external/boringssl: Sync to 27bc0f26c8d132df04f5b0b173aefeb8aaa13c33.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/ba8f1864c15ec938ce0851f416663511c89f454a..27bc0f26c8d132df04f5b0b173aefeb8aaa13c33
Test: BoringSSL CTS Presubmits
Change-Id: Id63dac9fa22a3b41609f55bfe48d2cfaa53b25c6
diff --git a/src/include/openssl/base.h b/src/include/openssl/base.h
index adb5047..cc962f3 100644
--- a/src/include/openssl/base.h
+++ b/src/include/openssl/base.h
@@ -151,7 +151,7 @@
// A consumer may use this symbol in the preprocessor to temporarily build
// against multiple revisions of BoringSSL at the same time. It is not
// recommended to do so for longer than is necessary.
-#define BORINGSSL_API_VERSION 4
+#define BORINGSSL_API_VERSION 6
#if defined(BORINGSSL_SHARED_LIBRARY)
diff --git a/src/include/openssl/bn.h b/src/include/openssl/bn.h
index 9960b75..bb32c2f 100644
--- a/src/include/openssl/bn.h
+++ b/src/include/openssl/bn.h
@@ -487,8 +487,8 @@
// zero on allocation failure.
OPENSSL_EXPORT int BN_clear_bit(BIGNUM *a, int n);
-// BN_is_bit_set returns the value of the |n|th, least-significant bit in |a|,
-// or zero if the bit doesn't exist.
+// BN_is_bit_set returns one if the |n|th least-significant bit in |a| exists
+// and is set. Otherwise, it returns zero.
OPENSSL_EXPORT int BN_is_bit_set(const BIGNUM *a, int n);
// BN_mask_bits truncates |a| so that it is only |n| bits long. It returns one
@@ -618,17 +618,6 @@
// BN_pseudo_rand_range is an alias for BN_rand_range.
OPENSSL_EXPORT int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range);
-// BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike
-// BN_rand_range, it also includes the contents of |priv| and |message| in the
-// generation so that an RNG failure isn't fatal as long as |priv| remains
-// secret. This is intended for use in DSA and ECDSA where an RNG weakness
-// leads directly to private key exposure unless this function is used.
-// It returns one on success and zero on error.
-OPENSSL_EXPORT int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
- const BIGNUM *priv,
- const uint8_t *message,
- size_t message_len, BN_CTX *ctx);
-
// BN_GENCB holds a callback function that is used by generation functions that
// can take a very long time to complete. Use |BN_GENCB_set| to initialise a
// |BN_GENCB| structure.
diff --git a/src/include/openssl/bytestring.h b/src/include/openssl/bytestring.h
index 6d355b5..3906809 100644
--- a/src/include/openssl/bytestring.h
+++ b/src/include/openssl/bytestring.h
@@ -164,34 +164,36 @@
#define CBS_ASN1_UNIVERSALSTRING 0x1cu
#define CBS_ASN1_BMPSTRING 0x1eu
+// CBS_ASN1_TAG_SHIFT is how much the in-memory representation shifts the class
+// and constructed bits from the DER serialization. This allows representing tag
+// numbers beyond 31.
+//
+// Consumers must use the following constants to decompose or assemble tags.
+#define CBS_ASN1_TAG_SHIFT 24
+
// CBS_ASN1_CONSTRUCTED may be ORed into a tag to toggle the constructed
// bit. |CBS| and |CBB| APIs consider the constructed bit to be part of the
// tag.
-#define CBS_ASN1_CONSTRUCTED 0x20u
+#define CBS_ASN1_CONSTRUCTED (0x20u << CBS_ASN1_TAG_SHIFT)
-// The following values specify the constructed bit or tag class and may be ORed
-// into a tag number to produce the final tag. If none is used, the tag will be
-// UNIVERSAL.
-//
-// Note that although they currently match the DER serialization, consumers must
-// use these bits rather than make assumptions about the representation. This is
-// to allow for tag numbers beyond 31 in the future.
-#define CBS_ASN1_APPLICATION 0x40u
-#define CBS_ASN1_CONTEXT_SPECIFIC 0x80u
-#define CBS_ASN1_PRIVATE 0xc0u
+// The following values specify the tag class and may be ORed into a tag number
+// to produce the final tag. If none is used, the tag will be UNIVERSAL.
+#define CBS_ASN1_UNIVERSAL (0u << CBS_ASN1_TAG_SHIFT)
+#define CBS_ASN1_APPLICATION (0x40u << CBS_ASN1_TAG_SHIFT)
+#define CBS_ASN1_CONTEXT_SPECIFIC (0x80u << CBS_ASN1_TAG_SHIFT)
+#define CBS_ASN1_PRIVATE (0xc0u << CBS_ASN1_TAG_SHIFT)
-// CBS_ASN1_CLASS_MASK may be ANDed with a tag to query its class.
