grpc 1.53.0 → 1.54.2

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c

@@ -286,7 +286,6 @@ BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, const BIGNUM *n,
   if (out == NULL) {
     new_out = BN_new();
     if (new_out == NULL) {
-      OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
       return NULL;
     }
     out = new_out;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c

@@ -240,8 +240,10 @@ int bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, const BIGNUM *a,
 
   // Each loop iteration halves at least one of |u| and |v|. Thus we need at
   // most the combined bit width of inputs for at least one value to be zero.
-  unsigned a_bits = a_width * BN_BITS2, n_bits = n_width * BN_BITS2;
-  unsigned num_iters = a_bits + n_bits;
+  // |a_bits| and |n_bits| cannot overflow because |bn_wexpand| ensures bit
+  // counts fit in even |int|.
+  size_t a_bits = a_width * BN_BITS2, n_bits = n_width * BN_BITS2;
+  size_t num_iters = a_bits + n_bits;
   if (num_iters < a_bits) {
     OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
     goto err;
@@ -260,7 +262,7 @@ int bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, const BIGNUM *a,
   //
   // After each loop iteration, u and v only get smaller, and at least one of
   // them shrinks by at least a factor of two.
-  for (unsigned i = 0; i < num_iters; i++) {
+  for (size_t i = 0; i < num_iters; i++) {
     BN_ULONG both_odd = word_is_odd_mask(u->d[0]) & word_is_odd_mask(v->d[0]);
 
     // If both |u| and |v| are odd, subtract the smaller from the larger.

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c

@@ -61,11 +61,25 @@
 #include "internal.h"
 
 
-// This file has two other implementations: x86 assembly language in
-// asm/bn-586.pl and x86_64 inline assembly in asm/x86_64-gcc.c.
-#if defined(OPENSSL_NO_ASM) || \
-    !(defined(OPENSSL_X86) ||  \
-      (defined(OPENSSL_X86_64) && (defined(__GNUC__) || defined(__clang__))))
+#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86)
+// See asm/bn-586.pl.
+#define BN_ADD_ASM
+#define BN_MUL_ASM
+#endif
+
+#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \
+    (defined(__GNUC__) || defined(__clang__))
+// See asm/x86_64-gcc.c
+#define BN_ADD_ASM
+#define BN_MUL_ASM
+#endif
+
+#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64)
+// See asm/bn-armv8.pl.
+#define BN_ADD_ASM
+#endif
+
+#if !defined(BN_MUL_ASM)
 
 #ifdef BN_ULLONG
 #define mul_add(r, a, w, c)               \
@@ -201,157 +215,6 @@ void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, size_t n) {
   }
 }
 
