external/boringssl: Sync to 4d50a595b49a2e7b7017060a4d402c4ee9fe28a2.

This includes the following changes:

* Make googletest a full dependency, not a dev_dependency
* Rename function pointers to avoid shadowing global declaration
* Don't add extra 'informational' errors in the delegate
* Remove remnants of C++ runtime workarounds
* Add a standalone Bazel build
* Reset DTLS1_BITMAP without resorting to memset
* Add an OUT_DIR option for finding bindgen output for Android
Update-Note: When this rolls into Android, remove the sed logic from
Android.bp and instead set up the OUT_DIR cargo emulation.
* Discuss pointer rules in even more detail in API-CONVENTIONS
* short-circuit verification on invalid SPKI
* Add certificates to a couple of tests
* Change unsupported KEM identifier
* Add a CLIENT_AUTH_STRICT_LEAF and SERVER_AUTH_STRICT_LEAF which do STRICT requirements on the leaf certificate, and not STRICT on the rest of the chain.
* Make SSL_CTX_set_keylog_callback constant time
* clarify a few tests
* Add some tests for SSL_CTX_set_keylog_callback
* Switch some pointer arithmetic to spans
* Disable fork detection for Zephyr and CrOS EC
* Enable thread support for Zephyr RTOS
* Fix Zephyr define and description
* Remove unnecessary NULL checks
* Avoid strdup in crypto/err/err.c
* Increase DTLS window size from 64 to 256
* delocate: handle more SVE2 forms.
* Disable `-Wcast-function-type-strict` for `BORINGSSL_DEFINE_STACK_OF_IMPL`.
* Set service indicator for TLS 1.3 KDF.
* Rewrite RAND_enable_fork_unsafe_buffering documentation
* Document that our Unicode APIs reject noncharacters
* Add missing public header for libpki
* Switch EVP_CIPHERs to C99 initializers
* Add a PrivacyInfo plist file
* Make Go an optional build dependency for the CMake build
* Install the Windows toolchain under util/bot
* Reflect latest FIPS updates, including 186-5.
* Update CI build tools
* [rust] Tell Cargo to link cpp runtime library
* Update run_android_tests to exit on invalid ABI
* Move fips_fragments into bcm.internal_hdrs in build.json
* Move internal headers to build.json
* Flatten crypto/CMakeLists.txt into the top-level
* Move crypto_sources to build.json
* Specify public headers in build.json
* Rework the test data story
Update-Note: This will require some tweaks to downstream builds. We no
longer emit an (unwieldy) crypto_test_data.cc file. Instead, tests will
expect test data to be available at the current working directory. This can
be overridden with the BORINGSSL_TEST_DATA_ROOT environment variable.
* Move the rest of sources.cmake into util/pregenerate
* Use source lists to find pki_test data in run_android_tests.go
* Move test data lists to util/pregenerate
* Support glob patterns in build.json
* Correctly sort err_data.c inputs
* Regenerate err_data.c
* Check in pre-generated perlasm and error data files
Update-Note: generate_build_files.py no longer generates assembly files
or err_data.c. Those are now checked into the tree directly.
* Flatten crypto/fipsmodule/CMakeLists.txt up a layer
* Document that null STACK_OF(T) can be used with several functions
* Remove unused flags argument from trust handlers
* Build fips_shared_support.c as part of libcrypto
* Make it plainly obvious this is experimental code.
