    external/boringssl: Sync to 8aa51ddfcf1fbf2e5f976762657e21c7aee2f922. · 34340cdd
    Pete Bentley authored
    This includes the following changes:
    
    https://boringssl.googlesource.com/boringssl/+log/e40d0f8ee1361fbff2927a6806c755acea79a521..8aa51ddfcf1fbf2e5f976762657e21c7aee2f922
    
    * Add OPENSSL_EXPORT to BN_mod_inverse_blinded
    * Add prefetch to sha1_block_data_order_shaext
    * Remove EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD from public headers
    * test_fips: flush stdout before aborting on failure.
    * Work around a NASM bug
    * Plug a leak in ASN1_item_i2d()
    * Add a few more assertions to compiler_test.cc.
    * Fix use of uninitialized cbb on failure case.
    * urandom_test: force MADV_WIPEONFORK both ways.
    * Use KEM terminology in TLS ECDHE and key_share abstractions
    * Define a NID for P-384 + Kyber768.
    * Use the common location for CMake in the bots
    * Fix ninja run_tests
    * Work around yet more NULL + 0 language bugs
    * Fix the generated CMake build
    * Replace almost all instances of CMAKE_SOURCE_DIR and CMAKE_BINARY_DIR
    * Ignore elf.ErrNoSymbols in util/read_symbols.go
    * Run Go tests as part of run_tests
    * Pick up a VS 2022 toolchain from Chromium
    * Switch to CIPD's copy of perl
    * Simplify ECKeyShare slightly.
    * Move the ASN.1-based SSLKeyShare serialization to handoff.cc.
    * Create the SSLKeyShare object in TLS 1.2 client ECDHE slightly later
    * Require getauxval on 32-bit Arm Linux
    Update-Note: BoringSSL now requires API level 18 or later. Projects
    needing to support API level of 17 or below will fail to build due to
    the use of getauxval. If any such projects exist, please contact
    BoringSSL maintainers.
    * Go back to breaking syscalls with the syscall number
    * Pass the full user_regs_struct to PTRACE_SETREGS
    * Print the reason the child stopped in urandom_test
    * Move data from .text to .rodata on x86_64
    * Start a Kyber implementation with basic Keccak code.
    * Tweak urandom_test for Android devices without getrandom.
    * Cap the number of ECDSA and DSA sign iterations.
    Update-Note: If signing starts failing with ECDSA_R_INVALID_ITERATIONS,
    something went horribly wrong because it should not be possible with
    real curves. (Needing even one retry has probability 2^-256 or so.)
    * Add more DSA consistency checks.
    Update-Note: Some invalid DSA keys will be rejected by the parser and at
    use. Nothing should be using DSA anymore.
    * Revert "Revert "Fetch entropy from a system daemon in FIPS mode on Android.""
    * Reject zero ECDSA keys in EC_KEY_set_private_key
    Update-Note: Systems that manually construct an EC_KEY (i.e. not from
    parsing), and either omit the public key or don't call EC_KEY_check_key
    will start rejecting the zero private key. If such a system *also* signs
    untrusted digests, this fixes an infinite loop in ECDSA.
    * Gracefully handle DSA objects with missing fields
    * Fix Android tests with new recipe changes
    * acvp: update test expectations
    * acvp: write updated tests without `.bz2` suffix
    * acvp: fix tests
    * Update Go dependencies
    * Move constants from .text to .rodata on aarch64
    * Add bbe@ to list of reviewers
    * Revert go:build ignore lines
    * Replace the union inside EVP_PKEY with void*.
    * Make EVP_PKEY opaque.
    Update-Note: Code that reaches into the EVP_PKEY struct will no longer
    compile, like in OpenSSL. I believe I've fixed all the cases. If I
    missed any, the fix is to switch code to accessors. EVP_PKEY_id(pkey)
    for pkey->type is the most common fix.
    * Make boringssl_gtest_main a STATIC library
    * Update build tools
    * Use --allowlist-file in bssl-sys
    * Tidy up check_chain_extensions after proxy certificate removal
    * Remove proxy certificate support.
    * Remove global_target from build.
