path: root/src/go.mod
Age | Commit message | Author
2021-07-23 | external/boringssl: Sync to 7a817f48bafee508b2d23ad278f892ee1cb32b91. | Pete Bentley
Re-lands https://r.android.com/1774909

This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/ae2bb641735447496bed334c495e4868b981fe32..7a817f48bafee508b2d23ad278f892ee1cb32b91

* Add 'generate-ech' command to bssl tool
* Don't enable atomics in NO_THREADS configurations.
* Check strtoul return for overflow error in GetUnsigned()
* Add convenience functions to malloc EVP_HPKE_CTX and EVP_HPKE_KEY.
* Document that SSL_PRIVATE_KEY_METHOD should configure signing prefs.
* Always have CRYPTO_sysrand_for_seed.
* hrss: use less stack space.
* Make X509_EXTENSION opaque. Update-Note: Use X509_EXTENSION_get_* instead.
* Make X509_CRL opaque. Update-Note: Use accessors instead.
* Switch another malloc to bssl::Array.
* Add a pointer alignment helper function.
* Remove unused field in X509_NAME_ENTRY. Update-Note: Removed unused field in struct.
* Fix sign bit in BN_div if numerator and quotient alias.
* Handle the server case in SSL_get0_ech_name_override.
* Remove -2 return value from X509*_get_*_by_NID. Update-Note: The return value convention of some functions was simplified. This is not expected to affect any callers.
* Remove X509at_get0_data_by_OBJ. Update-Note: X509at_get0_data_by_OBJ is removed. We found no callers of this function.
* Document a batch of extension-related functions in x509.h.
* conf: fix getting keys from the default section.
* conf: don't crash when parsing.
* Add some OpenSSL compatibility aliases.
* Make ASN1_OBJECT opaque. Update-Note: ASN1_OBJECT is now opaque. Callers should use accessors.
* Rename asn1_locl.h to internal.h.
* Update hpke_test.go.
* Decorate x509v3_a2i_ipadd declaration as its definition.
* SHA-256 is used on AArch64, even if NO_ASM.
* swtb is another AArch64 magic tweak.
* Implement ClientHelloOuter handshakes.
* runner: Add a convenience function for base64 flags.
* Reduce bouncing on the cache lock in ssl_update_cache. Update-Note: This reshuffles some locks around the session cache. (Hopefully for the better.)
* Only clear not_resumable after the handshake.
* runner: Test that clients actually use renewed tickets.
* runner: Clean up test logic.
* runner: Fix process exit timeout.
* Remove old ASN.1 SET macros.
* Document some ASN1_INTEGER and ASN1_ENUMERATED functions.
* Document ASN1_STRING_to_UTF8.
* Const-correct ASN1_item_verify a bit more.
* Compute ASN.1 BIT STRING sizes more consistently.
* Remove lh_FOO_doall.
* Prefix internal LHASH functions.
* Unexport almost all of LHASH. Update-Note: BoringSSL no longer provides a general-purpose hash table to callers. Use the language's standard library, or another implementation.
* Rename t1_lib.cc to extensions.cc.
* Prefix and unexport a2i_ipadd.
* Fix a -Wdeprecated-copy warning.
* Validate ECH public names.
* Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM.
* Make X509_VERIFY_PARAM opaque. Update-Note: Use setters instead of configuring X509_VERIFY_PARAM directly.
* Move crypto/x509/vpm_int.h into internal.h.
* Reformat x509_vfy.h and convert comments.
* Reland "Add util/fetch_ech_config_list.go"
* Revert "Add util/fetch_ech_config_list.go"
* Add util/fetch_ech_config_list.go
* More reliably report handshake errors through SSL_write.
* Add an option to permute ClientHello extension order.
* runner: Check the test name against the protocol being tested.
* Remove outdated comment in primality testing.
* Add most of an ECH client implementation.
* Add a basic API to make ECHConfigs.
* Make ECH server APIs take EVP_HPKE_KEY.
* Rename SSL_ECH_SERVER_CONFIG_LIST to SSL_ECH_KEYS.
* runner: Self-check tests more accurately and earlier.
* Don't pad the second ClientHello.
* Fix ext_pre_shared_key_clienthello_length calculation.
* Tidy up the PSK binder logic.
* Move the TLS vs DTLS header length adjustment into ssl_add_clienthello_tlsext.
* Shift some complexity out of ssl_add_clienthello_tlsext.
* Add a note about extension callback names.
* Add move support to EVP_MD_CTX.
* Replace hs->needs_psk_binder with an output parameter.
* Make add_clienthello callbacks const.
* Fix documentation typo.
* Compute the ECH GREASE payload outside of the callbacks.
* Pick up the GREASE ECH config ID from grease_seed.
* Initialize grease_seed on construction.
* Remove the extension init hook.
* Move key_share computation out of ClientHello callbacks.
* Release some temporaries outside of ClientHello callbacks.
* Move the early_data_{offered,reason} logic out of extension callbacks.
* Implement a handshake hint for certificate compression.
* runner: Implement ECH server for testing.
* runner: Parse the status_request extension more strictly.
* runner: Make echIsInner a boolean.
* runner: Revise ECHConfig type in preparation for client implementation
* Fix ECH-Server-RepeatedConfigID test.
* Add SSL_ech_accepted API and ech_is_required alerts.
* Reject the ECH extension in TLS 1.2 ServerHello.
* Move ECH-related APIs to encrypted_client_hello.cc.
* Const-correct message creation hooks.
* Remove the Channel ID callback. Update-Note: SSL_CTX_set_channel_id_cb is removed. SSL_set_tls_channel_id_enabled no longer enables Channel ID as a client, only as a server.
* Manage Channel ID handshake state better. Update-Note: SSL_get_tls_channel_id will no longer return all zeros during the handshake or on the client. I did not find any callers relying on this.
* DTLS-SRTP is only defined for DTLS.
* Remove impossible ssl->s3 null check.
* fix #415: Perl scripts fail when building from a path with spaces
* Cite an RFC over 9000 (draft-ietf-quic-tls is now RFC 9001). Update-Note: QUIC APIs now default to the standard code point rather than the draft one. QUICHE has already been calling SSL_set_quic_use_legacy_codepoint, so this should not affect them. Once callers implementing the draft versions cycle out, we can then drop SSL_set_quic_use_legacy_codepoint altogether. I've also bumped BORINGSSL_API_VERSION in case we end up needing an ifdef.
* Add compatibility impl for EVP_PKEY_get0
* Make md32_common.h single-included and use an unsized helper for SHA-256.
* Pull HASH_TRANSFORM out of md32_common.h.
* Ensure name not null in EVP_get_cipherbyname
* Fix array-parameter warnings
* Don't copy client's session ID into server's session.
* Test ECH server with unique and repeated config IDs.
* Refresh SSL corpora after adding ECH fuzzer mode.
* Implement fuzzer mode for ECH server.
* Don't try to write empty early data in the tool.
* GREASE is now RFC 8701.
* runner: Reject all zero client and server randoms.
* Const-correct SSL_get_srtp_profiles. Update-Note: The change to the return type isn't quite compatible, but I only found one caller of this function, which has since been fixed. (If we need to return a non-const value for compatibility, we can do that and document that the caller should not mutate the output.)
* Update the ECH GREASE size selection.
* fuzz/minimise_corpora.sh: Add shebang and chmod +x
* Add a missing case to SSL_error_description.
* Remove draft tokbind implementation. Update-Note: Token binding APIs are removed.
* Make X509_REQ and X509_REQ_INFO opaque. Update-Note: Callers that reach into X509_REQ and X509_REQ_INFO must use accessors instead.
* Check hs->early_session, not ssl->session, for the early data limit.
* Fix some includes.
* Be clearer which signing inputs are digests.
* Validate RSA public keys more consistently. Update-Note: See above.
* Add APIs to manually fill in signatures for CRLs.
* Check for resumption identifiers in SSL_SESSION_is_resumable.
* Don't use SHA256(ticket) as the signaling session ID for tickets.
* Simplify renego + resumption handling.
* Move session ID assignment out of ssl_get_new_session.
* Fix the ech_accept comment.
* Export the HPKE implementation.
* Refer to EVP_HPKE_CTX by a consistent name.
* Shift the KEM dependency in HPKE up a step.
* Update ACVP URLs.
* Add SSL_can_release_private_key.
* Make X509_SIG and X509_CERT_AUX opaque. Update-Note: Direct access of these structs should be replaced by accessors.
* acvp: move hash iterations into modulewrapper.
* Switch HPKE to a three-parameter output buffer.
* Introduce EVP_HPKE_{AEAD,KDF} types.
* Don't mark up the first word in a collective comment.
* Revise the deterministic for_test variant of HPKE's SetupBaseS.
* Fix a memory leak with d2i_ASN1_OBJECT object reuse.
* Remove HPKE PSK mode.
* Remove HKDF-SHA384 and HKDF-SHA512 from HPKE.
* Correctly order PKCS#7 certificates and CRLs. Update-Note: It is no longer the case that constructing a PKCS#7 file and parsing them back out will keep the certificates and CRLs in the same order.
* Implement ECH draft 10 and update HPKE to draft 08.
* Document expected use of BTI and PAC macros.
* Remove non-deterministic bits from ECDSA ACVP test.
* Reference the newer ChaCha20-Poly1305 RFC.
* Use passive entropy collection everywhere.
* Rename X509V*_VERSION constants. Update-Note: This renames some BoringSSL-specific constants that we recently added. It doesn't look like anyone's used them yet.
* Const-correct ASN1_OBJECT_create.
* Clarify OBJ_get0_data and OBJ_get_length.
* acvp: SHA-1 for ECDSA _verification_ is still supported by NIST.
