grpc 1.41.0 → 1.41.1

data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c

@@ -79,17 +79,11 @@ void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
 {
     const ASN1_TEMPLATE *tt = NULL, *seqtt;
     const ASN1_EXTERN_FUNCS *ef;
-    const ASN1_AUX *aux = it->funcs;
-    ASN1_aux_cb *asn1_cb;
     int i;
     if (!pval)
         return;
     if ((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval)
         return;
-    if (aux && aux->asn1_cb)
-        asn1_cb = aux->asn1_cb;
-    else
-        asn1_cb = 0;
 
     switch (it->itype) {
 
@@ -104,7 +98,9 @@ void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
         ASN1_primitive_free(pval, it);
         break;
 
-    case ASN1_ITYPE_CHOICE:
+    case ASN1_ITYPE_CHOICE: {
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;
         if (asn1_cb) {
             i = asn1_cb(ASN1_OP_FREE_PRE, pval, it, NULL);
             if (i == 2)
@@ -124,6 +120,7 @@ void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
             *pval = NULL;
         }
         break;
+    }
 
     case ASN1_ITYPE_EXTERN:
         ef = it->funcs;
@@ -131,9 +128,11 @@ void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
             ef->asn1_ex_free(pval, it);
         break;
 
-    case ASN1_ITYPE_SEQUENCE:
+    case ASN1_ITYPE_SEQUENCE: {
         if (!asn1_refcount_dec_and_test_zero(pval, it))
             return;
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;
         if (asn1_cb) {
             i = asn1_cb(ASN1_OP_FREE_PRE, pval, it, NULL);
             if (i == 2)
@@ -162,6 +161,7 @@ void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
         }
         break;
     }
+    }
 }
 
 void ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)

data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c

@@ -95,14 +95,8 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 {
     const ASN1_TEMPLATE *tt = NULL;
     const ASN1_EXTERN_FUNCS *ef;
-    const ASN1_AUX *aux = it->funcs;
-    ASN1_aux_cb *asn1_cb;
     ASN1_VALUE **pseqval;
     int i;
-    if (aux && aux->asn1_cb)
-        asn1_cb = aux->asn1_cb;
-    else
-        asn1_cb = 0;
 
     switch (it->itype) {
 
@@ -127,7 +121,9 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
             goto memerr;
         break;
 
-    case ASN1_ITYPE_CHOICE:
+    case ASN1_ITYPE_CHOICE: {
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;
         if (asn1_cb) {
             i = asn1_cb(ASN1_OP_NEW_PRE, pval, it, NULL);
             if (!i)
@@ -146,8 +142,11 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
         if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL))
             goto auxerr2;
         break;
+    }
 
-    case ASN1_ITYPE_SEQUENCE:
+    case ASN1_ITYPE_SEQUENCE: {
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;
         if (asn1_cb) {
             i = asn1_cb(ASN1_OP_NEW_PRE, pval, it, NULL);
             if (!i)
@@ -173,6 +172,7 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
             goto auxerr2;
         break;
     }
+    }
     return 1;
 
  memerr2:
@@ -271,7 +271,6 @@ static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
 static int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
     ASN1_TYPE *typ;
-    ASN1_STRING *str;
     int utype;
 
     if (!it)
@@ -308,10 +307,7 @@ static int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
         break;
 
     default:
-        str = ASN1_STRING_type_new(utype);
-        if (it->itype == ASN1_ITYPE_MSTRING && str)
-            str->flags |= ASN1_STRING_FLAG_MSTRING;
-        *pval = (ASN1_VALUE *)str;
+        *pval = (ASN1_VALUE *)ASN1_STRING_type_new(utype);
         break;
     }
     if (*pval)

data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c

@@ -118,6 +118,7 @@ int asn1_refcount_dec_and_test_zero(ASN1_VALUE **pval, const ASN1_ITEM *it) {
 }
 
 static ASN1_ENCODING *asn1_get_enc_ptr(ASN1_VALUE **pval, const ASN1_ITEM *it) {
+  assert(it->itype == ASN1_ITYPE_SEQUENCE);
   const ASN1_AUX *aux;
   if (!pval || !*pval) {
     return NULL;

data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c

@@ -265,14 +265,17 @@ static uint8_t base64_ascii_to_bin(uint8_t a) {
   const uint8_t is_slash = constant_time_eq_8(a, '/');
   const uint8_t is_equals = constant_time_eq_8(a, '=');
 