-#ifdef BN_ULLONG
-BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
-                      size_t n) {
-  BN_ULLONG ll = 0;
-
-  if (n == 0) {
-    return 0;
-  }
-
-  while (n & ~3) {
-    ll += (BN_ULLONG)a[0] + b[0];
-    r[0] = (BN_ULONG)ll;
-    ll >>= BN_BITS2;
-    ll += (BN_ULLONG)a[1] + b[1];
-    r[1] = (BN_ULONG)ll;
-    ll >>= BN_BITS2;
-    ll += (BN_ULLONG)a[2] + b[2];
-    r[2] = (BN_ULONG)ll;
-    ll >>= BN_BITS2;
-    ll += (BN_ULLONG)a[3] + b[3];
-    r[3] = (BN_ULONG)ll;
-    ll >>= BN_BITS2;
-    a += 4;
-    b += 4;
-    r += 4;
-    n -= 4;
-  }
-  while (n) {
-    ll += (BN_ULLONG)a[0] + b[0];
-    r[0] = (BN_ULONG)ll;
-    ll >>= BN_BITS2;
-    a++;
-    b++;
-    r++;
-    n--;
-  }
-  return (BN_ULONG)ll;
-}
-
-#else  // !BN_ULLONG
-
-BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
-                      size_t n) {
-  BN_ULONG c, l, t;
-
-  if (n == 0) {
-    return (BN_ULONG)0;
-  }
-
-  c = 0;
-  while (n & ~3) {
-    t = a[0];
-    t += c;
-    c = (t < c);
-    l = t + b[0];
-    c += (l < t);
-    r[0] = l;
-    t = a[1];
-    t += c;
-    c = (t < c);
-    l = t + b[1];
-    c += (l < t);
-    r[1] = l;
-    t = a[2];
-    t += c;
-    c = (t < c);
-    l = t + b[2];
-    c += (l < t);
-    r[2] = l;
-    t = a[3];
-    t += c;
-    c = (t < c);
-    l = t + b[3];
-    c += (l < t);
-    r[3] = l;
-    a += 4;
-    b += 4;
-    r += 4;
-    n -= 4;
-  }
-  while (n) {
-    t = a[0];
-    t += c;
-    c = (t < c);
-    l = t + b[0];
-    c += (l < t);
-    r[0] = l;
-    a++;
-    b++;
-    r++;
-    n--;
-  }
-  return (BN_ULONG)c;
-}
-
-#endif  // !BN_ULLONG
-
-BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
-                      size_t n) {
-  BN_ULONG t1, t2;
-  int c = 0;
-
-  if (n == 0) {
-    return (BN_ULONG)0;
-  }
-
-  while (n & ~3) {
-    t1 = a[0];
-    t2 = b[0];
-    r[0] = t1 - t2 - c;
-    if (t1 != t2) {
-      c = (t1 < t2);
-    }
-    t1 = a[1];
-    t2 = b[1];
-    r[1] = t1 - t2 - c;
-    if (t1 != t2) {
-      c = (t1 < t2);
-    }
-    t1 = a[2];
-    t2 = b[2];
-    r[2] = t1 - t2 - c;
-    if (t1 != t2) {
-      c = (t1 < t2);
-    }
-    t1 = a[3];
-    t2 = b[3];
-    r[3] = t1 - t2 - c;
-    if (t1 != t2) {
-      c = (t1 < t2);
-    }
-    a += 4;
-    b += 4;
-    r += 4;
-    n -= 4;
-  }
-  while (n) {
-    t1 = a[0];
-    t2 = b[0];
-    r[0] = t1 - t2 - c;
-    if (t1 != t2) {
-      c = (t1 < t2);
-    }
-    a++;
-    b++;
-    r++;
-    n--;
-  }
-  return c;
-}
-
 // mul_add_c(a,b,c0,c1,c2)  -- c+=a*b for three word number c=(c2,c1,c0)
 // mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0)
 // sqr_add_c(a,i,c0,c1,c2)  -- c+=a[i]^2 for three word number c=(c2,c1,c0)
@@ -369,9 +232,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
     (c0) = (BN_ULONG)Lw(t);             \
     hi = (BN_ULONG)Hw(t);               \
     (c1) += (hi);                       \
-    if ((c1) < hi) {                    \
-      (c2)++;                           \
-    }                                   \
+    (c2) += (c1) < hi;                  \
   } while (0)
 
 #define mul_add_c2(a, b, c0, c1, c2)        \
@@ -382,16 +243,12 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
     (c0) = (BN_ULONG)Lw(tt);                \
     hi = (BN_ULONG)Hw(tt);                  \
     (c1) += hi;                             \
-    if ((c1) < hi) {                        \
-      (c2)++;                               \
-    }                                       \
+    (c2) += (c1) < hi;                      \
     t += (c0); /* no carry */               \
     (c0) = (BN_ULONG)Lw(t);                 \
     hi = (BN_ULONG)Hw(t);                   \
     (c1) += hi;                             \
-    if ((c1) < hi) {                        \
-      (c2)++;                               \
-    }                                       \
+    (c2) += (c1) < hi;                      \
   } while (0)
 
 #define sqr_add_c(a, i, c0, c1, c2)           \
@@ -402,9 +259,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
     (c0) = (BN_ULONG)Lw(t);                   \
     hi = (BN_ULONG)Hw(t);                     \
     (c1) += hi;                               \
-    if ((c1) < hi) {                          \
-      (c2)++;                                 \
-    }                                         \
+    (c2) += (c1) < hi;                        \
   } while (0)
 
 #define sqr_add_c2(a, i, j, c0, c1, c2) mul_add_c2((a)[i], (a)[j], c0, c1, c2)
@@ -708,4 +563,93 @@ void bn_sqr_comba4(BN_ULONG r[8], const BN_ULONG a[4]) {
 #undef sqr_add_c
 #undef sqr_add_c2
 
