grpc 1.55.0 → 1.56.2

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h

@@ -53,6 +53,7 @@
 
 #include <openssl/aes.h>
 
+#include <assert.h>
 #include <stdlib.h>
 #include <string.h>
 
@@ -75,6 +76,20 @@ extern "C" {
 typedef void (*block128_f)(const uint8_t in[16], uint8_t out[16],
                            const AES_KEY *key);
 
+OPENSSL_INLINE void CRYPTO_xor16(uint8_t out[16], const uint8_t a[16],
+                                 const uint8_t b[16]) {
+  // TODO(davidben): Ideally we'd leave this to the compiler, which could use
+  // vector registers, etc. But the compiler doesn't know that |in| and |out|
+  // cannot partially alias. |restrict| is slightly two strict (we allow exact
+  // aliasing), but perhaps in-place could be a separate function?
+  static_assert(16 % sizeof(crypto_word_t) == 0,
+                "block cannot be evenly divided into words");
+  for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) {
+    CRYPTO_store_word_le(
+        out + i, CRYPTO_load_word_le(a + i) ^ CRYPTO_load_word_le(b + i));
+  }
+}
+
 
 // CTR.
 
@@ -115,21 +130,19 @@ typedef struct { uint64_t hi,lo; } u128;
 
 // gmult_func multiplies |Xi| by the GCM key and writes the result back to
 // |Xi|.
-typedef void (*gmult_func)(uint64_t Xi[2], const u128 Htable[16]);
+typedef void (*gmult_func)(uint8_t Xi[16], const u128 Htable[16]);
 
 // ghash_func repeatedly multiplies |Xi| by the GCM key and adds in blocks from
 // |inp|. The result is written back to |Xi| and the |len| argument must be a
 // multiple of 16.
-typedef void (*ghash_func)(uint64_t Xi[2], const u128 Htable[16],
+typedef void (*ghash_func)(uint8_t Xi[16], const u128 Htable[16],
                            const uint8_t *inp, size_t len);
 
 typedef struct gcm128_key_st {
-  // Note the MOVBE-based, x86-64, GHASH assembly requires |H| and |Htable| to
-  // be the first two elements of this struct. Additionally, some assembly
-  // routines require a 16-byte-aligned |Htable| when hashing data, but not
+  // |gcm_*_ssse3| require a 16-byte-aligned |Htable| when hashing data, but not
   // initialization. |GCM128_KEY| is not itself aligned to simplify embedding in
   // |EVP_AEAD_CTX|, but |Htable|'s offset must be a multiple of 16.
-  u128 H;
+  // TODO(crbug.com/boringssl/604): Revisit this.
   u128 Htable[16];
   gmult_func gmult;
   ghash_func ghash;
@@ -145,17 +158,17 @@ typedef struct gcm128_key_st {
 // should be zero-initialized before use.
 typedef struct {
   // The following 5 names follow names in GCM specification
-  union {
-    uint64_t u[2];
-    uint32_t d[4];
-    uint8_t c[16];
-    crypto_word_t t[16 / sizeof(crypto_word_t)];
-  } Yi, EKi, EK0, len, Xi;
-
-  // Note that the order of |Xi| and |gcm_key| is fixed by the MOVBE-based,
-  // x86-64, GHASH assembly. Additionally, some assembly routines require
-  // |gcm_key| to be 16-byte aligned. |GCM128_KEY| is not itself aligned to
-  // simplify embedding in |EVP_AEAD_CTX|.
+  uint8_t Yi[16];
+  uint8_t EKi[16];
+  uint8_t EK0[16];
+  struct {
+    uint64_t aad;
+    uint64_t msg;
+  } len;
+  uint8_t Xi[16];
+
+  // |gcm_*_ssse3| require |Htable| to be 16-byte-aligned.
+  // TODO(crbug.com/boringssl/604): Revisit this.
   alignas(16) GCM128_KEY gcm_key;
 
   unsigned mres, ares;
@@ -172,7 +185,7 @@ int crypto_gcm_clmul_enabled(void);
 // accelerated) functions for performing operations in the GHASH field. If the
 // AVX implementation was used |*out_is_avx| will be true.
 void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,
-                       u128 *out_key, u128 out_table[16], int *out_is_avx,
+                       u128 out_table[16], int *out_is_avx,
                        const uint8_t gcm_key[16]);
 
