grpc 1.28.0 → 1.30.2

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h

@@ -0,0 +1,49 @@
+/* Copyright (c) 2020, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_FORK_DETECT_H
+#define OPENSSL_HEADER_CRYPTO_FORK_DETECT_H
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// crypto_get_fork_generation returns the fork generation number for the current
+// process, or zero if not supported on the platform. The fork generation number
+// is a non-zero, strictly-monotonic counter with the property that, if queried
+// in an address space and then again in a subsequently forked copy, the forked
+// address space will observe a greater value.
+//
+// This function may be used to clear cached values across a fork. When
+// initializing a cache, record the fork generation. Before using the cache,
+// check if the fork generation has changed. If so, drop the cache and update
+// the save fork generation. Note this logic transparently handles platforms
+// which always return zero.
+//
+// This is not reliably supported on all platforms which implement |fork|, so it
+// should only be used as a hardening measure.
+OPENSSL_EXPORT uint64_t CRYPTO_get_fork_generation(void);
+
+// CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing is an internal detail
+// used for testing purposes.
+OPENSSL_EXPORT void CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing(void);
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_FORK_DETECT_H

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h

@@ -0,0 +1,64 @@
+/* Copyright (c) 2020, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_RAND_GETRANDOM_FILLIN_H
+#define OPENSSL_HEADER_CRYPTO_RAND_GETRANDOM_FILLIN_H
+
+#include <openssl/base.h>
+
+
+#if defined(OPENSSL_LINUX)
+
+#include <sys/syscall.h>
+
+#if defined(OPENSSL_X86_64)
+#define EXPECTED_NR_getrandom 318
+#elif defined(OPENSSL_X86)
+#define EXPECTED_NR_getrandom 355
+#elif defined(OPENSSL_AARCH64)
+#define EXPECTED_NR_getrandom 278
+#elif defined(OPENSSL_ARM)
+#define EXPECTED_NR_getrandom 384
+#elif defined(OPENSSL_PPC64LE)
+#define EXPECTED_NR_getrandom 359
+#endif
+
+#if defined(EXPECTED_NR_getrandom)
+#define USE_NR_getrandom
+
+#if defined(__NR_getrandom)
+
+#if __NR_getrandom != EXPECTED_NR_getrandom
+#error "system call number for getrandom is not the expected value"
+#endif
+
+#else  // __NR_getrandom
+
+#define __NR_getrandom EXPECTED_NR_getrandom
+
+#endif  // __NR_getrandom
+
+#endif  // EXPECTED_NR_getrandom
+
+#if !defined(GRND_NONBLOCK)
+#define GRND_NONBLOCK 1
+#endif
+#if !defined(GRND_RANDOM)
+#define GRND_RANDOM 2
+#endif
+
+#endif  // OPENSSL_LINUX
+
+
+#endif  // OPENSSL_HEADER_CRYPTO_RAND_GETRANDOM_FILLIN_H

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h

@@ -40,17 +40,33 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
 // system.
 void CRYPTO_sysrand(uint8_t *buf, size_t len);
 
-#if defined(OPENSSL_URANDOM) || defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
+#if defined(OPENSSL_URANDOM)
+// CRYPTO_init_sysrand initializes long-lived resources needed to draw entropy
+// from the operating system.
+void CRYPTO_init_sysrand(void);
+
 // CRYPTO_sysrand_for_seed fills |len| bytes at |buf| with entropy from the
 // operating system. It may draw from the |GRND_RANDOM| pool on Android,
 // depending on the vendor's configuration.
 void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len);
 
 // CRYPTO_sysrand_if_available fills |len| bytes at |buf| with entropy from the
-// operating system, if the entropy pool is initialized. If it is uninitialized,
-// it will not block and will instead fill |buf| with all zeros or early
-// /dev/urandom output.
-void CRYPTO_sysrand_if_available(uint8_t *buf, size_t len);
+// operating system, or early /dev/urandom data, and returns 1, _if_ the entropy
+// pool is initialized or if getrandom() is not available and not in FIPS mode.
+// Otherwise it will not block and will instead fill |buf| with all zeros and
+// return 0.
+int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len);
+#else
+OPENSSL_INLINE void CRYPTO_init_sysrand(void) {}
+
+OPENSSL_INLINE void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len) {
+  CRYPTO_sysrand(buf, len);
+}
+
+OPENSSL_INLINE int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) {
+  CRYPTO_sysrand(buf, len);
+  return 1;
+}
 #endif
 
