tree 365be456e3fe5cb1b88fd54f3c8cab713ebbc0d1
parent 08f1b2ef26b4759a44e131935ad49056e9f11a81
author Piotr Sikora <piotrsikora@google.com> 1520472765 -0800
committer Piotr Sikora <piotrsikora@google.com> 1521532243 +0000

Bazel: update BoringSSL to ec55dc1 / 25999bc (master-with-bazel).

This update includes the following changes:

ec55dc15 Update tools.
929a9d7d Don't bother retrying in bn_blinding_create_param.
f8058d41 Add M=8 L=2 AES-128-CCM as well.
8df8e642 Record whether dummy PQ padding was used.
8d4f7e54 Remove redundant assertion in fe_mul_121666_impl.
4702db63 Update dummy PQ extension for round two.
8041d8c4 third_party: re-format METATADA files
c0178640 Update link to CMVP certificate.
e745b25d Remove trailing whitespace from ssl/.
672f6fc2 Always use adr with __thumb2__.
36714fc8 Remove redundant length-check in |ec_wNAF_mul|.
02d696f2 Delete |pthread_key_t| on dlclose.
ed626ec9 Merge NIAP and FIPS test suites.
085955c5 Actually use the u64 cast.
f16cd427 Add AES_128_CCM AEAD.
78a832d7 Document RSAZ slightly better.
c03ecb93 Remove SSLv3_method and friends.
1bf2337f Reject compressed ECDH coordinates in TLS.
67968895 Remove unused strings.h #include from crypto/mem.c
02cca198 clang-format RSAZ C code.
10443f5a Adjust comment on potential R^3 optimization.
862e0d2e Add cpu-aarch64-fuchsia.c
638a408c Add a tuned variable-time P-256 multiplication function.
6e4ff114 Merge Intel copyright notice into standard
f6cf8bbc Sync up AES assembly.
6dc99426 Sync up some perlasm license headers and easy fixes.
0f4f6c2e p256-x86_64.pl: add CFI directives.
02808ddc p256-x86_64-asm.pl: Win64 SEH face-lift.
05640fd3 p256-x86_64-asm.pl: Add OpenSSL copyright
8ae929f1 p256-x86_64.pl: update commentary with before-after performance data.
d25e62e7 Return NULL instead of zero in |bn_resized_from_ctx|.
38c20fe8 Fix threading issues with RSA freeze_private_key.
61dedd68 Don't crash when failing to set affine coordinates when the generator is missing.
376f3f17 Add BN_count_low_zero_bits.
d24cb22c Make BN_cmp constant-time.
ac383701 Simplify bn_mul_part_recursive.
6488f4e2 Fix over-allocated bounds on bn_mul_part_recursive.
2bf82975 Make bn_mul_part_recursive constant-time.
6541308f Don't allocate oversized arrays for bn_mul_recursive.
34a2c5e4 Make bn_mul_recursive constant-time.
b01dd1c6 Make bn_sqr_recursive constant-time.
3b3e12d8 Simplify BN_bn2bin_padded.
be837402 Make the rest of RSA CRT constant-time.
150ad30d Split BN_uadd into a bn_uadd_fixed.
5b10def1 Compute mont->RR in constant-time.
6f564afb Make BN_mod_*_quick constant-time.
eaa80b70 Remove DSA k+q kludge.
08805fe2 Normalize RSA private component widths.
c7b6e0a6 Don't leak widths in bn_mod_mul_montgomery_fallback.
08d774a4 Remove some easy bn_set_minimal_width calls.
09633cc3 Rename bn->top to bn->width.
23223ebb Tidy BN_bn2hex and BN_print with non-minimal inputs.
cb4e300f Store EC field and orders in minimal form.
226b4b51 Make the rest of BIGNUM accept non-minimal values.
45210dd4 Tidy up |ec_GFp_simple_point2oct| and friend.
2044181e Set output point to the generator when not on the curve.
a3123910 cavp_tlskdf_test.cc: include errno.h since errno is referenced.
091b455f Support running CAVP tests on an Android device.
472ba2c2 Require that Ed25519 |s| values be < order.
f4b708cc Add a function which folds BN_MONT_CTX_{new,set} together.
feffb871 Make BN_bn2bin_padded work with non-minimal BIGNUMs.
385e4e9d Handle directive arguments with * in them.
6c414655 Remove redundant bn->top computation.
7979dbed Use bn_resize_words in BN_from_montgomery_word.
76ce04be Fix up BN_MONT_CTX_set with non-minimal values.
0758b683 Reject negative numbers in BN_{mod_mul,to,from}_montgomery.
9a5bfc03 Tidy up BN_mod_mul_montgomery.
2ccdf584 Factor out BN_to_montgomery(1) optimization.
dc8b1abb Do RSA sqrt(2) business in BIGNUM.
43cf27e7 Add bn_copy_words.
ad5cfdf5 Add initial support for non-minimal BIGNUMs.
884086e0 Remove x86_64 x25519 assembly.
fa651134 Push an error if custom private keys fail.
48669209 Fix fuzzer mode suppressions.
ddb57cfb Add tests for split handshakes.
3fe8fa74 Add initial, experimental support for split handshakes.
7e5dd25d Remove draft22 and experiment2.
3c034b2c Add support for QUIC transport params.
a62dbf88 Move OPENSSL_FALLTHROUGH to internal headers.
5301c10c ssl_verify_peer_cert: implement |SSL_VERIFY_NONE| as advertised.
e8d2439c Expose ssl_session_serialize to libssl.
0ab3f0ca Notice earlier if a server echoes the TLS 1.3 compatibility session ID.
0ab86cf6 Require only that the nonce be strictly monotonic in TLS's AES-GCM
449a9e6a Make the gdb window larger.
ab5a947d Reslice TLS AEAD setup.
