grpc 1.28.0 → 1.30.2

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c

@@ -167,6 +167,10 @@ void BN_BLINDING_free(BN_BLINDING *r) {
   OPENSSL_free(r);
 }
 
+void BN_BLINDING_invalidate(BN_BLINDING *b) {
+  b->counter = BN_BLINDING_COUNTER - 1;
+}
+
 static int bn_blinding_update(BN_BLINDING *b, const BIGNUM *e,
                               const BN_MONT_CTX *mont, BN_CTX *ctx) {
   if (++b->counter == BN_BLINDING_COUNTER) {

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h

@@ -83,6 +83,7 @@ int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
 
 BN_BLINDING *BN_BLINDING_new(void);
 void BN_BLINDING_free(BN_BLINDING *b);
+void BN_BLINDING_invalidate(BN_BLINDING *b);
 int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, const BIGNUM *e,
                         const BN_MONT_CTX *mont_ctx, BN_CTX *ctx);
 int BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_MONT_CTX *mont_ctx,

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c

@@ -167,6 +167,22 @@ int RSA_up_ref(RSA *rsa) {
 
 unsigned RSA_bits(const RSA *rsa) { return BN_num_bits(rsa->n); }
 
+const BIGNUM *RSA_get0_n(const RSA *rsa) { return rsa->n; }
+
+const BIGNUM *RSA_get0_e(const RSA *rsa) { return rsa->e; }
+
+const BIGNUM *RSA_get0_d(const RSA *rsa) { return rsa->d; }
+
+const BIGNUM *RSA_get0_p(const RSA *rsa) { return rsa->p; }
+
+const BIGNUM *RSA_get0_q(const RSA *rsa) { return rsa->q; }
+
+const BIGNUM *RSA_get0_dmp1(const RSA *rsa) { return rsa->dmp1; }
+
+const BIGNUM *RSA_get0_dmq1(const RSA *rsa) { return rsa->dmq1; }
+
+const BIGNUM *RSA_get0_iqmp(const RSA *rsa) { return rsa->iqmp; }
+
 void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e,
                   const BIGNUM **out_d) {
   if (out_n != NULL) {
@@ -639,7 +655,12 @@ err:
 }
 
 static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
-                             const BIGNUM *m, int check_reduced, BN_CTX *ctx) {
+                             const BIGNUM *m, BN_CTX *ctx) {
+  if (BN_is_negative(ainv) || BN_cmp(ainv, m) >= 0) {
+    *out_ok = 0;
+    return 1;
+  }
+
   BN_CTX_start(ctx);
   BIGNUM *tmp = BN_CTX_get(ctx);
   int ret = tmp != NULL &&
@@ -647,19 +668,12 @@ static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
             bn_div_consttime(NULL, tmp, tmp, m, ctx);
   if (ret) {
     *out_ok = BN_is_one(tmp);
-    if (check_reduced && (BN_is_negative(ainv) || BN_cmp(ainv, m) >= 0)) {
-      *out_ok = 0;
-    }
   }
   BN_CTX_end(ctx);
   return ret;
 }
 
 int RSA_check_key(const RSA *key) {
-  BIGNUM n, pm1, qm1, lcm, dmp1, dmq1, iqmp_times_q;
-  BN_CTX *ctx;
-  int ok = 0, has_crt_values;
-
   if (RSA_is_opaque(key)) {
     // Opaque keys can't be checked.
     return 1;
@@ -681,50 +695,53 @@ int RSA_check_key(const RSA *key) {
     return 1;
   }
 
-  ctx = BN_CTX_new();
+  BN_CTX *ctx = BN_CTX_new();
   if (ctx == NULL) {
     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
     return 0;
   }
 
