tree 31fbdf562ae2ed29aef441c54525a28740de56d2
parent 7222ea9db496ec58576447b84c50c96087eb0b89
author Piotr Sikora <piotrsikora@google.com> 1595990980 -0700
committer Piotr Sikora <piotrsikora@google.com> 1596013916 +0000

Bazel: update BoringSSL to 430a742 / 597b810 (master-with-bazel).

430a74230 Const-correct various functions in crypto/asn1.
d1d8eee76 Remove unneeded switch statement.
33f8d33af Convert X.509 accessor macros to proper functions.
d206a11d4 Remove X509_CINF_get_issuer and X509_CINF_get_extensions.
beaf594f8 Remove X509_get_signature_type.
991d31bbf clang-format x509.h and run comment converter.
9dd9d4fc2 Check AlgorithmIdentifier parameters for RSA and ECDSA signatures.
a3cc7780e Remove some unimplemented prototypes.
dd86e75b2 Check the X.509 version when parsing.
fd86eaa86 Fix x509v3_cache_extensions error-handling.
cbac9c3a2 Work around Windows command-line limits in embed_test_data.go.
5ddc5b14d Move crypto/x509 test data into its own directory.
1b8194715 Test resumability of same, different, and default ticket keys.
c17985424 Fixes warning when redefining PATH_MAX when building with MINGW.
8afdbf04b Abstract fd operations better in tool.
884614c24 Use CMAKE_SIZEOF_VOID_P instead of CMAKE_CL_64
cd8f3d36f Enforce the keyUsage extension in TLS 1.2 client certs.
72b095d0d Reword some comments.
7f90eda55 Add “Z Computation” KAT.
9c256d1d7 acvptool: handle negative sizeConstraint.
0313b59d5 Let memory hooks override the size prefix.
fbaf1c054 acvptool: go fmt
251b5169f Assert md_size > 0.
88024df12 Remove -enable-ed25519 compat hack.
53a17f552 Add a |SSL_process_tls13_new_session_ticket|.
2309f645e Use ctr32 optimizations for AES_ctr128_encrypt.
8819e0be6 Test AES mode wrappers.
81a998a63 Bump minimum CMake version.
851943277 Modify how QUIC 0-RTT go/no-go decision is made.
9701e84ef Remove RAND_set_urandom_fd.
7b31d69f1 Document that getrandom support must be consistent.
8f12996be Fix docs link for SSL_CTX_load_verify_locations
78b3337a1 Fix TRUST_TOKEN experiment_v1 SRR map.
3e4dfbb2f Add CRYPTO_pre_sandbox_init.
9cf9d3eb0 Still query getauxval if reading /proc/cpuinfo fails.
be28dd623 Add missing header to ec/wnaf.c
b7acfff8e Fix OPENSSL_TSAN typo.
49e95dc0f Fix p256-x86_64-table.h indentation.
1274d1d97 Enable avx2 implementation of sha1.
d4d501c15 Trim Z coordinates from the OPENSSL_SMALL P-256 tables.
a810d8257 Use public multi-scalar mults in Trust Tokens where applicable.
b55a8c158 Use batched DLEQ proofs for Trust Token.
7c522995d Restrict when 0-RTT will be accepted in QUIC.
e32549edf Disable TLS 1.3 compatibility mode for QUIC.
d4a97fa65 Use a 5-bit comb for some Trust Tokens multiplications.
5f43b12d5 Use a (mostly) constant-time multi-scalar mult for Trust Tokens.
ce1665b82 Batch inversions in Trust Tokens.
54a59c68b Rearrange the DLEQ logic slightly.
54304734e Use token hash to encode private metadata for Trust Token Experiment V1.
802523aa5 Introduce an EC_AFFINE abstraction.
73e0401e3 Make the fuzzer PRNG thread-safe.
cccfb9bcf Disable fork-detect tests under TSAN.
aa764c46e Introduce TRUST_TOKENS_experiment_v1.
69402f33f Route PMBToken calls through TRUST_TOKEN_METHOD.
239634da1 Introduce a TRUST_TOKEN_METHOD hook to select TRUST_TOKEN variations.
ad5582985 fork_detect: be robust to qemu.
90bb72c6a Move serialization of points inside pmbtoken.c.
090ee96bf Introduce PMBTOKENS key abstractions.
17078f21a Fix the types used in token counts.
dc06e320d Remove unused code from ghash-x86_64.pl.
eeb5bb356 Switch the P-384 hash-to-curve to draft-07.
6a7184066 Add hash-to-curve code for P384.
b36f52d18 Write down the expressions for all the NIST primes.
21aede917 Move fork_detect files into rand/
b1086cdb1 Harden against fork via MADV_WIPEONFORK.
14d192e93 Fix typo in comment.
21f694210 Use faster addition chains for P-256 field inversion.
47b1e3904 Tidy up third_party/fiat.
25ab623a8 Prefix g_pre_comp in p256.c as well.
8bbc5e9a6 Add missing curve check to ec_hash_to_scalar_p521_xmd_sha512.
1d8ef2c66 Add a tool to compare the output of bssl speed.
21712d52c Benchmark ECDH slightly more accurately.
c878b651c Align remaining Intel copyright notice.
e2af857dd Don't retain T in PMBTOKEN_PRETOKEN.
cbe128b3e Check for trailing data in TRUST_TOKEN_CLIENT_finish_issuance.
