Roll src/third_party/boringssl/src 7f4f41fa8..fb86b888e

https://boringssl.googlesource.com/boringssl/+log/7f4f41fa81c03e0f8ef1ab5b3d1d566b5968f107..fb86b888ef1c1265719208fd6c27a53ceb4920f7

BUG=none

Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: I5f9f8df83c33c9eb3787e4385c20e0f68a0d8335
Reviewed-on: https://chromium-review.googlesource.com/1246406
Commit-Queue: David Benjamin <davidben@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#594800}

DEPS

@@ -137,7 +137,7 @@ vars = {
   # Three lines of non-changing comments so that
   # the commit queue can handle CLs rolling BoringSSL
   # and whatever else without interference from each other.
-  'boringssl_revision': '7f4f41fa81c03e0f8ef1ab5b3d1d566b5968f107',
+  'boringssl_revision': 'fb86b888ef1c1265719208fd6c27a53ceb4920f7',
   # Three lines of non-changing comments so that
   # the commit queue can handle CLs rolling google-toolbox-for-mac
   # and whatever else without interference from each other.

net/ssl/ssl_config.cc

@@ -8,11 +8,13 @@
 
 namespace net {
 
+// Note these lines must be kept in sync with
+// services/network/public/mojom/ssl_config.mojom.
 const uint16_t kDefaultSSLVersionMin = SSL_PROTOCOL_VERSION_TLS1;
 
 const uint16_t kDefaultSSLVersionMax = SSL_PROTOCOL_VERSION_TLS1_2;
 
-const TLS13Variant kDefaultTLS13Variant = kTLS13VariantDraft23;
+const TLS13Variant kDefaultTLS13Variant = kTLS13VariantFinal;
 
 SSLConfig::CertAndStatus::CertAndStatus() = default;
 SSLConfig::CertAndStatus::CertAndStatus(scoped_refptr<X509Certificate> cert_arg,

services/network/public/mojom/ssl_config.mojom

@@ -26,11 +26,12 @@ struct SSLConfig {
   bool sha1_local_anchors_enabled = false;
   bool symantec_enforcement_disabled = false;
 
-  // SSL 2.0 and 3.0 are not supported.
+  // SSL 2.0 and 3.0 are not supported. Note these lines must be kept in sync
+  // with net/ssl/ssl_config.cc.
   SSLVersion version_min = kTLS1;
   SSLVersion version_max = kTLS12;
 
-  TLS13Variant tls13_variant = kDraft23;
+  TLS13Variant tls13_variant = kFinal;
 
   // Though cipher suites are sent in TLS as "uint8_t CipherSuite[2]", in
   // big-endian form, they should be declared in host byte order, with the

third_party/boringssl/BUILD.generated.gni

@@ -79,6 +79,7 @@ crypto_sources = [
   "src/crypto/cpu-aarch64-fuchsia.c",
   "src/crypto/cpu-aarch64-linux.c",
   "src/crypto/cpu-arm-linux.c",
+  "src/crypto/cpu-arm-linux.h",
   "src/crypto/cpu-arm.c",
   "src/crypto/cpu-intel.c",
   "src/crypto/cpu-ppc64le.c",
@@ -548,6 +549,7 @@ crypto_sources_win_x86_64 = [
 ]
 
 fuzzers = [
+  "arm_cpuinfo",
   "bn_div",
   "bn_mod_exp",
   "cert",

third_party/boringssl/BUILD.generated_tests.gni

@@ -36,6 +36,7 @@ crypto_test_sources = [
   "src/crypto/cmac/cmac_test.cc",
   "src/crypto/compiler_test.cc",
   "src/crypto/constant_time_test.cc",
+  "src/crypto/cpu-arm-linux_test.cc",
   "src/crypto/curve25519/ed25519_test.cc",
   "src/crypto/curve25519/spake25519_test.cc",
   "src/crypto/curve25519/x25519_test.cc",
@@ -65,6 +66,7 @@ crypto_test_sources = [
   "src/crypto/pkcs8/pkcs8_test.cc",
   "src/crypto/poly1305/poly1305_test.cc",
   "src/crypto/pool/pool_test.cc",
+  "src/crypto/rand_extra/rand_test.cc",
   "src/crypto/refcount_test.cc",
   "src/crypto/rsa_extra/rsa_test.cc",
   "src/crypto/self_test.cc",

