grpc 1.30.0 → 1.31.1

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c

@@ -866,7 +866,7 @@ static void p224_select_point(const uint64_t idx, size_t size,
 }
 
 // p224_get_bit returns the |i|th bit in |in|
-static char p224_get_bit(const p224_felem_bytearray in, size_t i) {
+static crypto_word_t p224_get_bit(const p224_felem_bytearray in, size_t i) {
   if (i >= 224) {
     return 0;
   }
@@ -977,13 +977,13 @@ static void ec_GFp_nistp224_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
 
     // Add every 5 doublings.
     if (i % 5 == 0) {
-      uint64_t bits = p224_get_bit(scalar->bytes, i + 4) << 5;
+      crypto_word_t bits = p224_get_bit(scalar->bytes, i + 4) << 5;
       bits |= p224_get_bit(scalar->bytes, i + 3) << 4;
       bits |= p224_get_bit(scalar->bytes, i + 2) << 3;
       bits |= p224_get_bit(scalar->bytes, i + 1) << 2;
       bits |= p224_get_bit(scalar->bytes, i) << 1;
       bits |= p224_get_bit(scalar->bytes, i - 1);
-      uint8_t sign, digit;
+      crypto_word_t sign, digit;
       ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
 
       // Select the point to add or subtract.
@@ -1022,7 +1022,7 @@ static void ec_GFp_nistp224_point_mul_base(const EC_GROUP *group,
     }
 
     // First, look 28 bits upwards.
-    uint64_t bits = p224_get_bit(scalar->bytes, i + 196) << 3;
+    crypto_word_t bits = p224_get_bit(scalar->bytes, i + 196) << 3;
     bits |= p224_get_bit(scalar->bytes, i + 140) << 2;
     bits |= p224_get_bit(scalar->bytes, i + 84) << 1;
     bits |= p224_get_bit(scalar->bytes, i + 28);
@@ -1080,14 +1080,15 @@ static void ec_GFp_nistp224_point_mul_public(const EC_GROUP *group,
     // Add multiples of the generator.
     if (i <= 27) {
       // First, look 28 bits upwards.
-      uint64_t bits = p224_get_bit(g_scalar->bytes, i + 196) << 3;
+      crypto_word_t bits = p224_get_bit(g_scalar->bytes, i + 196) << 3;
       bits |= p224_get_bit(g_scalar->bytes, i + 140) << 2;
       bits |= p224_get_bit(g_scalar->bytes, i + 84) << 1;
       bits |= p224_get_bit(g_scalar->bytes, i + 28);
 
+      size_t index = (size_t)bits;
       p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
-                     g_p224_pre_comp[1][bits][0], g_p224_pre_comp[1][bits][1],
-                     g_p224_pre_comp[1][bits][2]);
+                     g_p224_pre_comp[1][index][0], g_p224_pre_comp[1][index][1],
+                     g_p224_pre_comp[1][index][2]);
       assert(!skip);
 
       // Second, look at the current position.
@@ -1095,20 +1096,21 @@ static void ec_GFp_nistp224_point_mul_public(const EC_GROUP *group,
       bits |= p224_get_bit(g_scalar->bytes, i + 112) << 2;
       bits |= p224_get_bit(g_scalar->bytes, i + 56) << 1;
       bits |= p224_get_bit(g_scalar->bytes, i);
+      index = (size_t)bits;
       p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
-                     g_p224_pre_comp[0][bits][0], g_p224_pre_comp[0][bits][1],
-                     g_p224_pre_comp[0][bits][2]);
+                     g_p224_pre_comp[0][index][0], g_p224_pre_comp[0][index][1],
+                     g_p224_pre_comp[0][index][2]);
     }
 
     // Incorporate |p_scalar| every 5 doublings.
     if (i % 5 == 0) {
-      uint64_t bits = p224_get_bit(p_scalar->bytes, i + 4) << 5;
+      crypto_word_t bits = p224_get_bit(p_scalar->bytes, i + 4) << 5;
       bits |= p224_get_bit(p_scalar->bytes, i + 3) << 4;
       bits |= p224_get_bit(p_scalar->bytes, i + 2) << 3;
       bits |= p224_get_bit(p_scalar->bytes, i + 1) << 2;
       bits |= p224_get_bit(p_scalar->bytes, i) << 1;
       bits |= p224_get_bit(p_scalar->bytes, i - 1);
-      uint8_t sign, digit;
+      crypto_word_t sign, digit;
       ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
 
       // Select the point to add or subtract.