 // rand_fork_unsafe_buffering_enabled returns whether fork-unsafe buffering has
@@ -105,10 +121,19 @@ OPENSSL_EXPORT void CTR_DRBG_clear(CTR_DRBG_STATE *drbg);
 
 
 #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
+
 OPENSSL_INLINE int have_rdrand(void) {
   return (OPENSSL_ia32cap_get()[1] & (1u << 30)) != 0;
 }
 
+// have_fast_rdrand returns true if RDRAND is supported and it's reasonably
+// fast. Concretely the latter is defined by whether the chip is Intel (fast) or
+// not (assumed slow).
+OPENSSL_INLINE int have_fast_rdrand(void) {
+  const uint32_t *const ia32cap = OPENSSL_ia32cap_get();
+  return (ia32cap[1] & (1u << 30)) && (ia32cap[0] & (1u << 30));
+}
+
 // CRYPTO_rdrand writes eight bytes of random data from the hardware RNG to
 // |out|. It returns one on success or zero on hardware failure.
 int CRYPTO_rdrand(uint8_t out[8]);
@@ -117,6 +142,17 @@ int CRYPTO_rdrand(uint8_t out[8]);
 // the hardware RNG. The |len| argument must be a multiple of eight. It returns
 // one on success and zero on hardware failure.
 int CRYPTO_rdrand_multiple8_buf(uint8_t *buf, size_t len);
+
+#else  // OPENSSL_X86_64 && !OPENSSL_NO_ASM
+
+OPENSSL_INLINE int have_rdrand(void) {
+  return 0;
+}
+
+OPENSSL_INLINE int have_fast_rdrand(void) {
+  return 0;
+}
+
 #endif  // OPENSSL_X86_64 && !OPENSSL_NO_ASM
 
 

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c

@@ -27,6 +27,7 @@
 #include <openssl/mem.h>
 
 #include "internal.h"
+#include "fork_detect.h"
 #include "../../internal.h"
 #include "../delocate.h"
 
@@ -57,6 +58,7 @@ static const unsigned kReseedInterval = 4096;
 // rand_thread_state contains the per-thread state for the RNG.
 struct rand_thread_state {
   CTR_DRBG_STATE drbg;
+  uint64_t fork_generation;
   // calls is the number of generate calls made on |drbg| since it was last
   // (re)seeded. This is bound by |kReseedInterval|.
   unsigned calls;
@@ -125,11 +127,9 @@ static void rand_thread_state_free(void *state_in) {
 
 #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \
     !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
-static int hwrand(uint8_t *buf, const size_t len) {
-  if (!have_rdrand()) {
-    return 0;
-  }
-
+// rdrand should only be called if either |have_rdrand| or |have_fast_rdrand|
+// returned true.
+static int rdrand(uint8_t *buf, const size_t len) {
   const size_t len_multiple8 = len & ~7;
   if (!CRYPTO_rdrand_multiple8_buf(buf, len_multiple8)) {
     return 0;
@@ -157,7 +157,7 @@ static int hwrand(uint8_t *buf, const size_t len) {
 
 #else
 
-static int hwrand(uint8_t *buf, size_t len) {
+static int rdrand(uint8_t *buf, size_t len) {
   return 0;
 }
 
