grpc 1.24.0 → 1.25.0

data/third_party/boringssl/crypto/fipsmodule/aes/key_wrap.c

@@ -48,6 +48,7 @@
 
 #include <openssl/aes.h>
 
+#include <assert.h>
 #include <limits.h>
 #include <string.h>
 
@@ -65,9 +66,10 @@ static const unsigned kBound = 6;
 
 int AES_wrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out,
                  const uint8_t *in, size_t in_len) {
-  // See RFC 3394, section 2.2.1.
+  // See RFC 3394, section 2.2.1. Additionally, note that section 2 requires the
+  // plaintext be at least two 8-byte blocks.
 
-  if (in_len > INT_MAX - 8 || in_len < 8 || in_len % 8 != 0) {
+  if (in_len > INT_MAX - 8 || in_len < 16 || in_len % 8 != 0) {
     return -1;
   }
 
@@ -99,16 +101,17 @@ int AES_wrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out,
   return (int)in_len + 8;
 }
 
-int AES_unwrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out,
-                   const uint8_t *in, size_t in_len) {
-  // See RFC 3394, section 2.2.2.
-
-  if (in_len > INT_MAX || in_len < 16 || in_len % 8 != 0) {
-    return -1;
-  }
-
-  if (iv == NULL) {
-    iv = kDefaultIV;
+// aes_unwrap_key_inner performs steps one and two from
+// https://tools.ietf.org/html/rfc3394#section-2.2.2
+static int aes_unwrap_key_inner(const AES_KEY *key, uint8_t *out,
+                                uint8_t out_iv[8], const uint8_t *in,
+                                size_t in_len) {
+  // See RFC 3394, section 2.2.2. Additionally, note that section 2 requires the
+  // plaintext be at least two 8-byte blocks, so the ciphertext must be at least
+  // three blocks.
+
+  if (in_len > INT_MAX || in_len < 24 || in_len % 8 != 0) {
+    return 0;
   }
 
   uint8_t A[AES_BLOCK_SIZE];
@@ -130,9 +133,104 @@ int AES_unwrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out,
     }
   }
 
-  if (CRYPTO_memcmp(A, iv, 8) != 0) {
+  memcpy(out_iv, A, 8);
+  return 1;
+}
+
+int AES_unwrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out,
+                   const uint8_t *in, size_t in_len) {
+  uint8_t calculated_iv[8];
+  if (!aes_unwrap_key_inner(key, out, calculated_iv, in, in_len)) {
+    return -1;
+  }
+
+  if (iv == NULL) {
+    iv = kDefaultIV;
+  }
+  if (CRYPTO_memcmp(calculated_iv, iv, 8) != 0) {
     return -1;
   }
 
