grpc 1.57.0 → 1.58.0.pre1

data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c

@@ -26,8 +26,7 @@
 #include "../internal.h"
 
 
-// This file implements hash-to-curve, as described in
-// draft-irtf-cfrg-hash-to-curve-16.
+// This file implements hash-to-curve, as described in RFC 9380.
 //
 // This hash-to-curve implementation is written generically with the
 // expectation that we will eventually wish to support other curves. If it
@@ -48,8 +47,7 @@
 //   templates to make specializing more convenient.
 
 // expand_message_xmd implements the operation described in section 5.3.1 of
-// draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on
-// error.
+// RFC 9380. It returns one on success and zero on error.
 static int expand_message_xmd(const EVP_MD *md, uint8_t *out, size_t out_len,
                               const uint8_t *msg, size_t msg_len,
                               const uint8_t *dst, size_t dst_len) {
@@ -138,7 +136,7 @@ err:
 
 // num_bytes_to_derive determines the number of bytes to derive when hashing to
 // a number modulo |modulus|. See the hash_to_field operation defined in
-// section 5.2 of draft-irtf-cfrg-hash-to-curve-16.
+// section 5.2 of RFC 9380.
 static int num_bytes_to_derive(size_t *out, const BIGNUM *modulus, unsigned k) {
   size_t bits = BN_num_bits(modulus);
   size_t L = (bits + k + 7) / 8;
@@ -171,8 +169,7 @@ static void big_endian_to_words(BN_ULONG *out, size_t num_words,
 }
 
 // hash_to_field implements the operation described in section 5.2
-// of draft-irtf-cfrg-hash-to-curve-16, with count = 2. |k| is the security
-// factor.
+// of RFC 9380, with count = 2. |k| is the security factor.
 static int hash_to_field2(const EC_GROUP *group, const EVP_MD *md,
                           EC_FELEM *out1, EC_FELEM *out2, const uint8_t *dst,
                           size_t dst_len, unsigned k, const uint8_t *msg,
@@ -221,8 +218,7 @@ static inline void mul_A(const EC_GROUP *group, EC_FELEM *out,
   ec_felem_sub(group, out, in, &tmp);     // out = -3*in
 }
 
-// sgn0 implements the operation described in section 4.1.2 of
-// draft-irtf-cfrg-hash-to-curve-16.
+// sgn0 implements the operation described in section 4.1.2 of RFC 9380.
 static BN_ULONG sgn0(const EC_GROUP *group, const EC_FELEM *a) {
   uint8_t buf[EC_MAX_BYTES];
   size_t len;
@@ -235,7 +231,7 @@ OPENSSL_UNUSED static int is_3mod4(const EC_GROUP *group) {
 }
 
 // sqrt_ratio_3mod4 implements the operation described in appendix F.2.1.2
-// of draft-irtf-cfrg-hash-to-curve-16.
+// of RFC 9380.
 static BN_ULONG sqrt_ratio_3mod4(const EC_GROUP *group, const EC_FELEM *Z,
                                  const BN_ULONG *c1, size_t num_c1,
                                  const EC_FELEM *c2, EC_FELEM *out_y,
@@ -270,8 +266,7 @@ static BN_ULONG sqrt_ratio_3mod4(const EC_GROUP *group, const EC_FELEM *Z,
 }
 
