grpc 1.55.0 → 1.56.0

data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c

@@ -53,6 +53,17 @@ struct evp_hpke_kem_st {
   int (*decap)(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
                size_t *out_shared_secret_len, const uint8_t *enc,
                size_t enc_len);
+  int (*auth_encap_with_seed)(const EVP_HPKE_KEY *key,
+                              uint8_t *out_shared_secret,
+                              size_t *out_shared_secret_len, uint8_t *out_enc,
+                              size_t *out_enc_len, size_t max_enc,
+                              const uint8_t *peer_public_key,
+                              size_t peer_public_key_len, const uint8_t *seed,
+                              size_t seed_len);
+  int (*auth_decap)(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
+                    size_t *out_shared_secret_len, const uint8_t *enc,
+                    size_t enc_len, const uint8_t *peer_public_key,
+                    size_t peer_public_key_len);
 };
 
 struct evp_hpke_kdf_st {
@@ -211,6 +222,76 @@ static int x25519_decap(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
   return 1;
 }
 
+static int x25519_auth_encap_with_seed(
+    const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
+    size_t *out_shared_secret_len, uint8_t *out_enc, size_t *out_enc_len,
+    size_t max_enc, const uint8_t *peer_public_key, size_t peer_public_key_len,
+    const uint8_t *seed, size_t seed_len) {
+  if (max_enc < X25519_PUBLIC_VALUE_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
+    return 0;
+  }
+  if (seed_len != X25519_PRIVATE_KEY_LEN) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+  X25519_public_from_private(out_enc, seed);
+
+  uint8_t dh[2 * X25519_SHARED_KEY_LEN];
+  if (peer_public_key_len != X25519_PUBLIC_VALUE_LEN ||
+      !X25519(dh, seed, peer_public_key) ||
+      !X25519(dh + X25519_SHARED_KEY_LEN, key->private_key, peer_public_key)) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+    return 0;
+  }
+
+  uint8_t kem_context[3 * X25519_PUBLIC_VALUE_LEN];
+  OPENSSL_memcpy(kem_context, out_enc, X25519_PUBLIC_VALUE_LEN);
+  OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, peer_public_key,
+                 X25519_PUBLIC_VALUE_LEN);
+  OPENSSL_memcpy(kem_context + 2 * X25519_PUBLIC_VALUE_LEN, key->public_key,
+                 X25519_PUBLIC_VALUE_LEN);
+  if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,
+                                SHA256_DIGEST_LENGTH, dh, sizeof(dh),
+                                kem_context, sizeof(kem_context))) {
+    return 0;
+  }
+
+  *out_enc_len = X25519_PUBLIC_VALUE_LEN;
+  *out_shared_secret_len = SHA256_DIGEST_LENGTH;
+  return 1;
+}
+
+static int x25519_auth_decap(const EVP_HPKE_KEY *key,
+                             uint8_t *out_shared_secret,
+                             size_t *out_shared_secret_len, const uint8_t *enc,
+                             size_t enc_len, const uint8_t *peer_public_key,
+                             size_t peer_public_key_len) {
+  uint8_t dh[2 * X25519_SHARED_KEY_LEN];
+  if (enc_len != X25519_PUBLIC_VALUE_LEN ||
+      peer_public_key_len != X25519_PUBLIC_VALUE_LEN ||
+      !X25519(dh, key->private_key, enc) ||
+      !X25519(dh + X25519_SHARED_KEY_LEN, key->private_key, peer_public_key)) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+    return 0;
+  }
+
+  uint8_t kem_context[3 * X25519_PUBLIC_VALUE_LEN];
+  OPENSSL_memcpy(kem_context, enc, X25519_PUBLIC_VALUE_LEN);
+  OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, key->public_key,
+                 X25519_PUBLIC_VALUE_LEN);
+  OPENSSL_memcpy(kem_context + 2 * X25519_PUBLIC_VALUE_LEN, peer_public_key,
+                 X25519_PUBLIC_VALUE_LEN);
+  if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,
+                                SHA256_DIGEST_LENGTH, dh, sizeof(dh),
+                                kem_context, sizeof(kem_context))) {
+    return 0;
+  }
+
+  *out_shared_secret_len = SHA256_DIGEST_LENGTH;
+  return 1;
+}
+
 const EVP_HPKE_KEM *EVP_hpke_x25519_hkdf_sha256(void) {
   static const EVP_HPKE_KEM kKEM = {
       /*id=*/EVP_HPKE_DHKEM_X25519_HKDF_SHA256,
@@ -222,6 +303,8 @@ const EVP_HPKE_KEM *EVP_hpke_x25519_hkdf_sha256(void) {
       x25519_generate_key,
       x25519_encap_with_seed,
       x25519_decap,
+      x25519_auth_encap_with_seed,
+      x25519_auth_decap,
   };
   return &kKEM;
 }
@@ -373,8 +456,10 @@ static int hpke_build_suite_id(const EVP_HPKE_CTX *ctx,
 }
 