13d09f052 Properly namespace everything in third_party/fiat/p256.c.
baca5b4fa Update fiat-crypto.
a27ed585f Add missing ERR_LIB_TRUST_TOKEN constants.
188b65a79 Add bssl speed support for hashtocurve and trusttoken.
78987bb7b Implement DLEQ checks for Trust Token.
367d64f84 Fix error-handling in EVP_BytesToKey.
8f3019e84 Fix Trust Token CBOR.
785361955 Match parameter names between header and source.
538a124d7 Trust Token Implementation.
f37eb8d6a Include mem.h for |CRYPTO_memcmp|
9a798eb53 acvptool: add subprocess tests.
3c11bf53e Add SHA-512-256.
9fc31378f Make ec_GFp_simple_cmp constant-time.
f883b98cf Tidy up CRYPTO_sysrand variants.
3d22c8260 Do a better job testing EC_POINT_cmp.
2a8e294b7 Follow-up comments to hash_to_scalar.
28987cf08 Add a hash_to_scalar variation of P-521's hash_to_field.
f9e0cda2d Add SSL_SESSION_copy_without_early_data.
590265773 Double-check secret EC point multiplications.
d2c5b7da2 Make ec_felem_equal constant-time.
0f86c142a Fix hash-to-curve comment.
f20772cc0 Make ec_GFp_simple_is_on_curve constant-time.
a49c61719 Implement draft-irtf-cfrg-hash-to-curve-06.
414394308 Update list of tested SDE configurations.
7a22a6509 Only draw from RDRAND for additional_data if it's fast.
ea53011c6 Generalize bn_from_montgomery_small.
ad5e3e359 Remove BIGNUM from uncompressed coordinate parsing.
58add794d Add EC_RAW_POINT serialization function.
1d43e57c3 Base EC_FELEM conversions on bytes rather than BIGNUMs.
47a6f5b4b runner: Replace supportsVersions calls with allVersions.
e8434d304 Enable QUIC for some perMessageTest runner tests
b65e630ec Move BN_nnmod calls out of low-level group_set_curve.
bd1fa86fe Clean up various EC inversion functions.
243a29241 Start to organize ec/internal.h a little.
12840915a Fix CFI for AVX2 ChaCha20-Poly1305.
300ef4767 Remove unused function prototype.
af6bfbee4 Enable more runner tests for QUIC
72cff8193 Require QUIC method with Transport Parameters and vice versa
ee2660203 acvptool: support non-interactive mode.
6bfd25c75 Add is_quic bit to SSL_SESSION
d5aae81fb Update SDE.
7c719d124 Update tools.
cdc5c184b Add simpler getters for DH and DSA.
0cf14d3ec Don't define default implementations for weak symbols.
732b70ee2 Don't automatically run all tests for ABI testing.
577eadc42 Fix test build with recent Clang.
141062fe7 Remove LCM dependency from RSA_check_key.
ce9b8737c Simplify bn_sub_part_words.
8b4fa1b6b No-op commit to test Windows SDE bots.
6c1779720 ABI-test each AEAD.
9ae40ce9a Add memory tracking and sanitization hooks
5cd0724ec Add X509_STORE_CTX_get0_chain.
0064c290d Add DH_set_length.
dea1d4498 Static assert that CRYPTO_MUTEX is sufficiently aligned.
7fe639cc2 [bazel] Format toplevel BUILD file with buildifier
964256d06 Add |SSL_CTX_get0_chain|.
5298ef99b Configure QUIC secrets inside set_{read,write}_state.
80ddfc7d1 Allow setting QUIC transport parameters after parsing the client's
959c76d92 Fix comment for |BORINGSSL_self_test|.
0b710a305 Trust Token Key Generation.
1e859054c Revise QUIC encryption secret APIs.
bfe527fa3 Fix ec_point_mul_scalar_public's documentation.
2fb729d4f Don't infinite loop when QUIC tests fail.
44099d592 Tidy up transitions out of 0-RTT keys on the client.
3280287c0 Remove bn_sub_part_words assembly.
b09219296 Keep the encryption state and encryption level in sync.
6432bb46a Add ECDSA_SIG_get0_r and ECDSA_SIG_get0_s.
472d91c39 Fix a couple of comment typos.
a12a2497f Const-correct various X509_NAME APIs.
7940ed1f3 Ignore old -enable-ed25519 flag.
f1efbc8f8 Provide __NR_getrandom fillins in urandom test too.
aadb46369 Skip RSATest.DISABLED_BlindingCacheConcurrency in SDE.
754d4c99c Fix client handling of 0-RTT rejects with cipher mismatch.
83ea777db runner: Tidy up 0-RTT support.
0dc70e462 Add X509_getm_notBefore and X509_getm_notAfter.
0c30649ba Clean up TLS 1.3 handback logic.
f9cc26f9c Require handshake flights end at record boundaries.
21a879a78 Delete unreachable DTLS check.
82a4b2234 Rename TLS-specific functions to tls_foo from ssl3_foo.
f6cc8ddf5 Rename ssl3_choose_cipher.
8f299d5e0 SSL_apply_handback: don't choke on trailing data.
4f3e8212e ssl_test: test early data with split handshakes.