-  uint8_t ret = 0xff;  // 0xff signals invalid.
-  ret = constant_time_select_8(is_upper, a - 'A', ret);       // [0,26)
-  ret = constant_time_select_8(is_lower, a - 'a' + 26, ret);  // [26,52)
-  ret = constant_time_select_8(is_digit, a - '0' + 52, ret);  // [52,62)
-  ret = constant_time_select_8(is_plus, 62, ret);
-  ret = constant_time_select_8(is_slash, 63, ret);
-  // Padding maps to zero, to be further handled by the caller.
-  ret = constant_time_select_8(is_equals, 0, ret);
+  uint8_t ret = 0;
+  ret |= is_upper & (a - 'A');       // [0,26)
+  ret |= is_lower & (a - 'a' + 26);  // [26,52)
+  ret |= is_digit & (a - '0' + 52);  // [52,62)
+  ret |= is_plus & 62;
+  ret |= is_slash & 63;
+  // Invalid inputs, 'A', and '=' have all been mapped to zero. Map invalid
+  // inputs to 0xff. Note '=' is padding and handled separately by the caller.
+  const uint8_t is_valid =
+      is_upper | is_lower | is_digit | is_plus | is_slash | is_equals;
+  ret |= ~is_valid;
   return ret;
 }
 

data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c

@@ -116,17 +116,11 @@ static int mem_new(BIO *bio) {
 }
 
 static int mem_free(BIO *bio) {
-  BUF_MEM *b;
-
-  if (bio == NULL) {
-    return 0;
-  }
-
   if (!bio->shutdown || !bio->init || bio->ptr == NULL) {
     return 1;
   }
 
-  b = (BUF_MEM *)bio->ptr;
+  BUF_MEM *b = (BUF_MEM *)bio->ptr;
   if (bio->flags & BIO_FLAGS_MEM_RDONLY) {
     b->data = NULL;
   }

data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c

@@ -320,7 +320,7 @@ static int conn_new(BIO *bio) {
   bio->init = 0;
   bio->num = -1;
   bio->flags = 0;
-  bio->ptr = (char *)BIO_CONNECT_new();
+  bio->ptr = BIO_CONNECT_new();
   return bio->ptr != NULL;
 }
 
@@ -340,10 +340,6 @@ static void conn_close_socket(BIO *bio) {
 }
 
 static int conn_free(BIO *bio) {
-  if (bio == NULL) {
-    return 0;
-  }
-
   if (bio->shutdown) {
     conn_close_socket(bio);
   }

data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c

@@ -146,10 +146,6 @@ static int fd_new(BIO *bio) {
 }
 
 static int fd_free(BIO *bio) {
-  if (bio == NULL) {
-    return 0;
-  }
-
   if (bio->shutdown) {
     if (bio->init) {
       BORINGSSL_CLOSE(bio->num);

data/third_party/boringssl-with-bazel/src/crypto/bio/file.c

@@ -126,13 +126,7 @@ BIO *BIO_new_fp(FILE *stream, int close_flag) {
   return ret;
 }
 