 #define HPKE_MODE_BASE 0
+#define HPKE_MODE_AUTH 2
 
-static int hpke_key_schedule(EVP_HPKE_CTX *ctx, const uint8_t *shared_secret,
+static int hpke_key_schedule(EVP_HPKE_CTX *ctx, uint8_t mode,
+                             const uint8_t *shared_secret,
                              size_t shared_secret_len, const uint8_t *info,
                              size_t info_len) {
   uint8_t suite_id[HPKE_SUITE_ID_LEN];
@@ -407,7 +492,7 @@ static int hpke_key_schedule(EVP_HPKE_CTX *ctx, const uint8_t *shared_secret,
   size_t context_len;
   CBB context_cbb;
   CBB_init_fixed(&context_cbb, context, sizeof(context));
-  if (!CBB_add_u8(&context_cbb, HPKE_MODE_BASE) ||
+  if (!CBB_add_u8(&context_cbb, mode) ||
       !CBB_add_bytes(&context_cbb, psk_id_hash, psk_id_hash_len) ||
       !CBB_add_bytes(&context_cbb, info_hash, info_hash_len) ||
       !CBB_finish(&context_cbb, NULL, &context_len)) {
@@ -507,8 +592,8 @@ int EVP_HPKE_CTX_setup_sender_with_seed_for_testing(
   if (!kem->encap_with_seed(kem, shared_secret, &shared_secret_len, out_enc,
                             out_enc_len, max_enc, peer_public_key,
                             peer_public_key_len, seed, seed_len) ||
-      !hpke_key_schedule(ctx, shared_secret, shared_secret_len, info,
-                         info_len)) {
+      !hpke_key_schedule(ctx, HPKE_MODE_BASE, shared_secret, shared_secret_len,
+                         info, info_len)) {
     EVP_HPKE_CTX_cleanup(ctx);
     return 0;
   }
@@ -528,8 +613,79 @@ int EVP_HPKE_CTX_setup_recipient(EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key,
   uint8_t shared_secret[MAX_SHARED_SECRET_LEN];
   size_t shared_secret_len;
   if (!key->kem->decap(key, shared_secret, &shared_secret_len, enc, enc_len) ||
-      !hpke_key_schedule(ctx, shared_secret, shared_secret_len, info,
-                         info_len)) {
+      !hpke_key_schedule(ctx, HPKE_MODE_BASE, shared_secret, shared_secret_len,
+                         info, info_len)) {
+    EVP_HPKE_CTX_cleanup(ctx);
+    return 0;
+  }
+  return 1;
+}
+
+
+int EVP_HPKE_CTX_setup_auth_sender(
+    EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
+    const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
+    const uint8_t *peer_public_key, size_t peer_public_key_len,
+    const uint8_t *info, size_t info_len) {
+  uint8_t seed[MAX_SEED_LEN];
+  RAND_bytes(seed, key->kem->seed_len);
+  return EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing(
+      ctx, out_enc, out_enc_len, max_enc, key, kdf, aead, peer_public_key,
+      peer_public_key_len, info, info_len, seed, key->kem->seed_len);
+}
+
+int EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing(
+    EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
+    const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
+    const uint8_t *peer_public_key, size_t peer_public_key_len,
+    const uint8_t *info, size_t info_len, const uint8_t *seed,
+    size_t seed_len) {
+  if (key->kem->auth_encap_with_seed == NULL) {
+    // Not all HPKE KEMs support AuthEncap.
+    OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
+    return 0;
+  }
+
+  EVP_HPKE_CTX_zero(ctx);
+  ctx->is_sender = 1;
+  ctx->kem = key->kem;
+  ctx->kdf = kdf;
+  ctx->aead = aead;
+  uint8_t shared_secret[MAX_SHARED_SECRET_LEN];
+  size_t shared_secret_len;
+  if (!key->kem->auth_encap_with_seed(
+          key, shared_secret, &shared_secret_len, out_enc, out_enc_len, max_enc,
+          peer_public_key, peer_public_key_len, seed, seed_len) ||
+      !hpke_key_schedule(ctx, HPKE_MODE_AUTH, shared_secret, shared_secret_len,
+                         info, info_len)) {
+    EVP_HPKE_CTX_cleanup(ctx);
+    return 0;
+  }
+  return 1;
+}
+
+int EVP_HPKE_CTX_setup_auth_recipient(
+    EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf,
+    const EVP_HPKE_AEAD *aead, const uint8_t *enc, size_t enc_len,
+    const uint8_t *info, size_t info_len, const uint8_t *peer_public_key,
+    size_t peer_public_key_len) {
+  if (key->kem->auth_decap == NULL) {
+    // Not all HPKE KEMs support AuthDecap.
+    OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
+    return 0;
+  }
+
+  EVP_HPKE_CTX_zero(ctx);
+  ctx->is_sender = 0;
+  ctx->kem = key->kem;
+  ctx->kdf = kdf;
+  ctx->aead = aead;
+  uint8_t shared_secret[MAX_SHARED_SECRET_LEN];
+  size_t shared_secret_len;
+  if (!key->kem->auth_decap(key, shared_secret, &shared_secret_len, enc,
+                            enc_len, peer_public_key, peer_public_key_len) ||
+      !hpke_key_schedule(ctx, HPKE_MODE_AUTH, shared_secret, shared_secret_len,
+                         info, info_len)) {
     EVP_HPKE_CTX_cleanup(ctx);
     return 0;
   }