-  BN_init(&n);
+  BIGNUM tmp, de, pm1, qm1, dmp1, dmq1;
+  int ok = 0;
+  BN_init(&tmp);
+  BN_init(&de);
   BN_init(&pm1);
   BN_init(&qm1);
-  BN_init(&lcm);
   BN_init(&dmp1);
   BN_init(&dmq1);
-  BN_init(&iqmp_times_q);
-
-  int d_ok;
-  if (!bn_mul_consttime(&n, key->p, key->q, ctx) ||
-      // lcm = lcm(p, q)
-      !bn_usub_consttime(&pm1, key->p, BN_value_one()) ||
-      !bn_usub_consttime(&qm1, key->q, BN_value_one()) ||
-      !bn_lcm_consttime(&lcm, &pm1, &qm1, ctx) ||
-      // Other implementations use the Euler totient rather than the Carmichael
-      // totient, so allow unreduced |key->d|.
-      !check_mod_inverse(&d_ok, key->e, key->d, &lcm,
-                         0 /* don't require reduced */, ctx)) {
+  if (!bn_mul_consttime(&tmp, key->p, key->q, ctx)) {
     OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
     goto out;
   }
 
-  if (BN_cmp(&n, key->n) != 0) {
+  if (BN_cmp(&tmp, key->n) != 0) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
     goto out;
   }
 
-  if (!d_ok) {
-    OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
+  if (BN_is_negative(key->d) || BN_cmp(key->d, key->n) >= 0) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE);
     goto out;
   }
 
-  if (BN_is_negative(key->d) || BN_cmp(key->d, key->n) >= 0) {
-    OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE);
+  // d must be an inverse of e mod the Carmichael totient, lcm(p-1, q-1), but it
+  // may be unreduced because other implementations use the Euler totient. We
+  // simply check that d * e is one mod p-1 and mod q-1.
+  if (!bn_usub_consttime(&pm1, key->p, BN_value_one()) ||
+      !bn_usub_consttime(&qm1, key->q, BN_value_one()) ||
+      !bn_mul_consttime(&de, key->d, key->e, ctx) ||
+      !bn_div_consttime(NULL, &tmp, &de, &pm1, ctx) ||
+      !bn_div_consttime(NULL, &de, &de, &qm1, ctx)) {
+    OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
+    goto out;
+  }
+
+  if (!BN_is_one(&tmp) || !BN_is_one(&de)) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
     goto out;
   }
 
-  has_crt_values = key->dmp1 != NULL;
+  int has_crt_values = key->dmp1 != NULL;
   if (has_crt_values != (key->dmq1 != NULL) ||
       has_crt_values != (key->iqmp != NULL)) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
@@ -733,12 +750,9 @@ int RSA_check_key(const RSA *key) {
 
   if (has_crt_values) {
     int dmp1_ok, dmq1_ok, iqmp_ok;
-    if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1,
-                           1 /* check reduced */, ctx) ||
-        !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1,
-                           1 /* check reduced */, ctx) ||
-        !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p,
-                           1 /* check reduced */, ctx)) {
+    if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1, ctx) ||
+        !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1, ctx) ||
+        !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p, ctx)) {
       OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
       goto out;
     }
@@ -752,13 +766,12 @@ int RSA_check_key(const RSA *key) {
   ok = 1;
 
 out:
-  BN_free(&n);
+  BN_free(&tmp);
+  BN_free(&de);
   BN_free(&pm1);
   BN_free(&qm1);
-  BN_free(&lcm);
   BN_free(&dmp1);
   BN_free(&dmq1);
-  BN_free(&iqmp_times_q);
   BN_CTX_free(ctx);
 
   return ok;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c

@@ -70,6 +70,7 @@
 #include "../bn/internal.h"
 #include "../../internal.h"
 #include "../delocate.h"
+#include "../rand/fork_detect.h"
 
 
 static int check_modulus_and_exponent_sizes(const RSA *rsa) {
@@ -345,7 +346,7 @@ err:
 // MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per
 // RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and
 // destroyed as needed.
-#if defined(OPNESSL_TSAN)
+#if defined(OPENSSL_TSAN)
 // Smaller under TSAN so that the edge case can be hit with fewer threads.
 #define MAX_BLINDINGS_PER_RSA 2
 #else
@@ -365,8 +366,21 @@ static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,
   assert(rsa->mont_n != NULL);
 
