RubyGems - grpc - Versions diffs - 1.37.0.pre1 → 1.39.0.pre1 - Mend

grpc 1.37.0.pre1 → 1.39.0.pre1

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (636) hide show

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c CHANGED Viewed

@@ -1232,6 +1232,10 @@ void ec_set_to_safe_point(const EC_GROUP *group, EC_RAW_POINT *out) {
 void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag) {}
+int EC_GROUP_get_asn1_flag(const EC_GROUP *group) {
+  return OPENSSL_EC_NAMED_CURVE;
+}
 const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group) {
   // This function exists purely to give callers a way to call
   // |EC_METHOD_get_field_type|. cryptography.io crashes if |EC_GROUP_method_of|

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c CHANGED Viewed

@@ -171,7 +171,6 @@ void EC_KEY_free(EC_KEY *r) {
   EC_GROUP_free(r->group);
   EC_POINT_free(r->pub_key);
   ec_wrapped_scalar_free(r->priv_key);
-  BN_free(r->fixed_k);
   CRYPTO_free_ex_data(g_ec_ex_data_class_bss_get(), r, &r->ex_data);

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h CHANGED Viewed

@@ -729,10 +729,6 @@ struct ec_key_st {
   EC_POINT *pub_key;
   EC_WRAPPED_SCALAR *priv_key;
-  // fixed_k may contain a specific value of 'k', to be used in ECDSA signing.
-  // This is only for the FIPS power-on tests.
-  BIGNUM *fixed_k;
   unsigned int enc_flag;
   point_conversion_form_t conv_form;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c CHANGED Viewed