data/third_party/boringssl-with-bazel/src/crypto/internal.h

@@ -548,6 +548,24 @@ OPENSSL_EXPORT void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void));
 #define OPENSSL_C11_ATOMIC
 #endif
 
+// Older MSVC does not support C11 atomics, so we fallback to the Windows APIs.
+// This can be removed once we can rely on
+// https://devblogs.microsoft.com/cppblog/c11-atomics-in-visual-studio-2022-version-17-5-preview-2/
+#if !defined(OPENSSL_C11_ATOMIC) && defined(OPENSSL_THREADS) && \
+    defined(OPENSSL_WINDOWS)
+#define OPENSSL_WINDOWS_ATOMIC
+#endif
+
+// Require some atomics implementation. Contact BoringSSL maintainers if you
+// have a platform with fails this check.
+//
+// Note this check can only be done in C. From C++, we don't know whether the
+// corresponding C mode would support C11 atomics.
+#if !defined(__cplusplus) && defined(OPENSSL_THREADS) && \
+    !defined(OPENSSL_C11_ATOMIC) && !defined(OPENSSL_WINDOWS_ATOMIC)
+#error "Thread-compatible configurations require atomics"
+#endif
+
 // CRYPTO_REFCOUNT_MAX is the value at which the reference count saturates.
 #define CRYPTO_REFCOUNT_MAX 0xffffffff
 