   BN_BLINDING *ret = NULL;
+  const uint64_t fork_generation = CRYPTO_get_fork_generation();
   CRYPTO_MUTEX_lock_write(&rsa->lock);
 
+  // Wipe the blinding cache on |fork|.
+  if (rsa->blinding_fork_generation != fork_generation) {
+    for (unsigned i = 0; i < rsa->num_blindings; i++) {
+      // The inuse flag must be zero unless we were forked from a
+      // multi-threaded process, in which case calling back into BoringSSL is
+      // forbidden.
+      assert(rsa->blindings_inuse[i] == 0);
+      BN_BLINDING_invalidate(rsa->blindings[i]);
+    }
+    rsa->blinding_fork_generation = fork_generation;
+  }
+
   uint8_t *const free_inuse_flag =
       OPENSSL_memchr(rsa->blindings_inuse, 0, rsa->num_blindings);
   if (free_inuse_flag != NULL) {

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c

@@ -105,6 +105,23 @@ int SHA512_Init(SHA512_CTX *sha) {
   return 1;
 }
 
+int SHA512_256_Init(SHA512_CTX *sha) {
+  sha->h[0] = UINT64_C(0x22312194fc2bf72c);
+  sha->h[1] = UINT64_C(0x9f555fa3c84c64c2);
+  sha->h[2] = UINT64_C(0x2393b86b6f53b151);
+  sha->h[3] = UINT64_C(0x963877195940eabd);
+  sha->h[4] = UINT64_C(0x96283ee2a88effe3);
+  sha->h[5] = UINT64_C(0xbe5e1e2553863992);
+  sha->h[6] = UINT64_C(0x2b0199fc2c85b8aa);
+  sha->h[7] = UINT64_C(0x0eb72ddc81c52ca2);
+
+  sha->Nl = 0;
+  sha->Nh = 0;
+  sha->num = 0;
+  sha->md_len = SHA512_256_DIGEST_LENGTH;
+  return 1;
+}
+
 uint8_t *SHA384(const uint8_t *data, size_t len,
                 uint8_t out[SHA384_DIGEST_LENGTH]) {
   SHA512_CTX ctx;
@@ -125,6 +142,16 @@ uint8_t *SHA512(const uint8_t *data, size_t len,
   return out;
 }
 
+uint8_t *SHA512_256(const uint8_t *data, size_t len,
+                    uint8_t out[SHA512_256_DIGEST_LENGTH]) {
+  SHA512_CTX ctx;
+  SHA512_256_Init(&ctx);
+  SHA512_Update(&ctx, data, len);
+  SHA512_Final(out, &ctx);
+  OPENSSL_cleanse(&ctx, sizeof(ctx));
+  return out;
+}
+
 #if !defined(SHA512_ASM)
 static void sha512_block_data_order(uint64_t *state, const uint8_t *in,
                                     size_t num_blocks);
@@ -141,6 +168,17 @@ int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len) {
   return SHA512_Update(sha, data, len);
 }
 
+int SHA512_256_Update(SHA512_CTX *sha, const void *data, size_t len) {
+  return SHA512_Update(sha, data, len);
+}
+
+int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH],
+                                    SHA512_CTX *sha) {
+  // |SHA512_256_Init| sets |sha->md_len| to |SHA512_256_DIGEST_LENGTH|, so this
+  // has a |smaller output.
+  return SHA512_Final(out, sha);
+}
+
 void SHA512_Transform(SHA512_CTX *c, const uint8_t block[SHA512_CBLOCK]) {
   sha512_block_data_order(c->h, block, 1);
 }
@@ -231,41 +269,12 @@ int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) {
     return 0;
   }
 