* Add some barebones support for DH in EVP
* Add verify_errors as public error API
* Fix EVP_PKEY_CTX_dup with EC generation
* Start making asserts constant-time too
* Clear some more false positives from constant-time validation
* Fix X509_ALGOR_set_md()
* Trim unused files from PKI_TEST_DATA
* Remove unnecessary LINKER_LANGUAGE setting in CMake build
* Move ssl and decrepit sources to sources.cmake
* Add threading documentation to DH and DSA
* Make EVP_PKEY_type into the identity function
Update-Note: EVP_PKEY_type used to return NID_undef when given a garbage
key type. Given it is only ever used in concert with EVP_PKEY_id, this
is unlikely to impact anyone. If it does, we can do the more tedious
* Move EVP_PKEY setters to their corresponding type-specific files
* Avoid EVP_PKEY_set_type in EVP_PKEY_new_raw_*_key
* Remove some unnecessary dependencies on EVP_PKEY_set_type
* Gate -Wframe-larger-than on Clang 13
* Make ninja run_tests output less confusing
* X509_ALGOR_set_md is a mess, document it
* Filter out DW.ref.__gxx_personality_v0 in read_symbols.go
* Remove unused app_data from EVP_CIPHER
* Re-remove unnecessary stat calls from by_dir.c
* Add a regression test for error handling and hash_dir
* Fix spelling of Identifier
* Revert "Remove unnecessary stat calls from by_dir.c"
* Don't dereference hs->credential on TLS 1.2 PSK ciphers
* Add ERR_lib_symbol_name and ERR_reason_symbol_name
* Fix a number of cases overwriting certificates, keys, etc. with SSL_CREDENTIAL
* Set -Wframe-larger-than=25344 for a typical cmake clang compile.
* Make crypto_test build with -Wframe-larger-than=25344
* Revert "Add a Dilithium implementation."
* Fix sha1 dynamic dispatch issues.
* Remove an unused runner/shim flag in SSL tests
* Only negotiate ECDHE curves and sigalgs once
* Add an SSL_CREDENTIAL API for ECDSA/RSA and delegated credentials
Update-Note: The delegated credentials API has been revamped.
Previously, it worked by configuring an optional delegated credential
and key with your normal certificate chain. This has the side effect of
forcing your DC issuer and your fallback certificate to be the same. The
SSL_CREDENTIAL API lifts this restriction.
* Rename CRYPTO_get_ex_new_index to CRYPTO_get_ex_new_index_ex
* Remove unused group_id parameter in TLS 1.3 cipher suite selection
* Check ECDSA curves in TLS 1.2 servers
Update-Note: A TLS 1.2 (or below) server, using an ECDSA certificate,
connecting to a client which doesn't advertise its ECDSA curve will now
fail the connection slightly earlier, rather than sending the
certificate and waiting for the client to reject it. The connection
should fail either way, but now it will fail earlier with
SSL_R_WRONG_CURVE. If the client was buggy and did not correctly
advertise its own capabilities, this may cause a connection to fail
despite previously succeeding. We have included a temporary API,
SSL_set_check_ecdsa_curve, to disable this behavior in the event this
has any impact, but please contact the BoringSSL team if you need it,
as it will interfere with improvements down the line.
* Inline CBS_init, CBS_data, and CBS_len
* Check client certificate types in TLS <= 1.2
Update-Note: A TLS 1.2 (or below) client, using client certificates,
connecting to a TLS server which doesn't support its certificate type
will now fail the connection slightly earlier, rather than sending the
certificate and waiting for the server to reject it. The connection
should fail either way, but now it will fail earlier with
SSL_R_UNKNOWN_CERTIFICATE_TYPE. If the server was buggy and did not
correctly advertise its own capabilities (very very unlikely), this may
cause a connection to fail despite previously succeeding. We have
included a temporary API, SSL_set_check_client_certificate_type, to
disable this behavior in the unlikely event this has any impact, but
please contact the BoringSSL team if you need it, as it will interfere
with improvements down the line.
* runner: Add a test for hint mismatch due to public key
* Add a Dilithium implementation.
* Tidy up Rust HPKE binding.
* Move spx from internal to include/openssl/experimental
* runner: Configure all relevant fields from the Credential type
* runner: Rename CertificateChain to Credential
* Align CRYPTO_get_ex_new_index with the public API's calling convention
* Make bssl_shim's setup logic infallible
* Slightly simplify ssl_x509.cc
* Forbid RSA delegated credentials
* Fix delegated credential signature algorithm handling
* Make DelegatedCredentials-KeyMismatch test less confusing
* Use slices.Contains in ssl/test/runner
* Fold ssl_add_cert_chain into its caller
* runner: Remove the ability to configure multiple certificates
* runner: Use go:embed
* Generate certs on the fly in runner, pass trusted cert to shim
* Make pki_sources available to Soong
* Finish documenting x509.h
* Add safety comments to bssl-sys
* Test X509_verify_cert with CAs that share a name
* Document the remaining struct types in x509.h
* Expand and document the remaining DECLARE_ASN1_* macros
* Unexport i2d, d2i, and ASN1_ITEM for X.509 interior types
Update-Note: Some interior ASN.1 types no longer have d2i and i2d
functions or ASN1_ITEMs. I checked code search and no one was using any
of these. We can restore them as needed.
