Upstream merge 2024 04 11 (#1527)

Merging from Upstream considering commits from
google/boringssl@09febb3
(Nov 27, 2023) to
google/boringssl@58906ea
(Nov 30, 2023).


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

crypto/CMakeLists.txt

@@ -460,7 +460,42 @@ add_library(
   x509/t_req.c
   x509/t_x509.c
   x509/t_x509a.c
-  x509/x509.c
+  x509/v3_akey.c
+  x509/v3_akeya.c
+  x509/v3_alt.c
+  x509/v3_bcons.c
+  x509/v3_bitst.c
+  x509/v3_conf.c
+  x509/v3_cpols.c
+  x509/v3_crld.c
+  x509/v3_enum.c
+  x509/v3_extku.c
+  x509/v3_genn.c
+  x509/v3_ia5.c
+  x509/v3_info.c
+  x509/v3_int.c
+  x509/v3_lib.c
+  x509/v3_ncons.c
+  x509/v3_ocsp.c
+  x509/v3_pcons.c
+  x509/v3_pmaps.c
+  x509/v3_prn.c
+  x509/v3_purp.c
+  x509/v3_skey.c
+  x509/v3_utl.c
+  x509/x_algor.c
+  x509/x_all.c
+  x509/x_attrib.c
+  x509/x_crl.c
+  x509/x_exten.c
+  x509/x_name.c
+  x509/x_pubkey.c
+  x509/x_req.c
+  x509/x_sig.c
+  x509/x_spki.c
+  x509/x_val.c
+  x509/x_x509.c
+  x509/x_x509a.c
   x509/x509_att.c
   x509/x509_cmp.c
   x509/x509_d2.c
@@ -475,46 +510,11 @@ add_library(
   x509/x509_v3.c
   x509/x509_vfy.c
   x509/x509_vpm.c
+  x509/x509.c
   x509/x509cset.c
   x509/x509name.c
   x509/x509rset.c
   x509/x509spki.c
-  x509/x_algor.c
-  x509/x_all.c
-  x509/x_attrib.c
-  x509/x_crl.c
-  x509/x_exten.c
-  x509/x_name.c
-  x509/x_pubkey.c
-  x509/x_req.c
-  x509/x_sig.c
-  x509/x_spki.c
-  x509/x_val.c
-  x509/x_x509.c
-  x509/x_x509a.c
-  x509v3/v3_akey.c
-  x509v3/v3_akeya.c
-  x509v3/v3_alt.c
-  x509v3/v3_bcons.c
-  x509v3/v3_bitst.c
-  x509v3/v3_conf.c
-  x509v3/v3_cpols.c
-  x509v3/v3_crld.c
-  x509v3/v3_enum.c
-  x509v3/v3_extku.c
-  x509v3/v3_genn.c
-  x509v3/v3_ia5.c
-  x509v3/v3_info.c
-  x509v3/v3_int.c
-  x509v3/v3_lib.c
-  x509v3/v3_ncons.c
-  x509v3/v3_ocsp.c
-  x509v3/v3_pcons.c
-  x509v3/v3_pmaps.c
-  x509v3/v3_prn.c
-  x509v3/v3_purp.c
-  x509v3/v3_skey.c
-  x509v3/v3_utl.c
   decrepit/bio/base64_bio.c
   decrepit/blowfish/blowfish.c
   decrepit/cast/cast.c
@@ -765,9 +765,9 @@ if(BUILD_TESTING)
     test/file_test_gtest.cc
     thread_test.cc
     trust_token/trust_token_test.cc
+    x509/tab_test.cc
     x509/x509_test.cc
     x509/x509_time_test.cc
-    x509v3/tab_test.cc
     decrepit/blowfish/blowfish_test.cc
     decrepit/cast/cast_test.cc
     decrepit/cfb/cfb_test.cc

crypto/decrepit/x509/x509_decrepit.c

@@ -12,7 +12,7 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
-#include <openssl/x509v3.h>
+#include <openssl/x509.h>
 
