Update kernel-build-tools to ab/8664722android-t-beta-3.2_r0.4

https://ci.android.com/builds/branches/aosp_kernel-build-tools/grid?head=8664722&tail=8664722

Test: treehugger
Change-Id: I5304ffd81f8f1f96be12b07dd1c3a0877af8ebfc

22 files changed, 167 insertions, 81 deletions

diff --git a/linux-x86/bin/abitidy b/linux-x86/bin/abitidy
index 906010e..abed941 100755
--- a/linux-x86/bin/abitidy
+++ b/linux-x86/bin/abitidy
diff --git a/linux-x86/bin/avbtool b/linux-x86/bin/avbtool
index a804bce..e7c3289 100755
--- a/linux-x86/bin/avbtool
+++ b/linux-x86/bin/avbtool
diff --git a/linux-x86/bin/build_image b/linux-x86/bin/build_image
index bef4693..45d1324 100755
--- a/linux-x86/bin/build_image
+++ b/linux-x86/bin/build_image
diff --git a/linux-x86/bin/build_super_image b/linux-x86/bin/build_super_image
index 37923c4..2eca448 100755
--- a/linux-x86/bin/build_super_image
+++ b/linux-x86/bin/build_super_image
diff --git a/linux-x86/bin/certify_bootimg b/linux-x86/bin/certify_bootimg
index 02c7867..e037662 100755
--- a/linux-x86/bin/certify_bootimg
+++ b/linux-x86/bin/certify_bootimg
diff --git a/linux-x86/bin/fec b/linux-x86/bin/fec
index 9b90462..eca3e5d 100755
--- a/linux-x86/bin/fec
+++ b/linux-x86/bin/fec
diff --git a/linux-x86/include/openssl/aead.h b/linux-x86/include/openssl/aead.h
index 38eb076..5486b4b 100644
--- a/linux-x86/include/openssl/aead.h
+++ b/linux-x86/include/openssl/aead.h
@@ -212,15 +212,15 @@ union evp_aead_ctx_st_state {
   uint64_t alignment;
 };
 
-// An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key
-// and message-independent IV.
-typedef struct evp_aead_ctx_st {
+// An evp_aead_ctx_st (typedefed as |EVP_AEAD_CTX| in base.h) represents an AEAD
+// algorithm configured with a specific key and message-independent IV.
+struct evp_aead_ctx_st {
   const EVP_AEAD *aead;
   union evp_aead_ctx_st_state state;
   // tag_len may contain the actual length of the authentication tag if it is
   // known at initialization time.
   uint8_t tag_len;
-} EVP_AEAD_CTX;
+};
 
 // EVP_AEAD_MAX_KEY_LENGTH contains the maximum key length used by
 // any AEAD defined in this header.
diff --git a/linux-x86/include/openssl/asn1.h b/linux-x86/include/openssl/asn1.h
index d6fa2f7..5ae0064 100644
--- a/linux-x86/include/openssl/asn1.h
+++ b/linux-x86/include/openssl/asn1.h
@@ -1650,6 +1650,8 @@ OPENSSL_EXPORT int ASN1_TIME_print(BIO *out, const ASN1_TIME *a);
 // replaced with '.'.
 OPENSSL_EXPORT int ASN1_STRING_print(BIO *out, const ASN1_STRING *str);
 
+// The following flags must not collide with |XN_FLAG_*|.
+
 // ASN1_STRFLGS_ESC_2253 causes characters to be escaped as in RFC 2253, section
 // 2.4.
 #define ASN1_STRFLGS_ESC_2253 1
diff --git a/linux-x86/include/openssl/asn1t.h b/linux-x86/include/openssl/asn1t.h
index b65272d..75bc6f0 100644
--- a/linux-x86/include/openssl/asn1t.h
+++ b/linux-x86/include/openssl/asn1t.h
@@ -509,19 +509,8 @@ const char *sname;		/* Structure name */
 
 #define ASN1_ITYPE_MSTRING		0x5
 
-/* Cache for ASN1 tag and length, so we
- * don't keep re-reading it for things
- * like CHOICE
- */
-
-struct ASN1_TLC_st{
-	char valid;	/* Values below are valid */
-	int ret;	/* return value */
-	long plen;	/* length */
-	int ptag;	/* class value */
-	int pclass;	/* class value */
-	int hdrlen;	/* header length */
-};
+/* Deprecated tag and length cache */
+struct ASN1_TLC_st;
 