7964a1d67 Check for overflow in massive mallocs.
7e43e2e8e Add more convenient RSA getters.
1766935f7 Remove SSL_CTX_set_ed25519_enabled.
6ab75bf21 Improve signature algorithm tests.
2a4ce1724 bazel: explicitly load C++ rules
fbea9de16 Check enum values in handoff.
921bb9e22 Restore fuzz/cert_corpus.
bf17f4f6f Add a -sigalgs option to bssl client.
f0a815cce Add SSL_set_verify_algorithm_prefs.
ebad508ef Switch verify sigalg pref functions to SSL_HANDSHAKE.
10165d82c Add SSL_AD_NO_APPLICATION_PROTOCOL
3d53d1ffe Refresh corpora due to TLS 1.3 changes in handoff serialization.
9e23361aa handoff: set |enable_early_data| as part of handback.
032fc660b Add 109 and 120 to SSL_alert_desc_string_long
6192ccbbf runner: enable split handshake tests for TLS 1.3.
f3c98ce9b Make TLS 1.3 split handshakes work with early data.
093a82392 Split half-RTT tickets out into a separate TLS 1.3 state.
bc7e2cb92 Use BCryptGenRandom when building as Windows UWP app.
1cc95ac07 Define EVP compatibility constants for X448 and Ed448.
a0cdbf989 Allow shared libraries in the external CMake build.
a965a2595 Add a few little-endian functions to CBS/CBB.
89730072b Move iOS asm tricks up in external CMake build.
f22e5fbab Try again to deal with expensive tests.
e1148bdf8 Restore ARM CPU variation tests on builders.
f249840c9 Remove SSL_CTX_set_rsa_pss_rsae_certs_enabled.
986afedaa Work around another NULL/0 C language bug.
0416e8c30 Use the MAYBE/DISABLED pattern in RSATest.BlindingCacheConcurrency.
31e64a295 Switch an #if-0-gated test to DISABLED_Foo.
98b4cdba1 Proxy: send whole SSL records through the handshaker.
0dcc6e231 Disable Wycheproof primality test cases on non-x86 (too slow)
f06254c73 test_state.cc: serialize the test clock.
8e8759f0d Output after every Wycheproof primality test.
ff631133c Maybe fix generated-CMake build on Android and iOS.
f50a8a77b Detect the NDK path from CMAKE_TOOLCHAIN_FILE.
9351266ba Tell Go to build for GOOS=android when running on Android.
c556d87dd Reland bitsliced aes_nohw implementation.
3e96cd4b7 Add bssl client option to load a hashed directory of cacerts.
b0d449aea No-op change to run the new NO_SSE2 builders.
0deb91ab3 Clarify that we perform the point-on-curve check.
604320f8a Reduce size of BlindingCacheConcurrency test under TSAN.
2feab0c08 Compare vpaes/bsaes conversions against a reference implementation.
63d06626d Enable the SSE2 Poly1305 implementation on clang-cl.
056035edc Remove alignment requirement on CRYPTO_poly1305_finish.
2c58c2fda Fix double-free under load.
aaa1a84d6 Add some XTS tests.
8959a49cc Add EncodeHex and DecodeHex functions to test_util.h.
6c95434cc Revert "Replace aes_nohw with a bitsliced implementation."
b3ac6bb39 Replace aes_nohw with a bitsliced implementation.
cbae965ca Switch HRSS inversion algorithm.
6c5e4a4bc Run EVP_CIPHER tests in-place.
6887d5e81 Add an option to disable SSE2 intrinsics for testing.
522e2df08 Dummy change to trigger master-with-bazel builder.
c58a85f8c Drop use of alignas(64) in aead_test.cc
cfd80a9b2 Add standalone CMake build to generate_build_files.py
cc0c28654 TLS 1.3 split handshake initial support.
be1d14b78 Import Wycheproof primality tests.
0df6edff4 Split BN_prime_checks into two constants for generation and validation.
9511ca4c0 Add some Miller-Rabin tests from Wycheproof.
a16516827 Import Wycheproof PKCS#1 decrypt tests.
355828a2f Import Wycheproof OAEP tests.
e5905d01c Import Wycheproof PKCS#1 signing tests.
305a03a8b Skip JWK keys when converting Wycheproof tests.
55ed2a60d Import Wycheproof's size-specific RSA PKCS#1 verifying tests.
906bbef00 Handle "acceptable" Wycheproof inputs unambiguously.
62f662dbe Import Wycheproof XChaCha20-Poly1305 tests.
b19efcc1c Import Wycheproof HMAC tests.
8e71fe9ca Import Wycheproof HKDF tests.
82dbb53f7 bytestring: add methods for int64.
15cd8bf43 Update Wycheproof test vectors.
b14530e63 Add mock QUIC transport to runner
cb3f04f58 Add test vectors for CVE-2019-1551 (not affected).
b63123ca0 Fix check_bn_tests.go.
243b5cc9e Fix MSan error in SSLTest.Handoff test.
134fb89c4 SSLTest.Handoff: extend to include a session resumption.
9ad9cda08 inject_hash preserves filemode
08e1fe05e Move TLS 1.3 state machine constants to internal.h.
31db68195 Add a ppc64le ABI tester.
c73375467 Allocate small TLS read buffers inline.
b8b0e9f48 Remove unused labels from ARM ABI test assembly.
