Upstream merge 2023 05 05

.gitignore

@@ -17,9 +17,7 @@ bindings/rust/generate/target
 
 util/bot/android_ndk
 util/bot/android_sdk/public
-util/bot/cmake-linux64
-util/bot/cmake-mac
-util/bot/cmake-win32
+util/bot/cmake
 util/bot/golang
 util/bot/libFuzzer
 util/bot/libcxx

CMakeLists.txt

@@ -952,18 +952,18 @@ if(BUILD_TESTING)
 
       add_custom_target(
           run_tests
+          COMMAND ${GO_EXECUTABLE} test ${GO_TESTS}
           COMMAND ${GO_EXECUTABLE} run util/all_tests.go -build-dir
                  ${PROJECT_BINARY_DIR}
-          COMMAND ${GO_EXECUTABLE} test ${GO_TESTS}
           WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}
           DEPENDS all_tests run_ssl_runner_tests
           ${MAYBE_USES_TERMINAL})
     else()
       add_custom_target(
           run_tests
+          COMMAND ${GO_EXECUTABLE} test ${GO_TESTS}
           COMMAND ${GO_EXECUTABLE} run util/all_tests.go -build-dir
                   ${PROJECT_BINARY_DIR} -ssl-tests=false
-          COMMAND ${GO_EXECUTABLE} test ${GO_TESTS}
           WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}
           DEPENDS all_tests fips_specific_tests_if_any
           ${MAYBE_USES_TERMINAL}

crypto/asn1/a_mbstr.c

@@ -222,6 +222,8 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
     }
   }
 
+  CBB cbb;
+  CBB_zero(&cbb);
   // If both the same type just copy across
   if (inform == outform) {
     if (!ASN1_STRING_set(dest, in, len)) {
@@ -231,8 +233,6 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
     *out = dest;
     return str_type;
   }
-
-  CBB cbb;
   if (!CBB_init(&cbb, size_estimate + 1)) {
     goto err;
   }

crypto/asn1/asn1_test.cc

@@ -2575,4 +2575,66 @@ TEST(ASN1Test, DoublyTagged) {
   TestSerialize(obj.get(), i2d_DOUBLY_TAGGED, kTrueEmpty);
 }
 
+#define CHOICE_TYPE_OCT 0
+#define CHOICE_TYPE_BOOL 1
+
+struct CHOICE_TYPE {
+  int type;
+  union {
+    ASN1_OCTET_STRING *oct;
+    ASN1_BOOLEAN b;
+  } value;
+};
+
+DECLARE_ASN1_FUNCTIONS(CHOICE_TYPE)
+ASN1_CHOICE(CHOICE_TYPE) = {
+    ASN1_SIMPLE(CHOICE_TYPE, value.oct, ASN1_OCTET_STRING),
+    ASN1_SIMPLE(CHOICE_TYPE, value.b, ASN1_BOOLEAN),
+} ASN1_CHOICE_END(CHOICE_TYPE)
+IMPLEMENT_ASN1_FUNCTIONS(CHOICE_TYPE)
+
+struct OPTIONAL_CHOICE {
+  CHOICE_TYPE *choice;
+};
+
+DECLARE_ASN1_FUNCTIONS(OPTIONAL_CHOICE)
+ASN1_SEQUENCE(OPTIONAL_CHOICE) = {
+    ASN1_OPT(OPTIONAL_CHOICE, choice, CHOICE_TYPE),
+} ASN1_SEQUENCE_END(OPTIONAL_CHOICE)
+IMPLEMENT_ASN1_FUNCTIONS(OPTIONAL_CHOICE)
+
+TEST(ASN1Test, OptionalChoice) {
+  std::unique_ptr<OPTIONAL_CHOICE, decltype(&OPTIONAL_CHOICE_free)> obj(
+      nullptr, OPTIONAL_CHOICE_free);
+
+  // Value omitted.
+  static const uint8_t kOmitted[] = {0x30, 0x00};
+  const uint8_t *inp = kOmitted;
+  obj.reset(d2i_OPTIONAL_CHOICE(nullptr, &inp, sizeof(kOmitted)));
+  ASSERT_TRUE(obj);
+  EXPECT_FALSE(obj->choice);
+  TestSerialize(obj.get(), i2d_OPTIONAL_CHOICE, kOmitted);
+
+  // Value is present as an OCTET STRING.
+  static const uint8_t kOct[] = {0x30, 0x02, 0x04, 0x00};
+  inp = kOct;
+  obj.reset(d2i_OPTIONAL_CHOICE(nullptr, &inp, sizeof(kOct)));
+  ASSERT_TRUE(obj);
+  ASSERT_TRUE(obj->choice);
+  ASSERT_EQ(obj->choice->type, CHOICE_TYPE_OCT);
+  ASSERT_TRUE(obj->choice->value.oct);
+  EXPECT_EQ(ASN1_STRING_length(obj->choice->value.oct), 0);
+  TestSerialize(obj.get(), i2d_OPTIONAL_CHOICE, kOct);
+
+  // Value is present as TRUE.
+  static const uint8_t kTrue[] = {0x30, 0x03, 0x01, 0x01, 0xff};
+  inp = kTrue;
+  obj.reset(d2i_OPTIONAL_CHOICE(nullptr, &inp, sizeof(kTrue)));
+  ASSERT_TRUE(obj);
+  ASSERT_TRUE(obj->choice);
+  ASSERT_EQ(obj->choice->type, CHOICE_TYPE_BOOL);
+  EXPECT_EQ(obj->choice->value.b, ASN1_BOOLEAN_TRUE);
+  TestSerialize(obj.get(), i2d_OPTIONAL_CHOICE, kTrue);
+}
+
 #endif  // !WINDOWS || !SHARED_LIBRARY