-static int file_new(BIO *bio) { return 1; }
-
 static int file_free(BIO *bio) {
-  if (bio == NULL) {
-    return 0;
-  }
-
   if (!bio->shutdown) {
     return 1;
   }
@@ -279,7 +273,7 @@ static const BIO_METHOD methods_filep = {
     BIO_TYPE_FILE,   "FILE pointer",
     file_write,      file_read,
     NULL /* puts */, file_gets,
-    file_ctrl,       file_new,
+    file_ctrl,       NULL /* create */,
     file_free,       NULL /* callback_ctrl */,
 };
 

data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c

@@ -127,12 +127,7 @@ static void bio_destroy_pair(BIO *bio) {
 }
 
 static int bio_free(BIO *bio) {
-  struct bio_bio_st *b;
-
-  if (bio == NULL) {
-    return 0;
-  }
-  b = bio->ptr;
+  struct bio_bio_st *b = bio->ptr;
 
   assert(b != NULL);
 

data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c

@@ -81,19 +81,7 @@ static int closesocket(int sock) {
 }
 #endif
 
-static int sock_new(BIO *bio) {
-  bio->init = 0;
-  bio->num = 0;
-  bio->ptr = NULL;
-  bio->flags = 0;
-  return 1;
-}
-
 static int sock_free(BIO *bio) {
-  if (bio == NULL) {
-    return 0;
-  }
-
   if (bio->shutdown) {
     if (bio->init) {
       closesocket(bio->num);
@@ -105,17 +93,15 @@ static int sock_free(BIO *bio) {
 }
 
 static int sock_read(BIO *b, char *out, int outl) {
-  int ret = 0;
-
   if (out == NULL) {
     return 0;
   }
 
   bio_clear_socket_error();
 #if defined(OPENSSL_WINDOWS)
-  ret = recv(b->num, out, outl, 0);
+  int ret = recv(b->num, out, outl, 0);
 #else
-  ret = read(b->num, out, outl);
+  int ret = read(b->num, out, outl);
 #endif
   BIO_clear_retry_flags(b);
   if (ret <= 0) {
@@ -186,7 +172,7 @@ static const BIO_METHOD methods_sockp = {
     BIO_TYPE_SOCKET, "socket",
     sock_write,      sock_read,
     NULL /* puts */, NULL /* gets, */,
-    sock_ctrl,       sock_new,
+    sock_ctrl,       NULL /* create */,
     sock_free,       NULL /* callback_ctrl */,
 };
 

data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c

@@ -404,6 +404,15 @@ int CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len) {
   return 1;
 }
 
+int CBB_add_zeros(CBB *cbb, size_t len) {
+  uint8_t *out;
+  if (!CBB_add_space(cbb, &out, len)) {
+    return 0;
+  }
+  OPENSSL_memset(out, 0, len);
+  return 1;
+}
+
 int CBB_add_space(CBB *cbb, uint8_t **out_data, size_t len) {
   if (!CBB_flush(cbb) ||
       !cbb_buffer_add(cbb->base, out_data, len)) {

data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c

@@ -216,6 +216,14 @@ int CBS_get_u24_length_prefixed(CBS *cbs, CBS *out) {
   return cbs_get_length_prefixed(cbs, out, 3);
 }
 
+int CBS_get_until_first(CBS *cbs, CBS *out, uint8_t c) {
+  const uint8_t *split = OPENSSL_memchr(CBS_data(cbs), c, CBS_len(cbs));
+  if (split == NULL) {
+    return 0;
+  }
+  return CBS_get_bytes(cbs, out, split - CBS_data(cbs));
+}
+
 // parse_base128_integer reads a big-endian base-128 integer from |cbs| and sets
 // |*out| to the result. This is the encoding used in DER for both high tag
 // number form and OID components.

data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c

@@ -67,25 +67,42 @@
 #include "../internal.h"
 