-  switch (sha->md_len) {
-    // Let compiler decide if it's appropriate to unroll...
-    case SHA384_DIGEST_LENGTH:
-      for (n = 0; n < SHA384_DIGEST_LENGTH / 8; n++) {
-        uint64_t t = sha->h[n];
-
-        *(out++) = (uint8_t)(t >> 56);
-        *(out++) = (uint8_t)(t >> 48);
-        *(out++) = (uint8_t)(t >> 40);
-        *(out++) = (uint8_t)(t >> 32);
-        *(out++) = (uint8_t)(t >> 24);
-        *(out++) = (uint8_t)(t >> 16);
-        *(out++) = (uint8_t)(t >> 8);
-        *(out++) = (uint8_t)(t);
-      }
-      break;
-    case SHA512_DIGEST_LENGTH:
-      for (n = 0; n < SHA512_DIGEST_LENGTH / 8; n++) {
-        uint64_t t = sha->h[n];
-
-        *(out++) = (uint8_t)(t >> 56);
-        *(out++) = (uint8_t)(t >> 48);
-        *(out++) = (uint8_t)(t >> 40);
-        *(out++) = (uint8_t)(t >> 32);
-        *(out++) = (uint8_t)(t >> 24);
-        *(out++) = (uint8_t)(t >> 16);
-        *(out++) = (uint8_t)(t >> 8);
-        *(out++) = (uint8_t)(t);
-      }
-      break;
-    // ... as well as make sure md_len is not abused.
-    default:
-      // TODO(davidben): This bad |md_len| case is one of the few places a
-      // low-level hash 'final' function can fail. This should never happen.
-      return 0;
+  assert(sha->md_len % 8 == 0);
+  const size_t out_words = sha->md_len / 8;
+  for (size_t i = 0; i < out_words; i++) {
+    const uint64_t t = CRYPTO_bswap8(sha->h[i]);
+    memcpy(out, &t, sizeof(t));
+    out += sizeof(t);
   }
 
   return 1;

data/third_party/boringssl-with-bazel/src/crypto/mem.c

@@ -84,27 +84,34 @@ static void __asan_unpoison_memory_region(const void *addr, size_t size) {}
 // Windows doesn't really support weak symbols as of May 2019, and Clang on
 // Windows will emit strong symbols instead. See
 // https://bugs.llvm.org/show_bug.cgi?id=37598
-#if defined(__GNUC__) || (defined(__clang__) && !defined(_MSC_VER))
+#if defined(__ELF__) && defined(__GNUC__)
+#define WEAK_SYMBOL_FUNC(rettype, name, args) \
+  rettype name args __attribute__((weak));
+#else
+#define WEAK_SYMBOL_FUNC(rettype, name, args) static rettype(*name) args = NULL;
+#endif
+
 // sdallocx is a sized |free| function. By passing the size (which we happen to
 // always know in BoringSSL), the malloc implementation can save work. We cannot
-// depend on |sdallocx| being available so we declare a wrapper that falls back
-// to |free| as a weak symbol.
+// depend on |sdallocx| being available, however, so it's a weak symbol.
 //
 // This will always be safe, but will only be overridden if the malloc
 // implementation is statically linked with BoringSSL. So, if |sdallocx| is
 // provided in, say, libc.so, we still won't use it because that's dynamically
 // linked. This isn't an ideal result, but its helps in some cases.
-void sdallocx(void *ptr, size_t size, int flags);
+WEAK_SYMBOL_FUNC(void, sdallocx, (void *ptr, size_t size, int flags));
 
-__attribute((weak, noinline))
-#else
-static
-#endif
-void sdallocx(void *ptr, size_t size, int flags) {
-  free(ptr);
-}
+// The following two functions are for memory tracking. They are no-ops by
+// default but can be overridden at link time if the application needs to
+// observe heap operations.
+WEAK_SYMBOL_FUNC(void, OPENSSL_track_memory_alloc, (void *ptr, size_t size));
+WEAK_SYMBOL_FUNC(void, OPENSSL_track_memory_free, (void *ptr, size_t size));
 
 void *OPENSSL_malloc(size_t size) {
+  if (size + OPENSSL_MALLOC_PREFIX < size) {
+    return NULL;
+  }
+
   void *ptr = malloc(size + OPENSSL_MALLOC_PREFIX);
   if (ptr == NULL) {
     return NULL;
@@ -113,6 +120,9 @@ void *OPENSSL_malloc(size_t size) {
   *(size_t *)ptr = size;
 