c61b5771 Add some more utility functions to bytestring.
5a869aa3 Documentation typo.
610cdbb1 Switch some ints to bools and Spans.
32b59402 Don't leak the exponent bit width in BN_mod_exp_mont_consttime.
cb1ad205 Use 51-bit limbs from fiat-crypto in 64-bit.
a1bc1ba4 Fix up CTR_DRBG_update comment.
8017cdde Make BN_num_bits_word constant-time.
b9f30bb6 Unwind total_num from wNAF_mul.
d86c0d28 Pull the malloc out of compute_wNAF.
6ca09409 Always compute the maximum-length wNAF.
a42d7bee Reorganize curve25519.c slightly.
0c1eafc6 Add additional constants to make_curve25519_tables.py.
522ad7e8 Use EC_SCALAR for compute_wNAF.
338eeb0c Remove r_is_inverted logic.
2d77d408 Generate curve25519 tables with a script.
042b49cf Extract curve25519 tables into a separate header.
5d940871 Remove unnecessary window size cases.
4111dd2f Don't compute a per-scalar window size in wNAF code.
186df3a6 Implement fe_sq2_tt with fe_sq_tt.
a7bc9448 Don't use the client_random entropy for GREASE.
44fd6eee Split BORINGSSL_self_test into its own file.
98e24197 add missing #includes
a4f78775 [ndk] Change ndk deps in src and relocate to third_party/boringssl
cb15cfda Add draft23 tests.
f2e7b220 Extract FIPS KAT tests into a function.
36fcc4ca Implement Token Binding
8d67f6f0 Update tools.
017fbf09 Fix sort order.
05a84344 Support AVX-512 instructions with a writemask in delocate.
bb1e5cbb Use -gcv8 instead of -g cv8.
5ab54840 Support |alignof|/|alignas| in GCC 4.7.
c7ef069a Fix format-string error in delocate.go.
37c6eb42 Support TLS KDF test for NIAP.
e80c7c06 Support KAS tests for NIAP.
92b8ecdd Change from configuring a FAX scanner function to a FAX next-line function.
afd1cd95 Work around an NDK / Android bug.
7c5e1400 Fix reference to nonexistent function.
94cd196a Add files in third_party/fiat for Chromium to pick up.
b6317b98 Update googletest.
11a5726e tool: update selection of draft22 TLS 1.3 variant
512a289a Add support for dummy PQ padding.
3c92e80d Revert "Update tools."
9d1f9660 Update tools.
53ff70f6 Tidy up some warnings.
e2b8466f Update CMake on Windows bots to 3.10.1.
74666da5 Update key share extension number for draft23.
0c9b7b5d Align various point_get_affine_coordinates implementations.
9112631c Remove ftmp* comments from P-256 addition code.
3ab6ad6a Simplify EC_KEY_set_public_key_affine_coordinates.
99084cdd Fold away ec_point_set_Jprojective_coordinates_GFp.
1eddb4be Make EC_POINT_set_compressed_coordinates_GFp use BIGNUM directly.
9770532a Map NOT_YET_VALID errors to |certificate_expired|.
92e33250 Add a function for encoding SET OF.
00208b44 Use fiat-crypto's freeze function for fe_tobytes.
2f9b47fb Better pack structs in ssl/internal.h
11850d5f Rename all googletest CMake targets
915c121b Remove some outdated preconditions and postconditions.
3144d92a Add some missing array parameter length annotations.
d9f49974 Support high tag numbers in CBS/CBB.
5bcaa113 Tighten EC_KEY's association with its group.
e1501957 SSL_alert_from_verify_result: expose.
ef16f19e Support delocating vpbroadcastq.
380bc30f Fix |ASN1_INTEGER_set| when setting zero.
f8d05579 Add ASN1_INTEGET_set_uint64.
0a54e998 Add links to proofs of elliptic curve formulas.
80ede1df Fix early_mac_len computation.
36fce983 add fiat-crypto code generation readme
6df65407 Add a draft TLS 1.3 anti-downgrade signal.
02e6256b Move early_data_accepted to ssl->s3.
a0c87adb Add RSA_flags and RSA_METHOD_FLAG_NO_CHECK.
0551feb3 Trim some unused RSA flags.
d90b8033 Clear the error queue in fuzzer-mode Channel ID hooks.
287ac180 Refresh fuzzer corpora.
64cc121f Remove deprecated TLS 1.3 variants.
ea52ec98 Perform the RSA CRT reductions with Montgomery reduction.
f88242d1 SSL_export_keying_material should work in half-RTT.
ebd87230 Bring ERR_ERROR_STRING_BUF_LEN down to 120.
875095aa Silence ARMv8 deprecated IT instruction warnings.
9894ee9d Scope CMAKE_ASM_FLAGS workaround to the old NDK toolchain.
52887796 Document the NDK's built-in toolchain file.
4358f104 Remove clang assembler .arch workaround.
a9c5b7b3 Roll back CMake update on Windows bots.
d870cbdd Update CMake to 3.10.0 on the bots.
0c9c1aad Fix generate_build_files.py.
f98b582d Fix tls13_variant check to check max_version.
6fe960d1 Enable __asm__ and uint128_t code in clang-cl.
650d8c39 Implement TLS 1.3 early exporters.
8f53fc0a Fix fuzzer mode suppressions.
46304abf ec/p256.c: fiat-crypto field arithmetic (64, 32)
21baf642 Fix CustomExtensions-Server-EarlyDataAccepted test.
eb9232f0 Fully reduce scalars in EC_POINT_mul.
2b63addf Use uint32_t for unicode code points.

Change-Id: I6c21b13f5a4dd751ca39e635e2e6ef87a9282a1e
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://nginx-review.googlesource.com/3321