469446c73 Update AAPCS and AAPCS64 links.
5746add69 Fix EVP_has_aes_hardware on ppc64le.
98ba3bd6e Remove remnants of end_of_early_data alert from tests.
f8fcab9d8 Add a test for ERR_error_string_n.
e0d95adb2 Remove post-quantum experiment signal extension.
35c1075e8 Give ERR_error_string_n a return value for convenience.
ee0716f38 Defer early keys to QUIC clients to after certificate reverification.
fd32089f4 Defer releasing early secrets to QUIC servers.
75148d7ab Halve the size of the kNIDsIn* constants
6ba98ff60 modulewrapper: manage buffer with |unique_ptr|.
af609d885 Add missing boringssl_prefix_symbols_asm.h include.
913a240c2 acvptool: add support for ECDSA
5d62952b2 Inline gcm_init_4bit into gcm_init_ssse3.
a2518dd07 Vectorize gcm_mul32_nohw and replace gcm_gmult_4bit_mmx.
9855c1c59 Add a constant-time fallback GHASH implementation.
98f969491 Conditionally define PTRACE_O_EXITKILL in urandom_test.cc
43890dbd6 Fix build warning if _SCL_SECURE_NO_WARNINGS is defined globally
279740ed8 modulewrapper: use a raw string.
d709b0d89 acvptool: add license headers.
58d56f4c5 Enable TLS 1.3 by default.
929430657 acvptool: Add support for DRBG
f0bdf5c9a Discard user_canceled alerts in TLS 1.3.
6be491b7b Work around more C language bugs with empty spans.
bf7b331d1 No-op commit to test the new builder.
2085c7c2c acvptool: Add support for HMAC
706da620b Add stub functions for RSA-PSS keygen parameters.
b11902a38 HelloRetryRequest getter
fe37af11a Add break-tests-android.sh script.
3ab3b1283 Add compatibility functions for sigalgs
de1d2881a Run AES-192-GCM in CAVP tests.
3ba9586bc Rename a number of BUF_* functions to OPENSSL_*.
31f94b0bf List bn_div fuzzer in documentation.
c951e5560 Reenable bn_div fuzzer.
7f02881e9 Drop CECPQ2b code.
7de9498a8 Add urandom_test to all_tests.json
e481d94a6 Fix the standalone Android FIPS build.
da8caf5b1 Add sanity checks to FIPS module construction.
20ae5e6f6 Correct relative path.
3e502c84f Add test for urandom.c
76918d016 break-hash.go: Search ELF dynamic symbols if symbols not found.
9709ad52e Fix $OPENSSL_ia32cap handling.
eec840da6 Switch probable_prime to rejection sampling.
a93bebafb Rename the last remnants of the early_data_info extension.
31302a473 Fix up BN_GENCB_call calls.
a7a75f208 Do fewer trial divisions for larger RSA keygens.
f3bd757ee Fix GRND_NONBLOCK flag when calling getrandom.
642664838 Simplify bn_miller_rabin_iteration slightly.
841a40a27 Add some notes on RSA key generation performance.
fba30c389 Break early on composites in the primality test.
18d145e65 Extract and test the deterministic part of Miller-Rabin.
5cf329814 Fix the FIPS + fuzzing build.
2865bce1b FIPS.md: document some recent Android changes.
bc4c09df6 Add a function to derive an EC key from some input secret.
7458ded26 Fix run_android_tests.go with shared library builds.
86ee70b6f No-op change to test new builders.
c48c8b6f6 Move no-exec-stack sections outside of #ifs.
12049fd3a Add |SSL_get_min_proto_version| and |SSL_get_max_proto_version|
4ca15d5dc Make FIPS build work for Android cross-compile.
56b6c714c Enable optional GRND_RANDOM flag to be passed to getrandom on Android.
8fe158402 Switch cert_compression_algs to GrowableArray.
ff746c103 Add GrowableArray<T> to ssl/internal.h.
49de1fc29 Fixed quic_method lookup in TLS 1.3 server side handshake.
9c49713ba Add .note.GNU-stack at the source level.
6a2609dae -Wno-vla -> -Wvla
0e7dbd579 Add an option for explicit renegotiations.
f10ea55e9 tool: add -json flag to |speed|
95017b9bf Set -Wno-vla.
6e7255c17 Use a pointer to module_hash in boringssl_fips_self_test() args.
9638f8fba Use a smaller hex digest in FIPS flag files when SHA-256 used.
1458b49a9 Switch to using SHA-256 for FIPS integrity check on Android.
40633ac19 Use getentropy on macOS 10.12 and later.
6f80629b6 Move #include of "internal.h", which defines |OPENSSL_URANDOM|.
b9a8fd766 Style nit.
45610f9af Assert that BN_CTX_end is actually called.
6784dc718 Test some known large primes.
e7e5a23b4 Test some Euler pseudoprimes.
6dfb47975 Be consistent about Miller-Rabin vs Rabin-Miller.
bd522862a fix build with armv6 Error: .size expression for _vpaes_decrypt_consts does not evaluate to a constant
0bb4345bf Mark ssl_early_data_reason_t values stable.
0de64a749 Make the dispatch tests opt-in.
63e96f2a2 Bound the number of API calls in ssl_ctx_api.cc.