* Document filesystem-based X509_STORE APIs
* Document APIs relating to built-in and custom extensions
* Add tests for what happens when no certificate is configured
* Introduce a test helper for asserting on the error
* Make an include/openssl/experimental. Move kyber to it for now.
Update-Note: <openssl/kyber.h> has moved to
* Deprecate and simplify SSL_CTX_check_private_key
* Use a more fine-grained lock in by_dir.c
* Remove unnecessary stat calls from by_dir.c
* Use std::copy instead of OPENSSL_memcpy for the internal bssl::Array::CopyFrom
* Consistently open files in binary mode on Windows
Update-Note: BIO_read_filename, etc., now open in binary mode on
Windows. This matches OpenSSL behavior.
* Add some tests for X509_LOOKUP_hash_dir
* Add some utilities for testing temporary files
* Remove redundant piece of DC state
* Test an unusual split between context and connection configuration
* Remove redundant bssl_sys import
* Remove some impossible null checks
* Remove some indirection in SSL_certs_clear
* Make an internal RefCounted base class for libssl
* Const-correct the 'kstr' parameter of PEM functions
* Implement Hybrid Public Key Encryption in Rust.
* Use BIO_TYPE_* constants for flags
* Move capability checks in sha256-586.pl to C
* Integrate TLS 1.2 sigalg and cipher suite selection
Update-Note: TLS 1.2 servers will now consider RSA key exchange when the
signature algorithm portion of ECDHE_RSA fails. Previously, the
connection would just fail. This change will not impact any connections
that previously succeeded, only make some previously failing connections
start to succeed. It also changes the error returned in some cases from
* Remove old "check for P4" in sha256-586.pl
* Document some miscellaneous x509.h functions
* Move capability checks in sha1-586.pl to C
* Write down the bounds for the sha*_block_data_order functions
* Move capability checks in chacha-x86.pl to C
* Remove OPENSSL_IA32_SSE2 checks in x86 perlasm
* Update delegated credentials to the final RFC
* Don't report libpki headers as part of libcrypto
Update-Note: Downstream Bazel and GN builds that build libpki may need
to also list the pki_headers variable.
* bssl-crypto: remove unused code.
* Add x509.h to doc.config
* Unexport DIST_POINT_set_dpname
* Allow a C++ runtime dependency in libssl
Update-Note: libssl now requires a C++ runtime, in addition to the
pre-existing C++ requirement. Contact the BoringSSL team if this
causes an issue. Some projects may need to switch the final link to
use a C++ linker rather than a C linker.
* Rewrite the warning about X509_AUX
* Remove pki/tag.h
Update-Note: pki/tag.h no longer exists. Use CBS_ASN1_TAG instead of
bssl::der::Tag and CBS_ASN1_* instead of bssl::der::k*.
* Work around bindgen bug around constants
* Guard C++ headers.
* Include verify_unittest files in PKI_TEST_DATA
* Switch to bindgen's static inline support
Update-Note: Rust support now requires your build correctly handle
--wrap-static-fns. On Android, you will need to enable the
unsupported_inline_wrappers cfg option until b/290347127 is fixed.
Chromium doesn't actually use any of the inline functions yet, so we can
handle --wrap-static-fns asynchronously, but I have a CL ready to enable
* Document X509_V_FLAG_*
* Merge X509_PURPOSE/X509_TRUST IDs and indices
* Unexport most of X509_TRUST and X509_PURPOSE and simplify
* Add X509_STORE_get1_objects
* Mark ASN1_STRFLAGS_* and XN_FLAG_* with the right type
* Remove unused include in now public header
* Move signature_verify_cache.h to openssl/pki as public api
* Make ContainsError look only for Errors, not Warnings.