@@ -168,7 +168,8 @@ static int hwrand(uint8_t *buf, size_t len) {
 static void rand_get_seed(struct rand_thread_state *state,
                           uint8_t seed[CTR_DRBG_ENTROPY_LEN]) {
   if (!state->last_block_valid) {
-    if (!hwrand(state->last_block, sizeof(state->last_block))) {
+    if (!have_rdrand() ||
+        !rdrand(state->last_block, sizeof(state->last_block))) {
       CRYPTO_sysrand_for_seed(state->last_block, sizeof(state->last_block));
     }
     state->last_block_valid = 1;
@@ -179,8 +180,8 @@ static void rand_get_seed(struct rand_thread_state *state,
 #define FIPS_OVERREAD 10
   uint8_t entropy[CTR_DRBG_ENTROPY_LEN * FIPS_OVERREAD];
 
-  int used_hwrand = hwrand(entropy, sizeof(entropy));
-  if (!used_hwrand) {
+  int used_rdrand = have_rdrand() && rdrand(entropy, sizeof(entropy));
+  if (!used_rdrand) {
     CRYPTO_sysrand_for_seed(entropy, sizeof(entropy));
   }
 
@@ -215,7 +216,7 @@ static void rand_get_seed(struct rand_thread_state *state,
 #if defined(OPENSSL_URANDOM)
   // If we used RDRAND, also opportunistically read from the system. This avoids
   // solely relying on the hardware once the entropy pool has been initialized.
-  if (used_hwrand) {
+  if (used_rdrand) {
     CRYPTO_sysrand_if_available(entropy, CTR_DRBG_ENTROPY_LEN);
     for (size_t i = 0; i < CTR_DRBG_ENTROPY_LEN; i++) {
       seed[i] ^= entropy[i];
@@ -241,20 +242,31 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
     return;
   }
 
+  const uint64_t fork_generation = CRYPTO_get_fork_generation();
+
   // Additional data is mixed into every CTR-DRBG call to protect, as best we
   // can, against forks & VM clones. We do not over-read this information and
   // don't reseed with it so, from the point of view of FIPS, this doesn't
   // provide “prediction resistance”. But, in practice, it does.
   uint8_t additional_data[32];
-  if (!hwrand(additional_data, sizeof(additional_data))) {
+  // Intel chips have fast RDRAND instructions while, in other cases, RDRAND can
+  // be _slower_ than a system call.
+  if (!have_fast_rdrand() ||
+      !rdrand(additional_data, sizeof(additional_data))) {
     // Without a hardware RNG to save us from address-space duplication, the OS
     // entropy is used. This can be expensive (one read per |RAND_bytes| call)
-    // and so can be disabled by applications that we have ensured don't fork
-    // and aren't at risk of VM cloning.
-    if (!rand_fork_unsafe_buffering_enabled()) {
-      CRYPTO_sysrand(additional_data, sizeof(additional_data));
-    } else {
+    // and so is disabled when we have fork detection, or if the application has
+    // promised not to fork.
+    if (fork_generation != 0 || rand_fork_unsafe_buffering_enabled()) {
       OPENSSL_memset(additional_data, 0, sizeof(additional_data));
+    } else if (!have_rdrand()) {
+      // No alternative so block for OS entropy.
+      CRYPTO_sysrand(additional_data, sizeof(additional_data));
+    } else if (!CRYPTO_sysrand_if_available(additional_data,
+                                            sizeof(additional_data)) &&
+               !rdrand(additional_data, sizeof(additional_data))) {
+      // RDRAND failed: block for OS entropy.
+      CRYPTO_sysrand(additional_data, sizeof(additional_data));
     }
   }
 
@@ -283,6 +295,7 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
       abort();
     }
     state->calls = 0;
+    state->fork_generation = fork_generation;
 
 #if defined(BORINGSSL_FIPS)
     if (state != &stack_state) {
@@ -299,7 +312,8 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
 #endif
   }
 
-  if (state->calls >= kReseedInterval) {
+  if (state->calls >= kReseedInterval ||
+      state->fork_generation != fork_generation) {
     uint8_t seed[CTR_DRBG_ENTROPY_LEN];
     rand_get_seed(state, seed);
 #if defined(BORINGSSL_FIPS)
@@ -317,6 +331,7 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
       abort();
     }
     state->calls = 0;
+    state->fork_generation = fork_generation;
   } else {
 #if defined(BORINGSSL_FIPS)
     CRYPTO_STATIC_MUTEX_lock_read(thread_states_list_lock_bss_get());