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64.c

@@ -50,8 +50,8 @@ static const BN_ULONG ONE[P256_LIMBS] = {
 
 // Recode window to a signed digit, see |ec_GFp_nistp_recode_scalar_bits| in
 // util.c for details
-static unsigned booth_recode_w5(unsigned in) {
-  unsigned s, d;
+static crypto_word_t booth_recode_w5(crypto_word_t in) {
+  crypto_word_t s, d;
 
   s = ~((in >> 5) - 1);
   d = (1 << 6) - in - 1;
@@ -61,8 +61,8 @@ static unsigned booth_recode_w5(unsigned in) {
   return (d << 1) + (s & 1);
 }
 
-static unsigned booth_recode_w7(unsigned in) {
-  unsigned s, d;
+static crypto_word_t booth_recode_w7(crypto_word_t in) {
+  crypto_word_t s, d;
 
   s = ~((in >> 7) - 1);
   d = (1 << 8) - in - 1;
@@ -194,8 +194,8 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,
   assert(p_scalar != NULL);
   assert(group->field.width == P256_LIMBS);
 
-  static const unsigned kWindowSize = 5;
-  static const unsigned kMask = (1 << (5 /* kWindowSize */ + 1)) - 1;
+  static const size_t kWindowSize = 5;
+  static const crypto_word_t kMask = (1 << (5 /* kWindowSize */ + 1)) - 1;
 
   // A |P256_POINT| is (3 * 32) = 96 bytes, and the 64-byte alignment should
   // add no more than 63 bytes of overhead. Thus, |table| should require
@@ -232,17 +232,17 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,
 
   BN_ULONG tmp[P256_LIMBS];
   alignas(32) P256_POINT h;
-  unsigned index = 255;
-  unsigned wvalue = p_str[(index - 1) / 8];
+  size_t index = 255;
+  crypto_word_t wvalue = p_str[(index - 1) / 8];
   wvalue = (wvalue >> ((index - 1) % 8)) & kMask;
 
   ecp_nistz256_select_w5(r, table, booth_recode_w5(wvalue) >> 1);
 
   while (index >= 5) {
     if (index != 255) {
-      unsigned off = (index - 1) / 8;
+      size_t off = (index - 1) / 8;
 
-      wvalue = p_str[off] | p_str[off + 1] << 8;
+      wvalue = (crypto_word_t)p_str[off] | (crypto_word_t)p_str[off + 1] << 8;
       wvalue = (wvalue >> ((index - 1) % 8)) & kMask;
 
       wvalue = booth_recode_w5(wvalue);
@@ -283,21 +283,22 @@ typedef union {
   P256_POINT_AFFINE a;
 } p256_point_union_t;
 
-static unsigned calc_first_wvalue(unsigned *index, const uint8_t p_str[33]) {
-  static const unsigned kWindowSize = 7;
-  static const unsigned kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;
+static crypto_word_t calc_first_wvalue(size_t *index, const uint8_t p_str[33]) {
+  static const size_t kWindowSize = 7;
+  static const crypto_word_t kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;
   *index = kWindowSize;
 
-  unsigned wvalue = (p_str[0] << 1) & kMask;
+  crypto_word_t wvalue = (p_str[0] << 1) & kMask;
   return booth_recode_w7(wvalue);
 }
 
-static unsigned calc_wvalue(unsigned *index, const uint8_t p_str[33]) {
-  static const unsigned kWindowSize = 7;
-  static const unsigned kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;
+static crypto_word_t calc_wvalue(size_t *index, const uint8_t p_str[33]) {
+  static const size_t kWindowSize = 7;
+  static const crypto_word_t kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;
 
