path: root/src/crypto/fipsmodule/ec/ec_key.c
author: David Benjamin <davidben@google.com> 2023-06-24 19:37:56 -0400
committer: David Benjamin <davidben@google.com> 2023-07-18 15:01:01 -0400
commit: dd6fc180c92d5e54a62f470755b241b7e320e3b8 (patch)
tree: 9e04b07f3bc8e7745b4e920bb679379b3b5416ca /src/crypto/fipsmodule/ec/ec_key.c
parent: 4ab445e7200907972f8de2f54e1c5d73e0fc4ed7 (diff)
external/boringssl: Sync to 26ecb2a275ca7444d10899b8a3fe76d84831fca4.

For now, I've omitted the experimental new PKI library, as it's not yet ready for Android to use. I've also updated the script to automate the workaround for b/291253039.

This includes the following changes:

https://boringssl.googlesource.com/boringssl/+log/32b51305debe43e38e7bf2c2b13c4ebf3b474e80..26ecb2a275ca7444d10899b8a3fe76d84831fca4

* Add combined source lists to the other generators
* Remove old style asm source lists for GN and Bazel
  Update-Note: I believe all GN and Bazel consumers have been migrated to the new style of asm source list, so this change should be a no-op. If any remain that still need the old ones, either migrate them to crypto_sources_asm and crypto_sources_nasm, or let us know.
* Clarify what __TRUSTY__ and OPENSSL_NANOLIBC are
* Temporarily disable the Trusty CRYPTO_sysrand implementation
* Fix aarch64 build with GCC
* Fix error condition in new iOS CRYPTO_sysrand
* Make the old sk_* functions into full functions
* Move file_test_gtest.cc to CRYPTO_TEST_SOURCES for now
* Use constant curve-specific groups whenever possible
* [acvptool] skip connection to the server if input json or regdump is on
* Entropy changes for trusty and windows.
  Update-Note: Prior to API version 24, Trusty maintained their own CRYPTO_sysrand implementations outside of the BoringSSL tree. With this change they are not expected to provide CRYPTO_sysrand, it is maintained inside the BoringSSL tree.
* Use std::make_unique when possible
* Make built-in curves static.
* Update the documentation of RAND_cleanup
* Resolve an old TODO in TestState::Deserialize
* Fix truncation warnings with the iteration count
* sync pki to chrome 6e6fa5a08b94199de10eea22845963baf548628b
* Fix spelling nits
* Clear some size_t truncations
* Add Intel Indirect Branch Tracking support.
* Embed the generator into EC_GROUP
* Const-correct a handful of time functions
* Don't include stdalign.h in refcount.c
* Fuchsia has getentropy() via musl - use it and drop the custom file
* Remove remnants of malloc.cc
* Embed BN_MONT_CTX into EC_GROUP.
* Move to preferring getentropy() for system provided entropy
  Update-Note: Non-macOS Apple platforms now use CCRandomGenerateBytes instead of /dev/urandom. Linux behavior remains unchanged. Platforms which were not explicitly supported with a different codepath will also switch from /dev/urandom to getentropy. If your platform specifically requires /dev/urandom, let us know.
* Use sources.cmake for the bssl tool
* Fix Android shared library tests
* Use sources.cmake for the test_support library
  Update-Note: If something odd happens with the test_support library in downstream builds, this CL is probably to blame.
* Use sources.cmake for test binaries
  Update-Note: In the standalone CMake build, build/crypto/crypto_test is now build/crypto_test, etc. For now, the build still copies the outputs to the subdirectories (it's cheap and avoids some workflow turbulence), but I'm thinking we keep that for six months or so and then remove it.
* Don't store a redundant copy of the EC_GROUP field modulus
* Revert "Build with C11 on MSVC in the standalone Bazel build"
* Configure explicitly whether to shard tests
* Use sources.cmake for pki and pki_test
* Remove field_minus_order from EC_GROUP.
* Use file(STRINGS) to read go_tests.txt
* Use individual files for lists of source files.
* Sync pki to chrome 28e4a1b838b2ffbf9e2151ae5fcfffe5ab0ffac0
* Build with C11 on MSVC in the standalone Bazel build
* Replace byteBuilder and byteReader with cryptobyte
* Don't store a redundant copy of the order in EC_GROUP
* Make the curve compat APIs into real functions
* Add pki test files for android, adapt PathService fillin.
* Remove some unused fields
* Temporarily add sk_new_null, etc., wrappers in bssl-sys
* Fix libpki build
* Fix the Windows fuzzer build
* Consistently include BTI markers in every assembly file
* Use ProcessPrng instead of RtlGenRandom on Windows
* Bring in the core of chromium certificate verifier as libpki
* Slightly tidy BIO_C_SET_FILENAME logic
* Credit CryptOpt in third_party/fiat/README.md
* Start recognizing the OPENSSL_NANOLIBC define
* Use a single TCP server port in runner
* Simplify shimProcess accept and wait
* Turn SocketCloser in bssl_shim into a proper owning type
* Pass IPv6 vs IPv4 down to the shim
* Add more tests for recognizing explicit forms of built-in curves
* Log failure to create SSL objects in handshakers
* Remove -D__ASSEMBLER__=1 when shelling out to the preprocessor
* Remove p > q normalization in RSA keys
* Implement BN_MONT_CTX_new_consttime with Montgomery reduction
* Make bn_mod_lshift_consttime faster
* Fix tests on Arm when NEON is unavailable
* Fix fiat asm .private_extern declaration on Apple platforms
* Don't expose EVP_PKEY internal representation through EVP_PKEY_assign
* Add memcmp binding to bssl-crypto
* Remove CRYPTO_MUTEX from public headers
* Make RSA opaque
  Update-Note: Accessing the RSA struct directly is no longer supported. Use accessors instead.
* Add target attributes to curve25519_64_adx.h
* Add ASN1_TIME_set_string_X509
* Don't allow timezone offsets in ASN1_UTCTIME_set_string
  Update-Note: ASN1_UTCTIME_set_string and ASN1_TIME_set_string will no longer accept times with timezone offsets, which is forbidden by RFC 5280. These functions are used when minting new certificates, rather than parsing them. The parsing behavior is unchanged by this CL.
* Add SSL_CIPHER_get_handshake_digest
  Update-Note: This change is backwards-compatible, but we should update the QUIC code to use this new function when OPENSSL_API_VERSION is high enough. It has the benefit of not pulling in random other hash functions like MD4.
* Const-correct a few X509_PURPOSE and X509_TRUST functions
* Tidy bssl-crypto documentation
* Avoid another NULL+0 in BIO_s_mem
* Remove a layer of indirection from fiat curve25519 assembly
* Fix the combined asm source lists in generate_build_files.py
* Update build tools
* Give up on qsort for sk_FOO_sort
* Remove a pointer indirection in STACK_OF(T) comparisons
* Add fiat_curve25519_adx.S to generate_build_files.py
* Prefix the private stack functions
* Add .type, .hidden, and .size to the new fiat ADX assembly
* Use ADX asm for Curve25519 base-point multiplication
* Make DSA opaque
  Update-Note: Accessing the DSA struct directly is no longer supported. Use accessors instead.
* Add saturated X25519 for x86_64+ADX running Linux
* Handle ChaCha20 counter overflow consistently
* Use packed representation for large Curve25519 table
* Add SHA256 and SHA512 bindings to bssl-crypto
* Make BN_mod_inverse() deal with repeated arguments
* Remove BN_DEC_FMT2 and test the others
* Define TLSEXT_nid_unknown
* Constant-time test that X25519 has a single path.
* Add a value barrier when checking for point doubling.
* Align NIDs vs group IDs in TLS group APIs
* Align remaining TLS ECDH APIs on "group" terminology
* Align on using the "group" over "curve" for ECDH in TLS
* Remove SSL_CIPHER_get_value
  Update-Note: SSL_CIPHER_get_value was our original name for the function. OpenSSL later called it SSL_CIPHER_get_protocol_id. I believe all external callers have since been updated to use the new function. (If I missed a few stragglers, replace with SSL_CIPHER_get_protocol_id to fix.)
* add rust bindings for ed25519
* Add an ABI test for x25519_NEON
* Add constant-time validation for curve25519
* Add prefetch to aes_hw_ctr32_encrypt_blocks
* Remove variable expansion from CONF fuzzer
  Update-Note: NCONF_load and NCONF_load_bio no longer support the $foo variable expansion syntax. If you are using these functions in your project, remove them.
* Remove some unreachable character types in the CONF parser
* Remove some unnecessary NULL checks in conf.c.
* Test the CONF parser more extensively
* Miscellaneous size_t truncation fixes
* Add int casts as needed around STACK_OF(T) sizes and indices
* Bound STACK_OF(T) sizes by int
* acvptool: clean up better.
* Avoid locks in CRYPTO_free_ex_data
* Disable TLS_RSA_WITH_3DES_EDE_CBC_SHA by default
  Update-Note: This CL disables TLS_RSA_WITH_3DES_EDE_CBC_SHA by default. Specifically, it will not be included unless explicitly listed in the cipher config, as "TLS_RSA_WITH_3DES_EDE_CBC_SHA", its legacy OpenSSL name "DES-CBC3-SHA", or the alias "3DES". To restore it, add one of the above to your cipher config.
* Don't include <stdatomic.h> in C++
* Add a comment about the Chromium sandbox for macOS sysctls
* Update hkdf.c to avoid potentially vulnerable code pattern.
* Fix RAND_enable_fork_unsafe_buffering when called after fork
* Add a thread test for ex_data
* Remove read locks from PRNG steady state
* Add an atomics library to crypto/internal.h
* Remove the lock-based atomics fallback
  Update-Note: On non-Windows platforms, we now require C11 atomics support. Note we already require C11 itself. If this affects your build, get in touch with BoringSSL maintainers.
* Use Windows Interlocked* APIs for refcounts when C11 isn't available
* Reject RSA keys under 512 bits
  Update-Note: We no longer accept 511-bit RSA and below. If you run into this, update test keys to more modern sizes as we plan to raise the limit beyond 512-bit RSA in the future. 512-bit RSA was factored in 1999, so keys at or near this limit have been obsolete for a very, very long time.
* Check public components in freeze_private_key
  Update-Note: Manually constructed RSA private keys with invalid n or e will now fail private key operations. Such keys would always fail at public key operations (so the signatures would never verify). They also already failed RSA_check_key and parsing.
* Remove now redundant RSA test
* Add documentation for X509_STORE_CTX_set_verify_cb and friends
* Add a multi-threaded mode to bssl speed
* Use a helper function to implement get_all_foo_names functions.
* Cap the input size to the conf fuzzer
* acvptool: implement pipelining.
* Update googletest
* Update build tools
* OpenBSD Support
  Update-Note: Additionally, BoringSSL now requires macOS 10.12 or later for getentropy support. This is consistent with https://github.com/google/oss-policies-info/blob/main/foundational-cxx-support-matrix.md
* Remove unions in BLAKE2b implementation
* Bump the minimum supported MSVC version to VS2019
  Update-Note: BoringSSL now requires VS2019 or later and no longer supports VS2017. VS2017 has been past its "mainstream end date" for over a year now, per https://learn.microsoft.com/en-us/lifecycle/products/visual-studio-2017
* Add APIs to query a list of possible strings for TLS features
* Add back support for TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Fix PKCS8Test to not rely on RSA-512
* Add a more general mechanism for deprecating TLS ciphers
* Add APIs to support RSA keys with large e.
* Remove unions in GCM implementation
* Rename EC_RAW_POINT to EC_JACOBIAN
* Clarify that X25519 also supports EVP_PKEY_new_raw_private_key, etc
* Align Kyber names with draft-tls-westerbaan-xyber768d00
  Update-Note: Update references to NID_X25519Kyber768 to NID_X25519Kyber768Draft00. For now, the old name is available as an alias.
* Remove unions in polyval implementation
* Remove H from GCM128_KEY
* Don't make assumptions about GCM128_CONTEXT layout in aesni-gcm-x86_64.pl
* Don't make assumptions about GCM128_CONTEXT layout in aesv8-gcm-armv8.pl
* Implement the AuthEncap/AuthDecap HPKE modes
* Update references to draft-irtf-cfrg-gcmsiv
* Replace interface{} with any
* Add new APIs for creating RSA keys
* Disable BlindingCacheConcurrency on FreeBSD.
* Add Kyber to runner tests
* Invalidated cached RSA, DH, and DSA state when changing keys
* Support WPA 3.1 "enterprise" mode.
* runner: Remove an unnecessary use of AllCurves
* Move the old SPKAC types to their own section
* Remove unimplemented SSL BIO_ctrl values
  Update-Note: I found no code using those symbols (that we build). If anything was, they most likely were broken. Now they'll fail to build and the brokenness will be more obvious. (If we find something needs it, we can always go back and implement them.)
* Don't copy all of bssl-sys into the CMake build directory
* Remove go:build ignore from convert_wycheproof
* X509_sign, etc., should return the length of the signature on success
* Add some missing includes
* Specify the TLS cipher order more straightforwardly
* Squeeze a block at a time when computing the matrix in Kyber
* Align TRUST_TOKEN_pst_v1_voprf with draft-21 of VOPRF
* Re-add go:build ignore lines
* Move convert_wycheproof into its own package
* Allow passing extra flags to BoGo shim
* Remove TLS_RSA_WITH_NULL_SHA
  Update-Note: TLS_RSA_WITH_NULL_SHA is no longer available. Nothing should be enabling it anymore. Callers using SSL_CTX_set_strict_cipher_list instead of SSL_CTX_set_cipher_list will notice if they're affected very quickly, because the function will fail if this cipher is referenced. As a deprecated cipher suite, this cipher was already unavailable unless explicitly named, so if your configuration doesn't say "TLS_RSA_WITH_NULL_SHA" or "NULL-SHA", you were not using this cipher.
* Only rerun bindgen when its dependencies change
* Add mechanism for deprecated declarations.
  Update-Note: We are starting to mark some functions in boringssl as deprecated declarations which will cause the compiler to emit warnings if they are used. The intention is both to prevent accidental use in new code, and to call attention to call sites in existing code so that the documentation for the deprecated function can be revisited and appropriate action taken.
* Spell includes in wrapper.h like the rest of the project
* Replace sort.Sort with sort.Slice
* Fix allowlist regex in bindgen invocation
* Update docs to recommend a much more convenient CMake invocation
* Trim some unused XN_FLAG_* values
  Update-Note: Some seemingly unused XN_FLAG_* values were removed. If some project fails to build, we can put them back but one shouldn't be using this function in the first place.
* Remove --size_t-is-usize from bindgen call
* Clarify in ssl.h documentation not to use the verify callback
* Move the X509 time functions under "Convenience functions"
* Remove the X509at_* functions
* Organize X509_ATTRIBUTE functions into sections.
* Document a pile of X509 print functions
* Generate 64-bit Curve25519 and P256 code for MSVC

Test: treehugger
Change-Id: Id9645b0bcd5e353e64777d1596cd91c7767b11fa
Diffstat (limited to 'src/crypto/fipsmodule/ec/ec_key.c')
-rw-r--r-- src/crypto/fipsmodule/ec/ec_key.c | 8
1 files changed, 4 insertions, 4 deletions
diff --git a/src/crypto/fipsmodule/ec/ec_key.c b/src/crypto/fipsmodule/ec/ec_key.c
index e427e3c5..90a4404c 100644
--- a/src/crypto/fipsmodule/ec/ec_key.c
+++ b/src/crypto/fipsmodule/ec/ec_key.c
@@ -93,8 +93,8 @@ static EC_WRAPPED_SCALAR *ec_wrapped_scalar_new(const EC_GROUP *group) {
OPENSSL_memset(wrapped, 0, sizeof(EC_WRAPPED_SCALAR));
wrapped->bignum.d = wrapped->scalar.words;
- wrapped->bignum.width = group->order.width;
- wrapped->bignum.dmax = group->order.width;
+ wrapped->bignum.width = group->order.N.width;
+ wrapped->bignum.dmax = group->order.N.width;
wrapped->bignum.flags = BN_FLG_STATIC_DATA;
return wrapped;
}
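Review bot: the BIGNUM built in ec_wrapped_scalar_new aliases `wrapped->scalar.words` with `BN_FLG_STATIC_DATA`, so the `width` and `dmax` now read from `group->order.N.width` are what bound every later BIGNUM write into that fixed-size array; since the order's storage has moved into the embedded Montgomery context, it would be worth an explicit assert next to these two assignments that `group->order.N.width` does not exceed the length of `scalar.words`, so that a group whose order word count and the EC_SCALAR capacity ever disagree fails loudly instead of letting a BIGNUM routine write past the scalar.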
@@ -311,7 +311,7 @@ int EC_KEY_check_key(const EC_KEY *eckey) {
// NOTE: this is a FIPS pair-wise consistency check for the ECDH case. See SP
// 800-56Ar3, page 36.
if (eckey->priv_key != NULL) {
- EC_RAW_POINT point;
+ EC_JACOBIAN point;
if (!ec_point_mul_scalar_base(eckey->group, &point,
&eckey->priv_key->scalar)) {
OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);
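Review bot: the `EC_RAW_POINT` to `EC_JACOBIAN` change in EC_KEY_check_key is a pure type rename with no behaviour change visible in the hunk, so nothing to fix in the logic; one documentation nit on the unchanged context lines: the comment cites SP 800-56Ar3 by page number ("page 36"), which drifts between revisions of the document, and naming the section (the owner pair-wise consistency assurance) would stay accurate longer.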
@@ -485,7 +485,7 @@ int EC_KEY_generate_key(EC_KEY *key) {
}
// Check that the group order is FIPS compliant (FIPS 186-4 B.4.2).
- if (BN_num_bits(EC_GROUP_get0_order(key->group)) < 160) {
+ if (EC_GROUP_order_bits(key->group) < 160) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
return 0;
}
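Review bot: replacing `BN_num_bits(EC_GROUP_get0_order(key->group))` with `EC_GROUP_order_bits(key->group)` keeps the same semantics only if the new accessor reports the bit length of the group order rather than of the field, which is what the FIPS 186-4 B.4.2 comment requires; since the same sync makes the built-in curves static and the smallest of them is well above 160 bits, this branch is now reachable only for caller-constructed groups, and it would help a future reader to say so in the comment and to give the literal `160` a named constant with that reference rather than repeating a magic number.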