 #include <assert.h>
 

crypto/fipsmodule/bn/add.c

@@ -117,10 +117,7 @@ int bn_uadd_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) {
 
   BN_ULONG carry = bn_add_words(r->d, a->d, b->d, min);
   for (int i = min; i < max; i++) {
-    // |r| and |a| may alias, so use a temporary.
-    BN_ULONG tmp = carry + a->d[i];
-    carry = tmp < a->d[i];
-    r->d[i] = tmp;
+    r->d[i] = CRYPTO_addc_w(a->d[i], 0, carry, &carry);
   }
 
   r->d[max] = carry;
@@ -241,10 +238,7 @@ int bn_usub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) {
 
   BN_ULONG borrow = bn_sub_words(r->d, a->d, b->d, b_width);
   for (int i = b_width; i < a->width; i++) {
-    // |r| and |a| may alias, so use a temporary.
-    BN_ULONG tmp = a->d[i];
-    r->d[i] = a->d[i] - borrow;
-    borrow = tmp < r->d[i];
+    r->d[i] = CRYPTO_subc_w(a->d[i], 0, borrow, &borrow);
   }
 
   if (borrow) {

crypto/fipsmodule/bn/generic.c

@@ -567,37 +567,6 @@ void bn_sqr_comba4(BN_ULONG r[8], const BN_ULONG a[4]) {
 
 #if !defined(BN_ADD_ASM)
 
-// bn_add_with_carry returns |x + y + carry|, and sets |*out_carry| to the
-// carry bit. |carry| must be zero or one.
-static inline BN_ULONG bn_add_with_carry(BN_ULONG x, BN_ULONG y, BN_ULONG carry,
-                                         BN_ULONG *out_carry) {
-  assert(carry == 0 || carry == 1);
-#if defined(BN_ULLONG)
-  BN_ULLONG ret = carry;
-  ret += (BN_ULLONG)x + y;
-  *out_carry = (BN_ULONG)(ret >> BN_BITS2);
-  return (BN_ULONG)ret;
-#else
-  x += carry;
-  carry = x < carry;
-  BN_ULONG ret = x + y;
-  carry += ret < x;
-  *out_carry = carry;
-  return ret;
-#endif
-}
-
-// bn_sub_with_borrow returns |x - y - borrow|, and sets |*out_borrow| to the
-// borrow bit. |borrow| must be zero or one.
-static inline BN_ULONG bn_sub_with_borrow(BN_ULONG x, BN_ULONG y,
-                                          BN_ULONG borrow,
-                                          BN_ULONG *out_borrow) {
-  assert(borrow == 0 || borrow == 1);
-  BN_ULONG ret = x - y - borrow;
-  *out_borrow = (x < y) | ((x == y) & borrow);
-  return ret;
-}
-
 BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
                       size_t n) {
   if (n == 0) {
@@ -606,17 +575,17 @@ BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
 
   BN_ULONG carry = 0;
   while (n & ~3) {
-    r[0] = bn_add_with_carry(a[0], b[0], carry, &carry);
-    r[1] = bn_add_with_carry(a[1], b[1], carry, &carry);
-    r[2] = bn_add_with_carry(a[2], b[2], carry, &carry);
-    r[3] = bn_add_with_carry(a[3], b[3], carry, &carry);
+    r[0] = CRYPTO_addc_w(a[0], b[0], carry, &carry);
+    r[1] = CRYPTO_addc_w(a[1], b[1], carry, &carry);
+    r[2] = CRYPTO_addc_w(a[2], b[2], carry, &carry);
+    r[3] = CRYPTO_addc_w(a[3], b[3], carry, &carry);
     a += 4;
     b += 4;
     r += 4;
     n -= 4;
   }
   while (n) {
-    r[0] = bn_add_with_carry(a[0], b[0], carry, &carry);
+    r[0] = CRYPTO_addc_w(a[0], b[0], carry, &carry);
     a++;
     b++;
     r++;
@@ -633,17 +602,17 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
 
