grpc 1.28.0 → 1.30.0

data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h

@@ -0,0 +1,78 @@
+/* Copyright (c) 2020, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_EC_EXTRA_INTERNAL_H
+#define OPENSSL_HEADER_EC_EXTRA_INTERNAL_H
+
+#include <openssl/ec.h>
+
+#include "../fipsmodule/ec/internal.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// Hash-to-curve.
+//
+// The following functions implement primitives from
+// draft-irtf-cfrg-hash-to-curve. The |dst| parameter in each function is the
+// domain separation tag and must be unique for each protocol and between the
+// |hash_to_curve| and |hash_to_scalar| variants. See section 3.1 of the spec
+// for additional guidance on this parameter.
+
+// ec_hash_to_curve_p384_xmd_sha512_sswu_draft07 hashes |msg| to a point on
+// |group| and writes the result to |out|, implementing the
+// P384_XMD:SHA-512_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-07. It
+// returns one on success and zero on error.
+OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
+    const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
+    size_t dst_len, const uint8_t *msg, size_t msg_len);
+
+// ec_hash_to_scalar_p384_xmd_sha512_draft07 hashes |msg| to a scalar on |group|
+// and writes the result to |out|, using the hash_to_field operation from the
+// P384_XMD:SHA-512_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-07, but
+// generating a value modulo the group order rather than a field element.
+OPENSSL_EXPORT int ec_hash_to_scalar_p384_xmd_sha512_draft07(
+    const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len,
+    const uint8_t *msg, size_t msg_len);
+
+// ec_hash_to_curve_p521_xmd_sha512_sswu_draft06 hashes |msg| to a point on
+// |group| and writes the result to |out|, implementing the
+// P521_XMD:SHA-512_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-06. It
+// returns one on success and zero on error.
+//
+// This function implements an older version of the draft and should not be used
+// in new code.
+OPENSSL_EXPORT int ec_hash_to_curve_p521_xmd_sha512_sswu_draft06(
+    const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
+    size_t dst_len, const uint8_t *msg, size_t msg_len);
+
+// ec_hash_to_scalar_p521_xmd_sha512_draft06 hashes |msg| to a scalar on |group|
+// and writes the result to |out|, using the hash_to_field operation from the
+// P521_XMD:SHA-512_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-06, but
+// generating a value modulo the group order rather than a field element.
+//
+// This function implements an older version of the draft and should not be used
+// in new code.
+OPENSSL_EXPORT int ec_hash_to_scalar_p521_xmd_sha512_draft06(
+    const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len,
+    const uint8_t *msg, size_t msg_len);
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_EC_EXTRA_INTERNAL_H

data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.c

@@ -96,8 +96,8 @@ int ECDH_compute_key(void *out, size_t out_len, const EC_POINT *pub_key,
   uint8_t buf[EC_MAX_BYTES];
   size_t buf_len;
   if (!ec_point_mul_scalar(group, &shared_point, &pub_key->raw, priv) ||
-      !ec_point_get_affine_coordinate_bytes(group, buf, NULL, &buf_len,
-                                            sizeof(buf), &shared_point)) {
+      !ec_get_x_coordinate_as_bytes(group, buf, &buf_len, sizeof(buf),
+                                    &shared_point)) {
     OPENSSL_PUT_ERROR(ECDH, ECDH_R_POINT_ARITHMETIC_FAILURE);
     return -1;
   }

data/third_party/boringssl-with-bazel/src/crypto/err/err.c

@@ -495,38 +495,39 @@ static const char *err_string_lookup(uint32_t lib, uint32_t key,
 
