grpc 1.24.0 → 1.25.0.pre1

data/third_party/boringssl/crypto/hrss/internal.h

@@ -0,0 +1,62 @@
+/* Copyright (c) 2018, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_HRSS_INTERNAL_H
+#define OPENSSL_HEADER_HRSS_INTERNAL_H
+
+#include <openssl/base.h>
+#include "../internal.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+#define N 701
+#define BITS_PER_WORD (sizeof(crypto_word_t) * 8)
+#define WORDS_PER_POLY ((N + BITS_PER_WORD - 1) / BITS_PER_WORD)
+#define BITS_IN_LAST_WORD (N % BITS_PER_WORD)
+
+struct poly2 {
+  crypto_word_t v[WORDS_PER_POLY];
+};
+
+struct poly3 {
+  struct poly2 s, a;
+};
+
+OPENSSL_EXPORT void HRSS_poly2_rotr_consttime(struct poly2 *p, size_t bits);
+OPENSSL_EXPORT void HRSS_poly3_mul(struct poly3 *out, const struct poly3 *x,
+                                   const struct poly3 *y);
+OPENSSL_EXPORT void HRSS_poly3_invert(struct poly3 *out,
+                                      const struct poly3 *in);
+
+// On x86-64, we can use the AVX2 code from [HRSS]. (The authors have given
+// explicit permission for this and signed a CLA.) However it's 57KB of object
+// code, so it's not used if |OPENSSL_SMALL| is defined.
+#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SMALL) && \
+    defined(OPENSSL_X86_64) && defined(OPENSSL_LINUX)
+#define POLY_RQ_MUL_ASM
+// poly_Rq_mul is defined in assembly. Inputs and outputs must be 16-byte-
+// aligned.
+extern void poly_Rq_mul(uint16_t r[N + 3], const uint16_t a[N + 3],
+                        const uint16_t b[N + 3]);
+#endif
+
+
+#if defined(__cplusplus)
+}  // extern "C"
+#endif
+
+#endif  // !OPENSSL_HEADER_HRSS_INTERNAL_H

data/third_party/boringssl/crypto/internal.h

@@ -116,14 +116,11 @@
 #include <assert.h>
 #include <string.h>
 
-#if defined(__GNUC__) && \
-    (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) < 40800
-// |alignas| and |alignof| were added in C11. GCC added support in version 4.8.
-// Testing for __STDC_VERSION__/__cplusplus doesn't work because 4.7 already
-// reports support for C11.
-#define alignas(x) __attribute__ ((aligned (x)))
-#define alignof(x) __alignof__ (x)
-#elif !defined(__cplusplus)
+#if defined(BORINGSSL_CONSTANT_TIME_VALIDATION)
+#include <valgrind/memcheck.h>
+#endif
+
+#if !defined(__cplusplus)
 #if defined(_MSC_VER)
 #define alignas(x) __declspec(align(x))
 #define alignof __alignof
@@ -132,13 +129,13 @@
 #endif
 #endif
 
-#if !defined(OPENSSL_NO_THREADS) && \
+#if defined(OPENSSL_THREADS) && \
     (!defined(OPENSSL_WINDOWS) || defined(__MINGW32__))
 #include <pthread.h>
 #define OPENSSL_PTHREADS
 #endif
 
-#if !defined(OPENSSL_NO_THREADS) && !defined(OPENSSL_PTHREADS) && \
+#if defined(OPENSSL_THREADS) && !defined(OPENSSL_PTHREADS) && \
     defined(OPENSSL_WINDOWS)
 #define OPENSSL_WINDOWS_THREADS
 OPENSSL_MSVC_PRAGMA(warning(push, 3))
@@ -157,6 +154,14 @@ extern "C" {
 void OPENSSL_cpuid_setup(void);
 #endif
 
+#if (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && \
+    !defined(OPENSSL_STATIC_ARMCAP)
+// OPENSSL_get_armcap_pointer_for_test returns a pointer to |OPENSSL_armcap_P|
+// for unit tests. Any modifications to the value must be made after
+// |CRYPTO_library_init| but before any other function call in BoringSSL.
+OPENSSL_EXPORT uint32_t *OPENSSL_get_armcap_pointer_for_test(void);
+#endif
+
 