 // map_to_curve_simple_swu implements the operation described in section 6.6.2
-// of draft-irtf-cfrg-hash-to-curve-16, using the straight-line implementation
-// in appendix F.2.
+// of RFC 9380, using the straight-line implementation in appendix F.2.
 static void map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z,
                                     const BN_ULONG *c1, size_t num_c1,
                                     const EC_FELEM *c2, EC_JACOBIAN *out,
@@ -405,7 +400,7 @@ int ec_hash_to_curve_p256_xmd_sha256_sswu(const EC_GROUP *group,
                                           EC_JACOBIAN *out, const uint8_t *dst,
                                           size_t dst_len, const uint8_t *msg,
                                           size_t msg_len) {
-  // See section 8.3 of draft-irtf-cfrg-hash-to-curve-16.
+  // See section 8.3 of RFC 9380.
   if (EC_GROUP_get_curve_name(group) != NID_X9_62_prime256v1) {
     OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);
     return 0;
@@ -438,7 +433,7 @@ int ec_hash_to_curve_p384_xmd_sha384_sswu(const EC_GROUP *group,
                                           EC_JACOBIAN *out, const uint8_t *dst,
                                           size_t dst_len, const uint8_t *msg,
                                           size_t msg_len) {
-  // See section 8.3 of draft-irtf-cfrg-hash-to-curve-16.
+  // See section 8.3 of RFC 9380.
   if (EC_GROUP_get_curve_name(group) != NID_secp384r1) {
     OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);
     return 0;

data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h

@@ -30,24 +30,22 @@ extern "C" {
 
 // ec_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and
 // writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite
-// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on
-// error.
+// from RFC 9380. It returns one on success and zero on error.
 OPENSSL_EXPORT int ec_hash_to_curve_p256_xmd_sha256_sswu(
     const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
     const uint8_t *msg, size_t msg_len);
 
 // ec_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and
 // writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite
-// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on
-// error.
+// from RFC 9380. It returns one on success and zero on error.
 OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha384_sswu(
     const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,
     const uint8_t *msg, size_t msg_len);
 
 // ec_hash_to_scalar_p384_xmd_sha384 hashes |msg| to a scalar on |group|
 // and writes the result to |out|, using the hash_to_field operation from the
-// P384_XMD:SHA-384_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-16, but
-// generating a value modulo the group order rather than a field element.
+// P384_XMD:SHA-384_SSWU_RO_ suite from RFC 9380, but generating a value modulo
+// the group order rather than a field element.
 OPENSSL_EXPORT int ec_hash_to_scalar_p384_xmd_sha384(
     const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len,
     const uint8_t *msg, size_t msg_len);

data/third_party/boringssl-with-bazel/src/crypto/err/err.c

@@ -552,22 +552,21 @@ char *ERR_error_string_n(uint32_t packed_error, char *buf, size_t len) {
   const char *lib_str = err_lib_error_string(packed_error);
   const char *reason_str = err_reason_error_string(packed_error);
 
-  char lib_buf[64], reason_buf[64];
+  char lib_buf[32], reason_buf[32];
   if (lib_str == NULL) {
-    BIO_snprintf(lib_buf, sizeof(lib_buf), "lib(%u)", lib);
+    snprintf(lib_buf, sizeof(lib_buf), "lib(%u)", lib);
     lib_str = lib_buf;
   }
 
- if (reason_str == NULL) {
-    BIO_snprintf(reason_buf, sizeof(reason_buf), "reason(%u)", reason);
+  if (reason_str == NULL) {
+    snprintf(reason_buf, sizeof(reason_buf), "reason(%u)", reason);
     reason_str = reason_buf;
   }
 
-  BIO_snprintf(buf, len, "error:%08" PRIx32 ":%s:OPENSSL_internal:%s",
-               packed_error, lib_str, reason_str);
-
-  if (strlen(buf) == len - 1) {
-    // output may be truncated; make sure we always have 5 colon-separated
+  int ret = snprintf(buf, len, "error:%08" PRIx32 ":%s:OPENSSL_internal:%s",
+                     packed_error, lib_str, reason_str);
+  if (ret >= 0 && (size_t)ret >= len) {
+    // The output was truncated; make sure we always have 5 colon-separated
     // fields, i.e. 4 colons.
     static const unsigned num_colons = 4;
     unsigned i;
@@ -617,8 +616,8 @@ void ERR_print_errors_cb(ERR_print_errors_callback_t callback, void *ctx) {
     }
 