 /* Typedefs for ASN1 function pointers */
 
diff --git a/linux-x86/include/openssl/base.h b/linux-x86/include/openssl/base.h
index b630236..4ab9eca 100644
--- a/linux-x86/include/openssl/base.h
+++ b/linux-x86/include/openssl/base.h
@@ -402,6 +402,7 @@ typedef struct engine_st ENGINE;
 typedef struct env_md_ctx_st EVP_MD_CTX;
 typedef struct env_md_st EVP_MD;
 typedef struct evp_aead_st EVP_AEAD;
+typedef struct evp_aead_ctx_st EVP_AEAD_CTX;
 typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
 typedef struct evp_cipher_st EVP_CIPHER;
 typedef struct evp_encode_ctx_st EVP_ENCODE_CTX;
@@ -448,7 +449,6 @@ typedef struct trust_token_issuer_st TRUST_TOKEN_ISSUER;
 typedef struct trust_token_method_st TRUST_TOKEN_METHOD;
 typedef struct v3_ext_ctx X509V3_CTX;
 typedef struct x509_attributes_st X509_ATTRIBUTE;
-typedef struct x509_crl_method_st X509_CRL_METHOD;
 typedef struct x509_lookup_st X509_LOOKUP;
 typedef struct x509_lookup_method_st X509_LOOKUP_METHOD;
 typedef struct x509_object_st X509_OBJECT;
diff --git a/linux-x86/include/openssl/bytestring.h b/linux-x86/include/openssl/bytestring.h
index 199d89c..68c1ba4 100644
--- a/linux-x86/include/openssl/bytestring.h
+++ b/linux-x86/include/openssl/bytestring.h
@@ -265,6 +265,10 @@ OPENSSL_EXPORT int CBS_get_any_asn1_element(CBS *cbs, CBS *out,
 // also true for empty elements so |*out_indefinite| should be checked). If
 // |out_ber_found| is not NULL then it is set to one if any case of invalid DER
 // but valid BER is found, and to zero otherwise.
+//
+// This function will not successfully parse an end-of-contents (EOC) as an
+// element. Callers parsing indefinite-length encoding must check for EOC
+// separately.
 OPENSSL_EXPORT int CBS_get_any_ber_asn1_element(CBS *cbs, CBS *out,
                                                 unsigned *out_tag,
                                                 size_t *out_header_len,
diff --git a/linux-x86/include/openssl/crypto.h b/linux-x86/include/openssl/crypto.h
index 117b347..b1f696f 100644
--- a/linux-x86/include/openssl/crypto.h
+++ b/linux-x86/include/openssl/crypto.h
@@ -178,6 +178,9 @@ OPENSSL_EXPORT void OPENSSL_cleanup(void);
 // |BORINGSSL_FIPS| and zero otherwise.
 OPENSSL_EXPORT int FIPS_mode_set(int on);
 
+// FIPS_module_name returns the name of the FIPS module.
+OPENSSL_EXPORT const char *FIPS_module_name(void);
+
 // FIPS_version returns the version of the FIPS module, or zero if the build
 // isn't exactly at a verified version. The version, expressed in base 10, will
 // be a date in the form yyyymmddXX where XX is often "00", but can be
diff --git a/linux-x86/include/openssl/pkcs8.h b/linux-x86/include/openssl/pkcs8.h
index 968640b..8774681 100644
--- a/linux-x86/include/openssl/pkcs8.h
+++ b/linux-x86/include/openssl/pkcs8.h
@@ -122,6 +122,8 @@ OPENSSL_EXPORT EVP_PKEY *PKCS8_parse_encrypted_private_key(CBS *cbs,
 // and decrypts it using |password|, sets |*out_key| to the included private
 // key and appends the included certificates to |out_certs|. It returns one on
 // success and zero on error. The caller takes ownership of the outputs.
+// Any friendlyName attributes (RFC 2985) in the PKCS#12 structure will be
+// returned on the |X509| objects as aliases. See also |X509_alias_get0|.
 OPENSSL_EXPORT int PKCS12_get_key_and_certs(EVP_PKEY **out_key,
                                             STACK_OF(X509) *out_certs,
                                             CBS *in, const char *password);
@@ -219,6 +221,11 @@ OPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
 // implemented for compatibility with external packages. Note the output still
 // requires a password for the MAC. Unencrypted keys in PKCS#12 are also not
 // widely supported and may not open in other implementations.
+//
+// If |cert| or |chain| have associated aliases (see |X509_alias_set1|), they
+// will be included in the output as friendlyName attributes (RFC 2985). It is
+// an error to specify both an alias on |cert| and a non-NULL |name|
+// parameter.
 OPENSSL_EXPORT PKCS12 *PKCS12_create(const char *password, const char *name,
                                      const EVP_PKEY *pkey, X509 *cert,
                                      const STACK_OF(X509) *chain, int key_nid,
@@ -278,5 +285,6 @@ BSSL_NAMESPACE_END
 #define PKCS8_R_UNSUPPORTED_PRF 130
 #define PKCS8_R_INVALID_CHARACTERS 131
 #define PKCS8_R_UNSUPPORTED_OPTIONS 132
+#define PKCS8_R_AMBIGUOUS_FRIENDLY_NAME 133
 