 #if (!defined(_MSC_VER) || defined(__clang__)) && defined(OPENSSL_64_BIT)
 #define BORINGSSL_HAS_UINT128
@@ -182,6 +187,15 @@ typedef __uint128_t uint128_t;
 #define OPENSSL_FALLTHROUGH [[gnu::fallthrough]]
 #elif defined(__GNUC__) && __GNUC__ >= 7 // gcc 7
 #define OPENSSL_FALLTHROUGH __attribute__ ((fallthrough))
+#elif defined(__clang__)
+#if __has_attribute(fallthrough) && __clang_major__ >= 5
+// Clang 3.5, at least, complains about "error: declaration does not declare
+// anything", possibily because we put a semicolon after this macro in
+// practice. Thus limit it to >= Clang 5, which does work.
+#define OPENSSL_FALLTHROUGH __attribute__ ((fallthrough))
+#else // clang versions that do not support fallthrough.
+#define OPENSSL_FALLTHROUGH
+#endif
 #else // C++11 on gcc 6, and all other cases
 #define OPENSSL_FALLTHROUGH
 #endif
@@ -230,15 +244,41 @@ typedef uint32_t crypto_word_t;
 #error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
 #endif
 
-#define CONSTTIME_TRUE_W ~((crypto_word_t)0)
-#define CONSTTIME_FALSE_W ((crypto_word_t)0)
-#define CONSTTIME_TRUE_8 ((uint8_t)0xff)
-
 #define CONSTTIME_TRUE_W ~((crypto_word_t)0)
 #define CONSTTIME_FALSE_W ((crypto_word_t)0)
 #define CONSTTIME_TRUE_8 ((uint8_t)0xff)
 #define CONSTTIME_FALSE_8 ((uint8_t)0)
 
+// value_barrier_w returns |a|, but prevents GCC and Clang from reasoning about
+// the returned value. This is used to mitigate compilers undoing constant-time
+// code, until we can express our requirements directly in the language.
+//
+// Note the compiler is aware that |value_barrier_w| has no side effects and
+// always has the same output for a given input. This allows it to eliminate
+// dead code, move computations across loops, and vectorize.
+static inline crypto_word_t value_barrier_w(crypto_word_t a) {
+#if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__))
+  __asm__("" : "+r"(a) : /* no inputs */);
+#endif
+  return a;
+}
+
+// value_barrier_u32 behaves like |value_barrier_w| but takes a |uint32_t|.
+static inline uint32_t value_barrier_u32(uint32_t a) {
+#if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__))
+  __asm__("" : "+r"(a) : /* no inputs */);
+#endif
+  return a;
+}
+
+// value_barrier_u64 behaves like |value_barrier_w| but takes a |uint64_t|.
+static inline uint64_t value_barrier_u64(uint64_t a) {
+#if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__))
+  __asm__("" : "+r"(a) : /* no inputs */);
+#endif
+  return a;
+}
+
 // constant_time_msb_w returns the given value with the MSB copied to all the
 // other bits.
 static inline crypto_word_t constant_time_msb_w(crypto_word_t a) {
@@ -351,7 +391,13 @@ static inline uint8_t constant_time_eq_int_8(int a, int b) {
 static inline crypto_word_t constant_time_select_w(crypto_word_t mask,
                                                    crypto_word_t a,
                                                    crypto_word_t b) {
-  return (mask & a) | (~mask & b);
+  // Clang recognizes this pattern as a select. While it usually transforms it
+  // to a cmov, it sometimes further transforms it into a branch, which we do
+  // not want.
+  //
+  // Adding barriers to both |mask| and |~mask| breaks the relationship between
+  // the two, which makes the compiler stick with bitmasks.
+  return (value_barrier_w(mask) & a) | (value_barrier_w(~mask) & b);
 }
 
 // constant_time_select_8 acts like |constant_time_select| but operates on
@@ -368,10 +414,30 @@ static inline int constant_time_select_int(crypto_word_t mask, int a, int b) {
                                       (crypto_word_t)(b)));
 }
 
+#if defined(BORINGSSL_CONSTANT_TIME_VALIDATION)
+
+// CONSTTIME_SECRET takes a pointer and a number of bytes and marks that region
+// of memory as secret. Secret data is tracked as it flows to registers and
+// other parts of a memory. If secret data is used as a condition for a branch,
+// or as a memory index, it will trigger warnings in valgrind.
+#define CONSTTIME_SECRET(x, y) VALGRIND_MAKE_MEM_UNDEFINED(x, y)
+
+// CONSTTIME_DECLASSIFY takes a pointer and a number of bytes and marks that
+// region of memory as public. Public data is not subject to constant-time
+// rules.
+#define CONSTTIME_DECLASSIFY(x, y) VALGRIND_MAKE_MEM_DEFINED(x, y)
+
+#else
+
+#define CONSTTIME_SECRET(x, y)
+#define CONSTTIME_DECLASSIFY(x, y)
+
+#endif  // BORINGSSL_CONSTANT_TIME_VALIDATION
+
 
 // Thread-safe initialisation.
 
