grpc 1.41.0.pre2 → 1.42.0

data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c

@@ -32,8 +32,6 @@ typedef struct { uint32_t words[16]; } block_t;
 
 OPENSSL_STATIC_ASSERT(sizeof(block_t) == 64, "block_t has padding");
 
-#define R(a, b) (((a) << (b)) | ((a) >> (32 - (b))))
-
 // salsa208_word_specification implements the Salsa20/8 core function, also
 // described in RFC 7914, section 3. It modifies the block at |inout|
 // in-place.
@@ -42,38 +40,38 @@ static void salsa208_word_specification(block_t *inout) {
   OPENSSL_memcpy(&x, inout, sizeof(x));
 
   for (int i = 8; i > 0; i -= 2) {
-    x.words[4] ^= R(x.words[0] + x.words[12], 7);
-    x.words[8] ^= R(x.words[4] + x.words[0], 9);
-    x.words[12] ^= R(x.words[8] + x.words[4], 13);
-    x.words[0] ^= R(x.words[12] + x.words[8], 18);
-    x.words[9] ^= R(x.words[5] + x.words[1], 7);
-    x.words[13] ^= R(x.words[9] + x.words[5], 9);
-    x.words[1] ^= R(x.words[13] + x.words[9], 13);
-    x.words[5] ^= R(x.words[1] + x.words[13], 18);
-    x.words[14] ^= R(x.words[10] + x.words[6], 7);
-    x.words[2] ^= R(x.words[14] + x.words[10], 9);
-    x.words[6] ^= R(x.words[2] + x.words[14], 13);
-    x.words[10] ^= R(x.words[6] + x.words[2], 18);
-    x.words[3] ^= R(x.words[15] + x.words[11], 7);
-    x.words[7] ^= R(x.words[3] + x.words[15], 9);
-    x.words[11] ^= R(x.words[7] + x.words[3], 13);
-    x.words[15] ^= R(x.words[11] + x.words[7], 18);
-    x.words[1] ^= R(x.words[0] + x.words[3], 7);
-    x.words[2] ^= R(x.words[1] + x.words[0], 9);
-    x.words[3] ^= R(x.words[2] + x.words[1], 13);
-    x.words[0] ^= R(x.words[3] + x.words[2], 18);
-    x.words[6] ^= R(x.words[5] + x.words[4], 7);
-    x.words[7] ^= R(x.words[6] + x.words[5], 9);
-    x.words[4] ^= R(x.words[7] + x.words[6], 13);
-    x.words[5] ^= R(x.words[4] + x.words[7], 18);
-    x.words[11] ^= R(x.words[10] + x.words[9], 7);
-    x.words[8] ^= R(x.words[11] + x.words[10], 9);
-    x.words[9] ^= R(x.words[8] + x.words[11], 13);
-    x.words[10] ^= R(x.words[9] + x.words[8], 18);
-    x.words[12] ^= R(x.words[15] + x.words[14], 7);
-    x.words[13] ^= R(x.words[12] + x.words[15], 9);
-    x.words[14] ^= R(x.words[13] + x.words[12], 13);
-    x.words[15] ^= R(x.words[14] + x.words[13], 18);
+    x.words[4] ^= CRYPTO_rotl_u32(x.words[0] + x.words[12], 7);
+    x.words[8] ^= CRYPTO_rotl_u32(x.words[4] + x.words[0], 9);
+    x.words[12] ^= CRYPTO_rotl_u32(x.words[8] + x.words[4], 13);
+    x.words[0] ^= CRYPTO_rotl_u32(x.words[12] + x.words[8], 18);
+    x.words[9] ^= CRYPTO_rotl_u32(x.words[5] + x.words[1], 7);
+    x.words[13] ^= CRYPTO_rotl_u32(x.words[9] + x.words[5], 9);
+    x.words[1] ^= CRYPTO_rotl_u32(x.words[13] + x.words[9], 13);
+    x.words[5] ^= CRYPTO_rotl_u32(x.words[1] + x.words[13], 18);
+    x.words[14] ^= CRYPTO_rotl_u32(x.words[10] + x.words[6], 7);
+    x.words[2] ^= CRYPTO_rotl_u32(x.words[14] + x.words[10], 9);
+    x.words[6] ^= CRYPTO_rotl_u32(x.words[2] + x.words[14], 13);
+    x.words[10] ^= CRYPTO_rotl_u32(x.words[6] + x.words[2], 18);
+    x.words[3] ^= CRYPTO_rotl_u32(x.words[15] + x.words[11], 7);
+    x.words[7] ^= CRYPTO_rotl_u32(x.words[3] + x.words[15], 9);
+    x.words[11] ^= CRYPTO_rotl_u32(x.words[7] + x.words[3], 13);
+    x.words[15] ^= CRYPTO_rotl_u32(x.words[11] + x.words[7], 18);
+    x.words[1] ^= CRYPTO_rotl_u32(x.words[0] + x.words[3], 7);
+    x.words[2] ^= CRYPTO_rotl_u32(x.words[1] + x.words[0], 9);
+    x.words[3] ^= CRYPTO_rotl_u32(x.words[2] + x.words[1], 13);
+    x.words[0] ^= CRYPTO_rotl_u32(x.words[3] + x.words[2], 18);
+    x.words[6] ^= CRYPTO_rotl_u32(x.words[5] + x.words[4], 7);
+    x.words[7] ^= CRYPTO_rotl_u32(x.words[6] + x.words[5], 9);
+    x.words[4] ^= CRYPTO_rotl_u32(x.words[7] + x.words[6], 13);
+    x.words[5] ^= CRYPTO_rotl_u32(x.words[4] + x.words[7], 18);
+    x.words[11] ^= CRYPTO_rotl_u32(x.words[10] + x.words[9], 7);
+    x.words[8] ^= CRYPTO_rotl_u32(x.words[11] + x.words[10], 9);
+    x.words[9] ^= CRYPTO_rotl_u32(x.words[8] + x.words[11], 13);
+    x.words[10] ^= CRYPTO_rotl_u32(x.words[9] + x.words[8], 18);
+    x.words[12] ^= CRYPTO_rotl_u32(x.words[15] + x.words[14], 7);
+    x.words[13] ^= CRYPTO_rotl_u32(x.words[12] + x.words[15], 9);
+    x.words[14] ^= CRYPTO_rotl_u32(x.words[13] + x.words[12], 13);
+    x.words[15] ^= CRYPTO_rotl_u32(x.words[14] + x.words[13], 18);
   }
 