-#define CBS_ASN1_CLASS_MASK 0xc0u
+// CBS_ASN1_CLASS_MASK may be ANDed with a tag to query its class. This will
+// give one of the four values above.
+#define CBS_ASN1_CLASS_MASK (0xc0u << CBS_ASN1_TAG_SHIFT)
// CBS_ASN1_TAG_NUMBER_MASK may be ANDed with a tag to query its number.
-#define CBS_ASN1_TAG_NUMBER_MASK 0x1fu
+#define CBS_ASN1_TAG_NUMBER_MASK ((1u << (5 + CBS_ASN1_TAG_SHIFT)) - 1)
// CBS_get_asn1 sets |*out| to the contents of DER-encoded, ASN.1 element (not
// including tag and length bytes) and advances |cbs| over it. The ASN.1
// element must match |tag_value|. It returns one on success and zero
// on error.
-//
-// Tag numbers greater than 30 are not supported (i.e. short form only).
OPENSSL_EXPORT int CBS_get_asn1(CBS *cbs, CBS *out, unsigned tag_value);
// CBS_get_asn1_element acts like |CBS_get_asn1| but |out| will include the
@@ -209,16 +211,12 @@
// (not including tag and length bytes), sets |*out_tag| to the tag number, and
// advances |*cbs|. It returns one on success and zero on error. Either of |out|
// and |out_tag| may be NULL to ignore the value.
-//
-// Tag numbers greater than 30 are not supported (i.e. short form only).
OPENSSL_EXPORT int CBS_get_any_asn1(CBS *cbs, CBS *out, unsigned *out_tag);
// CBS_get_any_asn1_element sets |*out| to contain the next ASN.1 element from
// |*cbs| (including header bytes) and advances |*cbs|. It sets |*out_tag| to
// the tag number and |*out_header_len| to the length of the ASN.1 header. Each
// of |out|, |out_tag|, and |out_header_len| may be NULL to ignore the value.
-//
-// Tag numbers greater than 30 are not supported (i.e. short form only).
OPENSSL_EXPORT int CBS_get_any_asn1_element(CBS *cbs, CBS *out,
unsigned *out_tag,
size_t *out_header_len);
@@ -396,9 +394,7 @@
// CBB_add_asn1 sets |*out_contents| to a |CBB| into which the contents of an
// ASN.1 object can be written. The |tag| argument will be used as the tag for
-// the object. Passing in |tag| number 31 will return in an error since only
-// single octet identifiers are supported. It returns one on success or zero
-// on error.
+// the object. It returns one on success or zero on error.
OPENSSL_EXPORT int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag);
// CBB_add_bytes appends |len| bytes from |data| to |cbb|. It returns one on
diff --git a/src/include/openssl/dsa.h b/src/include/openssl/dsa.h
index 315e7ca..2966f9d 100644
--- a/src/include/openssl/dsa.h
+++ b/src/include/openssl/dsa.h
@@ -172,7 +172,7 @@
// DSA_do_sign returns a signature of the hash in |digest| by the key in |dsa|
// and returns an allocated, DSA_SIG structure, or NULL on error.
OPENSSL_EXPORT DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len,
- DSA *dsa);
+ const DSA *dsa);
// DSA_do_verify verifies that |sig| is a valid signature, by the public key in
// |dsa|, of the hash in |digest|. It returns one if so, zero if invalid and -1
@@ -212,7 +212,7 @@
// (The |type| argument is ignored.)
OPENSSL_EXPORT int DSA_sign(int type, const uint8_t *digest, size_t digest_len,
uint8_t *out_sig, unsigned int *out_siglen,
- DSA *dsa);
+ const DSA *dsa);
// DSA_verify verifies that |sig| is a valid, ASN.1 signature, by the public
// key in |dsa|, of the hash in |digest|. It returns one if so, zero if invalid
@@ -284,19 +284,6 @@
OPENSSL_EXPORT int DSA_marshal_parameters(CBB *cbb, const DSA *dsa);
-// Precomputation.
-
-// DSA_sign_setup precomputes the message independent part of the DSA signature
-// and writes them to |*out_kinv| and |*out_r|. Returns one on success, zero on
-// error.
-//
-// TODO(fork): decide what to do with this. Since making DSA* opaque there's no
-// way for the user to install them. Also, it forces the DSA* not to be const
-// when passing to the signing function.
-OPENSSL_EXPORT int DSA_sign_setup(const DSA *dsa, BN_CTX *ctx,
- BIGNUM **out_kinv, BIGNUM **out_r);
-
-
// Conversion.