third_party/boringssl/BUILD.gn

@@ -216,35 +216,43 @@ if (build_with_chromium) {
   }
 
   foreach(fuzzer, fuzzers) {
-    fuzzer_test("boringssl_${fuzzer}_fuzzer") {
-      sources = [
-        "src/fuzz/${fuzzer}.cc",
-        "src/ssl/test/fuzzer.h",
-        "src/ssl/test/fuzzer_tags.h",
-      ]
-      deps = [
-        ":boringssl_fuzzer",
-      ]
-      seed_corpus = "src/fuzz/${fuzzer}_corpus"
-
-      if ("cert" == fuzzer) {
-        libfuzzer_options = [ "max_len=3072" ]
-      } else if ("client" == fuzzer) {
-        libfuzzer_options = [ "max_len=20000" ]
-      } else if ("pkcs8" == fuzzer) {
-        libfuzzer_options = [ "max_len=2048" ]
-      } else if ("privkey" == fuzzer) {
-        libfuzzer_options = [ "max_len=2048" ]
-      } else if ("read_pem" == fuzzer) {
-        libfuzzer_options = [ "max_len=512" ]
-      } else if ("session" == fuzzer) {
-        libfuzzer_options = [ "max_len=8192" ]
-      } else if ("server" == fuzzer) {
-        libfuzzer_options = [ "max_len=4096" ]
-      } else if ("spki" == fuzzer) {
-        libfuzzer_options = [ "max_len=1024" ]
-      } else if ("ssl_ctx_api" == fuzzer) {
-        libfuzzer_options = [ "max_len=256" ]
+    # The arm_cpuinfo fuzzer depends on some internal symbols that are otherwise
+    # only used on ARM. But fuzzing infrastructure usually uses x86_64, so
+    # BoringSSL compiles them on all platforms and leaves them unexported so the
+    # static linker drops them. This works because fuzzers are usually
+    # statically linked. But Chromium builds fuzzers in all configurations, so
+    # we must exclude that fuzzer in the components build.
+    if (fuzzer != "arm_cpuinfo" || !is_component_build) {
+      fuzzer_test("boringssl_${fuzzer}_fuzzer") {
+        sources = [
+          "src/fuzz/${fuzzer}.cc",
+          "src/ssl/test/fuzzer.h",
+          "src/ssl/test/fuzzer_tags.h",
+        ]
+        deps = [
+          ":boringssl_fuzzer",
+        ]
+        seed_corpus = "src/fuzz/${fuzzer}_corpus"
+
+        if ("cert" == fuzzer) {
+          libfuzzer_options = [ "max_len=3072" ]
+        } else if ("client" == fuzzer) {
+          libfuzzer_options = [ "max_len=20000" ]
+        } else if ("pkcs8" == fuzzer) {
+          libfuzzer_options = [ "max_len=2048" ]
+        } else if ("privkey" == fuzzer) {
+          libfuzzer_options = [ "max_len=2048" ]
+        } else if ("read_pem" == fuzzer) {
+          libfuzzer_options = [ "max_len=512" ]
+        } else if ("session" == fuzzer) {
+          libfuzzer_options = [ "max_len=8192" ]
+        } else if ("server" == fuzzer) {
+          libfuzzer_options = [ "max_len=4096" ]
+        } else if ("spki" == fuzzer) {
+          libfuzzer_options = [ "max_len=1024" ]
+        } else if ("ssl_ctx_api" == fuzzer) {
+          libfuzzer_options = [ "max_len=256" ]
+        }
       }
     }
   }