+#endif  // !BN_MUL_ASM
+
+#if !defined(BN_ADD_ASM)
+
+// bn_add_with_carry returns |x + y + carry|, and sets |*out_carry| to the
+// carry bit. |carry| must be zero or one.
+static inline BN_ULONG bn_add_with_carry(BN_ULONG x, BN_ULONG y, BN_ULONG carry,
+                                         BN_ULONG *out_carry) {
+  assert(carry == 0 || carry == 1);
+#if defined(BN_ULLONG)
+  BN_ULLONG ret = carry;
+  ret += (BN_ULLONG)x + y;
+  *out_carry = (BN_ULONG)(ret >> BN_BITS2);
+  return (BN_ULONG)ret;
+#else
+  x += carry;
+  carry = x < carry;
+  BN_ULONG ret = x + y;
+  carry += ret < x;
+  *out_carry = carry;
+  return ret;
 #endif
+}
+
+// bn_sub_with_borrow returns |x - y - borrow|, and sets |*out_borrow| to the
+// borrow bit. |borrow| must be zero or one.
+static inline BN_ULONG bn_sub_with_borrow(BN_ULONG x, BN_ULONG y,
+                                          BN_ULONG borrow,
+                                          BN_ULONG *out_borrow) {
+  assert(borrow == 0 || borrow == 1);
+  BN_ULONG ret = x - y - borrow;
+  *out_borrow = (x < y) | ((x == y) & borrow);
+  return ret;
+}
+
+BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+                      size_t n) {
+  if (n == 0) {
+    return 0;
+  }
+
+  BN_ULONG carry = 0;
+  while (n & ~3) {
+    r[0] = bn_add_with_carry(a[0], b[0], carry, &carry);
+    r[1] = bn_add_with_carry(a[1], b[1], carry, &carry);
+    r[2] = bn_add_with_carry(a[2], b[2], carry, &carry);
+    r[3] = bn_add_with_carry(a[3], b[3], carry, &carry);
+    a += 4;
+    b += 4;
+    r += 4;
+    n -= 4;
+  }
+  while (n) {
+    r[0] = bn_add_with_carry(a[0], b[0], carry, &carry);
+    a++;
+    b++;
+    r++;
+    n--;
+  }
+  return carry;
+}
+
+BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+                      size_t n) {
+  if (n == 0) {
+    return (BN_ULONG)0;
+  }
+
+  BN_ULONG borrow = 0;
+  while (n & ~3) {
+    r[0] = bn_sub_with_borrow(a[0], b[0], borrow, &borrow);
+    r[1] = bn_sub_with_borrow(a[1], b[1], borrow, &borrow);
+    r[2] = bn_sub_with_borrow(a[2], b[2], borrow, &borrow);
+    r[3] = bn_sub_with_borrow(a[3], b[3], borrow, &borrow);
+    a += 4;
+    b += 4;
+    r += 4;
+    n -= 4;
+  }
+  while (n) {
+    r[0] = bn_sub_with_borrow(a[0], b[0], borrow, &borrow);
+    a++;
+    b++;
+    r++;
+    n--;
+  }
+  return borrow;
+}
+
+#endif  // !BN_ADD_ASM

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h

@@ -189,14 +189,20 @@ extern "C" {
 #define BN_CAN_USE_INLINE_ASM
 #endif
 
-// |BN_mod_exp_mont_consttime| is based on the assumption that the L1 data
-// cache line width of the target processor is at least the following value.
-#define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH 64
-
-// The number of |BN_ULONG|s needed for the |BN_mod_exp_mont_consttime| stack-
-// allocated storage buffer. The buffer is just the right size for the RSAZ
-// and is about ~1KB larger than what's necessary (4480 bytes) for 1024-bit
-// inputs.
+// MOD_EXP_CTIME_ALIGN is the alignment needed for |BN_mod_exp_mont_consttime|'s
+// tables.
+//
+// TODO(davidben): Historically, this alignment came from cache line
+// assumptions, which we've since removed. Is 64-byte alignment still necessary
+// or ideal? The true alignment requirement seems to now be 32 bytes, coming
+// from RSAZ's use of VMOVDQA to a YMM register. Non-x86_64 has even fewer
+// requirements.
+#define MOD_EXP_CTIME_ALIGN 64
+
+// MOD_EXP_CTIME_STORAGE_LEN is the number of |BN_ULONG|s needed for the
+// |BN_mod_exp_mont_consttime| stack-allocated storage buffer. The buffer is
+// just the right size for the RSAZ and is about ~1KB larger than what's
+// necessary (4480 bytes) for 1024-bit inputs.
 #define MOD_EXP_CTIME_STORAGE_LEN \
   (((320u * 3u) + (32u * 9u * 16u)) / sizeof(BN_ULONG))
 