* A couple of Aarch64 FIPS delocate fixes.
* Use a placeholder for unknown errors in ERR_*_error_string.
* Include assembly optimizations in Bazel builds on Linux-aarch64.
* Remove some BoringSSL-only X509_CINF functions. Update-Note: X509_get_cert_info, X509_CINF_set_modified, and X509_CINF_get_signature are removed. I believe all callers have been updated. Callers should use i2d_re_X509_tbs, i2d_X509_tbs, and X509_get0_tbs_sigalg instead.
* Document and test X509_ATTRIBUTE creation functions.
* Revert handshaker fd numbers and make StartProcess more flexible.
* Remove support for malformed X509_ATTRIBUTEs. Update-Note: Given OpenSSL hasn't accepted these for five years, it's unlikely anything depends on it. If something breaks, we can revert this and revisit. No one calls X509_ATTRIBUTE_set1_data on a non-empty X509_ATTRIBUTE, so the behavior change there should be safe.
* Make X509_ATTRIBUTE opaque. Update-Note: Direct accesses of X509_ATTRIBUTE should be replaced with one of the accessors. I couldn't find any direct accesses, so hopefully this is fine.
* acvptool: Fix typo hard-coding the HTTP method.
* Document a few more x509.h functions.
* Make X509_PUBKEY opaque. Update-Note: Direct accesses of X509_PUBKEY should be replaced with one of the accessors. I believe all callers have been fixed at this point.
* Always encode booleans as DER. Update-Note: Callers setting ASN1_BOOLEANs to a positive value other than 0xff will now encode 0xff. This probably fixes a bug, but if anyone was attaching significance to incorrectly-encoded booleans, that will break.
* Fix issuerUID and subjectUID parsing in the key usage checker.
* Add experimental handshake hints API.
* Make our Python scripts Python-3-compatible.
* Export ssl_client_hello_init for fuzzers.
* acvp: support GMAC as an algorithm.
* Record a fuzzing corpus for the ClientHelloInner decoder.
* Use a consistent plural for 'corpus'.
* Add util/bot/libFuzzer to .gitignore.
* acvp: support KAS-ECC-SSC staticUnified mode.
* Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos. Update-Note: SSL_CTX_set_alpn_protos and SSL_set_alpn_protos will now reject invalid inputs. Previously, they would accept them, but silently send an invalid ALPN extension which the server would almost certainly error on.
* Don't duplicate ServerHello construction code.
* Rearrange key share and early data logic.
* Only skip early data with HRR when offered.
* Add ECH server config API to ssl_ctx_api fuzzer
* Fix ppc64le build.
* Simplify the Lucky13 mitigation.
* Add ECH server (draft-ietf-tls-esni-09).
* runner: Remove unused field
* runner: Construct finishedHash earlier.
* Simplify tls_cbc.c slightly.
* Remove remnants of CBC SHA2 cipher suites.
* runner: Test different V2ClientHello challenge lengths.
* runner: Ensure helloBytes is always the same as hello.marshal().
* runner: Fix ECH confirmation calculation with PSKs in tests.
* runner: Fix HPKE parameter order.
* runner: UpdateForHelloRetryRequest cannot fail.
* runner: Don't use the buffer in TLS 1.3.
* runner: Don't maintain two copies of the same transcript hash.
* runner: Remove remnants of SSL 3.0.
* runner: Fix writeClientHash and writeRecord ordering.
* runner: Remove CheckTLS13DowngradeRandom.
* runner: Remove remnants of the separate HelloRetryRequest message.
* runner: Store a cipherSuite in ClientSessionState.
* runner: Move writeHash to the finishedHash struct.
* Fix the spelling of HPKE AEAD constants.
* Don't reset server callback expectations on new handshake.
* Fix MockQuicTransport::Flush error handling.
* Fold ripemd/internal.h into ripemd.c.
* Move load/store helpers to crypto/internal.h.
* Make words in crypto/fipsmodule/modes actually words.
* Handle EINTR more in handshaker.cc.
* Add a few missing SSL_R_BIO_NOT_SET cases.
* Fix some unreachable code in the QUIC handshaker driver.
* Rearrange SSLKeyShare::Serialize.
* Fix ssl/internal.h sectioning.
* Remove some now unnecessary test exclusions from split handshakes.
* Remove tls13-split-handshakes flag.
* Define HANDSHAKER_SUPPORTED in one place.
* Tidy up handshaker tester.
* modulewrapper: add option to print build information.
* FIPS counters for AES-CTR.
* Enforce that pre_shared_key must come with psk_key_exchange_modes.
* Zero out FIPS counters.
* Remove is_resume field on TestState.
* Remove OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY build flag.
* Add some warnings on how to use OPENSSL_memory_* functions.
* Use an unsized helper for truncated SHA-512 variants. Update-Note: There is a small chance the asserts will trip something, but hopefully not since I've left SHA512_Final alone.
* Fix mismatch between header and implementation of bn_sqr_comba8.
* Remove GCC 4.8.99 check.
* Bump minimum CMake version.
* Automatically enable C11 atomics when available. Update-Note: If something fails to compile, we'll revert this and adjust the check, or add an opt-out, or give up. Also, if building with -std=c99, consider -std=c11.
* Make generate_build_files.py python3 compatible.
* Remove X509_REQ_set_extension_nids and document related functions. Update-Note: This removes a pair of unused functions.
* Document a few more functions in x509.h.
* Do not access value.ptr with V_ASN1_BOOLEAN.
* Add X509_PUBKEY_get0_public_key.
* Test empty EVP_CIPHER inputs and fix exact memcpy overlap.
* Revert "Implement rsa_pkcs1_sha256_legacy."
* Fix unnecessarily direction-specific tests in cipher_tests.txt
* Refactor HPKE API to include explicit length parameters.
* Generalize make_errors.go to allow EVP covering multiple directories.
* Add a Windows no-op impl of BORINGSSL_self_test
* Only pass -handshaker-path in split handshakes tests.
* Add RNG support for FreeBSD.
* Move fips.c into a subdirectory.
* Implement rsa_pkcs1_sha256_legacy.
* Better document nullable X.509 getters.
* runner: Remove redundant -enable-all-curves shim flag.
* Initialize nonce in PerAEADTest.ABI.
* Document ASN1_TYPE and related functions.
* fips: add counters.
* Align with OpenSSL on constness of static ASN1_OBJECTs. Update-Note: The change to OBJ_nid2obj should be compatible. The changes to X509_PUBKEY_set0_param and X509_ALGOR_set0 may require fixing some pointer types.
* Add -rr-record flag to runner.go.
* Register NAME_CONSTRAINTS with bssl::UniquePtr.
* Register POLICY_MAPPING with bssl::UniquePtr.
* Stub out some more of PKCS7.
* Remove TODO to reverse the output of PKCS12_parse.
* Make the X509_VAL structure opaque. Update-Note: I believe this is now safe to do. If there are compile failures, switch to X509_get0_notBefore, X509_getm_notBefore, and X509_set1_notBefore, or revert this if I'm wrong and too many callers still need updating.
* Support creating unencrypted PKCS#12 files.
* Move PKCS#12 samples to embed_test_data.
* Remove some remnants of TLS 1.3 downgrade carveouts. Update-Note: https://boringssl-review.googlesource.com/c/boringssl/+/44124 made these functions a no-op, but we kept them around because there were still some call sites floating around. That code has since been updated, so we can remove this.
* Remove X509_REQ_to_X509. Update-Note: This removes a function that appears to be unused. It also hardcodes the use of MD5, so please do not use it.
* Fix OPENSSL_EC_* constants and add EC_GROUP_get_asn1_flag
* RAND_set_rand_method returns int.
* Check the inner and outer CRL signature algorithms match. Update-Note: Invalid CRLs with inconsistent inner and outer signature algorithms will now be rejected.
* Remove block_mask from EVP_CIPHER_CTX. Update-Note: It doesn't look like anyone is reading into this field. If they are, we can ideally fix it, or revert this if absolutely necessary.
* Document a couple more functions in x509.h.
* Define X509V*_VERSION constants.
* Handle the default X.509 version explicitly.
* Compile for RISC-V.
* Add ECDSA nonce-testing functions.
* Rearrange ECDSA implementation.
* Split the FIPS mode PRNG lock in two.
* Remove legacy vs_toolchain.py environment variable.
* runner: Rename 'masterSecret' on session objects to plain 'secret'.
* Test ECDSA signing is non-deterministic.
* acvp: split ACVP modulewrapper for reuse by Trusty
* No-op CL to trigger some builds.
* Use CIPD Go packages.
* Update CMake on the bots and switch to CIPD where available.
* Future-proof vs_toolchain.py for VS2019.
* Revert "Revert "Disable check that X.509 extensions implies v3.""
* Update Clang and Go on the bots.
* Check for OBJ_nid2obj failures in X509_ATTRIBUTE_create.
* Don't overflow the output length in EVP_CipherUpdate calls. Update-Note: Passing extremely large input lengths into EVP_CipherUpdate will now fail. Use EVP_AEAD instead, which is size_t-based and has more explicit output bounds.
* Remove X509_issuer_and_serial_hash. Update-Note: No one uses this function. It had a NULL dereference in some error cases. See CVE-2021-23841.
* Fix Bazel build breakage.
* Specify VS toolchain by command-line argument.
* Update Android Bazel build support in BUILD.toplevel.
* Honor SSL_TLSEXT_ERR_ALERT_FATAL in the ALPN callback. Update-Note: Callers that return SSL_TLSEXT_ERR_ALERT_FATAL from the ALPN callback will change behavior. The old behavior may be restored by returning SSL_TLSEXT_ERR_NOACK, though see the documentation for new recommendations on return values.