third_party/boringssl/err_data.c

@@ -215,15 +215,16 @@ const uint32_t kOpenSSLReasonValues[] = {
     0x2c3eaff2,
     0x2c3f300a,
     0x2c3fb022,
-    0x2c40302f,
+    0x2c40304c,
     0x2c4091d0,
-    0x2c413040,
-    0x2c41b053,
+    0x2c41305d,
+    0x2c41b070,
     0x2c421196,
-    0x2c42b064,
+    0x2c42b081,
     0x2c430722,
     0x2c43afa5,
     0x2c442f16,
+    0x2c44b02f,
     0x30320000,
     0x30328015,
     0x3033001f,
@@ -642,69 +643,69 @@ const uint32_t kOpenSSLReasonValues[] = {
     0x4c41152c,
     0x4c4193af,
     0x4c421518,
-    0x50323076,
-    0x5032b085,
-    0x50333090,
-    0x5033b0a0,
-    0x503430b9,
-    0x5034b0d3,
-    0x503530e1,
-    0x5035b0f7,
-    0x50363109,
-    0x5036b11f,
-    0x50373138,
-    0x5037b14b,
-    0x50383163,
-    0x5038b174,
-    0x50393189,
-    0x5039b19d,
-    0x503a31bd,
-    0x503ab1d3,
-    0x503b31eb,
-    0x503bb1fd,
-    0x503c3219,
-    0x503cb230,
-    0x503d3249,
-    0x503db25f,
-    0x503e326c,
-    0x503eb282,
-    0x503f3294,
+    0x50323093,
+    0x5032b0a2,
+    0x503330ad,
+    0x5033b0bd,
+    0x503430d6,
+    0x5034b0f0,
+    0x503530fe,
+    0x5035b114,
+    0x50363126,
+    0x5036b13c,
+    0x50373155,
+    0x5037b168,
+    0x50383180,
+    0x5038b191,
+    0x503931a6,
+    0x5039b1ba,
+    0x503a31da,
+    0x503ab1f0,
+    0x503b3208,
+    0x503bb21a,
+    0x503c3236,
+    0x503cb24d,
+    0x503d3266,
+    0x503db27c,
+    0x503e3289,
+    0x503eb29f,
+    0x503f32b1,
     0x503f837b,
-    0x504032a7,
-    0x5040b2b7,
-    0x504132d1,
-    0x5041b2e0,
-    0x504232fa,
-    0x5042b317,
-    0x50433327,
-    0x5043b337,
-    0x50443346,
+    0x504032c4,
+    0x5040b2d4,
+    0x504132ee,
+    0x5041b2fd,
+    0x50423317,
+    0x5042b334,
+    0x50433344,
+    0x5043b354,
+    0x50443363,
     0x50448431,
-    0x5045335a,
-    0x5045b378,
-    0x5046338b,
-    0x5046b3a1,
-    0x504733b3,
-    0x5047b3c8,
-    0x504833ee,
-    0x5048b3fc,
-    0x5049340f,
-    0x5049b424,
-    0x504a343a,
-    0x504ab44a,
-    0x504b346a,
-    0x504bb47d,
-    0x504c34a0,
-    0x504cb4ce,
-    0x504d34e0,
-    0x504db4fd,
-    0x504e3518,
-    0x504eb534,
-    0x504f3546,
-    0x504fb55d,
-    0x5050356c,
+    0x50453377,
+    0x5045b395,
+    0x504633a8,
+    0x5046b3be,
+    0x504733d0,
+    0x5047b3e5,
+    0x5048340b,
+    0x5048b419,
+    0x5049342c,
+    0x5049b441,
+    0x504a3457,
+    0x504ab467,
+    0x504b3487,
+    0x504bb49a,
+    0x504c34bd,
+    0x504cb4eb,
+    0x504d34fd,
+    0x504db51a,
+    0x504e3535,
+    0x504eb551,
+    0x504f3563,
+    0x504fb57a,
+    0x50503589,
     0x505086f1,
-    0x5051357f,
+    0x5051359c,
     0x58320f52,
     0x68320f14,
     0x68328c6c,
@@ -1322,6 +1323,7 @@ const char kOpenSSLReasonStringData[] =
     "PUBLIC_KEY_DECODE_ERROR\0"
     "PUBLIC_KEY_ENCODE_ERROR\0"
     "SHOULD_RETRY\0"
+    "SIGNATURE_ALGORITHM_MISMATCH\0"
     "UNKNOWN_KEY_TYPE\0"
     "UNKNOWN_PURPOSE_ID\0"
     "UNKNOWN_TRUST_ID\0"

third_party/boringssl/ios-aarch64/crypto/chacha/chacha-armv8.S

@@ -1,3 +1,13 @@
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+#endif
+
+#if !defined(OPENSSL_NO_ASM)
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols_asm.h>
+#endif
 #include <openssl/arm_arch.h>
 
 .text
@@ -1967,3 +1977,4 @@ Ldone_512_neon:
 	ldp	x29,x30,[sp],#96
 	ret
 
+#endif  // !OPENSSL_NO_ASM

third_party/boringssl/ios-aarch64/crypto/fipsmodule/aesv8-armx64.S

@@ -1,3 +1,13 @@
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+#endif
+
+#if !defined(OPENSSL_NO_ASM)
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols_asm.h>
+#endif
 #include <openssl/arm_arch.h>
 
 #if __ARM_MAX_ARCH__>=7
@@ -751,3 +761,4 @@ Lctr32_done:
 	ret
 
 #endif
+#endif  // !OPENSSL_NO_ASM

third_party/boringssl/ios-aarch64/crypto/fipsmodule/armv8-mont.S

@@ -1,3 +1,13 @@
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+#endif
+
+#if !defined(OPENSSL_NO_ASM)
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols_asm.h>
+#endif
 .text
 
 .globl	_bn_mul_mont
@@ -1403,3 +1413,4 @@ Lmul4x_done:
 .byte	77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
 .align	2
 .align	4
+#endif  // !OPENSSL_NO_ASM

third_party/boringssl/ios-aarch64/crypto/fipsmodule/ghashv8-armx64.S

@@ -1,3 +1,13 @@
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+#endif
+
+#if !defined(OPENSSL_NO_ASM)
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols_asm.h>
+#endif
 #include <openssl/arm_arch.h>
 
 .text
@@ -229,3 +239,4 @@ Ldone_v8:
 .byte	71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
 .align	2
 .align	2
+#endif  // !OPENSSL_NO_ASM

third_party/boringssl/ios-aarch64/crypto/fipsmodule/sha1-armv8.S

@@ -1,3 +1,13 @@
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+#endif
+
+#if !defined(OPENSSL_NO_ASM)
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols_asm.h>
+#endif
 #include <openssl/arm_arch.h>
 
 .text
@@ -1220,3 +1230,4 @@ LOPENSSL_armcap_P:
 .align	2
 .align	2
 .comm	_OPENSSL_armcap_P,4,4
+#endif  // !OPENSSL_NO_ASM