   return (int)in_len - 8;
 }
+
+// kPaddingConstant is used in Key Wrap with Padding. See
+// https://tools.ietf.org/html/rfc5649#section-3
+static const uint8_t kPaddingConstant[4] = {0xa6, 0x59, 0x59, 0xa6};
+
+int AES_wrap_key_padded(const AES_KEY *key, uint8_t *out, size_t *out_len,
+                        size_t max_out, const uint8_t *in, size_t in_len) {
+  // See https://tools.ietf.org/html/rfc5649#section-4.1
+  const uint32_t in_len32_be = CRYPTO_bswap4(in_len);
+  const uint64_t in_len64 = in_len;
+  const size_t padded_len = (in_len + 7) & ~7;
+
+  *out_len = 0;
+  if (in_len == 0 || in_len64 > 0xffffffffu || in_len + 7 < in_len ||
+      padded_len + 8 < padded_len || max_out < padded_len + 8) {
+    return 0;
+  }
+
+  uint8_t block[AES_BLOCK_SIZE];
+  memcpy(block, kPaddingConstant, sizeof(kPaddingConstant));
+  memcpy(block + 4, &in_len32_be, sizeof(in_len32_be));
+
+  if (in_len <= 8) {
+    memset(block + 8, 0, 8);
+    memcpy(block + 8, in, in_len);
+    AES_encrypt(block, out, key);
+    *out_len = AES_BLOCK_SIZE;
+    return 1;
+  }
+
+  uint8_t *padded_in = OPENSSL_malloc(padded_len);
+  if (padded_in == NULL) {
+    return 0;
+  }
+  assert(padded_len >= 8);
+  memset(padded_in + padded_len - 8, 0, 8);
+  memcpy(padded_in, in, in_len);
+  const int ret = AES_wrap_key(key, block, out, padded_in, padded_len);
+  OPENSSL_free(padded_in);
+  if (ret < 0) {
+    return 0;
+  }
+  *out_len = ret;
+  return 1;
+}
+
+int AES_unwrap_key_padded(const AES_KEY *key, uint8_t *out, size_t *out_len,
+                          size_t max_out, const uint8_t *in, size_t in_len) {
+  *out_len = 0;
+  if (in_len < AES_BLOCK_SIZE || max_out < in_len - 8) {
+    return 0;
+  }
+
+  uint8_t iv[8];
+  if (in_len == AES_BLOCK_SIZE) {
+    uint8_t block[AES_BLOCK_SIZE];
+    AES_decrypt(in, block, key);
+    memcpy(iv, block, sizeof(iv));
+    memcpy(out, block + 8, 8);
+  } else if (!aes_unwrap_key_inner(key, out, iv, in, in_len)) {
+    return 0;
+  }
+  assert(in_len % 8 == 0);
+
+  crypto_word_t ok = constant_time_eq_int(
+      CRYPTO_memcmp(iv, kPaddingConstant, sizeof(kPaddingConstant)), 0);
+
+  uint32_t claimed_len32;
+  memcpy(&claimed_len32, iv + 4, sizeof(claimed_len32));
+  const size_t claimed_len = CRYPTO_bswap4(claimed_len32);
+  ok &= ~constant_time_is_zero_w(claimed_len);
+  ok &= constant_time_eq_w((claimed_len - 1) >> 3, (in_len - 9) >> 3);
+
+  // Check that padding bytes are all zero.
+  for (size_t i = in_len - 15; i < in_len - 8; i++) {
+    ok &= constant_time_is_zero_w(constant_time_ge_8(i, claimed_len) & out[i]);
+  }
+
+  *out_len = constant_time_select_w(ok, claimed_len, 0);
+  return ok & 1;
+}

data/third_party/boringssl/crypto/fipsmodule/aes/mode_wrappers.c

@@ -6,7 +6,7 @@
  * are met:
  *
  * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
+ *    notice, this list of conditions and the following disclaimer.
  *
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
@@ -50,14 +50,14 @@
 
 #include <assert.h>
 
+#include "../aes/internal.h"
 #include "../modes/internal.h"
 
 
 void AES_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
                         const AES_KEY *key, uint8_t ivec[AES_BLOCK_SIZE],
                         uint8_t ecount_buf[AES_BLOCK_SIZE], unsigned int *num) {
-  CRYPTO_ctr128_encrypt(in, out, len, key, ivec, ecount_buf, num,
-                        (block128_f)AES_encrypt);
+  CRYPTO_ctr128_encrypt(in, out, len, key, ivec, ecount_buf, num, AES_encrypt);
 }
 
 void AES_ecb_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key,
@@ -72,33 +72,30 @@ void AES_ecb_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key,
   }
 }
 
-#if defined(OPENSSL_NO_ASM) || \
-    (!defined(OPENSSL_X86_64) && !defined(OPENSSL_X86))
 void AES_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,
                      const AES_KEY *key, uint8_t *ivec, const int enc) {
+  if (hwaes_capable()) {
+    aes_hw_cbc_encrypt(in, out, len, key, ivec, enc);
+    return;
+  }
 
