Upstream merge 2024 06 03 (aws#1621)

### Description of changes: 
Merging from Upstream considering commits
- then commits between
google/boringssl@5b6a9cf
(Dec 19, 2023) and
google/boringssl@1749dc9
(Jan 4 2023)

### Call-outs:
See internal document as well as "AWS-LC" notes inserted in some of the
commit messages for additions/deviations from the upstream commit.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

crypto/chacha/asm/chacha-armv4.pl

@@ -199,39 +199,14 @@ sub ROUND {
 .long	0x61707865,0x3320646e,0x79622d32,0x6b206574	@ endian-neutral
 .Lone:
 .long	1,0,0,0
-#if __ARM_MAX_ARCH__>=7
-.LOPENSSL_armcap:
-.word   OPENSSL_armcap_P-.Lsigma
-#else
-.word	-1
-#endif
 
-.globl	ChaCha20_ctr32
-.type	ChaCha20_ctr32,%function
+.globl	ChaCha20_ctr32_nohw
+.type	ChaCha20_ctr32_nohw,%function
 .align	5
-ChaCha20_ctr32:
-.LChaCha20_ctr32:
+ChaCha20_ctr32_nohw:
 	ldr	r12,[sp,#0]		@ pull pointer to counter and nonce
 	stmdb	sp!,{r0-r2,r4-r11,lr}
 	adr	r14,.Lsigma
-	cmp	r2,#0			@ len==0?
-#ifdef	__thumb2__
-	itt	eq
-#endif
-	addeq	sp,sp,#4*3
-	beq	.Lno_data
-#if __ARM_MAX_ARCH__>=7
-	cmp	r2,#192			@ test len
-	bls	.Lshort
-	ldr	r4,[r14,#32]
-	ldr	r4,[r14,r4]
-# ifdef	__APPLE__
-	ldr	r4,[r4]
-# endif
-	tst	r4,#ARMV7_NEON
-	bne	.LChaCha20_neon
-.Lshort:
-#endif
 	ldmia	r12,{r4-r7}		@ load counter and nonce
 	sub	sp,sp,#4*(16)		@ off-load area
 	stmdb	sp!,{r4-r7}		@ copy counter and nonce
@@ -624,9 +599,8 @@ sub ROUND {
 
 .Ldone:
 	add	sp,sp,#4*(32+3)
-.Lno_data:
 	ldmia	sp!,{r4-r11,pc}
-.size	ChaCha20_ctr32,.-ChaCha20_ctr32
+.size	ChaCha20_ctr32_nohw,.-ChaCha20_ctr32_nohw
 ___
 
 {{{
@@ -668,12 +642,12 @@ sub NEONROUND {
 .arch	armv7-a
 .fpu	neon
 
-.type	ChaCha20_neon,%function
+.globl	ChaCha20_ctr32_neon
+.type	ChaCha20_ctr32_neon,%function
 .align	5
-ChaCha20_neon:
+ChaCha20_ctr32_neon:
 	ldr		r12,[sp,#0]		@ pull pointer to counter and nonce
 	stmdb		sp!,{r0-r2,r4-r11,lr}
-.LChaCha20_neon:
 	adr		r14,.Lsigma
 	vstmdb		sp!,{d8-d15}		@ ABI spec says so
 	stmdb		sp!,{r0-r3}
@@ -1148,8 +1122,7 @@ sub NEONROUND {
 	vldmia		sp,{d8-d15}
 	add		sp,sp,#4*(16+3)
 	ldmia		sp!,{r4-r11,pc}
-.size	ChaCha20_neon,.-ChaCha20_neon
-.comm	OPENSSL_armcap_P,4,4
+.size	ChaCha20_ctr32_neon,.-ChaCha20_ctr32_neon
 #endif
 ___
 }}}