3a3552247 Only attempt to mprotect FIPS module for AArch64.
622e46bf2 Opportunistically read entropy from the OS in FIPS mode.
1f1af82f4 Update INSTANTIATE_TEST_SUITE_P calls missing first argument.
15b4fb2ac Ignore build32 and build64 subdirectories.
09a9ec036 Add page protection logic to BCM self test.
6e8d5f4a4 Disable unwind tests in FIPS mode.
398ca1c3d Disable RDRAND on AMD family 0x17, models 0x70–0x7f.
bb5078380 Don't allow SGC EKUs for server certificates.
04a89c843 Add |SSL_CIPHER_get_value| to get the IANA number of a cipher suite.
98e848aa3 Add XOF compilation compatibility flags
0c4d01391 Replace BIO_printf with ASN1_STRING_print in GENERAL_NAME_print
a7d9ac2af Trigger a build on the ARM mode builder.
053880d3f Fix vpaes-armv7.pl in ARM mode.
0142c87a2 Add AES-192-GCM support to EVP_AEAD.
012a44426 Add AES-256 CFB to libdecrepit.
ec92ec471 Parse explicit EC curves more strictly.
b82f945eb Use the Go 1.13 standard library ed25519.
68489e6da Update build tools.
f4d8b9692 Use ScopedEVP_AEAD_CTX in ImplDispatchTest.AEAD_AES_GCM.
ccaee0a64 Use a mix of bsaes and vpaes for CTR on NEON.
701d95a2a Use vpaes + conversion to setup CBC decrypt on NEON.
7d4b13b44 Add NEON vpaes-to-bsaes key converters.
68fb23864 Add vpaes-armv7.pl and replace non-parallel modes.
5588ec7a8 Correct comments for x86_64 _vpaes_encrypt_core_2x.
25e36da50 Add benchmarks for AES block operations.
e60b080dd Only write self test flag files if an environment variable is set.
5ce702239 Const-correct EC_KEY_set_public_key_affine_coordinates.
f7b830d8d Revert "Fix VS build when assembler is enabled"
356a9a089 Support compilation via emscripten
d041f1113 Fix cross-compile of Android on Windows.
3b62960c5 Move the config->async check into RetryAsync.
d0b979432 Clear *out in ReadHandshakeData's empty case.
d63435779 Add initial support for 0-RTT with QUIC.
95dd54e57 Have some more fun with spans.
1e547722d Add OPENSSL_FALLTHROUGH to a few files.
fbebe833b Limit __attribute__ ((fallthrough)) to Clang >= 5.
cf67ec09e Make |EVP_CIPHER_CTX_reset| return one.
05cd93068 Add Fallthru support for clang 10.
a8ffaf1bf Add self-test suppression flag file for Android FIPS builds.
f350351a9 Align 0-RTT and resumption state machines slightly
e39d13656 Require getrandom in Android FIPS builds.
9747a5328 acvp: allow passing custom subprocess I/O.
bd2a8d689 Add a function to convert SSL_ERROR_* values to strings.
f492830ed Fold SSL_want constants into SSL_get_error constants.
e530ea387 Use spans for the various TLS 1.3 secrets.
b244e3a5f Switch another low-level function to spans.
79b8b3a41 Switch tls13_enc.cc to spans.
9806ae005 Check the second ClientHello's PSK binder on resumption.
44544d9d2 Introduce libcrypto_bcm_sources for Android.
8c98bac1a Remove stale TODO.
eca48e52e Add an android-cmake option to generate_build_files.py
fd863b6a2 Add a QUIC test for HelloRetryRequest.
bc2a2013e Add missing ".text" to Windows code for dummy_chacha20_poly1305_asm
ae223d613 Update TODO to note that Clang git doesn't have the POWER bug.
f5270004a Fix paths in break-tests.sh.
ab26b556a Fix POWER build with OPENSSL_NO_ASM.
67f3ada0c Workaround Clang bug on POWER.
2c880a204 Add assembly support for -fsanitize=hwaddress tagged globals.
81080a729 Fix typo in valgrind constant-time annotations.
974f4dddf acvp: add support for AES-ECB and AES-CBC.
303f1a86a Fix misspelled TODO.
621c9d45e Move CCM fragments out of the FIPS module.
9f6acfc1f Add EVP_PKEY_base_id.
57de2c357 Add some project links to README.md.
ee4888c5e Make alert_dispatch into a bool.
bc42402f3 Trim some more per-connection memory.
94b2871bc Remove SSL_export_early_keying_material.
2c6570792 Add EVP_PKEY support for X25519.
a866ba5d7 Make EVP_PKEY_bits return 253 for Ed25519.
ef0183c53 Make SSL_get_servername work in the early callback.
4dfd5af70 Only bypass the signature verification itself in fuzzer mode.
9f5c419b9 Move the PQ-experiment signal to SSL_CTX.
b9e2b8adc Name cipher suite tests in runner by IETF names.
66e106026 Align TLS 1.3 cipher suite names with OpenSSL.
07432f325 Prefix all the SIKE symbols.
1a3178cf0 Rename SIKE's params.c.
a86c69888 Add post-quantum experiment signal extension.
0fc4979dd Fix shim error message endings.
b7f0c1b4d Add initial draft of ACVP tool.
3c8ae0fd3 Implements SIKE/p434
09050cb49 Add SipHash-2-4.
