delocation: large memory model support.

Large memory models on x86-64 allow the code/data of a shared object / executable to be larger than 2GiB. This is typically impossible because x86-64 code frequently uses int32 offsets from RIP. Consider the following program: int getpid(); int main() { return getpid(); } This is turned into the following assembly under a large memory model: .L0$pb: leaq .L0$pb(%rip), %rax movabsq $_GLOBAL_OFFSET_TABLE_-.L0$pb, %rcx addq %rax, %rcx movabsq $getpid@GOT, %rdx xorl %eax, %eax jmpq *(%rcx,%rdx) # TAILCALL And, with relocations: 0: 48 8d 05 f9 ff ff ff lea -0x7(%rip),%rax # 0 <main> 7: 48 b9 00 00 00 00 00 movabs $0x0,%rcx e: 00 00 00 9: R_X86_64_GOTPC64 _GLOBAL_OFFSET_TABLE_+0x9 11: 48 01 c1 add %rax,%rcx 14: 48 ba 00 00 00 00 00 movabs $0x0,%rdx 1b: 00 00 00 16: R_X86_64_GOT64 getpid 1e: 31 c0 xor %eax,%eax 20: ff 24 11 jmpq *(%rcx,%rdx,1) We can see that, in the large memory model, function calls involve loading the address of _GLOBAL_OFFSET_TABLE_ (using `movabs`, which takes a 64-bit immediate) and then indexing into it. Both cause relocations. If we link the binary and disassemble we get: 0000000000001120 <main>: 1120: 48 8d 05 f9 ff ff ff lea -0x7(%rip),%rax # 1120 <main> 1127: 48 b9 e0 2e 00 00 00 movabs $0x2ee0,%rcx 112e: 00 00 00 1131: 48 01 c1 add %rax,%rcx 1134: 48 ba d8 ff ff ff ff movabs $0xffffffffffffffd8,%rdx 113b: ff ff ff 113e: 31 c0 xor %eax,%eax 1140: ff 24 11 jmpq *(%rcx,%rdx,1) Thus the _GLOBAL_OFFSET_TABLE_ symbol is at 0x1120+0x2ee0 = 0x4000. That's the address of the .got.plt section. But the offset “into” the table is -0x40, putting it at 0x3fd8, in .got: Idx Name Size VMA LMA File off Algn 18 .got 00000030 0000000000003fd0 0000000000003fd0 00002fd0 2**3 19 .got.plt 00000018 0000000000004000 0000000000004000 00003000 2**3 And, indeed, there's a dynamic relocation to setup that address: OFFSET TYPE VALUE 0000000000003fd8 R_X86_64_GLOB_DAT getpid@GLIBC_2.2.5 Accessing data or BSS works the same: the address of the variable is stored relative to _GLOBAL_OFFSET_TABLE_. This is a bit of a pain because we want to delocate the module into a single .text segment so that it moves through linking unaltered. If we took the obvious path and built our own offset table then it would need to contain absolute addresses, but they are only available at runtime and .text segments aren't supposed to be run-time patched. (That's why .rela.dyn is a separate segment.) If we use a different segment then we have the same problem as with the original offset table: the offset to the segment is unknown when compiling the module. Trying to pattern match this two-step lookup to do extensive rewriting seems fragile: I'm sure the compilers will move things around and interleave other work in time, if they don't already. So, in order to handle movabs trying to load _GLOBAL_OFFSET_TABLE_ we define a symbol in the same segment, but outside of the hashed region of the module, that contains the offset from that position to _GLOBAL_OFFSET_TABLE_: .boringssl_got_delta: .quad _GLOBAL_OFFSET_TABLE_-.boringssl_got_delta Then a movabs of $_GLOBAL_OFFSET_TABLE_-.Lfoo turns into: movq .boringssl_got_delta(%rip), %destreg addq $.boringssl_got_delta-.Lfoo, %destreg This works because it's calculating _GLOBAL_OFFSET_TABLE_ - got_delta + (got_delta - .Lfoo) When that value is added to .Lfoo, as the original code will do, the correct address results. Also it doesn't need an extra register because we know that 32-bit offsets are sufficient for offsets within the module. As for the offsets within the offset table, we have to load them from locations outside of the hashed part of the module to get the relocations out of the way. Again, no extra registers are needed. Change-Id: I87b19a2f8886bd9f7ac538fd55754e526bcf3097 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/42324 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
Enforce presence of ALPN when QUIC is in use.
2020-08-10 23:46:33 +00:00 · 2020-07-30 16:41:06 +00:00 · 2020-07-29 21:19:25 +00:00 · 2020-07-29 19:27:59 +00:00 · 2020-07-28 18:16:41 +00:00 · 2020-07-28 15:36:02 +00:00
5800 changed files with 34580 additions and 282224 deletions
@@ -0,0 +1,11 @@
+BasedOnStyle: Google
+MaxEmptyLinesToKeep: 3
+AllowShortIfStatementsOnASingleLine: false
+AllowShortLoopsOnASingleLine: false
+DerivePointerAlignment: false
+PointerAlignment: Right
+# TODO(davidben): The default for Google style is now Regroup, but the default
+# IncludeCategories does not recognize <openssl/header.h>. We should
+# reconfigure IncludeCategories to match. For now, keep it at Preserve.
