author: Pete Bentley <prb@google.com> 2021-01-20 11:51:47 +0000
committer: Pete Bentley <prb@google.com> 2021-01-20 13:25:50 +0000
commit: 17486117acfddecea663c62f1aed75589a632ce5
tree: 8c43bbf180d8572f2f8cbfceab93237c5d5a60ee /ios-aarch64/crypto/fipsmodule
parent: 16f7c57a20446b2f2ae0e31600e86b14f3f58dd1
external/boringssl: Sync to c1e156ae16fa8b61af9b5d2b74e59d3f86e141be.

This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/3989c99706bf30054798ff82f1cb010e50e385f5..c1e156ae16fa8b61af9b5d2b74e59d3f86e141be

* Add DH_compute_key_padded. Update-Note: No compatibility impact, but callers that use DH_compute_key and then fix up the removed leading zeros can switch to this function. Then they should migrate to something else.
* Fix client 0-RTT handling with ALPS.
* acvp: add XTS support.
* doc: fix SSL_set0_rbio
* Add support for the new QUIC TLS extension codepoint
* delocate: preprocess perlasm output on Aarch64
* Replace MockQUICTransport tags with record types.
* Run extension tests at all protocols.
* Make QUIC tests work with early data.
* Make QUIC work with -async tests.
* Fix ALPS state machine in QUIC servers.
* runner: Allow tokbind without RI/EMS in TLS 1.3.
* Test that ALPS can be deferred to the ALPN callback.
* Send ECH acceptance signal from backend server.
* delocate: handle Aarch64 assembly in parser.
* Add ASM optimizations for Windows on Arm
* Use gai_strerrorA on Windows.
* Optimize suffix building in FileTest::ReadNext().
* A handful more compatibility functions.
* Update HPKE to draft-irtf-cfrg-hpke-07.
* acvp: drop subprocess_test.go
* Add some OpenSSL-compatibility aliases
* delocate: eliminate expression from vpaes assembly.
* delocate: support alternative comment indicators
* Update third_party/googletest.
* acvp: add tests
* Fix chacha20_poly1305_x86_64.pl comments.
* Fix awkward wording in comment.
* Update ECH GREASE to draft-ietf-tls-esni-09
* Gerrit ignores <sup>; use Unicode superscript instead.
* acvp: better document the subprocess protocol.
* Add .text.unlikely.* pattern to fips_shared.lds.
* acvp: fix silly errors.
* acvp: load config later.
* Allow some non-minimal lengths in BER.
* Export tool_sources to GN.
* Use more efficient std::string::find overload.
* Revert "Add support for the new QUIC TLS extension codepoint"
* Move DH parameter generation out of the FIPS module.
* Add support for the new QUIC TLS extension codepoint
* Use stdlib.h instead of cstdlib in span.h.
* Check for trailing data in X509Test.GeneralName.
* Fix ChaCha20-Poly1305 x86-64 asm on Windows
* Include bn.h from bn/internal.h
* acvp: add support for finite-field Diffie–Hellman.
* Move DH code into the FIPS module.
* Remove unused Netware codepaths in x86 perlasm.
* Finish switching to NASM. Update-Note: If an x86 Windows asm build breaks, switch from Yasm to NASM. We're also no longer testing NASM on x86_64 Windows, but there wasn't any patch to revert.
* Switch to passive entropy collection for Android FIPS.
* Skip ASN.1 template tests in Windows shared library builds.
* Add TLS_KDF to documented break tests.
* acvp: add support for KAS
* Align armv8.pl references to OPENSSL_armcap_P. Update-Note: If aarch64 builds get some weird error about relocations, it's this CL's fault.
* Reject bad ASN.1 templates with implicitly-tagged CHOICEs.
* Implement GREASE for ECH (draft-ietf-tls-esni-08).
* acvp: add TLS KDF support
* acvp: tweak config
* acvp: fix subprocess_test.go
* Const-correct GENERAL_NAME_cmp.
* Fix EDIPartyName parsing and GENERAL_NAME_cmp.
* PWCT failures should clear the generated key.
* Get closer to Ed25519 boundary conditions.
* draft-ietf-tls-certificate-compression is now RFC 8879.
* Update FIPS.md to include latest FIPS certificate.
* Only accept little-endian ARM and MIPS variants in base.h. Update-Note: CPU processor defines are a mess. If a little-endian ARM or MIPS build breaks, some of the assumptions above may be wrong. In that case, the output of $CC -dM -E - < /dev/null on the offending toolchain will be useful to fix it. If a big-endian ARM or MIPS build breaks, this is working as intended. Any resulting binaries weren't producing the right outputs.
* aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode
* Improve sk_dup.
* Poly1305: Use |size_t|; assert |poly1305_state| is large enough.
* util/fipstools/acvp/acvptool: buffer signal channel to avoid losing signal
* Add digest.h to self_check.c
* Document ASN1_STRING.
* acvp: add SHA-512/256 support.
* Add FIPS self test for the TLS KDF.
* Rename the master_key field in SSL_SESSION to secret.
* Always check the TLS 1.3 downgrade signal. Update-Note: SSL_CTX_set_ignore_tls13_downgrade, SSL_set_ignore_tls13_downgrade, and SSL_is_tls13_downgrade now do nothing. Call sites should be removed. (There are some copies of older Chromium lying around, so I haven't removed the functions yet.) The enforcement was already on by default, so this CL does not affect callers that don't use those functions.
* Fix NETSCAPE_SPKI_get_pubkey documentation.
* Const-correct and document more X509 functions.
* Add APIs for checking ASN.1 INTEGERs. Update-Note: This CL does not change behavior, but I'm leaving a note to myself to make net/der/parse_values.cc call the new functions.
* Remove some unnecessary pointer casts.
* Document the basic ASN1_STRING functions.
* Document some defaults for the EVP RSA interface.
* Rearrange ASN1_STRING_copy slightly.
* Remove the legacy MSTRING M_ASN1 macros. Update-Note: Some M_ASN1 macros were removed. Code search says there were no uses, and OpenSSL upstream removed all of them.
* Switch M_ASN1_TIME macros within the library.
* Unwind M_ASN1_* macros for primitive types. Update-Note: Some external code uses the M_ASN1_* macros. This should remain compatible, but some type errors may have gotten through unnoticed. This CL restores type-checking.
* Reformat and convert comments in asn1.h.
* aarch64: Fix name of gnu property note section
* Re-reformat x509.h.
* Document X509V3_add1_i2d and friends.
* Remove ASN1_STRING_FLAG_NDEF.
* Unexport internal crypto/asn1 functions. Update-Note: Code search says these are unused. If someone's using them, we can reexport them.
* Unwind some old ASN.1 ifdefs.
* Unwind ASN1_PRIMITIVE_FUNCS.
* Remove some unused types from asn1t.h.
* Unwind ASN1_TFLG_NDEF. Update-Note: Types that use one of the NDEF macros in asn1t.h will fail to compile. This CL should not affect certificate parsing.
* Unwind ASN1_ITYPE_COMPAT. Update-Note: Types using IMPLEMENT_COMPAT_ASN1 from openssl/asn1t.h will fail to compile. This CL should not affect certificate parsing.
* Unwind ASN1_AFLG_BROKEN. Update-Note: Types using ASN1_BROKEN_SEQUENCE from openssl/asn1t.h will fail to compile. This CL should not affect certificate parsing.
* Const-correct various X509 string parameters.
* Document the next few functions in x509.h
* Remove sk_new_null call.
* acvp: move inner MCT loops into subprocess.
* Fix x509_rsa_ctx_to_pss when saltlen is md_size.
* Document the X509V3_get_d2i family of functions.
* runner: explicitly signal error from handshaker.
* runner: add -skip
* Add functions for manipulating X.509 TBS structures.
* Remove ASN1_STRING_length_set prototype.
* Update Go on the bots.
* Rework vs_toolchain.py and vs_env.py.
* Add ECDSA verify KAT to FIPS self-tests.
* Add AES-GCM AEADs with internal nonce generation.
* Define a constant for the standard GCM nonce length.
* Add test for X25519-containing certificate.
* Add SSL_early_data_reason_string.
* Add raw redeem API.
* aarch64: Remove some flavour conditionals
* Have fewer opaque booleans in aead_test.cc
* acvp: RSA signature verification tests.
* acvp: RSA signature generation tests.
* acvp: support RSA key generation tests.
* Support 4096-bit keys in FIPS mode.
* Reland "Check AlgorithmIdentifier parameters for RSA and ECDSA signatures." Update-Note: Some invalid certificates will now be rejected at verification time. Parsing of certificates is unchanged.
* acvp: add 3DES-CBC support
* acvp: add 3DES-ECB support
* Clear some reported gcc -Wshadow warnings.
* Const-correct X509V3_extensions_print.
* clang-format and convert comments in x509v3.h.
* aarch64: Improve conditional compilation
* Silence some linter checks.
* acvp: update subprocess_test.go
* Update clang.
* Implement draft-vvv-tls-alps-01.
* Simplify 0-RTT tests.

Bug: 160351436
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I1fb4105341a73be9d5f978301f7318e16027f37d
Diffstat (limited to 'ios-aarch64/crypto/fipsmodule')
-rw-r--r-- ios-aarch64/crypto/fipsmodule/aesv8-armx64.S | 45
-rw-r--r-- ios-aarch64/crypto/fipsmodule/sha1-armv8.S | 3
-rw-r--r-- ios-aarch64/crypto/fipsmodule/sha256-armv8.S | 5
-rw-r--r-- ios-aarch64/crypto/fipsmodule/sha512-armv8.S | 5
-rw-r--r-- ios-aarch64/crypto/fipsmodule/vpaes-armv8.S | 2
5 files changed, 35 insertions, 25 deletions
diff --git a/ios-aarch64/crypto/fipsmodule/aesv8-armx64.S b/ios-aarch64/crypto/fipsmodule/aesv8-armx64.S
index 76b58032..13950f17 100644
--- a/ios-aarch64/crypto/fipsmodule/aesv8-armx64.S
+++ b/ios-aarch64/crypto/fipsmodule/aesv8-armx64.S
@@ -620,20 +620,34 @@ _aes_hw_ctr32_encrypt_blocks:
add x7,x3,#32
mov w6,w5
csel x12,xzr,x12,lo
+
+ // ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are
+ // affected by silicon errata #1742098 [0] and #1655431 [1],
+ // respectively, where the second instruction of an aese/aesmc
+ // instruction pair may execute twice if an interrupt is taken right
+ // after the first instruction consumes an input register of which a
+ // single 32-bit lane has been updated the last time it was modified.
+ //
+ // This function uses a counter in one 32-bit lane. The vmov lines
+ // could write to v1.16b and v18.16b directly, but that trips this bugs.
+ // We write to v6.16b and copy to the final register as a workaround.
+ //
+ // [0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice
+ // [1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice
#ifndef __ARMEB__
rev w8, w8
#endif
- orr v1.16b,v0.16b,v0.16b
add w10, w8, #1
- orr v18.16b,v0.16b,v0.16b
- add w8, w8, #2
orr v6.16b,v0.16b,v0.16b
rev w10, w10
- mov v1.s[3],w10
+ mov v6.s[3],w10
+ add w8, w8, #2
+ orr v1.16b,v6.16b,v6.16b
b.ls Lctr32_tail
rev w12, w8
+ mov v6.s[3],w12
sub x2,x2,#3 // bias
- mov v18.s[3],w12
+ orr v18.16b,v6.16b,v6.16b
b Loop3x_ctr32
.align 4
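Review bot: the new comment block carries two wording slips that will be copied into every generated target because this .S is perlasm output: "trips this bugs" should read "trips these bugs", and "vmov lines" names the AArch32 mnemonic while the instructions actually emitted here are `mov v6.s[3],w10` and `orr v1.16b,v6.16b,v6.16b`; both fixes belong in aesv8-armx.pl, not in this generated file. The cited errata are for Cortex-A57/A72 cores in 32-bit mode, so for this ios-aarch64 build the reordering is a consistency change with no functional effect; the invariant that makes it correct is that v6 keeps the original v0 from `orr v6.16b,v0.16b,v0.16b` and only lane 3 is rewritten before each copy into v1 and v18, so lanes 0..2 (the nonce) must never be touched elsewhere.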
@@ -660,11 +674,11 @@ Loop3x_ctr32:
aese v1.16b,v16.16b
aesmc v5.16b,v1.16b
ld1 {v2.16b},[x0],#16
- orr v0.16b,v6.16b,v6.16b
+ add w9,w8,#1
aese v18.16b,v16.16b
aesmc v18.16b,v18.16b
ld1 {v3.16b},[x0],#16
- orr v1.16b,v6.16b,v6.16b
+ rev w9,w9
aese v4.16b,v17.16b
aesmc v4.16b,v4.16b
aese v5.16b,v17.16b
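Review bot: replacing `orr v0.16b,v6.16b,v6.16b` and `orr v1.16b,v6.16b,v6.16b` with `add w9,w8,#1` and `rev w9,w9` means v0 and v1 are no longer refreshed at this point of Loop3x_ctr32; that is only correct because the later hunk rebuilds them from v6 at the end of the loop body. The three Loop3x_ctr32 hunks should be reviewed as one change: after `aesmc v5.16b,v1.16b` (and the matching move of v0 into v4) the old values of v0 and v1 are dead, so delaying the writes is safe as long as no aese/aesmc between here and the new writes reads v0 or v1.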
@@ -673,8 +687,6 @@ Loop3x_ctr32:
mov x7,x3
aese v18.16b,v17.16b
aesmc v17.16b,v18.16b
- orr v18.16b,v6.16b,v6.16b
- add w9,w8,#1
aese v4.16b,v20.16b
aesmc v4.16b,v4.16b
aese v5.16b,v20.16b
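Review bot: this hunk is a pure move, not a deletion: `add w9,w8,#1` went up into the previous hunk and `orr v18.16b,v6.16b,v6.16b` reappears at the end of the loop. The move is safe because `aesmc v17.16b,v18.16b` just above consumes v18 into v17, after which v18 is dead until the new write; worth stating that in the perlasm comment so the next scheduling change does not reintroduce a write between the two.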
@@ -689,21 +701,26 @@ Loop3x_ctr32:
aesmc v4.16b,v4.16b
aese v5.16b,v21.16b
aesmc v5.16b,v5.16b
+ // Note the logic to update v0.16b, v1.16b, and v1.16b is written to work
+ // around a bug in ARM Cortex-A57 and Cortex-A72 cores running in
+ // 32-bit mode. See the comment above.
eor v19.16b,v19.16b,v7.16b
- rev w9,w9
+ mov v6.s[3], w9
aese v17.16b,v21.16b
aesmc v17.16b,v17.16b
- mov v0.s[3], w9
+ orr v0.16b,v6.16b,v6.16b
rev w10,w10
aese v4.16b,v22.16b
aesmc v4.16b,v4.16b
+ mov v6.s[3], w10
+ rev w12,w8
aese v5.16b,v22.16b
aesmc v5.16b,v5.16b
- mov v1.s[3], w10
- rev w12,w8
+ orr v1.16b,v6.16b,v6.16b
+ mov v6.s[3], w12
aese v17.16b,v22.16b
aesmc v17.16b,v17.16b
- mov v18.s[3], w12
+ orr v18.16b,v6.16b,v6.16b
subs x2,x2,#3
aese v4.16b,v23.16b
aese v5.16b,v23.16b
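Review bot: the inserted comment reads "update v0.16b, v1.16b, and v1.16b"; the third register should be v18.16b, matching the `orr v18.16b,v6.16b,v6.16b` below, and the typo should be fixed in aesv8-armx.pl since this file is generated. A second point on ordering: v6 is now the single staging register for three counters in turn (`mov v6.s[3], w9` then copy to v0, `mov v6.s[3], w10` then copy to v1, `mov v6.s[3], w12` then copy to v18), so each `orr` must stay after its `mov` and before the next `mov`. The interleaving with the aese/aesmc rounds keeps that order as written, but it is a fragile dependency that deserves a comment of its own.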
diff --git a/ios-aarch64/crypto/fipsmodule/sha1-armv8.S b/ios-aarch64/crypto/fipsmodule/sha1-armv8.S
index 16f000ec..05eb9201 100644
--- a/ios-aarch64/crypto/fipsmodule/sha1-armv8.S
+++ b/ios-aarch64/crypto/fipsmodule/sha1-armv8.S
@@ -17,6 +17,7 @@
.text
+.private_extern _OPENSSL_armcap_P
.globl _sha1_block_data_order
.private_extern _sha1_block_data_order
@@ -1231,6 +1232,4 @@ Lconst:
.byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
.align 2
.align 2
-.comm _OPENSSL_armcap_P,4,4
-.private_extern _OPENSSL_armcap_P
#endif // !OPENSSL_NO_ASM
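Review bot: removing `.comm _OPENSSL_armcap_P,4,4` turns this file's common (tentative) definition into a plain external reference, so the symbol must now be defined exactly once elsewhere in the module, and the `.private_extern _OPENSSL_armcap_P` moved up to the start of .text only sets visibility on that reference. This is the change the commit message's Update-Note ("If aarch64 builds get some weird error about relocations, it's this CL's fault") is warning about, so a link test of the FIPS module on this target is the check to run. Minor: the duplicated `.align 2` left before the removed lines is harmless but could be collapsed in the generator.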
diff --git a/ios-aarch64/crypto/fipsmodule/sha256-armv8.S b/ios-aarch64/crypto/fipsmodule/sha256-armv8.S
index 208d9489..c9b79916 100644
--- a/ios-aarch64/crypto/fipsmodule/sha256-armv8.S
+++ b/ios-aarch64/crypto/fipsmodule/sha256-armv8.S
@@ -58,6 +58,7 @@
.text
+.private_extern _OPENSSL_armcap_P
.globl _sha256_block_data_order
.private_extern _sha256_block_data_order
@@ -1207,8 +1208,4 @@ Loop_hw:
ret
#endif
-#ifndef __KERNEL__
-.comm _OPENSSL_armcap_P,4,4
-.private_extern _OPENSSL_armcap_P
-#endif
#endif // !OPENSSL_NO_ASM
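Review bot: the block removed here was guarded by `#ifndef __KERNEL__` while the equivalent block in sha1-armv8.S was not, so before this change the three SHA files disagreed on when they emitted the common definition, and a `__KERNEL__` build of this file emitted no definition at all. Dropping the definition from all of them and relying on a single external `_OPENSSL_armcap_P` resolves that inconsistency; the remaining check is that the one real definition is reachable in every configuration these files are built for.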
diff --git a/ios-aarch64/crypto/fipsmodule/sha512-armv8.S b/ios-aarch64/crypto/fipsmodule/sha512-armv8.S
index 4c015246..97b3230e 100644
--- a/ios-aarch64/crypto/fipsmodule/sha512-armv8.S
+++ b/ios-aarch64/crypto/fipsmodule/sha512-armv8.S
@@ -58,6 +58,7 @@
.text
+.private_extern _OPENSSL_armcap_P
.globl _sha512_block_data_order
.private_extern _sha512_block_data_order
@@ -1077,8 +1078,4 @@ LK512:
.byte 83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
.align 2
.align 2
-#ifndef __KERNEL__
-.comm _OPENSSL_armcap_P,4,4
-.private_extern _OPENSSL_armcap_P
-#endif
#endif // !OPENSSL_NO_ASM
diff --git a/ios-aarch64/crypto/fipsmodule/vpaes-armv8.S b/ios-aarch64/crypto/fipsmodule/vpaes-armv8.S
index 12422e46..5985c550 100644
--- a/ios-aarch64/crypto/fipsmodule/vpaes-armv8.S
+++ b/ios-aarch64/crypto/fipsmodule/vpaes-armv8.S
@@ -1008,7 +1008,7 @@ Lschedule_mangle_dec:
Lschedule_mangle_both:
tbl v3.16b, {v3.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm3
- add x8, x8, #64-16 // add $-16, %r8
+ add x8, x8, #48 // add $-16, %r8
and x8, x8, #~(1<<6) // and $0x30, %r8
st1 {v3.2d}, [x2] // vmovdqu %xmm3, (%rdx)
ret
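Review bot: the immediate changes from `#64-16` to `#48` to remove an assembler expression (the commit message's "delocate: eliminate expression from vpaes assembly"), but the trailing comment `// add $-16, %r8` is unchanged, so the reader now has to work out that 48 and -16 are congruent mod 64 and that the following `and x8, x8, #~(1<<6)`, which clears bit 6, is what makes the two equivalent. Suggest extending the comment to "add $-16, %r8 (48 == -16 mod 64)". Also note that `#~(1<<6)` on the very next line is itself an expression: either delocate already accepts that form, in which case the reason for touching only `#64-16` should be recorded, or it should be replaced by the literal mask for the same reason.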