-#if defined(OPENSSL_NO_THREADS)
+#if !defined(OPENSSL_THREADS)
 typedef uint32_t CRYPTO_once_t;
 #define CRYPTO_ONCE_INIT 0
 #elif defined(OPENSSL_WINDOWS_THREADS)
@@ -427,7 +493,7 @@ OPENSSL_EXPORT int CRYPTO_refcount_dec_and_test_zero(CRYPTO_refcount_t *count);
 // thread.h as a structure large enough to fit the real type. The global lock is
 // a different type so it may be initialized with platform initializer macros.
 
-#if defined(OPENSSL_NO_THREADS)
+#if !defined(OPENSSL_THREADS)
 struct CRYPTO_STATIC_MUTEX {
   char padding;  // Empty structs have different sizes in C and C++.
 };
@@ -492,7 +558,7 @@ OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_unlock_write(
 #if defined(__cplusplus)
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 namespace internal {
 
@@ -520,7 +586,7 @@ using MutexWriteLock =
 using MutexReadLock =
     internal::MutexLockBase<CRYPTO_MUTEX_lock_read, CRYPTO_MUTEX_unlock_read>;
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern "C++"
 #endif  // defined(__cplusplus)
@@ -624,7 +690,7 @@ static inline uint64_t CRYPTO_bswap8(uint64_t x) {
 }
 #elif defined(_MSC_VER)
 OPENSSL_MSVC_PRAGMA(warning(push, 3))
-#include <intrin.h>
+#include <stdlib.h>
 OPENSSL_MSVC_PRAGMA(warning(pop))
 #pragma intrinsic(_byteswap_uint64, _byteswap_ulong)
 static inline uint32_t CRYPTO_bswap4(uint32_t x) {
@@ -732,6 +798,15 @@ static inline void *OPENSSL_memset(void *dst, int c, size_t n) {
 void BORINGSSL_FIPS_abort(void) __attribute__((noreturn));
 #endif
 
+// boringssl_fips_self_test runs the FIPS KAT-based self tests. It returns one
+// on success and zero on error. The argument is the integrity hash of the FIPS
+// module and may be used to check and write flag files to suppress duplicate
+// self-tests. If |module_hash_len| is zero then no flag file will be checked
+// nor written and tests will always be run.
+int boringssl_fips_self_test(const uint8_t *module_hash,
+                             size_t module_hash_len);
+
+
 #if defined(__cplusplus)
 }  // extern C
 #endif

data/third_party/boringssl/crypto/lhash/lhash.c

@@ -139,17 +139,17 @@ size_t lh_num_items(const _LHASH *lh) { return lh->num_items; }
 // not found, it returns a pointer that points to a NULL pointer. If |out_hash|
 // is not NULL, then it also puts the hash value of |data| in |*out_hash|.
 static LHASH_ITEM **get_next_ptr_and_hash(const _LHASH *lh, uint32_t *out_hash,
-                                          const void *data) {
-  const uint32_t hash = lh->hash(data);
-  LHASH_ITEM *cur, **ret;
-
+                                          const void *data,
+                                          lhash_hash_func_helper call_hash_func,
+                                          lhash_cmp_func_helper call_cmp_func) {
+  const uint32_t hash = call_hash_func(lh->hash, data);
   if (out_hash != NULL) {
     *out_hash = hash;
   }
 
-  ret = &lh->buckets[hash % lh->num_buckets];
-  for (cur = *ret; cur != NULL; cur = *ret) {
-    if (lh->comp(cur->data, data) == 0) {
+  LHASH_ITEM **ret = &lh->buckets[hash % lh->num_buckets];
+  for (LHASH_ITEM *cur = *ret; cur != NULL; cur = *ret) {
+    if (call_cmp_func(lh->comp, cur->data, data) == 0) {
       break;
     }
     ret = &cur->next;
@@ -158,16 +158,35 @@ static LHASH_ITEM **get_next_ptr_and_hash(const _LHASH *lh, uint32_t *out_hash,
   return ret;
 }
 