 // CRYPTO_gcm128_init_key initialises |gcm_key| to use |block| (typically AES)
@@ -240,8 +253,8 @@ OPENSSL_EXPORT void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, uint8_t *tag,
 // GCM assembly.
 
 void gcm_init_nohw(u128 Htable[16], const uint64_t H[2]);
-void gcm_gmult_nohw(uint64_t Xi[2], const u128 Htable[16]);
-void gcm_ghash_nohw(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+void gcm_gmult_nohw(uint8_t Xi[16], const u128 Htable[16]);
+void gcm_ghash_nohw(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,
                     size_t len);
 
 #if !defined(OPENSSL_NO_ASM)
@@ -249,29 +262,31 @@ void gcm_ghash_nohw(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
 #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
 #define GCM_FUNCREF
 void gcm_init_clmul(u128 Htable[16], const uint64_t Xi[2]);
-void gcm_gmult_clmul(uint64_t Xi[2], const u128 Htable[16]);
-void gcm_ghash_clmul(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+void gcm_gmult_clmul(uint8_t Xi[16], const u128 Htable[16]);
+void gcm_ghash_clmul(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,
                      size_t len);
 
 // |gcm_gmult_ssse3| and |gcm_ghash_ssse3| require |Htable| to be
 // 16-byte-aligned, but |gcm_init_ssse3| does not.
 void gcm_init_ssse3(u128 Htable[16], const uint64_t Xi[2]);
-void gcm_gmult_ssse3(uint64_t Xi[2], const u128 Htable[16]);
-void gcm_ghash_ssse3(uint64_t Xi[2], const u128 Htable[16], const uint8_t *in,
+void gcm_gmult_ssse3(uint8_t Xi[16], const u128 Htable[16]);
+void gcm_ghash_ssse3(uint8_t Xi[16], const u128 Htable[16], const uint8_t *in,
                      size_t len);
 
 #if defined(OPENSSL_X86_64)
 #define GHASH_ASM_X86_64
 void gcm_init_avx(u128 Htable[16], const uint64_t Xi[2]);
-void gcm_gmult_avx(uint64_t Xi[2], const u128 Htable[16]);
-void gcm_ghash_avx(uint64_t Xi[2], const u128 Htable[16], const uint8_t *in,
+void gcm_gmult_avx(uint8_t Xi[16], const u128 Htable[16]);
+void gcm_ghash_avx(uint8_t Xi[16], const u128 Htable[16], const uint8_t *in,
                    size_t len);
 
 #define HW_GCM
 size_t aesni_gcm_encrypt(const uint8_t *in, uint8_t *out, size_t len,
-                         const AES_KEY *key, uint8_t ivec[16], uint64_t *Xi);
+                         const AES_KEY *key, uint8_t ivec[16],
+                         const u128 Htable[16], uint8_t Xi[16]);
 size_t aesni_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len,
-                         const AES_KEY *key, uint8_t ivec[16], uint64_t *Xi);
+                         const AES_KEY *key, uint8_t ivec[16],
+                         const u128 Htable[16], uint8_t Xi[16]);
 #endif  // OPENSSL_X86_64
 
 #if defined(OPENSSL_X86)
@@ -287,25 +302,27 @@ OPENSSL_INLINE int gcm_pmull_capable(void) {
   return CRYPTO_is_ARMv8_PMULL_capable();
 }
 
-void gcm_init_v8(u128 Htable[16], const uint64_t Xi[2]);
-void gcm_gmult_v8(uint64_t Xi[2], const u128 Htable[16]);
-void gcm_ghash_v8(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+void gcm_init_v8(u128 Htable[16], const uint64_t H[2]);
+void gcm_gmult_v8(uint8_t Xi[16], const u128 Htable[16]);
+void gcm_ghash_v8(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,
                   size_t len);
 
 OPENSSL_INLINE int gcm_neon_capable(void) { return CRYPTO_is_NEON_capable(); }
 
-void gcm_init_neon(u128 Htable[16], const uint64_t Xi[2]);
-void gcm_gmult_neon(uint64_t Xi[2], const u128 Htable[16]);
-void gcm_ghash_neon(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+void gcm_init_neon(u128 Htable[16], const uint64_t H[2]);
+void gcm_gmult_neon(uint8_t Xi[16], const u128 Htable[16]);
+void gcm_ghash_neon(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,
                     size_t len);
 