   for (int i = 0; i < 16; ++i) {

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c

@@ -456,7 +456,7 @@ void bn_mod_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
 
 int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder,
                      const BIGNUM *numerator, const BIGNUM *divisor,
-                     BN_CTX *ctx) {
+                     unsigned divisor_min_bits, BN_CTX *ctx) {
   if (BN_is_negative(numerator) || BN_is_negative(divisor)) {
     OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
     return 0;
@@ -496,8 +496,26 @@ int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder,
   r->neg = 0;
 
   // Incorporate |numerator| into |r|, one bit at a time, reducing after each
-  // step. At the start of each loop iteration, |r| < |divisor|
-  for (int i = numerator->width - 1; i >= 0; i--) {
+  // step. We maintain the invariant that |0 <= r < divisor| and
+  // |q * divisor + r = n| where |n| is the portion of |numerator| incorporated
+  // so far.
+  //
+  // First, we short-circuit the loop: if we know |divisor| has at least
+  // |divisor_min_bits| bits, the top |divisor_min_bits - 1| can be incorporated
+  // without reductions. This significantly speeds up |RSA_check_key|. For
+  // simplicity, we round down to a whole number of words.
+  assert(divisor_min_bits <= BN_num_bits(divisor));
+  int initial_words = 0;
+  if (divisor_min_bits > 0) {
+    initial_words = (divisor_min_bits - 1) / BN_BITS2;
+    if (initial_words > numerator->width) {
+      initial_words = numerator->width;
+    }
+    OPENSSL_memcpy(r->d, numerator->d + numerator->width - initial_words,
+                   initial_words * sizeof(BN_ULONG));
+  }
+
+  for (int i = numerator->width - initial_words - 1; i >= 0; i--) {
     for (int bit = BN_BITS2 - 1; bit >= 0; bit--) {
       // Incorporate the next bit of the numerator, by computing
       // r = 2*r or 2*r + 1. Note the result fits in one more word. We store the