@@ -211,8 +217,8 @@ extern "C" {
 #define Hw(t) ((BN_ULONG)((t) >> BN_BITS2))
 #endif
 
-// bn_minimal_width returns the minimal value of |bn->top| which fits the
-// value of |bn|.
+// bn_minimal_width returns the minimal number of words needed to represent
+// |bn|.
 int bn_minimal_width(const BIGNUM *bn);
 
 // bn_set_minimal_width sets |bn->width| to |bn_minimal_width(bn)|. If |bn| is
@@ -228,7 +234,7 @@ int bn_wexpand(BIGNUM *bn, size_t words);
 // than a number of words.
 int bn_expand(BIGNUM *bn, size_t bits);
 
-// bn_resize_words adjusts |bn->top| to be |words|. It returns one on success
+// bn_resize_words adjusts |bn->width| to be |words|. It returns one on success
 // and zero on allocation error or if |bn|'s value is too large.
 OPENSSL_EXPORT int bn_resize_words(BIGNUM *bn, size_t words);
 
@@ -257,6 +263,12 @@ int bn_fits_in_words(const BIGNUM *bn, size_t num);
 // is representable in |num| words. Otherwise, it returns zero.
 int bn_copy_words(BN_ULONG *out, size_t num, const BIGNUM *bn);
 
+// bn_assert_fits_in_bytes asserts that |bn| fits in |num| bytes. This is a
+// no-op in release builds, but triggers an assert in debug builds, and
+// declassifies all bytes which are therefore known to be zero in constant-time
+// validation.
+void bn_assert_fits_in_bytes(const BIGNUM *bn, size_t num);
+
 // bn_mul_add_words multiples |ap| by |w|, adds the result to |rp|, and places
 // the result in |rp|. |ap| and |rp| must both be |num| words long. It returns
 // the carry word of the operation. |ap| and |rp| may be equal but otherwise may
@@ -344,6 +356,12 @@ int bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive,
 int bn_rand_secret_range(BIGNUM *r, int *out_is_uniform, BN_ULONG min_inclusive,
                          const BIGNUM *max_exclusive);
 
+// BN_MONTGOMERY_MAX_WORDS is the maximum numer of words allowed in a |BIGNUM|
+// used with Montgomery reduction. Ideally this limit would be applied to all
+// |BIGNUM|s, in |bn_wexpand|, but the exactfloat library needs to create 8 MiB
+// values for other operations.
+#define BN_MONTGOMERY_MAX_WORDS (8 * 1024 / sizeof(BN_ULONG))
+
 #if !defined(OPENSSL_NO_ASM) &&                         \
     (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
      defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
@@ -353,11 +371,16 @@ int bn_rand_secret_range(BIGNUM *r, int *out_is_uniform, BN_ULONG min_inclusive,
 // corresponding field in |BN_MONT_CTX|. It returns one if |bn_mul_mont| handles
 // inputs of this size and zero otherwise.
 //
+// If at least one of |ap| or |bp| is fully reduced, |rp| will be fully reduced.
+// If neither is fully-reduced, the output may not be either.
+//
+// This function allocates |num| words on the stack, so |num| should be at most
+// |BN_MONTGOMERY_MAX_WORDS|.
+//
 // TODO(davidben): The x86_64 implementation expects a 32-bit input and masks
 // off upper bits. The aarch64 implementation expects a 64-bit input and does
 // not. |size_t| is the safer option but not strictly correct for x86_64. But
-// this function implicitly already has a bound on the size of |num| because it
-// internally creates |num|-sized stack allocation.
+// the |BN_MONTGOMERY_MAX_WORDS| bound makes this moot.
 //
 // See also discussion in |ToWord| in abi_test.h for notes on smaller-than-word
 // inputs.
@@ -371,36 +394,39 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
 // bn_mul_mont_gather5 multiples loads index |power| of |table|, multiplies it
 // by |ap| modulo |np|, and stores the result in |rp|. The values are |num|
 // words long and represented in Montgomery form. |n0| is a pointer to the
-// corresponding field in |BN_MONT_CTX|.
+// corresponding field in |BN_MONT_CTX|. |table| must be aligned to at least
+// 16 bytes. |power| must be less than 32 and is treated as secret.
+//
+// WARNING: This function implements Almost Montgomery Multiplication from
+// https://eprint.iacr.org/2011/239. The inputs do not need to be fully reduced.
+// However, even if they are fully reduced, the output may not be.
 void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap,
                          const BN_ULONG *table, const BN_ULONG *np,
                          const BN_ULONG *n0, int num, int power);
 