+#if defined(AES_NOHW_CBC)
+  if (!vpaes_capable()) {
+    aes_nohw_cbc_encrypt(in, out, len, key, ivec, enc);
+    return;
+  }
+#endif
   if (enc) {
-    CRYPTO_cbc128_encrypt(in, out, len, key, ivec, (block128_f)AES_encrypt);
+    CRYPTO_cbc128_encrypt(in, out, len, key, ivec, AES_encrypt);
   } else {
-    CRYPTO_cbc128_decrypt(in, out, len, key, ivec, (block128_f)AES_decrypt);
+    CRYPTO_cbc128_decrypt(in, out, len, key, ivec, AES_decrypt);
   }
 }
-#else
-
-void asm_AES_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,
-                         const AES_KEY *key, uint8_t *ivec, const int enc);
-void AES_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,
-                     const AES_KEY *key, uint8_t *ivec, const int enc) {
-  asm_AES_cbc_encrypt(in, out, len, key, ivec, enc);
-}
-
-#endif  // OPENSSL_NO_ASM || (!OPENSSL_X86_64 && !OPENSSL_X86)
 
 void AES_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t length,
                         const AES_KEY *key, uint8_t *ivec, int *num) {
   unsigned num_u = (unsigned)(*num);
-  CRYPTO_ofb128_encrypt(in, out, length, key, ivec, &num_u,
-                        (block128_f)AES_encrypt);
+  CRYPTO_ofb128_encrypt(in, out, length, key, ivec, &num_u, AES_encrypt);
   *num = (int)num_u;
 }
 
@@ -106,7 +103,6 @@ void AES_cfb128_encrypt(const uint8_t *in, uint8_t *out, size_t length,
                         const AES_KEY *key, uint8_t *ivec, int *num,
                         int enc) {
   unsigned num_u = (unsigned)(*num);
-  CRYPTO_cfb128_encrypt(in, out, length, key, ivec, &num_u, enc,
-                        (block128_f)AES_encrypt);
+  CRYPTO_cfb128_encrypt(in, out, length, key, ivec, &num_u, enc, AES_encrypt);
   *num = (int)num_u;
 }

data/third_party/boringssl/crypto/fipsmodule/bcm.c

@@ -19,6 +19,10 @@
 #include <openssl/crypto.h>
 
 #include <stdlib.h>
+#if defined(BORINGSSL_FIPS)
+#include <sys/mman.h>
+#include <unistd.h>
+#endif
 
 #include <openssl/digest.h>
 #include <openssl/hmac.h>
@@ -36,8 +40,10 @@
 #include "bn/cmp.c"
 #include "bn/ctx.c"
 #include "bn/div.c"
+#include "bn/div_extra.c"
 #include "bn/exponentiation.c"
 #include "bn/gcd.c"
+#include "bn/gcd_extra.c"
 #include "bn/generic.c"
 #include "bn/jacobi.c"
 #include "bn/montgomery.c"
@@ -55,22 +61,25 @@
 #include "des/des.c"
 #include "digest/digest.c"
 #include "digest/digests.c"
+#include "ecdh/ecdh.c"
 #include "ecdsa/ecdsa.c"
 #include "ec/ec.c"
 #include "ec/ec_key.c"
 #include "ec/ec_montgomery.c"
+#include "ec/felem.c"
 #include "ec/oct.c"
 #include "ec/p224-64.c"
 #include "../../third_party/fiat/p256.c"
 #include "ec/p256-x86_64.c"
+#include "ec/scalar.c"
 #include "ec/simple.c"
+#include "ec/simple_mul.c"
 #include "ec/util.c"
 #include "ec/wnaf.c"
 #include "hmac/hmac.c"
 #include "md4/md4.c"
 #include "md5/md5.c"
 #include "modes/cbc.c"
-#include "modes/ccm.c"
 #include "modes/cfb.c"
 #include "modes/ctr.c"
 #include "modes/gcm.c"
@@ -94,13 +103,61 @@
 #if defined(BORINGSSL_FIPS)
 
