grpc 1.69.0 → 1.70.1

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{wnaf.c.inc → wnaf.cc.inc}

@@ -75,9 +75,9 @@
 #include <openssl/mem.h>
 #include <openssl/thread.h>
 
-#include "internal.h"
-#include "../bn/internal.h"
 #include "../../internal.h"
+#include "../bn/internal.h"
+#include "internal.h"
 
 
 // This file implements the wNAF-based interleaving multi-exponentiation method
@@ -186,22 +186,34 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
   size_t bits = EC_GROUP_order_bits(group);
   size_t wNAF_len = bits + 1;
 
-  int ret = 0;
+  // Stack-allocated space, which will be used if the task is small enough.
   int8_t wNAF_stack[EC_WNAF_STACK][EC_MAX_BYTES * 8 + 1];
-  int8_t (*wNAF_alloc)[EC_MAX_BYTES * 8 + 1] = NULL;
-  int8_t (*wNAF)[EC_MAX_BYTES * 8 + 1];
   EC_JACOBIAN precomp_stack[EC_WNAF_STACK][EC_WNAF_TABLE_SIZE];
-  EC_JACOBIAN (*precomp_alloc)[EC_WNAF_TABLE_SIZE] = NULL;
-  EC_JACOBIAN (*precomp)[EC_WNAF_TABLE_SIZE];
+
+  // Allocated pointers, which will remain NULL unless needed.
+  EC_JACOBIAN(*precomp_alloc)[EC_WNAF_TABLE_SIZE] = NULL;
+  int8_t(*wNAF_alloc)[EC_MAX_BYTES * 8 + 1] = NULL;
+
+  // These fields point either to the stack or heap buffers of the same name.
+  int8_t(*wNAF)[EC_MAX_BYTES * 8 + 1];
+  EC_JACOBIAN(*precomp)[EC_WNAF_TABLE_SIZE];
+
   if (num <= EC_WNAF_STACK) {
     wNAF = wNAF_stack;
     precomp = precomp_stack;
   } else {
-    wNAF_alloc = OPENSSL_calloc(num, sizeof(wNAF_alloc[0]));
-    precomp_alloc = OPENSSL_calloc(num, sizeof(precomp_alloc[0]));
-    if (wNAF_alloc == NULL || precomp_alloc == NULL) {
-      goto err;
+    wNAF_alloc = reinterpret_cast<decltype(wNAF_alloc)>(
+        OPENSSL_calloc(num, sizeof(wNAF_alloc[0])));
+    if (wNAF_alloc == NULL) {
+      return 0;
+    }
+    precomp_alloc = reinterpret_cast<decltype(precomp_alloc)>(
+        OPENSSL_calloc(num, sizeof(precomp_alloc[0])));
+    if (precomp_alloc == NULL) {
+      OPENSSL_free(wNAF_alloc);
+      return 0;
     }
+
     wNAF = wNAF_alloc;
     precomp = precomp_alloc;
   }
@@ -255,10 +267,7 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
     ec_GFp_simple_point_set_to_infinity(group, r);
   }
 
-  ret = 1;
-
-err:
   OPENSSL_free(wNAF_alloc);
   OPENSSL_free(precomp_alloc);
-  return ret;
+  return 1;
 }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/{ecdh.c.inc → ecdh.cc.inc}

@@ -72,7 +72,6 @@
 #include <openssl/ec_key.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
-#include <openssl/sha.h>
 
 #include "../../internal.h"
 #include "../ec/internal.h"
@@ -105,18 +104,28 @@ int ECDH_compute_key_fips(uint8_t *out, size_t out_len, const EC_POINT *pub_key,
   }
 