     ERR_error_string_n(packed_error, buf, sizeof(buf));
-    BIO_snprintf(buf2, sizeof(buf2), "%lu:%s:%s:%d:%s\n", thread_hash, buf,
-                 file, line, (flags & ERR_FLAG_STRING) ? data : "");
+    snprintf(buf2, sizeof(buf2), "%lu:%s:%s:%d:%s\n", thread_hash, buf, file,
+             line, (flags & ERR_FLAG_STRING) ? data : "");
     if (callback(buf2, strlen(buf2), ctx) <= 0) {
       break;
     }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c

@@ -57,12 +57,40 @@
 #include <openssl/dh.h>
 
 #include <openssl/bn.h>
+#include <openssl/err.h>
 
 #include "internal.h"
 
 
+int dh_check_params_fast(const DH *dh) {
+  // Most operations scale with p and q.
+  if (BN_is_negative(dh->p) || !BN_is_odd(dh->p) ||
+      BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+    OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS);
+    return 0;
+  }
+
+  // q must be bounded by p.
+  if (dh->q != NULL && (BN_is_negative(dh->q) || BN_ucmp(dh->q, dh->p) > 0)) {
+    OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS);
+    return 0;
+  }
+
+  // g must be an element of p's multiplicative group.
+  if (BN_is_negative(dh->g) || BN_is_zero(dh->g) ||
+      BN_ucmp(dh->g, dh->p) >= 0) {
+    OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS);
+    return 0;
+  }
+
+  return 1;
+}
+
 int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) {
   *out_flags = 0;
+  if (!dh_check_params_fast(dh)) {
+    return 0;
+  }
 
   BN_CTX *ctx = BN_CTX_new();
   if (ctx == NULL) {
@@ -73,17 +101,14 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) {
   int ok = 0;
 
   // Check |pub_key| is greater than 1.
-  BIGNUM *tmp = BN_CTX_get(ctx);
-  if (tmp == NULL ||
-      !BN_set_word(tmp, 1)) {
-    goto err;
-  }
-  if (BN_cmp(pub_key, tmp) <= 0) {
+  if (BN_cmp(pub_key, BN_value_one()) <= 0) {
     *out_flags |= DH_CHECK_PUBKEY_TOO_SMALL;
   }
 
   // Check |pub_key| is less than |dh->p| - 1.
-  if (!BN_copy(tmp, dh->p) ||
+  BIGNUM *tmp = BN_CTX_get(ctx);
+  if (tmp == NULL ||
+      !BN_copy(tmp, dh->p) ||
       !BN_sub_word(tmp, 1)) {
     goto err;
   }
@@ -113,6 +138,11 @@ err:
 
 
 int DH_check(const DH *dh, int *out_flags) {
+  *out_flags = 0;
+  if (!dh_check_params_fast(dh)) {
+    return 0;
+  }
+
   // Check that p is a safe prime and if g is 2, 3 or 5, check that it is a
   // suitable generator where:
   //   for 2, p mod 24 == 11
@@ -124,7 +154,6 @@ int DH_check(const DH *dh, int *out_flags) {
   BN_ULONG l;
   BIGNUM *t1 = NULL, *t2 = NULL;
 
-  *out_flags = 0;
   ctx = BN_CTX_new();
   if (ctx == NULL) {
     goto err;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c

@@ -70,8 +70,6 @@
 #include "internal.h"
 
 
-#define OPENSSL_DH_MAX_MODULUS_BITS 10000
-
 DH *DH_new(void) {
   DH *dh = OPENSSL_malloc(sizeof(DH));
   if (dh == NULL) {
@@ -191,15 +189,14 @@ int DH_set_length(DH *dh, unsigned priv_length) {
 int DH_generate_key(DH *dh) {
   boringssl_ensure_ffdh_self_test();
 