@@ -61,9 +61,10 @@
 #include <openssl/sha.h>
 #include <openssl/type_check.h>
+#include "../../internal.h"
 #include "../bn/internal.h"
 #include "../ec/internal.h"
-#include "../../internal.h"
+#include "internal.h"
 // digest_to_scalar interprets |digest_len| bytes from |digest| as a scalar for
@@ -198,70 +199,74 @@ int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,
   return 1;
 }
-static int ecdsa_sign_setup(const EC_KEY *eckey, EC_SCALAR *out_kinv_mont,
-                            EC_SCALAR *out_r, const uint8_t *digest,
-                            size_t digest_len, const EC_SCALAR *priv_key) {
+static ECDSA_SIG *ecdsa_sign_impl(const EC_GROUP *group, int *out_retry,
+                                  const EC_SCALAR *priv_key, const EC_SCALAR *k,
+                                  const uint8_t *digest, size_t digest_len) {
+  *out_retry = 0;
   // Check that the size of the group order is FIPS compliant (FIPS 186-4
   // B.5.2).
-  const EC_GROUP *group = EC_KEY_get0_group(eckey);
   const BIGNUM *order = EC_GROUP_get0_order(group);
   if (BN_num_bits(order) < 160) {
     OPENSSL_PUT_ERROR(ECDSA, EC_R_INVALID_GROUP_ORDER);
-    return 0;
+    return NULL;
   }
-  int ret = 0;
-  EC_SCALAR k;
+  // Compute r, the x-coordinate of k * generator.
   EC_RAW_POINT tmp_point;
-  do {
-    // Include the private key and message digest in the k generation.
-    if (eckey->fixed_k != NULL) {
-      if (!ec_bignum_to_scalar(group, &k, eckey->fixed_k)) {
-        goto err;
-      }
-      if (ec_scalar_is_zero(group, &k)) {
-        OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
-        goto err;
-      }
-    } else {
-      // Pass a SHA512 hash of the private key and digest as additional data
-      // into the RBG. This is a hardening measure against entropy failure.
-      OPENSSL_STATIC_ASSERT(SHA512_DIGEST_LENGTH >= 32,
-                            "additional_data is too large for SHA-512");
-      SHA512_CTX sha;
-      uint8_t additional_data[SHA512_DIGEST_LENGTH];
-      SHA512_Init(&sha);
-      SHA512_Update(&sha, priv_key->words, order->width * sizeof(BN_ULONG));
-      SHA512_Update(&sha, digest, digest_len);
-      SHA512_Final(additional_data, &sha);
-      if (!ec_random_nonzero_scalar(group, &k, additional_data)) {
-        goto err;
-      }
-    }
+  EC_SCALAR r;
+  if (!ec_point_mul_scalar_base(group, &tmp_point, k) ||
+      !ec_get_x_coordinate_as_scalar(group, &r, &tmp_point)) {
+    return NULL;
+  }
-    // Compute k^-1 in the Montgomery domain. This is |ec_scalar_to_montgomery|
-    // followed by |ec_scalar_inv0_montgomery|, but |ec_scalar_inv0_montgomery|
-    // followed by |ec_scalar_from_montgomery| is equivalent and slightly more
-    // efficient. Note k is non-zero, so the inverse must exist.
-    ec_scalar_inv0_montgomery(group, out_kinv_mont, &k);
-    ec_scalar_from_montgomery(group, out_kinv_mont, out_kinv_mont);
-    // Compute r, the x-coordinate of generator * k.
-    if (!ec_point_mul_scalar_base(group, &tmp_point, &k) ||
-        !ec_get_x_coordinate_as_scalar(group, out_r, &tmp_point)) {
-      goto err;
-    }
-  } while (ec_scalar_is_zero(group, out_r));
+  if (ec_scalar_is_zero(group, &r)) {
+    *out_retry = 1;
+    return NULL;
+  }
-  ret = 1;
+  // s = priv_key * r. Note if only one parameter is in the Montgomery domain,
+  // |ec_scalar_mod_mul_montgomery| will compute the answer in the normal
+  // domain.
+  EC_SCALAR s;
+  ec_scalar_to_montgomery(group, &s, &r);
+  ec_scalar_mul_montgomery(group, &s, priv_key, &s);
+  // s = m + priv_key * r.
+  EC_SCALAR tmp;
+  digest_to_scalar(group, &tmp, digest, digest_len);
+  ec_scalar_add(group, &s, &s, &tmp);
+  // s = k^-1 * (m + priv_key * r). First, we compute k^-1 in the Montgomery
+  // domain. This is |ec_scalar_to_montgomery| followed by
+  // |ec_scalar_inv0_montgomery|, but |ec_scalar_inv0_montgomery| followed by
+  // |ec_scalar_from_montgomery| is equivalent and slightly more efficient.
+  // Then, as above, only one parameter is in the Montgomery domain, so the
+  // result is in the normal domain. Finally, note k is non-zero (or computing r
+  // would fail), so the inverse must exist.
+  ec_scalar_inv0_montgomery(group, &tmp, k);     // tmp = k^-1 R^2
+  ec_scalar_from_montgomery(group, &tmp, &tmp);  // tmp = k^-1 R
+  ec_scalar_mul_montgomery(group, &s, &s, &tmp);
+  if (ec_scalar_is_zero(group, &s)) {
+    *out_retry = 1;
+    return NULL;
+  }
-err:
-  OPENSSL_cleanse(&k, sizeof(k));
+  ECDSA_SIG *ret = ECDSA_SIG_new();
+  if (ret == NULL ||  //
+      !bn_set_words(ret->r, r.words, order->width) ||