   FIPS_service_indicator_lock_state();
+  SHA256_CTX ctx;
+  SHA512_CTX ctx_512;
   switch (out_len) {
     case SHA224_DIGEST_LENGTH:
-      SHA224(buf, buflen, out);
+      BCM_sha224_init(&ctx);
+      BCM_sha224_update(&ctx, buf, buflen);
+      BCM_sha224_final(out, &ctx);
       break;
     case SHA256_DIGEST_LENGTH:
-      SHA256(buf, buflen, out);
+      BCM_sha256_init(&ctx);
+      BCM_sha256_update(&ctx, buf, buflen);
+      BCM_sha256_final(out, &ctx);
       break;
     case SHA384_DIGEST_LENGTH:
-      SHA384(buf, buflen, out);
+      BCM_sha384_init(&ctx_512);
+      BCM_sha384_update(&ctx_512, buf, buflen);
+      BCM_sha384_final(out, &ctx_512);
       break;
     case SHA512_DIGEST_LENGTH:
-      SHA512(buf, buflen, out);
+      BCM_sha512_init(&ctx_512);
+      BCM_sha512_update(&ctx_512, buf, buflen);
+      BCM_sha512_final(out, &ctx_512);
       break;
     default:
       OPENSSL_PUT_ERROR(ECDH, ECDH_R_UNKNOWN_DIGEST_LENGTH);

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/{ecdsa.c.inc → ecdsa.cc.inc}

@@ -58,7 +58,6 @@
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
-#include <openssl/sha.h>
 
 #include "../../internal.h"
 #include "../bn/internal.h"
@@ -268,17 +267,17 @@ int ecdsa_sign_fixed(const uint8_t *digest, size_t digest_len, uint8_t *sig,
 
   // Pass a SHA512 hash of the private key and digest as additional data
   // into the RBG. This is a hardening measure against entropy failure.
-  static_assert(SHA512_DIGEST_LENGTH >= 32,
+  static_assert(BCM_SHA512_DIGEST_LENGTH >= 32,
                 "additional_data is too large for SHA-512");
 
   FIPS_service_indicator_lock_state();
 
   SHA512_CTX sha;
-  uint8_t additional_data[SHA512_DIGEST_LENGTH];
-  SHA512_Init(&sha);
-  SHA512_Update(&sha, priv_key->words, order->width * sizeof(BN_ULONG));
-  SHA512_Update(&sha, digest, digest_len);
-  SHA512_Final(additional_data, &sha);
+  uint8_t additional_data[BCM_SHA512_DIGEST_LENGTH];
+  BCM_sha512_init(&sha);
+  BCM_sha512_update(&sha, priv_key->words, order->width * sizeof(BN_ULONG));
+  BCM_sha512_update(&sha, digest, digest_len);
+  BCM_sha512_final(additional_data, &sha);
 
   // Cap iterations so callers who supply invalid values as custom groups do not
   // infinite loop. This does not impact valid parameters (e.g. those covered by

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2021, Google Inc.
+/* Copyright 2021 The BoringSSL Authors
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/{fips_shared_support.c → fips_shared_support.cc}

@@ -1,4 +1,4 @@
-/* Copyright (c) 2019, Google Inc.
+/* Copyright 2019 The BoringSSL Authors
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -20,8 +20,7 @@
 // that must be replaced with the real value during the build process. This
 // value need only be distinct, i.e. so that we can safely search-and-replace it
 // in an object file.
-const uint8_t BORINGSSL_bcm_text_hash[32];
-const uint8_t BORINGSSL_bcm_text_hash[32] = {
+extern const uint8_t BORINGSSL_bcm_text_hash[32] = {
     0xae, 0x2c, 0xea, 0x2a, 0xbd, 0xa6, 0xf3, 0xec, 0x97, 0x7f, 0x9b,
     0xf6, 0x94, 0x9a, 0xfc, 0x83, 0x68, 0x27, 0xcb, 0xa0, 0xa0, 0x9f,
     0x6b, 0x6f, 0xde, 0x52, 0xcd, 0xe2, 0xcd, 0xff, 0x31, 0x80,

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hkdf/{hkdf.c.inc → hkdf.cc.inc}

@@ -1,4 +1,4 @@
-/* Copyright (c) 2014, Google Inc.
+/* Copyright 2014 The BoringSSL Authors
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/{hmac.c.inc → hmac.cc.inc}