    * Don't include custom builds of libc++ in CMake installs
    * Specify -Iinclude with the crypto target.
    * Unify the two copies of bn_add_words and bn_sub_words
    * Implement P256_XMD:SHA-256_SSWU_RO_ and P384_XMD:SHA-384_SSWU_RO_
    * Align the hash-to-curve formulation with draft-16.
    * Fix a -Wignored-qualifiers warning in trust_token_test.cc
    * Make OPENSSL_malloc push ERR_R_MALLOC_FAILURE on failure.
    * Cap decimal input sizes in s2i_ASN1_INTEGER
    Update-Note: The stringly-typed API for constructing X.509 extensions
    now has (very generous) maximum input length for decimal integers of
    8,192 digits. If anyone was relying on a higher input, this will break.
    This is unlikely and should be caught by unit tests; if a project hits
    this outside of tests, that means they are passing untrusted input into
    this function, which is a security vulnerability in itself, and means
    they especially need this change to avoid a DoS.
    * Make ERR and thread use system malloc.
    Update-Note: Any recent documentation (in all OpenSSL forks) for the ERR functions
    cautions against freeing the returned ERR "data" strings, as freeing them is handled
    by the error library. This change can make an existing double free bug more
    obvious by being more likely to cause a crash with the double free.
    * Add OPENSSL_asprintf and friends for asprintf(3) functionality.
    * Add a note in INCORPORATING about which branch to use
    * Generate Rust wrappers for HKDF
    * Bound the overall output size of ASN1_generate_v3
    Update-Note: The stringly-typed API for constructing X.509 extensions
    now has a maximum output size. If anyone was constructing an extension
    larger than 64K, this will break. This is unlikely and should be caught
    by unit tests; if a project hits this outside of tests, that means they
    are passing untrusted input into this function, which is a security
    vulnerability in itself, and means they especially need this change to
    avoid a DoS.
    * VMS? I don't think so. Take this for a walk behind the barn.
    * Revert "Drop HRSS assembly."
    * Move Go CMake support into its own file.
    * Get rid of time_t usage internally, change to int64_t
    Update-Note: This is a potentially breaking change for things
    that bind to the ASN1_[UTC|GENERALIZED]TIME_set and ASN1_TIME_adj
    family of functions (and cannot type convert a time_t to an
    int64).
    * Remove d2i_FOO object reuse
    Update-Note: This slightly changes the calling convention of the d2i_FOO
    functions. The change should be compatible with almost all valid calls.
    If something goes wrong, it should hopefully be quite obvious. If
    affected (or unaffected), prefer to set the output parameter to NULL
    and use the return value instead.
    * Don't use negative values for unimplemented modes
    * Don't use object reuse in X509_parse_from_buffer.
    * Remove stale TODO in util/bot/DEPS
    * Remove if'd-out OCB-AES assembly
    * Trim unnecessary -lrt and ws2_32 deps in the build.
    * Unexport GENERAL_NAME_cmp
    * Also test i2d_GENERAL_NAME in X509Test.GeneralName
    * Fix the type of x400Address in GENERAL_NAME
    * Remove old clang-cl workaround
    * Limit the CMake -isysroot assembly workaround to older CMake
    * Clean up test_support_lib and GTest dependencies slightly.
    * Fix various malloc failure paths.
    * Partially mitigate quadratic-time malloc tests in unit tests
    * Add ABI tests for bn_add_words, etc.
    * Avoid branches in GCC in bn/generic.c.
    * Add bn_add_words and bn_sub_words assembly for aarch64.
    * Rearrange bn/generic.c
    * Reject even moduli in RSA_check_key.
    Update-Note: RSA keys with even moduli already do not work. (In addition
    to being nonsensical, all operations will fail with them because we
    cannot do Montgomery reduction on even moduli.) This CL shifts the error
    from when you use the key, to when you parse the key, like our other
    validation steps. Also after this lands, the check for odd modulus in
    cl/447099278 can be removed.
    * Move malloc failure testing into OPENSSL_malloc
    * Const-correct the various EVP_PKEY PEM writers
    * Fix leak in set_dist_point_name error handling.