+      !bn_set_words(ret->s, s.words, order->width)) {
+    ECDSA_SIG_free(ret);
+    return NULL;
+  }
   return ret;
 }
-ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
-                         const EC_KEY *eckey) {
+ECDSA_SIG *ecdsa_sign_with_nonce_for_known_answer_test(const uint8_t *digest,
+                                                       size_t digest_len,
+                                                       const EC_KEY *eckey,
+                                                       const uint8_t *nonce,
+                                                       size_t nonce_len) {
   if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {
     OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
     return NULL;
@@ -272,57 +277,63 @@ ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
     OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
     return NULL;
   }
-  const BIGNUM *order = EC_GROUP_get0_order(group);
   const EC_SCALAR *priv_key = &eckey->priv_key->scalar;
-  int ok = 0;
-  ECDSA_SIG *ret = ECDSA_SIG_new();
-  EC_SCALAR kinv_mont, r_mont, s, m, tmp;
-  if (ret == NULL) {
-    OPENSSL_PUT_ERROR(ECDSA, ERR_R_MALLOC_FAILURE);
+  EC_SCALAR k;
+  if (!ec_scalar_from_bytes(group, &k, nonce, nonce_len)) {
     return NULL;
   }
+  int retry_ignored;
+  return ecdsa_sign_impl(group, &retry_ignored, priv_key, &k, digest,
+                         digest_len);
+}
-  digest_to_scalar(group, &m, digest, digest_len);
-  for (;;) {
-    if (!ecdsa_sign_setup(eckey, &kinv_mont, &r_mont, digest, digest_len,
-                          priv_key) ||
-        !bn_set_words(ret->r, r_mont.words, order->width)) {
-      goto err;
-    }
-    // Compute priv_key * r (mod order). Note if only one parameter is in the
-    // Montgomery domain, |ec_scalar_mod_mul_montgomery| will compute the answer
-    // in the normal domain.
-    ec_scalar_to_montgomery(group, &r_mont, &r_mont);
-    ec_scalar_mul_montgomery(group, &s, priv_key, &r_mont);
+// This function is only exported for testing and is not called in production
+// code.
+ECDSA_SIG *ECDSA_sign_with_nonce_and_leak_private_key_for_testing(
+    const uint8_t *digest, size_t digest_len, const EC_KEY *eckey,
+    const uint8_t *nonce, size_t nonce_len) {
+  return ecdsa_sign_with_nonce_for_known_answer_test(digest, digest_len, eckey,
+                                                     nonce, nonce_len);
+}
-    // Compute tmp = m + priv_key * r.
-    ec_scalar_add(group, &tmp, &m, &s);
+ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
+                         const EC_KEY *eckey) {
+  if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {
+    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
+    return NULL;
+  }
-    // Finally, multiply s by k^-1. That was retained in Montgomery form, so the
-    // same technique as the previous multiplication works.
-    ec_scalar_mul_montgomery(group, &s, &tmp, &kinv_mont);
-    if (!bn_set_words(ret->s, s.words, order->width)) {
-      goto err;
-    }
-    if (!BN_is_zero(ret->s)) {
-      // s != 0 => we have a valid signature
-      break;
-    }
+  const EC_GROUP *group = EC_KEY_get0_group(eckey);
+  if (group == NULL || eckey->priv_key == NULL) {
+    OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
+    return NULL;
   }
+  const BIGNUM *order = EC_GROUP_get0_order(group);
+  const EC_SCALAR *priv_key = &eckey->priv_key->scalar;
-  ok = 1;
+  // Pass a SHA512 hash of the private key and digest as additional data
+  // into the RBG. This is a hardening measure against entropy failure.
+  OPENSSL_STATIC_ASSERT(SHA512_DIGEST_LENGTH >= 32,
+                        "additional_data is too large for SHA-512");
+  SHA512_CTX sha;
+  uint8_t additional_data[SHA512_DIGEST_LENGTH];
+  SHA512_Init(&sha);
+  SHA512_Update(&sha, priv_key->words, order->width * sizeof(BN_ULONG));
+  SHA512_Update(&sha, digest, digest_len);
+  SHA512_Final(additional_data, &sha);
-err:
-  if (!ok) {
-    ECDSA_SIG_free(ret);
-    ret = NULL;
+  for (;;) {
+    EC_SCALAR k;
+    if (!ec_random_nonzero_scalar(group, &k, additional_data)) {
+      return NULL;
+    }
+    int retry;
+    ECDSA_SIG *sig =
+        ecdsa_sign_impl(group, &retry, priv_key, &k, digest, digest_len);
+    if (sig != NULL || !retry) {
+      return sig;
+    }
   }
-  OPENSSL_cleanse(&kinv_mont, sizeof(kinv_mont));
-  OPENSSL_cleanse(&r_mont, sizeof(r_mont));
-  OPENSSL_cleanse(&s, sizeof(s));
-  OPENSSL_cleanse(&tmp, sizeof(tmp));
-  OPENSSL_cleanse(&m, sizeof(m));
-  return ret;
 }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h ADDED Viewed