 #endif  // OPENSSL_HEADER_PKCS8_H
diff --git a/linux-x86/include/openssl/service_indicator.h b/linux-x86/include/openssl/service_indicator.h
new file mode 100644
index 0000000..33b38b2
--- /dev/null
+++ b/linux-x86/include/openssl/service_indicator.h
@@ -0,0 +1,96 @@
+/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_SERVICE_INDICATOR_H
+#define OPENSSL_HEADER_SERVICE_INDICATOR_H
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+// FIPS_service_indicator_before_call and |FIPS_service_indicator_after_call|
+// both currently return the same local thread counter which is slowly
+// incremented whenever approved services are called. The
+// |CALL_SERVICE_AND_CHECK_APPROVED| macro is strongly recommended over calling
+// these functions directly.
+//
+// |FIPS_service_indicator_before_call| is intended to be called immediately
+// before an approved service, while |FIPS_service_indicator_after_call| should
+// be called immediately after. If the values returned from these two functions
+// are not equal, this means that the service called inbetween is deemed to be
+// approved. If the values are still the same, this means the counter has not
+// been incremented, and the service called is not approved for FIPS.
+//
+// In non-FIPS builds, |FIPS_service_indicator_before_call| always returns zero
+// and |FIPS_service_indicator_after_call| always returns one. Thus calls always
+// appear to be approved. This is intended to simplify testing.
+OPENSSL_EXPORT uint64_t FIPS_service_indicator_before_call(void);
+OPENSSL_EXPORT uint64_t FIPS_service_indicator_after_call(void);
+
+#if defined(__cplusplus)
+}
+
+#if !defined(BORINGSSL_NO_CXX)
+
+extern "C++" {
+
+// CALL_SERVICE_AND_CHECK_APPROVED runs |func| and sets |approved| to one of the
+// |FIPSStatus*| values, above, depending on whether |func| invoked an
+// approved service. The result of |func| becomes the result of this macro.
+#define CALL_SERVICE_AND_CHECK_APPROVED(approved, func)         \
+  [&] {                                                       \
+    bssl::FIPSIndicatorHelper fips_indicator_helper(&approved); \
+    return func;                                                \
+  }()
+
+namespace bssl {
+
+enum class FIPSStatus {
+  NOT_APPROVED = 0,
+  APPROVED = 1,
+};
+
+// FIPSIndicatorHelper records whether the service indicator counter advanced
+// during its lifetime.
+class FIPSIndicatorHelper {
+ public:
+  FIPSIndicatorHelper(FIPSStatus *result)
+      : result_(result), before_(FIPS_service_indicator_before_call()) {
+    *result_ = FIPSStatus::NOT_APPROVED;
+  }
+
+  ~FIPSIndicatorHelper() {
+    uint64_t after = FIPS_service_indicator_after_call();
+    if (after != before_) {
+      *result_ = FIPSStatus::APPROVED;
+    }
+  }
+
+  FIPSIndicatorHelper(const FIPSIndicatorHelper&) = delete;
+  FIPSIndicatorHelper &operator=(const FIPSIndicatorHelper &) = delete;
+
+ private:
+  FIPSStatus *const result_;
+  const uint64_t before_;
+};
+
+}  // namespace bssl
+}  // extern "C++"
+
+#endif  // !BORINGSSL_NO_CXX
+#endif  // __cplusplus
+
+#endif  // OPENSSL_HEADER_SERVICE_INDICATOR_H
diff --git a/linux-x86/include/openssl/span.h b/linux-x86/include/openssl/span.h
index 38e9a96..67a1a5c 100644
--- a/linux-x86/include/openssl/span.h
+++ b/linux-x86/include/openssl/span.h
@@ -99,12 +99,11 @@ class Span : private internal::SpanBase<const T> {
   // Heuristically test whether C is a container type that can be converted into
   // a Span by checking for data() and size() member functions.
   //
-  // TODO(davidben): Require C++14 support and switch to std::enable_if_t.
-  // Perhaps even C++17 now?
+  // TODO(davidben): Require C++17 support for std::is_convertible_v, etc.
   template <typename C>
-  using EnableIfContainer = typename std::enable_if<
+  using EnableIfContainer = std::enable_if_t<
       std::is_convertible<decltype(std::declval<C>().data()), T *>::value &&
-      std::is_integral<decltype(std::declval<C>().size())>::value>::type;
+      std::is_integral<decltype(std::declval<C>().size())>::value>;
 