    * Fix leak in error-handling for issuingDistributionPoint
    * Clear false positives in RSA-OAEP constant time validation
    * Fix some clang-format formatting.
    * Stop clang from un-constant-timing copy_from_prebuf.
    Update-Note: It is possible the above is wrong and some OPENSSL_NO_ASM
    relied on value barriers being disabled. If so, this will break that
    build and we'll need to reconsider.
    * Clear various false positives in RSA constant-time validation
    * Silence an uninitialized variable false positive in GCC.
    * Fix leak on error in v2i_POLICY_MAPPINGS
    * Cap bit indices in the unsafe string-based X.509 extensions API
    Update-Note: If anyone is using FORMAT:BITLIST to create very large BIT
    STRINGs, this will break. This is unlikely and should be caught by
    unit tests; if a project hits this outside of tests, that means they are
    passing untrusted input into this function, which is a security
    vulnerability in itself, and means they especially need this change to
    avoid a DoS.
    * Move OpenSSLConfig.cmake into the cmake/ directory
    * Align header guard style in the remaining headers.
    * Add locale independent implementations of isalpha, isalnum, isdigit, and isxdigit.
    * Fix OPENSSL_NO_ASM builds with the generated CMake build.
    * Remove ASN1_TFLG_COMBINE.
    * Unexport and remove support for implicit tagging on ASN1_ITYPE_EXTERN.
    Update-Note: IMPLEMENT_EXTERN_ASN1 can no longer be used outside the
    library. I found no callers using this machinery, and we're better off
    gradually migrating every <openssl/asn1t.h> user to CBS/CBB anyway.
    * Correctly handle optional ASN1_ITEM_TEMPLATE types.
    * Remove the last of the broken NEON workaround
    * Make X509V3_get_value_int free the old value before overwriting it.
    * Fix leak on invalid input to a2i_GENERAL_NAME.
    * Define BORINGSSL_IMPLEMENTATION in the Bazel build
    * Simplify the external Bazel build.
    * Simplify a pair of Go range expressions
    * Fix stray */s in // line comment license headers
    * Mark standalone Go scripts with go:build ignore
    * Align the generated CMake build with the main one.
    * Check for null value in set_dist_point_name.
    * Fix error-handling in X509V3_EXT_add_nconf_sk and X509v3_add_ext.
    * Remove now unnecessary check in CBS_peek_asn1_tag.
    * Introduce a locale-independent version of isdigit
    * Add a fuzzer for the config file machinery.
    * Rewrite ASN1_generate_v3.
    Update-Note: This code is reachable from the deprecated, string-based
    X.509 extensions API. I've added tests for this, so it should behave
    generally compatibly, but if anything changes for a caller using these
    APIs, this CL is the likely cause. (NB: No one should be using these
    APIs. They're fundamentally prone to string injection vulnerabilities.)
    * Add some tests for optional and default ASN1_BOOLEAN.
    * Introduce constants for ASN1_BOOLEAN
    * Introduce a locale-independent version of isspace
    * Add tests for X509_NAME_hash and X509_NAME_hash_old.
    * Remove old Trust Token redeem API.
    * Remove support for ppc64le.
    Update-Note: BoringSSL no longer supports ppc64le.
    * Switch ERR_GET_* to inline functions
    * Remove ppc64le assembly.
    Update-Note: After this change, ppc64le builds drop assembly
    optimizations and will fall back to a generic C-based AES implementation.
    * Remove ppc64le delocate and FIPS build.
    * Add CBS_get_u64_decimal.
    * Align ppc assembly setup with other architectures
    * Use the same Deleter across all bssl::UniquePtr<T>.
    * Set C11 in all compilers.
    * Reduce architecture detection in CMake.
    Update-Note: If the CMake build fails to build somewhere for
    assembly-related reasons, it's probably from this CL.
    * Work around nasm bug with empty assembly files
    * Also remove poly_rq_mul.S from generate_build_files.py
    * Don't send two post-quantum initial key shares.
    * Drop HRSS assembly.
