external/boringssl: Sync to 345c86b1cfcc478a71a9a71f0206893fd16ae912.

This includes the following changes:

https://boringssl.googlesource.com/boringssl/+log/a9670a8b476470e6f874fef3554e8059683e1413..345c86b1cfcc478a71a9a71f0206893fd16ae912

* Switch CRYPTO_BUFFER_POOL to SipHash-2-4.
* LSC: Apply clang-tidy's modernize-use-bool-literals to boringssl
* Fix mac_arm64 builder.
* Put Rust binding generation behind an explicit flag and only build bindings for the targeted Arch
* Add ARMV8_SHA512 detection for Fuchsia.
Update-Note: This CL is written assuming we can just rely on the SDK
changes. Per go/fuchsia-sdk-age, this seems fairly safe. If this file
fails to build due to missing symbols, update your project's Fuchsia
SDK. If this blocks something, let us know.
* Generates "low-level" bindings for Rust using bindgen
* Add note about Gerrit account creation
* Make EVP_AEAD_CTX_free accept NULL.
* Zero out the values from the integrity check.
* Ignore duplicates in |X509_STORE_add_*|
* Don't #include "internal.h" twice.
* Version bump: 2 -> 3.
* Simplify __ARM_ARCH__ definition.
Update-Note: ARM assembly now requires the compiler define __ARM_ARCH.
This is not expected to break Clang or GCC from the last 8 or 9 years.
* Don't use __ARMEL__/__ARMEB__ in aarch64 assembly
* Switch __ARM_FEATURE_CRYPTO to __ARM_FEATURE_{AES,SHA2}.
* Move CPU detection symbols to crypto/internal.h.
* Move public APIs from cpu.h to crypto.h.
Update-Note: As part of this, I conditioned cpu-arm-linux.c on
OPENSSL_LINUX, so that the header files can have accurate conditions.
This means unrecognized ARM platforms that do not set
OPENSSL_STATIC_ARMCAP will fail to build, where previously we defaulted
to the Linux mechanisms. This matches cpu-aarch64-linux.c, which is
already gated on OPENSSL_LINUX. (And the file is quite Linux-specific.
Even if a non-Linux ELF target used getauxval for ARM capabilities, it's
unlikely that our hardcoded constants and /proc behavior applies
anyway.)
* Rename CPU feature files with underscores.
* Enable SHA-512 ARM acceleration when available.
Update-Note: Consumers with a different build setup may need to
limit -D_XOPEN_SOURCE=700 to Linux or non-Apple platforms. Otherwise,
<sys/types.h> won't define some typedef needed by <sys/sysctl.h>. If you
see a build error about u_char, etc., being undefined in some system
header, that is probably the cause.
* Sync sha512-armv8.pl up to 753316232243ccbf86b96c1c51ffcb41651d9ad5.
* Import sha512-armv8.pl transforms from upstream NEON code.
* Import a few test vectors from OpenSSL.
* Use uint16_t in TestConfig and enable -Wformat-signedness.
* Reorder flags to match TestConfig struct.
* Rewrite bssl_shim command-line parser.
* Fix X509_CRL_print error-handling.
* Silence -Wformat-signedness when printing X.509 versions.
* Don't print small, negative serial numbers in decimal.
* Fix the easy -Wformat-signedness errors.
* Add BIO_tell and BIO_seek wrappers.
* Remove non-standard wildcard input DNS names.
Update-Note: ".example.com" as an input DNS name will no longer match
"www.example.com" in a certificate. (Note this does not impact wildcard
certificates. Rather, it removes a non-standard "reverse wildcard" that
OpenSSL implemented.)
* Rewrite X.509 name-matching tests.
* Remove non-standard X.509 DNS wildcard matching.
Update-Note: BoringSSL will no longer accept wildcard patterns like
*www.example.com or www*.example.com. (It already did not accept
ww*w.example.com.) X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS will also be
ignored and can no longer be used to allow foo.bar.example.com to match
*.example.com.
* Make X509_REVOKED opaque.
Update-Note: Use X509_REVOKED accessors rather than reaching into the
struct.
* Document |SSL_set1_host| return values.
* Add |SSL_set1_host| and |SSL_set_hostflags|.
* Add ERR_set_error_data for compatibility.
* Add BN_GENCB_new, BN_GENCB_free, and RSA_test_flags.
* Remove X509_REVOKED.sequence.
* Binary tag bump: 1 -> 2
* Export PKCS12_DEFAULT_ITER.
* Add SSL_has_pending.
* Update HPKE test vectors.
* Add various OpenSSL compatibility functions.
* Add PKCS7_bundle_raw_certificates function which takes CRYPTO_BUFFERs

Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I6348ef26c5afb28e09132acd267be700de379cc8
170 files changed