-  const unsigned off = (*index - 1) / 8;
-  unsigned wvalue = p_str[off] | p_str[off + 1] << 8;
+  const size_t off = (*index - 1) / 8;
+  crypto_word_t wvalue =
+      (crypto_word_t)p_str[off] | (crypto_word_t)p_str[off + 1] << 8;
   wvalue = (wvalue >> ((*index - 1) % 8)) & kMask;
   *index += kWindowSize;
 
@@ -325,8 +326,8 @@ static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_RAW_POINT *r,
   p_str[32] = 0;
 
   // First window
-  unsigned index = 0;
-  unsigned wvalue = calc_first_wvalue(&index, p_str);
+  size_t index = 0;
+  crypto_word_t wvalue = calc_first_wvalue(&index, p_str);
 
   ecp_nistz256_select_w7(&p.a, ecp_nistz256_precomputed[0], wvalue >> 1);
   ecp_nistz256_neg(p.p.Z, p.p.Y);
@@ -370,8 +371,8 @@ static void ecp_nistz256_points_mul_public(const EC_GROUP *group,
   p_str[32] = 0;
 
   // First window
-  unsigned index = 0;
-  unsigned wvalue = calc_first_wvalue(&index, p_str);
+  size_t index = 0;
+  size_t wvalue = calc_first_wvalue(&index, p_str);
 
   // Convert |p| from affine to Jacobian coordinates. We set Z to zero if |p|
   // is infinity and |ONE| otherwise. |p| was computed from the table, so it

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c

@@ -67,7 +67,7 @@ static fiat_p256_limb_t fiat_p256_nz(
 
 static void fiat_p256_copy(fiat_p256_limb_t out[FIAT_P256_NLIMBS],
                            const fiat_p256_limb_t in1[FIAT_P256_NLIMBS]) {
-  for (int i = 0; i < FIAT_P256_NLIMBS; i++) {
+  for (size_t i = 0; i < FIAT_P256_NLIMBS; i++) {
     out[i] = in1[i];
   }
 }
@@ -393,7 +393,7 @@ static void fiat_p256_select_point(const fiat_p256_limb_t idx, size_t size,
 }
 
 // fiat_p256_get_bit returns the |i|th bit in |in|
-static char fiat_p256_get_bit(const uint8_t *in, int i) {
+static crypto_word_t fiat_p256_get_bit(const uint8_t *in, int i) {
   if (i < 0 || i >= 256) {
     return 0;
   }
@@ -498,20 +498,20 @@ static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
 
     // do other additions every 5 doublings
     if (i % 5 == 0) {
-      uint64_t bits = fiat_p256_get_bit(scalar->bytes, i + 4) << 5;
+      crypto_word_t bits = fiat_p256_get_bit(scalar->bytes, i + 4) << 5;
       bits |= fiat_p256_get_bit(scalar->bytes, i + 3) << 4;
       bits |= fiat_p256_get_bit(scalar->bytes, i + 2) << 3;
       bits |= fiat_p256_get_bit(scalar->bytes, i + 1) << 2;
       bits |= fiat_p256_get_bit(scalar->bytes, i) << 1;
       bits |= fiat_p256_get_bit(scalar->bytes, i - 1);
-      uint8_t sign, digit;
+      crypto_word_t sign, digit;
       ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
 
       // select the point to add or subtract, in constant time.
-      fiat_p256_select_point(digit, 17, (const fiat_p256_felem(*)[3])p_pre_comp,
-                             tmp);
+      fiat_p256_select_point((fiat_p256_limb_t)digit, 17,
+                             (const fiat_p256_felem(*)[3])p_pre_comp, tmp);
       fiat_p256_opp(ftmp, tmp[1]);  // (X, -Y, Z) is the negative point.
-      fiat_p256_cmovznz(tmp[1], sign, tmp[1], ftmp);
+      fiat_p256_cmovznz(tmp[1], (fiat_p256_limb_t)sign, tmp[1], ftmp);
 
       if (!skip) {
         fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2],
@@ -543,12 +543,13 @@ static void ec_GFp_nistp256_point_mul_base(const EC_GROUP *group,
     }
 
