RubyGems - grpc - Versions diffs - 1.63.2 → 1.64.0.pre1 - Mend

grpc 1.63.2 → 1.64.0.pre1

Files changed (1055) hide show

data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c CHANGED Viewed

@@ -209,3 +209,33 @@ const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = {
     int_rsa_free,
 };
+int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key) {
+  if (EVP_PKEY_assign_RSA(pkey, key)) {
+    RSA_up_ref(key);
+    return 1;
+  }
+  return 0;
+}
+int EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key) {
+  evp_pkey_set_method(pkey, &rsa_asn1_meth);
+  pkey->pkey = key;
+  return key != NULL;
+}
+RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) {
+  if (pkey->type != EVP_PKEY_RSA) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_AN_RSA_KEY);
+    return NULL;
+  }
+  return pkey->pkey;
+}
+RSA *EVP_PKEY_get1_RSA(const EVP_PKEY *pkey) {
+  RSA *rsa = EVP_PKEY_get0_RSA(pkey);
+  if (rsa != NULL) {
+    RSA_up_ref(rsa);
+  }
+  return rsa;
+}

data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c CHANGED Viewed

@@ -30,10 +30,7 @@ static int pkey_x25519_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
     return 0;
   }
-  if (!EVP_PKEY_set_type(pkey, EVP_PKEY_X25519)) {
-    OPENSSL_free(key);
-    return 0;
-  }
+  evp_pkey_set_method(pkey, &x25519_asn1_meth);
   X25519_keypair(key->pub, key->priv);
   key->has_private = 1;

data/third_party/boringssl-with-bazel/src/crypto/ex_data.c CHANGED Viewed

@@ -132,11 +132,11 @@ struct crypto_ex_data_func_st {
   CRYPTO_EX_DATA_FUNCS *next;
 };
-int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class, int *out_index,
-                            long argl, void *argp, CRYPTO_EX_free *free_func) {
+int CRYPTO_get_ex_new_index_ex(CRYPTO_EX_DATA_CLASS *ex_data_class, long argl,
+                               void *argp, CRYPTO_EX_free *free_func) {
   CRYPTO_EX_DATA_FUNCS *funcs = OPENSSL_malloc(sizeof(CRYPTO_EX_DATA_FUNCS));
   if (funcs == NULL) {
-    return 0;
+    return -1;
   }
   funcs->argl = argl;
@@ -151,7 +151,7 @@ int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class, int *out_index,
   if (num_funcs > (size_t)(INT_MAX - ex_data_class->num_reserved)) {
     OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW);
     CRYPTO_MUTEX_unlock_write(&ex_data_class->lock);
-    return 0;
+    return -1;
   }
   // Append |funcs| to the linked list.
@@ -166,8 +166,7 @@ int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class, int *out_index,
   CRYPTO_atomic_store_u32(&ex_data_class->num_funcs, num_funcs + 1);
   CRYPTO_MUTEX_unlock_write(&ex_data_class->lock);
-  *out_index = (int)num_funcs + ex_data_class->num_reserved;
-  return 1;
+  return (int)num_funcs + ex_data_class->num_reserved;
 }
 int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val) {
@@ -215,7 +214,7 @@ void CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class, void *obj,
   }
   uint32_t num_funcs = CRYPTO_atomic_load_u32(&ex_data_class->num_funcs);
-  // |CRYPTO_get_ex_new_index| will not allocate indices beyond |INT_MAX|.
+  // |CRYPTO_get_ex_new_index_ex| will not allocate indices beyond |INT_MAX|.
   assert(num_funcs <= (size_t)(INT_MAX - ex_data_class->num_reserved));
   // Defer dereferencing |ex_data_class->funcs| and |funcs->next|. It must come

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c CHANGED Viewed

@@ -186,7 +186,7 @@ void bn_assert_fits_in_bytes(const BIGNUM *bn, size_t num) {
 void bn_words_to_big_endian(uint8_t *out, size_t out_len, const BN_ULONG *in,
                             size_t in_len) {
   // The caller should have selected an output length without truncation.
-  assert(fits_in_bytes(in, in_len, out_len));
+  declassify_assert(fits_in_bytes(in, in_len, out_len));
   // We only support little-endian platforms, so the internal representation is
   // also little-endian as bytes. We can simply copy it in reverse.

