grpc 1.53.2 → 1.54.0

data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c

@@ -50,12 +50,13 @@
 
 #include <assert.h>
 
-#include <openssl/cpu.h>
 #include <openssl/cipher.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
-#include "../fipsmodule/cipher/internal.h"
+#include "../delocate.h"
+#include "../service_indicator/internal.h"
+#include "internal.h"
 
 
 struct ccm128_context {
@@ -275,14 +276,12 @@ struct aead_aes_ccm_ctx {
   struct ccm128_context ccm;
 };
 
-OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
-                          sizeof(struct aead_aes_ccm_ctx),
-                      "AEAD state is too small");
-#if defined(__GNUC__) || defined(__clang__)
-OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
-                          alignof(struct aead_aes_ccm_ctx),
-                      "AEAD state has insufficient alignment");
-#endif
+static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
+                  sizeof(struct aead_aes_ccm_ctx),
+              "AEAD state is too small");
+static_assert(alignof(union evp_aead_ctx_st_state) >=
+                  alignof(struct aead_aes_ccm_ctx),
+              "AEAD state has insufficient alignment");
 
 static int aead_aes_ccm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
                              size_t key_len, size_t tag_len, unsigned M,
@@ -351,6 +350,7 @@ static int aead_aes_ccm_seal_scatter(
   }
 
   *out_tag_len = ctx->tag_len;
+  AEAD_CCM_verify_service_indicator(ctx);
   return 1;
 }
 
@@ -391,6 +391,7 @@ static int aead_aes_ccm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,
     return 0;
   }
 
+  AEAD_CCM_verify_service_indicator(ctx);
   return 1;
 }
 
@@ -399,25 +400,18 @@ static int aead_aes_ccm_bluetooth_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
   return aead_aes_ccm_init(ctx, key, key_len, tag_len, 4, 2);
 }
 
-static const EVP_AEAD aead_aes_128_ccm_bluetooth = {
-    16,  // key length (AES-128)
-    13,  // nonce length
-    4,   // overhead
-    4,   // max tag length
-    0,   // seal_scatter_supports_extra_in
-
-    aead_aes_ccm_bluetooth_init,
-    NULL /* init_with_direction */,
-    aead_aes_ccm_cleanup,
-    NULL /* open */,
-    aead_aes_ccm_seal_scatter,
-    aead_aes_ccm_open_gather,
-    NULL /* get_iv */,
-    NULL /* tag_len */,
-};
+DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_ccm_bluetooth) {
+  memset(out, 0, sizeof(EVP_AEAD));
+
+  out->key_len = 16;
+  out->nonce_len = 13;
+  out->overhead = 4;
+  out->max_tag_len = 4;
 
-const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth(void) {
-  return &aead_aes_128_ccm_bluetooth;
+  out->init = aead_aes_ccm_bluetooth_init;
+  out->cleanup = aead_aes_ccm_cleanup;
+  out->seal_scatter = aead_aes_ccm_seal_scatter;
+  out->open_gather = aead_aes_ccm_open_gather;
 }
 
 static int aead_aes_ccm_bluetooth_8_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
@@ -425,23 +419,35 @@ static int aead_aes_ccm_bluetooth_8_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
   return aead_aes_ccm_init(ctx, key, key_len, tag_len, 8, 2);
 }
 