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c

@@ -157,10 +157,11 @@ int bn_lcm_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
   BN_CTX_start(ctx);
   unsigned shift;
   BIGNUM *gcd = BN_CTX_get(ctx);
-  int ret = gcd != NULL &&
+  int ret = gcd != NULL &&  //
             bn_mul_consttime(r, a, b, ctx) &&
             bn_gcd_consttime(gcd, &shift, a, b, ctx) &&
-            bn_div_consttime(r, NULL, r, gcd, ctx) &&
+            // |gcd| has a secret bit width.
+            bn_div_consttime(r, NULL, r, gcd, /*divisor_min_bits=*/0, ctx) &&
             bn_rshift_secret_shift(r, r, shift, ctx);
   BN_CTX_end(ctx);
   return ret;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h

@@ -552,12 +552,15 @@ int bn_sqr_consttime(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
 // bn_div_consttime behaves like |BN_div|, but it rejects negative inputs and
 // treats both inputs, including their magnitudes, as secret. It is, as a
 // result, much slower than |BN_div| and should only be used for rare operations
-// where Montgomery reduction is not available.
+// where Montgomery reduction is not available. |divisor_min_bits| is a
+// public lower bound for |BN_num_bits(divisor)|. When |divisor|'s bit width is
+// public, this can speed up the operation.
 //
 // Note that |quotient->width| will be set pessimally to |numerator->width|.
 OPENSSL_EXPORT int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder,
                                     const BIGNUM *numerator,
-                                    const BIGNUM *divisor, BN_CTX *ctx);
+                                    const BIGNUM *divisor,
+                                    unsigned divisor_min_bits, BN_CTX *ctx);
 
 // bn_is_relatively_prime checks whether GCD(|x|, |y|) is one. On success, it
 // returns one and sets |*out_relatively_prime| to one if the GCD was one and

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c

@@ -75,10 +75,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
       if (ret == NULL) {
         ret = BN_new();
       }
-      if (ret == NULL) {
-        goto end;
-      }
-      if (!BN_set_word(ret, BN_is_bit_set(a, 0))) {
+      if (ret == NULL ||
+          !BN_set_word(ret, BN_is_bit_set(a, 0))) {
         if (ret != in) {
           BN_free(ret);
         }
@@ -88,17 +86,15 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
     }
 
     OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);
-    return (NULL);
+    return NULL;
   }
 
   if (BN_is_zero(a) || BN_is_one(a)) {
     if (ret == NULL) {
       ret = BN_new();
     }
-    if (ret == NULL) {
-      goto end;
-    }
-    if (!BN_set_word(ret, BN_is_one(a))) {
+    if (ret == NULL ||
+        !BN_set_word(ret, BN_is_one(a))) {
       if (ret != in) {
         BN_free(ret);
       }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c

@@ -911,6 +911,16 @@ static int aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx *gcm_ctx,
                                   size_t key_len, size_t tag_len) {
   const size_t key_bits = key_len * 8;
 
+  switch (key_bits) {
+    case 128:
+      boringssl_fips_inc_counter(fips_counter_evp_aes_128_gcm);
+      break;
+
+    case 256:
+      boringssl_fips_inc_counter(fips_counter_evp_aes_256_gcm);
+      break;
+  }
+
   if (key_bits != 128 && key_bits != 192 && key_bits != 256) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
     return 0;  // EVP_AEAD_CTX_init should catch this.