 static const char *const kLibraryNames[ERR_NUM_LIBS] = {
     "invalid library (0)",
-    "unknown library",                            // ERR_LIB_NONE
-    "system library",                             // ERR_LIB_SYS
-    "bignum routines",                            // ERR_LIB_BN
-    "RSA routines",                               // ERR_LIB_RSA
-    "Diffie-Hellman routines",                    // ERR_LIB_DH
-    "public key routines",                        // ERR_LIB_EVP
-    "memory buffer routines",                     // ERR_LIB_BUF
-    "object identifier routines",                 // ERR_LIB_OBJ
-    "PEM routines",                               // ERR_LIB_PEM
-    "DSA routines",                               // ERR_LIB_DSA
-    "X.509 certificate routines",                 // ERR_LIB_X509
-    "ASN.1 encoding routines",                    // ERR_LIB_ASN1
-    "configuration file routines",                // ERR_LIB_CONF
-    "common libcrypto routines",                  // ERR_LIB_CRYPTO
-    "elliptic curve routines",                    // ERR_LIB_EC
-    "SSL routines",                               // ERR_LIB_SSL
-    "BIO routines",                               // ERR_LIB_BIO
-    "PKCS7 routines",                             // ERR_LIB_PKCS7
-    "PKCS8 routines",                             // ERR_LIB_PKCS8
-    "X509 V3 routines",                           // ERR_LIB_X509V3
-    "random number generator",                    // ERR_LIB_RAND
-    "ENGINE routines",                            // ERR_LIB_ENGINE
-    "OCSP routines",                              // ERR_LIB_OCSP
-    "UI routines",                                // ERR_LIB_UI
-    "COMP routines",                              // ERR_LIB_COMP
-    "ECDSA routines",                             // ERR_LIB_ECDSA
-    "ECDH routines",                              // ERR_LIB_ECDH
-    "HMAC routines",                              // ERR_LIB_HMAC
-    "Digest functions",                           // ERR_LIB_DIGEST
-    "Cipher functions",                           // ERR_LIB_CIPHER
-    "HKDF functions",                             // ERR_LIB_HKDF
-    "User defined functions",                     // ERR_LIB_USER
+    "unknown library",              // ERR_LIB_NONE
+    "system library",               // ERR_LIB_SYS
+    "bignum routines",              // ERR_LIB_BN
+    "RSA routines",                 // ERR_LIB_RSA
+    "Diffie-Hellman routines",      // ERR_LIB_DH
+    "public key routines",          // ERR_LIB_EVP
+    "memory buffer routines",       // ERR_LIB_BUF
+    "object identifier routines",   // ERR_LIB_OBJ
+    "PEM routines",                 // ERR_LIB_PEM
+    "DSA routines",                 // ERR_LIB_DSA
+    "X.509 certificate routines",   // ERR_LIB_X509
+    "ASN.1 encoding routines",      // ERR_LIB_ASN1
+    "configuration file routines",  // ERR_LIB_CONF
+    "common libcrypto routines",    // ERR_LIB_CRYPTO
+    "elliptic curve routines",      // ERR_LIB_EC
+    "SSL routines",                 // ERR_LIB_SSL
+    "BIO routines",                 // ERR_LIB_BIO
+    "PKCS7 routines",               // ERR_LIB_PKCS7
+    "PKCS8 routines",               // ERR_LIB_PKCS8
+    "X509 V3 routines",             // ERR_LIB_X509V3
+    "random number generator",      // ERR_LIB_RAND
+    "ENGINE routines",              // ERR_LIB_ENGINE
+    "OCSP routines",                // ERR_LIB_OCSP
+    "UI routines",                  // ERR_LIB_UI
+    "COMP routines",                // ERR_LIB_COMP
+    "ECDSA routines",               // ERR_LIB_ECDSA
+    "ECDH routines",                // ERR_LIB_ECDH
+    "HMAC routines",                // ERR_LIB_HMAC
+    "Digest functions",             // ERR_LIB_DIGEST
+    "Cipher functions",             // ERR_LIB_CIPHER
+    "HKDF functions",               // ERR_LIB_HKDF
+    "Trust Token functions",        // ERR_LIB_TRUST_TOKEN
+    "User defined functions",       // ERR_LIB_USER
 };
 
 const char *ERR_lib_error_string(uint32_t packed_error) {

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c

@@ -472,7 +472,7 @@ static void aes_nohw_transpose(AES_NOHW_BATCH *batch) {
 // |num_blocks| must be at most |AES_NOHW_BATCH|.
 static void aes_nohw_to_batch(AES_NOHW_BATCH *out, const uint8_t *in,
                               size_t num_blocks) {
-  // Don't leave unused blocks unitialized.
+  // Don't leave unused blocks uninitialized.
   memset(out, 0, sizeof(AES_NOHW_BATCH));
   assert(num_blocks <= AES_NOHW_BATCH_SIZE);
   for (size_t i = 0; i < num_blocks; i++) {

