grpc 1.69.0 → 1.70.1

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/{service_indicator.c.inc → service_indicator.cc.inc}

@@ -45,11 +45,13 @@ struct fips_service_indicator_state {
 // for approved services irrespective of whether the user queries it or not.
 // Hence, it is lazily initialized in any call to an approved service.
 static struct fips_service_indicator_state *service_indicator_get(void) {
-  struct fips_service_indicator_state *indicator = CRYPTO_get_thread_local(
-      OPENSSL_THREAD_LOCAL_FIPS_SERVICE_INDICATOR_STATE);
+  struct fips_service_indicator_state *indicator =
+      reinterpret_cast<fips_service_indicator_state *>(CRYPTO_get_thread_local(
+          OPENSSL_THREAD_LOCAL_FIPS_SERVICE_INDICATOR_STATE));
 
   if (indicator == NULL) {
-    indicator = OPENSSL_malloc(sizeof(struct fips_service_indicator_state));
+    indicator = reinterpret_cast<fips_service_indicator_state *>(
+        OPENSSL_malloc(sizeof(struct fips_service_indicator_state)));
     if (indicator == NULL) {
       return NULL;
     }
@@ -184,9 +186,9 @@ static int is_md_fips_approved_for_verifying(int md_type) {
 
 static void evp_md_ctx_verify_service_indicator(const EVP_MD_CTX *ctx,
                                                 int (*md_ok)(int md_type)) {
-  if (EVP_MD_CTX_md(ctx) == NULL) {
+  if (EVP_MD_CTX_get0_md(ctx) == NULL) {
     // Signature schemes without a prehash are currently never FIPS approved.
-    goto err;
+    return;
   }
 
   EVP_PKEY_CTX *const pctx = ctx->pctx;
@@ -242,7 +244,7 @@ static void evp_md_ctx_verify_service_indicator(const EVP_MD_CTX *ctx,
     }
   }
 
- err:
+err:
   // Ensure that junk errors aren't left on the queue.
   ERR_clear_error();
 }
@@ -300,12 +302,9 @@ void HMAC_verify_service_indicator(const EVP_MD *evp_md) {
 }
 
 void TLSKDF_verify_service_indicator(const EVP_MD *md) {
-  // HMAC-MD5/HMAC-SHA1 (both used concurrently) is approved for use in the KDF
-  // in TLS 1.0/1.1. HMAC-SHA{256, 384, 512} are approved for use in the KDF in
-  // TLS 1.2. These Key Derivation functions are to be used in the context of
-  // the TLS protocol.
+  // HMAC-SHA{256, 384, 512} are approved for use in the KDF in TLS 1.2. These
+  // Key Derivation functions are to be used in the context of the TLS protocol.
   switch (EVP_MD_type(md)) {
-    case NID_md5_sha1:
     case NID_sha256:
     case NID_sha384:
     case NID_sha512:

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2018, Google Inc.
+/* Copyright 2018 The BoringSSL Authors
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -196,9 +196,7 @@ void sha256_block_data_order_ssse3(uint32_t state[8], const uint8_t *data,
 
 #define SHA512_ASM_AVX
 OPENSSL_INLINE int sha512_avx_capable(void) {
-  // Pre-Zen AMD CPUs had slow SHLD/SHRD; Zen added the SHA extension; see the
-  // discussion in sha1-586.pl.
-  return CRYPTO_is_AVX_capable() && CRYPTO_is_intel_cpu();
+  return CRYPTO_is_AVX_capable();
 }
 void sha512_block_data_order_avx(uint64_t state[8], const uint8_t *data,
                                  size_t num);

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/{sha1.c.inc → sha1.cc.inc}

@@ -54,35 +54,25 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
-#include <openssl/sha.h>
-
 #include <string.h>
 
 #include <openssl/mem.h>
 
 #include "../../internal.h"
+#include "../bcm_interface.h"
 #include "../digest/md32_common.h"
 #include "../service_indicator/internal.h"
 #include "internal.h"
 