* acvp: detect header element in JSON.
* Align the ARM capability functions.
* Skip runtime NEON checks if __ARM_NEON is defined. Update-Note: Builds with __ARM_NEON (-mfpu=neon) will now drop about 30KiB of dead code, but no longer work (if they even did before) on a particular buggy CPU. Builds without __ARM_NEON are not affected.
* acvp: don't include CMAC-AES in regcap dump.
* acvp: fix CMAC verify
* Include bn/internal.h for non-bcm.c builds.
* Add various function calls to test_fips.
* Add missing include to self_check.c.
* Revert "Disable check that X.509 extensions implies v3."
* Fix TLS13SessionID-TLS13 test.

Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: Idb0a37fccba5d1c3f6a40fe91a81c5189170ed23
2021-07-23 | Revert "external/boringssl: Sync to 7a817f48bafee508b2d23ad278f892ee1cb32b91." | Sergey Volnov
This reverts commit d03f4c0ac5663fb300b1f40f1059c4194dd0652a.

Reason for revert: Investigating b/194282044

Change-Id: I168d73caae2cbc83921133cd47aef37d3bce8c37
2021-07-22 | external/boringssl: Sync to 7a817f48bafee508b2d23ad278f892ee1cb32b91. | Pete Bentley
Re-lands https://r.android.com/1772605 plus three newer upstream changes.

This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/ae2bb641735447496bed334c495e4868b981fe32..7a817f48bafee508b2d23ad278f892ee1cb32b91

* Add 'generate-ech' command to bssl tool
* Don't enable atomics in NO_THREADS configurations.
* Check strtoul return for overflow error in GetUnsigned()
* Add convenience functions to malloc EVP_HPKE_CTX and EVP_HPKE_KEY.
* Document that SSL_PRIVATE_KEY_METHOD should configure signing prefs.
* Always have CRYPTO_sysrand_for_seed.
* hrss: use less stack space.
* Make X509_EXTENSION opaque. Update-Note: Use X509_EXTENSION_get_* instead.
* Make X509_CRL opaque. Update-Note: Use accessors instead.
* Switch another malloc to bssl::Array.
* Add a pointer alignment helper function.
* Remove unused field in X509_NAME_ENTRY. Update-Note: Removed unused field in struct.
* Fix sign bit in BN_div if numerator and quotient alias.
* Handle the server case in SSL_get0_ech_name_override.
* Remove -2 return value from X509*_get_*_by_NID. Update-Note: The return value convention of some functions was simplified. This is not expected to affect any callers.
* Remove X509at_get0_data_by_OBJ. Update-Note: X509at_get0_data_by_OBJ is removed. We found no callers of this function.
* Document a batch of extension-related functions in x509.h.
* conf: fix getting keys from the default section.
* conf: don't crash when parsing.
* Add some OpenSSL compatibility aliases.
* Make ASN1_OBJECT opaque. Update-Note: ASN1_OBJECT is now opaque. Callers should use accessors.
* Rename asn1_locl.h to internal.h.
* Update hpke_test.go.
* Decorate x509v3_a2i_ipadd declaration as its definition.
* SHA-256 is used on AArch64, even if NO_ASM.
* swtb is another AArch64 magic tweak.
* Implement ClientHelloOuter handshakes.
* runner: Add a convenience function for base64 flags.
* Reduce bouncing on the cache lock in ssl_update_cache. Update-Note: This reshuffles some locks around the session cache. (Hopefully for the better.)
* Only clear not_resumable after the handshake.
* runner: Test that clients actually use renewed tickets.
* runner: Clean up test logic.
* runner: Fix process exit timeout.
* Remove old ASN.1 SET macros.
* Document some ASN1_INTEGER and ASN1_ENUMERATED functions.
* Document ASN1_STRING_to_UTF8.
* Const-correct ASN1_item_verify a bit more.
* Compute ASN.1 BIT STRING sizes more consistently.
* Remove lh_FOO_doall.
* Prefix internal LHASH functions.
* Unexport almost all of LHASH. Update-Note: BoringSSL no longer provides a general-purpose hash table to callers. Use the language's standard library, or another implementation.
* Rename t1_lib.cc to extensions.cc.
* Prefix and unexport a2i_ipadd.
* Fix a -Wdeprecated-copy warning.
* Validate ECH public names.
* Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM.
* Make X509_VERIFY_PARAM opaque. Update-Note: Use setters instead of configuring X509_VERIFY_PARAM directly.
* Move crypto/x509/vpm_int.h into internal.h.
* Reformat x509_vfy.h and convert comments.
* Reland "Add util/fetch_ech_config_list.go"
* Revert "Add util/fetch_ech_config_list.go"
* Add util/fetch_ech_config_list.go
* More reliably report handshake errors through SSL_write.
* Add an option to permute ClientHello extension order.
* runner: Check the test name against the protocol being tested.
* Remove outdated comment in primality testing.
* Add most of an ECH client implementation.
* Add a basic API to make ECHConfigs.
* Make ECH server APIs take EVP_HPKE_KEY.
* Rename SSL_ECH_SERVER_CONFIG_LIST to SSL_ECH_KEYS.
* runner: Self-check tests more accurately and earlier.
* Don't pad the second ClientHello.
* Fix ext_pre_shared_key_clienthello_length calculation.
* Tidy up the PSK binder logic.
* Move the TLS vs DTLS header length adjustment into ssl_add_clienthello_tlsext.
* Shift some complexity out of ssl_add_clienthello_tlsext.
* Add a note about extension callback names.
* Add move support to EVP_MD_CTX.
* Replace hs->needs_psk_binder with an output parameter.
* Make add_clienthello callbacks const.
* Fix documentation typo.
* Compute the ECH GREASE payload outside of the callbacks.
* Pick up the GREASE ECH config ID from grease_seed.
* Initialize grease_seed on construction.
* Remove the extension init hook.
* Move key_share computation out of ClientHello callbacks.
* Release some temporaries outside of ClientHello callbacks.
* Move the early_data_{offered,reason} logic out of extension callbacks.
* Implement a handshake hint for certificate compression.
* runner: Implement ECH server for testing.
* runner: Parse the status_request extension more strictly.
* runner: Make echIsInner a boolean.
* runner: Revise ECHConfig type in preparation for client implementation
* Fix ECH-Server-RepeatedConfigID test.
* Add SSL_ech_accepted API and ech_is_required alerts.
* Reject the ECH extension in TLS 1.2 ServerHello.
* Move ECH-related APIs to encrypted_client_hello.cc.
* Const-correct message creation hooks.
* Remove the Channel ID callback. Update-Note: SSL_CTX_set_channel_id_cb is removed. SSL_set_tls_channel_id_enabled no longer enables Channel ID as a client, only as a server.
* Manage Channel ID handshake state better. Update-Note: SSL_get_tls_channel_id will no longer return all zeros during the handshake or on the client. I did not find any callers relying on this.
* DTLS-SRTP is only defined for DTLS.
* Remove impossible ssl->s3 null check.
* fix #415: Perl scripts fail when building from a path with spaces
* Cite an RFC over 9000 (draft-ietf-quic-tls is now RFC 9001). Update-Note: QUIC APIs now default to the standard code point rather than the draft one. QUICHE has already been calling SSL_set_quic_use_legacy_codepoint, so this should not affect them. Once callers implementing the draft versions cycle out, we can then drop SSL_set_quic_use_legacy_codepoint altogether. I've also bumped BORINGSSL_API_VERSION in case we end up needing an ifdef.
* Add compatibility impl for EVP_PKEY_get0
* Make md32_common.h single-included and use an unsized helper for SHA-256.
* Pull HASH_TRANSFORM out of md32_common.h.
* Ensure name not null in EVP_get_cipherbyname
* Fix array-parameter warnings
* Don't copy client's session ID into server's session.
* Test ECH server with unique and repeated config IDs.
* Refresh SSL corpora after adding ECH fuzzer mode.
* Implement fuzzer mode for ECH server.
* Don't try to write empty early data in the tool.
* GREASE is now RFC 8701.
* runner: Reject all zero client and server randoms.
* Const-correct SSL_get_srtp_profiles. Update-Note: The change to the return type isn't quite compatible, but I only found one caller of this function, which has since been fixed. (If we need to return a non-const value for compatibility, we can do that and document that the caller should not mutate the output.)
* Update the ECH GREASE size selection.
* fuzz/minimise_corpora.sh: Add shebang and chmod +x
* Add a missing case to SSL_error_description.
* Remove draft tokbind implementation. Update-Note: Token binding APIs are removed. Change-Id: Iecea7c3dcf9d3e2644a3b7afaf61511310b45d5f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47584 Reviewed-by: Adam Langley <agl@google.com>
* Make X509_REQ and X509_REQ_INFO opaque. Update-Note: Callers that reach into X509_REQ and X509_REQ_INFO must use accessors instead.
* Check hs->early_session, not ssl->session, for the early data limit.
* Fix some includes.
* Be clearer which signing inputs are digests.
* Validate RSA public keys more consistently. Update-Note: See above.
* Add APIs to manually fill in signatures for CRLs.
* Check for resumption identifiers in SSL_SESSION_is_resumable.
* Don't use SHA256(ticket) as the signaling session ID for tickets.
* Simplify renego + resumption handling.
* Move session ID assignment out of ssl_get_new_session.
* Fix the ech_accept comment.
* Export the HPKE implementation.
* Refer to EVP_HPKE_CTX by a consistent name.
* Shift the KEM dependency in HPKE up a step.
* Update ACVP URLs.
* Add SSL_can_release_private_key.
* Make X509_SIG and X509_CERT_AUX opaque. Update-Note: Direct access of these structs should be replaced by accessors.
* acvp: move hash iterations into modulewrapper.
