  // (The underlying algorithms could accept looser bounds, but we reduce for
+  // simplicity.)
+  size_t q_width = bn_minimal_width(dsa->q);
+  if (!bn_resize_words(&m, q_width) ||
+      !bn_resize_words(&xr, q_width)) {
+    goto err;
   }
-  if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) {
+  bn_reduce_once_in_place(m.d, 0 /* no carry word */, dsa->q->d,
+                          xr.d /* scratch space */, q_width);
+
+  // Compute s = inv(k) (m + xr) mod q. Note |dsa->method_mont_q| is
+  // initialized by |dsa_sign_setup|.
+  if (!mod_mul_consttime(&xr, dsa->priv_key, r, dsa->method_mont_q, ctx) ||
+      !bn_mod_add_consttime(s, &xr, &m, dsa->q, ctx) ||
+      !mod_mul_consttime(s, s, kinv, dsa->method_mont_q, ctx)) {
     goto err;
   }
 
@@ -612,7 +645,7 @@ redo:
 
 err:
   if (ret == NULL) {
-    OPENSSL_PUT_ERROR(DSA, reason);
+    OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);
     BN_free(r);
     BN_free(s);
   }
@@ -648,7 +681,7 @@ int DSA_do_check_signature(int *out_valid, const uint8_t *digest,
   }
 
   i = BN_num_bits(dsa->q);
-  // fips 186-3 allows only different sizes for q
+  // FIPS 186-3 allows only different sizes for q.
   if (i != 160 && i != 224 && i != 256) {
     OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);
     return 0;
@@ -832,29 +865,18 @@ int DSA_size(const DSA *dsa) {
   return ret;
 }
 
-static int dsa_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv,
+static int dsa_sign_setup(const DSA *dsa, BN_CTX *ctx, BIGNUM **out_kinv,
                           BIGNUM **out_r) {
-  BN_CTX *ctx;
-  BIGNUM k, *kinv = NULL, *r = NULL;
-  int ret = 0;
-
   if (!dsa->p || !dsa->q || !dsa->g) {
     OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);
     return 0;
   }
 
+  int ret = 0;
+  BIGNUM k;
   BN_init(&k);
-
-  ctx = ctx_in;
-  if (ctx == NULL) {
-    ctx = BN_CTX_new();
-    if (ctx == NULL) {
-      goto err;
-    }
-  }
-
-  r = BN_new();
-  kinv = BN_new();
+  BIGNUM *r = BN_new();
+  BIGNUM *kinv = BN_new();
   if (r == NULL || kinv == NULL ||
       // Get random k
       !BN_rand_range_ex(&k, 1, dsa->q) ||
@@ -867,32 +889,34 @@ static int dsa_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv,
       // Compute r = (g^k mod p) mod q
       !BN_mod_exp_mont_consttime(r, dsa->g, &k, dsa->p, ctx,
                                  dsa->method_mont_p) ||
+      // Note |BN_mod| below is not constant-time and may leak information about
+      // |r|. |dsa->p| may be significantly larger than |dsa->q|, so this is not
+      // easily performed in constant-time with Montgomery reduction.
+      //
+      // However, |r| at this point is g^k (mod p). It is almost the value of
+      // |r| revealed in the signature anyway (g^k (mod p) (mod q)), going from
+      // it to |k| would require computing a discrete log.
       !BN_mod(r, r, dsa->q, ctx) ||
       // Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little
       // Theorem.
       !bn_mod_inverse_prime(kinv, &k, dsa->q, ctx, dsa->method_mont_q)) {
+    OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);
     goto err;
   }
 
   BN_clear_free(*out_kinv);
   *out_kinv = kinv;
   kinv = NULL;
+
   BN_clear_free(*out_r);
   *out_r = r;
+  r = NULL;
+
   ret = 1;
 
 err:
-  if (!ret) {
-    OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);
-    if (r != NULL) {
-      BN_clear_free(r);
-    }
-  }
-
-  if (ctx_in == NULL) {
-    BN_CTX_free(ctx);
-  }
   BN_clear_free(&k);
+  BN_clear_free(r);
   BN_clear_free(kinv);
   return ret;
 }