@@ -98,7 +98,8 @@ void HMAC_CTX_init(HMAC_CTX *ctx) {
 }
 
 HMAC_CTX *HMAC_CTX_new(void) {
-  HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
+  HMAC_CTX *ctx =
+      reinterpret_cast<HMAC_CTX *>(OPENSSL_malloc(sizeof(HMAC_CTX)));
   if (ctx != NULL) {
     HMAC_CTX_init(ctx);
   }
@@ -215,7 +216,7 @@ int HMAC_Final(HMAC_CTX *ctx, uint8_t *out, unsigned int *out_len) {
 
   ret = 1;
 
- out:
+out:
   FIPS_service_indicator_unlock_state();
   if (ret) {
     HMAC_verify_service_indicator(ctx->md);

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/{gcm.c.inc → gcm.cc.inc}

@@ -135,14 +135,42 @@ void gcm_init_ssse3(u128 Htable[16], const uint64_t H[2]) {
 #if defined(HW_GCM) && defined(OPENSSL_X86_64)
 static size_t hw_gcm_encrypt(const uint8_t *in, uint8_t *out, size_t len,
                              const AES_KEY *key, uint8_t ivec[16],
-                             uint8_t Xi[16], const u128 Htable[16]) {
-  return aesni_gcm_encrypt(in, out, len, key, ivec, Htable, Xi);
+                             uint8_t Xi[16], const u128 Htable[16],
+                             enum gcm_impl_t impl) {
+  switch (impl) {
+    case gcm_x86_vaes_avx10_256:
+      len &= kSizeTWithoutLower4Bits;
+      aes_gcm_enc_update_vaes_avx10_256(in, out, len, key, ivec, Htable, Xi);
+      CRYPTO_store_u32_be(&ivec[12], CRYPTO_load_u32_be(&ivec[12]) + len / 16);
+      return len;
+    case gcm_x86_vaes_avx10_512:
+      len &= kSizeTWithoutLower4Bits;
+      aes_gcm_enc_update_vaes_avx10_512(in, out, len, key, ivec, Htable, Xi);
+      CRYPTO_store_u32_be(&ivec[12], CRYPTO_load_u32_be(&ivec[12]) + len / 16);
+      return len;
+    default:
+      return aesni_gcm_encrypt(in, out, len, key, ivec, Htable, Xi);
+  }
 }
 
 static size_t hw_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len,
                              const AES_KEY *key, uint8_t ivec[16],
-                             uint8_t Xi[16], const u128 Htable[16]) {
-  return aesni_gcm_decrypt(in, out, len, key, ivec, Htable, Xi);
+                             uint8_t Xi[16], const u128 Htable[16],
+                             enum gcm_impl_t impl) {
+  switch (impl) {
+    case gcm_x86_vaes_avx10_256:
+      len &= kSizeTWithoutLower4Bits;
+      aes_gcm_dec_update_vaes_avx10_256(in, out, len, key, ivec, Htable, Xi);
+      CRYPTO_store_u32_be(&ivec[12], CRYPTO_load_u32_be(&ivec[12]) + len / 16);
+      return len;
+    case gcm_x86_vaes_avx10_512:
+      len &= kSizeTWithoutLower4Bits;
+      aes_gcm_dec_update_vaes_avx10_512(in, out, len, key, ivec, Htable, Xi);
+      CRYPTO_store_u32_be(&ivec[12], CRYPTO_load_u32_be(&ivec[12]) + len / 16);
+      return len;
+    default:
+      return aesni_gcm_decrypt(in, out, len, key, ivec, Htable, Xi);
+  }
 }
 #endif  // HW_GCM && X86_64
 