* Switch HPKE to a three-parameter output buffer.
* Introduce EVP_HPKE_{AEAD,KDF} types.
* Don't mark up the first word in a collective comment.
* Revise the deterministic for_test variant of HPKE's SetupBaseS.
* Fix a memory leak with d2i_ASN1_OBJECT object reuse.
* Remove HPKE PSK mode.
* Remove HKDF-SHA384 and HKDF-SHA512 from HPKE.
* Correctly order PKCS#7 certificates and CRLs. Update-Note: It is no longer the case that constructing a PKCS#7 file and parsing them back out will keep the certificates and CRLs in the same order.
* Implement ECH draft 10 and update HPKE to draft 08.
* Document expected use of BTI and PAC macros.
* Remove non-deterministic bits from ECDSA ACVP test.
* Reference the newer ChaCha20-Poly1305 RFC.
* Use passive entropy collection everywhere.
* Rename X509V*_VERSION constants. Update-Note: This renames some BoringSSL-specific constants that we recently added. It doesn't look like anyone's used them yet.
* Const-correct ASN1_OBJECT_create.
* Clarify OBJ_get0_data and OBJ_get_length.
* acvp: SHA-1 for ECDSA _verification_ is still supported by NIST.
* A couple of Aarch64 FIPS delocate fixes.
* Use a placeholder for unknown errors in ERR_*_error_string.
* Include assembly optimizations in Bazel builds on Linux-aarch64.
* Remove some BoringSSL-only X509_CINF functions. Update-Note: X509_get_cert_info, X509_CINF_set_modified, and X509_CINF_get_signature are removed. I believe all callers have been updated. Callers should use i2d_re_X509_tbs, i2d_X509_tbs, and X509_get0_tbs_sigalg instead.
* Document and test X509_ATTRIBUTE creation functions.
* Revert handshaker fd numbers and make StartProcess more flexible.
* Remove support for malformed X509_ATTRIBUTEs. Update-Note: Given OpenSSL hasn't accepted these for five years, it's unlikely anything depends on it. If something breaks, we can revert this and revisit. No one calls X509_ATTRIBUTE_set1_data on a non-empty X509_ATTRIBUTE, so the behavior change there should be safe.
* Make X509_ATTRIBUTE opaque. Update-Note: Direct accesses of X509_ATTRIBUTE should be replaced with one of the accessors. I couldn't find any direct accesses, so hopefully this is fine.
* acvptool: Fix typo hard-coding the HTTP method.
* Document a few more x509.h functions.
* Make X509_PUBKEY opaque. Update-Note: Direct accesses of X509_PUBKEY should be replaced with one of the accessors. I believe all callers have been fixed at this point.
* Always encode booleans as DER. Update-Note: Callers setting ASN1_BOOLEANs to a positive value other than 0xff will now encode 0xff. This probably fixes a bug, but if anyone was attaching significance to incorrectly-encoded booleans, that will break.
* Fix issuerUID and subjectUID parsing in the key usage checker.
* Add experimental handshake hints API.
* Make our Python scripts Python-3-compatible.
* Export ssl_client_hello_init for fuzzers.
* acvp: support GMAC as an algorithm.
* Record a fuzzing corpus for the ClientHelloInner decoder.
* Use a consistent plural for 'corpus'.
* Add util/bot/libFuzzer to .gitignore.
* acvp: support KAS-ECC-SSC staticUnified mode.
* Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos. Update-Note: SSL_CTX_set_alpn_protos and SSL_set_alpn_protos will now reject invalid inputs. Previously, they would accept them, but silently send an invalid ALPN extension which the server would almost certainly error on.
* Don't duplicate ServerHello construction code.
* Rearrange key share and early data logic.
* Only skip early data with HRR when offered.
* Add ECH server config API to ssl_ctx_api fuzzer
* Fix ppc64le build.
* Simplify the Lucky13 mitigation.
* Add ECH server (draft-ietf-tls-esni-09).
* runner: Remove unused field
* runner: Construct finishedHash earlier.
* Simplify tls_cbc.c slightly.
* Remove remnants of CBC SHA2 cipher suites.
* runner: Test different V2ClientHello challenge lengths.
* runner: Ensure helloBytes is always the same as hello.marshal().
* runner: Fix ECH confirmation calculation with PSKs in tests.
* runner: Fix HPKE parameter order.
* runner: UpdateForHelloRetryRequest cannot fail.
* runner: Don't use the buffer in TLS 1.3.
* runner: Don't maintain two copies of the same transcript hash.
* runner: Remove remnants of SSL 3.0.
* runner: Fix writeClientHash and writeRecord ordering.
* runner: Remove CheckTLS13DowngradeRandom.
* runner: Remove remnants of the separate HelloRetryRequest message.
* runner: Store a cipherSuite in ClientSessionState.
* runner: Move writeHash to the finishedHash struct.
* Fix the spelling of HPKE AEAD constants.
* Don't reset server callback expectations on new handshake.
* Fix MockQuicTransport::Flush error handling.
* Fold ripemd/internal.h into ripemd.c.
* Move load/store helpers to crypto/internal.h.
* Make words in crypto/fipsmodule/modes actually words.
* Handle EINTR more in handshaker.cc.
* Add a few missing SSL_R_BIO_NOT_SET cases.
* Fix some unreachable code in the QUIC handshaker driver.
* Rearrange SSLKeyShare::Serialize.
* Fix ssl/internal.h sectioning.
* Remove some now unnecessary test exclusions from split handshakes.
* Remove tls13-split-handshakes flag.
* Define HANDSHAKER_SUPPORTED in one place.
* Tidy up handshaker tester.
* modulewrapper: add option to print build information.
* FIPS counters for AES-CTR.
* Enforce that pre_shared_key must come with psk_key_exchange_modes.
* Zero out FIPS counters.
* Remove is_resume field on TestState.
* Remove OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY build flag.
* Add some warnings on how to use OPENSSL_memory_* functions.
* Use an unsized helper for truncated SHA-512 variants. Update-Note: There is a small chance the asserts will trip something, but hopefully not since I've left SHA512_Final alone.
* Fix mismatch between header and implementation of bn_sqr_comba8.
* Remove GCC 4.8.99 check.
* Bump minimum CMake version.
* Automatically enable C11 atomics when available. Update-Note: If something fails to compile, we'll revert this and adjust the check, or add an opt-out, or give up. Also, if building with -std=c99, consider -std=c11.
* Make generate_build_files.py python3 compatible.
* Remove X509_REQ_set_extension_nids and document related functions. Update-Note: This removes a pair of unused functions.
* Document a few more functions in x509.h.
* Do not access value.ptr with V_ASN1_BOOLEAN.
* Add X509_PUBKEY_get0_public_key.
* Test empty EVP_CIPHER inputs and fix exact memcpy overlap.
* Revert "Implement rsa_pkcs1_sha256_legacy."
* Fix unnecessarily direction-specific tests in cipher_tests.txt
* Refactor HPKE API to include explicit length parameters.
* Generalize make_errors.go to allow EVP covering multiple directories.
* Add a Windows no-op impl of BORINGSSL_self_test
* Only pass -handshaker-path in split handshakes tests.
* Add RNG support for FreeBSD.
* Move fips.c into a subdirectory.
* Implement rsa_pkcs1_sha256_legacy.
* Better document nullable X.509 getters.
* runner: Remove redundant -enable-all-curves shim flag.
* Initialize nonce in PerAEADTest.ABI.
* Document ASN1_TYPE and related functions.
* fips: add counters.
* Align with OpenSSL on constness of static ASN1_OBJECTs. Update-Note: The change to OBJ_nid2obj should be compatible. The changes to X509_PUBKEY_set0_param and X509_ALGOR_set0 may require fixing some pointer types.
* Add -rr-record flag to runner.go.
* Register NAME_CONSTRAINTS with bssl::UniquePtr.
* Register POLICY_MAPPING with bssl::UniquePtr.
* Stub out some more of PKCS7.
* Remove TODO to reverse the output of PKCS12_parse.
* Make the X509_VAL structure opaque. Update-Note: I believe this is now safe to do. If there are compile failures, switch to X509_get0_notBefore, X509_getm_notBefore, and X509_set1_notBefore, or revert this if I'm wrong and too many callers still need updating.
* Support creating unencrypted PKCS#12 files.
* Move PKCS#12 samples to embed_test_data.
* Remove some remnants of TLS 1.3 downgrade carveouts. Update-Note: https://boringssl-review.googlesource.com/c/boringssl/+/44124 made these functions a no-op, but we kept them around because there were still some call sites floating around. That code has since been updated, so we can remove this.
* Remove X509_REQ_to_X509. Update-Note: This removes a function that appears to be unused. It also hardcodes the use of MD5, so please do not use it.
* Fix OPENSSL_EC_* constants and add EC_GROUP_get_asn1_flag
* RAND_set_rand_method returns int.
* Check the inner and outer CRL signature algorithms match. Update-Note: Invalid CRLs with inconsistent inner and outer signature algorithms will now be rejected.
* Remove block_mask from EVP_CIPHER_CTX. Update-Note: It doesn't look like anyone is reading into this field. If they are, we can ideally fix it, or revert this if absolutely necessary.
* Document a couple more functions in x509.h.
* Define X509V*_VERSION constants.
* Handle the default X.509 version explicitly.
* Compile for RISC-V.
* Add ECDSA nonce-testing functions.
* Rearrange ECDSA implementation.
* Split the FIPS mode PRNG lock in two.
* Remove legacy vs_toolchain.py environment variable.
* runner: Rename 'masterSecret' on session objects to plain 'secret'.
* Test ECDSA signing is non-deterministic.