 
-int SHA1_Init(SHA_CTX *sha) {
+bcm_infallible BCM_sha1_init(SHA_CTX *sha) {
   OPENSSL_memset(sha, 0, sizeof(SHA_CTX));
   sha->h[0] = 0x67452301UL;
   sha->h[1] = 0xefcdab89UL;
   sha->h[2] = 0x98badcfeUL;
   sha->h[3] = 0x10325476UL;
   sha->h[4] = 0xc3d2e1f0UL;
-  return 1;
-}
-
-uint8_t *SHA1(const uint8_t *data, size_t len, uint8_t out[SHA_DIGEST_LENGTH]) {
-  SHA_CTX ctx;
-  SHA1_Init(&ctx);
-  SHA1_Update(&ctx, data, len);
-  SHA1_Final(out, &ctx);
-  OPENSSL_cleanse(&ctx, sizeof(ctx));
-  return out;
+  return bcm_infallible::approved;
 }
 
 #if !defined(SHA1_ASM)
@@ -90,14 +80,16 @@ static void sha1_block_data_order(uint32_t state[5], const uint8_t *data,
                                   size_t num);
 #endif
 
-void SHA1_Transform(SHA_CTX *c, const uint8_t data[SHA_CBLOCK]) {
+bcm_infallible BCM_sha1_transform(SHA_CTX *c, const uint8_t data[SHA_CBLOCK]) {
   sha1_block_data_order(c->h, data, 1);
+  return bcm_infallible::approved;
 }
 
-int SHA1_Update(SHA_CTX *c, const void *data, size_t len) {
+bcm_infallible BCM_sha1_update(SHA_CTX *c, const void *data, size_t len) {
   crypto_md32_update(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num,
-                     &c->Nh, &c->Nl, data, len);
-  return 1;
+                     &c->Nh, &c->Nl, reinterpret_cast<const uint8_t *>(data),
+                     len);
+  return bcm_infallible::approved;
 }
 
 static void sha1_output_state(uint8_t out[SHA_DIGEST_LENGTH],
@@ -109,17 +101,17 @@ static void sha1_output_state(uint8_t out[SHA_DIGEST_LENGTH],
   CRYPTO_store_u32_be(out + 16, ctx->h[4]);
 }
 
-int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) {
+bcm_infallible BCM_sha1_final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) {
   crypto_md32_final(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num,
                     c->Nh, c->Nl, /*is_big_endian=*/1);
 
   sha1_output_state(out, c);
   FIPS_service_indicator_update_state();
-  return 1;
+  return bcm_infallible::approved;
 }
 
-void CRYPTO_fips_186_2_prf(uint8_t *out, size_t out_len,
-                           const uint8_t xkey[SHA_DIGEST_LENGTH]) {
+bcm_infallible BCM_fips_186_2_prf(uint8_t *out, size_t out_len,
+                                  const uint8_t xkey[SHA_DIGEST_LENGTH]) {
   // XKEY and XVAL are 160-bit values, but are internally right-padded up to
   // block size. See FIPS 186-2, Appendix 3.3. This buffer maintains both the
   // current value of XKEY and the padding.
@@ -130,8 +122,8 @@ void CRYPTO_fips_186_2_prf(uint8_t *out, size_t out_len,
     // We always use a zero XSEED, so we can merge the inner and outer loops.
     // XVAL is also always equal to XKEY.
     SHA_CTX ctx;
-    SHA1_Init(&ctx);
-    SHA1_Transform(&ctx, block);
+    BCM_sha1_init(&ctx);
+    BCM_sha1_transform(&ctx, block);
 
     // XKEY = (1 + XKEY + w_i) mod 2^b
     uint32_t carry = 1;
@@ -152,6 +144,7 @@ void CRYPTO_fips_186_2_prf(uint8_t *out, size_t out_len,
     out += SHA_DIGEST_LENGTH;
     out_len -= SHA_DIGEST_LENGTH;
   }
+  return bcm_infallible::not_approved;
 }
 
 #define Xupdate(a, ix, ia, ib, ic, id)    \
@@ -223,22 +216,22 @@ void CRYPTO_fips_186_2_prf(uint8_t *out, size_t out_len,
 #endif
 
 /* Originally X was an array. As it's automatic it's natural
-* to expect RISC compiler to accomodate at least part of it in
-* the register bank, isn't it? Unfortunately not all compilers
-* "find" this expectation reasonable:-( On order to make such
-* compilers generate better code I replace X[] with a bunch of
-* X0, X1, etc. See the function body below...
-*         <appro@fy.chalmers.se> */
-#define X(i)  XX##i
+ * to expect RISC compiler to accomodate at least part of it in
+ * the register bank, isn't it? Unfortunately not all compilers
+ * "find" this expectation reasonable:-( On order to make such
+ * compilers generate better code I replace X[] with a bunch of
+ * X0, X1, etc. See the function body below...
+ *         <appro@fy.chalmers.se> */
+#define X(i) XX##i
 