 
+static const struct {
+  int nid;
+  const char *name;
+  const EVP_CIPHER *(*func)(void);
+} kCiphers[] = {
+    {NID_aes_128_cbc, "aes-128-cbc", EVP_aes_128_cbc},
+    {NID_aes_128_ctr, "aes-128-ctr", EVP_aes_128_ctr},
+    {NID_aes_128_ecb, "aes-128-ecb", EVP_aes_128_ecb},
+    {NID_aes_128_gcm, "aes-128-gcm", EVP_aes_128_gcm},
+    {NID_aes_128_ofb128, "aes-128-ofb", EVP_aes_128_ofb},
+    {NID_aes_192_cbc, "aes-192-cbc", EVP_aes_192_cbc},
+    {NID_aes_192_ctr, "aes-192-ctr", EVP_aes_192_ctr},
+    {NID_aes_192_ecb, "aes-192-ecb", EVP_aes_192_ecb},
+    {NID_aes_192_gcm, "aes-192-gcm", EVP_aes_192_gcm},
+    {NID_aes_192_ofb128, "aes-192-ofb", EVP_aes_192_ofb},
+    {NID_aes_256_cbc, "aes-256-cbc", EVP_aes_256_cbc},
+    {NID_aes_256_ctr, "aes-256-ctr", EVP_aes_256_ctr},
+    {NID_aes_256_ecb, "aes-256-ecb", EVP_aes_256_ecb},
+    {NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm},
+    {NID_aes_256_ofb128, "aes-256-ofb", EVP_aes_256_ofb},
+    {NID_des_cbc, "des-cbc", EVP_des_cbc},
+    {NID_des_ecb, "des-ecb", EVP_des_ecb},
+    {NID_des_ede_cbc, "des-ede-cbc", EVP_des_ede_cbc},
+    {NID_des_ede_ecb, "des-ede", EVP_des_ede},
+    {NID_des_ede3_cbc, "des-ede3-cbc", EVP_des_ede3_cbc},
+    {NID_rc2_cbc, "rc2-cbc", EVP_rc2_cbc},
+    {NID_rc4, "rc4", EVP_rc4},
+};
+
 const EVP_CIPHER *EVP_get_cipherbynid(int nid) {
-  switch (nid) {
-    case NID_rc2_cbc:
-      return EVP_rc2_cbc();
-    case NID_rc2_40_cbc:
-      return EVP_rc2_40_cbc();
-    case NID_des_ede3_cbc:
-      return EVP_des_ede3_cbc();
-    case NID_des_ede_cbc:
-      return EVP_des_cbc();
-    case NID_aes_128_cbc:
-      return EVP_aes_128_cbc();
-    case NID_aes_192_cbc:
-      return EVP_aes_192_cbc();
-    case NID_aes_256_cbc:
-      return EVP_aes_256_cbc();
-    default:
-      return NULL;
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCiphers); i++) {
+    if (kCiphers[i].nid == nid) {
+      return kCiphers[i].func();
+    }
   }
+  return NULL;
 }
 
 const EVP_CIPHER *EVP_get_cipherbyname(const char *name) {
@@ -93,54 +110,17 @@ const EVP_CIPHER *EVP_get_cipherbyname(const char *name) {
     return NULL;
   }
 