crypto/chacha/asm/chacha-armv8.pl

@@ -126,9 +126,6 @@ sub ROUND {
 $code.=<<___;
 #include <openssl/arm_arch.h>
 
-.extern	OPENSSL_armcap_P
-.hidden	OPENSSL_armcap_P
-
 .section .rodata
 
 .align	5
@@ -140,24 +137,10 @@ sub ROUND {
 
 .text
 
-.globl	ChaCha20_ctr32
-.type	ChaCha20_ctr32,%function
+.globl	ChaCha20_ctr32_nohw
+.type	ChaCha20_ctr32_nohw,%function
 .align	5
-ChaCha20_ctr32:
-	AARCH64_VALID_CALL_TARGET
-	cbz	$len,.Labort
-#if defined(OPENSSL_HWASAN) && __clang_major__ >= 10
-	adrp	@x[0],:pg_hi21_nc:OPENSSL_armcap_P
-#else
-	adrp	@x[0],:pg_hi21:OPENSSL_armcap_P
-#endif
-	cmp	$len,#192
-	b.lo	.Lshort
-	ldr	w17,[@x[0],:lo12:OPENSSL_armcap_P]
-	tst	w17,#ARMV7_NEON
-	b.ne	ChaCha20_neon
-
-.Lshort:
+ChaCha20_ctr32_nohw:
 	AARCH64_SIGN_LINK_REGISTER
 	stp	x29,x30,[sp,#-96]!
 	add	x29,sp,#0
@@ -280,7 +263,6 @@ sub ROUND {
 	ldp	x27,x28,[x29,#80]
 	ldp	x29,x30,[sp],#96
 	AARCH64_VALIDATE_LINK_REGISTER
-.Labort:
 	ret
 
 .align	4
@@ -338,7 +320,7 @@ sub ROUND {
 	ldp	x29,x30,[sp],#96
 	AARCH64_VALIDATE_LINK_REGISTER
 	ret
-.size	ChaCha20_ctr32,.-ChaCha20_ctr32
+.size	ChaCha20_ctr32_nohw,.-ChaCha20_ctr32_nohw
 ___
 
 {{{
@@ -379,9 +361,10 @@ sub NEONROUND {
 
 $code.=<<___;
 
-.type	ChaCha20_neon,%function
+.globl	ChaCha20_ctr32_neon
+.type	ChaCha20_ctr32_neon,%function
 .align	5
-ChaCha20_neon:
+ChaCha20_ctr32_neon:
 	AARCH64_SIGN_LINK_REGISTER
 	stp	x29,x30,[sp,#-96]!
 	add	x29,sp,#0
@@ -694,7 +677,7 @@ sub NEONROUND {
 	ldp	x29,x30,[sp],#96
 	AARCH64_VALIDATE_LINK_REGISTER
 	ret
-.size	ChaCha20_neon,.-ChaCha20_neon
+.size	ChaCha20_ctr32_neon,.-ChaCha20_ctr32_neon
 ___
 {
 my ($T0,$T1,$T2,$T3,$T4,$T5)=@K;

crypto/chacha/chacha.c

@@ -83,7 +83,22 @@ void CRYPTO_hchacha20(uint8_t out[32], const uint8_t key[32],
 #endif
 }
 
-#if defined(CHACHA20_ASM)
+#if defined(CHACHA20_ASM_NOHW)
+static void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len,
+                           const uint32_t key[8], const uint32_t counter[4]) {
+#if defined(CHACHA20_ASM_NEON)
+  if (ChaCha20_ctr32_neon_capable(in_len)) {
+    ChaCha20_ctr32_neon(out, in, in_len, key, counter);
+    return;
+  }
+#endif
+  if (in_len > 0) {
+    ChaCha20_ctr32_nohw(out, in, in_len, key, counter);
+  }
+}
+#endif
+
+#if defined(CHACHA20_ASM) || defined(CHACHA20_ASM_NOHW)
 
 void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
                       const uint8_t key[32], const uint8_t nonce[12],