* acvp: split ACVP modulewrapper for reuse by Trusty
* No-op CL to trigger some builds.
* Use CIPD Go packages.
* Update CMake on the bots and switch to CIPD where available.
* Future-proof vs_toolchain.py for VS2019.
* Revert "Revert "Disable check that X.509 extensions implies v3."" * Update Clang and Go on the bots. * Check for OBJ_nid2obj failures in X509_ATTRIBUTE_create. * Don't overflow the output length in EVP_CipherUpdate calls. Update-Note: Passing extremely large input lengths into EVP_CipherUpdate will now fail. Use EVP_AEAD instead, which is size_t-based and has more explicit output bounds. * Remove X509_issuer_and_serial_hash. Update-Note: No one uses this function. It had a NULL dereference in some error cases. See CVE-2021-23841. * Fix Bazel build breakage. * Specify VS toolchain by command-line argument. * Update Android Bazel build support in BUILD.toplevel. * Honor SSL_TLSEXT_ERR_ALERT_FATAL in the ALPN callback. Update-Note: Callers that return SSL_TLSEXT_ERR_ALERT_FATAL from the ALPN callback will change behavior. The old behavior may be restored by returning SSL_TLSEXT_ERR_NOACK, though see the documentation for new recommendations on return values. * acvp: detect header element in JSON. * Align the ARM capability functions. * Skip runtime NEON checks if __ARM_NEON is defined. Update-Note: Builds with __ARM_NEON (-mfpu=neon) will now drop about 30KiB of dead code, but no longer work (if they even did before) on a particular buggy CPU. Builds without __ARM_NEON are not affected. * acvp: don't include CMAC-AES in regcap dump. * acvp: fix CMAC verify * Include bn/internal.h for non-bcm.c builds. * Add various function calls to test_fips. * Add missing include to self_check.c. * Revert "Disable check that X.509 extensions implies v3." * Fix TLS13SessionID-TLS13 test. Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases Change-Id: I894552c1cfb97c327808e9cdadcc7e6a7b1874e2
2021-07-21  Revert "external/boringssl: Sync to 897a2ca3f184b34278641138c726ef902ab1fab2."  (Pete Bentley)
This reverts commit a769e3be7b5b02e3a0ee4043b6642ab0361a1420.

Reason for revert: Breaks x86 builds: b/194262305

Change-Id: I9074b7d01972b3f1162eb3ece0a591077d0b3451
2021-07-20  external/boringssl: Sync to 897a2ca3f184b34278641138c726ef902ab1fab2.  (Pete Bentley)
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/ae2bb641735447496bed334c495e4868b981fe32..897a2ca3f184b34278641138c726ef902ab1fab2

* Add convenience functions to malloc EVP_HPKE_CTX and EVP_HPKE_KEY.
* Document that SSL_PRIVATE_KEY_METHOD should configure signing prefs.
* Always have CRYPTO_sysrand_for_seed.
* hrss: use less stack space.
* Make X509_EXTENSION opaque.
  Update-Note: Use X509_EXTENSION_get_* instead.
* Make X509_CRL opaque.
  Update-Note: Use accessors instead.
* Switch another malloc to bssl::Array.
* Add a pointer alignment helper function.
* Remove unused field in X509_NAME_ENTRY.
  Update-Note: Removed unused field in struct.
* Fix sign bit in BN_div if numerator and quotient alias.
* Handle the server case in SSL_get0_ech_name_override.
* Remove -2 return value from X509*_get_*_by_NID.
  Update-Note: The return value convention of some functions was simplified. This is not expected to affect any callers.
* Remove X509at_get0_data_by_OBJ.
  Update-Note: X509at_get0_data_by_OBJ is removed. We found no callers of this function.
* Document a batch of extension-related functions in x509.h.
* conf: fix getting keys from the default section.
* conf: don't crash when parsing.
* Add some OpenSSL compatibility aliases.
* Make ASN1_OBJECT opaque.
  Update-Note: ASN1_OBJECT is now opaque. Callers should use accessors.
* Rename asn1_locl.h to internal.h.
* Update hpke_test.go.
* Decorate x509v3_a2i_ipadd declaration as its definition.
* SHA-256 is used on AArch64, even if NO_ASM.
* swtb is another AArch64 magic tweak.
* Implement ClientHelloOuter handshakes.
* runner: Add a convenience function for base64 flags.
* Reduce bouncing on the cache lock in ssl_update_cache.
  Update-Note: This reshuffles some locks around the session cache. (Hopefully for the better.)
* Only clear not_resumable after the handshake.
* runner: Test that clients actually use renewed tickets.
* runner: Clean up test logic.
* runner: Fix process exit timeout.
* Remove old ASN.1 SET macros.
* Document some ASN1_INTEGER and ASN1_ENUMERATED functions.
* Document ASN1_STRING_to_UTF8.
* Const-correct ASN1_item_verify a bit more.
* Compute ASN.1 BIT STRING sizes more consistently.
* Remove lh_FOO_doall.
* Prefix internal LHASH functions.
* Unexport almost all of LHASH.
  Update-Note: BoringSSL no longer provides a general-purpose hash table to callers. Use the language's standard library, or another implementation.
* Rename t1_lib.cc to extensions.cc.
* Prefix and unexport a2i_ipadd.
* Fix a -Wdeprecated-copy warning.
* Validate ECH public names.
* Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM.
* Make X509_VERIFY_PARAM opaque.
  Update-Note: Use setters instead of configuring X509_VERIFY_PARAM directly.
* Move crypto/x509/vpm_int.h into internal.h.
* Reformat x509_vfy.h and convert comments.
* Reland "Add util/fetch_ech_config_list.go"
* Revert "Add util/fetch_ech_config_list.go"
* Add util/fetch_ech_config_list.go
* More reliably report handshake errors through SSL_write.
* Add an option to permute ClientHello extension order.
* runner: Check the test name against the protocol being tested.
* Remove outdated comment in primality testing.
* Add most of an ECH client implementation.
* Add a basic API to make ECHConfigs.
* Make ECH server APIs take EVP_HPKE_KEY.
* Rename SSL_ECH_SERVER_CONFIG_LIST to SSL_ECH_KEYS.
* runner: Self-check tests more accurately and earlier.
* Don't pad the second ClientHello.
* Fix ext_pre_shared_key_clienthello_length calculation.
* Tidy up the PSK binder logic.
* Move the TLS vs DTLS header length adjustment into ssl_add_clienthello_tlsext.
* Shift some complexity out of ssl_add_clienthello_tlsext.
* Add a note about extension callback names.
* Add move support to EVP_MD_CTX.
* Replace hs->needs_psk_binder with an output parameter.
* Make add_clienthello callbacks const.
* Fix documentation typo.
* Compute the ECH GREASE payload outside of the callbacks.
* Pick up the GREASE ECH config ID from grease_seed.
* Initialize grease_seed on construction.
* Remove the extension init hook.
* Move key_share computation out of ClientHello callbacks.
* Release some temporaries outside of ClientHello callbacks.
* Move the early_data_{offered,reason} logic out of extension callbacks.
* Implement a handshake hint for certificate compression.
* runner: Implement ECH server for testing.
* runner: Parse the status_request extension more strictly.
* runner: Make echIsInner a boolean.
* runner: Revise ECHConfig type in preparation for client implementation
* Fix ECH-Server-RepeatedConfigID test.
* Add SSL_ech_accepted API and ech_is_required alerts.
* Reject the ECH extension in TLS 1.2 ServerHello.
* Move ECH-related APIs to encrypted_client_hello.cc.
* Const-correct message creation hooks.
* Remove the Channel ID callback.
  Update-Note: SSL_CTX_set_channel_id_cb is removed. SSL_set_tls_channel_id_enabled no longer enables Channel ID as a client, only as a server.
* Manage Channel ID handshake state better.
  Update-Note: SSL_get_tls_channel_id will no longer return all zeros during the handshake or on the client. I did not find any callers relying on this.
* DTLS-SRTP is only defined for DTLS.
* Remove impossible ssl->s3 null check.
* fix #415: Perl scripts fail when building from a path with spaces
* Cite an RFC over 9000 (draft-ietf-quic-tls is now RFC 9001).
  Update-Note: QUIC APIs now default to the standard code point rather than the draft one. QUICHE has already been calling SSL_set_quic_use_legacy_codepoint, so this should not affect them. Once callers implementing the draft versions cycle out, we can then drop SSL_set_quic_use_legacy_codepoint altogether. I've also bumped BORINGSSL_API_VERSION in case we end up needing an ifdef.
* Add compatibility impl for EVP_PKEY_get0
* Make md32_common.h single-included and use an unsized helper for SHA-256.
* Pull HASH_TRANSFORM out of md32_common.h.
* Ensure name not null in EVP_get_cipherbyname
* Fix array-parameter warnings
* Don't copy client's session ID into server's session.
* Test ECH server with unique and repeated config IDs.
* Refresh SSL corpora after adding ECH fuzzer mode.
* Implement fuzzer mode for ECH server.
* Don't try to write empty early data in the tool.
* GREASE is now RFC 8701.
* runner: Reject all zero client and server randoms.
* Const-correct SSL_get_srtp_profiles.
  Update-Note: The change to the return type isn't quite compatible, but I only found one caller of this function, which has since been fixed. (If we need to return a non-const value for compatibility, we can do that and document that the caller should not mutate the output.)
* Update the ECH GREASE size selection.
* fuzz/minimise_corpora.sh: Add shebang and chmod +x
* Add a missing case to SSL_error_description.
* Remove draft tokbind implementation.
  Update-Note: Token binding APIs are removed.
* Make X509_REQ and X509_REQ_INFO opaque.
  Update-Note: Callers that reach into X509_REQ and X509_REQ_INFO must use accessors instead.