-  if (OPENSSL_strcasecmp(name, "rc4") == 0) {
-    return EVP_rc4();
-  } else if (OPENSSL_strcasecmp(name, "des-cbc") == 0) {
-    return EVP_des_cbc();
-  } else if (OPENSSL_strcasecmp(name, "des-ede3-cbc") == 0 ||
-             // This is not a name used by OpenSSL, but tcpdump registers it
-             // with |EVP_add_cipher_alias|. Our |EVP_add_cipher_alias| is a
-             // no-op, so we support the name here.
-             OPENSSL_strcasecmp(name, "3des") == 0) {
-    return EVP_des_ede3_cbc();
-  } else if (OPENSSL_strcasecmp(name, "aes-128-cbc") == 0) {
-    return EVP_aes_128_cbc();
-  } else if (OPENSSL_strcasecmp(name, "aes-192-cbc") == 0) {
-    return EVP_aes_192_cbc();
-  } else if (OPENSSL_strcasecmp(name, "aes-256-cbc") == 0) {
-    return EVP_aes_256_cbc();
-  } else if (OPENSSL_strcasecmp(name, "aes-128-ctr") == 0) {
-    return EVP_aes_128_ctr();
-  } else if (OPENSSL_strcasecmp(name, "aes-192-ctr") == 0) {
-    return EVP_aes_192_ctr();
-  } else if (OPENSSL_strcasecmp(name, "aes-256-ctr") == 0) {
-    return EVP_aes_256_ctr();
-  } else if (OPENSSL_strcasecmp(name, "aes-128-ecb") == 0) {
-    return EVP_aes_128_ecb();
-  } else if (OPENSSL_strcasecmp(name, "aes-192-ecb") == 0) {
-    return EVP_aes_192_ecb();
-  } else if (OPENSSL_strcasecmp(name, "aes-256-ecb") == 0) {
-    return EVP_aes_256_ecb();
-  } else if (OPENSSL_strcasecmp(name, "aes-128-gcm") == 0) {
-    return EVP_aes_128_gcm();
-  } else if (OPENSSL_strcasecmp(name, "aes-192-gcm") == 0) {
-    return EVP_aes_192_gcm();
-  } else if (OPENSSL_strcasecmp(name, "aes-256-gcm") == 0) {
-    return EVP_aes_256_gcm();
-  } else if (OPENSSL_strcasecmp(name, "aes-128-ofb") == 0) {
-    return EVP_aes_128_ofb();
-  } else if (OPENSSL_strcasecmp(name, "aes-192-ofb") == 0) {
-    return EVP_aes_192_ofb();
-  } else if (OPENSSL_strcasecmp(name, "aes-256-ofb") == 0) {
-    return EVP_aes_256_ofb();
-  } else if (OPENSSL_strcasecmp(name, "des-ecb") == 0) {
-    return EVP_des_ecb();
-  } else if (OPENSSL_strcasecmp(name, "des-ede") == 0) {
-    return EVP_des_ede();
-  } else if (OPENSSL_strcasecmp(name, "des-ede-cbc") == 0) {
-    return EVP_des_ede_cbc();
-  } else if (OPENSSL_strcasecmp(name, "rc2-cbc") == 0) {
-    return EVP_rc2_cbc();
+  // This is not a name used by OpenSSL, but tcpdump registers it with
+  // |EVP_add_cipher_alias|. Our |EVP_add_cipher_alias| is a no-op, so we
+  // support the name here.
+  if (OPENSSL_strcasecmp(name, "3des") == 0) {
+    name = "des-ede3-cbc";
+  }
+
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCiphers); i++) {
+    if (OPENSSL_strcasecmp(kCiphers[i].name, name) == 0) {
+      return kCiphers[i].func();
+    }
   }
 
   return NULL;

data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c

@@ -83,6 +83,7 @@ static const struct nid_to_digest nid_to_digest_mapping[] = {
     {NID_sha256, EVP_sha256, SN_sha256, LN_sha256},
     {NID_sha384, EVP_sha384, SN_sha384, LN_sha384},
     {NID_sha512, EVP_sha512, SN_sha512, LN_sha512},
+    {NID_sha512_256, EVP_sha512_256, SN_sha512_256, LN_sha512_256},
     {NID_md5_sha1, EVP_md5_sha1, SN_md5_sha1, LN_md5_sha1},
     // As a remnant of signing |EVP_MD|s, OpenSSL returned the corresponding
     // hash function when given a signature OID. To avoid unintended lax parsing

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c

@@ -456,7 +456,7 @@ void bn_mod_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
 
 int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder,
                      const BIGNUM *numerator, const BIGNUM *divisor,
-                     BN_CTX *ctx) {
+                     unsigned divisor_min_bits, BN_CTX *ctx) {
   if (BN_is_negative(numerator) || BN_is_negative(divisor)) {
     OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
     return 0;
@@ -496,8 +496,26 @@ int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder,
   r->neg = 0;
 