-void *lh_retrieve(const _LHASH *lh, const void *data) {
-  LHASH_ITEM **next_ptr;
+// get_next_ptr_by_key behaves like |get_next_ptr_and_hash| but takes a key
+// which may be a different type from the values stored in |lh|.
+static LHASH_ITEM **get_next_ptr_by_key(const _LHASH *lh, const void *key,
+                                        uint32_t key_hash,
+                                        int (*cmp_key)(const void *key,
+                                                       const void *value)) {
+  LHASH_ITEM **ret = &lh->buckets[key_hash % lh->num_buckets];
+  for (LHASH_ITEM *cur = *ret; cur != NULL; cur = *ret) {
+    if (cmp_key(key, cur->data) == 0) {
+      break;
+    }
+    ret = &cur->next;
+  }
 
-  next_ptr = get_next_ptr_and_hash(lh, NULL, data);
+  return ret;
+}
 
-  if (*next_ptr == NULL) {
-    return NULL;
-  }
+void *lh_retrieve(const _LHASH *lh, const void *data,
+                  lhash_hash_func_helper call_hash_func,
+                  lhash_cmp_func_helper call_cmp_func) {
+  LHASH_ITEM **next_ptr =
+      get_next_ptr_and_hash(lh, NULL, data, call_hash_func, call_cmp_func);
+  return *next_ptr == NULL ? NULL : (*next_ptr)->data;
+}
 
-  return (*next_ptr)->data;
+void *lh_retrieve_key(const _LHASH *lh, const void *key, uint32_t key_hash,
+                      int (*cmp_key)(const void *key, const void *value)) {
+  LHASH_ITEM **next_ptr = get_next_ptr_by_key(lh, key, key_hash, cmp_key);
+  return *next_ptr == NULL ? NULL : (*next_ptr)->data;
 }
 
 // lh_rebucket allocates a new array of |new_num_buckets| pointers and
@@ -233,12 +252,15 @@ static void lh_maybe_resize(_LHASH *lh) {
   }
 }
 
-int lh_insert(_LHASH *lh, void **old_data, void *data) {
+int lh_insert(_LHASH *lh, void **old_data, void *data,
+              lhash_hash_func_helper call_hash_func,
+              lhash_cmp_func_helper call_cmp_func) {
   uint32_t hash;
   LHASH_ITEM **next_ptr, *item;
 
   *old_data = NULL;
-  next_ptr = get_next_ptr_and_hash(lh, &hash, data);
+  next_ptr =
+      get_next_ptr_and_hash(lh, &hash, data, call_hash_func, call_cmp_func);
 
 
   if (*next_ptr != NULL) {
@@ -265,10 +287,13 @@ int lh_insert(_LHASH *lh, void **old_data, void *data) {
   return 1;
 }
 
-void *lh_delete(_LHASH *lh, const void *data) {
+void *lh_delete(_LHASH *lh, const void *data,
+                lhash_hash_func_helper call_hash_func,
+                lhash_cmp_func_helper call_cmp_func) {
   LHASH_ITEM **next_ptr, *item, *ret;
 
-  next_ptr = get_next_ptr_and_hash(lh, NULL, data);
+  next_ptr =
+      get_next_ptr_and_hash(lh, NULL, data, call_hash_func, call_cmp_func);
 
   if (*next_ptr == NULL) {
     // No such element.
@@ -286,8 +311,7 @@ void *lh_delete(_LHASH *lh, const void *data) {
   return ret;
 }
 
-static void lh_doall_internal(_LHASH *lh, void (*no_arg_func)(void *),
-                              void (*arg_func)(void *, void *), void *arg) {
+void lh_doall_arg(_LHASH *lh, void (*func)(void *, void *), void *arg) {
   if (lh == NULL) {
     return;
   }
@@ -301,11 +325,7 @@ static void lh_doall_internal(_LHASH *lh, void (*no_arg_func)(void *),
     LHASH_ITEM *next;
     for (LHASH_ITEM *cur = lh->buckets[i]; cur != NULL; cur = next) {
       next = cur->next;
-      if (arg_func) {
-        arg_func(cur->data, arg);
-      } else {
-        no_arg_func(cur->data);
-      }
+      func(cur->data, arg);
     }
   }
 