crypto/asn1/tasn_enc.c

@@ -97,6 +97,7 @@ int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it) {
     p = buf;
     int len2 = ASN1_item_ex_i2d(&val, &p, it, /*tag=*/-1, /*aclass=*/0);
     if (len2 <= 0) {
+      OPENSSL_free(buf);
       return len2;
     }
     assert(len == len2);

crypto/compiler_test.cc

@@ -58,27 +58,49 @@ static void CheckRepresentation(T value) {
 }
 
 TEST(CompilerTest, IntegerRepresentation) {
-  EXPECT_EQ(8, CHAR_BIT);
-  EXPECT_EQ(0xff, static_cast<int>(UCHAR_MAX));
+  static_assert(CHAR_BIT == 8, "BoringSSL only supports 8-bit chars");
+  static_assert(UCHAR_MAX == 0xff, "BoringSSL only supports 8-bit chars");
 
-  // uint8_t is assumed to be unsigned char. I.e., casting to uint8_t should be
-  // as good as unsigned char for strict aliasing purposes.
+  // Require that |unsigned char| and |uint8_t| be the same type. We require
+  // that type-punning through |uint8_t| is not a strict aliasing violation. In
+  // principle, type-punning should be done with |memcpy|, which would make this
+  // moot.
+  //
+  // However, C made too many historical mistakes with the types and signedness
+  // of character strings. As a result, aliasing between all variations on 8-bit
+  // chars are a practical necessity for all real C code. We do not support
+  // toolchains that break this assumption.
+  static_assert(
+      std::is_same<unsigned char, uint8_t>::value,
+      "BoringSSL requires uint8_t and unsigned char be the same type");
   uint8_t u8 = 0;
   unsigned char *ptr = &u8;
   (void)ptr;
 
   // Sized integers have the expected size.
-  EXPECT_EQ(1u, sizeof(uint8_t));
-  EXPECT_EQ(2u, sizeof(uint16_t));
-  EXPECT_EQ(4u, sizeof(uint32_t));
-  EXPECT_EQ(8u, sizeof(uint64_t));
+  static_assert(sizeof(uint8_t) == 1u, "uint8_t has the wrong size");
+  static_assert(sizeof(uint16_t) == 2u, "uint16_t has the wrong size");
+  static_assert(sizeof(uint32_t) == 4u, "uint32_t has the wrong size");
+  static_assert(sizeof(uint64_t) == 8u, "uint64_t has the wrong size");
 
   // size_t does not exceed uint64_t.
-  EXPECT_LE(sizeof(size_t), 8u);
+  static_assert(sizeof(size_t) <= 8u, "size_t must not exceed uint64_t");
 
-  // int must be 32-bit or larger.
-  EXPECT_LE(0x7fffffff, INT_MAX);
-  EXPECT_LE(0xffffffffu, UINT_MAX);
+  // Require that |int| be exactly 32 bits. OpenSSL historically mixed up
+  // |unsigned| and |uint32_t|, so we require it be at least 32 bits. Requiring
+  // at most 32-bits is a bit more subtle. C promotes arithemetic operands to
+  // |int| when they fit. But this means, if |int| is 2N bits wide, multiplying
+  // two maximum-sized |uintN_t|s is undefined by integer overflow!
+  //
+  // We attempt to handle this for |uint16_t|, assuming a 32-bit |int|, but we
+  // make no attempts to correct for this with |uint32_t| for a 64-bit |int|.
+  // Thus BoringSSL does not support ILP64 platforms.
+  //
+  // This test is on |INT_MAX| and |INT32_MAX| rather than sizeof because it is
+  // theoretically allowed for sizeof(int) to be 4 but include padding bits.
+  static_assert(INT_MAX == INT32_MAX, "BoringSSL requires int be 32-bit");
+  static_assert(UINT_MAX == UINT32_MAX,
+                "BoringSSL requires unsigned be 32-bit");
 