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c CHANGED Viewed

@@ -425,7 +425,7 @@ BN_ULONG bn_reduce_once(BN_ULONG *r, const BN_ULONG *a, BN_ULONG carry,
   //
   // Although |carry| may be one if it was one on input and |bn_sub_words|
   // returns zero, this would give |r| > |m|, violating our input assumptions.
-  assert(carry == 0 || carry == (BN_ULONG)-1);
+  declassify_assert(carry + 1 <= 1);
   bn_select_words(r, carry, a /* r < 0 */, r /* r >= 0 */, num);
   return carry;
 }
@@ -434,7 +434,7 @@ BN_ULONG bn_reduce_once_in_place(BN_ULONG *r, BN_ULONG carry, const BN_ULONG *m,
                                  BN_ULONG *tmp, size_t num) {
   // See |bn_reduce_once| for why this logic works.
   carry -= bn_sub_words(tmp, r, m, num);
-  assert(carry == 0 || carry == (BN_ULONG)-1);
+  declassify_assert(carry + 1 <= 1);
   bn_select_words(r, carry, r /* tmp < 0 */, tmp /* tmp >= 0 */, num);
   return carry;
 }
@@ -504,7 +504,7 @@ int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder,
   // |divisor_min_bits| bits, the top |divisor_min_bits - 1| can be incorporated
   // without reductions. This significantly speeds up |RSA_check_key|. For
   // simplicity, we round down to a whole number of words.
-  assert(divisor_min_bits <= BN_num_bits(divisor));
+  declassify_assert(divisor_min_bits <= BN_num_bits(divisor));
   int initial_words = 0;
   if (divisor_min_bits > 0) {
     initial_words = (divisor_min_bits - 1) / BN_BITS2;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c CHANGED Viewed

@@ -39,7 +39,7 @@ static uint16_t mod_u16(uint32_t n, uint16_t d, uint32_t p, uint32_t m) {
   // Multiply and subtract to get the remainder.
   n -= d * t;
-  assert(n < d);
+  declassify_assert(n < d);
   return n;
 }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c CHANGED Viewed

@@ -1013,7 +1013,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
   // Prepare a^1 in the Montgomery domain.
   assert(!a->neg);
-  assert(BN_ucmp(a, m) < 0);
+  declassify_assert(BN_ucmp(a, m) < 0);
   if (!BN_to_montgomery(&am, a, mont, ctx) ||
       !bn_resize_words(&am, top)) {
     goto err;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c CHANGED Viewed

@@ -93,7 +93,7 @@ static int bn_gcd_consttime(BIGNUM *r, unsigned *out_shift, const BIGNUM *x,
     // At least one of |u| and |v| is now even.
     BN_ULONG u_is_odd = word_is_odd_mask(u->d[0]);
     BN_ULONG v_is_odd = word_is_odd_mask(v->d[0]);
-    assert(!(u_is_odd & v_is_odd));
+    declassify_assert(!(u_is_odd & v_is_odd));
     // If both are even, the final GCD gains a factor of two.
     shift += 1 & (~u_is_odd & ~v_is_odd);
@@ -106,7 +106,7 @@ static int bn_gcd_consttime(BIGNUM *r, unsigned *out_shift, const BIGNUM *x,
   // One of |u| or |v| is zero at this point. The algorithm usually makes |u|
   // zero, unless |y| was already zero on input. Fix this by combining the
   // values.
-  assert(BN_is_zero(u) || BN_is_zero(v));
+  declassify_assert(BN_is_zero(u) | BN_is_zero(v));
   for (size_t i = 0; i < width; i++) {
     v->d[i] |= u->d[i];
   }
@@ -289,7 +289,7 @@ int bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, const BIGNUM *a,
     // and |v| is now even.
     BN_ULONG u_is_even = ~word_is_odd_mask(u->d[0]);
     BN_ULONG v_is_even = ~word_is_odd_mask(v->d[0]);
-    assert(u_is_even != v_is_even);
+    declassify_assert(u_is_even != v_is_even);
     // Halve the even one and adjust the corresponding coefficient.
     maybe_rshift1_words(u->d, u_is_even, tmp->d, n_width);
@@ -313,8 +313,11 @@ int bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, const BIGNUM *a,
     maybe_rshift1_words_carry(D->d, D_carry, v_is_even, tmp->d, a_width);
   }
-  assert(BN_is_zero(v));
-  if (!BN_is_one(u)) {
+  declassify_assert(BN_is_zero(v));
+  // While the inputs and output are secret, this function considers whether the
+  // input was invertible to be public. It is used as part of RSA key
+  // generation, where inputs are chosen to already be invertible.
+  if (constant_time_declassify_int(!BN_is_one(u))) {
     *out_no_inverse = 1;
     OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);
     goto err;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c CHANGED Viewed