+  if (!dh_check_params_fast(dh)) {
+    return 0;
+  }
+
   int ok = 0;
   int generate_new_key = 0;
   BN_CTX *ctx = NULL;
-  BIGNUM *pub_key = NULL, *priv_key = NULL;
-
-  if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
-    OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE);
-    goto err;
-  }
+  BIGNUM *pub_key = NULL, *priv_key = NULL, *priv_key_limit = NULL;
 
   ctx = BN_CTX_new();
   if (ctx == NULL) {
@@ -232,22 +229,44 @@ int DH_generate_key(DH *dh) {
 
   if (generate_new_key) {
     if (dh->q) {
-      if (!BN_rand_range_ex(priv_key, 2, dh->q)) {
+      // Section 5.6.1.1.4 of SP 800-56A Rev3 generates a private key uniformly
+      // from [1, min(2^N-1, q-1)].
+      //
+      // Although SP 800-56A Rev3 now permits a private key length N,
+      // |dh->priv_length| historically was ignored when q is available. We
+      // continue to ignore it and interpret such a configuration as N = len(q).
+      if (!BN_rand_range_ex(priv_key, 1, dh->q)) {
         goto err;
       }
     } else {
-      // secret exponent length
-      unsigned priv_bits = dh->priv_length;
-      if (priv_bits == 0) {
-        const unsigned p_bits = BN_num_bits(dh->p);
-        if (p_bits == 0) {
+      // If q is unspecified, we expect p to be a safe prime, with g generating
+      // the (p-1)/2 subgroup. So, we use q = (p-1)/2. (If g generates a smaller
+      // prime-order subgroup, q will still divide (p-1)/2.)
+      //
+      // We set N from |dh->priv_length|. Section 5.6.1.1.4 of SP 800-56A Rev3
+      // says to reject N > len(q), or N > num_bits(p) - 1. However, this logic
+      // originally aligned with PKCS#3, which allows num_bits(p). Instead, we
+      // clamp |dh->priv_length| before invoking the algorithm.
+
+      // Compute M = min(2^N, q).
+      priv_key_limit = BN_new();
+      if (priv_key_limit == NULL) {
+        goto err;
+      }
+      if (dh->priv_length == 0 || dh->priv_length >= BN_num_bits(dh->p) - 1) {
+        // M = q = (p - 1) / 2.
+        if (!BN_rshift1(priv_key_limit, dh->p)) {
+          goto err;
+        }
+      } else {
+        // M = 2^N.
+        if (!BN_set_bit(priv_key_limit, dh->priv_length)) {
           goto err;
         }
-
-        priv_bits = p_bits - 1;
       }
 
-      if (!BN_rand(priv_key, priv_bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) {
+      // Choose a private key uniformly from [1, M-1].
+      if (!BN_rand_range_ex(priv_key, 1, priv_key_limit)) {
         goto err;
       }
     }
@@ -273,14 +292,14 @@ err:
   if (dh->priv_key == NULL) {
     BN_free(priv_key);
   }
+  BN_free(priv_key_limit);
   BN_CTX_free(ctx);
   return ok;
 }
 
 static int dh_compute_key(DH *dh, BIGNUM *out_shared_key,
                           const BIGNUM *peers_key, BN_CTX *ctx) {
-  if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
-    OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE);
+  if (!dh_check_params_fast(dh)) {
     return 0;
   }
 

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h

@@ -26,6 +26,8 @@ extern "C" {
 #endif
 
 
+#define OPENSSL_DH_MAX_MODULUS_BITS 10000
+
 struct dh_st {
   BIGNUM *p;
   BIGNUM *g;
@@ -44,6 +46,11 @@ struct dh_st {
   CRYPTO_refcount_t references;
 };
 
+// dh_check_params_fast checks basic invariants on |dh|'s domain parameters. It
+// does not check that |dh| forms a valid group, only that the sizes are within
+// DoS bounds.
+int dh_check_params_fast(const DH *dh);
+
 // dh_compute_key_padded_no_self_test does the same as |DH_compute_key_padded|,
 // but doesn't try to run the self-test first. This is for use in the self tests
 // themselves, to prevent an infinite loop.