* Don't assume that Fiat assembly is available on Windows.
* Add public API for a certificate.
* Allow the delegate to indicate it wishes to accept PreCertificates when building chains.
* Use uint64_t for num_read and num_write in BIO
* Add functions to convert from Span<const uint8> and std::string_view
* Minor formatting fixes
* Expose OPENSSL_timegm in posix_time.h
* Add SSL_get0_chain method
* Tighten up the warning about RSAES-PKCS1-v1_5
* Avoid conversion overflow from struct tm.
* Ensure additions in this call can't overflow.
* Create a new NameConstraints constructor that takes in an already constructed GeneralNames object for permitted names.
* Fix strict aliasing issues with DES_cblock
* Require SSE2 when targeting 32-bit x86
Update-Note: Building for 32-bit x86 may require fixing your builds to
pass -msse2 to the compiler. This will also speed up the rest of the
code in your project. If your project needs to support the Pentium III,
please contact BoringSSL maintainers.
* Remove unused files from pki
* Move NEON dispatch in bn_mul_mont to C
* Rewrite bn_big_endian_to_words to avoid a GCC false positive
* Enable SSE2 intrinsics on MSVC
* Rename <openssl/time.h> to <openssl/posix_time.h>
Update-Note: <openssl/time.h> has moved to <openssl/posix_time.h>
* Tweak generate_build_files.py output to pass gn's formatter
* Remove remnants of the old Android CMake toolchain
* bn: Move ia32cap_P references from x86_64-mont.pl to C.
* Stop generating unused assembly for 32-bit iOS
* Fix SHA ABI tests
* sha: Move Armv7 dispatching to C (reland)
* bn: Move x86-64 argument-based dispatching of bn_mul_mont to C.
* Import upstream's tests for DES_ede3_cfb_encrypt
* Move single-use macros from internal.h to des.c
* Unexport uint32_t-based DES APIs
* Import upstream tests for CVE-2024-0727
* aes gcm: Remove Atom Silvermont optimizations.
* Arrange other X509_STORE, etc. symbols into sections
* Simplify purpose checks
* Stop processing the Netscape cert type extension
Update-Note: Certificates with a critical Netscape cert type extension
will now be rejected by the certificate verifier, matching the behavior
of the Chromium verifier. Non-critical extensions will continue to work
fine. They will instead be ignored.
* Remove X509_STORE_CTX_purpose_inherit
* Document and test X509_PURPOSE and X509_TRUST machinery
* Fix threads detection for CROS_EC/CROS_ZEPHYR
* Stop passing der::Input by const-ref
* Make der::Input a little closer to Span
* Remove pki/patches
* Document assumptions made by bssl-crypto's unboxed HMAC_CTX
* delocate: update to handle SVE2
* Use four-iterator std::equal for bssl::Span::operator==
* Avoid unions in CCM
* Reworking bssl_crypto: don't use zero keys in examples.
* Fix AES-GCM-SIV with huge inputs on 32-bit.
* Reworking bssl_crypto: support AES-GCM-SIV open_gather.
* Reworking bssl_crypto: bump version and fix license.
* Reworking bssl_crypto: Sync+Send for ECC and RSA.
* Reworking bssl_crypto: tidy up module list.
* Reworking bssl_crypto: Add RSA support
* Reworking bssl_crypto: Ed25519
* Reworking bssl_crypto: add ECDSA support
* Reworking bssl_crypto: rand
* Reworking bssl_crypto: ECDH
* Reworking bssl_crypto: make with_output_array_fallible use a bool.
* Reworking bssl_crypto: AES
* Reworking bssl_crypto: AEAD
* Clarify that X509_NAME_hash(_old) are specific to hash-dir
* Reduce the BER conversion recursion depth
* Fix a bug detecting BER deeply nested inside DER
* Replace CONF's internal representation with something more typesafe
* Elaborate a bit on static vs dynamic EC_GROUPs in documentation
* Have generate_build_files.py output Rust sources.
* Make the debug vs release build note in BUILDING.md more prominent
* Simplify Montgomery RR precomputation.