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/des/des.c

@@ -342,10 +342,10 @@ void DES_set_key(const DES_cblock *key, DES_key_schedule *schedule) {
 
     // table contained 0213 4657
     t2 = ((t << 16L) | (s & 0x0000ffffL)) & 0xffffffffL;
-    schedule->subkeys[i][0] = ROTATE(t2, 30) & 0xffffffffL;
+    schedule->subkeys[i][0] = CRYPTO_rotr_u32(t2, 30);
 
     t2 = ((s >> 16L) | (t & 0xffff0000L));
-    schedule->subkeys[i][1] = ROTATE(t2, 26) & 0xffffffffL;
+    schedule->subkeys[i][1] = CRYPTO_rotr_u32(t2, 26);
   }
 }
 
@@ -392,8 +392,8 @@ static void DES_encrypt1(uint32_t *data, const DES_key_schedule *ks, int enc) {
   // <71755.204@CompuServe.COM> for pointing this out.
   // clear the top bits on machines with 8byte longs
   // shift left by 2
-  r = ROTATE(r, 29) & 0xffffffffL;
-  l = ROTATE(l, 29) & 0xffffffffL;
+  r = CRYPTO_rotr_u32(r, 29);
+  l = CRYPTO_rotr_u32(l, 29);
 
   // I don't know if it is worth the effort of loop unrolling the
   // inner loop
@@ -434,8 +434,8 @@ static void DES_encrypt1(uint32_t *data, const DES_key_schedule *ks, int enc) {
   }
 
   // rotate and clear the top bits on machines with 8byte longs
-  l = ROTATE(l, 3) & 0xffffffffL;
-  r = ROTATE(r, 3) & 0xffffffffL;
+  l = CRYPTO_rotr_u32(l, 3);
+  r = CRYPTO_rotr_u32(r, 3);
 
   FP(r, l);
   data[0] = l;
@@ -454,8 +454,8 @@ static void DES_encrypt2(uint32_t *data, const DES_key_schedule *ks, int enc) {
   // sparc2. Thanks to Richard Outerbridge <71755.204@CompuServe.COM> for
   // pointing this out.
   // clear the top bits on machines with 8byte longs
-  r = ROTATE(r, 29) & 0xffffffffL;
-  l = ROTATE(l, 29) & 0xffffffffL;
+  r = CRYPTO_rotr_u32(r, 29);
+  l = CRYPTO_rotr_u32(l, 29);
 
   // I don't know if it is worth the effort of loop unrolling the
   // inner loop
@@ -495,8 +495,8 @@ static void DES_encrypt2(uint32_t *data, const DES_key_schedule *ks, int enc) {
     D_ENCRYPT(ks, r, l, 0);
   }
   // rotate and clear the top bits on machines with 8byte longs
-  data[0] = ROTATE(l, 3) & 0xffffffffL;
-  data[1] = ROTATE(r, 3) & 0xffffffffL;
+  data[0] = CRYPTO_rotr_u32(l, 3);
+  data[1] = CRYPTO_rotr_u32(r, 3);
 }
 
 void DES_encrypt3(uint32_t *data, const DES_key_schedule *ks1,
@@ -782,4 +782,3 @@ void DES_set_key_unchecked(const DES_cblock *key, DES_key_schedule *schedule) {
 #undef D_ENCRYPT
 #undef ITERATIONS
 #undef HALF_ITERATIONS
-#undef ROTATE

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/des/internal.h

@@ -218,7 +218,7 @@ how to use xors :-) I got it to its final state.
 #define D_ENCRYPT(ks, LL, R, S)                                                \
   do {                                                                         \
     LOAD_DATA(ks, R, S, u, t, E0, E1);                                         \
-    t = ROTATE(t, 4);                                                          \
+    t = CRYPTO_rotr_u32(t, 4);                                                 \
     (LL) ^=                                                                    \
         DES_SPtrans[0][(u >> 2L) & 0x3f] ^ DES_SPtrans[2][(u >> 10L) & 0x3f] ^ \
         DES_SPtrans[4][(u >> 18L) & 0x3f] ^                                    \
@@ -230,8 +230,6 @@ how to use xors :-) I got it to its final state.
 #define ITERATIONS 16
 #define HALF_ITERATIONS 8
 
-#define ROTATE(a, n) (((a) >> (n)) + ((a) << (32 - (n))))
-
 
 #if defined(__cplusplus)
 }  // extern C

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c

@@ -72,7 +72,7 @@ uint8_t *MD4(const uint8_t *data, size_t len, uint8_t out[MD4_DIGEST_LENGTH]) {
   return out;
 }
 