@@ -0,0 +1,39 @@
+/* Copyright (c) 2021, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_ECDSA_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_ECDSA_INTERNAL_H
+#include <openssl/base.h>
+#if defined(__cplusplus)
+extern "C" {
+#endif
+// ecdsa_sign_with_nonce_for_known_answer_test behaves like |ECDSA_do_sign| but
+// takes a fixed nonce. This function is used as part of known-answer tests in
+// the FIPS module.
+ECDSA_SIG *ecdsa_sign_with_nonce_for_known_answer_test(const uint8_t *digest,
+                                                       size_t digest_len,
+                                                       const EC_KEY *eckey,
+                                                       const uint8_t *nonce,
+                                                       size_t nonce_len);
+#if defined(__cplusplus)
+}
+#endif
+#endif  // OPENSSL_HEADER_CRYPTO_FIPSMODULE_ECDSA_INTERNAL_H

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c CHANGED Viewed

@@ -60,6 +60,7 @@
 #include <string.h>
 #include "../../internal.h"
+#include "../digest/md32_common.h"
 uint8_t *MD4(const uint8_t *data, size_t len, uint8_t out[MD4_DIGEST_LENGTH]) {
@@ -84,29 +85,26 @@ int MD4_Init(MD4_CTX *md4) {
 void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num);
-#define DATA_ORDER_IS_LITTLE_ENDIAN
+void MD4_Transform(MD4_CTX *c, const uint8_t data[MD4_CBLOCK]) {
+  md4_block_data_order(c->h, data, 1);
+}
-#define HASH_CTX MD4_CTX
-#define HASH_CBLOCK 64
-#define HASH_DIGEST_LENGTH 16
-#define HASH_UPDATE MD4_Update
-#define HASH_TRANSFORM MD4_Transform
-#define HASH_FINAL MD4_Final
-#define HASH_MAKE_STRING(c, s) \
-  do {                         \
-    uint32_t ll;               \
-    ll = (c)->h[0];            \
-    HOST_l2c(ll, (s));         \
-    ll = (c)->h[1];            \
-    HOST_l2c(ll, (s));         \
-    ll = (c)->h[2];            \
-    HOST_l2c(ll, (s));         \
-    ll = (c)->h[3];            \
-    HOST_l2c(ll, (s));         \
-  } while (0)
-#define HASH_BLOCK_DATA_ORDER md4_block_data_order
+int MD4_Update(MD4_CTX *c, const void *data, size_t len) {
+  crypto_md32_update(&md4_block_data_order, c->h, c->data, MD4_CBLOCK, &c->num,
+                     &c->Nh, &c->Nl, data, len);
+  return 1;
+}
-#include "../digest/md32_common.h"
+int MD4_Final(uint8_t out[MD4_DIGEST_LENGTH], MD4_CTX *c) {
+  crypto_md32_final(&md4_block_data_order, c->h, c->data, MD4_CBLOCK, &c->num,
+                    c->Nh, c->Nl, /*is_big_endian=*/0);
+  CRYPTO_store_u32_le(out, c->h[0]);
+  CRYPTO_store_u32_le(out + 4, c->h[1]);
+  CRYPTO_store_u32_le(out + 8, c->h[2]);
+  CRYPTO_store_u32_le(out + 12, c->h[3]);
+  return 1;
+}
 // As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
 // simplified to the code below.  Wei attributes these optimizations
@@ -136,7 +134,7 @@ void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num);