@@ -150,7 +178,8 @@ static size_t hw_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len,
 
 static size_t hw_gcm_encrypt(const uint8_t *in, uint8_t *out, size_t len,
                              const AES_KEY *key, uint8_t ivec[16],
-                             uint8_t Xi[16], const u128 Htable[16]) {
+                             uint8_t Xi[16], const u128 Htable[16],
+                             enum gcm_impl_t impl) {
   const size_t len_blocks = len & kSizeTWithoutLower4Bits;
   if (!len_blocks) {
     return 0;
@@ -161,7 +190,8 @@ static size_t hw_gcm_encrypt(const uint8_t *in, uint8_t *out, size_t len,
 
 static size_t hw_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len,
                              const AES_KEY *key, uint8_t ivec[16],
-                             uint8_t Xi[16], const u128 Htable[16]) {
+                             uint8_t Xi[16], const u128 Htable[16],
+                             enum gcm_impl_t impl) {
   const size_t len_blocks = len & kSizeTWithoutLower4Bits;
   if (!len_blocks) {
     return 0;
@@ -173,21 +203,28 @@ static size_t hw_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len,
 #endif  // HW_GCM && AARCH64
 
 void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,
-                       u128 out_table[16], int *out_is_avx,
-                       const uint8_t gcm_key[16]) {
-  *out_is_avx = 0;
-
+                       u128 out_table[16], const uint8_t gcm_key[16]) {
   // H is passed to |gcm_init_*| as a pair of byte-swapped, 64-bit values.
   uint64_t H[2] = {CRYPTO_load_u64_be(gcm_key),
                    CRYPTO_load_u64_be(gcm_key + 8)};
 
 #if defined(GHASH_ASM_X86_64)
   if (crypto_gcm_clmul_enabled()) {
+    if (CRYPTO_is_AVX512BW_capable() && CRYPTO_is_AVX512VL_capable() &&
+        CRYPTO_is_VPCLMULQDQ_capable() && CRYPTO_is_BMI2_capable()) {
+      gcm_init_vpclmulqdq_avx10(out_table, H);
+      *out_mult = gcm_gmult_vpclmulqdq_avx10;
+      if (CRYPTO_cpu_avoid_zmm_registers()) {
+        *out_hash = gcm_ghash_vpclmulqdq_avx10_256;
+      } else {
+        *out_hash = gcm_ghash_vpclmulqdq_avx10_512;
+      }
+      return;
+    }
     if (CRYPTO_is_AVX_capable() && CRYPTO_is_MOVBE_capable()) {
       gcm_init_avx(out_table, H);
       *out_mult = gcm_gmult_avx;
       *out_hash = gcm_ghash_avx;
-      *out_is_avx = 1;
       return;
     }
     gcm_init_clmul(out_table, H);
@@ -244,14 +281,25 @@ void CRYPTO_gcm128_init_key(GCM128_KEY *gcm_key, const AES_KEY *aes_key,
   OPENSSL_memset(ghash_key, 0, sizeof(ghash_key));
   (*block)(ghash_key, ghash_key, aes_key);
 
-  int is_avx;
-  CRYPTO_ghash_init(&gcm_key->gmult, &gcm_key->ghash, gcm_key->Htable, &is_avx,
+  CRYPTO_ghash_init(&gcm_key->gmult, &gcm_key->ghash, gcm_key->Htable,
                     ghash_key);
 
-#if defined(OPENSSL_AARCH64) && !defined(OPENSSL_NO_ASM)
-  gcm_key->use_hw_gcm_crypt = (gcm_pmull_capable() && block_is_hwaes) ? 1 : 0;
-#else
-  gcm_key->use_hw_gcm_crypt = (is_avx && block_is_hwaes) ? 1 : 0;
+#if !defined(OPENSSL_NO_ASM)
+#if defined(OPENSSL_X86_64)
+  if (gcm_key->ghash == gcm_ghash_vpclmulqdq_avx10_256 &&
+      CRYPTO_is_VAES_capable()) {
+    gcm_key->impl = gcm_x86_vaes_avx10_256;
+  } else if (gcm_key->ghash == gcm_ghash_vpclmulqdq_avx10_512 &&
+             CRYPTO_is_VAES_capable()) {
+    gcm_key->impl = gcm_x86_vaes_avx10_512;
+  } else if (gcm_key->ghash == gcm_ghash_avx && block_is_hwaes) {
+    gcm_key->impl = gcm_x86_aesni;
+  }
+#elif defined(OPENSSL_AARCH64)
+  if (gcm_pmull_capable() && block_is_hwaes) {
+    gcm_key->impl = gcm_arm64_aes;
+  }
+#endif
 #endif
 }
 