     // First, look 32 bits upwards.
-    uint64_t bits = fiat_p256_get_bit(scalar->bytes, i + 224) << 3;
+    crypto_word_t bits = fiat_p256_get_bit(scalar->bytes, i + 224) << 3;
     bits |= fiat_p256_get_bit(scalar->bytes, i + 160) << 2;
     bits |= fiat_p256_get_bit(scalar->bytes, i + 96) << 1;
     bits |= fiat_p256_get_bit(scalar->bytes, i + 32);
     // Select the point to add, in constant time.
-    fiat_p256_select_point_affine(bits, 15, fiat_p256_g_pre_comp[1], tmp);
+    fiat_p256_select_point_affine((fiat_p256_limb_t)bits, 15,
+                                  fiat_p256_g_pre_comp[1], tmp);
 
     if (!skip) {
       fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2],
@@ -566,7 +567,8 @@ static void ec_GFp_nistp256_point_mul_base(const EC_GROUP *group,
     bits |= fiat_p256_get_bit(scalar->bytes, i + 64) << 1;
     bits |= fiat_p256_get_bit(scalar->bytes, i);
     // Select the point to add, in constant time.
-    fiat_p256_select_point_affine(bits, 15, fiat_p256_g_pre_comp[0], tmp);
+    fiat_p256_select_point_affine((fiat_p256_limb_t)bits, 15,
+                                  fiat_p256_g_pre_comp[0], tmp);
     fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
                         tmp[0], tmp[1], tmp[2]);
   }
@@ -613,14 +615,15 @@ static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group,
     // constant-time lookup.
     if (i <= 31) {
       // First, look 32 bits upwards.
-      uint64_t bits = fiat_p256_get_bit(g_scalar->bytes, i + 224) << 3;
+      crypto_word_t bits = fiat_p256_get_bit(g_scalar->bytes, i + 224) << 3;
       bits |= fiat_p256_get_bit(g_scalar->bytes, i + 160) << 2;
       bits |= fiat_p256_get_bit(g_scalar->bytes, i + 96) << 1;
       bits |= fiat_p256_get_bit(g_scalar->bytes, i + 32);
       if (bits != 0) {
+        size_t index = (size_t)(bits - 1);
         fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2],
-                            1 /* mixed */, fiat_p256_g_pre_comp[1][bits - 1][0],
-                            fiat_p256_g_pre_comp[1][bits - 1][1],
+                            1 /* mixed */, fiat_p256_g_pre_comp[1][index][0],
+                            fiat_p256_g_pre_comp[1][index][1],
                             fiat_p256_one);
         skip = 0;
       }
@@ -631,9 +634,10 @@ static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group,
       bits |= fiat_p256_get_bit(g_scalar->bytes, i + 64) << 1;
       bits |= fiat_p256_get_bit(g_scalar->bytes, i);
       if (bits != 0) {
+        size_t index = (size_t)(bits - 1);
         fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2],
-                            1 /* mixed */, fiat_p256_g_pre_comp[0][bits - 1][0],
-                            fiat_p256_g_pre_comp[0][bits - 1][1],
+                            1 /* mixed */, fiat_p256_g_pre_comp[0][index][0],
+                            fiat_p256_g_pre_comp[0][index][1],
                             fiat_p256_one);
         skip = 0;
       }
@@ -642,7 +646,7 @@ static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group,
     int digit = p_wNAF[i];
     if (digit != 0) {
       assert(digit & 1);
-      int idx = digit < 0 ? (-digit) >> 1 : digit >> 1;
+      size_t idx = (size_t)(digit < 0 ? (-digit) >> 1 : digit >> 1);
       fiat_p256_felem *y = &p_pre_comp[idx][1], tmp;
       if (digit < 0) {
         fiat_p256_opp(tmp, p_pre_comp[idx][1]);