 #if defined(OPENSSL_AARCH64)
 #define HW_GCM
 // These functions are defined in aesv8-gcm-armv8.pl.
 void aes_gcm_enc_kernel(const uint8_t *in, uint64_t in_bits, void *out,
-                        void *Xi, uint8_t *ivec, const AES_KEY *key);
+                        void *Xi, uint8_t *ivec, const AES_KEY *key,
+                        const u128 Htable[16]);
 void aes_gcm_dec_kernel(const uint8_t *in, uint64_t in_bits, void *out,
-                        void *Xi, uint8_t *ivec, const AES_KEY *key);
+                        void *Xi, uint8_t *ivec, const AES_KEY *key,
+                        const u128 Htable[16]);
 #endif
 
 #endif
@@ -380,19 +397,12 @@ size_t CRYPTO_cts128_encrypt_block(const uint8_t *in, uint8_t *out, size_t len,
 //
 // POLYVAL is a polynomial authenticator that operates over a field very
 // similar to the one that GHASH uses. See
-// https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02#section-3.
-
-typedef union {
-  uint64_t u[2];
-  uint8_t c[16];
-} polyval_block;
+// https://www.rfc-editor.org/rfc/rfc8452.html#section-3.
 
 struct polyval_ctx {
-  // Note that the order of |S|, |H| and |Htable| is fixed by the MOVBE-based,
-  // x86-64, GHASH assembly. Additionally, some assembly routines require
-  // |Htable| to be 16-byte aligned.
-  polyval_block S;
-  u128 H;
+  uint8_t S[16];
+  // |gcm_*_ssse3| require |Htable| to be 16-byte-aligned.
+  // TODO(crbug.com/boringssl/604): Revisit this.
   alignas(16) u128 Htable[16];
   gmult_func gmult;
   ghash_func ghash;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c

@@ -70,14 +70,7 @@ void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
 
   while (len >= 16) {
     (*block)(ivec, ivec, key);
-    for (; n < 16; n += sizeof(size_t)) {
-      size_t a, b;
-      OPENSSL_memcpy(&a, in + n, sizeof(size_t));
-      OPENSSL_memcpy(&b, ivec + n, sizeof(size_t));
-
-      const size_t c = a ^ b;
-      OPENSSL_memcpy(out + n, &c, sizeof(size_t));
-    }
+    CRYPTO_xor16(out, in, ivec);
     len -= 16;
     out += 16;
     in += 16;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/polyval.c

@@ -22,70 +22,69 @@
 
 
 // byte_reverse reverses the order of the bytes in |b->c|.
-static void byte_reverse(polyval_block *b) {
-  const uint64_t t = CRYPTO_bswap8(b->u[0]);
-  b->u[0] = CRYPTO_bswap8(b->u[1]);
-  b->u[1] = t;
+static void byte_reverse(uint8_t b[16]) {
+  uint64_t hi = CRYPTO_load_u64_le(b);
+  uint64_t lo = CRYPTO_load_u64_le(b + 8);
+  CRYPTO_store_u64_le(b, CRYPTO_bswap8(lo));
+  CRYPTO_store_u64_le(b + 8, CRYPTO_bswap8(hi));
 }
 
-// reverse_and_mulX_ghash interprets the bytes |b->c| as a reversed element of
-// the GHASH field, multiplies that by 'x' and serialises the result back into
-// |b|, but with GHASH's backwards bit ordering.
-static void reverse_and_mulX_ghash(polyval_block *b) {
-  uint64_t hi = b->u[0];
-  uint64_t lo = b->u[1];
+// reverse_and_mulX_ghash interprets |b| as a reversed element of the GHASH
+// field, multiplies that by 'x' and serialises the result back into |b|, but
+// with GHASH's backwards bit ordering.
+static void reverse_and_mulX_ghash(uint8_t b[16]) {
+  uint64_t hi = CRYPTO_load_u64_le(b);
+  uint64_t lo = CRYPTO_load_u64_le(b + 8);
   const crypto_word_t carry = constant_time_eq_w(hi & 1, 1);
   hi >>= 1;
   hi |= lo << 63;
   lo >>= 1;
   lo ^= ((uint64_t) constant_time_select_w(carry, 0xe1, 0)) << 56;
 