 #if !defined(SHA1_ASM)
 
 #if !defined(SHA1_ASM_NOHW)
 static void sha1_block_data_order_nohw(uint32_t state[5], const uint8_t *data,
                                        size_t num) {
-  register uint32_t A, B, C, D, E, T;
-  uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10,
-      XX11, XX12, XX13, XX14, XX15;
+  uint32_t A, B, C, D, E, T;
+  uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, XX11, XX12,
+      XX13, XX14, XX15;
 
   A = state[0];
   B = state[1];

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/{sha256.c.inc → sha256.cc.inc}

@@ -54,19 +54,18 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
-#include <openssl/sha.h>
-
 #include <string.h>
 
 #include <openssl/mem.h>
 
 #include "../../internal.h"
+#include "../bcm_interface.h"
 #include "../digest/md32_common.h"
 #include "../service_indicator/internal.h"
 #include "internal.h"
 
 
-int SHA224_Init(SHA256_CTX *sha) {
+bcm_infallible BCM_sha224_init(SHA256_CTX *sha) {
   OPENSSL_memset(sha, 0, sizeof(SHA256_CTX));
   sha->h[0] = 0xc1059ed8UL;
   sha->h[1] = 0x367cd507UL;
@@ -76,11 +75,11 @@ int SHA224_Init(SHA256_CTX *sha) {
   sha->h[5] = 0x68581511UL;
   sha->h[6] = 0x64f98fa7UL;
   sha->h[7] = 0xbefa4fa4UL;
-  sha->md_len = SHA224_DIGEST_LENGTH;
-  return 1;
+  sha->md_len = BCM_SHA224_DIGEST_LENGTH;
+  return bcm_infallible::approved;
 }
 
-int SHA256_Init(SHA256_CTX *sha) {
+bcm_infallible BCM_sha256_init(SHA256_CTX *sha) {
   OPENSSL_memset(sha, 0, sizeof(SHA256_CTX));
   sha->h[0] = 0x6a09e667UL;
   sha->h[1] = 0xbb67ae85UL;
@@ -90,28 +89,8 @@ int SHA256_Init(SHA256_CTX *sha) {
   sha->h[5] = 0x9b05688cUL;
   sha->h[6] = 0x1f83d9abUL;
   sha->h[7] = 0x5be0cd19UL;
-  sha->md_len = SHA256_DIGEST_LENGTH;
-  return 1;
-}
-
-uint8_t *SHA224(const uint8_t *data, size_t len,
-                uint8_t out[SHA224_DIGEST_LENGTH]) {
-  SHA256_CTX ctx;
-  SHA224_Init(&ctx);
-  SHA224_Update(&ctx, data, len);
-  SHA224_Final(out, &ctx);
-  OPENSSL_cleanse(&ctx, sizeof(ctx));
-  return out;
-}
-
-uint8_t *SHA256(const uint8_t *data, size_t len,
-                uint8_t out[SHA256_DIGEST_LENGTH]) {
-  SHA256_CTX ctx;
-  SHA256_Init(&ctx);
-  SHA256_Update(&ctx, data, len);
-  SHA256_Final(out, &ctx);
-  OPENSSL_cleanse(&ctx, sizeof(ctx));
-  return out;
+  sha->md_len = BCM_SHA256_DIGEST_LENGTH;
+  return bcm_infallible::approved;
 }
 
 #if !defined(SHA256_ASM)
@@ -119,31 +98,29 @@ static void sha256_block_data_order(uint32_t state[8], const uint8_t *in,
                                     size_t num);
 #endif
 
-void SHA256_Transform(SHA256_CTX *c, const uint8_t data[SHA256_CBLOCK]) {
+bcm_infallible BCM_sha256_transform(SHA256_CTX *c,
+                                    const uint8_t data[BCM_SHA256_CBLOCK]) {
   sha256_block_data_order(c->h, data, 1);
+  return bcm_infallible::approved;
 }
 