 #if !defined(OPENSSL_ASAN)
-// These symbols are filled in by delocate.go. They point to the start and end
-// of the module, and the location of the integrity hash, respectively.
+
+// These symbols are filled in by delocate.go (in static builds) or a linker
+// script (in shared builds). They point to the start and end of the module, and
+// the location of the integrity hash, respectively.
 extern const uint8_t BORINGSSL_bcm_text_start[];
 extern const uint8_t BORINGSSL_bcm_text_end[];
 extern const uint8_t BORINGSSL_bcm_text_hash[];
+#if defined(BORINGSSL_SHARED_LIBRARY)
+extern const uint8_t BORINGSSL_bcm_rodata_start[];
+extern const uint8_t BORINGSSL_bcm_rodata_end[];
 #endif
 
+// assert_within is used to sanity check that certain symbols are within the
+// bounds of the integrity check. It checks that start <= symbol < end and
+// aborts otherwise.
+static void assert_within(const void *start, const void *symbol,
+                          const void *end) {
+  const uintptr_t start_val = (uintptr_t) start;
+  const uintptr_t symbol_val = (uintptr_t) symbol;
+  const uintptr_t end_val = (uintptr_t) end;
+
+  if (start_val <= symbol_val && symbol_val < end_val) {
+    return;
+  }
+
+  fprintf(
+      stderr,
+      "FIPS module doesn't span expected symbol. Expected %p <= %p < %p\n",
+      start, symbol, end);
+  BORINGSSL_FIPS_abort();
+}
+
+#if defined(OPENSSL_ANDROID) && defined(OPENSSL_AARCH64)
+static void BORINGSSL_maybe_set_module_text_permissions(int permission) {
+  // Android may be compiled in execute-only-memory mode, in which case the
+  // .text segment cannot be read. That conflicts with the need for a FIPS
+  // module to hash its own contents, therefore |mprotect| is used to make
+  // the module's .text readable for the duration of the hashing process. In
+  // other build configurations this is a no-op.
+  const uintptr_t page_size = getpagesize();
+  const uintptr_t page_start =
+      ((uintptr_t)BORINGSSL_bcm_text_start) & ~(page_size - 1);
+
+  if (mprotect((void *)page_start,
+               ((uintptr_t)BORINGSSL_bcm_text_end) - page_start,
+               permission) != 0) {
+    perror("BoringSSL: mprotect");
+  }
+}
+#else
+static void BORINGSSL_maybe_set_module_text_permissions(int permission) {}
+#endif  // !ANDROID
+
+#endif  // !ASAN
+
 static void __attribute__((constructor))
 BORINGSSL_bcm_power_on_self_test(void) {
   CRYPTO_library_init();
@@ -111,26 +168,81 @@ BORINGSSL_bcm_power_on_self_test(void) {
   const uint8_t *const start = BORINGSSL_bcm_text_start;
   const uint8_t *const end = BORINGSSL_bcm_text_end;
 
-  static const uint8_t kHMACKey[64] = {0};
+  assert_within(start, AES_encrypt, end);
+  assert_within(start, RSA_sign, end);
+  assert_within(start, RAND_bytes, end);
+  assert_within(start, EC_GROUP_cmp, end);
+  assert_within(start, SHA256_Update, end);
+  assert_within(start, ECDSA_do_verify, end);
+  assert_within(start, EVP_AEAD_CTX_seal, end);
+
+#if defined(BORINGSSL_SHARED_LIBRARY)
+  const uint8_t *const rodata_start = BORINGSSL_bcm_rodata_start;
+  const uint8_t *const rodata_end = BORINGSSL_bcm_rodata_end;
+#else
+  // In the static build, read-only data is placed within the .text segment.
+  const uint8_t *const rodata_start = BORINGSSL_bcm_text_start;
+  const uint8_t *const rodata_end = BORINGSSL_bcm_text_end;
+#endif
+
+  assert_within(rodata_start, kPrimes, rodata_end);
+  assert_within(rodata_start, des_skb, rodata_end);
+  assert_within(rodata_start, kP256Params, rodata_end);
+  assert_within(rodata_start, kPKCS1SigPrefixes, rodata_end);
+
+#if defined(OPENSSL_ANDROID)
+  uint8_t result[SHA256_DIGEST_LENGTH];
+  const EVP_MD *const kHashFunction = EVP_sha256();
+#else
   uint8_t result[SHA512_DIGEST_LENGTH];
+  const EVP_MD *const kHashFunction = EVP_sha512();
+#endif
 