-  b->u[0] = CRYPTO_bswap8(lo);
-  b->u[1] = CRYPTO_bswap8(hi);
+  CRYPTO_store_u64_le(b, CRYPTO_bswap8(lo));
+  CRYPTO_store_u64_le(b + 8, CRYPTO_bswap8(hi));
 }
 
 // POLYVAL(H, X_1, ..., X_n) =
 // ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...,
 // ByteReverse(X_n))).
 //
-// See https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02#appendix-A.
+// See https://www.rfc-editor.org/rfc/rfc8452.html#appendix-A.
 
 void CRYPTO_POLYVAL_init(struct polyval_ctx *ctx, const uint8_t key[16]) {
-  polyval_block H;
-  OPENSSL_memcpy(H.c, key, 16);
-  reverse_and_mulX_ghash(&H);
+  alignas(8) uint8_t H[16];
+  OPENSSL_memcpy(H, key, 16);
+  reverse_and_mulX_ghash(H);
 
   int is_avx;
-  CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, &ctx->H, ctx->Htable, &is_avx,
-                    H.c);
+  CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, ctx->Htable, &is_avx, H);
   OPENSSL_memset(&ctx->S, 0, sizeof(ctx->S));
 }
 
 void CRYPTO_POLYVAL_update_blocks(struct polyval_ctx *ctx, const uint8_t *in,
                                   size_t in_len) {
   assert((in_len & 15) == 0);
-  polyval_block reversed[32];
+  alignas(8) uint8_t buf[32 * 16];
 
   while (in_len > 0) {
     size_t todo = in_len;
-    if (todo > sizeof(reversed)) {
-      todo = sizeof(reversed);
+    if (todo > sizeof(buf)) {
+      todo = sizeof(buf);
     }
-    OPENSSL_memcpy(reversed, in, todo);
+    OPENSSL_memcpy(buf, in, todo);
     in += todo;
     in_len -= todo;
 
-    size_t blocks = todo / sizeof(polyval_block);
+    size_t blocks = todo / 16;
     for (size_t i = 0; i < blocks; i++) {
-      byte_reverse(&reversed[i]);
+      byte_reverse(buf + 16 * i);
     }
 
-    ctx->ghash(ctx->S.u, ctx->Htable, (const uint8_t *) reversed, todo);
+    ctx->ghash(ctx->S, ctx->Htable, buf, todo);
   }
 }
 
 void CRYPTO_POLYVAL_finish(const struct polyval_ctx *ctx, uint8_t out[16]) {
-  polyval_block S = ctx->S;
-  byte_reverse(&S);
-  OPENSSL_memcpy(out, &S.c, sizeof(polyval_block));
+  OPENSSL_memcpy(out, &ctx->S, 16);
+  byte_reverse(out);
 }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c

@@ -59,9 +59,15 @@
 #endif  // OPENSSL_LINUX
 
 #if defined(OPENSSL_MACOS)
+// getentropy exists in any supported version of MacOS (Sierra and later)
 #include <sys/random.h>
 #endif
 
+#if defined(OPENSSL_OPENBSD)
+// getentropy exists in any supported version of OpenBSD
+#include <unistd.h>
+#endif
+
 #if defined(OPENSSL_FREEBSD) && __FreeBSD__ >= 12
 // getrandom is supported in FreeBSD 12 and up.
 #define FREEBSD_GETRANDOM
@@ -173,18 +179,9 @@ static void init_once(void) {
   }
 #endif  // USE_NR_getrandom
 
-#if defined(OPENSSL_MACOS)
-  // getentropy is available in macOS 10.12 and up. iOS 10 and up may also
-  // support it, but the header is missing. See https://crbug.com/boringssl/287.
-  if (__builtin_available(macos 10.12, *)) {
+#if defined(OPENSSL_MACOS) || defined(OPENSSL_OPENBSD) || defined(FREEBSD_GETRANDOM)
     *urandom_fd_bss_get() = kHaveGetrandom;
     return;
-  }
-#endif
-
-#if defined(FREEBSD_GETRANDOM)
-  *urandom_fd_bss_get() = kHaveGetrandom;
-  return;
 #endif
 