-static const EVP_AEAD aead_aes_128_ccm_bluetooth_8 = {
-    16,  // key length (AES-128)
-    13,  // nonce length
-    8,   // overhead
-    8,   // max tag length
-    0,   // seal_scatter_supports_extra_in
-
-    aead_aes_ccm_bluetooth_8_init,
-    NULL /* init_with_direction */,
-    aead_aes_ccm_cleanup,
-    NULL /* open */,
-    aead_aes_ccm_seal_scatter,
-    aead_aes_ccm_open_gather,
-    NULL /* get_iv */,
-    NULL /* tag_len */,
-};
+DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_ccm_bluetooth_8) {
+  memset(out, 0, sizeof(EVP_AEAD));
+
+  out->key_len = 16;
+  out->nonce_len = 13;
+  out->overhead = 8;
+  out->max_tag_len = 8;
+
+  out->init = aead_aes_ccm_bluetooth_8_init;
+  out->cleanup = aead_aes_ccm_cleanup;
+  out->seal_scatter = aead_aes_ccm_seal_scatter;
+  out->open_gather = aead_aes_ccm_open_gather;
+}
+
+static int aead_aes_ccm_matter_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
+                                    size_t key_len, size_t tag_len) {
+  return aead_aes_ccm_init(ctx, key, key_len, tag_len, 16, 2);
+}
+
+DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_ccm_matter) {
+  memset(out, 0, sizeof(EVP_AEAD));
+
+  out->key_len = 16;
+  out->nonce_len = 13;
+  out->overhead = 16;
+  out->max_tag_len = 16;
 
-const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth_8(void) {
-  return &aead_aes_128_ccm_bluetooth_8;
+  out->init = aead_aes_ccm_matter_init;
+  out->cleanup = aead_aes_ccm_cleanup;
+  out->seal_scatter = aead_aes_ccm_seal_scatter;
+  out->open_gather = aead_aes_ccm_open_gather;
 }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h

@@ -112,6 +112,45 @@ struct evp_aead_st {
                     size_t extra_in_len);
 };
 
+struct evp_cipher_st {
+  // type contains a NID identifying the cipher. (e.g. NID_aes_128_gcm.)
+  int nid;
+
+  // block_size contains the block size, in bytes, of the cipher, or 1 for a
+  // stream cipher.
+  unsigned block_size;
+
+  // key_len contains the key size, in bytes, for the cipher. If the cipher
+  // takes a variable key size then this contains the default size.
+  unsigned key_len;
+
+  // iv_len contains the IV size, in bytes, or zero if inapplicable.
+  unsigned iv_len;
+
+  // ctx_size contains the size, in bytes, of the per-key context for this
+  // cipher.
+  unsigned ctx_size;
+
+  // flags contains the OR of a number of flags. See |EVP_CIPH_*|.
+  uint32_t flags;
+
+  // app_data is a pointer to opaque, user data.
+  void *app_data;
+
+  int (*init)(EVP_CIPHER_CTX *ctx, const uint8_t *key, const uint8_t *iv,
+              int enc);
+
+  int (*cipher)(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+                size_t inl);
+
+  // cleanup, if non-NULL, releases memory associated with the context. It is
+  // called if |EVP_CTRL_INIT| succeeds. Note that |init| may not have been
+  // called at this point.
+  void (*cleanup)(EVP_CIPHER_CTX *);
+
+  int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
+};
+
 // aes_ctr_set_key initialises |*aes_key| using |key_bytes| bytes from |key|,
 // where |key_bytes| must either be 16, 24 or 32. If not NULL, |*out_block| is
 // set to a function that encrypts single blocks. If not NULL, |*gcm_key| is

data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c

@@ -49,13 +49,15 @@
 #include <openssl/cmac.h>
 
 #include <assert.h>
+#include <limits.h>
 #include <string.h>
 
 #include <openssl/aes.h>
 #include <openssl/cipher.h>
 #include <openssl/mem.h>
 
-#include "../internal.h"
+#include "../../internal.h"
+#include "../service_indicator/internal.h"
 
 
 struct cmac_ctx_st {
@@ -85,6 +87,8 @@ int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len,
              const uint8_t *in, size_t in_len) {
   const EVP_CIPHER *cipher;
   switch (key_len) {
+    // WARNING: this code assumes that all supported key sizes are FIPS
+    // Approved.
     case 16:
       cipher = EVP_aes_128_cbc();
       break;
@@ -99,10 +103,17 @@ int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len,
   CMAC_CTX ctx;
   CMAC_CTX_init(&ctx);
 