+IncludeBlocks: Preserve
+
@@ -1,165 +0,0 @@
-# Copyright (c) 2016, Google Inc.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-licenses(["notice"])
-
-exports_files(["LICENSE"])
-
-load(
-    ":BUILD.generated.bzl",
-    "crypto_headers",
-    "crypto_internal_headers",
-    "crypto_sources",
-    "crypto_sources_linux_x86_64",
-    "crypto_sources_linux_ppc64le",
-    "crypto_sources_mac_x86_64",
-    "fips_fragments",
-    "ssl_headers",
-    "ssl_internal_headers",
-    "ssl_sources",
-    "tool_sources",
-    "tool_headers",
-)
-
-config_setting(
-    name = "linux_x86_64",
-    values = {"cpu": "k8"},
-)
-
-config_setting(
-    name = "linux_ppc64le",
-    values = {"cpu": "ppc"},
-)
-
-config_setting(
-    name = "mac_x86_64",
-    values = {"cpu": "darwin"},
-)
-
-config_setting(
-    name = "windows_x86_64",
-    values = {"cpu": "x64_windows"},
-)
-
-config_setting(
-    name = "android",
-    values = {"crosstool_top": "//external:android/crosstool"}
-)
-
-posix_copts = [
-    # Assembler option --noexecstack adds .note.GNU-stack to each object to
-    # ensure that binaries can be built with non-executable stack.
-    "-Wa,--noexecstack",
-
-    # This is needed on Linux systems (at least) to get rwlock in pthread.
-    "-D_XOPEN_SOURCE=700",
-
-    # This list of warnings should match those in the top-level CMakeLists.txt.
-    "-Wall",
-    "-Werror",
-    "-Wformat=2",
-    "-Wsign-compare",
-    "-Wmissing-field-initializers",
-    "-Wwrite-strings",
-    "-Wshadow",
-    "-fno-common",
-
-    # Modern build environments should be able to set this to use atomic
-    # operations for reference counting rather than locks. However, it's
-    # known not to work on some Android builds.
-    # "-DOPENSSL_C11_ATOMIC",
-]
-
-boringssl_copts = select({
-    ":linux_x86_64": posix_copts,
-    ":linux_ppc64le": posix_copts,
-    ":mac_x86_64": posix_copts,
-    ":windows_x86_64": [
-        "-DWIN32_LEAN_AND_MEAN",
-        "-DOPENSSL_NO_ASM",
-    ],
-    "//conditions:default": ["-DOPENSSL_NO_ASM"],
-})
-
-crypto_sources_asm = select({
-    ":linux_x86_64": crypto_sources_linux_x86_64,
-    ":linux_ppc64le": crypto_sources_linux_ppc64le,
-    ":mac_x86_64": crypto_sources_mac_x86_64,
-    "//conditions:default": [],
-})
-
-# For C targets only (not C++), compile with C11 support.
-posix_copts_c11 = [
-    "-std=c11",
-    "-Wmissing-prototypes",
-    "-Wold-style-definition",
-    "-Wstrict-prototypes",
-]
-
-boringssl_copts_c11 = boringssl_copts + select({
-    ":linux_x86_64": posix_copts_c11,
-    ":linux_ppc64le": posix_copts_c11,
-    ":mac_x86_64": posix_copts_c11,
-    "//conditions:default": [],
-})
-
-# For C++ targets only (not C), compile with C++11 support.
-posix_copts_cxx = [
-    "-std=c++11",
-    "-Wmissing-declarations",
-]
-
-boringssl_copts_cxx = boringssl_copts + select({
-    ":linux_x86_64": posix_copts_cxx,
-    ":linux_ppc64le": posix_copts_cxx,
-    ":mac_x86_64": posix_copts_cxx,
-    "//conditions:default": [],
-})
-
-cc_library(
-    name = "crypto",
-    srcs = crypto_sources + crypto_internal_headers + crypto_sources_asm,
-    hdrs = crypto_headers + fips_fragments,
-    copts = boringssl_copts_c11,
-    includes = ["src/include"],
-    linkopts = select({
-        ":mac_x86_64": [],
-        # Android supports pthreads, but does not provide a libpthread
-        # to link against.