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c

@@ -913,11 +913,6 @@ static int boringssl_self_test_fast(void) {
   }
 
   // TLS KDF KAT
-  static const uint8_t kTLSSecret[32] = {
-      0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82,
-      0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e,
-      0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31,
-  };
   static const char kTLSLabel[] = "FIPS self test";
   static const uint8_t kTLSSeed1[16] = {
       0x8f, 0x0d, 0xe8, 0xb6, 0x90, 0x8f, 0xb1, 0xd2,
@@ -927,17 +922,45 @@ static int boringssl_self_test_fast(void) {
       0x7d, 0x24, 0x1a, 0x9d, 0x3c, 0x59, 0xbf, 0x3c,
       0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81,
   };
-  static const uint8_t kTLSOutput[32] = {
-      0xe2, 0x1d, 0xd6, 0xc2, 0x68, 0xc7, 0x57, 0x03, 0x2c, 0x2c, 0xeb,
-      0xbb, 0xb8, 0xa9, 0x7d, 0xe9, 0xee, 0xe6, 0xc9, 0x47, 0x83, 0x0a,
-      0xbd, 0x11, 0x60, 0x5d, 0xd5, 0x2c, 0x47, 0xb6, 0x05, 0x88,
+
+  static const uint8_t kTLS10Secret[32] = {
+      0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82,
+      0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e,
+      0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31,
+  };
+  static const uint8_t kTLS10Output[32] = {
+      0x69, 0x7c, 0x4e, 0x2c, 0xee, 0x82, 0xb1, 0xd2, 0x8b, 0xac, 0x90,
+      0x7a, 0xa1, 0x8a, 0x81, 0xfe, 0xc5, 0x58, 0x45, 0x57, 0x61, 0x2f,
+      0x7a, 0x8d, 0x80, 0xfb, 0x44, 0xd8, 0x81, 0x60, 0xe5, 0xf8,
+  };
+  uint8_t tls10_output[sizeof(kTLS10Output)];
+  if (!CRYPTO_tls1_prf(EVP_md5_sha1(), tls10_output, sizeof(tls10_output),
+                       kTLS10Secret, sizeof(kTLS10Secret), kTLSLabel,
+                       sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1),
+                       kTLSSeed2, sizeof(kTLSSeed2)) ||
+      !check_test(kTLS10Output, tls10_output, sizeof(kTLS10Output),
+                  "TLS10-KDF KAT")) {
+    fprintf(stderr, "TLS KDF failed.\n");
+    goto err;
+  }
+
+  static const uint8_t kTLS12Secret[32] = {
+      0xc5, 0x43, 0x8e, 0xe2, 0x6f, 0xd4, 0xac, 0xbd, 0x25, 0x9f, 0xc9,
+      0x18, 0x55, 0xdc, 0x69, 0xbf, 0x88, 0x4e, 0xe2, 0x93, 0x22, 0xfc,
+      0xbf, 0xd2, 0x96, 0x6a, 0x46, 0x23, 0xd4, 0x2e, 0xc7, 0x81,
+  };
+  static const uint8_t kTLS12Output[32] = {
+      0xee, 0x4a, 0xcd, 0x3f, 0xa3, 0xd3, 0x55, 0x89, 0x9e, 0x6f, 0xf1,
+      0x38, 0x46, 0x9d, 0x2b, 0x33, 0xaa, 0x7f, 0xc4, 0x7f, 0x51, 0x85,
+      0x8a, 0xf3, 0x13, 0x84, 0xbf, 0x53, 0x6a, 0x65, 0x37, 0x51,
   };
-  uint8_t tls_output[sizeof(kTLSOutput)];
-  if (!CRYPTO_tls1_prf(EVP_sha256(), tls_output, sizeof(tls_output), kTLSSecret,
-                       sizeof(kTLSSecret), kTLSLabel, sizeof(kTLSLabel),
-                       kTLSSeed1, sizeof(kTLSSeed1), kTLSSeed2,
-                       sizeof(kTLSSeed2)) ||
-      !check_test(kTLSOutput, tls_output, sizeof(kTLSOutput), "TLS-KDF KAT")) {
+  uint8_t tls12_output[sizeof(kTLS12Output)];
+  if (!CRYPTO_tls1_prf(EVP_sha256(), tls12_output, sizeof(tls12_output),
+                       kTLS12Secret, sizeof(kTLS12Secret), kTLSLabel,
+                       sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1),
+                       kTLSSeed2, sizeof(kTLSSeed2)) ||
+      !check_test(kTLS12Output, tls12_output, sizeof(kTLS12Output),
+                  "TLS12-KDF KAT")) {
     fprintf(stderr, "TLS KDF failed.\n");
     goto err;
   }
@@ -978,7 +1001,7 @@ static int boringssl_self_test_fast(void) {
       !check_test(kTLS13ExpandLabelOutput, tls13_expand_label_output,
                   sizeof(kTLS13ExpandLabelOutput),
                   "CRYPTO_tls13_hkdf_expand_label")) {
-    fprintf(stderr, "TLSv1.3 KDF failed.\n");
+    fprintf(stderr, "TLS13-KDF failed.\n");
     goto err;
   }
 