365b7a0fc Remove android_tools checkout
0086bd65c Support key wrap with padding in CAVP.
3f98fde5a Add android_sdk checkout
60cc4d4b4 Move fipstools/ to util/fipstools/cavp
d6f9c359d Factor out TLS cipher selection to ssl_choose_tls_cipher.
cfcb0060e Emit empty signerInfos in PKCS#7 bundles.
7198a2336 Clarify language about default SSL_CTX session ticket key behavior.
629f321ff Add an API to record use of delegated credential
d59682c42 Fix runner tests with Go 1.13.
92b7c89e6 Add a value barrier to constant-time selects.
12d9ed670 Avoid leaking intermediate states in point doubling special case.
cef9d3f38 Split p224-64.c multiplication functions in three.
8f574c37d Add AES-KWP
18254e25a Discuss the doubling case in windowed Booth representation.
72791efa1 Update build tools.
4745051fb Set a minimum CMake version of 3.0.
5b89336b4 Replace addc64,subc64,mul64 in SIKE Go code with functions from math/bits
c0b4c72b6 Eliminate some superfluous conditions in SIKE Go code.
567e463ce Fix various typos.
20d43e2fa Fix name clash in test structures
95147ea89 bcm: don't forget to cleanup HMAC_CTX.
c37e64cba Handle fips_shared_support.c getting built in other builds.
326f12135 Fix various mistakes in ec_GFp_nistp_recode_scalar_bits comment.
4ef217a1e Fix filename in comment.
0ad091adc Split EC_METHOD.mul into two operations.
6c428307d Split ec_point_mul_scalar into two operations.
d72e47fdd Add FIPS shared mode.
9b896cf14 delocate: add test for .file handling.
09400e197 delocate: translate uleb128 and sleb128 directives
78c88c999 Integrate SIKE with TLS key exchange.
6676b9ad1 Convert ecdsa_p224_key.pem to PKCS#8.
2e0d35469 Disable RDRAND on AMD chips before Zen.
5274cea40 Always store early data tickets.
35a5a9e7b Align PKCS12_parse closer to OpenSSL.
ff62b38b4 Support PKCS#12 KeyBags.
302a4dee6 Support PKCS#8 blobs using PBES2 with HMAC-SHA256.
b86baef38 Make EVP_PKEY_keygen work for Ed25519.
d84cb4d16 Sync aesp8-ppc.pl with upstream.
e0c533aa2 Update generate_build_files.py for SIKE.
79ab5e8fa Fix the last casts in third_party/sike.
b4b41cad0 Remove no-op casts around tt1.
c93e525df Define p503 with crypto_word_t, not uint64_t.
7922e5abc Add support for SIKE/p503 post-quantum KEM
c12b7cda7 tool: fix speed tests.
f014d609c Add an option to skip crypto_test_data.cc in GN too.
b29e1e15a Save and restore errors when ignoring ssl_send_alert result.
8728af480 Reject obviously invalid DSA parameters during signing.
b19b79d71 Make expect/expected flag and variable names match.
0ad8d575a clang-format Flag arrays in test_config.cc.
262fd6a09 Rename remnants of ticket_early_data_info.
6433a91dc Enforce the ticket_age parameter for 0-RTT.
6477012ff Add SSL_get_early_data_reason.
572edbf00 Remove implicit -on-resume for -expect-early-data-accept.
787b26cc5 Use weak symbols only on supported platforms
ffe384cfe Fix spelling in comments.
b3239c626 Add functions for "raw" EVP_PKEY serializations.
f6eb56561 Remove stray underscores.
b96d47086 Add a compatibility EVP_DigestFinalXOF function.
e79cc432e Fix up EVP_DigestSign implementation for Ed25519.
1b878e7cc Check for errors when setting up X509_STORE_CTX.
1e77ef418 Convert a few more things from int to bool.
85eef297e Compute the delegated credentials length prefix with CBB.
a486c6c84 Convert the rest of ssl_test to GTest.
586235df2 Check for x18 usage in aarch64 assembly.
c1d8c5b0e Handle errors from close in perlasm scripts.
777a23917 Hold off flushing NewSessionTicket until write.
7540cc2ec Predeclare enums in base.h
c67076d65 Require certificates under name constraints use SANs.
e55c64fdd Make X509_verify_cert_error_string thread-safe.
d86eb1bbb Disable the common name fallback on *any* SAN list.
923feba60 Silently ignore X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT.
c60b42bf7 Add X509_CHECK_FLAG_NEVER_CHECK_SUBJECT.
9df41ae95 Give ENGINE_free a return value.
c9827e073 Output a ClientHello during handoff.
2e26348e2 Fix and test EVP_PKEY_CTX copying.
d1a6d2368 Test copying an EVP_MD_CTX.
65dc45cb5 Fix EVP_CIPHER_CTX_copy for AES-GCM.
4a8c05ffe Check key sizes in AES_set_*_key.
31ef16ac2 Add missing nonce_len check to aead_aes_gcm_siv_asm_open.
4a136ea00 Test AES-GCM-SIV with OPENSSL_SMALL.
ad9eee162 Handle CBB_cleanup on child CBBs more gracefully.
be7006ada Update third_party/googletest.
387b07b78 Rename 'md' output parameter to 'out' and add bounds.
a26d01719 Update other build tools.