@@ -153,7 +153,7 @@ static uint64_t bn_neg_inv_mod_r_u64(uint64_t n) {
   // The invariant now shows that u*r - v*n == 1 since r == 2 * alpha.
 #if BN_BITS2 == 64 && defined(BN_ULLONG)
-  assert(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
+  declassify_assert(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
 #endif
   return v;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c CHANGED Viewed

@@ -292,7 +292,7 @@ static void bn_mul_recursive(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
   }
   // The product should fit without carries.
-  assert(c == 0);
+  declassify_assert(c == 0);
 }
 // bn_mul_part_recursive sets |r| to |a| * |b|, using |t| as scratch space. |r|
@@ -406,7 +406,7 @@ static void bn_mul_part_recursive(BN_ULONG *r, const BN_ULONG *a,
   }
   // The product should fit without carries.
-  assert(c == 0);
+  declassify_assert(c == 0);
 }
 // bn_mul_impl implements |BN_mul| and |bn_mul_consttime|. Note this function

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c CHANGED Viewed

@@ -487,7 +487,10 @@ err:
 static int bn_trial_division(uint16_t *out, const BIGNUM *bn) {
   const size_t num_primes = num_trial_division_primes(bn);
   for (size_t i = 1; i < num_primes; i++) {
-    if (bn_mod_u16_consttime(bn, kPrimes[i]) == 0) {
+    // During RSA key generation, |bn| may be secret, but only if |bn| was
+    // prime, so it is safe to leak failed trial divisions.
+    if (constant_time_declassify_int(bn_mod_u16_consttime(bn, kPrimes[i]) ==
+                                     0)) {
       *out = kPrimes[i];
       return 1;
     }
@@ -573,7 +576,8 @@ int bn_miller_rabin_iteration(const BN_MILLER_RABIN *miller_rabin,
   // To avoid leaking |a|, we run the loop to |w_bits| and mask off all
   // iterations once |j| = |a|.
   for (int j = 1; j < miller_rabin->w_bits; j++) {
-    if (constant_time_eq_int(j, miller_rabin->a) & ~is_possibly_prime) {
+    if (constant_time_declassify_w(constant_time_eq_int(j, miller_rabin->a) &
+                                   ~is_possibly_prime)) {
       // If the loop is done and we haven't seen z = 1 or z = w-1 yet, the
       // value is composite and we can break in variable time.
       break;
@@ -593,12 +597,14 @@ int bn_miller_rabin_iteration(const BN_MILLER_RABIN *miller_rabin,
     // Step 4.5.3. If z = 1 and the loop is not done, the previous value of z
     // was not -1. There are no non-trivial square roots of 1 modulo a prime, so
     // w is composite and we may exit in variable time.
-    if (BN_equal_consttime(z, miller_rabin->one_mont) & ~is_possibly_prime) {
+    if (constant_time_declassify_w(
+            BN_equal_consttime(z, miller_rabin->one_mont) &
+            ~is_possibly_prime)) {
       break;
     }
   }
-  *out_is_possibly_prime = is_possibly_prime & 1;
+  *out_is_possibly_prime = constant_time_declassify_w(is_possibly_prime) & 1;
   ret = 1;
 err:
@@ -736,8 +742,9 @@ int BN_primality_test(int *out_is_probably_prime, const BIGNUM *w, int checks,
   crypto_word_t uniform_iterations = 0;
   // Using |constant_time_lt_w| seems to prevent the compiler from optimizing
   // this into two jumps.
-  for (int i = 1; (i <= BN_PRIME_CHECKS_BLINDED) |
-                  constant_time_lt_w(uniform_iterations, checks);
+  for (int i = 1; constant_time_declassify_w(
+           (i <= BN_PRIME_CHECKS_BLINDED) |
+           constant_time_lt_w(uniform_iterations, checks));
        i++) {
     // Step 4.1-4.2
     int is_uniform;
@@ -766,7 +773,7 @@ int BN_primality_test(int *out_is_probably_prime, const BIGNUM *w, int checks,
     }
   }
-  assert(uniform_iterations >= (crypto_word_t)checks);
+  declassify_assert(uniform_iterations >= (crypto_word_t)checks);
   *out_is_probably_prime = 1;
   ret = 1;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c CHANGED Viewed