   // Incorporate |numerator| into |r|, one bit at a time, reducing after each
-  // step. At the start of each loop iteration, |r| < |divisor|
-  for (int i = numerator->width - 1; i >= 0; i--) {
+  // step. We maintain the invariant that |0 <= r < divisor| and
+  // |q * divisor + r = n| where |n| is the portion of |numerator| incorporated
+  // so far.
+  //
+  // First, we short-circuit the loop: if we know |divisor| has at least
+  // |divisor_min_bits| bits, the top |divisor_min_bits - 1| can be incorporated
+  // without reductions. This significantly speeds up |RSA_check_key|. For
+  // simplicity, we round down to a whole number of words.
+  assert(divisor_min_bits <= BN_num_bits(divisor));
+  int initial_words = 0;
+  if (divisor_min_bits > 0) {
+    initial_words = (divisor_min_bits - 1) / BN_BITS2;
+    if (initial_words > numerator->width) {
+      initial_words = numerator->width;
+    }
+    OPENSSL_memcpy(r->d, numerator->d + numerator->width - initial_words,
+                   initial_words * sizeof(BN_ULONG));
+  }
+
+  for (int i = numerator->width - initial_words - 1; i >= 0; i--) {
     for (int bit = BN_BITS2 - 1; bit >= 0; bit--) {
       // Incorporate the next bit of the numerator, by computing
       // r = 2*r or 2*r + 1. Note the result fits in one more word. We store the

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c

@@ -157,10 +157,11 @@ int bn_lcm_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
   BN_CTX_start(ctx);
   unsigned shift;
   BIGNUM *gcd = BN_CTX_get(ctx);
-  int ret = gcd != NULL &&
+  int ret = gcd != NULL &&  //
             bn_mul_consttime(r, a, b, ctx) &&
             bn_gcd_consttime(gcd, &shift, a, b, ctx) &&
-            bn_div_consttime(r, NULL, r, gcd, ctx) &&
+            // |gcd| has a secret bit width.
+            bn_div_consttime(r, NULL, r, gcd, /*divisor_min_bits=*/0, ctx) &&
             bn_rshift_secret_shift(r, r, shift, ctx);
   BN_CTX_end(ctx);
   return ret;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h

@@ -552,12 +552,15 @@ int bn_sqr_consttime(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
 // bn_div_consttime behaves like |BN_div|, but it rejects negative inputs and
 // treats both inputs, including their magnitudes, as secret. It is, as a
 // result, much slower than |BN_div| and should only be used for rare operations
-// where Montgomery reduction is not available.
+// where Montgomery reduction is not available. |divisor_min_bits| is a
+// public lower bound for |BN_num_bits(divisor)|. When |divisor|'s bit width is
+// public, this can speed up the operation.
 //
 // Note that |quotient->width| will be set pessimally to |numerator->width|.
 OPENSSL_EXPORT int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder,
                                     const BIGNUM *numerator,
-                                    const BIGNUM *divisor, BN_CTX *ctx);
+                                    const BIGNUM *divisor,
+                                    unsigned divisor_min_bits, BN_CTX *ctx);
 
 // bn_is_relatively_prime checks whether GCD(|x|, |y|) is one. On success, it
 // returns one and sets |*out_relatively_prime| to one if the GCD was one and

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c

@@ -911,6 +911,16 @@ static int aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx *gcm_ctx,
                                   size_t key_len, size_t tag_len) {
   const size_t key_bits = key_len * 8;
 
+  switch (key_bits) {
+    case 128:
+      boringssl_fips_inc_counter(fips_counter_evp_aes_128_gcm);
+      break;
+
+    case 256:
+      boringssl_fips_inc_counter(fips_counter_evp_aes_256_gcm);
+      break;
+  }
+
   if (key_bits != 128 && key_bits != 192 && key_bits != 256) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
     return 0;  // EVP_AEAD_CTX_init should catch this.

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c

@@ -72,7 +72,7 @@ uint8_t *MD4(const uint8_t *data, size_t len, uint8_t out[MD4_DIGEST_LENGTH]) {
   return out;
 }
 
-// Implemented from RFC1186 The MD4 Message-Digest Algorithm.
+// Implemented from RFC 1186 The MD4 Message-Digest Algorithm.
 
 int MD4_Init(MD4_CTX *md4) {
   OPENSSL_memset(md4, 0, sizeof(MD4_CTX));

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c

@@ -193,7 +193,7 @@ static void gcm_mul64_nohw(uint64_t *out_lo, uint64_t *out_hi, uint64_t a,
 #endif  // BORINGSSL_HAS_UINT128
 
 void gcm_init_nohw(u128 Htable[16], const uint64_t Xi[2]) {
-  // We implement GHASH in terms of POLYVAL, as described in RFC8452. This
+  // We implement GHASH in terms of POLYVAL, as described in RFC 8452. This
   // avoids a shift by 1 in the multiplication, needed to account for bit
   // reversal losing a bit after multiplication, that is,
   // rev128(X) * rev128(Y) = rev255(X*Y).