-// Implemented from RFC1186 The MD4 Message-Digest Algorithm.
+// Implemented from RFC 1186 The MD4 Message-Digest Algorithm.
 
 int MD4_Init(MD4_CTX *md4) {
   OPENSSL_memset(md4, 0, sizeof(MD4_CTX));
@@ -113,24 +113,22 @@ int MD4_Final(uint8_t out[MD4_DIGEST_LENGTH], MD4_CTX *c) {
 #define G(b, c, d) (((b) & (c)) | ((b) & (d)) | ((c) & (d)))
 #define H(b, c, d) ((b) ^ (c) ^ (d))
 
-#define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))
-
 #define R0(a, b, c, d, k, s, t)            \
   do {                                     \
     (a) += ((k) + (t) + F((b), (c), (d))); \
-    (a) = ROTATE(a, s);                    \
+    (a) = CRYPTO_rotl_u32(a, s);           \
   } while (0)
 
 #define R1(a, b, c, d, k, s, t)            \
   do {                                     \
     (a) += ((k) + (t) + G((b), (c), (d))); \
-    (a) = ROTATE(a, s);                    \
+    (a) = CRYPTO_rotl_u32(a, s);           \
   } while (0)
 
 #define R2(a, b, c, d, k, s, t)            \
   do {                                     \
     (a) += ((k) + (t) + H((b), (c), (d))); \
-    (a) = ROTATE(a, s);                    \
+    (a) = CRYPTO_rotl_u32(a, s);           \
   } while (0)
 
 void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num) {
@@ -237,7 +235,6 @@ void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num) {
 #undef F
 #undef G
 #undef H
-#undef ROTATE
 #undef R0
 #undef R1
 #undef R2

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md5/md5.c

@@ -119,33 +119,31 @@ int MD5_Final(uint8_t out[MD5_DIGEST_LENGTH], MD5_CTX *c) {
 #define H(b, c, d) ((b) ^ (c) ^ (d))
 #define I(b, c, d) (((~(d)) | (b)) ^ (c))
 
-#define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))
-
 #define R0(a, b, c, d, k, s, t)            \
   do {                                     \
     (a) += ((k) + (t) + F((b), (c), (d))); \
-    (a) = ROTATE(a, s);                    \
+    (a) = CRYPTO_rotl_u32(a, s);           \
     (a) += (b);                            \
   } while (0)
 
 #define R1(a, b, c, d, k, s, t)            \
   do {                                     \
     (a) += ((k) + (t) + G((b), (c), (d))); \
-    (a) = ROTATE(a, s);                    \
+    (a) = CRYPTO_rotl_u32(a, s);           \
     (a) += (b);                            \
   } while (0)
 
 #define R2(a, b, c, d, k, s, t)            \
   do {                                     \
     (a) += ((k) + (t) + H((b), (c), (d))); \
-    (a) = ROTATE(a, s);                    \
+    (a) = CRYPTO_rotl_u32(a, s);           \
     (a) += (b);                            \
   } while (0)
 
 #define R3(a, b, c, d, k, s, t)            \
   do {                                     \
     (a) += ((k) + (t) + I((b), (c), (d))); \
-    (a) = ROTATE(a, s);                    \
+    (a) = CRYPTO_rotl_u32(a, s);           \
     (a) += (b);                            \
   } while (0)
 
@@ -280,7 +278,6 @@ static void md5_block_data_order(uint32_t *state, const uint8_t *data,
 #undef G
 #undef H
 #undef I
-#undef ROTATE
 #undef R0
 #undef R1
 #undef R2

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c

@@ -193,7 +193,7 @@ static void gcm_mul64_nohw(uint64_t *out_lo, uint64_t *out_hi, uint64_t a,
 #endif  // BORINGSSL_HAS_UINT128
 
 void gcm_init_nohw(u128 Htable[16], const uint64_t Xi[2]) {
-  // We implement GHASH in terms of POLYVAL, as described in RFC8452. This
+  // We implement GHASH in terms of POLYVAL, as described in RFC 8452. This
   // avoids a shift by 1 in the multiplication, needed to account for bit
   // reversal losing a bit after multiplication, that is,
   // rev128(X) * rev128(Y) = rev255(X*Y).

