Update BoringSSL to 54858b63c1d886f6c8d903d4a4f594f1485de189 (#47)

Package.swift

@@ -20,7 +20,7 @@
 // Sources/CCryptoBoringSSL directory. The source repository is at
 // https://boringssl.googlesource.com/boringssl.
 //
-// BoringSSL Commit: 53a17f55247101105ae35767d5c5a6c311843a8e
+// BoringSSL Commit: 54858b63c1d886f6c8d903d4a4f594f1485de189
 
 import PackageDescription
 

Sources/CCryptoBoringSSL/crypto/asn1/a_bitstr.c

@@ -70,7 +70,7 @@ int ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, unsigned char *d, int len)
     return M_ASN1_BIT_STRING_set(x, d, len);
 }
 
-int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
+int i2c_ASN1_BIT_STRING(const ASN1_BIT_STRING *a, unsigned char **pp)
 {
     int ret, j, bits, len;
     unsigned char *p, *d;
@@ -233,7 +233,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
     return (1);
 }
 
-int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n)
+int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n)
 {
     int w, v;
 
@@ -250,7 +250,7 @@ int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n)
  * which is not specified in 'flags', 1 otherwise.
  * 'len' is the length of 'flags'.
  */
-int ASN1_BIT_STRING_check(ASN1_BIT_STRING *a,
+int ASN1_BIT_STRING_check(const ASN1_BIT_STRING *a,
                           unsigned char *flags, int flags_len)
 {
     int i, ok;

Sources/CCryptoBoringSSL/crypto/asn1/a_enum.c

@@ -108,7 +108,7 @@ int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
     return (1);
 }
 
-long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
+long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a)
 {
     int neg = 0, i;
 
@@ -147,7 +147,7 @@ long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
     return r;
 }
 
-ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
+ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai)
 {
     ASN1_ENUMERATED *ret;
     int len, j;
@@ -183,7 +183,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
     return (NULL);
 }
 
-BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn)
+BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn)
 {
     BIGNUM *ret;
 

Sources/CCryptoBoringSSL/crypto/asn1/a_int.c

@@ -115,7 +115,7 @@ int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y)
  * followed by optional zeros isn't padded.
  */
 
-int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
+int i2c_ASN1_INTEGER(const ASN1_INTEGER *a, unsigned char **pp)
 {
     int pad = 0, ret, i, neg;
     unsigned char *p, *n, pb = 0;

Sources/CCryptoBoringSSL/crypto/asn1/a_object.c

@@ -66,7 +66,7 @@
 #include "../internal.h"
 
 
-int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
+int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp)
 {
     unsigned char *p, *allocated = NULL;
     int objsize;
@@ -98,12 +98,12 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
     return objsize;
 }
 
-int i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *a)
+int i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a)
 {
     return OBJ_obj2txt(buf, buf_len, a, 0);
 }
 
-int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
+int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a)
 {
     char buf[80], *p = buf;
     int i;

Sources/CCryptoBoringSSL/crypto/asn1/a_time.c

@@ -100,7 +100,7 @@ ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t,
     return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec);
 }
 
-int ASN1_TIME_check(ASN1_TIME *t)
+int ASN1_TIME_check(const ASN1_TIME *t)
 {
     if (t->type == V_ASN1_GENERALIZEDTIME)
         return ASN1_GENERALIZEDTIME_check(t);
@@ -110,7 +110,7 @@ int ASN1_TIME_check(ASN1_TIME *t)
 }
 
 /* Convert an ASN1_TIME structure to GeneralizedTime */
-ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t,
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *t,
                                                    ASN1_GENERALIZEDTIME **out)
 {
     ASN1_GENERALIZEDTIME *ret = NULL;

Sources/CCryptoBoringSSL/crypto/asn1/a_type.c

@@ -61,7 +61,7 @@
 #include <CCryptoBoringSSL_mem.h>
 #include <CCryptoBoringSSL_obj.h>
 
-int ASN1_TYPE_get(ASN1_TYPE *a)
+int ASN1_TYPE_get(const ASN1_TYPE *a)
 {
     if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL))
         return (a->type);

Sources/CCryptoBoringSSL/crypto/asn1/asn1_lib.c

@@ -430,7 +430,7 @@ void ASN1_STRING_length_set(ASN1_STRING *x, int len)
     return;
 }
 
-int ASN1_STRING_type(ASN1_STRING *x)
+int ASN1_STRING_type(const ASN1_STRING *x)
 {
     return M_ASN1_STRING_type(x);
 }

Sources/CCryptoBoringSSL/crypto/asn1/asn_pack.c

@@ -93,7 +93,7 @@ ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)
 
 /* Extract an ASN1 object from an ASN1_STRING */
 
-void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it)
+void *ASN1_item_unpack(const ASN1_STRING *oct, const ASN1_ITEM *it)
 {
     const unsigned char *p;
     void *ret;