   CheckRepresentation(static_cast<signed char>(127));
   CheckRepresentation(static_cast<signed char>(1));

crypto/evp_extra/internal.h

@@ -2,6 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
 #include <openssl/base.h>
+#include "../fipsmodule/evp/internal.h"
 
 typedef struct {
   // key is the concatenation of the private seed and public key. It is stored

crypto/fipsmodule/evp/internal.h

@@ -70,6 +70,9 @@ extern "C" {
 // |EVP_MD_CTX_set_pkey_ctx|.
 #define EVP_MD_CTX_FLAG_KEEP_PKEY_CTX   0x0400
 
+typedef struct evp_pkey_asn1_method_st EVP_PKEY_ASN1_METHOD;
+typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
+
 struct evp_pkey_asn1_method_st {
   int pkey_id;
   uint8_t oid[11];

crypto/fipsmodule/rand/ctrdrbg_test.cc

@@ -63,13 +63,11 @@ TEST(CTRDRBGTest, Basic) {
 TEST(CTRDRBGTest, Allocated) {
   const uint8_t kSeed[CTR_DRBG_ENTROPY_LEN] = {0};
 
-  CTR_DRBG_STATE *allocated = CTR_DRBG_new(kSeed, nullptr, 0);
+  bssl::UniquePtr<CTR_DRBG_STATE> allocated(CTR_DRBG_new(kSeed, nullptr, 0));
   ASSERT_TRUE(allocated);
-  CTR_DRBG_free(allocated);
 
-  allocated = CTR_DRBG_new(kSeed, nullptr, 1<<20);
+  allocated.reset(CTR_DRBG_new(kSeed, nullptr, 1<<20));
   ASSERT_FALSE(allocated);
-  CTR_DRBG_free(allocated);
 }
 
 TEST(CTRDRBGTest, Large) {

crypto/fipsmodule/sha/asm/sha1-x86_64.pl

@@ -393,6 +393,7 @@ sub BODY_40_59 {
 	lea		0x40($inp),%r8		# next input block
 	paddd		@MSG[0],$E
 	cmovne		%r8,$inp
+	prefetcht0	512($inp)
 	movdqa		$ABCD,$ABCD_SAVE	# offload $ABCD
 ___
 for($i=0;$i<20-4;$i+=2) {

crypto/perlasm/x86_64-xlate.pl

@@ -1029,6 +1029,27 @@
     }
 }
 { package directive;	# pick up directives, which start with .
+    my %sections;
+    sub nasm_section {
+	my ($name, $qualifiers) = @_;
+	my $ret = "section\t$name";
+	if (exists $sections{$name}) {
+	    # Work around https://bugzilla.nasm.us/show_bug.cgi?id=3392701. Only
+	    # emit section qualifiers the first time a section is referenced.
+	    # For all subsequent references, require the qualifiers match and
+	    # omit them.
+	    #
+	    # See also https://crbug.com/1422018 and b/270643835.
+	    my $old = $sections{$name};
+	    die "Inconsistent qualifiers: $qualifiers vs $old" if ($qualifiers ne "" && $qualifiers ne $old);
+	} else {
+	    $sections{$name} = $qualifiers;
+	    if ($qualifiers ne "") {
+		$ret .= " $qualifiers";
+	    }
+	}
+	return $ret;
+    }
     sub re {
 	my	($class, $line) = @_;
 	my	$self = {};
@@ -1137,7 +1158,7 @@
 	    SWITCH: for ($dir) {
 		/\.text/    && do { my $v=undef;
 				    if ($nasm) {
-					$v="section	.text code align=64\n";
+					$v=nasm_section(".text", "code align=64")."\n";
 				    } else {
 					$v="$current_segment\tENDS\n" if ($current_segment);
 					$current_segment = ".text\$";
@@ -1150,7 +1171,7 @@
 				  };
 		/\.data/    && do { my $v=undef;
 				    if ($nasm) {
-					$v="section	.data data align=8\n";
+					$v=nasm_section(".data", "data align=8")."\n";
 				    } else {
 					$v="$current_segment\tENDS\n" if ($current_segment);
 					$current_segment = "_DATA";
@@ -1164,13 +1185,14 @@
 				    $$line = ".CRT\$XCU" if ($$line eq ".init");
 				    $$line = ".rdata" if ($$line eq ".rodata");
 				    if ($nasm) {
-					$v="section	$$line";
+					my $qualifiers = "";
 					if ($$line=~/\.([prx])data/) {
-					    $v.=" rdata align=";
-					    $v.=$1 eq "p"? 4 : 8;
+					    $qualifiers = "rdata align=";
+					    $qualifiers .= $1 eq "p"? 4 : 8;
 					} elsif ($$line=~/\.CRT\$/i) {
-					    $v.=" rdata align=8";
+					    $qualifiers = "rdata align=8";
 					}
+					$v = nasm_section($$line, $qualifiers);
 				    } else {
 					$v="$current_segment\tENDS\n" if ($current_segment);
 					$v.="$$line\tSEGMENT";