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c

@@ -65,38 +65,12 @@
 #include <openssl/thread.h>
 #include <openssl/mem.h>
 
+#include "getrandom_fillin.h"
 #include "../delocate.h"
 #include "../../internal.h"
 
 
-#if defined(OPENSSL_LINUX)
-
-#if defined(OPENSSL_X86_64)
-#define EXPECTED_NR_getrandom 318
-#elif defined(OPENSSL_X86)
-#define EXPECTED_NR_getrandom 355
-#elif defined(OPENSSL_AARCH64)
-#define EXPECTED_NR_getrandom 278
-#elif defined(OPENSSL_ARM)
-#define EXPECTED_NR_getrandom 384
-#elif defined(OPENSSL_PPC64LE)
-#define EXPECTED_NR_getrandom 359
-#endif
-
-#if defined(EXPECTED_NR_getrandom)
-#define USE_NR_getrandom
-
-#if defined(__NR_getrandom)
-
-#if __NR_getrandom != EXPECTED_NR_getrandom
-#error "system call number for getrandom is not the expected value"
-#endif
-
-#else  // __NR_getrandom
-
-#define __NR_getrandom EXPECTED_NR_getrandom
-
-#endif  // __NR_getrandom
+#if defined(USE_NR_getrandom)
 
 #if defined(OPENSSL_MSAN)
 void __msan_unpoison(void *, size_t);
@@ -119,28 +93,12 @@ static ssize_t boringssl_getrandom(void *buf, size_t buf_len, unsigned flags) {
   return ret;
 }
 
-#endif  // EXPECTED_NR_getrandom
-
-#if !defined(GRND_NONBLOCK)
-#define GRND_NONBLOCK 1
-#endif
-#if !defined(GRND_RANDOM)
-#define GRND_RANDOM 2
-#endif
-
-#endif  // OPENSSL_LINUX
-
-// rand_lock is used to protect the |*_requested| variables.
-DEFINE_STATIC_MUTEX(rand_lock)
+#endif  // USE_NR_getrandom
 
-// The following constants are magic values of |urandom_fd|.
-static const int kUnset = 0;
+// kHaveGetrandom in |urandom_fd| signals that |getrandom| or |getentropy| is
+// available and should be used instead.
 static const int kHaveGetrandom = -3;
 
-// urandom_fd_requested is set by |RAND_set_urandom_fd|. It's protected by
-// |rand_lock|.
-DEFINE_BSS_GET(int, urandom_fd_requested)
-
 // urandom_fd is a file descriptor to /dev/urandom. It's protected by |once|.
 DEFINE_BSS_GET(int, urandom_fd)
 
@@ -179,14 +137,9 @@ static void maybe_set_extra_getrandom_flags(void) {
 DEFINE_STATIC_ONCE(rand_once)
 
 // init_once initializes the state of this module to values previously
-// requested. This is the only function that modifies |urandom_fd| and
-// |urandom_buffering|, whose values may be read safely after calling the
-// once.
+// requested. This is the only function that modifies |urandom_fd|, which may be
+// read safely after calling the once.
 static void init_once(void) {
-  CRYPTO_STATIC_MUTEX_lock_read(rand_lock_bss_get());
-  int fd = *urandom_fd_requested_bss_get();
-  CRYPTO_STATIC_MUTEX_unlock_read(rand_lock_bss_get());
-
 #if defined(USE_NR_getrandom)
   int have_getrandom;
   uint8_t dummy;
@@ -229,31 +182,16 @@ static void init_once(void) {
   abort();
 #endif
 