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c

@@ -303,14 +303,11 @@ void HMAC_verify_service_indicator(const EVP_MD *evp_md) {
 }
 
 void TLSKDF_verify_service_indicator(const EVP_MD *md) {
-  // HMAC-MD5, HMAC-SHA1, and HMAC-MD5/HMAC-SHA1 (both used concurrently) are
-  // approved for use in the KDF in TLS 1.0/1.1.
-  // HMAC-SHA{256, 384, 512} are approved for use in the KDF in TLS 1.2.
-  // These Key Derivation functions are to be used in the context of the TLS
-  // protocol.
+  // HMAC-MD5/HMAC-SHA1 (both used concurrently) is approved for use in the KDF
+  // in TLS 1.0/1.1. HMAC-SHA{256, 384, 512} are approved for use in the KDF in
+  // TLS 1.2. These Key Derivation functions are to be used in the context of
+  // the TLS protocol.
   switch (EVP_MD_type(md)) {
-    case NID_md5:
-    case NID_sha1:
     case NID_md5_sha1:
     case NID_sha256:
     case NID_sha384:

data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c

@@ -352,6 +352,13 @@ int EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst, const EVP_HPKE_KEY *src) {
   return 1;
 }
 
+void EVP_HPKE_KEY_move(EVP_HPKE_KEY *out, EVP_HPKE_KEY *in) {
+  EVP_HPKE_KEY_cleanup(out);
+  // For now, |EVP_HPKE_KEY| is trivially movable.
+  OPENSSL_memcpy(out, in, sizeof(EVP_HPKE_KEY));
+  EVP_HPKE_KEY_zero(in);
+}
+
 int EVP_HPKE_KEY_init(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem,
                       const uint8_t *priv_key, size_t priv_key_len) {
   EVP_HPKE_KEY_zero(key);

data/third_party/boringssl-with-bazel/src/crypto/internal.h

@@ -109,6 +109,7 @@
 #ifndef OPENSSL_HEADER_CRYPTO_INTERNAL_H
 #define OPENSSL_HEADER_CRYPTO_INTERNAL_H
 
+#include <openssl/arm_arch.h>
 #include <openssl/crypto.h>
 #include <openssl/ex_data.h>
 #include <openssl/stack.h>
@@ -1353,9 +1354,15 @@ OPENSSL_INLINE int CRYPTO_is_ADX_capable(void) {
 