crypto/x509/x509_test.cc

@@ -6093,3 +6093,83 @@ TEST(X509Test, AddUnserializableExtension) {
   ASSERT_TRUE(X509_EXTENSION_set_object(ext.get(), OBJ_nid2obj(NID_undef)));
   EXPECT_FALSE(X509_add_ext(x509.get(), ext.get(), /*loc=*/-1));
 }
+
+// Test that, when constructing an |X509_NAME|, names are sorted by DER order.
+TEST(X509Test, SortRDN) {
+  bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
+  ASSERT_TRUE(name);
+
+  auto append_entry_new_rdn = [&](const char *str) {
+    return X509_NAME_add_entry_by_NID(name.get(), NID_commonName, MBSTRING_ASC,
+                                      reinterpret_cast<const uint8_t *>(str),
+                                      strlen(str), /*loc=*/-1, /*set=*/0);
+  };
+  auto append_entry_prev_rdn = [&](const char *str) {
+    return X509_NAME_add_entry_by_NID(name.get(), NID_commonName, MBSTRING_ASC,
+                                      reinterpret_cast<const uint8_t *>(str),
+                                      strlen(str), /*loc=*/-1, /*set=*/-1);
+  };
+
+  // This is the sort order to expect.
+  ASSERT_TRUE(append_entry_new_rdn("A"));
+  ASSERT_TRUE(append_entry_prev_rdn("B"));
+  ASSERT_TRUE(append_entry_prev_rdn("AA"));
+  ASSERT_TRUE(append_entry_prev_rdn("AB"));
+
+  // The same RDN, with entries added in a different order.
+  ASSERT_TRUE(append_entry_new_rdn("AB"));
+  ASSERT_TRUE(append_entry_prev_rdn("AA"));
+  ASSERT_TRUE(append_entry_prev_rdn("B"));
+  ASSERT_TRUE(append_entry_prev_rdn("A"));
+
+  // The same RDN, with entries added in a different order.
+  ASSERT_TRUE(append_entry_new_rdn("A"));
+  ASSERT_TRUE(append_entry_prev_rdn("AA"));
+  ASSERT_TRUE(append_entry_prev_rdn("B"));
+  ASSERT_TRUE(append_entry_prev_rdn("AB"));
+
+  uint8_t *der = nullptr;
+  int der_len = i2d_X509_NAME(name.get(), &der);
+  ASSERT_GT(der_len, 0);
+  bssl::UniquePtr<uint8_t> free_der(der);
+
+  // SEQUENCE {
+  //   SET {
+  //     SEQUENCE {
+  //       # commonName
+  //       OBJECT_IDENTIFIER { 2.5.4.3 }
+  //       UTF8String { "A" }
+  //     }
+  //     SEQUENCE {
+  //       # commonName
+  //       OBJECT_IDENTIFIER { 2.5.4.3 }
+  //       UTF8String { "B" }
+  //     }
+  //     SEQUENCE {
+  //       # commonName
+  //       OBJECT_IDENTIFIER { 2.5.4.3 }
+  //       UTF8String { "AA" }
+  //     }
+  //     SEQUENCE {
+  //       # commonName
+  //       OBJECT_IDENTIFIER { 2.5.4.3 }
+  //       UTF8String { "AB" }
+  //     }
+  //   }
+  //   ...two more copies of the above SET...
+  // }
+  static uint8_t kExpected[] = {
+      0x30, 0x81, 0x84, 0x31, 0x2a, 0x30, 0x08, 0x06, 0x03, 0x55, 0x04, 0x03,
+      0x0c, 0x01, 0x41, 0x30, 0x08, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x01,
+      0x42, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x41, 0x41,
+      0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x41, 0x42, 0x31,
+      0x2a, 0x30, 0x08, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x01, 0x41, 0x30,
+      0x08, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x01, 0x42, 0x30, 0x09, 0x06,
+      0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x41, 0x41, 0x30, 0x09, 0x06, 0x03,
+      0x55, 0x04, 0x03, 0x0c, 0x02, 0x41, 0x42, 0x31, 0x2a, 0x30, 0x08, 0x06,
+      0x03, 0x55, 0x04, 0x03, 0x0c, 0x01, 0x41, 0x30, 0x08, 0x06, 0x03, 0x55,
+      0x04, 0x03, 0x0c, 0x01, 0x42, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03,
+      0x0c, 0x02, 0x41, 0x41, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
+      0x02, 0x41, 0x42};
+  EXPECT_EQ(Bytes(kExpected), Bytes(der, der_len));
+}