@@ -339,7 +339,8 @@ int bn_rand_secret_range(BIGNUM *r, int *out_is_uniform, BN_ULONG min_inclusive,
   // If the value is not in range, force it to be in range.
   r->d[0] |= constant_time_select_w(in_range, 0, min_inclusive);
   r->d[words - 1] &= constant_time_select_w(in_range, BN_MASK2, mask >> 1);
-  assert(bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words));
+  declassify_assert(
+      bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words));
   r->neg = 0;
   r->width = (int)words;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h CHANGED Viewed

@@ -134,9 +134,6 @@ struct evp_cipher_st {
   // flags contains the OR of a number of flags. See |EVP_CIPH_*|.
   uint32_t flags;
-  // app_data is a pointer to opaque, user data.
-  void *app_data;
   int (*init)(EVP_CIPHER_CTX *ctx, const uint8_t *key, const uint8_t *iv,
               int enc);

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c CHANGED Viewed

@@ -242,7 +242,10 @@ int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) {
     return 0;
   }
   if (!ec_bignum_to_scalar(key->group, &scalar->scalar, priv_key) ||
-      ec_scalar_is_zero(key->group, &scalar->scalar)) {
+      // Zero is not a valid private key, so it is safe to leak the result of
+      // this comparison.
+      constant_time_declassify_int(
+          ec_scalar_is_zero(key->group, &scalar->scalar))) {
     OPENSSL_PUT_ERROR(EC, EC_R_INVALID_PRIVATE_KEY);
     ec_wrapped_scalar_free(scalar);
     return 0;
@@ -518,6 +521,11 @@ int EC_KEY_generate_key(EC_KEY *key) {
 }
 int EC_KEY_generate_key_fips(EC_KEY *eckey) {
+  if (eckey == NULL || eckey->group == NULL) {
+    OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
+    return 0;
+  }
   boringssl_ensure_ecc_self_test();
   if (EC_KEY_generate_key(eckey) && EC_KEY_check_fips(eckey)) {
@@ -534,12 +542,8 @@ int EC_KEY_generate_key_fips(EC_KEY *eckey) {
 int EC_KEY_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
                             CRYPTO_EX_dup *dup_unused,
                             CRYPTO_EX_free *free_func) {
-  int index;
-  if (!CRYPTO_get_ex_new_index(g_ec_ex_data_class_bss_get(), &index, argl, argp,
-                               free_func)) {
-    return -1;
-  }
-  return index;
+  return CRYPTO_get_ex_new_index_ex(g_ec_ex_data_class_bss_get(), argl, argp,
+                                 free_func);
 }
 int EC_KEY_set_ex_data(EC_KEY *d, int idx, void *arg) {

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c CHANGED Viewed

@@ -23,8 +23,12 @@
 int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
                         const BIGNUM *in) {
+  // Scalars, which are often secret, must be reduced modulo the order. Those
+  // that are not will be discarded, so leaking the result of the comparison is
+  // safe.
   if (!bn_copy_words(out->words, group->order.N.width, in) ||
-      !bn_less_than_words(out->words, group->order.N.d, group->order.N.width)) {
+      !constant_time_declassify_int(bn_less_than_words(
+          out->words, group->order.N.d, group->order.N.width))) {
     OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
     return 0;
   }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h CHANGED Viewed

@@ -29,7 +29,8 @@
 // iOS doesn't normally allow fork in apps, but it's there.
 #define OPENSSL_FORK_DETECTION
 #define OPENSSL_FORK_DETECTION_PTHREAD_ATFORK
-#elif defined(OPENSSL_WINDOWS) || defined(OPENSSL_TRUSTY)
+#elif defined(OPENSSL_WINDOWS) || defined(OPENSSL_TRUSTY) || \
+    defined(__ZEPHYR__) || defined(CROS_EC)
 // These platforms do not fork.
 #define OPENSSL_DOES_NOT_FORK
 #endif