@@ -565,11 +613,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const AES_KEY *key,
 
 #if defined(HW_GCM)
   // Check |len| to work around a C language bug. See https://crbug.com/1019588.
-  if (ctx->gcm_key.use_hw_gcm_crypt && len > 0) {
+  if (ctx->gcm_key.impl != gcm_separate && len > 0) {
     // |hw_gcm_encrypt| may not process all the input given to it. It may
     // not process *any* of its input if it is deemed too small.
     size_t bulk = hw_gcm_encrypt(in, out, len, key, ctx->Yi, ctx->Xi,
-                                 ctx->gcm_key.Htable);
+                                 ctx->gcm_key.Htable, ctx->gcm_key.impl);
     in += bulk;
     out += bulk;
     len -= bulk;
@@ -654,11 +702,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const AES_KEY *key,
 
 #if defined(HW_GCM)
   // Check |len| to work around a C language bug. See https://crbug.com/1019588.
-  if (ctx->gcm_key.use_hw_gcm_crypt && len > 0) {
+  if (ctx->gcm_key.impl != gcm_separate && len > 0) {
     // |hw_gcm_decrypt| may not process all the input given to it. It may
     // not process *any* of its input if it is deemed too small.
     size_t bulk = hw_gcm_decrypt(in, out, len, key, ctx->Yi, ctx->Xi,
-                                 ctx->gcm_key.Htable);
+                                 ctx->gcm_key.Htable, ctx->gcm_key.impl);
     in += bulk;
     out += bulk;
     len -= bulk;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/{gcm_nohw.c.inc → gcm_nohw.cc.inc}

@@ -1,4 +1,4 @@
-/* Copyright (c) 2019, Google Inc.
+/* Copyright 2019 The BoringSSL Authors
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h

@@ -126,6 +126,15 @@ void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len,
 // can be safely copied. Additionally, |gcm_key| is split into a separate
 // struct.
 
+// gcm_impl_t specifies an assembly implementation of AES-GCM.
+enum gcm_impl_t {
+  gcm_separate = 0,  // No combined AES-GCM, but may have AES-CTR and GHASH.
+  gcm_x86_aesni,
+  gcm_x86_vaes_avx10_256,
+  gcm_x86_vaes_avx10_512,
+  gcm_arm64_aes,
+};
+
 typedef struct { uint64_t hi,lo; } u128;
 
 // gmult_func multiplies |Xi| by the GCM key and writes the result back to
@@ -148,10 +157,7 @@ typedef struct gcm128_key_st {
   ghash_func ghash;
 
   block128_f block;
-
-  // use_hw_gcm_crypt is true if this context should use platform-specific
-  // assembly to process GCM data.
-  unsigned use_hw_gcm_crypt:1;
+  enum gcm_impl_t impl;
 } GCM128_KEY;
 
 // GCM128_CONTEXT contains state for a single GCM operation. The structure
@@ -182,72 +188,62 @@ int crypto_gcm_clmul_enabled(void);
 
 // CRYPTO_ghash_init writes a precomputed table of powers of |gcm_key| to
 // |out_table| and sets |*out_mult| and |*out_hash| to (potentially hardware
-// accelerated) functions for performing operations in the GHASH field. If the
-// AVX implementation was used |*out_is_avx| will be true.
+// accelerated) functions for performing operations in the GHASH field.
 void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,
-                       u128 out_table[16], int *out_is_avx,
-                       const uint8_t gcm_key[16]);
+                       u128 out_table[16], const uint8_t gcm_key[16]);
 
 // CRYPTO_gcm128_init_key initialises |gcm_key| to use |block| (typically AES)
 // with the given key. |block_is_hwaes| is one if |block| is |aes_hw_encrypt|.
-OPENSSL_EXPORT void CRYPTO_gcm128_init_key(GCM128_KEY *gcm_key,
-                                           const AES_KEY *key, block128_f block,
-                                           int block_is_hwaes);
+void CRYPTO_gcm128_init_key(GCM128_KEY *gcm_key, const AES_KEY *key,
+                            block128_f block, int block_is_hwaes);
 
