Update BoringSSL to 53a17f55247101105ae35767d5c5a6c311843a8e

Package.swift

@@ -20,7 +20,7 @@
 // Sources/CCryptoBoringSSL directory. The source repository is at
 // https://boringssl.googlesource.com/boringssl.
 //
-// BoringSSL Commit: 5298ef99bf2b2d77600b3bb74dd572027bf495be
+// BoringSSL Commit: 53a17f55247101105ae35767d5c5a6c311843a8e
 
 import PackageDescription
 

Sources/CCryptoBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64.linux.x86_64.S

@@ -3937,7 +3937,7 @@ do_length_block:
 	popq	%rbp
 .cfi_adjust_cfa_offset	-8
 	.byte	0xf3,0xc3
-.cfi_adjust_cfa_offset	(8 * 6) + 288 + 32
+.cfi_adjust_cfa_offset	(8 * 7) + 288 + 32
 
 seal_sse_128:
 	movdqu	.chacha20_consts(%rip),%xmm0

Sources/CCryptoBoringSSL/crypto/cipher_extra/derive_key.c

@@ -86,7 +86,7 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
   EVP_MD_CTX_init(&c);
   for (;;) {
     if (!EVP_DigestInit_ex(&c, md, NULL)) {
-      return 0;
+      goto err;
     }
     if (addmd++) {
       if (!EVP_DigestUpdate(&c, md_buf, mds)) {

Sources/CCryptoBoringSSL/crypto/cpu-arm-linux.c

@@ -146,11 +146,13 @@ extern uint32_t OPENSSL_armcap_P;
 static int g_has_broken_neon, g_needs_hwcap2_workaround;
 
 void OPENSSL_cpuid_setup(void) {
-  char *cpuinfo_data;
-  size_t cpuinfo_len;
-  if (!read_file(&cpuinfo_data, &cpuinfo_len, "/proc/cpuinfo")) {
-    return;
-  }
+  // We ignore the return value of |read_file| and proceed with an empty
+  // /proc/cpuinfo on error. If |getauxval| works, we will still detect
+  // capabilities. There may be a false positive due to
+  // |crypto_cpuinfo_has_broken_neon|, but this is now rare.
+  char *cpuinfo_data = NULL;
+  size_t cpuinfo_len = 0;
+  read_file(&cpuinfo_data, &cpuinfo_len, "/proc/cpuinfo");
   STRING_PIECE cpuinfo;
   cpuinfo.data = cpuinfo_data;
   cpuinfo.len = cpuinfo_len;

Sources/CCryptoBoringSSL/crypto/cpu-intel.c

@@ -123,7 +123,9 @@ static uint64_t OPENSSL_xgetbv(uint32_t xcr) {
 // and |out[1]|. See the comment in |OPENSSL_cpuid_setup| about this.
 static void handle_cpu_env(uint32_t *out, const char *in) {
   const int invert = in[0] == '~';
-  const int hex = in[invert] == '0' && in[invert+1] == 'x';
+  const int or = in[0] == '|';
+  const int skip_first_byte = invert || or;
+  const int hex = in[skip_first_byte] == '0' && in[skip_first_byte+1] == 'x';
 
   int sscanf_result;
   uint64_t v;
@@ -140,6 +142,9 @@ static void handle_cpu_env(uint32_t *out, const char *in) {
   if (invert) {
     out[0] &= ~v;
     out[1] &= ~(v >> 32);
+  } else if (or) {
+    out[0] |= v;
+    out[1] |= (v >> 32);
   } else {
     out[0] = v;
     out[1] = v >> 32;
@@ -264,10 +269,14 @@ void OPENSSL_cpuid_setup(void) {
 
   // OPENSSL_ia32cap can contain zero, one or two values, separated with a ':'.
   // Each value is a 64-bit, unsigned value which may start with "0x" to
-  // indicate a hex value. Prior to the 64-bit value, a '~' may be given.
+  // indicate a hex value. Prior to the 64-bit value, a '~' or '|' may be given.
   //
-  // If '~' isn't present, then the value is taken as the result of the CPUID.
-  // Otherwise the value is inverted and ANDed with the probed CPUID result.
+  // If the '~' prefix is present:
+  //   the value is inverted and ANDed with the probed CPUID result
+  // If the '|' prefix is present:
+  //   the value is ORed with the probed CPUID result
+  // Otherwise:
+  //   the value is taken as the result of the CPUID
   //
   // The first value determines OPENSSL_ia32cap_P[0] and [1]. The second [2]
   // and [3].

Sources/CCryptoBoringSSL/crypto/crypto.c

@@ -16,6 +16,8 @@
 
 #include <CCryptoBoringSSL_cpu.h>
 
+#include "fipsmodule/rand/fork_detect.h"
+#include "fipsmodule/rand/internal.h"
 #include "internal.h"
 
 
@@ -174,6 +176,15 @@ int CRYPTO_has_asm(void) {
 #endif
 }
 
+void CRYPTO_pre_sandbox_init(void) {
+  // Read from /proc/cpuinfo if needed.
+  CRYPTO_library_init();
+  // Open /dev/urandom if needed.
+  CRYPTO_init_sysrand();
+  // Set up MADV_WIPEONFORK state if needed.
+  CRYPTO_get_fork_generation();
+}
+
 const char *SSLeay_version(int which) { return OpenSSL_version(which); }
 
 const char *OpenSSL_version(int which) {

Sources/CCryptoBoringSSL/third_party/fiat/curve25519.c → Sources/CCryptoBoringSSL/crypto/curve25519/curve25519.c