data/third_party/boringssl-with-bazel/src/crypto/kyber/kyber.c

@@ -230,7 +230,7 @@ static void scalar_sub(scalar *lhs, const scalar *rhs) {
 static void scalar_mult(scalar *out, const scalar *lhs, const scalar *rhs) {
   for (int i = 0; i < DEGREE / 2; i++) {
     uint32_t real_real = (uint32_t)lhs->c[2 * i] * rhs->c[2 * i];
-    uint32_t img_img = (uint32_t)rhs->c[2 * i + 1] * lhs->c[2 * i + 1];
+    uint32_t img_img = (uint32_t)lhs->c[2 * i + 1] * rhs->c[2 * i + 1];
     uint32_t real_img = (uint32_t)lhs->c[2 * i] * rhs->c[2 * i + 1];
     uint32_t img_real = (uint32_t)lhs->c[2 * i + 1] * rhs->c[2 * i];
     out->c[2 * i] =
@@ -283,16 +283,23 @@ static void scalar_inner_product(scalar *out, const vector *lhs,
 // operates on public inputs.
 static void scalar_from_keccak_vartime(scalar *out,
                                        struct BORINGSSL_keccak_st *keccak_ctx) {
-  uint8_t bytes[3];
-  for (int i = 0; i < DEGREE;) {
-    BORINGSSL_keccak_squeeze(keccak_ctx, bytes, sizeof(bytes));
-    uint16_t d1 = bytes[0] + 256 * (bytes[1] % 16);
-    uint16_t d2 = bytes[1] / 16 + 16 * bytes[2];
-    if (d1 < kPrime) {
-      out->c[i++] = d1;
-    }
-    if (d2 < kPrime && i < DEGREE) {
-      out->c[i++] = d2;
+  assert(keccak_ctx->offset == 0);
+  assert(keccak_ctx->rate_bytes == 168);
+  static_assert(168 % 3 == 0, "block and coefficient boundaries do not align");
+
+  int done = 0;
+  while (done < DEGREE) {
+    uint8_t block[168];
+    BORINGSSL_keccak_squeeze(keccak_ctx, block, sizeof(block));
+    for (size_t i = 0; i < sizeof(block) && done < DEGREE; i += 3) {
+      uint16_t d1 = block[i] + 256 * (block[i + 1] % 16);
+      uint16_t d2 = block[i + 1] / 16 + 16 * block[i + 2];
+      if (d1 < kPrime) {
+        out->c[done++] = d1;
+      }
+      if (d2 < kPrime && done < DEGREE) {
+        out->c[done++] = d2;
+      }
     }
   }
 }

data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h

@@ -57,7 +57,7 @@
 /* This file is generated by crypto/obj/objects.go. */
 
 
-#define NUM_NID 967
+#define NUM_NID 965
 
 static const uint8_t kObjectData[] = {
     /* NID_rsadsi */
@@ -8777,14 +8777,13 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
     {"AuthPSK", "auth-psk", NID_auth_psk, 0, NULL, 0},
     {"KxANY", "kx-any", NID_kx_any, 0, NULL, 0},
     {"AuthANY", "auth-any", NID_auth_any, 0, NULL, 0},
-    {"CECPQ2", "CECPQ2", NID_CECPQ2, 0, NULL, 0},
+    {NULL, NULL, NID_undef, 0, NULL, 0},
     {"ED448", "ED448", NID_ED448, 3, &kObjectData[6181], 0},
     {"X448", "X448", NID_X448, 3, &kObjectData[6184], 0},
     {"SHA512-256", "sha512-256", NID_sha512_256, 9, &kObjectData[6187], 0},
     {"HKDF", "hkdf", NID_hkdf, 0, NULL, 0},
-    {"X25519Kyber768", "X25519Kyber768", NID_X25519Kyber768, 0, NULL, 0},
-    {"P256Kyber768", "P256Kyber768", NID_P256Kyber768, 0, NULL, 0},
-    {"P384Kyber768", "P384Kyber768", NID_P384Kyber768, 0, NULL, 0},
+    {"X25519Kyber768Draft00", "X25519Kyber768Draft00",
+     NID_X25519Kyber768Draft00, 0, NULL, 0},
 };
 