 // CRYPTO_gcm128_setiv sets the IV (nonce) for |ctx|. The |key| must be the
 // same key that was passed to |CRYPTO_gcm128_init|.
-OPENSSL_EXPORT void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const AES_KEY *key,
-                                        const uint8_t *iv, size_t iv_len);
+void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const AES_KEY *key,
+                         const uint8_t *iv, size_t iv_len);
 
 // CRYPTO_gcm128_aad sets the authenticated data for an instance of GCM.
 // This must be called before and data is encrypted. It returns one on success
 // and zero otherwise.
-OPENSSL_EXPORT int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const uint8_t *aad,
-                                     size_t len);
+int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const uint8_t *aad, size_t len);
 
 // CRYPTO_gcm128_encrypt encrypts |len| bytes from |in| to |out|. The |key|
 // must be the same key that was passed to |CRYPTO_gcm128_init|. It returns one
 // on success and zero otherwise.
-OPENSSL_EXPORT int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
-                                         const AES_KEY *key, const uint8_t *in,
-                                         uint8_t *out, size_t len);
+int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const AES_KEY *key,
+                          const uint8_t *in, uint8_t *out, size_t len);
 
 // CRYPTO_gcm128_decrypt decrypts |len| bytes from |in| to |out|. The |key|
 // must be the same key that was passed to |CRYPTO_gcm128_init|. It returns one
 // on success and zero otherwise.
-OPENSSL_EXPORT int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
-                                         const AES_KEY *key, const uint8_t *in,
-                                         uint8_t *out, size_t len);
+int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const AES_KEY *key,
+                          const uint8_t *in, uint8_t *out, size_t len);
 
 // CRYPTO_gcm128_encrypt_ctr32 encrypts |len| bytes from |in| to |out| using
 // a CTR function that only handles the bottom 32 bits of the nonce, like
 // |CRYPTO_ctr128_encrypt_ctr32|. The |key| must be the same key that was
 // passed to |CRYPTO_gcm128_init|. It returns one on success and zero
 // otherwise.
-OPENSSL_EXPORT int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
-                                               const AES_KEY *key,
-                                               const uint8_t *in, uint8_t *out,
-                                               size_t len, ctr128_f stream);
+int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const AES_KEY *key,
+                                const uint8_t *in, uint8_t *out, size_t len,
+                                ctr128_f stream);
 
 // CRYPTO_gcm128_decrypt_ctr32 decrypts |len| bytes from |in| to |out| using
 // a CTR function that only handles the bottom 32 bits of the nonce, like
 // |CRYPTO_ctr128_encrypt_ctr32|. The |key| must be the same key that was
 // passed to |CRYPTO_gcm128_init|. It returns one on success and zero
 // otherwise.
-OPENSSL_EXPORT int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
-                                               const AES_KEY *key,
-                                               const uint8_t *in, uint8_t *out,
-                                               size_t len, ctr128_f stream);
+int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const AES_KEY *key,
+                                const uint8_t *in, uint8_t *out, size_t len,
+                                ctr128_f stream);
 
 // CRYPTO_gcm128_finish calculates the authenticator and compares it against
 // |len| bytes of |tag|. It returns one on success and zero otherwise.
-OPENSSL_EXPORT int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const uint8_t *tag,
-                                        size_t len);
+int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const uint8_t *tag, size_t len);
 
 // CRYPTO_gcm128_tag calculates the authenticator and copies it into |tag|.
 // The minimum of |len| and 16 bytes are copied into |tag|.
-OPENSSL_EXPORT void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, uint8_t *tag,
-                                      size_t len);
+void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, uint8_t *tag, size_t len);
 