  public:
   constexpr Span() : Span(nullptr, 0) {}
@@ -113,14 +112,12 @@ class Span : private internal::SpanBase<const T> {
   template <size_t N>
   constexpr Span(T (&array)[N]) : Span(array, N) {}
 
-  template <
-      typename C, typename = EnableIfContainer<C>,
-      typename = typename std::enable_if<std::is_const<T>::value, C>::type>
+  template <typename C, typename = EnableIfContainer<C>,
+            typename = std::enable_if_t<std::is_const<T>::value, C>>
   Span(const C &container) : data_(container.data()), size_(container.size()) {}
 
-  template <
-      typename C, typename = EnableIfContainer<C>,
-      typename = typename std::enable_if<!std::is_const<T>::value, C>::type>
+  template <typename C, typename = EnableIfContainer<C>,
+            typename = std::enable_if_t<!std::is_const<T>::value, C>>
   explicit Span(C &container)
       : data_(container.data()), size_(container.size()) {}
 
diff --git a/linux-x86/include/openssl/ssl.h b/linux-x86/include/openssl/ssl.h
index a3b530e..f0ca7f7 100644
--- a/linux-x86/include/openssl/ssl.h
+++ b/linux-x86/include/openssl/ssl.h
@@ -2281,6 +2281,13 @@ OPENSSL_EXPORT void SSL_CTX_set_ticket_aead_method(
 OPENSSL_EXPORT SSL_SESSION *SSL_process_tls13_new_session_ticket(
     SSL *ssl, const uint8_t *buf, size_t buf_len);
 
+// SSL_CTX_set_num_tickets configures |ctx| to send |num_tickets| immediately
+// after a successful TLS 1.3 handshake as a server. It returns one. Large
+// values of |num_tickets| will be capped within the library.
+//
+// By default, BoringSSL sends two tickets.
+OPENSSL_EXPORT int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets);
+
 
 // Elliptic curve Diffie-Hellman.
 //
diff --git a/linux-x86/include/openssl/stack.h b/linux-x86/include/openssl/stack.h
index 04e942c..df54713 100644
--- a/linux-x86/include/openssl/stack.h
+++ b/linux-x86/include/openssl/stack.h
@@ -443,16 +443,14 @@ namespace internal {
 
 // Stacks defined with |DEFINE_CONST_STACK_OF| are freed with |sk_free|.
 template <typename Stack>
-struct DeleterImpl<
-    Stack, typename std::enable_if<StackTraits<Stack>::kIsConst>::type> {
+struct DeleterImpl<Stack, std::enable_if_t<StackTraits<Stack>::kIsConst>> {
   static void Free(Stack *sk) { sk_free(reinterpret_cast<_STACK *>(sk)); }
 };
 
 // Stacks defined with |DEFINE_STACK_OF| are freed with |sk_pop_free| and the
 // corresponding type's deleter.
 template <typename Stack>
-struct DeleterImpl<
-    Stack, typename std::enable_if<!StackTraits<Stack>::kIsConst>::type> {
+struct DeleterImpl<Stack, std::enable_if_t<!StackTraits<Stack>::kIsConst>> {
   static void Free(Stack *sk) {
     // sk_FOO_pop_free is defined by macros and bound by name, so we cannot
     // access it from C++ here.
@@ -502,18 +500,17 @@ class StackIteratorImpl {
 };
 
 template <typename Stack>
-using StackIterator = typename std::enable_if<StackTraits<Stack>::kIsStack,
-                                              StackIteratorImpl<Stack>>::type;
+using StackIterator =
+    std::enable_if_t<StackTraits<Stack>::kIsStack, StackIteratorImpl<Stack>>;
 
