external/boringssl: Sync to c1e156ae16fa8b61af9b5d2b74e59d3f86e141be.

This includes the following changes:


* Add DH_compute_key_padded.
Update-Note: No compatibility impact, but callers that use
DH_compute_key and then fix up the removed leading zeros can switch to
this function. Then they should migrate to something else.
* Fix client 0-RTT handling with ALPS.
* acvp: add XTS support.
* doc: fix SSL_set0_rbio
* Add support for the new QUIC TLS extension codepoint
* delocate: preprocess perlasm output on Aarch64
* Replace MockQUICTransport tags with record types.
* Run extension tests at all protocols.
* Make QUIC tests work with early data.
* Make QUIC work with -async tests.
* Fix ALPS state machine in QUIC servers.
* runner: Allow tokbind without RI/EMS in TLS 1.3.
* Test that ALPS can be deferred to the ALPN callback.
* Send ECH acceptance signal from backend server.
* delocate: handle Aarch64 assembly in parser.
* Add ASM optimizations for Windows on Arm
* Use gai_strerrorA on Windows.
* Optimize suffix building in FileTest::ReadNext().
* A handful more compatibility functions.
* Update HPKE to draft-irtf-cfrg-hpke-07.
* acvp: drop subprocess_test.go
* Add some OpenSSL-compatibility aliases
* delocate: eliminate expression from vpaes assembly.
* delocate: support alternative comment indicators
* Update third_party/googletest.
* acvp: add tests
* Fix chacha20_poly1305_x86_64.pl comments.
* Fix awkward wording in comment.
* Update ECH GREASE to draft-ietf-tls-esni-09
* Gerrit ignores <sup>; use Unicode superscript instead.
* acvp: better document the subprocess protocol.
* Add .text.unlikely.* pattern to fips_shared.lds.
* acvp: fix silly errors.
* acvp: load config later.
* Allow some non-minimal lengths in BER.
* Export tool_sources to GN.
* Use more efficient std::string::find overload.
* Revert "Add support for the new QUIC TLS extension codepoint"
* Move DH parameter generation out of the FIPS module.
* Add support for the new QUIC TLS extension codepoint
* Use stdlib.h instead of cstdlib in span.h.
* Check for trailing data in X509Test.GeneralName.
* Fix ChaCha20-Poly1305 x86-64 asm on Windows
* Include bn.h from bn/internal.h
* acvp: add support for finite-field Diffie–Hellman.
* Move DH code into the FIPS module.
* Remove unused Netware codepaths in x86 perlasm.
* Finish switching to NASM.
Update-Note: If an x86 Windows asm build breaks, switch from Yasm to
NASM. We're also no longer testing NASM on x86_64 Windows, but there
wasn't any patch to revert.
* Switch to passive entropy collection for Android FIPS.
* Skip ASN.1 template tests in Windows shared library builds.
* Add TLS_KDF to documented break tests.
* acvp: add support for KAS
* Align armv8.pl references to OPENSSL_armcap_P.
Update-Note: If aarch64 builds get some weird error about relocations,
it's this CL's fault.
* Reject bad ASN.1 templates with implicitly-tagged CHOICEs.
* Implement GREASE for ECH (draft-ietf-tls-esni-08).
* acvp: add TLS KDF support
* acvp: tweak config
* acvp: fix subprocess_test.go
* Const-correct GENERAL_NAME_cmp.
* Fix EDIPartyName parsing and GENERAL_NAME_cmp.
* PWCT failures should clear the generated key.
* Get closer to Ed25519 boundary conditions.
* draft-ietf-tls-certificate-compression is now RFC 8879.
* Update FIPS.md to include latest FIPS certificate.
* Only accept little-endian ARM and MIPS variants in base.h.
Update-Note: CPU processor defines are a mess. If a little-endian ARM or
MIPS build breaks, some of the assumptions above may be wrong. In that
case, the output of $CC -dM -E - < /dev/null on the offending toolchain
will be useful to fix it. If a big-endian ARM or MIPS build breaks, this
is working as intended. Any resulting binaries weren't producing the
right outputs.
* aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode
* Improve sk_dup.
* Poly1305: Use |size_t|; assert |poly1305_state| is large enough.
* util/fipstools/acvp/acvptool: buffer signal channel to avoid losing signal