-int SHA256_Update(SHA256_CTX *c, const void *data, size_t len) {
-  crypto_md32_update(&sha256_block_data_order, c->h, c->data, SHA256_CBLOCK,
-                     &c->num, &c->Nh, &c->Nl, data, len);
-  return 1;
+bcm_infallible BCM_sha256_update(SHA256_CTX *c, const void *data, size_t len) {
+  crypto_md32_update(&sha256_block_data_order, c->h, c->data, BCM_SHA256_CBLOCK,
+                     &c->num, &c->Nh, &c->Nl,
+                     reinterpret_cast<const uint8_t *>(data), len);
+  return bcm_infallible::approved;
 }
 
-int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) {
-  return SHA256_Update(ctx, data, len);
+bcm_infallible BCM_sha224_update(SHA256_CTX *ctx, const void *data,
+                                 size_t len) {
+  return BCM_sha256_update(ctx, data, len);
 }
 
-static int sha256_final_impl(uint8_t *out, size_t md_len, SHA256_CTX *c) {
-  crypto_md32_final(&sha256_block_data_order, c->h, c->data, SHA256_CBLOCK,
+static void sha256_final_impl(uint8_t *out, size_t md_len, SHA256_CTX *c) {
+  crypto_md32_final(&sha256_block_data_order, c->h, c->data, BCM_SHA256_CBLOCK,
                     &c->num, c->Nh, c->Nl, /*is_big_endian=*/1);
 
-  // TODO(davidben): This overflow check one of the few places a low-level hash
-  // 'final' function can fail. SHA-512 does not have a corresponding check.
-  // These functions already misbehave if the caller arbitrarily mutates |c|, so
-  // can we assume one of |SHA256_Init| or |SHA224_Init| was used?
-  if (md_len > SHA256_DIGEST_LENGTH) {
-    return 0;
-  }
+  BSSL_CHECK(md_len <= BCM_SHA256_DIGEST_LENGTH);
 
   assert(md_len % 4 == 0);
   const size_t out_words = md_len / 4;
@@ -153,23 +130,26 @@ static int sha256_final_impl(uint8_t *out, size_t md_len, SHA256_CTX *c) {
   }
 
   FIPS_service_indicator_update_state();
-  return 1;
 }
 
-int SHA256_Final(uint8_t out[SHA256_DIGEST_LENGTH], SHA256_CTX *c) {
-  // Ideally we would assert |sha->md_len| is |SHA256_DIGEST_LENGTH| to match
-  // the size hint, but calling code often pairs |SHA224_Init| with
+bcm_infallible BCM_sha256_final(uint8_t out[BCM_SHA256_DIGEST_LENGTH],
+                                SHA256_CTX *c) {
+  // Ideally we would assert |sha->md_len| is |BCM_SHA256_DIGEST_LENGTH| to
+  // match the size hint, but calling code often pairs |SHA224_Init| with
   // |SHA256_Final| and expects |sha->md_len| to carry the size over.
   //
   // TODO(davidben): Add an assert and fix code to match them up.
-  return sha256_final_impl(out, c->md_len, c);
+  sha256_final_impl(out, c->md_len, c);
+  return bcm_infallible::approved;
 }
 
-int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) {
+bcm_infallible BCM_sha224_final(uint8_t out[BCM_SHA224_DIGEST_LENGTH],
+                                SHA256_CTX *ctx) {
   // This function must be paired with |SHA224_Init|, which sets |ctx->md_len|
-  // to |SHA224_DIGEST_LENGTH|.
-  assert(ctx->md_len == SHA224_DIGEST_LENGTH);
-  return sha256_final_impl(out, SHA224_DIGEST_LENGTH, ctx);
+  // to |BCM_SHA224_DIGEST_LENGTH|.
+  assert(ctx->md_len == BCM_SHA224_DIGEST_LENGTH);
+  sha256_final_impl(out, BCM_SHA224_DIGEST_LENGTH, ctx);
+  return bcm_infallible::approved;
 }
 
 #if !defined(SHA256_ASM)
@@ -344,9 +324,11 @@ static void sha256_block_data_order(uint32_t state[8], const uint8_t *data,
 #endif  // !defined(SHA256_ASM)
 