 }  // namespace internal
 
 // PushToStack pushes |elem| to |sk|. It returns true on success and false on
 // allocation failure.
 template <typename Stack>
-inline
-    typename std::enable_if<!internal::StackTraits<Stack>::kIsConst, bool>::type
-    PushToStack(Stack *sk,
-                UniquePtr<typename internal::StackTraits<Stack>::Type> elem) {
+inline std::enable_if_t<!internal::StackTraits<Stack>::kIsConst, bool>
+PushToStack(Stack *sk,
+            UniquePtr<typename internal::StackTraits<Stack>::Type> elem) {
   if (!sk_push(reinterpret_cast<_STACK *>(sk), elem.get())) {
     return false;
   }
diff --git a/linux-x86/include/openssl/type_check.h b/linux-x86/include/openssl/type_check.h
index c267938..41de895 100644
--- a/linux-x86/include/openssl/type_check.h
+++ b/linux-x86/include/openssl/type_check.h
@@ -71,7 +71,12 @@ extern "C" {
 // C11 defines the |_Static_assert| keyword and the |static_assert| macro in
 // assert.h. While the former is available at all versions in Clang and GCC, the
 // later depends on libc and, in glibc, depends on being built in C11 mode. We
-// do not require this, for now, so use |_Static_assert| directly.
+// require C11 mode to build the library but, for now, do not require it in
+// public headers. Use |_Static_assert| directly.
+//
+// TODO(davidben): In July 2022, if the C11 change has not been reverted, switch
+// all uses of this macro within the library to C11 |static_assert|. This macro
+// will only be necessary in public headers.
 #define OPENSSL_STATIC_ASSERT(cond, msg) _Static_assert(cond, msg)
 #endif
 
diff --git a/linux-x86/include/openssl/x509.h b/linux-x86/include/openssl/x509.h
index 3633186..4d312c7 100644
--- a/linux-x86/include/openssl/x509.h
+++ b/linux-x86/include/openssl/x509.h
@@ -199,7 +199,8 @@ DEFINE_STACK_OF(X509_TRUST)
 #define X509_FLAG_NO_ATTRIBUTES (1L << 11)
 #define X509_FLAG_NO_IDS (1L << 12)
 
-// Flags specific to X509_NAME_print_ex()
+// Flags specific to X509_NAME_print_ex(). These flags must not collide with
+// |ASN1_STRFLGS_*|.
 
 // The field separator information
 
@@ -311,11 +312,8 @@ struct Netscape_spki_st {
 #define X509_VERSION_2 1
 #define X509_VERSION_3 2
 
-// X509_get_version returns the numerical value of |x509|'s version. Callers may
-// compare the result to the |X509_VERSION_*| constants. Unknown versions are
-// rejected by the parser, but a manually-created |X509| object may encode
-// invalid versions. In that case, the function will return the invalid version,
-// or -1 on overflow.
+// X509_get_version returns the numerical value of |x509|'s version, which will
+// be one of the |X509_VERSION_*| constants.
 OPENSSL_EXPORT long X509_get_version(const X509 *x509);
 
 // X509_set_version sets |x509|'s version to |version|, which should be one of
@@ -393,15 +391,12 @@ OPENSSL_EXPORT void X509_get0_uids(const X509 *x509,
 // |EXFLAG_INVALID| bit.
 OPENSSL_EXPORT long X509_get_pathlen(X509 *x509);
 
-// X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. Note no
-// other versions are defined.
+// X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. No other
+// versions are defined.
 #define X509_REQ_VERSION_1 0
 
 // X509_REQ_get_version returns the numerical value of |req|'s version. This
-// will be |X509_REQ_VERSION_1| for valid certificate requests. If |req| is
-// invalid, it may return another value, or -1 on overflow.
-//
-// TODO(davidben): Enforce the version number in the parser.
+// will always be |X509_REQ_VERSION_1|.
 OPENSSL_EXPORT long X509_REQ_get_version(const X509_REQ *req);
 