* Check hs->early_session, not ssl->session, for the early data limit.
* Fix some includes.
* Be clearer which signing inputs are digests.
* Validate RSA public keys more consistently.
  Update-Note: See above.
* Add APIs to manually fill in signatures for CRLs.
* Check for resumption identifiers in SSL_SESSION_is_resumable.
* Don't use SHA256(ticket) as the signaling session ID for tickets.
* Simplify renego + resumption handling.
* Move session ID assignment out of ssl_get_new_session.
* Fix the ech_accept comment.
* Export the HPKE implementation.
* Refer to EVP_HPKE_CTX by a consistent name.
* Shift the KEM dependency in HPKE up a step.
* Update ACVP URLs.
* Add SSL_can_release_private_key.
* Make X509_SIG and X509_CERT_AUX opaque.
  Update-Note: Direct access of these structs should be replaced by accessors.
* acvp: move hash iterations into modulewrapper.
* Switch HPKE to a three-parameter output buffer.
* Introduce EVP_HPKE_{AEAD,KDF} types.
* Don't mark up the first word in a collective comment.
* Revise the deterministic for_test variant of HPKE's SetupBaseS.
* Fix a memory leak with d2i_ASN1_OBJECT object reuse.
* Remove HPKE PSK mode.
* Remove HKDF-SHA384 and HKDF-SHA512 from HPKE.
* Correctly order PKCS#7 certificates and CRLs.
  Update-Note: It is no longer the case that constructing a PKCS#7 file and parsing them back out will keep the certificates and CRLs in the same order.
* Implement ECH draft 10 and update HPKE to draft 08.
* Document expected use of BTI and PAC macros.
* Remove non-deterministic bits from ECDSA ACVP test.
* Reference the newer ChaCha20-Poly1305 RFC.
* Use passive entropy collection everywhere.
* Rename X509V*_VERSION constants.
  Update-Note: This renames some BoringSSL-specific constants that we recently added. It doesn't look like anyone's used them yet.
* Const-correct ASN1_OBJECT_create.
* Clarify OBJ_get0_data and OBJ_get_length.
* acvp: SHA-1 for ECDSA _verification_ is still supported by NIST.
* A couple of Aarch64 FIPS delocate fixes.
* Use a placeholder for unknown errors in ERR_*_error_string.
* Include assembly optimizations in Bazel builds on Linux-aarch64.
* Remove some BoringSSL-only X509_CINF functions.
  Update-Note: X509_get_cert_info, X509_CINF_set_modified, and X509_CINF_get_signature are removed. I believe all callers have been updated. Callers should use i2d_re_X509_tbs, i2d_X509_tbs, and X509_get0_tbs_sigalg instead.
* Document and test X509_ATTRIBUTE creation functions.
* Revert handshaker fd numbers and make StartProcess more flexible.
* Remove support for malformed X509_ATTRIBUTEs.
  Update-Note: Given OpenSSL hasn't accepted these for five years, it's unlikely anything depends on it. If something breaks, we can revert this and revisit. No one calls X509_ATTRIBUTE_set1_data on a non-empty X509_ATTRIBUTE, so the behavior change there should be safe.
* Make X509_ATTRIBUTE opaque.
  Update-Note: Direct accesses of X509_ATTRIBUTE should be replaced with one of the accessors. I couldn't find any direct accesses, so hopefully this is fine.
* acvptool: Fix typo hard-coding the HTTP method.
* Document a few more x509.h functions.
* Make X509_PUBKEY opaque.
  Update-Note: Direct accesses of X509_PUBKEY should be replaced with one of the accessors. I believe all callers have been fixed at this point.
* Always encode booleans as DER.
  Update-Note: Callers setting ASN1_BOOLEANs to a positive value other than 0xff will now encode 0xff. This probably fixes a bug, but if anyone was attaching significance to incorrectly-encoded booleans, that will break.
* Fix issuerUID and subjectUID parsing in the key usage checker.
* Add experimental handshake hints API.
* Make our Python scripts Python-3-compatible.
* Export ssl_client_hello_init for fuzzers.
* acvp: support GMAC as an algorithm.
* Record a fuzzing corpus for the ClientHelloInner decoder.
* Use a consistent plural for 'corpus'.
* Add util/bot/libFuzzer to .gitignore.
* acvp: support KAS-ECC-SSC staticUnified mode.
* Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos.
  Update-Note: SSL_CTX_set_alpn_protos and SSL_set_alpn_protos will now reject invalid inputs. Previously, they would accept them, but silently send an invalid ALPN extension which the server would almost certainly error on.
* Don't duplicate ServerHello construction code.
* Rearrange key share and early data logic.
* Only skip early data with HRR when offered.
* Add ECH server config API to ssl_ctx_api fuzzer
* Fix ppc64le build.
* Simplify the Lucky13 mitigation.
* Add ECH server (draft-ietf-tls-esni-09).
* runner: Remove unused field
* runner: Construct finishedHash earlier.
* Simplify tls_cbc.c slightly.
* Remove remnants of CBC SHA2 cipher suites.
* runner: Test different V2ClientHello challenge lengths.
* runner: Ensure helloBytes is always the same as hello.marshal().
* runner: Fix ECH confirmation calculation with PSKs in tests.
* runner: Fix HPKE parameter order.
* runner: UpdateForHelloRetryRequest cannot fail.
* runner: Don't use the buffer in TLS 1.3.
* runner: Don't maintain two copies of the same transcript hash.
* runner: Remove remnants of SSL 3.0.
* runner: Fix writeClientHash and writeRecord ordering.
* runner: Remove CheckTLS13DowngradeRandom.
* runner: Remove remnants of the separate HelloRetryRequest message.
* runner: Store a cipherSuite in ClientSessionState.
* runner: Move writeHash to the finishedHash struct.
* Fix the spelling of HPKE AEAD constants.
* Don't reset server callback expectations on new handshake.
* Fix MockQuicTransport::Flush error handling.
* Fold ripemd/internal.h into ripemd.c.
* Move load/store helpers to crypto/internal.h.
* Make words in crypto/fipsmodule/modes actually words.
* Handle EINTR more in handshaker.cc.
* Add a few missing SSL_R_BIO_NOT_SET cases.
* Fix some unreachable code in the QUIC handshaker driver.
* Rearrange SSLKeyShare::Serialize.
* Fix ssl/internal.h sectioning.
* Remove some now unnecessary test exclusions from split handshakes.
* Remove tls13-split-handshakes flag.
* Define HANDSHAKER_SUPPORTED in one place.
* Tidy up handshaker tester.
* modulewrapper: add option to print build information.
* FIPS counters for AES-CTR.
* Enforce that pre_shared_key must come with psk_key_exchange_modes.
* Zero out FIPS counters.
* Remove is_resume field on TestState.
* Remove OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY build flag.
* Add some warnings on how to use OPENSSL_memory_* functions.
* Use an unsized helper for truncated SHA-512 variants.
  Update-Note: There is a small chance the asserts will trip something, but hopefully not since I've left SHA512_Final alone.
* Fix mismatch between header and implementation of bn_sqr_comba8.
* Remove GCC 4.8.99 check.
* Bump minimum CMake version.
* Automatically enable C11 atomics when available.
  Update-Note: If something fails to compile, we'll revert this and adjust the check, or add an opt-out, or give up. Also, if building with -std=c99, consider -std=c11.
* Make generate_build_files.py python3 compatible.
* Remove X509_REQ_set_extension_nids and document related functions.
  Update-Note: This removes a pair of unused functions.
* Document a few more functions in x509.h.
* Do not access value.ptr with V_ASN1_BOOLEAN.
* Add X509_PUBKEY_get0_public_key.
* Test empty EVP_CIPHER inputs and fix exact memcpy overlap.
* Revert "Implement rsa_pkcs1_sha256_legacy."
* Fix unnecessarily direction-specific tests in cipher_tests.txt
* Refactor HPKE API to include explicit length parameters.
* Generalize make_errors.go to allow EVP covering multiple directories.
* Add a Windows no-op impl of BORINGSSL_self_test
* Only pass -handshaker-path in split handshakes tests.
* Add RNG support for FreeBSD.
* Move fips.c into a subdirectory.
* Implement rsa_pkcs1_sha256_legacy.
* Better document nullable X.509 getters.
* runner: Remove redundant -enable-all-curves shim flag.
* Initialize nonce in PerAEADTest.ABI.
* Document ASN1_TYPE and related functions.
* fips: add counters.
* Align with OpenSSL on constness of static ASN1_OBJECTs.
  Update-Note: The change to OBJ_nid2obj should be compatible. The changes to X509_PUBKEY_set0_param and X509_ALGOR_set0 may require fixing some pointer types.
* Add -rr-record flag to runner.go.
* Register NAME_CONSTRAINTS with bssl::UniquePtr.
* Register POLICY_MAPPING with bssl::UniquePtr.
* Stub out some more of PKCS7.
* Remove TODO to reverse the output of PKCS12_parse.
* Make the X509_VAL structure opaque.
  Update-Note: I believe this is now safe to do. If there are compile failures, switch to X509_get0_notBefore, X509_getm_notBefore, and X509_set1_notBefore, or revert this if I'm wrong and too many callers still need updating.
* Support creating unencrypted PKCS#12 files.
* Move PKCS#12 samples to embed_test_data.
* Remove some remnants of TLS 1.3 downgrade carveouts.
  Update-Note: https://boringssl-review.googlesource.com/c/boringssl/+/44124 made these functions a no-op, but we kept them around because there were still some call sites floating around. That code has since been updated, so we can remove this.
* Remove X509_REQ_to_X509.
  Update-Note: This removes a function that appears to be unused. It also hardcodes the use of MD5, so please do not use it.