Sources/CCryptoBoringSSL/crypto/asn1/f_enum.c

@@ -60,7 +60,7 @@
 
 /* Based on a_int.c: equivalent ENUMERATED functions */
 
-int i2a_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *a)
+int i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a)
 {
     int i, n = 0;
     static const char *h = "0123456789ABCDEF";

Sources/CCryptoBoringSSL/crypto/asn1/f_int.c

@@ -58,7 +58,7 @@
 
 #include <CCryptoBoringSSL_bio.h>
 
-int i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a)
+int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a)
 {
     int i, n = 0;
     static const char *h = "0123456789ABCDEF";

Sources/CCryptoBoringSSL/crypto/asn1/f_string.c

@@ -58,7 +58,7 @@
 
 #include <CCryptoBoringSSL_bio.h>
 
-int i2a_ASN1_STRING(BIO *bp, ASN1_STRING *a, int type)
+int i2a_ASN1_STRING(BIO *bp, const ASN1_STRING *a, int type)
 {
     int i, n = 0;
     static const char *h = "0123456789ABCDEF";

Sources/CCryptoBoringSSL/crypto/cipher_extra/tls_cbc.c

@@ -133,6 +133,7 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
   assert(orig_len >= in_len);
   assert(in_len >= md_size);
   assert(md_size <= EVP_MAX_MD_SIZE);
+  assert(md_size > 0);
 
   // scan_start contains the number of bytes that we can ignore because
   // the MAC's position can only vary by 255 bytes.

Sources/CCryptoBoringSSL/crypto/ec_extra/hash_to_curve.c

@@ -50,12 +50,10 @@
 
 // expand_message_xmd implements the operation described in section 5.3.1 of
 // draft-irtf-cfrg-hash-to-curve-07. It returns one on success and zero on
-// allocation failure or if |out_len| was too large. If |is_draft06| is one, it
-// implements the operation from draft-irtf-cfrg-hash-to-curve-06 instead.
+// allocation failure or if |out_len| was too large.
 static int expand_message_xmd(const EVP_MD *md, uint8_t *out, size_t out_len,
                               const uint8_t *msg, size_t msg_len,
-                              const uint8_t *dst, size_t dst_len,
-                              int is_draft06) {
+                              const uint8_t *dst, size_t dst_len) {
   int ret = 0;
   const size_t block_size = EVP_MD_block_size(md);
   const size_t md_size = EVP_MD_size(md);
@@ -88,9 +86,8 @@ static int expand_message_xmd(const EVP_MD *md, uint8_t *out, size_t out_len,
       !EVP_DigestUpdate(&ctx, kZeros, block_size) ||
       !EVP_DigestUpdate(&ctx, msg, msg_len) ||
       !EVP_DigestUpdate(&ctx, l_i_b_str_zero, sizeof(l_i_b_str_zero)) ||
-      (is_draft06 && !EVP_DigestUpdate(&ctx, &dst_len_u8, 1)) ||
       !EVP_DigestUpdate(&ctx, dst, dst_len) ||
-      (!is_draft06 && !EVP_DigestUpdate(&ctx, &dst_len_u8, 1)) ||
+      !EVP_DigestUpdate(&ctx, &dst_len_u8, 1) ||
       !EVP_DigestFinal_ex(&ctx, b_0, NULL)) {
     goto err;
   }
@@ -114,9 +111,8 @@ static int expand_message_xmd(const EVP_MD *md, uint8_t *out, size_t out_len,
     if (!EVP_DigestInit_ex(&ctx, md, NULL) ||
         !EVP_DigestUpdate(&ctx, b_i, md_size) ||
         !EVP_DigestUpdate(&ctx, &i, 1) ||
-        (is_draft06 && !EVP_DigestUpdate(&ctx, &dst_len_u8, 1)) ||
         !EVP_DigestUpdate(&ctx, dst, dst_len) ||
-        (!is_draft06 && !EVP_DigestUpdate(&ctx, &dst_len_u8, 1)) ||
+        !EVP_DigestUpdate(&ctx, &dst_len_u8, 1) ||
         !EVP_DigestFinal_ex(&ctx, b_i, NULL)) {
       goto err;
     }
@@ -175,12 +171,11 @@ static void big_endian_to_words(BN_ULONG *out, size_t num_words,
 static int hash_to_field2(const EC_GROUP *group, const EVP_MD *md,
                           EC_FELEM *out1, EC_FELEM *out2, const uint8_t *dst,
                           size_t dst_len, unsigned k, const uint8_t *msg,
-                          size_t msg_len, int is_draft06) {
+                          size_t msg_len) {
   size_t L;
   uint8_t buf[4 * EC_MAX_BYTES];
   if (!num_bytes_to_derive(&L, &group->field, k) ||
-      !expand_message_xmd(md, buf, 2 * L, msg, msg_len, dst, dst_len,
-                          is_draft06)) {
+      !expand_message_xmd(md, buf, 2 * L, msg, msg_len, dst, dst_len)) {
     return 0;
   }
   BN_ULONG words[2 * EC_MAX_WORDS];
@@ -196,12 +191,11 @@ static int hash_to_field2(const EC_GROUP *group, const EVP_MD *md,
 // group order rather than a field element. |k| is the security factor.
 static int hash_to_scalar(const EC_GROUP *group, const EVP_MD *md,
                           EC_SCALAR *out, const uint8_t *dst, size_t dst_len,
-                          unsigned k, const uint8_t *msg, size_t msg_len,
-                          int is_draft06) {
+                          unsigned k, const uint8_t *msg, size_t msg_len) {
   size_t L;
   uint8_t buf[EC_MAX_BYTES * 2];
   if (!num_bytes_to_derive(&L, &group->order, k) ||
-      !expand_message_xmd(md, buf, L, msg, msg_len, dst, dst_len, is_draft06)) {
+      !expand_message_xmd(md, buf, L, msg, msg_len, dst, dst_len)) {
     return 0;
   }
 