 // X509_REQ_get_subject_name returns |req|'s subject name. Note this function is
@@ -417,11 +412,8 @@ OPENSSL_EXPORT X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
 #define X509_CRL_VERSION_1 0
 #define X509_CRL_VERSION_2 1
 
-// X509_CRL_get_version returns the numerical value of |crl|'s version. Callers
-// may compare the result to |X509_CRL_VERSION_*| constants. If |crl| is
-// invalid, it may return another value, or -1 on overflow.
-//
-// TODO(davidben): Enforce the version number in the parser.
+// X509_CRL_get_version returns the numerical value of |crl|'s version, which
+// will be one of the |X509_CRL_VERSION_*| constants.
 OPENSSL_EXPORT long X509_CRL_get_version(const X509_CRL *crl);
 
 // X509_CRL_get0_lastUpdate returns |crl|'s lastUpdate time.
@@ -480,17 +472,6 @@ OPENSSL_EXPORT void X509_SIG_get0(const X509_SIG *sig,
 OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg,
                                   ASN1_OCTET_STRING **out_digest);
 
-OPENSSL_EXPORT void X509_CRL_set_default_method(const X509_CRL_METHOD *meth);
-OPENSSL_EXPORT X509_CRL_METHOD *X509_CRL_METHOD_new(
-    int (*crl_init)(X509_CRL *crl), int (*crl_free)(X509_CRL *crl),
-    int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *ser,
-                      X509_NAME *issuer),
-    int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk));
-OPENSSL_EXPORT void X509_CRL_METHOD_free(X509_CRL_METHOD *m);
-
-OPENSSL_EXPORT void X509_CRL_set_meth_data(X509_CRL *crl, void *dat);
-OPENSSL_EXPORT void *X509_CRL_get_meth_data(X509_CRL *crl);
-
 // X509_get_X509_PUBKEY returns the public key of |x509|. Note this function is
 // not const-correct for legacy reasons. Callers should not modify the returned
 // object.
@@ -816,9 +797,6 @@ OPENSSL_EXPORT const char *X509_get_default_cert_dir_env(void);
 OPENSSL_EXPORT const char *X509_get_default_cert_file_env(void);
 OPENSSL_EXPORT const char *X509_get_default_private_dir(void);
 
-OPENSSL_EXPORT X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey,
-                                          const EVP_MD *md);
-
 DECLARE_ASN1_ENCODE_FUNCTIONS(X509_ALGORS, X509_ALGORS, X509_ALGORS)
 
 DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
@@ -1087,7 +1065,8 @@ OPENSSL_EXPORT const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x509);
 // X509_REQ_set_version sets |req|'s version to |version|, which should be
 // |X509_REQ_VERSION_1|. It returns one on success and zero on error.
 //
-// Note no versions other than |X509_REQ_VERSION_1| are defined for CSRs.
+// The only defined CSR version is |X509_REQ_VERSION_1|, so there is no need to
+// call this function.
 OPENSSL_EXPORT int X509_REQ_set_version(X509_REQ *req, long version);
 
 // X509_REQ_set_subject_name sets |req|'s subject to a copy of |name|. It
@@ -2398,7 +2377,6 @@ BORINGSSL_MAKE_DELETER(X509_ALGOR, X509_ALGOR_free)
 BORINGSSL_MAKE_DELETER(X509_ATTRIBUTE, X509_ATTRIBUTE_free)
 BORINGSSL_MAKE_DELETER(X509_CRL, X509_CRL_free)
 BORINGSSL_MAKE_UP_REF(X509_CRL, X509_CRL_up_ref)
-BORINGSSL_MAKE_DELETER(X509_CRL_METHOD, X509_CRL_METHOD_free)
 BORINGSSL_MAKE_DELETER(X509_EXTENSION, X509_EXTENSION_free)
 BORINGSSL_MAKE_DELETER(X509_INFO, X509_INFO_free)
 BORINGSSL_MAKE_DELETER(X509_LOOKUP, X509_LOOKUP_free)
diff --git a/linux-x86/lib64/libbase.so b/linux-x86/lib64/libbase.so
index e3c0ae2..87dd400 100755
--- a/linux-x86/lib64/libbase.so
+++ b/linux-x86/lib64/libbase.so
diff --git a/linux-x86/lib64/libcrypto-host.so b/linux-x86/lib64/libcrypto-host.so
index efbd04f..0ef2896 100755
--- a/linux-x86/lib64/libcrypto-host.so
+++ b/linux-x86/lib64/libcrypto-host.so
diff --git a/manifest.xml b/manifest.xml
index 7f2af47..723474d 100644
--- a/manifest.xml
+++ b/manifest.xml
@@ -7,15 +7,15 @@
 