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c

@@ -108,7 +108,7 @@ static void ec_GFp_mont_batch_get_window(const EC_GROUP *group,
   if (i > 0) {
     window |= bn_is_bit_set_words(scalar->words, width, i - 1);
   }
-  uint8_t sign, digit;
+  crypto_word_t sign, digit;
   ec_GFp_nistp_recode_scalar_bits(&sign, &digit, window);
 
   // Select the entry in constant-time.
@@ -121,7 +121,7 @@ static void ec_GFp_mont_batch_get_window(const EC_GROUP *group,
   // Negate if necessary.
   EC_FELEM neg_Y;
   ec_felem_neg(group, &neg_Y, &out->Y);
-  BN_ULONG sign_mask = sign;
+  crypto_word_t sign_mask = sign;
   sign_mask = 0u - sign_mask;
   ec_felem_select(group, &out->Y, sign_mask, &neg_Y, &out->Y);
 }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/util.c

@@ -240,9 +240,9 @@
 //   P-384: ...01110011; w = 2, 5, 6, 7 are okay
 //   P-256: ...01010001; w = 5, 7 are okay
 //   P-224: ...00111101; w = 3, 4, 5, 6 are okay
-void ec_GFp_nistp_recode_scalar_bits(uint8_t *sign, uint8_t *digit,
-                                     uint8_t in) {
-  uint8_t s, d;
+void ec_GFp_nistp_recode_scalar_bits(crypto_word_t *sign, crypto_word_t *digit,
+                                     crypto_word_t in) {
+  crypto_word_t s, d;
 
   s = ~((in >> 5) - 1); /* sets all bits to MSB(in), 'in' seen as
                           * 6-bit value */

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c

@@ -21,6 +21,7 @@
 #include <openssl/aes.h>
 #include <openssl/bn.h>
 #include <openssl/des.h>
+#include <openssl/ec.h>
 #include <openssl/ecdsa.h>
 #include <openssl/ec_key.h>
 #include <openssl/nid.h>
@@ -430,11 +431,44 @@ int boringssl_fips_self_test(
       0xba, 0x4d, 0xd9, 0x86, 0x77, 0xda, 0x7d, 0x8f, 0xef, 0xc4, 0x1a,
       0xf0, 0xcc, 0x81, 0xe5, 0xea, 0x3f, 0xc2, 0x41, 0x7f, 0xd8,
   };
+  // kP256Point is SHA256("Primitive Z Computation KAT")×G within P-256.
+  const uint8_t kP256Point[65] = {
+      0x04, 0x4e, 0xc1, 0x94, 0x8c, 0x5c, 0xf4, 0x37, 0x35, 0x0d, 0xa3,
+      0xf9, 0x55, 0xf9, 0x8b, 0x26, 0x23, 0x5c, 0x43, 0xe0, 0x83, 0x51,
+      0x2b, 0x0d, 0x4b, 0x56, 0x24, 0xc3, 0xe4, 0xa5, 0xa8, 0xe2, 0xe9,
+      0x95, 0xf2, 0xc4, 0xb9, 0xb7, 0x48, 0x7d, 0x2a, 0xae, 0xc5, 0xc0,
+      0x0a, 0xcc, 0x1b, 0xd0, 0xec, 0xb8, 0xdc, 0xbe, 0x0c, 0xbe, 0x52,
+      0x79, 0x93, 0x7c, 0x0b, 0x92, 0x2b, 0x7f, 0x17, 0xa5, 0x80,
+  };
+  // kP256Scalar is SHA256("Primitive Z Computation KAT scalar").
+  const uint8_t kP256Scalar[32] = {
+      0xe7, 0x60, 0x44, 0x91, 0x26, 0x9a, 0xfb, 0x5b, 0x10, 0x2d, 0x6e,
+      0xa5, 0x2c, 0xb5, 0x9f, 0xeb, 0x70, 0xae, 0xde, 0x6c, 0xe3, 0xbf,
+      0xb3, 0xe0, 0x10, 0x54, 0x85, 0xab, 0xd8, 0x61, 0xd7, 0x7b,
+  };
+  // kP256PointResult is |kP256Scalar|×|kP256Point|.
+  const uint8_t kP256PointResult[65] = {
+      0x04, 0xf1, 0x63, 0x00, 0x88, 0xc5, 0xd5, 0xe9, 0x05, 0x52, 0xac,
+      0xb6, 0xec, 0x68, 0x76, 0xb8, 0x73, 0x7f, 0x0f, 0x72, 0x34, 0xe6,
+      0xbb, 0x30, 0x32, 0x22, 0x37, 0xb6, 0x2a, 0x80, 0xe8, 0x9e, 0x6e,
+      0x6f, 0x36, 0x02, 0xe7, 0x21, 0xd2, 0x31, 0xdb, 0x94, 0x63, 0xb7,
+      0xd8, 0x19, 0x0e, 0xc2, 0xc0, 0xa7, 0x2f, 0x15, 0x49, 0x1a, 0xa2,
+      0x7c, 0x41, 0x8f, 0xaf, 0x9c, 0x40, 0xaf, 0x2e, 0x4a,
+#if !defined(BORINGSSL_FIPS_BREAK_Z_COMPUTATION)
+      0x0c,
+#else
+      0x00,
+#endif
+  };
 