@@ -310,10 +304,9 @@ static int map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z,
 static int hash_to_curve(const EC_GROUP *group, const EVP_MD *md,
                          const EC_FELEM *Z, const EC_FELEM *c2, unsigned k,
                          EC_RAW_POINT *out, const uint8_t *dst, size_t dst_len,
-                         const uint8_t *msg, size_t msg_len, int is_draft06) {
+                         const uint8_t *msg, size_t msg_len) {
   EC_FELEM u0, u1;
-  if (!hash_to_field2(group, md, &u0, &u1, dst, dst_len, k, msg, msg_len,
-                      is_draft06)) {
+  if (!hash_to_field2(group, md, &u0, &u1, dst, dst_len, k, msg, msg_len)) {
     return 0;
   }
 
@@ -376,7 +369,7 @@ int ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
   ec_felem_neg(group, &Z, &Z);
 
   return hash_to_curve(group, EVP_sha512(), &Z, &c2, /*k=*/192, out, dst,
-                       dst_len, msg, msg_len, /*is_draft06=*/0);
+                       dst_len, msg, msg_len);
 }
 
 int ec_hash_to_scalar_p384_xmd_sha512_draft07(
@@ -388,38 +381,5 @@ int ec_hash_to_scalar_p384_xmd_sha512_draft07(
   }
 
   return hash_to_scalar(group, EVP_sha512(), out, dst, dst_len, /*k=*/192, msg,
-                        msg_len, /*is_draft06=*/0);
-}
-
-int ec_hash_to_curve_p521_xmd_sha512_sswu_draft06(
-    const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
-    size_t dst_len, const uint8_t *msg, size_t msg_len) {
-  // See section 8.3 of draft-irtf-cfrg-hash-to-curve-06.
-  if (EC_GROUP_get_curve_name(group) != NID_secp521r1) {
-    OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);
-    return 0;
-  }
-
-  // Z = -4, c2 = 8.
-  EC_FELEM Z, c2;
-  if (!felem_from_u8(group, &Z, 4) ||
-      !felem_from_u8(group, &c2, 8)) {
-    return 0;
-  }
-  ec_felem_neg(group, &Z, &Z);
-
-  return hash_to_curve(group, EVP_sha512(), &Z, &c2, /*k=*/256, out, dst,
-                       dst_len, msg, msg_len, /*is_draft06=*/1);
-}
-
-int ec_hash_to_scalar_p521_xmd_sha512_draft06(
-    const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len,
-    const uint8_t *msg, size_t msg_len) {
-  if (EC_GROUP_get_curve_name(group) != NID_secp521r1) {
-    OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);
-    return 0;
-  }
-
-  return hash_to_scalar(group, EVP_sha512(), out, dst, dst_len, /*k=*/256, msg,
-                        msg_len, /*is_draft06=*/1);
+                        msg_len);
 }

Sources/CCryptoBoringSSL/crypto/ec_extra/internal.h

@@ -48,28 +48,6 @@ OPENSSL_EXPORT int ec_hash_to_scalar_p384_xmd_sha512_draft07(
     const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len,
     const uint8_t *msg, size_t msg_len);
 
-// ec_hash_to_curve_p521_xmd_sha512_sswu_draft06 hashes |msg| to a point on
-// |group| and writes the result to |out|, implementing the
-// P521_XMD:SHA-512_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-06. It
-// returns one on success and zero on error.
-//
-// This function implements an older version of the draft and should not be used
-// in new code.
-OPENSSL_EXPORT int ec_hash_to_curve_p521_xmd_sha512_sswu_draft06(
-    const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t *dst,
-    size_t dst_len, const uint8_t *msg, size_t msg_len);
-
-// ec_hash_to_scalar_p521_xmd_sha512_draft06 hashes |msg| to a scalar on |group|
-// and writes the result to |out|, using the hash_to_field operation from the
-// P521_XMD:SHA-512_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-06, but
-// generating a value modulo the group order rather than a field element.
-//
-// This function implements an older version of the draft and should not be used
-// in new code.
-OPENSSL_EXPORT int ec_hash_to_scalar_p521_xmd_sha512_draft06(
-    const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len,
-    const uint8_t *msg, size_t msg_len);
-
 
 #if defined(__cplusplus)
 }  // extern C