@@ -1,29 +1,21 @@
-// The MIT License (MIT)
-//
-// Copyright (c) 2015-2016 the fiat-crypto authors (see the AUTHORS file).
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in all
-// copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-// SOFTWARE.
+/* Copyright (c) 2020, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
 // Some of this code is taken from the ref10 version of Ed25519 in SUPERCOP
 // 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
-// public domain but parts have been replaced with code generated by Fiat
-// (https://github.com/mit-plv/fiat-crypto), which is MIT licensed.
+// public domain. Other parts have been replaced to call into code generated by
+// Fiat (https://github.com/mit-plv/fiat-crypto) in //third_party/fiat.
 //
 // The field functions are shared by Ed25519 and X25519 where possible.
 
@@ -39,16 +31,16 @@
 #include <CCryptoBoringSSL_type_check.h>
 
 #include "internal.h"
-#include "../../crypto/internal.h"
+#include "../internal.h"
 
 
 // Various pre-computed constants.
 #include "./curve25519_tables.h"
 
 #if defined(BORINGSSL_CURVE25519_64BIT)
-#include "./curve25519_64.h"
+#include "../../third_party/fiat/curve25519_64.h"
 #else
-#include "./curve25519_32.h"
+#include "../../third_party/fiat/curve25519_32.h"
 #endif  // BORINGSSL_CURVE25519_64BIT
 
 

Sources/CCryptoBoringSSL/third_party/fiat/curve25519_tables.h → Sources/CCryptoBoringSSL/crypto/curve25519/curve25519_tables.h

@@ -1,24 +1,16 @@
-// The MIT License (MIT)
-//
-// Copyright (c) 2015-2016 the fiat-crypto authors (see the AUTHORS file).
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-// SOFTWARE.
+/* Copyright (c) 2020, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
 // This file is generated from
 //    ./make_curve25519_tables.py > curve25519_tables.h

Sources/CCryptoBoringSSL/third_party/fiat/internal.h → Sources/CCryptoBoringSSL/crypto/curve25519/internal.h

@@ -1,24 +1,16 @@
-// The MIT License (MIT)
-//
-// Copyright (c) 2015-2016 the fiat-crypto authors (see the AUTHORS file).
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in all
-// copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-// SOFTWARE.
+/* Copyright (c) 2020, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
 #ifndef OPENSSL_HEADER_CURVE25519_INTERNAL_H
 #define OPENSSL_HEADER_CURVE25519_INTERNAL_H
@@ -29,7 +21,7 @@ extern "C" {
 
 #include <CCryptoBoringSSL_base.h>
 
-#include "../../crypto/internal.h"
+#include "../internal.h"
 
 
 #if defined(OPENSSL_ARM) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_APPLE)

Sources/CCryptoBoringSSL/crypto/curve25519/spake25519.c

@@ -23,7 +23,7 @@
 #include <CCryptoBoringSSL_sha.h>
 
 #include "../internal.h"
-#include "../../third_party/fiat/internal.h"
+#include "./internal.h"
 
 
 // The following precomputation tables are for the following

Sources/CCryptoBoringSSL/crypto/dh/dh.c

@@ -113,6 +113,16 @@ void DH_free(DH *dh) {
   OPENSSL_free(dh);
 }
 
+const BIGNUM *DH_get0_pub_key(const DH *dh) { return dh->pub_key; }
+
+const BIGNUM *DH_get0_priv_key(const DH *dh) { return dh->priv_key; }
+
+const BIGNUM *DH_get0_p(const DH *dh) { return dh->p; }
+
+const BIGNUM *DH_get0_q(const DH *dh) { return dh->q; }
+
+const BIGNUM *DH_get0_g(const DH *dh) { return dh->g; }
+
 void DH_get0_key(const DH *dh, const BIGNUM **out_pub_key,
                  const BIGNUM **out_priv_key) {
   if (out_pub_key != NULL) {
@@ -174,6 +184,11 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
   return 1;
 }
 
+int DH_set_length(DH *dh, unsigned priv_length) {
+  dh->priv_length = priv_length;
+  return 1;
+}
+
 int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator, BN_GENCB *cb) {
   // We generate DH parameters as follows
   // find a prime q which is prime_bits/2 bits long.

Sources/CCryptoBoringSSL/crypto/dsa/dsa.c

@@ -131,6 +131,16 @@ int DSA_up_ref(DSA *dsa) {
   return 1;
 }
 
+const BIGNUM *DSA_get0_pub_key(const DSA *dsa) { return dsa->pub_key; }
+
+const BIGNUM *DSA_get0_priv_key(const DSA *dsa) { return dsa->priv_key; }
+
+const BIGNUM *DSA_get0_p(const DSA *dsa) { return dsa->p; }
+
+const BIGNUM *DSA_get0_q(const DSA *dsa) { return dsa->q; }
+
+const BIGNUM *DSA_get0_g(const DSA *dsa) { return dsa->g; }
+
 void DSA_get0_key(const DSA *dsa, const BIGNUM **out_pub_key,
                   const BIGNUM **out_priv_key) {
   if (out_pub_key != NULL) {