 // bn_scatter5 stores |inp| to index |power| of |table|. |inp| and each entry of
-// |table| are |num| words long. |power| must be less than 32. |table| must be
-// 32*|num| words long.
+// |table| are |num| words long. |power| must be less than 32 and is treated as
+// public. |table| must be 32*|num| words long. |table| must be aligned to at
+// least 16 bytes.
 void bn_scatter5(const BN_ULONG *inp, size_t num, BN_ULONG *table,
                  size_t power);
 
 // bn_gather5 loads index |power| of |table| and stores it in |out|. |out| and
-// each entry of |table| are |num| words long. |power| must be less than 32.
-void bn_gather5(BN_ULONG *out, size_t num, BN_ULONG *table, size_t power);
+// each entry of |table| are |num| words long. |power| must be less than 32 and
+// is treated as secret. |table| must be aligned to at least 16 bytes.
+void bn_gather5(BN_ULONG *out, size_t num, const BN_ULONG *table, size_t power);
 
 // bn_power5 squares |ap| five times and multiplies it by the value stored at
 // index |power| of |table|, modulo |np|. It stores the result in |rp|. The
 // values are |num| words long and represented in Montgomery form. |n0| is a
 // pointer to the corresponding field in |BN_MONT_CTX|. |num| must be divisible
-// by 8.
+// by 8. |power| must be less than 32 and is treated as secret.
+//
+// WARNING: This function implements Almost Montgomery Multiplication from
+// https://eprint.iacr.org/2011/239. The inputs do not need to be fully reduced.
+// However, even if they are fully reduced, the output may not be.
 void bn_power5(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table,
                const BN_ULONG *np, const BN_ULONG *n0, int num, int power);
-
-// bn_from_montgomery converts |ap| from Montgomery form modulo |np| and writes
-// the result in |rp|, each of which is |num| words long. It returns one on
-// success and zero if it cannot handle inputs of length |num|. |n0| is a
-// pointer to the corresponding field in |BN_MONT_CTX|.
-int bn_from_montgomery(BN_ULONG *rp, const BN_ULONG *ap,
-                       const BN_ULONG *not_used, const BN_ULONG *np,
-                       const BN_ULONG *n0, int num);
 #endif  // !OPENSSL_NO_ASM && OPENSSL_X86_64
 
 uint64_t bn_mont_n0(const BIGNUM *n);
@@ -436,7 +462,7 @@ int bn_jacobi(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
 
 // bn_is_bit_set_words returns one if bit |bit| is set in |a| and zero
 // otherwise.
-int bn_is_bit_set_words(const BN_ULONG *a, size_t num, unsigned bit);
+int bn_is_bit_set_words(const BN_ULONG *a, size_t num, size_t bit);
 
 // bn_one_to_montgomery sets |r| to one in Montgomery form. It returns one on
 // success and zero on error. This function treats the bit width of the modulus
@@ -632,6 +658,15 @@ int bn_mod_inverse_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,
 int bn_mod_inverse_secret_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,
                                 BN_CTX *ctx, const BN_MONT_CTX *mont_p);
 
+// BN_MONT_CTX_set_locked takes |lock| and checks whether |*pmont| is NULL. If
+// so, it creates a new |BN_MONT_CTX| and sets the modulus for it to |mod|. It
+// then stores it as |*pmont|. It returns one on success and zero on error. Note
+// this function assumes |mod| is public.
+//
+// If |*pmont| is already non-NULL then it does nothing and returns one.
+int BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_MUTEX *lock,
+                           const BIGNUM *mod, BN_CTX *bn_ctx);
+
 