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c

@@ -356,7 +356,7 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
     int used_cpu;
     rand_get_seed(state, seed, &used_cpu);
 
-    uint8_t personalization[CTR_DRBG_ENTROPY_LEN];
+    uint8_t personalization[CTR_DRBG_ENTROPY_LEN] = {0};
     size_t personalization_len = 0;
 #if defined(OPENSSL_URANDOM)
     // If we used RDRAND, also opportunistically read from the system. This

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c

@@ -206,6 +206,12 @@ void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
   }
 }
 
+const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa) {
+  // We do not support the id-RSASSA-PSS key encoding. If we add support later,
+  // the |maskHash| field should be filled in for OpenSSL compatibility.
+  return NULL;
+}
+
 void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
                          const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) {
   if (out_dmp1 != NULL) {
@@ -657,7 +663,8 @@ err:
 }
 
 static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
-                             const BIGNUM *m, BN_CTX *ctx) {
+                             const BIGNUM *m, unsigned m_min_bits,
+                             BN_CTX *ctx) {
   if (BN_is_negative(ainv) || BN_cmp(ainv, m) >= 0) {
     *out_ok = 0;
     return 1;
@@ -670,7 +677,7 @@ static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
   BIGNUM *tmp = BN_CTX_get(ctx);
   int ret = tmp != NULL &&
             bn_mul_consttime(tmp, a, ainv, ctx) &&
-            bn_div_consttime(NULL, tmp, tmp, m, ctx);
+            bn_div_consttime(NULL, tmp, tmp, m, m_min_bits, ctx);
   if (ret) {
     *out_ok = BN_is_one(tmp);
   }
@@ -750,10 +757,15 @@ int RSA_check_key(const RSA *key) {
   // simply check that d * e is one mod p-1 and mod q-1. Note d and e were bound
   // by earlier checks in this function.
   if (!bn_usub_consttime(&pm1, key->p, BN_value_one()) ||
-      !bn_usub_consttime(&qm1, key->q, BN_value_one()) ||
-      !bn_mul_consttime(&de, key->d, key->e, ctx) ||
-      !bn_div_consttime(NULL, &tmp, &de, &pm1, ctx) ||
-      !bn_div_consttime(NULL, &de, &de, &qm1, ctx)) {
+      !bn_usub_consttime(&qm1, key->q, BN_value_one())) {
+    OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
+    goto out;
+  }
+  const unsigned pm1_bits = BN_num_bits(&pm1);
+  const unsigned qm1_bits = BN_num_bits(&qm1);
+  if (!bn_mul_consttime(&de, key->d, key->e, ctx) ||
+      !bn_div_consttime(NULL, &tmp, &de, &pm1, pm1_bits, ctx) ||
+      !bn_div_consttime(NULL, &de, &de, &qm1, qm1_bits, ctx)) {
     OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
     goto out;
   }
@@ -772,9 +784,12 @@ int RSA_check_key(const RSA *key) {
 
   if (has_crt_values) {
     int dmp1_ok, dmq1_ok, iqmp_ok;
-    if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1, ctx) ||
-        !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1, ctx) ||
-        !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p, ctx)) {
+    if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1, pm1_bits, ctx) ||
+        !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1, qm1_bits, ctx) ||
+        // |p| is odd, so |pm1| and |p| have the same bit width. If they didn't,
+        // we only need a lower bound anyway.
+        !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p, pm1_bits,
+                           ctx)) {
       OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
       goto out;
     }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c

@@ -1262,12 +1262,14 @@ static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value,
     // values for d.
   } while (BN_cmp(rsa->d, pow2_prime_bits) <= 0);
 