crypto/chacha/chacha_test.cc

@@ -347,7 +347,25 @@ TEST(ChaChaTest, CounterOverflow) {
   }
 }
 
-#if defined(CHACHA20_ASM) && defined(SUPPORTS_ABI_TEST)
+#if defined(SUPPORTS_ABI_TEST)
+
+static void check_abi(uint8_t *out, const uint8_t *in, size_t in_len,
+                      const uint32_t key[8], const uint32_t counter[4]) {
+#if defined(CHACHA20_ASM)
+  CHECK_ABI(ChaCha20_ctr32, out, in, in_len, key, counter);
+#endif
+#if defined(CHACHA20_ASM_NEON)
+  if (ChaCha20_ctr32_neon_capable(in_len)) {
+    CHECK_ABI(ChaCha20_ctr32_neon, out, in, in_len, key, counter);
+  }
+#endif
+#if defined(CHACHA20_ASM_NOHW)
+  if (in_len > 0) {
+    CHECK_ABI(ChaCha20_ctr32_nohw, out, in, in_len, key, counter);
+  }
+#endif
+}
+
 TEST(ChaChaTest, ABI) {
   uint32_t key[8];
   OPENSSL_memcpy(key, kKey, sizeof(key));
@@ -357,14 +375,15 @@ TEST(ChaChaTest, ABI) {
   std::unique_ptr<uint8_t[]> buf(new uint8_t[sizeof(kInput)]);
   for (size_t len = 0; len <= 32; len++) {
     SCOPED_TRACE(len);
-    CHECK_ABI(ChaCha20_ctr32, buf.get(), kInput, len, key, kCounterNonce);
+    check_abi(buf.get(), kInput, len, key, kCounterNonce);
   }
 
   for (size_t len : {32 * 2, 32 * 4, 32 * 8, 32 * 16, 32 * 24}) {
     SCOPED_TRACE(len);
-    CHECK_ABI(ChaCha20_ctr32, buf.get(), kInput, len, key, kCounterNonce);
+    check_abi(buf.get(), kInput, len, key, kCounterNonce);
     // Cover the partial block paths.
-    CHECK_ABI(ChaCha20_ctr32, buf.get(), kInput, len + 15, key, kCounterNonce);
+    check_abi(buf.get(), kInput, len + 15, key, kCounterNonce);
   }
 }
-#endif  // CHACHA20_ASM && SUPPORTS_ABI_TEST
+
+#endif  // SUPPORTS_ABI_TEST

crypto/chacha/internal.h

@@ -17,6 +17,9 @@
 
 #include <openssl/base.h>
 
+#include "../fipsmodule/cpucap/internal.h"
+#include "../internal.h"
+
 #if defined(__cplusplus)
 extern "C" {
 #endif
@@ -27,11 +30,25 @@ extern "C" {
 void CRYPTO_hchacha20(uint8_t out[32], const uint8_t key[32],
                       const uint8_t nonce[16]);
 
-#if !defined(OPENSSL_NO_ASM) &&                         \
-    (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
-     defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
+#if !defined(OPENSSL_NO_ASM) && \
+    (defined(OPENSSL_X86) || defined(OPENSSL_X86_64))
+
 #define CHACHA20_ASM
 
+#elif !defined(OPENSSL_NO_ASM) && \
+    (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
+
+#define CHACHA20_ASM_NOHW
+
+#define CHACHA20_ASM_NEON
+OPENSSL_INLINE int ChaCha20_ctr32_neon_capable(size_t len) {
+  return (len >= 192) && CRYPTO_is_NEON_capable();
+}
+void ChaCha20_ctr32_neon(uint8_t *out, const uint8_t *in, size_t in_len,
+                         const uint32_t key[8], const uint32_t counter[4]);
+#endif
+
+#if defined(CHACHA20_ASM)
 // ChaCha20_ctr32 encrypts |in_len| bytes from |in| and writes the result to
 // |out|. If |in| and |out| alias, they must be equal.
 //
@@ -44,6 +61,12 @@ void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len,
                     const uint32_t key[8], const uint32_t counter[4]);
 #endif
 
+#if defined(CHACHA20_ASM_NOHW)
+// ChaCha20_ctr32_nohw is like |ChaCha20_ctr32| except |in_len| must be nonzero.
+void ChaCha20_ctr32_nohw(uint8_t *out, const uint8_t *in, size_t in_len,
+                         const uint32_t key[8], const uint32_t counter[4]);
+#endif
+
 