+  static const uint8_t kHMACKey[64] = {0};
   unsigned result_len;
-  if (!HMAC(EVP_sha512(), kHMACKey, sizeof(kHMACKey), start, end - start,
-            result, &result_len) ||
+  HMAC_CTX hmac_ctx;
+  HMAC_CTX_init(&hmac_ctx);
+  if (!HMAC_Init_ex(&hmac_ctx, kHMACKey, sizeof(kHMACKey), kHashFunction,
+                    NULL /* no ENGINE */)) {
+    fprintf(stderr, "HMAC_Init_ex failed.\n");
+    goto err;
+  }
+
+  BORINGSSL_maybe_set_module_text_permissions(PROT_READ | PROT_EXEC);
+#if defined(BORINGSSL_SHARED_LIBRARY)
+  uint64_t length = end - start;
+  HMAC_Update(&hmac_ctx, (const uint8_t *) &length, sizeof(length));
+  HMAC_Update(&hmac_ctx, start, length);
+
+  length = rodata_end - rodata_start;
+  HMAC_Update(&hmac_ctx, (const uint8_t *) &length, sizeof(length));
+  HMAC_Update(&hmac_ctx, rodata_start, length);
+#else
+  HMAC_Update(&hmac_ctx, start, end - start);
+#endif
+  BORINGSSL_maybe_set_module_text_permissions(PROT_EXEC);
+
+  if (!HMAC_Final(&hmac_ctx, result, &result_len) ||
       result_len != sizeof(result)) {
+    fprintf(stderr, "HMAC failed.\n");
     goto err;
   }
+  HMAC_CTX_cleanup(&hmac_ctx);
 
   const uint8_t *expected = BORINGSSL_bcm_text_hash;
 
   if (!check_test(expected, result, sizeof(result), "FIPS integrity test")) {
     goto err;
   }
-#endif
 
+  if (!boringssl_fips_self_test(BORINGSSL_bcm_text_hash, sizeof(result))) {
+    goto err;
+  }
+#else
   if (!BORINGSSL_self_test()) {
     goto err;
   }
+#endif  // OPENSSL_ASAN
 
   return;
 

data/third_party/boringssl/crypto/fipsmodule/bn/bn.c

@@ -384,6 +384,23 @@ int bn_expand(BIGNUM *bn, size_t bits) {
 }
 
 int bn_resize_words(BIGNUM *bn, size_t words) {
+#if defined(OPENSSL_PPC64LE)
+  // This is a workaround for a miscompilation bug in Clang 7.0.1 on POWER.
+  // The unittests catch the miscompilation, if it occurs, and it manifests
+  // as a crash in |bn_fits_in_words|.
+  //
+  // The bug only triggers if building in FIPS mode and with -O3. Clang 8.0.1
+  // has the same bug but this workaround is not effective there---I've not
+  // been able to find a workaround for 8.0.1.
+  //
+  // At the time of writing (2019-08-08), Clang git does *not* have this bug
+  // and does not need this workaroud. The current git version should go on to
+  // be Clang 10 thus, once we can depend on that, this can be removed.
+  if (value_barrier_w((size_t)bn->width == words)) {
+    return 1;
+  }
+#endif
+
   if ((size_t)bn->width <= words) {
     if (!bn_wexpand(bn, words)) {
       return 0;
@@ -406,8 +423,8 @@ int bn_resize_words(BIGNUM *bn, size_t words) {
 void bn_select_words(BN_ULONG *r, BN_ULONG mask, const BN_ULONG *a,
                      const BN_ULONG *b, size_t num) {
   for (size_t i = 0; i < num; i++) {
-    OPENSSL_COMPILE_ASSERT(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
-                           crypto_word_t_too_small);
+    OPENSSL_STATIC_ASSERT(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
+                          "crypto_word_t is too small");
     r[i] = constant_time_select_w(mask, a[i], b[i]);
   }
 }