    * Add a WORKSPACE.toplevel file
    * Unexport BN_MONT_CTX_set_locked.
    Update-Note: This removes a function that can only be used by accessing
    one of BoringSSL's private locks.
    * Align headers in generate_build_files.py output.
    * Maintain a frame pointer in aesni-gcm-x86_64.pl and add SEH unwind codes
    * Don't automatically sync the two CONF parameters in X509V3_EXT_nconf.
    * Convert ghash-x86_64.pl to new directives.
    * Add initial support for SEH directives in x86_64 perlasm
    * Fix inhibitPolicyMapping in the new policy tree code.
    * Rewrite X.509 policy tree logic.
    * Don't test for PMULL when NO_ASM.
    * Indent DB lines in x86_64 NASM output.
    * Reduce caller requirements on X509V3_CTX.
    Update-Note: If using different CONFs in the X509V3_CTX and the function
    parameter, the function parameter is now always used. No callers do
    this, and it's somewhat arbitrary which is used. (The generic code
    always uses the one in ctx. The @section syntax uses the parameter. Then
    the per-extension callbacks use the ctx.)
    * Rename CTX_TEST to X509V3_CTX_TEST.
    Update-Note: CTX_TEST appears to be unused. If affected, switch to using
    X509V3_set_ctx_test instead.
    * Handle errors more normally in asn1_gen.c.
    * Fix crash if '@section' is used with no CONF.
    * Test requireAnyPolicy being a SkipCerts value
    * Test policy mappings from invalid policies.
    * Add stubs for hybrid Kyber768 with X25519 or P-256.
    * Add optimised Aarch64 GCM.
    * Test that policy checking always succeeds with just a trust anchor
    * Remove no-op entries from asn1_str2tag.
    * Const-correct sk_FOO_deep_copy's copy callback.
    * Deprecate, test, and document X.509 config APIs.
    * Remove the last of the filename comments.
    * Further const-correct config-based extension creation.
    * Empty stacks are vacuously sorted
    * Add sk_FOO_delete_if.
    * Add over_message issuance and redemption to Trust Tokens.
    * Remove hmac.h include from ssl.h.
    * Simplify MSVC warning configuration
    * Build rust bindings against header files under current source dir
    * Drop the preference for 256-bit ciphers with CECPQ2.
    * Remove custom CONF methods from X509V3_CTX.
    Update-Note: X509V3_CONF_METHOD is removed. Code search says no one uses
    this.
    * Unexport various X509V3_CTX and NCONF helper functions.
    * Reword hardware support for AES-GCM.
    * Add a link for FIPS cert #4409.
    * [clang-warning] Don't pass -stdlib=libc++ on Apple platforms
    * Use -pthread instead of -lpthread in Bazel.
    * Add some tests for policy mapping.
    * Add some tests for anyPolicy.
    * Fix some memory leaks in policy_cache_new.
    * Add prefetch to aesni_ctr32_ghash_6x
    * Add tests for rejecting duplicate policy OIDs.
    * Fuzz x509v3_cache_extensions.
    * Fix handling of EXFLAG_INVALID_POLICY on the leaf.
    * Restore ASN1_TIME_set_string's behavior on NULL.
    * Fix return value on malloc failure in tree_calculate_user_set.
    * Const-correct and simplify X509_VERIFY_PARAM_set1_policies.
    * Add a basic threading test for X509 verification.
    * Explicitly warn about streaming AEADs with EVP_CIPHER_CTX.
    * acvptool: add support for uploading results.
    * acvptool: factor out getResultsWithRetry
    * acvptool: factor out logic for connecting to the server
    * Switch X509 ex_* flags to uint32_t.
    * Rename and tidy up x509v3_name_cmp.
    * Fix some more implicit size_t truncations.
    * acvptool: factor out uploadResult
    * Unexport X509V3_NAME_from_section and fix the type of chtype.
    * Finish porting dh_test.cc and ripemd_test.cc to GTest.
    * Replace comment with static assert.
    * Add a tool to check whether a binary has an executable stack
    * Disable blinding for boringssl_self_test_rsa().
    * Drop the workaround for the third-party Android CMake toolchain.