 #if defined(__cplusplus)
 }  // extern C

crypto/x509/internal.h

@@ -308,15 +308,13 @@ struct x509_store_st {
 
   // Callbacks for various operations
   X509_STORE_CTX_verify_cb verify_cb;       // error callback
-  X509_STORE_CTX_get_issuer_fn get_issuer;  // get issuers cert from ctx
   X509_STORE_CTX_get_crl_fn get_crl;        // retrieve CRL
   X509_STORE_CTX_check_crl_fn check_crl;    // Check CRL validity
 
   CRYPTO_refcount_t references;
   CRYPTO_EX_DATA ex_data;
 } /* X509_STORE */;
 
-
 // This is the functions plus an instance of the local variables.
 struct x509_lookup_st {
   const X509_LOOKUP_METHOD *method;  // the functions
@@ -337,11 +335,13 @@ struct x509_store_ctx_st {
   STACK_OF(X509_CRL) *crls;   // set of CRLs passed in
 
   X509_VERIFY_PARAM *param;
-  void *other_ctx;  // Other info for use with get_issuer()
+
+  // trusted_stack, if non-NULL, is a set of trusted certificates to consider
+  // instead of those from |X509_STORE|.
+  STACK_OF(X509) *trusted_stack;
 
   // Callbacks for various operations
   X509_STORE_CTX_verify_cb verify_cb;       // error callback
-  X509_STORE_CTX_get_issuer_fn get_issuer;  // get issuers cert from ctx
   X509_STORE_CTX_get_crl_fn get_crl;        // retrieve CRL
   X509_STORE_CTX_check_crl_fn check_crl;    // Check CRL validity
 
@@ -368,12 +368,6 @@ ASN1_TYPE *ASN1_generate_v3(const char *str, const X509V3_CTX *cnf);
 
 int X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent);
 
-// X509_PUBKEY_get0 decodes the public key in |key| and returns an |EVP_PKEY|
-// on success, or NULL on error. It is similar to |X509_PUBKEY_get|, but it
-// directly returns the reference to |pkey| of |key|. This means that the
-// caller must not free the result after use.
-EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key);
-
 int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int suppress_error);
 
 // RSA-PSS functions.

crypto/x509/t_req.c

@@ -80,7 +80,6 @@ int X509_REQ_print_fp(FILE *fp, X509_REQ *x) {
 int X509_REQ_print_ex(BIO *bio, X509_REQ *x, unsigned long nmflags,
                       unsigned long cflag) {
   long l;
-  EVP_PKEY *pkey;
   STACK_OF(X509_ATTRIBUTE) *sk;
   char mlch = ' ';
 
@@ -127,13 +126,12 @@ int X509_REQ_print_ex(BIO *bio, X509_REQ *x, unsigned long nmflags,
       goto err;
     }
 
-    pkey = X509_REQ_get_pubkey(x);
+    const EVP_PKEY *pkey = X509_REQ_get0_pubkey(x);
     if (pkey == NULL) {
       BIO_printf(bio, "%12sUnable to load Public Key\n", "");
       ERR_print_errors(bio);
     } else {
       EVP_PKEY_print_public(bio, pkey, 16, NULL);
-      EVP_PKEY_free(pkey);
     }
   }
 

crypto/x509/t_x509.c

@@ -212,13 +212,12 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
       return 0;
     }
 
-    EVP_PKEY *pkey = X509_get_pubkey(x);
+    const EVP_PKEY *pkey = X509_get0_pubkey(x);
     if (pkey == NULL) {
       BIO_printf(bp, "%12sUnable to load Public Key\n", "");
       ERR_print_errors(bp);
     } else {
       EVP_PKEY_print_public(bp, pkey, 16, NULL);
-      EVP_PKEY_free(pkey);
     }
   }
 

crypto/x509/v3_purp.c

@@ -399,9 +399,11 @@ int x509v3_cache_extensions(X509 *x) {
       break;
     }
   }
-  if (!x509_init_signature_info(x)) {
-    x->ex_flags |= EXFLAG_INVALID;
-  }
+
+  // Set x->sig_info. Errors here are ignored so that we emit similar errors
+  // to OpenSSL, instead of failing early.
+  (void)x509_init_signature_info(x);
+
   x->ex_flags |= EXFLAG_SET;
 
   CRYPTO_MUTEX_unlock_write(&x->lock);