 static const uint16_t kNIDsInShortNameOrder[] = {
@@ -8846,7 +8845,6 @@ static const uint16_t kNIDsInShortNameOrder[] = {
     110 /* CAST5-CFB */,
     109 /* CAST5-ECB */,
     111 /* CAST5-OFB */,
-    959 /* CECPQ2 */,
     894 /* CMAC */,
     13 /* CN */,
     141 /* CRLReason */,
@@ -8918,8 +8916,6 @@ static const uint16_t kNIDsInShortNameOrder[] = {
     18 /* OU */,
     749 /* Oakley-EC2N-3 */,
     750 /* Oakley-EC2N-4 */,
-    965 /* P256Kyber768 */,
-    966 /* P384Kyber768 */,
     9 /* PBE-MD2-DES */,
     168 /* PBE-MD2-RC2-64 */,
     10 /* PBE-MD5-DES */,
@@ -8986,7 +8982,7 @@ static const uint16_t kNIDsInShortNameOrder[] = {
     458 /* UID */,
     0 /* UNDEF */,
     948 /* X25519 */,
-    964 /* X25519Kyber768 */,
+    964 /* X25519Kyber768Draft00 */,
     961 /* X448 */,
     11 /* X500 */,
     378 /* X500algorithms */,
@@ -9758,7 +9754,6 @@ static const uint16_t kNIDsInLongNameOrder[] = {
     285 /* Biometric Info */,
     179 /* CA Issuers */,
     785 /* CA Repository */,
-    959 /* CECPQ2 */,
     131 /* Code Signing */,
     783 /* Diffie-Hellman based MAC */,
     382 /* Directory */,
@@ -9834,8 +9829,6 @@ static const uint16_t kNIDsInLongNameOrder[] = {
     366 /* OCSP Nonce */,
     371 /* OCSP Service Locator */,
     180 /* OCSP Signing */,
-    965 /* P256Kyber768 */,
-    966 /* P384Kyber768 */,
     161 /* PBES2 */,
     69 /* PBKDF2 */,
     162 /* PBMAC1 */,
@@ -9860,7 +9853,7 @@ static const uint16_t kNIDsInLongNameOrder[] = {
     133 /* Time Stamping */,
     375 /* Trust Root */,
     948 /* X25519 */,
-    964 /* X25519Kyber768 */,
+    964 /* X25519Kyber768Draft00 */,
     961 /* X448 */,
     12 /* X509 */,
     402 /* X509v3 AC Targeting */,

data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c

@@ -78,7 +78,8 @@
 static int load_iv(char **fromp, unsigned char *to, size_t num);
 static int check_pem(const char *nm, const char *name);
 
-void PEM_proc_type(char *buf, int type) {
+// PEM_proc_type appends a Proc-Type header to |buf|, determined by |type|.
+static void PEM_proc_type(char buf[PEM_BUFSIZE], int type) {
   const char *str;
 
   if (type == PEM_TYPE_ENCRYPTED) {
@@ -96,24 +97,27 @@ void PEM_proc_type(char *buf, int type) {
   OPENSSL_strlcat(buf, "\n", PEM_BUFSIZE);
 }
 
-void PEM_dek_info(char *buf, const char *type, int len, char *str) {
+// PEM_dek_info appends a DEK-Info header to |buf|, with an algorithm of |type|
+// and a single parameter, specified by hex-encoding |len| bytes from |str|.
+static void PEM_dek_info(char buf[PEM_BUFSIZE], const char *type, size_t len,
+                         char *str) {
   static const unsigned char map[17] = "0123456789ABCDEF";
-  long i;
-  int j;
 