* Add digest.h to self_check.c
* Document ASN1_STRING.
* acvp: add SHA-512/256 support.
* Add FIPS self test for the TLS KDF.
* Rename the master_key field in SSL_SESSION to secret.
* Always check the TLS 1.3 downgrade signal.
Update-Note: SSL_CTX_set_ignore_tls13_downgrade,
SSL_set_ignore_tls13_downgrade, and SSL_is_tls13_downgrade now do
nothing. Call sites should be removed. (There are some copies of older
Chromium lying around, so I haven't removed the functions yet.) The
enforcement was already on by default, so this CL does not affect
callers that don't use those functions.
* Fix NETSCAPE_SPKI_get_pubkey documentation.
* Const-correct and document more X509 functions.
* Add APIs for checking ASN.1 INTEGERs.
Update-Note: This CL does not change behavior, but I'm leaving a note to
myself to make net/der/parse_values.cc call the new functions.
* Remove some unnecessary pointer casts.
* Document the basic ASN1_STRING functions.
* Document some defaults for the EVP RSA interface.
* Rearrange ASN1_STRING_copy slightly.
* Remove the legacy MSTRING M_ASN1 macros.
Update-Note: Some M_ASN1 macros were removed. Code search says there
were no uses, and OpenSSL upstream removed all of them.
* Switch M_ASN1_TIME macros within the library.
* Unwind M_ASN1_* macros for primitive types.
Update-Note: Some external code uses the M_ASN1_* macros. This should
remain compatible, but some type errors may have gotten through
unnoticed. This CL restores type-checking.
* Reformat and convert comments in asn1.h.
* aarch64: Fix name of gnu property note section
* Re-reformat x509.h.
* Document X509V3_add1_i2d and friends.
* Unexport internal crypto/asn1 functions.
Update-Note: Code search says these are unused. If someone's using them,
we can reexport them.
* Unwind some old ASN.1 ifdefs.
* Remove some unused types from asn1t.h.
* Unwind ASN1_TFLG_NDEF.
Update-Note: Types that use one of the NDEF macros in asn1t.h will fail
to compile. This CL should not affect certificate parsing.
Update-Note: Types using IMPLEMENT_COMPAT_ASN1 from openssl/asn1t.h will
fail to compile. This CL should not affect certificate parsing.
Update-Note: Types using ASN1_BROKEN_SEQUENCE from openssl/asn1t.h will
fail to compile. This CL should not affect certificate parsing.
* Const-correct various X509 string parameters.
* Document the next few functions in x509.h
* Remove sk_new_null call.
* acvp: move inner MCT loops into subprocess.
* Fix x509_rsa_ctx_to_pss when saltlen is md_size.
* Document the X509V3_get_d2i family of functions.
* runner: explicitly signal error from handshaker.
* runner: add -skip
* Add functions for manipulating X.509 TBS structures.
* Remove ASN1_STRING_length_set prototype.
* Update Go on the bots.
* Rework vs_toolchain.py and vs_env.py.
* Add ECDSA verify KAT to FIPS self-tests.
* Add AES-GCM AEADs with internal nonce generation.
* Define a constant for the standard GCM nonce length.
* Add test for X25519-containing certificate.
* Add SSL_early_data_reason_string.
* Add raw redeem API.
* aarch64: Remove some flavour conditionals
* Have fewer opaque booleans in aead_test.cc
* acvp: RSA signature verification tests.
* acvp: RSA signature generation tests.
* acvp: support RSA key generation tests.
* Support 4096-bit keys in FIPS mode.
* Reland "Check AlgorithmIdentifier parameters for RSA and ECDSA signatures.""
Update-Note: Some invalid certificates will now be rejected at
verification time. Parsing of certificates is unchanged.
* acvp: add 3DES-CBC support
* acvp: add 3DES-ECB support
* Clear some reported gcc -Wshadow warnings.
* Const-correct X509V3_extensions_print.
* clang-format and convert comments in x509v3.h.
* aarch64: Improve conditional compilation
* Silence some linter checks.
* acvp: update subprocess_test.go
* Update clang.
* Implement draft-vvv-tls-alps-01.
* Simplify 0-RTT tests.

Bug: 160351436
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I1fb4105341a73be9d5f978301f7318e16027f37d
300 files changed