* Update build tools on CI
* Disable the __SHA__ static check for now
* Update Go dependencies
* Clear some false positives in constant-time validation
* Fix segfault if CRYPTO_set_thread_local fails and calls rand_thread_state_free.
* Move CRL_REASON_* back to x509v3.h
* Reworking bssl_crypto: HMAC
* Reworking bssl_crypto: HKDF
* Reworking bssl_crypto: imports_granularity = "Crate"
* Reworking bssl_crypto: digest
* Reworking bssl_crypto: x25519
* Revert "sha: Move Armv7 dispatching to C"
* acvp: test with internal nonce generation.
* chacha: Move x86-64 CPU & length dispatching from assembly to C.
* Do not condition CRYPTO_is_RDRAND_capable on __RDRND__
* Fix PKI test data list in sources.cmake
* Remove all -1 returns from X509_check_purpose
* Add some more TSan tests for crypto/x509
* Some miscellaneous openssl/x509.h documentation fixes
* Const-correct a bunch of X509_STORE_CTX functions
* Move some deprecated X.509 functions into the deprecated section
* Const-correct X509_alias_get0 and X509_keyid_get0
Update-Note: The above functions are now const-correct. Store the result
in a const pointer to avoid compatibility issues.
* Add a missing error check for sk_X509_push
* Fix error-handling convention in x509_vfy.c and avoid -1 returns
Update-Note: X509_verify_cert no longer returns -1 on some error
conditions, only zero.
* Forbid unusual return values out of verify_cb
Update-Note: If the verify callback returns anything other than 0 or 1,
X509_verify_cert will now crash in BSSL_CHECK. If this happens, fix the
callback to use the correct return value.
* get_issuer can never return -1
* Make X509_V_FLAG_NOTIFY_POLICY into a no-op
Update-Note: X509_V_FLAG_NOTIFY_POLICY is now a no-op. This is not
expected to impact anyone.
* Remove X509_STORE_CTX_get0_current_issuer
Update-Note: Removed an unused function.
Change-Id: I545e654d6c8f0a7973636217f3da27d05c0ef831
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65068
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
* Remove remnants of Netscape Server Gated Crypto from the new verifier
Update-Note: SHA-1 certificates with the Netscape SGC OID will no longer
skip their EKU check in the new verifier. By default, SHA-1
certificates are rejected, in which case this only impacts error
reporting, not which certificates are ultimately accepted.
* Make configure_callback in x509_test.cc take the X509_STORE_CTX
* Use X509_get0_pubkey to simplify things slightly
* Eagerly compute the cached EVP_PKEY in X509_PUBKEY
* Test signature verification in X509_verify_cert
* Fix X509_PUBKEY_set0_param to clear the cached EVP_PKEY
* Do a better job testing expiration checks
* Allow for the path builder to limit the number of valid paths.
* Warn more explicitly not to use the callback in SSL_set_verify
* Simplify some logic around X509_verify_cert callbacks
* Remove X509_STORE_set_get_issuer
Update-Note: Removed a handful of unused functions.
* chacha: Move 32-bit Arm CPU dispatch from assembly to C
* chacha: Move ARMv8 OPENSSL_armcap_P dispatching from assembly to C.
* Move dispatch from sha512-586.pl to C
* Allow creation of HKDF using PRK byteet.
* Remove SSE2 checks in 32-bit x86 assembly
* [DEPS] Migrate from Chromium git to CIPD
* Add re-exports for making inline functions available
* Add HPKE secret export and implement Send for EvpHpkeCtx.
* Make Dilithium pass constant-time validation
* bn: Move dispatching logic from x86_64-mont5.pl to C.
* Add verify.cc and verify.h as top level public API.
* Add certificates to the remaining ECH client tests
* Re-apply dilithium and make it work with a limited stack
* Add tests for some odd escaping behavior in the CONF parser
* Test some more CONF edge cases

Test: treehugger
Test: atest boringssl_crypto_test
Test: atest boringssl_ssl_test
Change-Id: I99443e9ead57e854ccb77e47bbab1c1f892be480
519 files changed