 // Low-level operations for small numbers.
 //
@@ -687,9 +722,10 @@ void bn_mod_mul_montgomery_small(BN_ULONG *r, const BN_ULONG *a,
 // bn_mod_exp_mont_small sets |r| to |a|^|p| mod |mont->N|. It returns one on
 // success and zero on programmer or internal error. Both inputs and outputs are
 // in the Montgomery domain. |r| and |a| are |num| words long, which must be
-// |mont->N.width| and at most |BN_SMALL_MAX_WORDS|. |a| must be fully-reduced.
-// This function runs in time independent of |a|, but |p| and |mont->N| are
-// public values. |a| must be fully-reduced and may alias with |r|.
+// |mont->N.width| and at most |BN_SMALL_MAX_WORDS|. |num_p|, measured in bits,
+// must fit in |size_t|. |a| must be fully-reduced. This function runs in time
+// independent of |a|, but |p| and |mont->N| are public values. |a| must be
+// fully-reduced and may alias with |r|.
 //
 // Note this function differs from |BN_mod_exp_mont| which uses Montgomery
 // reduction but takes input and output outside the Montgomery domain. Combine
@@ -708,6 +744,25 @@ void bn_mod_inverse0_prime_mont_small(BN_ULONG *r, const BN_ULONG *a,
                                       size_t num, const BN_MONT_CTX *mont);
 
 
+// Word-based byte conversion functions.
+
+// bn_big_endian_to_words interprets |in_len| bytes from |in| as a big-endian,
+// unsigned integer and writes the result to |out_len| words in |out|. |out_len|
+// must be large enough to represent any |in_len|-byte value. That is, |out_len|
+// must be at least |BN_BYTES * in_len|.
+void bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in,
+                            size_t in_len);
+
+// bn_words_to_big_endian represents |in_len| words from |in| as a big-endian,
+// unsigned integer in |out_len| bytes. It writes the result to |out|. |out_len|
+// must be large enough to represent |in| without truncation.
+//
+// Note |out_len| may be less than |BN_BYTES * in_len| if |in| is known to have
+// leading zeros.
+void bn_words_to_big_endian(uint8_t *out, size_t out_len, const BN_ULONG *in,
+                            size_t in_len);
+
+
 #if defined(__cplusplus)
 }  // extern C
 #endif

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c

@@ -116,7 +116,6 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/thread.h>
-#include <openssl/type_check.h>
 
 #include "internal.h"
 #include "../../internal.h"
@@ -173,6 +172,10 @@ static int bn_mont_ctx_set_N_and_n0(BN_MONT_CTX *mont, const BIGNUM *mod) {
     OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
     return 0;
   }
+  if (!bn_fits_in_words(mod, BN_MONTGOMERY_MAX_WORDS)) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
+    return 0;
+  }
 
   // Save the modulus.
   if (!BN_copy(&mont->N, mod)) {
@@ -190,11 +193,10 @@ static int bn_mont_ctx_set_N_and_n0(BN_MONT_CTX *mont, const BIGNUM *mod) {
   // others, we could use a shorter R value and use faster |BN_ULONG|-based
   // math instead of |uint64_t|-based math, which would be double-precision.
   // However, currently only the assembler files know which is which.
-  OPENSSL_STATIC_ASSERT(BN_MONT_CTX_N0_LIMBS == 1 || BN_MONT_CTX_N0_LIMBS == 2,
-                        "BN_MONT_CTX_N0_LIMBS value is invalid");
-  OPENSSL_STATIC_ASSERT(
-      sizeof(BN_ULONG) * BN_MONT_CTX_N0_LIMBS == sizeof(uint64_t),
-      "uint64_t is insufficient precision for n0");
+  static_assert(BN_MONT_CTX_N0_LIMBS == 1 || BN_MONT_CTX_N0_LIMBS == 2,
+                "BN_MONT_CTX_N0_LIMBS value is invalid");
+  static_assert(sizeof(BN_ULONG) * BN_MONT_CTX_N0_LIMBS == sizeof(uint64_t),
+                "uint64_t is insufficient precision for n0");
   uint64_t n0 = bn_mont_n0(&mont->N);
   mont->n0[0] = (BN_ULONG)n0;
 #if BN_MONT_CTX_N0_LIMBS == 2
@@ -430,6 +432,9 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
     if (!bn_wexpand(r, num)) {
       return 0;
     }
+    // This bound is implied by |bn_mont_ctx_set_N_and_n0|. |bn_mul_mont|
+    // allocates |num| words on the stack, so |num| cannot be too large.
+    assert((size_t)num <= BN_MONTGOMERY_MAX_WORDS);
     if (!bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) {
       // The check above ensures this won't happen.
       assert(0);