 
-void SHA256_TransformBlocks(uint32_t state[8], const uint8_t *data,
-                            size_t num_blocks) {
+bcm_infallible BCM_sha256_transform_blocks(uint32_t state[8],
+                                           const uint8_t *data,
+                                           size_t num_blocks) {
   sha256_block_data_order(state, data, num_blocks);
+  return bcm_infallible::approved;
 }
 
 #undef Sigma0

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/{sha512.c.inc → sha512.cc.inc}

@@ -54,13 +54,12 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
-#include <openssl/sha.h>
-
 #include <string.h>
 
 #include <openssl/mem.h>
 
 #include "../../internal.h"
+#include "../bcm_interface.h"
 #include "../service_indicator/internal.h"
 #include "internal.h"
 
@@ -71,9 +70,9 @@
 // this writing, so there is no need for a common collector/padding
 // implementation yet.
 
-static int sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha);
+static void sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha);
 
-int SHA384_Init(SHA512_CTX *sha) {
+bcm_infallible BCM_sha384_init(SHA512_CTX *sha) {
   sha->h[0] = UINT64_C(0xcbbb9d5dc1059ed8);
   sha->h[1] = UINT64_C(0x629a292a367cd507);
   sha->h[2] = UINT64_C(0x9159015a3070dd17);
@@ -86,12 +85,12 @@ int SHA384_Init(SHA512_CTX *sha) {
   sha->Nl = 0;
   sha->Nh = 0;
   sha->num = 0;
-  sha->md_len = SHA384_DIGEST_LENGTH;
-  return 1;
+  sha->md_len = BCM_SHA384_DIGEST_LENGTH;
+  return bcm_infallible::approved;
 }
 
 
-int SHA512_Init(SHA512_CTX *sha) {
+bcm_infallible BCM_sha512_init(SHA512_CTX *sha) {
   sha->h[0] = UINT64_C(0x6a09e667f3bcc908);
   sha->h[1] = UINT64_C(0xbb67ae8584caa73b);
   sha->h[2] = UINT64_C(0x3c6ef372fe94f82b);
@@ -104,11 +103,11 @@ int SHA512_Init(SHA512_CTX *sha) {
   sha->Nl = 0;
   sha->Nh = 0;
   sha->num = 0;
-  sha->md_len = SHA512_DIGEST_LENGTH;
-  return 1;
+  sha->md_len = BCM_SHA512_DIGEST_LENGTH;
+  return bcm_infallible::approved;
 }
 
-int SHA512_256_Init(SHA512_CTX *sha) {
+bcm_infallible BCM_sha512_256_init(SHA512_CTX *sha) {
   sha->h[0] = UINT64_C(0x22312194fc2bf72c);
   sha->h[1] = UINT64_C(0x9f555fa3c84c64c2);
   sha->h[2] = UINT64_C(0x2393b86b6f53b151);
@@ -121,38 +120,8 @@ int SHA512_256_Init(SHA512_CTX *sha) {
   sha->Nl = 0;
   sha->Nh = 0;
   sha->num = 0;
-  sha->md_len = SHA512_256_DIGEST_LENGTH;
-  return 1;
-}
-
-uint8_t *SHA384(const uint8_t *data, size_t len,
-                uint8_t out[SHA384_DIGEST_LENGTH]) {
-  SHA512_CTX ctx;
-  SHA384_Init(&ctx);
-  SHA384_Update(&ctx, data, len);
-  SHA384_Final(out, &ctx);
-  OPENSSL_cleanse(&ctx, sizeof(ctx));
-  return out;
-}
-
-uint8_t *SHA512(const uint8_t *data, size_t len,
-                uint8_t out[SHA512_DIGEST_LENGTH]) {
-  SHA512_CTX ctx;
-  SHA512_Init(&ctx);
-  SHA512_Update(&ctx, data, len);
-  SHA512_Final(out, &ctx);
-  OPENSSL_cleanse(&ctx, sizeof(ctx));
-  return out;
-}
-
-uint8_t *SHA512_256(const uint8_t *data, size_t len,
-                    uint8_t out[SHA512_256_DIGEST_LENGTH]) {
-  SHA512_CTX ctx;
-  SHA512_256_Init(&ctx);
-  SHA512_256_Update(&ctx, data, len);
-  SHA512_256_Final(out, &ctx);
-  OPENSSL_cleanse(&ctx, sizeof(ctx));
-  return out;
+  sha->md_len = BCM_SHA512_256_DIGEST_LENGTH;
+  return bcm_infallible::approved;
 }
 