// DSA_dup_DH returns a |DH| constructed from the parameters of |dsa|. This is
@@ -411,9 +398,6 @@
BIGNUM *pub_key; // y public key
BIGNUM *priv_key; // x private key
- BIGNUM *kinv; // Signing pre-calc
- BIGNUM *r; // Signing pre-calc
-
int flags;
// Normally used to cache montgomery values
CRYPTO_MUTEX method_mont_lock;
diff --git a/src/include/openssl/ec.h b/src/include/openssl/ec.h
index dee41b7..b34605f 100644
--- a/src/include/openssl/ec.h
+++ b/src/include/openssl/ec.h
@@ -402,5 +402,6 @@
#define EC_R_GROUP_MISMATCH 130
#define EC_R_INVALID_COFACTOR 131
#define EC_R_PUBLIC_KEY_VALIDATION_FAILED 132
+#define EC_R_INVALID_SCALAR 133
#endif // OPENSSL_HEADER_EC_H
diff --git a/src/include/openssl/ecdsa.h b/src/include/openssl/ecdsa.h
index ff26fe4..42da1c6 100644
--- a/src/include/openssl/ecdsa.h
+++ b/src/include/openssl/ecdsa.h
@@ -106,6 +106,16 @@
// ECDSA_SIG_free frees |sig| its member |BIGNUM|s.
OPENSSL_EXPORT void ECDSA_SIG_free(ECDSA_SIG *sig);
+// ECDSA_SIG_get0 sets |*out_r| and |*out_s|, if non-NULL, to the two
+// components of |sig|.
+OPENSSL_EXPORT void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **out_r,
+ const BIGNUM **out_s);
+
+// ECDSA_SIG_set0 sets |sig|'s components to |r| and |s|, neither of which may
+// be NULL. On success, it takes ownership of each argument and returns one.
+// Otherwise, it returns zero.
+OPENSSL_EXPORT int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+
// ECDSA_do_sign signs |digest_len| bytes from |digest| with |key| and returns
// the resulting signature structure, or NULL on error.
OPENSSL_EXPORT ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest,
@@ -118,34 +128,6 @@
const ECDSA_SIG *sig, const EC_KEY *key);
-// Signing with precomputation.
-//
-// Parts of the ECDSA signature can be independent of the message to be signed
-// thus it's possible to precompute them and reduce the signing latency.
-//
-// TODO(fork): remove support for this as it cannot support safe-randomness.
-
-// ECDSA_sign_setup precomputes parts of an ECDSA signing operation. It sets
-// |*kinv| and |*rp| to the precomputed values and uses the |ctx| argument, if
-// not NULL. It returns one on success and zero otherwise.
-OPENSSL_EXPORT int ECDSA_sign_setup(const EC_KEY *eckey, BN_CTX *ctx,
- BIGNUM **kinv, BIGNUM **rp);
-
-// ECDSA_do_sign_ex is the same as |ECDSA_do_sign| but takes precomputed values
-// as generated by |ECDSA_sign_setup|.
-OPENSSL_EXPORT ECDSA_SIG *ECDSA_do_sign_ex(const uint8_t *digest,
- size_t digest_len,
- const BIGNUM *kinv, const BIGNUM *rp,
- const EC_KEY *eckey);
-
-// ECDSA_sign_ex is the same as |ECDSA_sign| but takes precomputed values as
-// generated by |ECDSA_sign_setup|.
-OPENSSL_EXPORT int ECDSA_sign_ex(int type, const uint8_t *digest,
- size_t digest_len, uint8_t *sig,
- unsigned int *sig_len, const BIGNUM *kinv,
- const BIGNUM *rp, const EC_KEY *eckey);
-
-
// ASN.1 functions.
// ECDSA_SIG_parse parses a DER-encoded ECDSA-Sig-Value structure from |cbs| and
diff --git a/src/include/openssl/rsa.h b/src/include/openssl/rsa.h
index 74268cf..11aa8e4 100644
--- a/src/include/openssl/rsa.h
+++ b/src/include/openssl/rsa.h
@@ -89,6 +89,9 @@
// Properties.
+// RSA_bits returns the size of |rsa|, in bits.
+OPENSSL_EXPORT unsigned RSA_bits(const RSA *rsa);
+
// RSA_get0_key sets |*out_n|, |*out_e|, and |*out_d|, if non-NULL, to |rsa|'s
// modulus, public exponent, and private exponent, respectively. If |rsa| is a
// public key, the private exponent will be set to NULL.
diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h
index 8c36ad5..53a8eb5 100644
--- a/src/include/openssl/ssl.h
+++ b/src/include/openssl/ssl.h
@@ -1125,16 +1125,7 @@
// key hooks. This is used to off-load signing operations to a custom,
// potentially asynchronous, backend. Metadata about the key such as the type
// and size are parsed out of the certificate.