   __asan_poison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);
+  if (OPENSSL_track_memory_alloc) {
+    OPENSSL_track_memory_alloc(ptr, size + OPENSSL_MALLOC_PREFIX);
+  }
   return ((uint8_t *)ptr) + OPENSSL_MALLOC_PREFIX;
 }
 
@@ -125,8 +135,15 @@ void OPENSSL_free(void *orig_ptr) {
   __asan_unpoison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);
 
   size_t size = *(size_t *)ptr;
+  if (OPENSSL_track_memory_free) {
+    OPENSSL_track_memory_free(ptr, size + OPENSSL_MALLOC_PREFIX);
+  }
   OPENSSL_cleanse(ptr, size + OPENSSL_MALLOC_PREFIX);
-  sdallocx(ptr, size + OPENSSL_MALLOC_PREFIX, 0 /* flags */);
+  if (sdallocx) {
+    sdallocx(ptr, size + OPENSSL_MALLOC_PREFIX, 0 /* flags */);
+  } else {
+    free(ptr);
+  }
 }
 
 void *OPENSSL_realloc(void *orig_ptr, size_t new_size) {

data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h

@@ -57,7 +57,7 @@
 /* This file is generated by crypto/obj/objects.go. */
 
 
-#define NUM_NID 962
+#define NUM_NID 963
 
 static const uint8_t kObjectData[] = {
     /* NID_rsadsi */
@@ -7127,6 +7127,16 @@ static const uint8_t kObjectData[] = {
     0x2b,
     0x65,
     0x6f,
+    /* NID_sha512_256 */
+    0x60,
+    0x86,
+    0x48,
+    0x01,
+    0x65,
+    0x03,
+    0x04,
+    0x02,
+    0x06,
 };
 
 static const ASN1_OBJECT kObjects[NUM_NID] = {
@@ -8770,6 +8780,7 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
     {"CECPQ2", "CECPQ2", NID_CECPQ2, 0, NULL, 0},
     {"ED448", "ED448", NID_ED448, 3, &kObjectData[6181], 0},
     {"X448", "X448", NID_X448, 3, &kObjectData[6184], 0},
+    {"SHA512-256", "sha512-256", NID_sha512_256, 9, &kObjectData[6187], 0},
 };
 
 static const uint16_t kNIDsInShortNameOrder[] = {
@@ -8959,6 +8970,7 @@ static const uint16_t kNIDsInShortNameOrder[] = {
     672 /* SHA256 */,
     673 /* SHA384 */,
     674 /* SHA512 */,
+    962 /* SHA512-256 */,
     188 /* SMIME */,
     167 /* SMIME-CAPS */,
     100 /* SN */,
@@ -10632,6 +10644,7 @@ static const uint16_t kNIDsInLongNameOrder[] = {
     673 /* sha384 */,
     669 /* sha384WithRSAEncryption */,
     674 /* sha512 */,
+    962 /* sha512-256 */,
     670 /* sha512WithRSAEncryption */,
     42 /* shaWithRSAEncryption */,
     52 /* signingTime */,
@@ -11391,6 +11404,7 @@ static const uint16_t kNIDsInOIDOrder[] = {
     673 /* 2.16.840.1.101.3.4.2.2 (OBJ_sha384) */,
     674 /* 2.16.840.1.101.3.4.2.3 (OBJ_sha512) */,
     675 /* 2.16.840.1.101.3.4.2.4 (OBJ_sha224) */,
+    962 /* 2.16.840.1.101.3.4.2.6 (OBJ_sha512_256) */,
     802 /* 2.16.840.1.101.3.4.3.1 (OBJ_dsa_with_SHA224) */,
     803 /* 2.16.840.1.101.3.4.3.2 (OBJ_dsa_with_SHA256) */,
     71 /* 2.16.840.1.113730.1.1 (OBJ_netscape_cert_type) */,