 #if !defined(SHA512_ASM)
@@ -161,39 +130,48 @@ static void sha512_block_data_order(uint64_t state[8], const uint8_t *in,
 #endif
 
 
-int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) {
-  // This function must be paired with |SHA384_Init|, which sets |sha->md_len|
-  // to |SHA384_DIGEST_LENGTH|.
-  assert(sha->md_len == SHA384_DIGEST_LENGTH);
-  return sha512_final_impl(out, SHA384_DIGEST_LENGTH, sha);
+bcm_infallible BCM_sha384_final(uint8_t out[BCM_SHA384_DIGEST_LENGTH],
+                                SHA512_CTX *sha) {
+  // This function must be paired with |BCM_sha384_init|, which sets
+  // |sha->md_len| to |BCM_SHA384_DIGEST_LENGTH|.
+  assert(sha->md_len == BCM_SHA384_DIGEST_LENGTH);
+  sha512_final_impl(out, BCM_SHA384_DIGEST_LENGTH, sha);
+  return bcm_infallible::approved;
 }
 
-int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len) {
-  return SHA512_Update(sha, data, len);
+bcm_infallible BCM_sha384_update(SHA512_CTX *sha, const void *data,
+                                 size_t len) {
+  return BCM_sha512_update(sha, data, len);
 }
 
-int SHA512_256_Update(SHA512_CTX *sha, const void *data, size_t len) {
-  return SHA512_Update(sha, data, len);
+bcm_infallible BCM_sha512_256_update(SHA512_CTX *sha, const void *data,
+                                     size_t len) {
+  return BCM_sha512_update(sha, data, len);
 }
 
-int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH], SHA512_CTX *sha) {
-  // This function must be paired with |SHA512_256_Init|, which sets
-  // |sha->md_len| to |SHA512_256_DIGEST_LENGTH|.
-  assert(sha->md_len == SHA512_256_DIGEST_LENGTH);
-  return sha512_final_impl(out, SHA512_256_DIGEST_LENGTH, sha);
+bcm_infallible BCM_sha512_256_final(uint8_t out[BCM_SHA512_256_DIGEST_LENGTH],
+                                    SHA512_CTX *sha) {
+  // This function must be paired with |BCM_sha512_256_init|, which sets
+  // |sha->md_len| to |BCM_SHA512_256_DIGEST_LENGTH|.
+  assert(sha->md_len == BCM_SHA512_256_DIGEST_LENGTH);
+  sha512_final_impl(out, BCM_SHA512_256_DIGEST_LENGTH, sha);
+  return bcm_infallible::approved;
 }
 
-void SHA512_Transform(SHA512_CTX *c, const uint8_t block[SHA512_CBLOCK]) {
+bcm_infallible BCM_sha512_transform(SHA512_CTX *c,
+                                    const uint8_t block[SHA512_CBLOCK]) {
   sha512_block_data_order(c->h, block, 1);
+  return bcm_infallible::approved;
 }
 
-int SHA512_Update(SHA512_CTX *c, const void *in_data, size_t len) {
+bcm_infallible BCM_sha512_update(SHA512_CTX *c, const void *in_data,
+                                 size_t len) {
   uint64_t l;
   uint8_t *p = c->p;
-  const uint8_t *data = in_data;
+  const uint8_t *data = reinterpret_cast<const uint8_t *>(in_data);
 
   if (len == 0) {
-    return 1;
+    return bcm_infallible::approved;
   }
 
   l = (c->Nl + (((uint64_t)len) << 3)) & UINT64_C(0xffffffffffffffff);
@@ -211,7 +189,7 @@ int SHA512_Update(SHA512_CTX *c, const void *in_data, size_t len) {
     if (len < n) {
       OPENSSL_memcpy(p + c->num, data, len);
       c->num += (unsigned int)len;
-      return 1;
+      return bcm_infallible::approved;
     } else {
       OPENSSL_memcpy(p + c->num, data, n), c->num = 0;
       len -= n;
@@ -232,19 +210,21 @@ int SHA512_Update(SHA512_CTX *c, const void *in_data, size_t len) {
     c->num = (int)len;
   }
 