-//
-// TODO(davidben): This API has a number of legacy hooks. Remove the last
-// consumer of |sign_digest| and trim it.
struct ssl_private_key_method_st {
- // type is ignored and should be NULL.
- int (*type)(SSL *ssl);
-
- // max_signature_len is ignored and should be NULL.
- size_t (*max_signature_len)(SSL *ssl);
-
// sign signs the message |in| in using the specified signature algorithm. On
// success, it returns |ssl_private_key_success| and writes at most |max_out|
// bytes of signature data to |out| and sets |*out_len| to the number of bytes
@@ -1156,30 +1147,6 @@
uint16_t signature_algorithm,
const uint8_t *in, size_t in_len);
- // sign_digest signs |in_len| bytes of digest from |in|. |md| is the hash
- // function used to calculate |in|. On success, it returns
- // |ssl_private_key_success| and writes at most |max_out| bytes of signature
- // data to |out|. On failure, it returns |ssl_private_key_failure|. If the
- // operation has not completed, it returns |ssl_private_key_retry|. |sign|
- // should arrange for the high-level operation on |ssl| to be retried when the
- // operation is completed. This will result in a call to |complete|.
- //
- // If the key is an RSA key, implementations must use PKCS#1 padding. |in| is
- // the digest itself, so the DigestInfo prefix, if any, must be prepended by
- // |sign|. If |md| is |EVP_md5_sha1|, there is no prefix.
- //
- // It is an error to call |sign_digest| while another private key operation is
- // in progress on |ssl|.
- //
- // This function is deprecated. Implement |sign| instead.
- //
- // TODO(davidben): Remove this function.
- enum ssl_private_key_result_t (*sign_digest)(SSL *ssl, uint8_t *out,
- size_t *out_len, size_t max_out,
- const EVP_MD *md,
- const uint8_t *in,
- size_t in_len);
-
// decrypt decrypts |in_len| bytes of encrypted data from |in|. On success it
// returns |ssl_private_key_success|, writes at most |max_out| bytes of
// decrypted data to |out| and sets |*out_len| to the actual number of bytes
@@ -3978,18 +3945,6 @@
OPENSSL_EXPORT int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,
const char *dir);
-// SSL_set_private_key_digest_prefs copies |num_digests| NIDs from |digest_nids|
-// into |ssl|. These digests will be used, in decreasing order of preference,
-// when signing with |ssl|'s private key. It returns one on success and zero on
-// error.
-//
-// Use |SSL_set_signing_algorithm_prefs| instead.
-//
-// TODO(davidben): Remove this API when callers have been updated.
-OPENSSL_EXPORT int SSL_set_private_key_digest_prefs(SSL *ssl,
- const int *digest_nids,
- size_t num_digests);
-
// SSL_set_verify_result calls |abort| unless |result| is |X509_V_OK|.
//
// TODO(davidben): Remove this function once it has been removed from
@@ -4599,6 +4554,7 @@
#define SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA 279
#define SSL_R_NO_SUPPORTED_VERSIONS_ENABLED 280
#define SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE 281
+#define SSL_R_EMPTY_HELLO_RETRY_REQUEST 282
#define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
diff --git a/src/include/openssl/stack.h b/src/include/openssl/stack.h
index 1a0347e..46f57a3 100644
--- a/src/include/openssl/stack.h
+++ b/src/include/openssl/stack.h
@@ -245,7 +245,7 @@
// are defined in a header.
#define BORINGSSL_DEFINE_STACK_OF_IMPL(name, ptrtype, constptrtype) \
- DECLARE_STACK_OF(name); \
+ DECLARE_STACK_OF(name) \
\
typedef int (*stack_##name##_cmp_func)(constptrtype *a, constptrtype *b); \
\
diff --git a/src/include/openssl/x509.h b/src/include/openssl/x509.h
index 7db9466..430ffc0 100644
--- a/src/include/openssl/x509.h
+++ b/src/include/openssl/x509.h
@@ -680,8 +680,9 @@
OPENSSL_EXPORT X509_REQ *X509_REQ_dup(X509_REQ *req);
OPENSSL_EXPORT X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
OPENSSL_EXPORT int X509_ALGOR_set0(X509_ALGOR *alg, const ASN1_OBJECT *aobj, int ptype, void *pval);
-OPENSSL_EXPORT void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
- X509_ALGOR *algor);
+OPENSSL_EXPORT void X509_ALGOR_get0(const ASN1_OBJECT **paobj, int *pptype,
+ const void **ppval,
+ const X509_ALGOR *algor);
OPENSSL_EXPORT void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
OPENSSL_EXPORT int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);