Merge BoringSSL commits staged in current-upstream-merge-20220318#445
Merged
This change imports upstream's openssl/openssl@c045224 Change-Id: Ib50ff9eb8c48d9580aa2ffcae92d3990cc987e30 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50905 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
140-3 says > the zeroisation of protected and unprotected SSPs > shall be performed in the following scenarios: > ... > For temporary value(s) generated during the integrity test of the > module’s software or firmware upon completion of the integrity test. (IG 9.7.B) Change-Id: I911f294860bf33b13b2c997fc633c9bda777fc48 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50945 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
This matches our other free functions. Fixed: 473 Change-Id: Ie147995c2f5b429f78e95cfc9a08ed54181af94e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51005 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Description: Creating just a Gerrit password isn't enough. Before you can push a change to Gerrit, you must also create/associate a Gerrit account with the google account used to create the password. This avoids "git push ..." rejections like this:

```
remote: PERMISSION_DENIED: The caller does not have permission
remote: [type.googleapis.com/google.rpc.LocalizedMessage]
remote: locale: "en-US"
remote: message: "'git push' requires a Gerrit user account."
```

Change-Id: Id02c1a69ccb0c2b8bf4c63b77ed3064125966eb3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50985 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
This is designed to be the minimal infrastructure required to support using BoringSSL in the Rust ecosystem without fear of ABI drift. Bindgen is used to generate Rust bindings in lockstep with the rest of the build. `rust-openssl` can consume these generated bindings with minimal changes. Change-Id: I1dacd36a4131e22a930ebb01da00407e8465ad7e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49645 Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
See https://fuchsia-review.googlesource.com/c/fuchsia/+/624684. Also pick up the new, more specific, name for ZX_ARM64_FEATURE_ISA_SHA2. Update-Note: This CL is written assuming we can just rely on the SDK changes. Per go/fuchsia-sdk-age, this seems fairly safe. If this file fails to build due to missing symbols, update your project's Fuchsia SDK. If this blocks something, let us know. Change-Id: I28b0c234b577cc0de90e7ef096c15bb75a4ba501 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50926 Reviewed-by: Adam Langley <agl@google.com>
…ndings for the targeted Arch Change-Id: I8ccd53bce0d73bd9d79f65770e544a75753ce4f8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51025 Reviewed-by: David Benjamin <davidben@google.com>
We were fetching the mac-amd64 package even on mac-arm64. Change-Id: Iad842ebd46d467c0def9bdbd14c77698a03f58d3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51045 Reviewed-by: Adam Langley <agl@google.com>
The check finds implicit conversions of integer literals to bools: bool b1 = 1; bool b2 = static_cast<bool>(1); and transforms them to: bool b1 = true; bool b2 = true; Bug: chromium:1290142 Change-Id: I15579e28f544d07b331a230b70a8278e0651150d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51085 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
This hash table, in applications that use pooling, can dedup received certificates in memory and thus should use a keyed hash. Change-Id: Idc40dc8f7463025183121642b30ea0de43ebac0e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51125 Reviewed-by: Adam Langley <agl@google.com>
u8 strings in C++20 are char8_t instead of char; in order to compile on both C++17 and C++20 we need to remove the prefix. Change-Id: I85d1a9d72d24e8fa96ca22b1d99be9982fee8fb5 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51065 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
POSIX feature macros are a mess. Reportedly, FreeBSD also breaks with _XOPEN_SOURCE, so try leaving it unset by default. Update-Note: It's possible this will break yet another obscure UNIX. Hopefully we can eventually find a combination that works? Bug: 471 Change-Id: I103f8093110d343789b9c5a22eb056ab78d9cd14 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51145 Reviewed-by: Adam Langley <agl@google.com>
Upstream used the macro originally, but later added a bespoke implementation to transparently support X9.42 DH parameter serialization (DHXPARAMS in OpenSSL) in 2ca873e8d898e8a232ea707227400213980059a4. We don't support DHXPARAMS, so revert to the macro. Change-Id: Ib17902c6c640bb88ee55881945ce57a032f7061b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51105 Reviewed-by: Adam Langley <agl@google.com>
This matches the source, which only builds support for these tests on Linux. Note Android sets CMAKE_SYSTEM_NAME to "Android", so this covers the previous ANDROID check. Bug: 476 Change-Id: I41ca408706d0d0c5bb22006f4c31d51fc1267f69 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51165 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
Description: Mark Wooden and Franck Rondepierre noted that the square-root-mod-p operations used in the EdDSA RFC (RFC 8032) can be simplified. For Ed25519, instead of computing u*v^3 * (u * v^7)^((p-5)/8), we can compute u * (u*v)^((p-5)/8). This saves 3 multiplications and 2 squarings. For more details (including a proof), see the following message from the CFRG mailing list: https://mailarchive.ietf.org/arch/msg/cfrg/qlKpMBqxXZYmDpXXIx6LO3Oznv4/

Testing: Build and run the Ed25519 tests:

```
mkdir build
cd build
cmake -GNinja ..
ninja && ./crypto/crypto_test --gtest_filter="Ed25519Test*"
```

Numerical testing of the square-root computation can be done using the following sage script:

```python
def legendre(x,p):
    return kronecker(x,p)

# Ed25519
p = 2**255-19

# -1 is a square
if legendre(-1,p)==1:
    print("-1 is a square")

# 2 is a non-square
if legendre(2,p)==-1:
    print("2 is a non-square")

# 2 is a generator
# this can be checked by factoring p-1
# and then showing 2**((p-1)/q) != 1 (mod p)
# for all primes q dividing p-1.

# suppose u/v is a square.
# to compute one of its square roots, find x such that
#   x**4 == (u/v)**2 .
# this implies
#   x**2 == u/v, or
#   x**2 == -(u/v) ,
# which implies either x or i*x is a square-root of u/v (where i is a square root of -1).
# we can take x equal to u * (u*v)**((p-5)/8).

g = 2
s = p>>2   # s = (p-1)/4
i = power_mod(g, s, p)
t = p>>3   # t = (p-5)/8

COUNT = 1<<18
while COUNT > 0:
    COUNT -= 1
    r = randint(0,p-1)   # r = u/v
    v = randint(1,p-1)
    u = mod(r*v,p)
    # compute x = u * (u*v)**((p-5)/8)
    w = mod(u*v,p)
    x = mod(u*power_mod(w, t, p), p)
    # check that x**2 == r, or (i*x)**2 == r, or r is not a square
    rr = power_mod(x, 2, p)
    if rr==r:
        continue
    rr = power_mod(mod(i*x,p), 2, p)
    if rr==r:
        continue
    if legendre(r,p) != 1:
        continue
    print("failure!")
    exit()
print("passed!")
```

Change-Id: Iaa284d3365dd8c9fa18a4584121013f05a3f4cc6 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50965 Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
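As an added example (not code from the BoringSSL commit or AWS-LC), the old and simplified Ed25519 square-root candidates side by side in plain Python, with the fix-up step and the RFC 8032 point decoding that consumes the result; the random-pair check mirrors the sage script, and the constants are the standard Ed25519 values.

```python
# Added example (not the BoringSSL/AWS-LC code): the two Ed25519 square-root
# candidates from RFC 8032 5.1.3 and the simplification adopted upstream.
import random

P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P     # Ed25519 curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)        # i = sqrt(-1) = 2^((p-1)/4) mod p

def sqrt_ratio_old(u, v):
    """RFC 8032 candidate: x = u*v^3 * (u*v^7)^((p-5)/8)."""
    v3 = v * v * v % P
    v7 = v3 * v3 * v % P
    return u * v3 * pow(u * v7 % P, (P - 5) // 8, P) % P

def sqrt_ratio_new(u, v):
    """Simplified candidate: x = u * (u*v)^((p-5)/8) (3 fewer mults, 2 fewer squarings)."""
    return u * pow(u * v % P, (P - 5) // 8, P) % P

def fix_root(x, u, v):
    """Turn a candidate into a root r with v*r^2 == u, or None if u/v is a non-square."""
    if (v * x * x - u) % P == 0:
        return x
    if (v * x * x + u) % P == 0:
        return x * SQRT_M1 % P           # candidate was off by a factor of i
    return None

def candidates_agree(u, v):
    """Both formulas give the same root up to sign: they differ by (v^((p-1)/4))^3."""
    a = fix_root(sqrt_ratio_old(u, v), u, v)
    b = fix_root(sqrt_ratio_new(u, v), u, v)
    if a is None or b is None:
        return a is None and b is None
    return a == b or a == P - b

def recover_x(y, sign):
    """Ed25519 point decoding: recover x from y and the sign bit, None if invalid."""
    u = (y * y - 1) % P
    v = (D * y * y + 1) % P
    x = fix_root(sqrt_ratio_new(u, v), u, v)
    if x is None or (x == 0 and sign == 1):
        return None
    return x if x % 2 == sign else P - x

def on_curve(x, y):
    """Twisted Edwards equation -x^2 + y^2 == 1 + d*x^2*y^2."""
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0

def check_random_pairs(n, seed=1):
    """Constructed check: n pseudo-random (u, v) pairs, as in the commit's sage script."""
    rng = random.Random(seed)
    return all(candidates_agree(rng.randrange(P), rng.randrange(1, P)) for _ in range(n))
```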
The ECH extension is not covered in the AAD and so should not be referenced in ech_outer_extensions. We end up rejecting this anyway when checking for valid ClientHelloInners, but better to reject this explicitly, as the spec suggests. As part of this, use the more specific error in the various tests, so we can distinguish the two cases. (DECODE_ERROR is coming from an extra, probably unnecessary, error in ssl_decode_client_hello_inner's caller.) Bug: 275 Change-Id: Ibeff55e5e1b7646ce9c68c5847cd1b40a47e6480 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51185 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Both call sites end up calling them in succession. This saves a little bit of code. Bug: 275 Change-Id: Ib87bd9be446c368f77beb3b329deaa84ef43ac95 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51186 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
In testing out the ECH bits on the Chromium side, it is much harder to tell what's going on without some indication that we sent a ClientHelloInner. This CL routes it into the callback. A corresponding CL in Chromium will add it to NetLog. Bug: 275 Change-Id: I945ab2679614583e875a0ba90d6cf1481ed315d9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51205 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
This is the recommended way for detecting platforms: https://docs.bazel.build/versions/main/platforms.html Fixes cross-compilation with bazel-zig-cc. Signed-off-by: Piotr Sikora <piotrsikora@google.com> Change-Id: Ifc7d2b502e01feb9cbad51127ca3ec90a54c6e90 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51265 Reviewed-by: Adam Langley <agl@google.com>
https://boringssl-review.googlesource.com/c/boringssl/+/51265 broke Linux and macOS platforms on architectures where we don't build assembly. OPENSSL_NO_ASM needs to match the assembly selector. While I'm here, remove the OPENSSL_C11_ATOMIC comment. We autodetect atomics these days, so the flag is only useful if you want to force it. Change-Id: I1f20f7577b5ca7e208dc90fb46a93b20da864ec5 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51305 Reviewed-by: Piotr Sikora <piotrsikora@google.com> Reviewed-by: Adam Langley <agl@google.com>
Change-Id: I8bc146a951b77d2111b971e6472bfd7f010f8585 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51306 Reviewed-by: Adam Langley <agl@google.com>
The current names are confusing because (ios, aarch64) is also used on macOS. The various Apple platforms all use the same ABI, and aarch64 is no longer limited to iOS. (For that matter, the iOS simulator on x86 Macs is x86 iOS.) Just call it 'apple'. Update-Note: References to 'mac' or 'ios' source lists in downstream builds should be renamed to 'apple'. Change-Id: Id1a0627f8ce3241f34ffa6bb245ee5783adc7c15 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51307 Reviewed-by: Adam Langley <agl@google.com>
Now that the naming for Apple platforms is aligned, we can select the variable uniformly. Change-Id: Id547d1a4ba0585d5f9e4ea0b5d8b255b2ab2ec38 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51345 Reviewed-by: Adam Langley <agl@google.com>
Bazel can shard tests, but runner runs a lot of tests inside a single “test”, as Go sees it. In order to shard within runner we implement support for Bazel's environment variables[1] directly. This does mean that the handful of other tests in runner are run in every shard. [1] https://docs.bazel.build/versions/1.1.0/test-encyclopedia.html#initial-conditions Change-Id: Idaa5c6ae5225cd86951cd40f47b5f86f31664e04 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51245 Reviewed-by: David Benjamin <davidben@google.com>
ACVP authorisation tokens expire and, once expired, need to be renewed by sending a new TOTP code. We almost never hit this but some FIPS modules are slow enough that they can't compute the response within the token lifetime. But the ACVP code was putting an Authorization header on the renewal message because it put that header on every message. But doing so breaks the renewal because the server rejects the request because the token has expired before noticing that it's a renewal request. Also, put a 10 second buffer on deciding if a token has expired to account for the transmission delay. Change-Id: I50643a223cdb313d07dd7b2c559ad160cbe608ff Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51385 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com>
FIPS no longer likes it. Change-Id: I32a4ba93a5849927ff75aa72b816cdc669e8a0af Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51325 Reviewed-by: David Benjamin <davidben@google.com>
The provision of FIPS that allowed the tests to be skipped based on a flag-file has been removed in 140-3. Therefore we expect to run the fast KATs on start-up, but to defer to slower ones until the functionality in question is first used. So this change splits off the fast KATs and removes support for skipping KATs based on a flag-file. Change-Id: Ib24cb1739cfef93e4a1349d786a0257ee1083cfb Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51326 Reviewed-by: David Benjamin <davidben@google.com>
The word “calculated” is two letters longer than “expected” and it's nice to line up the outputs. Change-Id: Idac70e62d98fbe26c430f03f4643ba295e40853d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51327 Reviewed-by: David Benjamin <davidben@google.com>
AS10.20 requires that the self-test for the integrity algorithm pass before the integrity check itself. IG 10.3.A requires an HMAC self-test now. Therefore run these tests before the integrity check. Since we also need the ability to run all self-tests, both SHA self-tests and the HMAC test are run again when running self-tests. I'm assuming that they're so fast that it doesn't matter. Change-Id: I6b23b6fd3cb6107edd7420bc8680780719bd41d2 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51328 Reviewed-by: David Benjamin <davidben@google.com>
Builds that compile the FIPS stuff separately don't get this header from other files. Change-Id: I8a1b30ae360b08d4f4b9f804cd234998889477bc Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51405 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
- Uninitialised variable complained about by gcc-5.
- A file without a license header; added to exclude list.
This is instead of having it in the output.
…57b2cc68f961c56c72b0ca4 Boringssl merge c7a3c46
current-upstream-merge-20220318
…rge-20220318 Regenerated generated-src/err_data.c which was conflicting.
This function was added in google/boringssl@ec476ef to zero out the values in the integrity check. Meanwhile the context was changed to be flat in 14decef and optimize the performance of HMAC EVP operations. That's why `cleanse` and `cleanup` are now the same.
dkostic (Contributor) reviewed on Apr 5, 2022: Verified merge with runbook and commit doc.
samuel40791765 previously approved these changes on Apr 7, 2022.
dkostic previously approved these changes on Apr 8, 2022.
dkostic approved these changes on Apr 8, 2022.
samuel40791765 approved these changes on Apr 8, 2022.
R3hankhan123 pushed a commit to R3hankhan123/aws-lc that referenced this pull request on Aug 29, 2025:
- Missing comma
- Add test coverage for pregenerating bindings
Merge BoringSSL commits between google/boringssl@f797570 (Jan 13) and google/boringssl@c7a3c46 (Mar 15)
See PR #439 for details on the changes.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.