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c

@@ -70,7 +70,7 @@
 #include "ec/felem.c"
 #include "ec/oct.c"
 #include "ec/p224-64.c"
-#include "../../third_party/fiat/p256.c"
+#include "ec/p256.c"
 #include "ec/p256-x86_64.c"
 #include "ec/scalar.c"
 #include "ec/simple.c"
@@ -88,6 +88,7 @@
 #include "modes/ofb.c"
 #include "modes/polyval.c"
 #include "rand/ctrdrbg.c"
+#include "rand/fork_detect.c"
 #include "rand/rand.c"
 #include "rand/urandom.c"
 #include "rsa/blinding.c"

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c

@@ -732,7 +732,7 @@ void bn_mod_exp_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num,
     num_p--;
   }
   if (num_p == 0) {
-    bn_from_montgomery_small(r, mont->RR.d, num, mont);
+    bn_from_montgomery_small(r, num, mont->RR.d, num, mont);
     return;
   }
   unsigned bits = BN_num_bits_word(p[num_p - 1]) + (num_p - 1) * BN_BITS2;
@@ -809,8 +809,8 @@ void bn_mod_exp_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num,
   OPENSSL_cleanse(val, sizeof(val));
 }
 
-void bn_mod_inverse_prime_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num,
-                                     const BN_MONT_CTX *mont) {
+void bn_mod_inverse0_prime_mont_small(BN_ULONG *r, const BN_ULONG *a,
+                                      size_t num, const BN_MONT_CTX *mont) {
   if (num != (size_t)mont->N.width || num > BN_SMALL_MAX_WORDS) {
     abort();
   }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h

@@ -647,10 +647,13 @@ void bn_to_montgomery_small(BN_ULONG *r, const BN_ULONG *a, size_t num,
                             const BN_MONT_CTX *mont);
 
 // bn_from_montgomery_small sets |r| to |a| translated out of the Montgomery
-// domain. |r| and |a| are |num| words long, which must be |mont->N.width|. |a|
-// must be fully-reduced and may alias |r|.
-void bn_from_montgomery_small(BN_ULONG *r, const BN_ULONG *a, size_t num,
-                              const BN_MONT_CTX *mont);
+// domain. |r| and |a| are |num_r| and |num_a| words long, respectively. |num_r|
+// must be |mont->N.width|. |a| must be at most |mont->N|^2 and may alias |r|.
+//
+// Unlike most of these functions, only |num_r| is bounded by
+// |BN_SMALL_MAX_WORDS|. |num_a| may exceed it, but must be at most 2 * |num_r|.
+void bn_from_montgomery_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a,
+                              size_t num_a, const BN_MONT_CTX *mont);
 
 // bn_mod_mul_montgomery_small sets |r| to |a| * |b| mod |mont->N|. Both inputs
 // and outputs are in the Montgomery domain. Each array is |num| words long,
@@ -675,13 +678,13 @@ void bn_mod_exp_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num,
                            const BN_ULONG *p, size_t num_p,
                            const BN_MONT_CTX *mont);
 
-// bn_mod_inverse_prime_mont_small sets |r| to |a|^-1 mod |mont->N|. |mont->N|
-// must be a prime. |r| and |a| are |num| words long, which must be
-// |mont->N.width| and at most |BN_SMALL_MAX_WORDS|. |a| must be fully-reduced
-// and may alias |r|. This function runs in time independent of |a|, but
-// |mont->N| is a public value.
-void bn_mod_inverse_prime_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num,
-                                     const BN_MONT_CTX *mont);
+// bn_mod_inverse0_prime_mont_small sets |r| to |a|^-1 mod |mont->N|. If |a| is
+// zero, |r| is set to zero. |mont->N| must be a prime. |r| and |a| are |num|
+// words long, which must be |mont->N.width| and at most |BN_SMALL_MAX_WORDS|.
+// |a| must be fully-reduced and may alias |r|. This function runs in time
+// independent of |a|, but |mont->N| is a public value.
+void bn_mod_inverse0_prime_mont_small(BN_ULONG *r, const BN_ULONG *a,
+                                      size_t num, const BN_MONT_CTX *mont);
 
 
 #if defined(__cplusplus)

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c

@@ -455,18 +455,18 @@ void bn_to_montgomery_small(BN_ULONG *r, const BN_ULONG *a, size_t num,
   bn_mod_mul_montgomery_small(r, a, mont->RR.d, num, mont);
 }
 