   EVP_AEAD_CTX aead_ctx;
   EVP_AEAD_CTX_zero(&aead_ctx);
   RSA *rsa_key = NULL;
   EC_KEY *ec_key = NULL;
+  EC_GROUP *ec_group = NULL;
+  EC_POINT *ec_point_in = NULL;
+  EC_POINT *ec_point_out = NULL;
+  BIGNUM *ec_scalar = NULL;
   ECDSA_SIG *sig = NULL;
   int ret = 0;
 
@@ -602,6 +636,30 @@ int boringssl_fips_self_test(
     goto err;
   }
 
+  // Primitive Z Computation KAT (IG 9.6).
+  ec_group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
+  if (ec_group == NULL) {
+    fprintf(stderr, "Failed to create P-256 group.\n");
+    goto err;
+  }
+  ec_point_in = EC_POINT_new(ec_group);
+  ec_point_out = EC_POINT_new(ec_group);
+  ec_scalar = BN_new();
+  uint8_t z_comp_result[65];
+  if (ec_point_in == NULL || ec_point_out == NULL || ec_scalar == NULL ||
+      !EC_POINT_oct2point(ec_group, ec_point_in, kP256Point, sizeof(kP256Point),
+                          NULL) ||
+      !BN_bin2bn(kP256Scalar, sizeof(kP256Scalar), ec_scalar) ||
+      !EC_POINT_mul(ec_group, ec_point_out, NULL, ec_point_in, ec_scalar,
+                    NULL) ||
+      !EC_POINT_point2oct(ec_group, ec_point_out, POINT_CONVERSION_UNCOMPRESSED,
+                          z_comp_result, sizeof(z_comp_result), NULL) ||
+      !check_test(kP256PointResult, z_comp_result, sizeof(z_comp_result),
+                  "Z Computation Result")) {
+    fprintf(stderr, "Z Computation KAT failed.\n");
+    goto err;
+  }
+
   // DBRG KAT
   CTR_DRBG_STATE drbg;
   if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization,
@@ -642,6 +700,10 @@ err:
   EVP_AEAD_CTX_cleanup(&aead_ctx);
   RSA_free(rsa_key);
   EC_KEY_free(ec_key);
+  EC_POINT_free(ec_point_in);
+  EC_POINT_free(ec_point_out);
+  EC_GROUP_free(ec_group);
+  BN_free(ec_scalar);
   ECDSA_SIG_free(sig);
 
   return ret;

data/third_party/boringssl-with-bazel/src/crypto/mem.c

@@ -72,6 +72,8 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
 
 
 #define OPENSSL_MALLOC_PREFIX 8
+OPENSSL_STATIC_ASSERT(OPENSSL_MALLOC_PREFIX >= sizeof(size_t),
+                      "size_t too large");
 