 #if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
 
-#if defined(OPENSSL_APPLE) && defined(OPENSSL_ARM)
-// We do not detect any features at runtime for Apple's 32-bit ARM platforms. On
-// 64-bit ARM, we detect some post-ARMv8.0 features.
+extern uint32_t OPENSSL_armcap_P;
+
+// We do not detect any features at runtime on several 32-bit Arm platforms.
+// Apple platforms and OpenBSD require NEON and moved to 64-bit to pick up Armv8
+// extensions. Android baremetal does not aim to support 32-bit Arm at all, but
+// it simplifies things to make it build.
+#if defined(OPENSSL_ARM) && !defined(OPENSSL_STATIC_ARMCAP) && \
+    (defined(OPENSSL_APPLE) || defined(OPENSSL_OPENBSD) ||     \
+     defined(ANDROID_BAREMETAL))
 #define OPENSSL_STATIC_ARMCAP
 #endif
 
@@ -1373,21 +1380,6 @@ OPENSSL_INLINE int CRYPTO_is_ADX_capable(void) {
 #endif
 #endif
 
-#if !defined(OPENSSL_STATIC_ARMCAP)
-// CRYPTO_is_NEON_capable_at_runtime returns true if the current CPU has a NEON
-// unit. Note that |OPENSSL_armcap_P| also exists and contains the same
-// information in a form that's easier for assembly to use.
-OPENSSL_EXPORT int CRYPTO_is_NEON_capable_at_runtime(void);
-
-// CRYPTO_is_ARMv8_AES_capable_at_runtime returns true if the current CPU
-// supports the ARMv8 AES instruction.
-int CRYPTO_is_ARMv8_AES_capable_at_runtime(void);
-
-// CRYPTO_is_ARMv8_PMULL_capable_at_runtime returns true if the current CPU
-// supports the ARMv8 PMULL instruction.
-int CRYPTO_is_ARMv8_PMULL_capable_at_runtime(void);
-#endif  // !OPENSSL_STATIC_ARMCAP
-
 // CRYPTO_is_NEON_capable returns true if the current CPU has a NEON unit. If
 // this is known statically, it is a constant inline function.
 OPENSSL_INLINE int CRYPTO_is_NEON_capable(void) {
@@ -1396,7 +1388,7 @@ OPENSSL_INLINE int CRYPTO_is_NEON_capable(void) {
 #elif defined(OPENSSL_STATIC_ARMCAP)
   return 0;
 #else
-  return CRYPTO_is_NEON_capable_at_runtime();
+  return (OPENSSL_armcap_P & ARMV7_NEON) != 0;
 #endif
 }
 
@@ -1406,7 +1398,7 @@ OPENSSL_INLINE int CRYPTO_is_ARMv8_AES_capable(void) {
 #elif defined(OPENSSL_STATIC_ARMCAP)
   return 0;
 #else
-  return CRYPTO_is_ARMv8_AES_capable_at_runtime();
+  return (OPENSSL_armcap_P & ARMV8_AES) != 0;
 #endif
 }
 
@@ -1416,7 +1408,7 @@ OPENSSL_INLINE int CRYPTO_is_ARMv8_PMULL_capable(void) {
 #elif defined(OPENSSL_STATIC_ARMCAP)
   return 0;
 #else
-  return CRYPTO_is_ARMv8_PMULL_capable_at_runtime();
+  return (OPENSSL_armcap_P & ARMV8_PMULL) != 0;
 #endif
 }
 

data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c

@@ -159,11 +159,10 @@ err:
 }
 
 int OBJ_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b) {
-  int ret;
-
-  ret = a->length - b->length;
-  if (ret) {
-    return ret;
+  if (a->length < b->length) {
+    return -1;
+  } else if (a->length > b->length) {
+    return 1;
   }
   return OPENSSL_memcmp(a->data, b->data, a->length);
 }
@@ -189,15 +188,7 @@ size_t OBJ_length(const ASN1_OBJECT *obj) {
 // unsigned int in the array.
 static int obj_cmp(const void *key, const void *element) {
   uint16_t nid = *((const uint16_t *)element);
-  const ASN1_OBJECT *a = key;
-  const ASN1_OBJECT *b = &kObjects[nid];
-
-  if (a->length < b->length) {
-    return -1;
-  } else if (a->length > b->length) {
-    return 1;
-  }
-  return OPENSSL_memcmp(a->data, b->data, a->length);
+  return OBJ_cmp(key, &kObjects[nid]);
 }
 