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c

@@ -22,11 +22,10 @@
 
 static uint64_t bn_neg_inv_mod_r_u64(uint64_t n);
 
-OPENSSL_STATIC_ASSERT(BN_MONT_CTX_N0_LIMBS == 1 || BN_MONT_CTX_N0_LIMBS == 2,
-                      "BN_MONT_CTX_N0_LIMBS value is invalid");
-OPENSSL_STATIC_ASSERT(sizeof(BN_ULONG) * BN_MONT_CTX_N0_LIMBS ==
-                          sizeof(uint64_t),
-                      "uint64_t is insufficient precision for n0");
+static_assert(BN_MONT_CTX_N0_LIMBS == 1 || BN_MONT_CTX_N0_LIMBS == 2,
+              "BN_MONT_CTX_N0_LIMBS value is invalid");
+static_assert(sizeof(BN_ULONG) * BN_MONT_CTX_N0_LIMBS == sizeof(uint64_t),
+              "uint64_t is insufficient precision for n0");
 
 // LG_LITTLE_R is log_2(r).
 #define LG_LITTLE_R (BN_MONT_CTX_N0_LIMBS * BN_BITS2)

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c

@@ -62,7 +62,6 @@
 
 #include <openssl/err.h>
 #include <openssl/mem.h>
-#include <openssl/type_check.h>
 
 #include "internal.h"
 #include "../../internal.h"
@@ -281,8 +280,8 @@ static void bn_mul_recursive(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
   BN_ULONG c_neg = c - bn_sub_words(&t[n2 * 2], t, &t[n2], n2);
   BN_ULONG c_pos = c + bn_add_words(&t[n2], t, &t[n2], n2);
   bn_select_words(&t[n2], neg, &t[n2 * 2], &t[n2], n2);
-  OPENSSL_STATIC_ASSERT(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
-                        "crypto_word_t is too small");
+  static_assert(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
+                "crypto_word_t is too small");
   c = constant_time_select_w(neg, c_neg, c_pos);
 
   // We now have our three components. Add them together.
@@ -395,8 +394,8 @@ static void bn_mul_part_recursive(BN_ULONG *r, const BN_ULONG *a,
   BN_ULONG c_neg = c - bn_sub_words(&t[n2 * 2], t, &t[n2], n2);
   BN_ULONG c_pos = c + bn_add_words(&t[n2], t, &t[n2], n2);
   bn_select_words(&t[n2], neg, &t[n2 * 2], &t[n2], n2);
-  OPENSSL_STATIC_ASSERT(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
-                        "crypto_word_t is too small");
+  static_assert(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
+                "crypto_word_t is too small");
   c = constant_time_select_w(neg, c_neg, c_pos);
 
   // We now have our three components. Add them together.

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c

@@ -359,6 +359,17 @@ static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,
 static int probable_prime_dh_safe(BIGNUM *rnd, int bits, const BIGNUM *add,
                                   const BIGNUM *rem, BN_CTX *ctx);
 
+BN_GENCB *BN_GENCB_new(void) {
+  BN_GENCB *callback = OPENSSL_malloc(sizeof(BN_GENCB));
+  if (callback == NULL) {
+    return NULL;
+  }
+  OPENSSL_memset(callback, 0, sizeof(BN_GENCB));
+  return callback;
+}
+
+void BN_GENCB_free(BN_GENCB *callback) { OPENSSL_free(callback); }
+
 void BN_GENCB_set(BN_GENCB *callback,
                   int (*f)(int event, int n, struct bn_gencb_st *),
                   void *arg) {
@@ -374,6 +385,8 @@ int BN_GENCB_call(BN_GENCB *callback, int event, int n) {
   return callback->callback(event, n, callback);
 }
 
+void *BN_GENCB_get_arg(const BN_GENCB *callback) { return callback->arg; }
+
 int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
                          const BIGNUM *rem, BN_GENCB *cb) {
   BIGNUM *t;