+  // We have to verify that all the CMAC services actually succeed before
+  // updating the indicator state, so we lock the state here.
+  FIPS_service_indicator_lock_state();
   const int ok = CMAC_Init(&ctx, key, key_len, cipher, NULL /* engine */) &&
                  CMAC_Update(&ctx, in, in_len) &&
                  CMAC_Final(&ctx, out, &scratch_out_len);
+  FIPS_service_indicator_unlock_state();
 
+  if (ok) {
+    FIPS_service_indicator_update_state();
+  }
   CMAC_CTX_cleanup(&ctx);
   return ok;
 }
@@ -173,8 +184,13 @@ static const uint8_t kZeroIV[AES_BLOCK_SIZE] = {0};
 
 int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,
               const EVP_CIPHER *cipher, ENGINE *engine) {
+  int ret = 0;
   uint8_t scratch[AES_BLOCK_SIZE];
 
+  // We have to avoid the underlying AES-CBC |EVP_CIPHER| services updating the
+  // indicator state, so we lock the state here.
+  FIPS_service_indicator_lock_state();
+
   size_t block_size = EVP_CIPHER_block_size(cipher);
   if ((block_size != AES_BLOCK_SIZE && block_size != 8 /* 3-DES */) ||
       EVP_CIPHER_key_length(cipher) != key_len ||
@@ -182,7 +198,7 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,
       !EVP_Cipher(&ctx->cipher_ctx, scratch, kZeroIV, block_size) ||
       // Reset context again ready for first data.
       !EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV)) {
-    return 0;
+    goto out;
   }
 
   if (block_size == AES_BLOCK_SIZE) {
@@ -193,8 +209,11 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,
     binary_field_mul_x_64(ctx->k2, ctx->k1);
   }
   ctx->block_used = 0;
+  ret = 1;
 
-  return 1;
+out:
+  FIPS_service_indicator_unlock_state();
+  return ret;
 }
 
 int CMAC_Reset(CMAC_CTX *ctx) {
@@ -203,6 +222,12 @@ int CMAC_Reset(CMAC_CTX *ctx) {
 }
 
 int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) {
+  int ret = 0;
+
+  // We have to avoid the underlying AES-CBC |EVP_Cipher| services updating the
+  // indicator state, so we lock the state here.
+  FIPS_service_indicator_lock_state();
+
   size_t block_size = EVP_CIPHER_CTX_block_size(&ctx->cipher_ctx);
   assert(block_size <= AES_BLOCK_SIZE);
   uint8_t scratch[AES_BLOCK_SIZE];
@@ -224,38 +249,51 @@ int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) {
     // case we don't want to process this block now because it might be the last
     // block and that block is treated specially.
     if (in_len == 0) {
-      return 1;
+      ret = 1;
+      goto out;
     }
 
     assert(ctx->block_used == block_size);
 
     if (!EVP_Cipher(&ctx->cipher_ctx, scratch, ctx->block, block_size)) {
-      return 0;
+      goto out;
     }
   }
 
   // Encrypt all but one of the remaining blocks.
   while (in_len > block_size) {
     if (!EVP_Cipher(&ctx->cipher_ctx, scratch, in, block_size)) {
-      return 0;
+      goto out;
     }
     in += block_size;
     in_len -= block_size;
   }
 
   OPENSSL_memcpy(ctx->block, in, in_len);
-  ctx->block_used = in_len;
-
-  return 1;
+  // |in_len| is bounded by |block_size|, which fits in |unsigned|.
+  static_assert(EVP_MAX_BLOCK_LENGTH < UINT_MAX,
+                "EVP_MAX_BLOCK_LENGTH is too large");
+  ctx->block_used = (unsigned)in_len;
+  ret = 1;
+
+out:
+  FIPS_service_indicator_unlock_state();
+  return ret;
 }
 
 int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len) {
+  int ret = 0;
   size_t block_size = EVP_CIPHER_CTX_block_size(&ctx->cipher_ctx);
   assert(block_size <= AES_BLOCK_SIZE);
 