   // FIPS builds must support getrandom.
@@ -300,19 +297,10 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
       r = boringssl_getrandom(out, len, getrandom_flags);
 #elif defined(FREEBSD_GETRANDOM)
       r = getrandom(out, len, getrandom_flags);
-#elif defined(OPENSSL_MACOS)
-      if (__builtin_available(macos 10.12, *)) {
-        // |getentropy| can only request 256 bytes at a time.
-        size_t todo = len <= 256 ? len : 256;
-        if (getentropy(out, todo) != 0) {
-          r = -1;
-        } else {
-          r = (ssize_t)todo;
-        }
-      } else {
-        fprintf(stderr, "urandom fd corrupt.\n");
-        abort();
-      }
+#elif defined(OPENSSL_MACOS) || defined(OPENSSL_OPENBSD)
+      // |getentropy| can only request 256 bytes at a time.
+      size_t todo = len <= 256 ? len : 256;
+      r = getentropy(out, todo) != 0 ? -1 : (ssize_t)todo;
 #else  // USE_NR_getrandom
       fprintf(stderr, "urandom fd corrupt.\n");
       abort();

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h

@@ -60,6 +60,7 @@
 #include <openssl/base.h>
 
 #include <openssl/bn.h>
+#include <openssl/rsa.h>
 
 
 #if defined(__cplusplus)
@@ -67,6 +68,8 @@ extern "C" {
 #endif
 
 
+#define RSA_PKCS1_PADDING_SIZE 11
+
 // Default implementations of RSA operations.
 
 const RSA_METHOD *RSA_default_method(void);
@@ -75,8 +78,6 @@ size_t rsa_default_size(const RSA *rsa);
 int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
                          size_t max_out, const uint8_t *in, size_t in_len,
                          int padding);
-int rsa_default_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
-                        const uint8_t *in, size_t in_len, int padding);
 int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
                                   size_t len);
 
@@ -90,21 +91,13 @@ int BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_MONT_CTX *mont_ctx,
                        BN_CTX *ctx);
 
 
+int PKCS1_MGF1(uint8_t *out, size_t len, const uint8_t *seed, size_t seed_len,
+               const EVP_MD *md);
 int RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len,
                                  const uint8_t *from, size_t from_len);
 int RSA_padding_check_PKCS1_type_1(uint8_t *out, size_t *out_len,
                                    size_t max_out, const uint8_t *from,
                                    size_t from_len);
-int RSA_padding_add_PKCS1_type_2(uint8_t *to, size_t to_len,
-                                 const uint8_t *from, size_t from_len);
-int RSA_padding_check_PKCS1_type_2(uint8_t *out, size_t *out_len,
-                                   size_t max_out, const uint8_t *from,
-                                   size_t from_len);
-int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *out, size_t *out_len,
-                                      size_t max_out, const uint8_t *from,
-                                      size_t from_len, const uint8_t *param,
-                                      size_t param_len, const EVP_MD *md,
-                                      const EVP_MD *mgf1md);
 int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from,
                          size_t from_len);
 
@@ -112,12 +105,24 @@ int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from,
 // within DoS bounds.
 int rsa_check_public_key(const RSA *rsa);
 
-// RSA_private_transform calls either the method-specific |private_transform|
-// function (if given) or the generic one. See the comment for
-// |private_transform| in |rsa_meth_st|.
-int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
+// rsa_private_transform_no_self_test calls either the method-specific
+// |private_transform| function (if given) or the generic one. See the comment
+// for |private_transform| in |rsa_meth_st|.
+int rsa_private_transform_no_self_test(RSA *rsa, uint8_t *out,
+                                       const uint8_t *in, size_t len);
+
+// rsa_private_transform acts the same as |rsa_private_transform_no_self_test|
+// but, in FIPS mode, performs an RSA self test before calling the default RSA
+// implementation.
+int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
                           size_t len);
 
+// rsa_invalidate_key is called after |rsa| has been mutated, to invalidate
+// fields derived from the original structure. This function assumes exclusive
+// access to |rsa|. In particular, no other thread may be concurrently signing,
+// etc., with |rsa|.
+void rsa_invalidate_key(RSA *rsa);
+
 
 // This constant is exported for test purposes.
 extern const BN_ULONG kBoringSSLRSASqrtTwo[];