-void bn_from_montgomery_small(BN_ULONG *r, const BN_ULONG *a, size_t num,
-                              const BN_MONT_CTX *mont) {
-  if (num != (size_t)mont->N.width || num > BN_SMALL_MAX_WORDS) {
+void bn_from_montgomery_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a,
+                              size_t num_a, const BN_MONT_CTX *mont) {
+  if (num_r != (size_t)mont->N.width || num_r > BN_SMALL_MAX_WORDS ||
+      num_a > 2 * num_r) {
     abort();
   }
-  BN_ULONG tmp[BN_SMALL_MAX_WORDS * 2];
-  OPENSSL_memcpy(tmp, a, num * sizeof(BN_ULONG));
-  OPENSSL_memset(tmp + num, 0, num * sizeof(BN_ULONG));
-  if (!bn_from_montgomery_in_place(r, num, tmp, 2 * num, mont)) {
+  BN_ULONG tmp[BN_SMALL_MAX_WORDS * 2] = {0};
+  OPENSSL_memcpy(tmp, a, num_a * sizeof(BN_ULONG));
+  if (!bn_from_montgomery_in_place(r, num_r, tmp, 2 * num_r, mont)) {
     abort();
   }
-  OPENSSL_cleanse(tmp, 2 * num * sizeof(BN_ULONG));
+  OPENSSL_cleanse(tmp, 2 * num_r * sizeof(BN_ULONG));
 }
 
 void bn_mod_mul_montgomery_small(BN_ULONG *r, const BN_ULONG *a,

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c

@@ -119,26 +119,20 @@ static void bn_mul_normal(BN_ULONG *r, const BN_ULONG *a, size_t na,
   }
 }
 
-#if !defined(OPENSSL_X86) || defined(OPENSSL_NO_ASM)
-// Here follows specialised variants of bn_add_words() and bn_sub_words(). They
-// have the property performing operations on arrays of different sizes. The
-// sizes of those arrays is expressed through cl, which is the common length (
-// basicall, min(len(a),len(b)) ), and dl, which is the delta between the two
-// lengths, calculated as len(a)-len(b). All lengths are the number of
-// BN_ULONGs...  For the operations that require a result array as parameter,
-// it must have the length cl+abs(dl). These functions should probably end up
-// in bn_asm.c as soon as there are assembler counterparts for the systems that
-// use assembler files.
-
+// bn_sub_part_words sets |r| to |a| - |b|. It returns the borrow bit, which is
+// one if the operation underflowed and zero otherwise. |cl| is the common
+// length, that is, the shorter of len(a) or len(b). |dl| is the delta length,
+// that is, len(a) - len(b). |r|'s length matches the larger of |a| and |b|, or
+// cl + abs(dl).
+//
+// TODO(davidben): Make this take |size_t|. The |cl| + |dl| calling convention
+// is confusing.
 static BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a,
                                   const BN_ULONG *b, int cl, int dl) {
-  BN_ULONG c, t;
-
   assert(cl >= 0);
-  c = bn_sub_words(r, a, b, cl);
-
+  BN_ULONG borrow = bn_sub_words(r, a, b, cl);
   if (dl == 0) {
-    return c;
+    return borrow;
   }
 
   r += cl;
@@ -146,147 +140,26 @@ static BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a,
   b += cl;
 