+  assert(BN_num_bits(pm1) == (unsigned)prime_bits);
+  assert(BN_num_bits(qm1) == (unsigned)prime_bits);
   if (// Calculate n.
       !bn_mul_consttime(rsa->n, rsa->p, rsa->q, ctx) ||
       // Calculate d mod (p-1).
-      !bn_div_consttime(NULL, rsa->dmp1, rsa->d, pm1, ctx) ||
+      !bn_div_consttime(NULL, rsa->dmp1, rsa->d, pm1, prime_bits, ctx) ||
       // Calculate d mod (q-1)
-      !bn_div_consttime(NULL, rsa->dmq1, rsa->d, qm1, ctx)) {
+      !bn_div_consttime(NULL, rsa->dmq1, rsa->d, qm1, prime_bits, ctx)) {
     goto bn_err;
   }
   bn_set_minimal_width(rsa->n);

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c

@@ -111,11 +111,10 @@ int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) {
   return 1;
 }
 
-#define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))
-#define Xupdate(a, ix, ia, ib, ic, id) \
-  do {                                 \
-    (a) = ((ia) ^ (ib) ^ (ic) ^ (id)); \
-    (ix) = (a) = ROTATE((a), 1);       \
+#define Xupdate(a, ix, ia, ib, ic, id)    \
+  do {                                    \
+    (a) = ((ia) ^ (ib) ^ (ic) ^ (id));    \
+    (ix) = (a) = CRYPTO_rotl_u32((a), 1); \
   } while (0)
 
 #define K_00_19 0x5a827999UL
@@ -133,45 +132,47 @@ int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) {
 #define F_40_59(b, c, d) (((b) & (c)) | (((b) | (c)) & (d)))
 #define F_60_79(b, c, d) F_20_39(b, c, d)
 
-#define BODY_00_15(i, a, b, c, d, e, f, xi)                               \
-  do {                                                                    \
-    (f) = (xi) + (e) + K_00_19 + ROTATE((a), 5) + F_00_19((b), (c), (d)); \
-    (b) = ROTATE((b), 30);                                                \
+#define BODY_00_15(i, a, b, c, d, e, f, xi)                \
+  do {                                                     \
+    (f) = (xi) + (e) + K_00_19 + CRYPTO_rotl_u32((a), 5) + \
+          F_00_19((b), (c), (d));                          \
+    (b) = CRYPTO_rotl_u32((b), 30);                        \
   } while (0)
 
-#define BODY_16_19(i, a, b, c, d, e, f, xi, xa, xb, xc, xd)         \
-  do {                                                              \
-    Xupdate(f, xi, xa, xb, xc, xd);                                 \
-    (f) += (e) + K_00_19 + ROTATE((a), 5) + F_00_19((b), (c), (d)); \
-    (b) = ROTATE((b), 30);                                          \
+#define BODY_16_19(i, a, b, c, d, e, f, xi, xa, xb, xc, xd)                  \
+  do {                                                                       \
+    Xupdate(f, xi, xa, xb, xc, xd);                                          \
+    (f) += (e) + K_00_19 + CRYPTO_rotl_u32((a), 5) + F_00_19((b), (c), (d)); \
+    (b) = CRYPTO_rotl_u32((b), 30);                                          \
   } while (0)
 
-#define BODY_20_31(i, a, b, c, d, e, f, xi, xa, xb, xc, xd)         \
-  do {                                                              \
-    Xupdate(f, xi, xa, xb, xc, xd);                                 \
-    (f) += (e) + K_20_39 + ROTATE((a), 5) + F_20_39((b), (c), (d)); \
-    (b) = ROTATE((b), 30);                                          \
+#define BODY_20_31(i, a, b, c, d, e, f, xi, xa, xb, xc, xd)                  \
+  do {                                                                       \
+    Xupdate(f, xi, xa, xb, xc, xd);                                          \
+    (f) += (e) + K_20_39 + CRYPTO_rotl_u32((a), 5) + F_20_39((b), (c), (d)); \
+    (b) = CRYPTO_rotl_u32((b), 30);                                          \
   } while (0)
 