 int OBJ_obj2nid(const ASN1_OBJECT *obj) {
@@ -474,14 +465,6 @@ static uint32_t hash_data(const ASN1_OBJECT *obj) {
   return OPENSSL_hash32(obj->data, obj->length);
 }
 
-static int cmp_data(const ASN1_OBJECT *a, const ASN1_OBJECT *b) {
-  int i = a->length - b->length;
-  if (i) {
-    return i;
-  }
-  return OPENSSL_memcmp(a->data, b->data, a->length);
-}
-
 static uint32_t hash_short_name(const ASN1_OBJECT *obj) {
   return OPENSSL_strhash(obj->sn);
 }
@@ -509,7 +492,7 @@ static int obj_add_object(ASN1_OBJECT *obj) {
     global_added_by_nid = lh_ASN1_OBJECT_new(hash_nid, cmp_nid);
   }
   if (global_added_by_data == NULL) {
-    global_added_by_data = lh_ASN1_OBJECT_new(hash_data, cmp_data);
+    global_added_by_data = lh_ASN1_OBJECT_new(hash_data, OBJ_cmp);
   }
   if (global_added_by_short_name == NULL) {
     global_added_by_short_name =

data/third_party/boringssl-with-bazel/src/crypto/rand_extra/getentropy.c

@@ -12,6 +12,10 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
+#if !defined(_DEFAULT_SOURCE)
+#define _DEFAULT_SOURCE  // Needed for getentropy on musl and glibc
+#endif
+
 #include <openssl/rand.h>
 
 #include "../fipsmodule/rand/internal.h"

data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c

@@ -532,3 +532,8 @@ void sk_free(OPENSSL_STACK *sk) { OPENSSL_sk_free(sk); }
 size_t sk_push(OPENSSL_STACK *sk, void *p) { return OPENSSL_sk_push(sk, p); }
 
 void *sk_pop(OPENSSL_STACK *sk) { return OPENSSL_sk_pop(sk); }
+
+void sk_pop_free_ex(OPENSSL_STACK *sk, OPENSSL_sk_call_free_func call_free_func,
+                    OPENSSL_sk_free_func free_func) {
+  OPENSSL_sk_pop_free_ex(sk, call_free_func, free_func);
+}

data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c

@@ -64,8 +64,6 @@
 #include <openssl/thread.h>
 #include <openssl/x509.h>
 
-#if !defined(OPENSSL_TRUSTY)
-
 #include "../internal.h"
 #include "internal.h"
 
@@ -312,8 +310,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
         hent = NULL;
       }
       for (;;) {
-        BIO_snprintf(b->data, b->max, "%s/%08lx.%s%d", ent->dir, h, postfix,
-                     k);
+        snprintf(b->data, b->max, "%s/%08lx.%s%d", ent->dir, h, postfix, k);
 #ifndef OPENSSL_NO_POSIX_IO
 #if defined(_WIN32) && !defined(stat)
 #define stat _stat
@@ -403,5 +400,3 @@ finish:
   BUF_MEM_free(b);
   return ok;
 }
-
-#endif  // OPENSSL_TRUSTY

data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c

@@ -62,7 +62,6 @@
 
 #include "internal.h"
 
-#ifndef OPENSSL_NO_STDIO
 
 static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
                         char **ret);
@@ -278,5 +277,3 @@ err:
   sk_X509_INFO_pop_free(inf, X509_INFO_free);
   return count;
 }
-
-#endif  // OPENSSL_NO_STDIO