+  // We have to avoid the underlying AES-CBC |EVP_Cipher| services updating the
+  // indicator state, so we lock the state here.
+  FIPS_service_indicator_lock_state();
+
   *out_len = block_size;
   if (out == NULL) {
-    return 1;
+    ret = 1;
+    goto out;
   }
 
   const uint8_t *mask = ctx->k1;
@@ -273,6 +311,12 @@ int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len) {
   for (unsigned i = 0; i < block_size; i++) {
     out[i] = ctx->block[i] ^ mask[i];
   }
+  ret = EVP_Cipher(&ctx->cipher_ctx, out, out, block_size);
 
-  return EVP_Cipher(&ctx->cipher_ctx, out, out, block_size);
+out:
+  FIPS_service_indicator_unlock_state();
+  if (ret) {
+    FIPS_service_indicator_update_state();
+  }
+  return ret;
 }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c

@@ -58,6 +58,8 @@
 
 #include <openssl/bn.h>
 
+#include "internal.h"
+
 
 int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) {
   *out_flags = 0;
@@ -165,9 +167,6 @@ int DH_check(const DH *dh, int *out_flags) {
     if (!BN_is_one(t2)) {
       *out_flags |= DH_CHECK_INVALID_Q_VALUE;
     }
-    if (dh->j && BN_cmp(dh->j, t1)) {
-      *out_flags |= DH_CHECK_INVALID_J_VALUE;
-    }
   } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
     l = BN_mod_word(dh->p, 24);
     if (l == (BN_ULONG)-1) {

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c

@@ -66,6 +66,8 @@
 
 #include "../../internal.h"
 #include "../bn/internal.h"
+#include "../service_indicator/internal.h"
+#include "internal.h"
 
 
 #define OPENSSL_DH_MAX_MODULUS_BITS 10000
@@ -73,7 +75,6 @@
 DH *DH_new(void) {
   DH *dh = OPENSSL_malloc(sizeof(DH));
   if (dh == NULL) {
-    OPENSSL_PUT_ERROR(DH, ERR_R_MALLOC_FAILURE);
     return NULL;
   }
 
@@ -99,9 +100,6 @@ void DH_free(DH *dh) {
   BN_clear_free(dh->p);
   BN_clear_free(dh->g);
   BN_clear_free(dh->q);
-  BN_clear_free(dh->j);
-  OPENSSL_free(dh->seed);
-  BN_clear_free(dh->counter);
   BN_clear_free(dh->pub_key);
   BN_clear_free(dh->priv_key);
   CRYPTO_MUTEX_cleanup(&dh->method_mont_p_lock);
@@ -109,6 +107,8 @@ void DH_free(DH *dh) {
   OPENSSL_free(dh);
 }
 
+unsigned DH_bits(const DH *dh) { return BN_num_bits(dh->p); }
+
 const BIGNUM *DH_get0_pub_key(const DH *dh) { return dh->pub_key; }
 
 const BIGNUM *DH_get0_priv_key(const DH *dh) { return dh->priv_key; }
@@ -186,6 +186,8 @@ int DH_set_length(DH *dh, unsigned priv_length) {
 }
 
 int DH_generate_key(DH *dh) {
+  boringssl_ensure_ffdh_self_test();
+
   int ok = 0;
   int generate_new_key = 0;
   BN_CTX *ctx = NULL;
@@ -322,7 +324,8 @@ static int dh_compute_key(DH *dh, BIGNUM *out_shared_key,
   return ret;
 }
 
-int DH_compute_key_padded(unsigned char *out, const BIGNUM *peers_key, DH *dh) {
+int dh_compute_key_padded_no_self_test(unsigned char *out,
+                                       const BIGNUM *peers_key, DH *dh) {
   BN_CTX *ctx = BN_CTX_new();
   if (ctx == NULL) {
     return -1;
@@ -343,7 +346,15 @@ int DH_compute_key_padded(unsigned char *out, const BIGNUM *peers_key, DH *dh) {
   return ret;
 }
 