-  if (fd == kUnset) {
-    do {
-      fd = open("/dev/urandom", O_RDONLY);
-    } while (fd == -1 && errno == EINTR);
-  }
+  int fd;
+  do {
+    fd = open("/dev/urandom", O_RDONLY);
+  } while (fd == -1 && errno == EINTR);
 
   if (fd < 0) {
     perror("failed to open /dev/urandom");
     abort();
   }
 
-  assert(kUnset == 0);
-  if (fd == kUnset) {
-    // Because we want to keep |urandom_fd| in the BSS, we have to initialise
-    // it to zero. But zero is a valid file descriptor too. Thus if open
-    // returns zero for /dev/urandom, we dup it to get a non-zero number.
-    fd = dup(fd);
-    close(kUnset);
-
-    if (fd <= 0) {
-      perror("failed to dup /dev/urandom fd");
-      abort();
-    }
-  }
-
   int flags = fcntl(fd, F_GETFD);
   if (flags == -1) {
     // Native Client doesn't implement |fcntl|.
@@ -342,40 +280,6 @@ static void wait_for_entropy(void) {
 #endif  // BORINGSSL_FIPS
 }
 
-void RAND_set_urandom_fd(int fd) {
-  fd = dup(fd);
-  if (fd < 0) {
-    perror("failed to dup supplied urandom fd");
-    abort();
-  }
-
-  assert(kUnset == 0);
-  if (fd == kUnset) {
-    // Because we want to keep |urandom_fd| in the BSS, we have to initialise
-    // it to zero. But zero is a valid file descriptor too. Thus if dup
-    // returned zero we dup it again to get a non-zero number.
-    fd = dup(fd);
-    close(kUnset);
-
-    if (fd <= 0) {
-      perror("failed to dup supplied urandom fd");
-      abort();
-    }
-  }
-
-  CRYPTO_STATIC_MUTEX_lock_write(rand_lock_bss_get());
-  *urandom_fd_requested_bss_get() = fd;
-  CRYPTO_STATIC_MUTEX_unlock_write(rand_lock_bss_get());
-
-  CRYPTO_once(rand_once_bss_get(), init_once);
-  if (*urandom_fd_bss_get() == kHaveGetrandom) {
-    close(fd);
-  } else if (*urandom_fd_bss_get() != fd) {
-    fprintf(stderr, "RAND_set_urandom_fd called after initialisation.\n");
-    abort();
-  }
-}
-
 // fill_with_entropy writes |len| bytes of entropy into |out|. It returns one
 // on success and zero on error. If |block| is one, this function will block
 // until the entropy pool is initialized. Otherwise, this function may fail,
@@ -397,7 +301,7 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
   }
 #endif
 
-  CRYPTO_once(rand_once_bss_get(), init_once);
+  CRYPTO_init_sysrand();
   if (block) {
     CRYPTO_once(wait_for_entropy_once_bss_get(), wait_for_entropy);
   }
@@ -452,6 +356,10 @@ void CRYPTO_sysrand(uint8_t *out, size_t requested) {
   }
 }
 
+void CRYPTO_init_sysrand(void) {
+  CRYPTO_once(rand_once_bss_get(), init_once);
+}
+
 #if defined(BORINGSSL_FIPS)
 void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {
   if (!fill_with_entropy(out, requested, /*block=*/1, /*seed=*/1)) {
@@ -466,16 +374,18 @@ void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {
 #endif
 }
 
-void CRYPTO_sysrand_if_available(uint8_t *out, size_t requested) {
-  // Return all zeros if |fill_with_entropy| fails.
-  OPENSSL_memset(out, 0, requested);
+#endif  // BORINGSSL_FIPS
 
-  if (!fill_with_entropy(out, requested, /*block=*/0, /*seed=*/0) &&
-      errno != EAGAIN) {
+int CRYPTO_sysrand_if_available(uint8_t *out, size_t requested) {
+  if (fill_with_entropy(out, requested, /*block=*/0, /*seed=*/0)) {
+    return 1;
+  } else if (errno == EAGAIN) {
+    OPENSSL_memset(out, 0, requested);
+    return 0;
+  } else {
     perror("opportunistic entropy fill failed");
     abort();
   }
 }
-#endif  // BORINGSSL_FIPS
 
 #endif  // OPENSSL_URANDOM