 #if defined(OPENSSL_ASAN)
 void __asan_poison_memory_region(const volatile void *addr, size_t size);
@@ -101,13 +103,21 @@ static void __asan_unpoison_memory_region(const void *addr, size_t size) {}
 // linked. This isn't an ideal result, but its helps in some cases.
 WEAK_SYMBOL_FUNC(void, sdallocx, (void *ptr, size_t size, int flags));
 
-// The following two functions are for memory tracking. They are no-ops by
-// default but can be overridden at link time if the application needs to
-// observe heap operations.
-WEAK_SYMBOL_FUNC(void, OPENSSL_track_memory_alloc, (void *ptr, size_t size));
-WEAK_SYMBOL_FUNC(void, OPENSSL_track_memory_free, (void *ptr, size_t size));
+// The following three functions can be defined to override default heap
+// allocation and freeing. If defined, it is the responsibility of
+// |OPENSSL_memory_free| to zero out the memory before returning it to the
+// system. |OPENSSL_memory_free| will not be passed NULL pointers.
+WEAK_SYMBOL_FUNC(void*, OPENSSL_memory_alloc, (size_t size));
+WEAK_SYMBOL_FUNC(void, OPENSSL_memory_free, (void *ptr));
+WEAK_SYMBOL_FUNC(size_t, OPENSSL_memory_get_size, (void *ptr));
 
 void *OPENSSL_malloc(size_t size) {
+  if (OPENSSL_memory_alloc != NULL) {
+    assert(OPENSSL_memory_free != NULL);
+    assert(OPENSSL_memory_get_size != NULL);
+    return OPENSSL_memory_alloc(size);
+  }
+
   if (size + OPENSSL_MALLOC_PREFIX < size) {
     return NULL;
   }
@@ -120,9 +130,6 @@ void *OPENSSL_malloc(size_t size) {
   *(size_t *)ptr = size;
 
   __asan_poison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);
-  if (OPENSSL_track_memory_alloc) {
-    OPENSSL_track_memory_alloc(ptr, size + OPENSSL_MALLOC_PREFIX);
-  }
   return ((uint8_t *)ptr) + OPENSSL_MALLOC_PREFIX;
 }
 
@@ -131,13 +138,15 @@ void OPENSSL_free(void *orig_ptr) {
     return;
   }
 
+  if (OPENSSL_memory_free != NULL) {
+    OPENSSL_memory_free(orig_ptr);
+    return;
+  }
+
   void *ptr = ((uint8_t *)orig_ptr) - OPENSSL_MALLOC_PREFIX;
   __asan_unpoison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);
 
   size_t size = *(size_t *)ptr;
-  if (OPENSSL_track_memory_free) {
-    OPENSSL_track_memory_free(ptr, size + OPENSSL_MALLOC_PREFIX);
-  }
   OPENSSL_cleanse(ptr, size + OPENSSL_MALLOC_PREFIX);
   if (sdallocx) {
     sdallocx(ptr, size + OPENSSL_MALLOC_PREFIX, 0 /* flags */);
@@ -151,10 +160,15 @@ void *OPENSSL_realloc(void *orig_ptr, size_t new_size) {
     return OPENSSL_malloc(new_size);
   }
 
-  void *ptr = ((uint8_t *)orig_ptr) - OPENSSL_MALLOC_PREFIX;
-  __asan_unpoison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);
-  size_t old_size = *(size_t *)ptr;
-  __asan_poison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);
+  size_t old_size;
+  if (OPENSSL_memory_get_size != NULL) {
+    old_size = OPENSSL_memory_get_size(orig_ptr);
+  } else {
+    void *ptr = ((uint8_t *)orig_ptr) - OPENSSL_MALLOC_PREFIX;
+    __asan_unpoison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);
+    old_size = *(size_t *)ptr;
+    __asan_poison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);
+  }
 
   void *ret = OPENSSL_malloc(new_size);
   if (ret == NULL) {