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c

@@ -356,7 +356,7 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
     int used_cpu;
     rand_get_seed(state, seed, &used_cpu);
 
-    uint8_t personalization[CTR_DRBG_ENTROPY_LEN];
+    uint8_t personalization[CTR_DRBG_ENTROPY_LEN] = {0};
     size_t personalization_len = 0;
 #if defined(OPENSSL_URANDOM)
     // If we used RDRAND, also opportunistically read from the system. This

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c

@@ -206,6 +206,12 @@ void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
   }
 }
 
+const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa) {
+  // We do not support the id-RSASSA-PSS key encoding. If we add support later,
+  // the |maskHash| field should be filled in for OpenSSL compatibility.
+  return NULL;
+}
+
 void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
                          const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) {
   if (out_dmp1 != NULL) {
@@ -657,7 +663,8 @@ err:
 }
 
 static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
-                             const BIGNUM *m, BN_CTX *ctx) {
+                             const BIGNUM *m, unsigned m_min_bits,
+                             BN_CTX *ctx) {
   if (BN_is_negative(ainv) || BN_cmp(ainv, m) >= 0) {
     *out_ok = 0;
     return 1;
@@ -670,7 +677,7 @@ static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
   BIGNUM *tmp = BN_CTX_get(ctx);
   int ret = tmp != NULL &&
             bn_mul_consttime(tmp, a, ainv, ctx) &&
-            bn_div_consttime(NULL, tmp, tmp, m, ctx);
+            bn_div_consttime(NULL, tmp, tmp, m, m_min_bits, ctx);
   if (ret) {
     *out_ok = BN_is_one(tmp);
   }
@@ -750,10 +757,15 @@ int RSA_check_key(const RSA *key) {
   // simply check that d * e is one mod p-1 and mod q-1. Note d and e were bound
   // by earlier checks in this function.
   if (!bn_usub_consttime(&pm1, key->p, BN_value_one()) ||
-      !bn_usub_consttime(&qm1, key->q, BN_value_one()) ||
-      !bn_mul_consttime(&de, key->d, key->e, ctx) ||
-      !bn_div_consttime(NULL, &tmp, &de, &pm1, ctx) ||
-      !bn_div_consttime(NULL, &de, &de, &qm1, ctx)) {
+      !bn_usub_consttime(&qm1, key->q, BN_value_one())) {
+    OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
+    goto out;
+  }
+  const unsigned pm1_bits = BN_num_bits(&pm1);
+  const unsigned qm1_bits = BN_num_bits(&qm1);
+  if (!bn_mul_consttime(&de, key->d, key->e, ctx) ||
+      !bn_div_consttime(NULL, &tmp, &de, &pm1, pm1_bits, ctx) ||
+      !bn_div_consttime(NULL, &de, &de, &qm1, qm1_bits, ctx)) {
     OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
     goto out;
   }
@@ -772,9 +784,12 @@ int RSA_check_key(const RSA *key) {
 
   if (has_crt_values) {
     int dmp1_ok, dmq1_ok, iqmp_ok;
-    if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1, ctx) ||
-        !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1, ctx) ||
-        !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p, ctx)) {
+    if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1, pm1_bits, ctx) ||
+        !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1, qm1_bits, ctx) ||
+        // |p| is odd, so |pm1| and |p| have the same bit width. If they didn't,
+        // we only need a lower bound anyway.
+        !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p, pm1_bits,
+                           ctx)) {
       OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
       goto out;
     }