   OPENSSL_strlcat(buf, "DEK-Info: ", PEM_BUFSIZE);
   OPENSSL_strlcat(buf, type, PEM_BUFSIZE);
   OPENSSL_strlcat(buf, ",", PEM_BUFSIZE);
-  j = strlen(buf);
-  if (j + (len * 2) + 1 > PEM_BUFSIZE) {
+  size_t buf_len = strlen(buf);
+  // We must write an additional |2 * len + 2| bytes after |buf_len|, including
+  // the trailing newline and NUL.
+  if (len > (PEM_BUFSIZE - buf_len - 2) / 2) {
     return;
   }
-  for (i = 0; i < len; i++) {
-    buf[j + i * 2] = map[(str[i] >> 4) & 0x0f];
-    buf[j + i * 2 + 1] = map[(str[i]) & 0x0f];
+  for (size_t i = 0; i < len; i++) {
+    buf[buf_len + i * 2] = map[(str[i] >> 4) & 0x0f];
+    buf[buf_len + i * 2 + 1] = map[(str[i]) & 0x0f];
   }
-  buf[j + i * 2] = '\n';
-  buf[j + i * 2 + 1] = '\0';
+  buf[buf_len + len * 2] = '\n';
+  buf[buf_len + len * 2 + 1] = '\0';
 }
 
 void *PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x,
@@ -318,7 +322,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
       }
       kstr = (unsigned char *)buf;
     }
-    assert(iv_len <= (int)sizeof(iv));
+    assert(iv_len <= sizeof(iv));
     if (!RAND_bytes(iv, iv_len)) {  // Generate a salt
       goto err;
     }
@@ -332,7 +336,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
       OPENSSL_cleanse(buf, PEM_BUFSIZE);
     }
 
-    assert(strlen(objstr) + 23 + 2 * iv_len + 13 <= sizeof buf);
+    assert(strlen(objstr) + 23 + 2 * iv_len + 13 <= sizeof(buf));
 
     buf[0] = '\0';
     PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
@@ -781,5 +785,5 @@ int PEM_def_callback(char *buf, int size, int rwflag, void *userdata) {
     return 0;
   }
   OPENSSL_strlcpy(buf, userdata, (size_t)size);
-  return len;
+  return (int)len;
 }

data/third_party/boringssl-with-bazel/src/crypto/{refcount_lock.c → refcount_no_threads.c}

@@ -18,35 +18,25 @@
 #include <stdlib.h>
 
 
-#if !defined(OPENSSL_C11_ATOMIC)
+#if !defined(OPENSSL_THREADS)
 
 static_assert((CRYPTO_refcount_t)-1 == CRYPTO_REFCOUNT_MAX,
               "CRYPTO_REFCOUNT_MAX is incorrect");
 
-static struct CRYPTO_STATIC_MUTEX g_refcount_lock = CRYPTO_STATIC_MUTEX_INIT;
-
 void CRYPTO_refcount_inc(CRYPTO_refcount_t *count) {
-  CRYPTO_STATIC_MUTEX_lock_write(&g_refcount_lock);
   if (*count < CRYPTO_REFCOUNT_MAX) {
     (*count)++;
   }
-  CRYPTO_STATIC_MUTEX_unlock_write(&g_refcount_lock);
 }
 
 int CRYPTO_refcount_dec_and_test_zero(CRYPTO_refcount_t *count) {
-  int ret;
-
-  CRYPTO_STATIC_MUTEX_lock_write(&g_refcount_lock);
   if (*count == 0) {
     abort();
   }
   if (*count < CRYPTO_REFCOUNT_MAX) {
     (*count)--;
   }
-  ret = (*count == 0);
-  CRYPTO_STATIC_MUTEX_unlock_write(&g_refcount_lock);
-
-  return ret;
+  return *count == 0;
 }
 