-  return 1;
+  return bcm_infallible::approved;
 }
 
-int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) {
-  // Ideally we would assert |sha->md_len| is |SHA512_DIGEST_LENGTH| to match
-  // the size hint, but calling code often pairs |SHA384_Init| with
-  // |SHA512_Final| and expects |sha->md_len| to carry the size over.
+bcm_infallible BCM_sha512_final(uint8_t out[BCM_SHA512_DIGEST_LENGTH],
+                                SHA512_CTX *sha) {
+  // Ideally we would assert |sha->md_len| is |BCM_SHA512_DIGEST_LENGTH| to
+  // match the size hint, but calling code often pairs |BCM_sha384_init| with
+  // |BCM_sha512_final| and expects |sha->md_len| to carry the size over.
   //
   // TODO(davidben): Add an assert and fix code to match them up.
-  return sha512_final_impl(out, sha->md_len, sha);
+  sha512_final_impl(out, sha->md_len, sha);
+  return bcm_infallible::approved;
 }
 
-static int sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha) {
+static void sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha) {
   uint8_t *p = sha->p;
   size_t n = sha->num;
 
@@ -262,12 +242,6 @@ static int sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha) {
 
   sha512_block_data_order(sha->h, p, 1);
 
-  if (out == NULL) {
-    // TODO(davidben): This NULL check is absent in other low-level hash 'final'
-    // functions and is one of the few places one can fail.
-    return 0;
-  }
-
   assert(md_len % 8 == 0);
   const size_t out_words = md_len / 8;
   for (size_t i = 0; i < out_words; i++) {
@@ -276,7 +250,6 @@ static int sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha) {
   }
 
   FIPS_service_indicator_update_state();
-  return 1;
 }
 
 #if !defined(SHA512_ASM)
@@ -423,7 +396,6 @@ static void sha512_block_data_order_nohw(uint64_t state[8], const uint8_t *in,
   int i;
 
   while (num--) {
-
     a = state[0];
     b = state[1];
     c = state[2];

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/internal.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2018, Google Inc.
+/* Copyright 2018 The BoringSSL Authors
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

data/third_party/boringssl-with-bazel/src/crypto/hpke/{hpke.c → hpke.cc}

@@ -1,4 +1,4 @@
-/* Copyright (c) 2020, Google Inc.
+/* Copyright 2020 The BoringSSL Authors
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -137,7 +137,8 @@ static int dhkem_extract_and_expand(uint16_t kem_id, const EVP_MD *hkdf_md,
                                     const uint8_t *kem_context,
                                     size_t kem_context_len) {
   // concat("KEM", I2OSP(kem_id, 2))
-  uint8_t suite_id[5] = {'K', 'E', 'M', kem_id >> 8, kem_id & 0xff};
+  uint8_t suite_id[5] = {'K', 'E', 'M', static_cast<uint8_t>(kem_id >> 8),
+                         static_cast<uint8_t>(kem_id & 0xff)};
   uint8_t prk[EVP_MAX_MD_SIZE];
   size_t prk_len;
   return hpke_labeled_extract(hkdf_md, prk, &prk_len, NULL, 0, suite_id,
@@ -622,7 +623,8 @@ void EVP_HPKE_KEY_cleanup(EVP_HPKE_KEY *key) {
 }
 
 EVP_HPKE_KEY *EVP_HPKE_KEY_new(void) {
-  EVP_HPKE_KEY *key = OPENSSL_malloc(sizeof(EVP_HPKE_KEY));
+  EVP_HPKE_KEY *key =
+      reinterpret_cast<EVP_HPKE_KEY *>(OPENSSL_malloc(sizeof(EVP_HPKE_KEY)));
   if (key == NULL) {
     return NULL;
   }
@@ -847,7 +849,8 @@ void EVP_HPKE_CTX_cleanup(EVP_HPKE_CTX *ctx) {
 }
 
 EVP_HPKE_CTX *EVP_HPKE_CTX_new(void) {
-  EVP_HPKE_CTX *ctx = OPENSSL_malloc(sizeof(EVP_HPKE_CTX));
+  EVP_HPKE_CTX *ctx =
+      reinterpret_cast<EVP_HPKE_CTX *>(OPENSSL_malloc(sizeof(EVP_HPKE_CTX)));
   if (ctx == NULL) {
     return NULL;
   }