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c CHANGED Viewed

@@ -439,12 +439,8 @@ int RSA_is_opaque(const RSA *rsa) {
 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
                          CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
-  int index;
-  if (!CRYPTO_get_ex_new_index(g_rsa_ex_data_class_bss_get(), &index, argl,
-                               argp, free_func)) {
-    return -1;
-  }
-  return index;
+  return CRYPTO_get_ex_new_index_ex(g_rsa_ex_data_class_bss_get(), argl, argp,
+                                 free_func);
 }
 int RSA_set_ex_data(RSA *rsa, int idx, void *arg) {
@@ -762,7 +758,8 @@ err:
 static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
                              const BIGNUM *m, unsigned m_min_bits,
                              BN_CTX *ctx) {
-  if (BN_is_negative(ainv) || BN_cmp(ainv, m) >= 0) {
+  if (BN_is_negative(ainv) ||
+      constant_time_declassify_int(BN_cmp(ainv, m) >= 0)) {
     *out_ok = 0;
     return 1;
   }
@@ -776,7 +773,7 @@ static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
             bn_mul_consttime(tmp, a, ainv, ctx) &&
             bn_div_consttime(NULL, tmp, tmp, m, m_min_bits, ctx);
   if (ret) {
-    *out_ok = BN_is_one(tmp);
+    *out_ok = constant_time_declassify_int(BN_is_one(tmp));
   }
   BN_CTX_end(ctx);
   return ret;
@@ -835,8 +832,10 @@ int RSA_check_key(const RSA *key) {
   // bounds, to avoid a DoS vector in |bn_mul_consttime| below. Note that
   // n was bound by |rsa_check_public_key|. This also implicitly checks p and q
   // are odd, which is a necessary condition for Montgomery reduction.
-  if (BN_is_negative(key->p) || BN_cmp(key->p, key->n) >= 0 ||
-      BN_is_negative(key->q) || BN_cmp(key->q, key->n) >= 0) {
+  if (BN_is_negative(key->p) ||
+      constant_time_declassify_int(BN_cmp(key->p, key->n) >= 0) ||
+      BN_is_negative(key->q) ||
+      constant_time_declassify_int(BN_cmp(key->q, key->n) >= 0)) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
     goto out;
   }
@@ -867,7 +866,8 @@ int RSA_check_key(const RSA *key) {
     goto out;
   }
-  if (!BN_is_one(&tmp) || !BN_is_one(&de)) {
+  if (constant_time_declassify_int(!BN_is_one(&tmp)) ||
+      constant_time_declassify_int(!BN_is_one(&de))) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
     goto out;
   }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c CHANGED Viewed