-#define BODY_32_39(i, a, b, c, d, e, f, xa, xb, xc, xd)             \
-  do {                                                              \
-    Xupdate(f, xa, xa, xb, xc, xd);                                 \
-    (f) += (e) + K_20_39 + ROTATE((a), 5) + F_20_39((b), (c), (d)); \
-    (b) = ROTATE((b), 30);                                          \
+#define BODY_32_39(i, a, b, c, d, e, f, xa, xb, xc, xd)                      \
+  do {                                                                       \
+    Xupdate(f, xa, xa, xb, xc, xd);                                          \
+    (f) += (e) + K_20_39 + CRYPTO_rotl_u32((a), 5) + F_20_39((b), (c), (d)); \
+    (b) = CRYPTO_rotl_u32((b), 30);                                          \
   } while (0)
 
-#define BODY_40_59(i, a, b, c, d, e, f, xa, xb, xc, xd)             \
-  do {                                                              \
-    Xupdate(f, xa, xa, xb, xc, xd);                                 \
-    (f) += (e) + K_40_59 + ROTATE((a), 5) + F_40_59((b), (c), (d)); \
-    (b) = ROTATE((b), 30);                                          \
+#define BODY_40_59(i, a, b, c, d, e, f, xa, xb, xc, xd)                      \
+  do {                                                                       \
+    Xupdate(f, xa, xa, xb, xc, xd);                                          \
+    (f) += (e) + K_40_59 + CRYPTO_rotl_u32((a), 5) + F_40_59((b), (c), (d)); \
+    (b) = CRYPTO_rotl_u32((b), 30);                                          \
   } while (0)
 
-#define BODY_60_79(i, a, b, c, d, e, f, xa, xb, xc, xd)                   \
-  do {                                                                    \
-    Xupdate(f, xa, xa, xb, xc, xd);                                       \
-    (f) = (xa) + (e) + K_60_79 + ROTATE((a), 5) + F_60_79((b), (c), (d)); \
-    (b) = ROTATE((b), 30);                                                \
+#define BODY_60_79(i, a, b, c, d, e, f, xa, xb, xc, xd)    \
+  do {                                                     \
+    Xupdate(f, xa, xa, xb, xc, xd);                        \
+    (f) = (xa) + (e) + K_60_79 + CRYPTO_rotl_u32((a), 5) + \
+          F_60_79((b), (c), (d));                          \
+    (b) = CRYPTO_rotl_u32((b), 30);                        \
   } while (0)
 
 #ifdef X
@@ -338,7 +339,6 @@ static void sha1_block_data_order(uint32_t *state, const uint8_t *data,
 }
 #endif
 
-#undef ROTATE
 #undef Xupdate
 #undef K_00_19
 #undef K_20_39

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c

@@ -184,15 +184,17 @@ static const uint32_t K256[64] = {
     0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
     0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL};
 
-#define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))
-
-// FIPS specification refers to right rotations, while our ROTATE macro
-// is left one. This is why you might notice that rotation coefficients
-// differ from those observed in FIPS document by 32-N...
-#define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))
-#define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))
-#define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))
-#define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10))
+// See FIPS 180-4, section 4.1.2.
+#define Sigma0(x)                                       \
+  (CRYPTO_rotr_u32((x), 2) ^ CRYPTO_rotr_u32((x), 13) ^ \
+   CRYPTO_rotr_u32((x), 22))
+#define Sigma1(x)                                       \
+  (CRYPTO_rotr_u32((x), 6) ^ CRYPTO_rotr_u32((x), 11) ^ \
+   CRYPTO_rotr_u32((x), 25))
+#define sigma0(x) \
+  (CRYPTO_rotr_u32((x), 7) ^ CRYPTO_rotr_u32((x), 18) ^ ((x) >> 3))
+#define sigma1(x) \
+  (CRYPTO_rotr_u32((x), 17) ^ CRYPTO_rotr_u32((x), 19) ^ ((x) >> 10))
 
 #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
 #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
@@ -309,7 +311,6 @@ void SHA256_TransformBlocks(uint32_t state[8], const uint8_t *data,
   sha256_block_data_order(state, data, num_blocks);
 }
 
-#undef ROTATE
 #undef Sigma0
 #undef Sigma1
 #undef sigma0