* Fix OPENSSL_EC_* constants and add EC_GROUP_get_asn1_flag
* RAND_set_rand_method returns int.
* Check the inner and outer CRL signature algorithms match.
  Update-Note: Invalid CRLs with inconsistent inner and outer signature algorithms will now be rejected.
* Remove block_mask from EVP_CIPHER_CTX.
  Update-Note: It doesn't look like anyone is reading into this field. If they are, we can ideally fix it, or revert this if absolutely necessary.
* Document a couple more functions in x509.h.
* Define X509V*_VERSION constants.
* Handle the default X.509 version explicitly.
* Compile for RISC-V.
* Add ECDSA nonce-testing functions.
* Rearrange ECDSA implementation.
* Split the FIPS mode PRNG lock in two.
* Remove legacy vs_toolchain.py environment variable.
* runner: Rename 'masterSecret' on session objects to plain 'secret'.
* Test ECDSA signing is non-deterministic.
* acvp: split ACVP modulewrapper for reuse by Trusty
* No-op CL to trigger some builds.
* Use CIPD Go packages.
* Update CMake on the bots and switch to CIPD where available.
* Future-proof vs_toolchain.py for VS2019.
* Revert "Revert "Disable check that X.509 extensions implies v3.""
* Update Clang and Go on the bots.
* Check for OBJ_nid2obj failures in X509_ATTRIBUTE_create.
* Don't overflow the output length in EVP_CipherUpdate calls.
  Update-Note: Passing extremely large input lengths into EVP_CipherUpdate will now fail. Use EVP_AEAD instead, which is size_t-based and has more explicit output bounds.
* Remove X509_issuer_and_serial_hash.
  Update-Note: No one uses this function. It had a NULL dereference in some error cases. See CVE-2021-23841.
* Fix Bazel build breakage.
* Specify VS toolchain by command-line argument.
* Update Android Bazel build support in BUILD.toplevel.
* Honor SSL_TLSEXT_ERR_ALERT_FATAL in the ALPN callback.
  Update-Note: Callers that return SSL_TLSEXT_ERR_ALERT_FATAL from the ALPN callback will change behavior. The old behavior may be restored by returning SSL_TLSEXT_ERR_NOACK, though see the documentation for new recommendations on return values.
* acvp: detect header element in JSON.
* Align the ARM capability functions.
* Skip runtime NEON checks if __ARM_NEON is defined.
  Update-Note: Builds with __ARM_NEON (-mfpu=neon) will now drop about 30KiB of dead code, but no longer work (if they even did before) on a particular buggy CPU. Builds without __ARM_NEON are not affected.
* acvp: don't include CMAC-AES in regcap dump.
* acvp: fix CMAC verify
* Include bn/internal.h for non-bcm.c builds.
* Add various function calls to test_fips.
* Add missing include to self_check.c.
* Revert "Disable check that X.509 extensions implies v3."
* Fix TLS13SessionID-TLS13 test.

Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I86bd269475ed5598d81787e7ecfec010c4a128fa
2020-09-30  external/boringssl: Sync to 3743aafdacff2f7b083615a043a37101f740fa53.  (Pete Bentley)
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/2fb729d4f36beaf263ad85e24a790b571652679c..3743aafdacff2f7b083615a043a37101f740fa53

* Add SSL_CIPHER_get_protocol_id.
* Add TrustTokenV2.
* Add X509_get_pathlen and X509_REVOKED_get0_extensions.
* Add some accommodations for FreeRDP
* Require non-NULL store in X509_STORE_CTX_init.
  Update-Note: X509_STORE_CTX_init will now fail when the store is NULL, rather than report success, only to crash later in X509_verify_cert. Breakage should thus be limited to code which was passing in a NULL store but never used the resulting X509_STORE_CTX.
* Const-correct X509V3_CONF_METHOD.
  Update-Note: External definitions of X509V3_CONF_METHOD will need to fix the types of their functions. There should not be any of these (probably hide this struct), but if there are, this aligns with upstream OpenSSL.
* Avoid unions in X509_NAME logic.
* Bump OPENSSL_VERSION_NUMBER to 1.1.1.
  Update-Note: Some OPENSSL_VERSION_NUMBER/OPENSSL_IS_BORINGSSL checks may need to be updated. Hopefully even more can go away.
* Document more of x509.h.
* Fix potential leak in bssl::Array::Shrink.
* Remove ASN1_STRING_length_set.
  Update-Note: Use ASN1_STRING_set instead, though this function appears to be unused.
* Revert "Check AlgorithmIdentifier parameters for RSA and ECDSA signatures."
* Implement PSK variants of HPKE setup functions.
* acvp: support working with files.
* Document a few more functions in x509.h.
* Add subject key ID and authority key ID accessors.
* Remove sxnet and pkey_usage_period extensions.
  Update-Note: Parsers for these two extensions are removed. Parsing the types directly or passing NID_sxnet and NID_pkey_usage_period into X509V3_get_d2i, or *_get_ext_d2i will no longer work.
* Const-correct various X509 functions.
* Make X509_set_not{Before,After} functions rather than macros.
* Add X509_get0_uids from OpenSSL 1.1.0.
* Bound RSA and DSA key sizes better.
  Update-Note: Some invalid or overly large RSA and DSA keys may previously have been accepted that are now rejected at parse time. For public keys, this only moves the error from verification to parsing. In some private key cases, we would previously allow signing with those keys, but the resulting signatures would not be accepted by BoringSSL anyway. This CL makes us behave more consistently.
* Add set1 versions of X509 timestamp setters.
* Consistently sort generated build files.
* delocate: use 64-bit GOT offsets in the large memory model.
* Update HPKE implementation and test vectors to draft-irtf-cfrg-hpke-05.
* Handle NULL arguments in some i2d_* functions.
* aarch64: support BTI and pointer authentication in assembly
* Support delegated credentials version 06
* delocation: large memory model support.
* Enforce presence of ALPN when QUIC is in use.
  Update-Note: If an SSL_QUIC_METHOD is set, connections will now fail if ALPN is not negotiated. This new behavior can be detected by checking if the value of BORINGSSL_API_VERSION is greater than 10.
* Fix the naming of alert error codes.
  Update-Note: The renamed alerts will log slightly different strings, but the constants used by external code are still there.
* Use golang.org/x/crypto in runner.
  Update-Note: The tests now have a golang.org/x/crypto dependency. This should be fetched transparently with Go modules. Monorepos with different import path conventions may need to rewrite these imports.
* Disable ClientHello padding for QUIC.
* Add X509_SIG_get0 and X509_SIG_getm.
* Implement HPKE.
* Disallow TLS 1.3 compatibility mode in QUIC.
* Switch clang-format IncludeBlocks to Preserve.
* Fix unterminated clang-format off.
* Add line number to doc.go error messages.
* Kick the bots.
* Add a JSON output to generate_build_files.py.
* Add details of 20190808 FIPS certification.
* Link to ws2_32 more consistently.
* Allow explicitly-encoded X.509v1 versions for now.
* Opaquify PKCS8_PRIV_KEY_INFO.
  Update-Note: Direct accesses of PKCS8_PRIV_KEY_INFO now need to use the accessors. Code search suggests no one uses the fields. Even the accessors are virtually unused (the one thing which uses it doesn't need it).
* Implement i2d_PUBKEY and friends without crypto/asn1.
* Remove TRUST_TOKEN_experiment_v0.
  Update-Note: This gets rid of TRUST_TOKEN_experiment_v0. Existing callers should be updated to call TRUST_TOKEN_experiment_v1.
* Clarify in-place rules for low-level AES mode functions.
* acvp: add CMAC-AES support.
* acvp: add SP800-108 KDF support.
* Remove x509->name.
  Update-Note: instead of x509->name, use X509_NAME_oneline and X509_get_subject_name.
* Maybe build for AArch64 Windows.
* sha1-x86_64: fix CFI.
* Use |crypto_word_t| and |size_t| more consistently in ECC scalar recoding.
* Enable shaext path for sha1.
* Avoid relying on SSL_get_session's behavior during the handshake.
  Update-Note: SSL_generate_key_block will now fail mid-handshake. It is ambiguous which key block to use and, in some cases, we may not even be able to compute the right key block.
* Add a -wait-for-debugger flag to runner.
* Add missing OPENSSL_EXPORT to X509_get_X509_PUBKEY.
* Const-correct various functions in crypto/asn1.
* Remove unneeded switch statement.
* Convert X.509 accessor macros to proper functions.
  Update-Note: This should be compatible, but it is possible that someone, e.g., passed in a bssl::UniquePtr<X509> to an accessor and relied on operator->. Callers may also run afoul of const correctness. I mirrored OpenSSL 1.1.1's consts, so it should at least be compatible with third-party code.
* Remove X509_CINF_get_issuer and X509_CINF_get_extensions.
  Update-Note: Two unused macros were removed. If there were uses, the X509-level accessors can be used instead.
* Remove X509_get_signature_type.
  Update-Note: If there are any calls to X509_get_signature_type, remove them. It more-or-less always returned NID_undef.
* clang-format x509.h and run comment converter.
* Check AlgorithmIdentifier parameters for RSA and ECDSA signatures.
* Remove some unimplemented prototypes.
* Check the X.509 version when parsing.
  Update-Note: The X.509 parser is now a bit stricter. This may break some malformed certificates which were previously incorrectly accepted.
* Fix x509v3_cache_extensions error-handling.
  Update-Note: The X.509 verifier now correctly rejects syntax errors in important certificate extensions. This may break some malformed certificates which were incorrectly accepted before.
* Work around Windows command-line limits in embed_test_data.go.
* Move crypto/x509 test data into its own directory.