   } while (0)
 void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num) {
-  uint32_t A, B, C, D, l;
+  uint32_t A, B, C, D;
   uint32_t X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X12, X13, X14, X15;
   A = state[0];
@@ -145,53 +143,53 @@ void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num) {
   D = state[3];
   for (; num--;) {
-    HOST_c2l(data, l);
-    X0 = l;
-    HOST_c2l(data, l);
-    X1 = l;
+    X0 = CRYPTO_load_u32_le(data);
+    data += 4;
+    X1 = CRYPTO_load_u32_le(data);
+    data += 4;
     // Round 0
     R0(A, B, C, D, X0, 3, 0);
-    HOST_c2l(data, l);
-    X2 = l;
+    X2 = CRYPTO_load_u32_le(data);
+    data += 4;
     R0(D, A, B, C, X1, 7, 0);
-    HOST_c2l(data, l);
-    X3 = l;
+    X3 = CRYPTO_load_u32_le(data);
+    data += 4;
     R0(C, D, A, B, X2, 11, 0);
-    HOST_c2l(data, l);
-    X4 = l;
+    X4 = CRYPTO_load_u32_le(data);
+    data += 4;
     R0(B, C, D, A, X3, 19, 0);
-    HOST_c2l(data, l);
-    X5 = l;
+    X5 = CRYPTO_load_u32_le(data);
+    data += 4;
     R0(A, B, C, D, X4, 3, 0);
-    HOST_c2l(data, l);
-    X6 = l;
+    X6 = CRYPTO_load_u32_le(data);
+    data += 4;
     R0(D, A, B, C, X5, 7, 0);
-    HOST_c2l(data, l);
-    X7 = l;
+    X7 = CRYPTO_load_u32_le(data);
+    data += 4;
     R0(C, D, A, B, X6, 11, 0);
-    HOST_c2l(data, l);
-    X8 = l;
+    X8 = CRYPTO_load_u32_le(data);
+    data += 4;
     R0(B, C, D, A, X7, 19, 0);
-    HOST_c2l(data, l);
-    X9 = l;
+    X9 = CRYPTO_load_u32_le(data);
+    data += 4;
     R0(A, B, C, D, X8, 3, 0);
-    HOST_c2l(data, l);
-    X10 = l;
+    X10 = CRYPTO_load_u32_le(data);
+    data += 4;
     R0(D, A, B, C, X9, 7, 0);
-    HOST_c2l(data, l);
-    X11 = l;
+    X11 = CRYPTO_load_u32_le(data);
+    data += 4;
     R0(C, D, A, B, X10, 11, 0);
-    HOST_c2l(data, l);
-    X12 = l;
+    X12 = CRYPTO_load_u32_le(data);
+    data += 4;
     R0(B, C, D, A, X11, 19, 0);
-    HOST_c2l(data, l);
-    X13 = l;
+    X13 = CRYPTO_load_u32_le(data);
+    data += 4;
     R0(A, B, C, D, X12, 3, 0);
-    HOST_c2l(data, l);
-    X14 = l;
+    X14 = CRYPTO_load_u32_le(data);
+    data += 4;
     R0(D, A, B, C, X13, 7, 0);
-    HOST_c2l(data, l);
-    X15 = l;
+    X15 = CRYPTO_load_u32_le(data);
+    data += 4;
     R0(C, D, A, B, X14, 11, 0);
     R0(B, C, D, A, X15, 19, 0);
     // Round 1
@@ -236,15 +234,6 @@ void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num) {
   }
 }
-#undef DATA_ORDER_IS_LITTLE_ENDIAN
-#undef HASH_CTX
-#undef HASH_CBLOCK
-#undef HASH_DIGEST_LENGTH
-#undef HASH_UPDATE
-#undef HASH_TRANSFORM
-#undef HASH_FINAL
-#undef HASH_MAKE_STRING
-#undef HASH_BLOCK_DATA_ORDER
 #undef F
 #undef G
 #undef H
@@ -252,5 +241,3 @@ void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num) {
 #undef R0
 #undef R1
 #undef R2
-#undef HOST_c2l
-#undef HOST_l2c