   if (dl < 0) {
-    for (;;) {
-      t = b[0];
-      r[0] = 0 - t - c;
-      if (t != 0) {
-        c = 1;
-      }
-      if (++dl >= 0) {
-        break;
-      }
-
-      t = b[1];
-      r[1] = 0 - t - c;
-      if (t != 0) {
-        c = 1;
-      }
-      if (++dl >= 0) {
-        break;
-      }
-
-      t = b[2];
-      r[2] = 0 - t - c;
-      if (t != 0) {
-        c = 1;
-      }
-      if (++dl >= 0) {
-        break;
-      }
-
-      t = b[3];
-      r[3] = 0 - t - c;
-      if (t != 0) {
-        c = 1;
-      }
-      if (++dl >= 0) {
-        break;
-      }
-
-      b += 4;
-      r += 4;
+    // |a| is shorter than |b|. Complete the subtraction as if the excess words
+    // in |a| were zeros.
+    dl = -dl;
+    for (int i = 0; i < dl; i++) {
+      r[i] = 0u - b[i] - borrow;
+      borrow |= r[i] != 0;
     }
   } else {
-    int save_dl = dl;
-    while (c) {
-      t = a[0];
-      r[0] = t - c;
-      if (t != 0) {
-        c = 0;
-      }
-      if (--dl <= 0) {
-        break;
-      }
-
-      t = a[1];
-      r[1] = t - c;
-      if (t != 0) {
-        c = 0;
-      }
-      if (--dl <= 0) {
-        break;
-      }
-
-      t = a[2];
-      r[2] = t - c;
-      if (t != 0) {
-        c = 0;
-      }
-      if (--dl <= 0) {
-        break;
-      }
-
-      t = a[3];
-      r[3] = t - c;
-      if (t != 0) {
-        c = 0;
-      }
-      if (--dl <= 0) {
-        break;
-      }
-
-      save_dl = dl;
-      a += 4;
-      r += 4;
-    }
-    if (dl > 0) {
-      if (save_dl > dl) {
-        switch (save_dl - dl) {
-          case 1:
-            r[1] = a[1];
-            if (--dl <= 0) {
-              break;
-            }
-            OPENSSL_FALLTHROUGH;
-          case 2:
-            r[2] = a[2];
-            if (--dl <= 0) {
-              break;
-            }
-            OPENSSL_FALLTHROUGH;
-          case 3:
-            r[3] = a[3];
-            if (--dl <= 0) {
-              break;
-            }
-        }
-        a += 4;
-        r += 4;
-      }
-    }
-
-    if (dl > 0) {
-      for (;;) {
-        r[0] = a[0];
-        if (--dl <= 0) {
-          break;
-        }
-        r[1] = a[1];
-        if (--dl <= 0) {
-          break;
-        }
-        r[2] = a[2];
-        if (--dl <= 0) {
-          break;
-        }
-        r[3] = a[3];
-        if (--dl <= 0) {
-          break;
-        }
-
-        a += 4;
-        r += 4;
-      }
+    // |b| is shorter than |a|. Complete the subtraction as if the excess words
+    // in |b| were zeros.
+    for (int i = 0; i < dl; i++) {
+      // |r| and |a| may alias, so use a temporary.
+      BN_ULONG tmp = a[i];
+      r[i] = a[i] - borrow;
+      borrow = tmp < r[i];
     }
   }
 
-  return c;
+  return borrow;
 }
-#else
-// On other platforms the function is defined in asm.
-BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
-                           int cl, int dl);
-#endif
 
 // bn_abs_sub_part_words computes |r| = |a| - |b|, storing the absolute value
 // and returning a mask of all ones if the result was negative and all zeros if
@@ -294,8 +167,7 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
 // convention.
 //
 // TODO(davidben): Make this take |size_t|. The |cl| + |dl| calling convention
-// is confusing. The trouble is 32-bit x86 implements |bn_sub_part_words| in
-// assembly, but we can probably just delete it?
+// is confusing.
 static BN_ULONG bn_abs_sub_part_words(BN_ULONG *r, const BN_ULONG *a,
                                       const BN_ULONG *b, int cl, int dl,
                                       BN_ULONG *tmp) {
@@ -583,7 +455,7 @@ static int bn_mul_impl(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
   static const int kMulNormalSize = 16;
   if (al >= kMulNormalSize && bl >= kMulNormalSize) {
     if (-1 <= i && i <= 1) {
-      // Find the larger power of two less than or equal to the larger length.
+      // Find the largest power of two less than or equal to the larger length.
       int j;
       if (i >= 0) {
         j = BN_num_bits_word((BN_ULONG)al);
@@ -599,6 +471,10 @@ static int bn_mul_impl(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
       if (al > j || bl > j) {
         // We know |al| and |bl| are at most one from each other, so if al > j,
         // bl >= j, and vice versa. Thus we can use |bn_mul_part_recursive|.
+        //
+        // TODO(davidben): This codepath is almost unused in standard
+        // algorithms. Is this optimization necessary? See notes in
+        // https://boringssl-review.googlesource.com/q/I0bd604e2cd6a75c266f64476c23a730ca1721ea6
         assert(al >= j && bl >= j);
         if (!bn_wexpand(t, j * 8) ||
             !bn_wexpand(rr, j * 4)) {