   BN_ULONG borrow = 0;
   while (n & ~3) {
-    r[0] = bn_sub_with_borrow(a[0], b[0], borrow, &borrow);
-    r[1] = bn_sub_with_borrow(a[1], b[1], borrow, &borrow);
-    r[2] = bn_sub_with_borrow(a[2], b[2], borrow, &borrow);
-    r[3] = bn_sub_with_borrow(a[3], b[3], borrow, &borrow);
+    r[0] = CRYPTO_subc_w(a[0], b[0], borrow, &borrow);
+    r[1] = CRYPTO_subc_w(a[1], b[1], borrow, &borrow);
+    r[2] = CRYPTO_subc_w(a[2], b[2], borrow, &borrow);
+    r[3] = CRYPTO_subc_w(a[3], b[3], borrow, &borrow);
     a += 4;
     b += 4;
     r += 4;
     n -= 4;
   }
   while (n) {
-    r[0] = bn_sub_with_borrow(a[0], b[0], borrow, &borrow);
+    r[0] = CRYPTO_subc_w(a[0], b[0], borrow, &borrow);
     a++;
     b++;
     r++;

crypto/fipsmodule/bn/mul.c

@@ -144,17 +144,13 @@ static BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a,
     // in |a| were zeros.
     dl = -dl;
     for (int i = 0; i < dl; i++) {
-      r[i] = 0u - b[i] - borrow;
-      borrow |= r[i] != 0;
+      r[i] = CRYPTO_subc_w(0, b[i], borrow, &borrow);
     }
   } else {
     // |b| is shorter than |a|. Complete the subtraction as if the excess words
     // in |b| were zeros.
     for (int i = 0; i < dl; i++) {
-      // |r| and |a| may alias, so use a temporary.
-      BN_ULONG tmp = a[i];
-      r[i] = a[i] - borrow;
-      borrow = tmp < r[i];
+      r[i] = CRYPTO_subc_w(a[i], 0, borrow, &borrow);
     }
   }
 

crypto/fipsmodule/ec/p224-64.c

@@ -23,6 +23,7 @@
 #include <openssl/ec.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
+#include <openssl/type_check.h>
 
 #include <string.h>
 
@@ -836,12 +837,12 @@ static void p224_select_point(const uint64_t idx, size_t size,
 
   for (size_t i = 0; i < size; i++) {
     const p224_limb *inlimbs = &pre_comp[i][0][0];
-    uint64_t mask = i ^ idx;
-    mask |= mask >> 4;
-    mask |= mask >> 2;
-    mask |= mask >> 1;
-    mask &= 1;
-    mask--;
+    OPENSSL_STATIC_ASSERT(sizeof(uint64_t) <= sizeof(crypto_word_t),
+                  crypto_word_t_is_too_small);
+    OPENSSL_STATIC_ASSERT(sizeof(size_t) <= sizeof(crypto_word_t),
+                  crypto_word_t_is_too_small);
+    // Without a value barrier, Clang adds a branch here.
+    uint64_t mask = value_barrier_w(constant_time_eq_w(i, idx));
     for (size_t j = 0; j < 4 * 3; j++) {
       outlimbs[j] |= inlimbs[j] & mask;
     }

crypto/internal.h

@@ -210,6 +210,12 @@ typedef __uint128_t uint128_t;
 #define OPENSSL_ATTR_PURE
 #endif
 
+#if defined(__has_builtin)
+#define OPENSSL_HAS_BUILTIN(x) __has_builtin(x)
+#else
+#define OPENSSL_HAS_BUILTIN(x) 0
+#endif
+
 
 // Pointer utility functions.
 