-#endif  // OPENSSL_C11_ATOMIC
+#endif  // !OPENSSL_THREADS

data/third_party/boringssl-with-bazel/src/crypto/refcount_win.c

@@ -0,0 +1,89 @@
+/* Copyright (c) 2023, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "internal.h"
+
+#if defined(OPENSSL_WINDOWS_ATOMIC)
+
+#include <windows.h>
+
+
+// See comment above the typedef of CRYPTO_refcount_t about these tests.
+static_assert(alignof(CRYPTO_refcount_t) == alignof(LONG),
+              "CRYPTO_refcount_t does not match LONG alignment");
+static_assert(sizeof(CRYPTO_refcount_t) == sizeof(LONG),
+              "CRYPTO_refcount_t does not match LONG size");
+
+static_assert((CRYPTO_refcount_t)-1 == CRYPTO_REFCOUNT_MAX,
+              "CRYPTO_REFCOUNT_MAX is incorrect");
+
+static uint32_t atomic_load_u32(volatile LONG *ptr) {
+  // This is not ideal because it still writes to a cacheline. MSVC is not able
+  // to optimize this to a true atomic read, and Windows does not provide an
+  // InterlockedLoad function.
+  //
+  // The Windows documentation [1] does say "Simple reads and writes to
+  // properly-aligned 32-bit variables are atomic operations", but this is not
+  // phrased in terms of the C11 and C++11 memory models, and indeed a read or
+  // write seems to produce slightly different code on MSVC than a sequentially
+  // consistent std::atomic::load in C++. Moreover, it is unclear if non-MSVC
+  // compilers on Windows provide the same guarantees. Thus we avoid relying on
+  // this and instead still use an interlocked function. This is still
+  // preferable a global mutex, and eventually this code will be replaced by
+  // [2]. Additionally, on clang-cl, we'll use the |OPENSSL_C11_ATOMIC| path.
+  //
+  // [1] https://learn.microsoft.com/en-us/windows/win32/sync/interlocked-variable-access
+  // [2] https://devblogs.microsoft.com/cppblog/c11-atomics-in-visual-studio-2022-version-17-5-preview-2/
+  return (uint32_t)InterlockedCompareExchange(ptr, 0, 0);
+}
+
+static int atomic_compare_exchange_u32(volatile LONG *ptr, uint32_t *expected32,
+                                       uint32_t desired) {
+  LONG expected = (LONG)*expected32;
+  LONG actual = InterlockedCompareExchange(ptr, (LONG)desired, expected);
+  *expected32 = (uint32_t)actual;
+  return actual == expected;
+}
+
+void CRYPTO_refcount_inc(CRYPTO_refcount_t *in_count) {
+  volatile LONG *count = (volatile LONG *)in_count;
+  uint32_t expected = atomic_load_u32(count);
+
+  while (expected != CRYPTO_REFCOUNT_MAX) {
+    const uint32_t new_value = expected + 1;
+    if (atomic_compare_exchange_u32(count, &expected, new_value)) {
+      break;
+    }
+  }
+}
+
+int CRYPTO_refcount_dec_and_test_zero(CRYPTO_refcount_t *in_count) {
+  volatile LONG *count = (volatile LONG *)in_count;
+  uint32_t expected = atomic_load_u32(count);
+
+  for (;;) {
+    if (expected == 0) {
+      abort();
+    } else if (expected == CRYPTO_REFCOUNT_MAX) {
+      return 0;
+    } else {
+      const uint32_t new_value = expected - 1;
+      if (atomic_compare_exchange_u32(count, &expected, new_value)) {
+        return new_value == 0;
+      }
+    }
+  }
+}
+
+#endif  // OPENSSL_WINDOWS_ATOMIC

data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/internal.h

@@ -0,0 +1,77 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+
+#ifndef OPENSSL_HEADER_RSA_EXTRA_INTERNAL_H
+#define OPENSSL_HEADER_RSA_EXTRA_INTERNAL_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *out, size_t *out_len,
+                                      size_t max_out, const uint8_t *from,
+                                      size_t from_len, const uint8_t *param,
+                                      size_t param_len, const EVP_MD *md,
+                                      const EVP_MD *mgf1md);
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_RSA_EXTRA_INTERNAL_H