@@ -319,14 +339,6 @@ static void lh_doall_internal(_LHASH *lh, void (*no_arg_func)(void *),
   lh_maybe_resize(lh);
 }
 
-void lh_doall(_LHASH *lh, void (*func)(void *)) {
-  lh_doall_internal(lh, func, NULL, NULL);
-}
-
-void lh_doall_arg(_LHASH *lh, void (*func)(void *, void *), void *arg) {
-  lh_doall_internal(lh, NULL, func, arg);
-}
-
 uint32_t lh_strhash(const char *c) {
   if (c == NULL) {
     return 0;

data/third_party/boringssl/crypto/mem.c

@@ -59,7 +59,6 @@
 #include <assert.h>
 #include <stdarg.h>
 #include <stdio.h>
-#include <string.h>
 
 #if defined(OPENSSL_WINDOWS)
 OPENSSL_MSVC_PRAGMA(warning(push, 3))
@@ -72,6 +71,36 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
 
 #define OPENSSL_MALLOC_PREFIX 8
 
+#if defined(OPENSSL_ASAN)
+void __asan_poison_memory_region(const volatile void *addr, size_t size);
+void __asan_unpoison_memory_region(const volatile void *addr, size_t size);
+#else
+static void __asan_poison_memory_region(const void *addr, size_t size) {}
+static void __asan_unpoison_memory_region(const void *addr, size_t size) {}
+#endif
+
+// Windows doesn't really support weak symbols as of May 2019, and Clang on
+// Windows will emit strong symbols instead. See
+// https://bugs.llvm.org/show_bug.cgi?id=37598
+#if defined(__GNUC__) || (defined(__clang__) && !defined(_MSC_VER))
+// sdallocx is a sized |free| function. By passing the size (which we happen to
+// always know in BoringSSL), the malloc implementation can save work. We cannot
+// depend on |sdallocx| being available so we declare a wrapper that falls back
+// to |free| as a weak symbol.
+//
+// This will always be safe, but will only be overridden if the malloc
+// implementation is statically linked with BoringSSL. So, if |sdallocx| is
+// provided in, say, libc.so, we still won't use it because that's dynamically
+// linked. This isn't an ideal result, but its helps in some cases.
+void sdallocx(void *ptr, size_t size, int flags);
+
+__attribute((weak, noinline))
+#else
+static
+#endif
+void sdallocx(void *ptr, size_t size, int flags) {
+  free(ptr);
+}
 
 void *OPENSSL_malloc(size_t size) {
   void *ptr = malloc(size + OPENSSL_MALLOC_PREFIX);
@@ -81,6 +110,7 @@ void *OPENSSL_malloc(size_t size) {
 
   *(size_t *)ptr = size;
 
+  __asan_poison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);
   return ((uint8_t *)ptr) + OPENSSL_MALLOC_PREFIX;
 }
 
@@ -90,10 +120,11 @@ void OPENSSL_free(void *orig_ptr) {
   }
 
   void *ptr = ((uint8_t *)orig_ptr) - OPENSSL_MALLOC_PREFIX;
+  __asan_unpoison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);
 
   size_t size = *(size_t *)ptr;
   OPENSSL_cleanse(ptr, size + OPENSSL_MALLOC_PREFIX);
-  free(ptr);
+  sdallocx(ptr, size + OPENSSL_MALLOC_PREFIX, 0 /* flags */);
 }
 
 void *OPENSSL_realloc(void *orig_ptr, size_t new_size) {
@@ -102,7 +133,9 @@ void *OPENSSL_realloc(void *orig_ptr, size_t new_size) {
   }
 
   void *ptr = ((uint8_t *)orig_ptr) - OPENSSL_MALLOC_PREFIX;
+  __asan_unpoison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);
   size_t old_size = *(size_t *)ptr;
+  __asan_poison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);
 
   void *ret = OPENSSL_malloc(new_size);
   if (ret == NULL) {
@@ -135,6 +168,10 @@ void OPENSSL_cleanse(void *ptr, size_t len) {
 #endif  // !OPENSSL_NO_ASM
 }
 
+void OPENSSL_clear_free(void *ptr, size_t unused) {
+  OPENSSL_free(ptr);
+}
+
 int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len) {
   const uint8_t *a = in_a;
   const uint8_t *b = in_b;