@@ -1078,6 +1084,110 @@ static inline uint64_t CRYPTO_rotr_u64(uint64_t value, int shift) {
 }
 
 
+// Arithmetic functions.
+
+// CRYPTO_addc_* returns |x + y + carry|, and sets |*out_carry| to the carry
+// bit. |carry| must be zero or one.
+#if OPENSSL_HAS_BUILTIN(__builtin_addc)
+
+#define CRYPTO_GENERIC_ADDC(x, y, carry, out_carry) \
+  (_Generic((x),                                    \
+      unsigned: __builtin_addc,                     \
+      unsigned long: __builtin_addcl,               \
+      unsigned long long: __builtin_addcll))((x), (y), (carry), (out_carry))
+
+static inline uint32_t CRYPTO_addc_u32(uint32_t x, uint32_t y, uint32_t carry,
+                                       uint32_t *out_carry) {
+  assert(carry <= 1);
+  return CRYPTO_GENERIC_ADDC(x, y, carry, out_carry);
+}
+
+static inline uint64_t CRYPTO_addc_u64(uint64_t x, uint64_t y, uint64_t carry,
+                                       uint64_t *out_carry) {
+  assert(carry <= 1);
+  return CRYPTO_GENERIC_ADDC(x, y, carry, out_carry);
+}
+
+#else
+
+static inline uint32_t CRYPTO_addc_u32(uint32_t x, uint32_t y, uint32_t carry,
+                                       uint32_t *out_carry) {
+  assert(carry <= 1);
+  uint64_t ret = carry;
+  ret += (uint64_t)x + y;
+  *out_carry = (uint32_t)(ret >> 32);
+  return (uint32_t)ret;
+}
+
+static inline uint64_t CRYPTO_addc_u64(uint64_t x, uint64_t y, uint64_t carry,
+                                       uint64_t *out_carry) {
+  assert(carry <= 1);
+#if defined(BORINGSSL_HAS_UINT128)
+  uint128_t ret = carry;
+  ret += (uint128_t)x + y;
+  *out_carry = (uint64_t)(ret >> 64);
+  return (uint64_t)ret;
+#else
+  x += carry;
+  carry = x < carry;
+  uint64_t ret = x + y;
+  carry += ret < x;
+  *out_carry = carry;
+  return ret;
+#endif
+}
+#endif
+
+// CRYPTO_subc_* returns |x - y - borrow|, and sets |*out_borrow| to the borrow
+// bit. |borrow| must be zero or one.
+#if OPENSSL_HAS_BUILTIN(__builtin_subc)
+
+#define CRYPTO_GENERIC_SUBC(x, y, borrow, out_borrow) \
+  (_Generic((x),                                      \
+      unsigned: __builtin_subc,                       \
+      unsigned long: __builtin_subcl,                 \
+      unsigned long long: __builtin_subcll))((x), (y), (borrow), (out_borrow))
+
+static inline uint32_t CRYPTO_subc_u32(uint32_t x, uint32_t y, uint32_t borrow,
+                                       uint32_t *out_borrow) {
+  assert(borrow <= 1);
+  return CRYPTO_GENERIC_SUBC(x, y, borrow, out_borrow);
+}
+
+static inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow,
+                                       uint64_t *out_borrow) {
+  assert(borrow <= 1);
+  return CRYPTO_GENERIC_SUBC(x, y, borrow, out_borrow);
+}
+
+#else
+
+static inline uint32_t CRYPTO_subc_u32(uint32_t x, uint32_t y, uint32_t borrow,
+                                       uint32_t *out_borrow) {
+  assert(borrow <= 1);
+  uint32_t ret = x - y - borrow;
+  *out_borrow = (x < y) | ((x == y) & borrow);
+  return ret;
+}
+
+static inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow,
+                                       uint64_t *out_borrow) {
+  assert(borrow <= 1);
+  uint64_t ret = x - y - borrow;
+  *out_borrow = (x < y) | ((x == y) & borrow);
+  return ret;
+}
+#endif
+
+#if defined(OPENSSL_64_BIT)
+#define CRYPTO_addc_w CRYPTO_addc_u64
+#define CRYPTO_subc_w CRYPTO_subc_u64
+#else
+#define CRYPTO_addc_w CRYPTO_addc_u32
+#define CRYPTO_subc_w CRYPTO_subc_u32
+#endif
+
+
 // FIPS functions.
 
 #if defined(AWSLC_FIPS)