* Test resumability of same, different, and default ticket keys.
* Fixes warning when redefining PATH_MAX when building with MINGW.
* Abstract fd operations better in tool.
* Use CMAKE_SIZEOF_VOID_P instead of CMAKE_CL_64
* Enforce the keyUsage extension in TLS 1.2 client certs.
  Update-Note: Client certificates which do not support the digitalSignature key usage will be rejected. They should either include that bit or omit the keyUsage extension.
* Reword some comments.
* Add “Z Computation” KAT.
* acvptool: handle negative sizeConstraint.
* Let memory hooks override the size prefix.
* acvptool: go fmt
* Assert md_size > 0.
* Remove -enable-ed25519 compat hack.
* Add a |SSL_process_tls13_new_session_ticket|.
* Use ctr32 optimizations for AES_ctr128_encrypt.
* Test AES mode wrappers.
* Bump minimum CMake version.
* Modify how QUIC 0-RTT go/no-go decision is made.
* Remove RAND_set_urandom_fd.
  Update-Note: RAND_set_urandom_fd no longer exists. This was only called by Chromium, which now uses CRYPTO_pre_sandbox_init.
* Document that getrandom support must be consistent.
* Fix docs link for SSL_CTX_load_verify_locations
* Fix TRUST_TOKEN experiment_v1 SRR map.
* Add CRYPTO_pre_sandbox_init.
* Still query getauxval if reading /proc/cpuinfo fails.
* Add missing header to ec/wnaf.c
* Fix OPENSSL_TSAN typo.
* Fix p256-x86_64-table.h indentation.
* Enable avx2 implementation of sha1.
* Trim Z coordinates from the OPENSSL_SMALL P-256 tables.
* Use public multi-scalar mults in Trust Tokens where applicable.
* Use batched DLEQ proofs for Trust Token.
* Restrict when 0-RTT will be accepted in QUIC.
* Disable TLS 1.3 compatibility mode for QUIC.
* Use a 5-bit comb for some Trust Tokens multiplications.
* Use a (mostly) constant-time multi-scalar mult for Trust Tokens.
* Batch inversions in Trust Tokens.
* Rearrange the DLEQ logic slightly.
* Use token hash to encode private metadata for Trust Token Experiment V1.
* Introduce an EC_AFFINE abstraction.
* Make the fuzzer PRNG thread-safe.
* Disable fork-detect tests under TSAN.
* Introduce TRUST_TOKENS_experiment_v1.
* Route PMBToken calls through TRUST_TOKEN_METHOD.
* Introduce a TRUST_TOKEN_METHOD hook to select TRUST_TOKEN variations.
  Update-Note: Pass TRUST_TOKEN_experiment_v0() into any existing code that now needs a TRUST_TOKEN_METHOD.
* fork_detect: be robust to qemu.
* Move serialization of points inside pmbtoken.c.
* Introduce PMBTOKENS key abstractions.
* Fix the types used in token counts.
  Update-Note: Fix callers of TRUST_TOKEN_ISSUER_issue to use size_t instead of uint8_t. The max_batchsize changes should go through without changes to the caller.
* Remove unused code from ghash-x86_64.pl.
* Switch the P-384 hash-to-curve to draft-07.
* Add hash-to-curve code for P384.
* Write down the expressions for all the NIST primes.
* Move fork_detect files into rand/
* Harden against fork via MADV_WIPEONFORK.
* Fix typo in comment.
* Use faster addition chains for P-256 field inversion.
* Tidy up third_party/fiat.
* Prefix g_pre_comp in p256.c as well.
* Add missing curve check to ec_hash_to_scalar_p521_xmd_sha512.
* Add a tool to compare the output of bssl speed.
* Benchmark ECDH slightly more accurately.
* Align remaining Intel copyright notice.
* Don't retain T in PMBTOKEN_PRETOKEN.
* Check for trailing data in TRUST_TOKEN_CLIENT_finish_issuance.
* Properly namespace everything in third_party/fiat/p256.c.
* Update fiat-crypto.
* Add missing ERR_LIB_TRUST_TOKEN constants.
* Add bssl speed support for hashtocurve and trusttoken.
* Implement DLEQ checks for Trust Token.
* Fix error-handling in EVP_BytesToKey.
* Fix Trust Token CBOR.
* Match parameter names between header and source.
* Trust Token Implementation.
* Include mem.h for |CRYPTO_memcmp|
* acvptool: add subprocess tests.
* Add SHA-512-256.
* Make ec_GFp_simple_cmp constant-time.
  Update-Note: This does mean that we pay a 6M+2S Jacobian comparison where comparing two publicly affine points should cost no field operations at all. Code which compares two EC public keys for equality will be slightly slower. I wouldn't expect this to matter (if you actually use the public keys, you'll pay much much more). If it does, we can restore this optimization by keeping better track of affine vs. Jacobian forms. See https://crbug.com/boringssl/326.
* Tidy up CRYPTO_sysrand variants.
* Do a better job testing EC_POINT_cmp.
* Follow-up comments to hash_to_scalar.
* Add a hash_to_scalar variation of P-521's hash_to_field.
* Add SSL_SESSION_copy_without_early_data.
* Double-check secret EC point multiplications.
* Make ec_felem_equal constant-time.
* Fix hash-to-curve comment.
* Make ec_GFp_simple_is_on_curve constant-time.
* Implement draft-irtf-cfrg-hash-to-curve-06.
* Update list of tested SDE configurations.
* Only draw from RDRAND for additional_data if it's fast.
* Generalize bn_from_montgomery_small.
* Remove BIGNUM from uncompressed coordinate parsing.
* Add EC_RAW_POINT serialization function.
* Base EC_FELEM conversions on bytes rather than BIGNUMs.
* runner: Replace supportsVersions calls with allVersions.
* Enable QUIC for some perMessageTest runner tests
* Move BN_nnmod calls out of low-level group_set_curve.
* Clean up various EC inversion functions.
* Start to organize ec/internal.h a little.
* Fix CFI for AVX2 ChaCha20-Poly1305. * Remove unused function prototype. * Enable more runner tests for QUIC * Require QUIC method with Transport Parameters and vice versa * acvptool: support non-interactive mode. * Add is_quic bit to SSL_SESSION * Update SDE. * Update tools. * Add simpler getters for DH and DSA. * Don't define default implementations for weak symbols. * Don't automatically run all tests for ABI testing. * Fix test build with recent Clang. * Remove LCM dependency from RSA_check_key. * Simplify bn_sub_part_words. * No-op commit to test Windows SDE bots. * ABI-test each AEAD. * Add memory tracking and sanitization hooks * Add X509_STORE_CTX_get0_chain. * Add DH_set_length. * Static assert that CRYPTO_MUTEX is sufficiently aligned. * [bazel] Format toplevel BUILD file with buildifier * Add |SSL_CTX_get0_chain|. * Configure QUIC secrets inside set_{read,write}_state. Update-Note: See b/151142920#comment9 Change-Id: I4bbb76e15b5d95615ea643bccf796db87fae4989 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/40244 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> * Allow setting QUIC transport parameters after parsing the client's * Fix comment for |BORINGSSL_self_test|. * Trust Token Key Generation. * Revise QUIC encryption secret APIs. Update-Note: This is an incompatible change to SSL_QUIC_METHOD. BORINGSSL_API_VERSION can be used to distinguish the two revisions. * Fix ec_point_mul_scalar_public's documentation. Test: atest CtsLibcoreTestCases CtsLibcoreTestCases Change-Id: I754169828a3e1cb461bf0d4a64d4d7b46951d730
2020-08-27  Revert "external/boringssl: Sync to a0b49d63fdc33e54eac93674c86891d15d181d87."  Pete Bentley
This reverts commit c960c43412e0632abb712fc465e70b6dfa2e9657.
Reason for revert: <Breaks ART buildbot>
Bug: 166619732
Change-Id: I5c843090e06a33aca391cde9c2da2bcb16995f05
2020-08-24  external/boringssl: Sync to a0b49d63fdc33e54eac93674c86891d15d181d87.  Daulet Zhanguzin
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/2fb729d4f36beaf263ad85e24a790b571652679c..a0b49d63fdc33e54eac93674c86891d15d181d87
Test: atest CtsLibcoreTestCases
Change-Id: Ida4794d56d237422351b9ddcc7d0bc9295e816e1
2019-09-26  external/boringssl: Sync to 3a3552247ecb0bfb260a36d9da7a3bce7fdc3f8a.  Pete Bentley
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/e60b080dda138e1dd02d99fb34641ac22e46c85d..3a3552247ecb0bfb260a36d9da7a3bce7fdc3f8a
Also changes Android.bp to compile with execute-only memory again as this should no longer be necessary with the mprotect changes in https://boringssl.googlesource.com/boringssl/+/09a9ec036030ac84896f5143548d05f3951d1817
Bug: 134580074
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I0ec54998afd2e0b40ec930716397e20aa3c21bf2
2019-03-01  external/boringssl: Sync to c3889634a1aa52575c5d26497696238208fbd0f5.  Robert Sloan
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/41c10e2b5f37edce8b9f292f7f3bacb7e30e25c4..c3889634a1aa52575c5d26497696238208fbd0f5
Test: atest CtsLibcoreTestCases
Change-Id: Ia1c2941ccf58a9e0d736b3409a2d13c21603a205
2018-09-17  external/boringssl: Sync to 5baee45652d9de70ae957d1aa1e04a2d27101c3b.  Robert Sloan
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/689019fe40d5ad94df46ffeebcd794ff359a7074..5baee45652d9de70ae957d1aa1e04a2d27101c3b
Test: BoringSSL CTS Presubmits
Change-Id: I6f92d4fa84a3b9d6f35b291cb0da0782219b2b05