98348562f Update SDE to 8.35.0-2019-03-11.
be9953acc nit: Update references to draft-ietf-tls-subcerts.
a4af5f85b Support get versions with get_{min,max}_proto_version for context
df11bed9e Update ImplDispatchTest for bsaes-x86_64 removal.
1a36dd493 Unwind the large_inputs hint in aes_ctr_set_key.
32ce6032f Add an optimized x86_64 vpaes ctr128_f and remove bsaes.
5501a2691 Add 16384 to the default bssl speed sizes.
4ca8d131d Rewrite BN_CTX.
c93be52c9 Save a temporary in BN_mod_exp_mont's w=1 case.
1c71844ef Reject long inputs in c2i_ASN1_INTEGER.
0dcab9302 Harden the lower level parts of crypto/asn1 against overflows.
bab14fa75 Remove d2i_ASN1_UINTEGER.
fdb48f986 Drop some unused bsaes to aes_nohw dependencies.
d22578f36 Adapt gcm_*_neon to aarch64.
485104196 Patch out the aes_nohw fallback in bsaes_cbc_encrypt.
885a63fb7 Patch out the aes_nohw fallback in bsaes_ctr32_encrypt_blocks.
aadcce380 Implement sk_find manually.
35941f292 Make vpaes-armv8.pl compatible with XOM.
1d1345377 Support three-argument instructions on x86-64.
3390fd88d Correct outdated comments
f9c8d3089 Remove SSL_get_structure_sizes.
b8d7b7498 Prefer vpaes over bsaes in AES-GCM-SIV and AES-CCM.
da8bb847f Tell ASan about the OPENSSL_malloc prefix.
8d685ec86 modes/asm/ghash-armv4.pl: address "infixes are deprecated" warnings.
55db667c6 Enable vpaes for aarch64, with CTR optimizations.
b1b4ff93c Check in vpaes-armv8.pl from OpenSSL unused and unmodified.
1fa5abc0b silence unused variable warnings when using OPENSSL_clear_free
19220dd6a Handle NULL public key in |EC_KEY_set_public_key|.
5ce12e643 Add a 32-bit SSSE3 GHASH implementation.
ae1e08709 Also include abi_test.cc in ssl_test_files.
c3889634a Don't pull abi_test.cc into non-GTest targets.
a6124742d Update *_set_cert_cb documentation regarding resumption
1e0262ad8 Add a reference for Linux ARM ABI.
a57435e13 Remove __ARM_ARCH__ guard on gcm_*_v8.
f1f73f896 Fix bsaes-armv7.pl getting disabled by accident.
6443173d0 Add an option to configure bssl speed chunk size.
98ad4d77e Appease GCC's uninitialized value warning.
a367d9267 Set VPAES flags in x86-64 code.
65dc32149 Enable vpaes for AES_* functions.
3c19830f6 Avoid double-dispatch with AES_* vs aes_nohw_*.
c18353d21 Add uint64_t support in CBS and CBB.
f109f2087 Clear out a bunch of -Wextra-semi warnings.
0326105aa Add compiled python files to .gitignore.
24a18b8a4 Fix x86_64-xlate.pl comment regex.
190866701 Add go 1.11 to go.mod.
104306f58 Remove STRICT_ALIGNMENT code from modes.
d8598ce03 Remove non-STRICT_ALIGNMENT code from xts.c.
4d8e1ce5e Patch XTS out of ARMv7 bsaes too.
fb35b147c Remove stray prototype.
eb2c2cdf1 Always define GHASH.
2f213f643 Update delegated credentials to draft-03
b22c9fea4 Use Windows symbol APIs in the unwind tester.
2e819d8be Unwind RDRAND functions correctly on Windows.
15ba2d11a Patch out unused aesni-x86_64 functions.
cc2b8e255 Add ABI tests for aesni-gcm-x86_64.pl.
7a3b94cd2 Add ABI tests for x86_64-mont5.pl.
7ef4223fb sync EVP_get_cipherbyname with EVP_do_all_sorted
d2a0ffdfa Hyperlink DOI to preferred resolver
a6c689e0d Remove stray semicolons.
2d38b8397 Remove separate default group list for servers.
fcc1ad78f Enable all curves (inc CECPQ2) during fuzzing.
70fe61055 Implement ABI testing for aarch64.
55b9acda9 Fix ABI error in bn_mul_mont on aarch64.
0a87c4982 Implement ABI testing for ARM.
0a67eba62 Fix the order of Windows unwind codes.
28f035f48 Implement unwind testing for Windows.
fc31677a1 Tolerate spaces when parsing .type directives.
20a9b409b runner: Don't generate an RSA key on startup.
33f456b8b Don't use bsaes over vpaes for CTR-DRBG.
470bd56c9 perlasm/x86_64-xlate.pl: refine symbol recognition in .xdata.
9978f0a86 Add instructions for debugging on Android with gdb.
d7266ecc9 Enforce key usage for RSA keys in TLS 1.2.
1a51a5b4a Remove infra/config folder in master branch.
73308b660 Avoid SCT/OCSP extensions in SH on {Omit|Empty}Extensions
23e1a1f2d Test and fix an ABI issue with small parameters.
ab578adf4 Add RSAZ ABI tests.