 
 // GCM assembly.
@@ -287,6 +283,30 @@ size_t aesni_gcm_encrypt(const uint8_t *in, uint8_t *out, size_t len,
 size_t aesni_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len,
                          const AES_KEY *key, uint8_t ivec[16],
                          const u128 Htable[16], uint8_t Xi[16]);
+
+void gcm_init_vpclmulqdq_avx10(u128 Htable[16], const uint64_t H[2]);
+void gcm_gmult_vpclmulqdq_avx10(uint8_t Xi[16], const u128 Htable[16]);
+void gcm_ghash_vpclmulqdq_avx10_256(uint8_t Xi[16], const u128 Htable[16],
+                                    const uint8_t *in, size_t len);
+void gcm_ghash_vpclmulqdq_avx10_512(uint8_t Xi[16], const u128 Htable[16],
+                                    const uint8_t *in, size_t len);
+void aes_gcm_enc_update_vaes_avx10_256(const uint8_t *in, uint8_t *out,
+                                       size_t len, const AES_KEY *key,
+                                       const uint8_t ivec[16],
+                                       const u128 Htable[16], uint8_t Xi[16]);
+void aes_gcm_dec_update_vaes_avx10_256(const uint8_t *in, uint8_t *out,
+                                       size_t len, const AES_KEY *key,
+                                       const uint8_t ivec[16],
+                                       const u128 Htable[16], uint8_t Xi[16]);
+void aes_gcm_enc_update_vaes_avx10_512(const uint8_t *in, uint8_t *out,
+                                       size_t len, const AES_KEY *key,
+                                       const uint8_t ivec[16],
+                                       const u128 Htable[16], uint8_t Xi[16]);
+void aes_gcm_dec_update_vaes_avx10_512(const uint8_t *in, uint8_t *out,
+                                       size_t len, const AES_KEY *key,
+                                       const uint8_t ivec[16],
+                                       const u128 Htable[16], uint8_t Xi[16]);
+
 #endif  // OPENSSL_X86_64
 
 #if defined(OPENSSL_X86)

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/{polyval.c.inc → polyval.cc.inc}

@@ -1,4 +1,4 @@
-/* Copyright (c) 2016, Google Inc.
+/* Copyright 2016 The BoringSSL Authors
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -56,8 +56,7 @@ void CRYPTO_POLYVAL_init(struct polyval_ctx *ctx, const uint8_t key[16]) {
   OPENSSL_memcpy(H, key, 16);
   reverse_and_mulX_ghash(H);
 
-  int is_avx;
-  CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, ctx->Htable, &is_avx, H);
+  CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, ctx->Htable, H);
   OPENSSL_memset(&ctx->S, 0, sizeof(ctx->S));
 }
 

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/{ctrdrbg.c.inc → ctrdrbg.cc.inc}

@@ -1,4 +1,4 @@
-/* Copyright (c) 2017, Google Inc.
+/* Copyright 2017 The BoringSSL Authors
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,9 +18,9 @@
 
 #include <openssl/mem.h>
 
-#include "internal.h"
 #include "../cipher/internal.h"
 #include "../service_indicator/internal.h"
+#include "internal.h"
 
 
 // Section references in this file refer to SP 800-90Ar1:
@@ -32,7 +32,8 @@ static const uint64_t kMaxReseedCount = UINT64_C(1) << 48;
 CTR_DRBG_STATE *CTR_DRBG_new(const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],
                              const uint8_t *personalization,
                              size_t personalization_len) {
-  CTR_DRBG_STATE *drbg = OPENSSL_malloc(sizeof(CTR_DRBG_STATE));
+  CTR_DRBG_STATE *drbg = reinterpret_cast<CTR_DRBG_STATE *>(
+      OPENSSL_malloc(sizeof(CTR_DRBG_STATE)));
   if (drbg == NULL ||
       !CTR_DRBG_init(drbg, entropy, personalization, personalization_len)) {
     CTR_DRBG_free(drbg);
@@ -177,7 +178,7 @@ int CTR_DRBG_generate(CTR_DRBG_STATE *drbg, uint8_t *out, size_t out_len,
       todo = out_len;
     }
 
-    todo &= ~(AES_BLOCK_SIZE-1);
+    todo &= ~(AES_BLOCK_SIZE - 1);
     const size_t num_blocks = todo / AES_BLOCK_SIZE;
 
     if (drbg->ctr) {

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2015, Google Inc.
+/* Copyright 2015 The BoringSSL Authors
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above