+int DH_compute_key_padded(unsigned char *out, const BIGNUM *peers_key, DH *dh) {
+  boringssl_ensure_ffdh_self_test();
+
+  return dh_compute_key_padded_no_self_test(out, peers_key, dh);
+}
+
 int DH_compute_key(unsigned char *out, const BIGNUM *peers_key, DH *dh) {
+  boringssl_ensure_ffdh_self_test();
+
   BN_CTX *ctx = BN_CTX_new();
   if (ctx == NULL) {
     return -1;
@@ -353,7 +364,8 @@ int DH_compute_key(unsigned char *out, const BIGNUM *peers_key, DH *dh) {
   int ret = -1;
   BIGNUM *shared_key = BN_CTX_get(ctx);
   if (shared_key && dh_compute_key(dh, shared_key, peers_key, ctx)) {
-    ret = BN_bn2bin(shared_key, out);
+    // A |BIGNUM|'s byte count fits in |int|.
+    ret = (int)BN_bn2bin(shared_key, out);
   }
 
   BN_CTX_end(ctx);
@@ -371,6 +383,8 @@ int DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len,
     return 0;
   }
 
+  FIPS_service_indicator_lock_state();
+
   int ret = 0;
   const size_t dh_len = DH_size(dh);
   uint8_t *shared_bytes = OPENSSL_malloc(dh_len);
@@ -392,6 +406,7 @@ int DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len,
   ret = 1;
 
  err:
+  FIPS_service_indicator_unlock_state();
   OPENSSL_free(shared_bytes);
   return ret;
 }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h

@@ -0,0 +1,56 @@
+/* Copyright (c) 2022, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_DH_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_DH_INTERNAL_H
+
+#include <openssl/base.h>
+
+#include <openssl/thread.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+struct dh_st {
+  BIGNUM *p;
+  BIGNUM *g;
+  BIGNUM *q;
+  BIGNUM *pub_key;   // g^x mod p
+  BIGNUM *priv_key;  // x
+
+  // priv_length contains the length, in bits, of the private value. If zero,
+  // the private value will be the same length as |p|.
+  unsigned priv_length;
+
+  CRYPTO_MUTEX method_mont_p_lock;
+  BN_MONT_CTX *method_mont_p;
+
+  int flags;
+  CRYPTO_refcount_t references;
+};
+
+// dh_compute_key_padded_no_self_test does the same as |DH_compute_key_padded|,
+// but doesn't try to run the self-test first. This is for use in the self tests
+// themselves, to prevent an infinite loop.
+int dh_compute_key_padded_no_self_test(unsigned char *out,
+                                       const BIGNUM *peers_key, DH *dh);
+
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_FIPSMODULE_DH_INTERNAL_H

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c

@@ -106,6 +106,11 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) {
   return 1;
 }
 
+void EVP_MD_CTX_cleanse(EVP_MD_CTX *ctx) {
+  OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size);
+  EVP_MD_CTX_cleanup(ctx);
+}
+
 void EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
   if (!ctx) {
     return;
@@ -139,7 +144,6 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) {
   if (in->pctx) {
     pctx = in->pctx_ops->dup(in->pctx);
     if (!pctx) {
-      OPENSSL_PUT_ERROR(DIGEST, ERR_R_MALLOC_FAILURE);
       return 0;
     }
   }
@@ -153,7 +157,6 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) {
         if (pctx) {
           in->pctx_ops->free(pctx);
         }
-        OPENSSL_PUT_ERROR(DIGEST, ERR_R_MALLOC_FAILURE);
         return 0;
       }
     } else {
@@ -202,7 +205,6 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *engine) {
     assert(type->ctx_size != 0);
     uint8_t *md_data = OPENSSL_malloc(type->ctx_size);
     if (md_data == NULL) {
-      OPENSSL_PUT_ERROR(DIGEST, ERR_R_MALLOC_FAILURE);
       return 0;
     }