   <superproject name="kernel/superproject" remote="aosp" revision="build-tools" />
 
-  <project path="prebuilts/kernel-build-tools" name="kernel/prebuilts/build-tools" clone-depth="1" revision="87c786adc3e4687344a6af2dafb345fe5de0869a" />
+  <project path="prebuilts/kernel-build-tools" name="kernel/prebuilts/build-tools" clone-depth="1" revision="1f9a169ac19d0a20c8266bc078eb5c48b572b134" />
 
-  <project path="build/blueprint" name="platform/build/blueprint" revision="57d5937e6fd4438aea9c0d6d06a85d2c69cbb61b" />
+  <project path="build/blueprint" name="platform/build/blueprint" revision="2a95e590b6727ead76d0474bc70bb14971595896" />
 
-  <project path="build/make" name="platform/build" groups="pdk" revision="d0035d5d8817fcbfd3ef92e3dc35c92805257890">
+  <project path="build/make" name="platform/build" groups="pdk" revision="4449692fa960bb10378ac8f779a0bfe710237851">
     <linkfile dest="build/tools" src="tools" />
 </project>
 
-  <project path="build/soong" name="platform/build/soong" revision="1db9d96d6ada504e5a95bbca09f3f2d35ad2e11c">
+  <project path="build/soong" name="platform/build/soong" revision="ced67ded0b9b962c575989c1835ebe9d9b776d50">
     <linkfile dest="Android.bp" src="root.bp" />
 
     <linkfile dest="bootstrap.bash" src="bootstrap.bash" />
@@ -35,7 +35,7 @@
 
   <project path="bionic" name="platform/bionic" revision="4ebdeebef74ffa09fe8176f73b32d5a21f4be4ae" />
 
-  <project path="external/boringssl" name="platform/external/boringssl" revision="a8f71fcea2b133b323af7c88bc074ccfd09f4fd1" />
+  <project path="external/boringssl" name="platform/external/boringssl" revision="e6e9a5d015a010d2fab0a13392eca548f7c370cc" />
 
   <project path="external/dwarves" name="platform/external/dwarves" revision="3c8f7e8b2cf7ff902b71c42d00fda30f30114b07" />
 
@@ -57,7 +57,7 @@
 
   <project path="external/libbpf" name="platform/external/libbpf" revision="ae6cd3345b78a75652e83afb072e99e70e5887d8" />
 
-  <project path="external/libabigail" name="platform/external/libabigail" revision="ebd2d3dda1d729bd411fade7edf58229fd02719b" />
+  <project path="external/libabigail" name="platform/external/libabigail" revision="8456ad92a96e0e0484766a44dada4e08c5144d81" />
 
   <project path="external/libcxx" name="platform/external/libcxx" revision="0b1ac82ded2bcb4e16abda1b2491fb34c39b554c" />
 
@@ -91,13 +91,13 @@
 
   <project path="prebuilts/clang-tools" name="platform/prebuilts/clang-tools" clone-depth="1" revision="91f4dc745f5ac520ba307d41dcccfcf1da87c8e1" />
 
-  <project path="system/core" name="platform/system/core" revision="ab2d6cdc8fcab494f06effc7a9eb1855313bcf3b" />
+  <project path="system/core" name="platform/system/core" revision="762543a34fd8d5dccdaa842e92dc8c0f012b3d39" />
 
   <project path="system/logging" name="platform/system/logging" revision="24f69a13c3bb27aceac1b9a0ef13c4cd41f618cf" />
 
-  <project path="system/extras" name="platform/system/extras" revision="6bdbd3017db9c36dea28f92568d4bc1b525ee9eb" />
+  <project path="system/extras" name="platform/system/extras" revision="2e9d437cb773e29c144df4e4480487879fe8202a" />
 
-  <project path="system/libbase" name="platform/system/libbase" revision="91a10d912827b818d0c1931ede3a2afaa93b18cd" />
+  <project path="system/libbase" name="platform/system/libbase" revision="3e6e44249aa066e3b15620ac355d640268afa985" />
 
   <project path="system/security" name="platform/system/security" revision="cc15f26ecddc5b060d2ab70a07bb3af11a980142" />