    * Fully condition all assembly files.
    * See whether relative links work for the documentation.
    * Add SSL_was_key_usage_invalid.
    * Add an 'all' option to generate_build_files.py
    * delocate: match all the ARM register extension patterns.
    * Fix -Wshorten-64-to-32 errors in ex_data.c.
    * acvptool: KDA replaces KAS-KDF for HKDF.
    * Add NO_CHECK_TIME to SSLTest.ECHBuiltinVerifier too
    * Rewrite i2o_ECPublicKey with CBB_finish_i2d.
    * Fix timebomb by disabling time check in this test
    * [Bazel] Support More Platforms
    * Add int casts to BIO_ctrl calls where appropriate.
    * Switch microsecond and iteration counts in bssl speed to uint64_t.
    * Finish porting dsa_test.cc to GTest.
    * Remove unnecessary L suffixes on DES constants.
    * Fix up some integer types in crypto/asn1
    * Use a sized type for asn1t.h flags.
    * Don't allow the caller to configure invalid signature algorithms.
    Update-Note: This CL makes unknown values fail
    SSL_set_verify_algorithm_prefs, etc. SSL_SIGN_RSA_PKCS1_MD5_SHA1 is
    silently dropped from the list, rather than an error because, although
    documented as incorrect, this hole in the abstraction seems to be
    confusing. I think there's some code in Chromium which accidentally puts
    it in the signing prefs (wrong but harmless) and I often need to explain
    to folks that it doesn't belong in verify prefs (puts it in the
    ClientHello). This makes us tolerate the value by ignoring it.
    * Never accidentally use SSL_SIGN_RSA_PKCS1_MD5_SHA1 at TLS 1.2.
    * Add a copy of ninja from CIPD to util/bot/DEPS
    * Include ctrdrbg.h in the Rust wrapper.
    
    Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases boringssl_crypto_test boringssl_ssl_test
    Change-Id: I610a9df05083e51407fadb98a7cfc46d75028cce
    * Add a tool to check whether a binary has an executable stack
    * Disable blinding for boringssl_self_test_rsa().
    * Drop the workaround for the third-party Android CMake toolchain.
    * Fully condition all assembly files.
    * See whether relative links work for the documentation.
    * Add SSL_was_key_usage_invalid.
    * Add an 'all' option to generate_build_files.py
    * delocate: match all the ARM register extension patterns.
    * Fix -Wshorten-64-to-32 errors in ex_data.c.
    * acvptool: KDA replaces KAS-KDF for HKDF.
    * Add NO_CHECK_TIME to SSLTest.ECHBuiltinVerifier too
    * Rewrite i2o_ECPublicKey with CBB_finish_i2d.
    * Fix timebomb by disabling time check in this test
    * [Bazel] Support More Platforms
    * Add int casts to BIO_ctrl calls where appropriate.
    * Switch microsecond and iteration counts in bssl speed to uint64_t.
    * Finish porting dsa_test.cc to GTest.
    * Remove unnecessary L suffixes on DES constants.
    * Fix up some integer types in crypto/asn1
    * Use a sized type for asn1t.h flags.
    * Don't allow the caller to configure invalid signature algorithms.
    Update-Note: This CL makes unknown values fail
    SSL_set_verify_algorithm_prefs, etc. SSL_SIGN_RSA_PKCS1_MD5_SHA1 is
    silently dropped from the list, rather than an error because, although
    documented as incorrect, this hole in the abstraction seems to be
    confusing. I think there's some code in Chromium which accidentally puts
    it in the signing prefs (wrong but harmless) and I often need to explain
    to folks that it doesn't belong in verify prefs (puts it in the
    ClientHello). This makes us tolerate the value by ignoring it.
    * Never accidentally use SSL_SIGN_RSA_PKCS1_MD5_SHA1 at TLS 1.2.
    * Add a copy of ninja from CIPD to util/bot/DEPS
    * Include ctrdrbg.h in the Rust wrapper.
    
    Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases boringssl_crypto_test boringssl_ssl_test
    Change-Id: I610a9df05083e51407fadb98a7cfc46d75028cce