Snap for 8952093 from f5716ffaefcb9486f7e22ff0deb3e5d6301a3fe9 to sdk-release

Change-Id: I07ddbcdfc26a0ffd4bbc15e00ef030c79022c612
diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs
index ce29210..5b5a4e0 100644
--- a/openssl/src/pkey.rs
+++ b/openssl/src/pkey.rs
@@ -93,7 +93,7 @@
     pub const ED25519: Id = Id(ffi::EVP_PKEY_ED25519);
     #[cfg(ossl111)]
     pub const ED448: Id = Id(ffi::EVP_PKEY_ED448);
-    #[cfg(ossl111)]
+    #[cfg(any(boringssl, ossl111))]
     pub const X25519: Id = Id(ffi::EVP_PKEY_X25519);
     #[cfg(ossl111)]
     pub const X448: Id = Id(ffi::EVP_PKEY_X448);
@@ -243,7 +243,7 @@
     /// This function only works for algorithms that support raw public keys.
     /// Currently this is: X25519, ED25519, X448 or ED448
     #[corresponds(EVP_PKEY_get_raw_public_key)]
-    #[cfg(ossl111)]
+    #[cfg(any(boringssl, ossl111))]
     pub fn raw_public_key(&self) -> Result<Vec<u8>, ErrorStack> {
         unsafe {
             let mut len = 0;
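Review bot: The doc comment on `raw_public_key` still lists X448 and ED448, but in the first hunk of this file only `Id::X25519` gains `boringssl`; `ED448` and `X448` stay behind `#[cfg(ossl111)]`. Now that the method is built for BoringSSL, the list should be qualified, for example `/// Currently this is: X25519, ED25519, X448 or ED448 (X448 and ED448 only with OpenSSL 1.1.1+)`. The same wording issue applies to `raw_private_key` in the next hunk, where it is also worth a doc sentence that the returned `Vec<u8>` holds secret key bytes the caller is responsible for clearing. Both function bodies continue outside their hunks, so the length handling itself is not reviewed here.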
@@ -294,7 +294,7 @@
     /// This function only works for algorithms that support raw private keys.
     /// Currently this is: HMAC, X25519, ED25519, X448 or ED448
     #[corresponds(EVP_PKEY_get_raw_private_key)]
-    #[cfg(ossl111)]
+    #[cfg(any(boringssl, ossl111))]
     pub fn raw_private_key(&self) -> Result<Vec<u8>, ErrorStack> {
         unsafe {
             let mut len = 0;
@@ -483,7 +483,7 @@
     }
 
     /// Generates a new private Ed25519 key
-    #[cfg(ossl111)]
+    #[cfg(any(boringssl, ossl111))]
     pub fn generate_x25519() -> Result<PKey<Private>, ErrorStack> {
         PKey::generate_eddsa(Id::X25519)
     }
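Review bot: The doc comment on `generate_x25519` says "Generates a new private Ed25519 key", which names the wrong algorithm. X25519 is a key-agreement key and Ed25519 a signing key, so a reader choosing a key type from the docs would be misled; suggest `/// Generates a new private X25519 key`. The body delegates to `PKey::generate_eddsa`, whose own `cfg` gate is outside this hunk. It presumably needs `boringssl` enabled as well, otherwise this method will not compile on BoringSSL builds.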
diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs
index 7b587a6..aecbaec 100644
--- a/openssl/src/sign.rs
+++ b/openssl/src/sign.rs
@@ -284,7 +284,7 @@
         self.len_intern()
     }
 
-    #[cfg(not(ossl111))]
+    #[cfg(not(any(boringssl, ossl111)))]
     fn len_intern(&self) -> Result<usize, ErrorStack> {
         unsafe {
             let mut len = 0;
@@ -297,7 +297,7 @@
         }
     }
 
-    #[cfg(ossl111)]
+    #[cfg(any(boringssl, ossl111))]
     fn len_intern(&self) -> Result<usize, ErrorStack> {
         unsafe {
             let mut len = 0;
diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index 0b1d6d6..4faa26f 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -352,6 +352,19 @@
         unsafe { cvt(ffi::X509_sign(self.0.as_ptr(), key.as_ptr(), hash.as_ptr())).map(|_| ()) }
     }
 
+    /// Signs the certificate with a private key but without a digest.
+    ///
+    /// This is the only way to sign with Ed25519 keys as BoringSSL doesn't support the null
+    /// message digest.
+    #[cfg(boringssl)]
+    #[corresponds(X509_sign)]
+    pub fn sign_without_digest<T>(&mut self, key: &PKeyRef<T>) -> Result<(), ErrorStack>
+    where
+        T: HasPrivate,
+    {
+        unsafe { cvt(ffi::X509_sign(self.0.as_ptr(), key.as_ptr(), ptr::null())).map(|_| ()) }
+    }
+
     /// Consumes the builder, returning the certificate.
     pub fn build(self) -> X509 {
         self.0
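Review bot: `sign_without_digest` accepts any `T: HasPrivate` key but passes `ptr::null()` as the digest, and the doc comment does not say what happens when the key is RSA or ECDSA rather than Ed25519. The docs should state that the method is intended for Ed25519 keys and that other key types are expected to fail with an `ErrorStack`; that behaviour is not visible in this hunk and should be confirmed against BoringSSL and covered by a test. The doc sentence is also hard to parse; something like `/// Passes a null digest to X509_sign. BoringSSL requires this for Ed25519 keys, which hash the message internally.` reads more clearly. The `unsafe` block would benefit from a comment such as `// SAFETY: self.0 and key are valid for the duration of the call; a null md is accepted by X509_sign on BoringSSL`.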
@@ -1153,6 +1166,29 @@
         }
     }
 
+    /// Sign the request using a private key without a digest.
+    ///
+    /// This is the only way to sign with Ed25519 keys as BoringSSL doesn't support the null
+    /// message digest.
+    ///
+    /// This corresponds to [`X509_REQ_sign`].
+    ///
+    /// [`X509_REQ_sign`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_sign.html
+    #[cfg(boringssl)]
+    pub fn sign_without_digset<T>(&mut self, key: &PKeyRef<T>) -> Result<(), ErrorStack>
+    where
+        T: HasPrivate,
+    {
+        unsafe {
+            cvt(ffi::X509_REQ_sign(
+                self.0.as_ptr(),
+                key.as_ptr(),
+                ptr::null(),
+            ))
+            .map(|_| ())
+        }
+    }
+
     /// Returns the `X509Req`.
     pub fn build(self) -> X509Req {
         self.0
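Review bot: The new public method on the request builder is spelled `sign_without_digset`, while the matching method added to `X509Builder` in the previous hunk is `sign_without_digest`. Once released, the misspelling becomes part of the public API, so it should be fixed now: `pub fn sign_without_digest<T>(&mut self, key: &PKeyRef<T>) -> Result<(), ErrorStack>`. For consistency with the previous hunk, the hand-written "This corresponds to" link could be replaced by `#[corresponds(X509_REQ_sign)]`. As with the certificate variant, the docs should say the method is meant for Ed25519 keys and what callers should expect for key types that need a digest.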