@@ -795,7 +795,7 @@ static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {
   // This is a pre-condition for |mod_montgomery|. It was already checked by the
   // caller.
-  assert(BN_ucmp(I, n) < 0);
+  declassify_assert(BN_ucmp(I, n) < 0);
   if (// |m1| is the result modulo |q|.
       !mod_montgomery(r1, I, q, rsa->mont_q, p, ctx) ||
@@ -831,7 +831,7 @@ static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {
   // bound the width slightly higher, so fix it. This trips constant-time checks
   // because a naive data flow analysis does not realize the excess words are
   // publicly zero.
-  assert(BN_cmp(r0, n) < 0);
+  declassify_assert(BN_cmp(r0, n) < 0);
   bn_assert_fits_in_bytes(r0, BN_num_bytes(n));
   if (!bn_resize_words(r0, n->width)) {
     goto err;
@@ -1003,20 +1003,25 @@ static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e,
     // retrying. That is, we reject a negligible fraction of primes that are
     // within the FIPS bound, but we will never accept a prime outside the
     // bound, ensuring the resulting RSA key is the right size.
-    if (BN_cmp(out, sqrt2) <= 0) {
+    //
+    // Values over the threshold are discarded, so it is safe to leak this
+    // comparison.
+    if (constant_time_declassify_int(BN_cmp(out, sqrt2) <= 0)) {
       continue;
     }
     // RSA key generation's bottleneck is discarding composites. If it fails
     // trial division, do not bother computing a GCD or performing Miller-Rabin.
     if (!bn_odd_number_is_obviously_composite(out)) {
-      // Check gcd(out-1, e) is one (steps 4.5 and 5.6).
+      // Check gcd(out-1, e) is one (steps 4.5 and 5.6). Leaking the final
+      // result of this comparison is safe because, if not relatively prime, the
+      // value will be discarded.
       int relatively_prime;
-      if (!BN_sub(tmp, out, BN_value_one()) ||
+      if (!bn_usub_consttime(tmp, out, BN_value_one()) ||
           !bn_is_relatively_prime(&relatively_prime, tmp, e, ctx)) {
         goto err;
       }
-      if (relatively_prime) {
+      if (constant_time_declassify_int(relatively_prime)) {
         // Test |out| for primality (steps 4.5.1 and 5.6.1).
         int is_probable_prime;
         if (!BN_primality_test(&is_probable_prime, out,
@@ -1174,8 +1179,9 @@ static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value,
     }
     // Retry if |rsa->d| <= 2^|prime_bits|. See appendix B.3.1's guidance on
-    // values for d.
-  } while (BN_cmp(rsa->d, pow2_prime_bits) <= 0);
+    // values for d. When we retry, p and q are discarded, so it is safe to leak
+    // this comparison.
+  } while (constant_time_declassify_int(BN_cmp(rsa->d, pow2_prime_bits) <= 0));
   assert(BN_num_bits(pm1) == (unsigned)prime_bits);
   assert(BN_num_bits(qm1) == (unsigned)prime_bits);
@@ -1189,6 +1195,9 @@ static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value,
   }
   bn_set_minimal_width(rsa->n);
+  // |rsa->n| is computed from the private key, but is public.
+  bn_declassify(rsa->n);
   // Sanity-check that |rsa->n| has the specified size. This is implied by
   // |generate_prime|'s bounds.
   if (BN_num_bits(rsa->n) != (unsigned)bits) {
@@ -1241,6 +1250,11 @@ static int RSA_generate_key_ex_maybe_fips(RSA *rsa, int bits,
                                           int check_fips) {
   boringssl_ensure_rsa_self_test();
+  if (rsa == NULL) {
+    OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
+    return 0;
+  }
   RSA *tmp = NULL;
   uint32_t err;
   int ret = 0;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c CHANGED Viewed

@@ -171,7 +171,6 @@ static int is_md_fips_approved_for_signing(int md_type) {
 // type is FIPS approved for verifying, and zero otherwise.
 static int is_md_fips_approved_for_verifying(int md_type) {
   switch (md_type) {
-    case NID_sha1:
     case NID_sha224:
     case NID_sha256:
     case NID_sha384:
@@ -184,7 +183,6 @@ static int is_md_fips_approved_for_verifying(int md_type) {
 }
 static void evp_md_ctx_verify_service_indicator(const EVP_MD_CTX *ctx,
-                                                int rsa_1024_ok,
                                                 int (*md_ok)(int md_type)) {
   if (EVP_MD_CTX_md(ctx) == NULL) {
     // Signature schemes without a prehash are currently never FIPS approved.
@@ -232,8 +230,7 @@ static void evp_md_ctx_verify_service_indicator(const EVP_MD_CTX *ctx,
     // Check if the MD type and the RSA key size are approved.
     if (md_ok(md_type) &&
-        ((rsa_1024_ok && pkey_size == 128) || pkey_size == 256 ||
-         pkey_size == 384 || pkey_size == 512)) {
+        (pkey_size == 256 || pkey_size == 384 || pkey_size == 512)) {
       FIPS_service_indicator_update_state();
     }
   } else if (pkey_type == EVP_PKEY_EC) {
@@ -280,12 +277,12 @@ void EVP_Cipher_verify_service_indicator(const EVP_CIPHER_CTX *ctx) {
 }
 void EVP_DigestVerify_verify_service_indicator(const EVP_MD_CTX *ctx) {
-  return evp_md_ctx_verify_service_indicator(ctx, /*rsa_1024_ok=*/1,
+  return evp_md_ctx_verify_service_indicator(ctx,
                                              is_md_fips_approved_for_verifying);
 }
 void EVP_DigestSign_verify_service_indicator(const EVP_MD_CTX *ctx) {
-  return evp_md_ctx_verify_service_indicator(ctx, /*rsa_1024_ok=*/0,
+  return evp_md_ctx_verify_service_indicator(ctx,
                                              is_md_fips_approved_for_signing);
 }