3859fc883 Better document RSAZ and tidy up types.
e569c7e25 Add ABI testing for 32-bit x86.
8cbb5f8f2 Add a very roundabout EC keygen API.
23dcf88e1 Add some Node compatibility functions.
6c1b376e1 Implement server support for delegated credentials.
454550392 Add a constant-time pshufb-based GHASH implementation.
9801a0714 Tweak some slightly fragile tests.
4bfab5d9d Make 256-bit ciphers a preference for CECPQ2, not a requirement.
fa81cc65d Update comments around JDK11 workaround.
c47f7936d Add a RelWithAsserts build configuration.
51011b4a2 Remove union from |SHA512_CTX|.
4f3f597d3 Avoid unwind tests on libc functions.
14c611cf9 Don't pass NULL,0 to qsort.
9847cdd78 Fix signed left-shifts in curve25519.c.
fc27a1919 Add an option to build with UBSan.
2fe0360a4 Fix undefined pointer casts in SHA-512 code.
72f015562 HRSS: flatten sample distribution.
c1615719c Add test of assembly code dispatch.
eadef4730 Simplify HRSS mod3 circuits.
20f4a043e Add SSL_OP_NO_RENEGOTIATION
899835fad Rename Fiat include files to end in .h
32e59d2d3 Switch to new fiat pipeline.
f36c3ad3e Don't look for libunwind if cross-compiling.
5590c715e Mark some unmarked array sizes in curve25519.c.
823effe97 Revert "Fix protos_len size in SSL_set_alpn_protos and SSL_CTX_set_alpn_protos"
73b1f181b Add ABI tests for GCM.
8285ccd8f Fix SSL_R_TOO_MUCH_READ_EARLY_DATA.
b65ce68c8 Test CRYPTO_gcm128_tag in gcm_test.cc.
f18bd5524 Remove pointer cast in P-256 table.
3eac8b770 Ignore new fields in forthcoming Wycheproof tests.
5349ddb74 Fix RSAZ's OPENSSL_cleanse.
3cbb0299a Allow configuring QUIC method per-connection
de3c1f69c Fix header file for _byteswap_ulong and _byteswap_uint64 from MSVC CRT
2bee22910 Add ABI tests for HRSS assembly.
d99b549b8 Add AES ABI tests.
c0f4dbe4e Move aes_nohw, bsaes, and vpaes prototypes to aes/internal.h.
e592d595c Add direction flag checking to CHECK_ABI.
b2f56f928 Add ABI tests for ChaCha20_ctr32.
5e350d13f Add ABI tests for MD5.
7076be514 Refresh fuzzer corpus.
b84674b2d Delete the variants/draft code.
6c597be1c Update tools.
35771ff8a Fix protos_len size in SSL_set_alpn_protos and SSL_CTX_set_alpn_protos
9cde848bd Use handshake parameters to decide if cert/key are available
1aaa7aa83 Add ABI tests for bn_mul_mont.
005f61621 Add ABI tests for SHA*.
9dfaf2552 Make pkg-config optional.
5f85f2a06 Add DEPS rules to checkout Windows SDE.
2a622531a Add ABI tests for rdrand.
3c79ba815 Set NIDs for Blowfish and CAST.
17d553d29 Add a CFI tester to CHECK_ABI.
e67b625e4 Fix some size_t to long casts.
6effbf24b Add EVP_CIPHER support for Blowfish and CAST to decrepit.
f77c8a38b Be less clever with CHECK_ABI.
cc5a888fe Update SDE and add the Windows version.
e6bf9065a Remove pooling of PRNG state.
7177c1d29 Add EC_KEY_key2buf for OpenSSL compatibility
43e636a2e Remove bundled copy of android-cmake.
6f9f4cc44 Clarify build requirements.
79c7ec06f Add EC_GROUP_order_bits for OpenSSL compatibility
0eaf783fb Annotate leaf functions with .cfi_{startproc,endproc}
c2e8d016f Fix beeu_mod_inverse_vartime CFI annotations and preamble.
a306b1b90 Fix CFI annotations in p256-x86_64-asm.pl.
6ef1b6455 Add a comment about ecp_nistz256_point_add_affine's limitations.
1c55e54ed Refresh p256-x86_64_tests.txt.
fb3f0638b Fix some indentation nits.
8e8f25042 Use thread-local storage for PRNG states if fork-unsafe buffering is enabled.
74944287e Add Win64 SEH unwind codes for the ABI test trampoline.
5edf8957b Translate .L directives inside .byte too.
54efa1afc Add an ABI testing framework.
2cc6f449d Use same HKDF label as TLS 1.3 for QUIC as per draft-ietf-quic-tls-17
ba9ad6628 Add |SSL_key_update|.
9700b44ff HRSS: omit reconstruction of ciphertext.
a6a049a6f Add start of infrastructure for checking constant-time properties.
c2897a158 Don't enable intrinsics on x86 without ABI support.
f8068ce88 HRSS: be strict about unused bits being zero.
41c10e2b5 Disable AES-GCM-SIV assembly on Windows.
e1b2a65e7 Fix typo in AES-GCM-SIV comments.

Change-Id: Ided2c2808c2934281e74d3885b92b1dceb2b2b76
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://nginx-review.googlesource.com/c/nginx/+/3645
Reviewed-by: Daniel Berkovitch <dbrk@google.com>