-        ":android": [],
-        ":windows_x86_64": ["-defaultlib:advapi32.lib"],
-        "//conditions:default": ["-lpthread"],
-    }),
-    visibility = ["//visibility:public"],
-)
-
-cc_library(
-    name = "ssl",
-    srcs = ssl_sources + ssl_internal_headers,
-    hdrs = ssl_headers,
-    copts = boringssl_copts_cxx,
-    includes = ["src/include"],
-    visibility = ["//visibility:public"],
-    deps = [
-        ":crypto",
-    ],
-)
-
-cc_binary(
-    name = "bssl",
-    srcs = tool_sources + tool_headers,
-    copts = boringssl_copts_cxx,
-    visibility = ["//visibility:public"],
-    deps = [":ssl"],
-)
@@ -1,678 +0,0 @@
-# This file is created by generate_build_files.py. Do not edit manually.
-
-ssl_headers = [
-    "src/include/openssl/dtls1.h",
-    "src/include/openssl/srtp.h",
-    "src/include/openssl/ssl.h",
-    "src/include/openssl/ssl3.h",
-    "src/include/openssl/tls1.h",
-]
-
-fips_fragments = [
-    "src/crypto/fipsmodule/aes/aes.c",
-    "src/crypto/fipsmodule/aes/aes_nohw.c",
-    "src/crypto/fipsmodule/aes/key_wrap.c",
-    "src/crypto/fipsmodule/aes/mode_wrappers.c",
-    "src/crypto/fipsmodule/bn/add.c",
-    "src/crypto/fipsmodule/bn/asm/x86_64-gcc.c",
-    "src/crypto/fipsmodule/bn/bn.c",
-    "src/crypto/fipsmodule/bn/bytes.c",
-    "src/crypto/fipsmodule/bn/cmp.c",
-    "src/crypto/fipsmodule/bn/ctx.c",
-    "src/crypto/fipsmodule/bn/div.c",
-    "src/crypto/fipsmodule/bn/div_extra.c",
-    "src/crypto/fipsmodule/bn/exponentiation.c",
-    "src/crypto/fipsmodule/bn/gcd.c",
-    "src/crypto/fipsmodule/bn/gcd_extra.c",
-    "src/crypto/fipsmodule/bn/generic.c",
-    "src/crypto/fipsmodule/bn/jacobi.c",
-    "src/crypto/fipsmodule/bn/montgomery.c",
-    "src/crypto/fipsmodule/bn/montgomery_inv.c",
-    "src/crypto/fipsmodule/bn/mul.c",
-    "src/crypto/fipsmodule/bn/prime.c",
-    "src/crypto/fipsmodule/bn/random.c",
-    "src/crypto/fipsmodule/bn/rsaz_exp.c",
-    "src/crypto/fipsmodule/bn/shift.c",
-    "src/crypto/fipsmodule/bn/sqrt.c",
-    "src/crypto/fipsmodule/cipher/aead.c",
-    "src/crypto/fipsmodule/cipher/cipher.c",
-    "src/crypto/fipsmodule/cipher/e_aes.c",
-    "src/crypto/fipsmodule/cipher/e_des.c",
-    "src/crypto/fipsmodule/des/des.c",
-    "src/crypto/fipsmodule/digest/digest.c",
-    "src/crypto/fipsmodule/digest/digests.c",
-    "src/crypto/fipsmodule/ec/ec.c",
-    "src/crypto/fipsmodule/ec/ec_key.c",
-    "src/crypto/fipsmodule/ec/ec_montgomery.c",
-    "src/crypto/fipsmodule/ec/felem.c",
-    "src/crypto/fipsmodule/ec/oct.c",
-    "src/crypto/fipsmodule/ec/p224-64.c",
-    "src/crypto/fipsmodule/ec/p256-x86_64.c",
-    "src/crypto/fipsmodule/ec/scalar.c",
-    "src/crypto/fipsmodule/ec/simple.c",
-    "src/crypto/fipsmodule/ec/simple_mul.c",
-    "src/crypto/fipsmodule/ec/util.c",
-    "src/crypto/fipsmodule/ec/wnaf.c",
-    "src/crypto/fipsmodule/ecdh/ecdh.c",
-    "src/crypto/fipsmodule/ecdsa/ecdsa.c",
-    "src/crypto/fipsmodule/hmac/hmac.c",
-    "src/crypto/fipsmodule/md4/md4.c",
-    "src/crypto/fipsmodule/md5/md5.c",
-    "src/crypto/fipsmodule/modes/cbc.c",
-    "src/crypto/fipsmodule/modes/cfb.c",
-    "src/crypto/fipsmodule/modes/ctr.c",
-    "src/crypto/fipsmodule/modes/gcm.c",
-    "src/crypto/fipsmodule/modes/gcm_nohw.c",
-    "src/crypto/fipsmodule/modes/ofb.c",
-    "src/crypto/fipsmodule/modes/polyval.c",
-    "src/crypto/fipsmodule/rand/ctrdrbg.c",
-    "src/crypto/fipsmodule/rand/rand.c",
-    "src/crypto/fipsmodule/rand/urandom.c",
-    "src/crypto/fipsmodule/rsa/blinding.c",
-    "src/crypto/fipsmodule/rsa/padding.c",
-    "src/crypto/fipsmodule/rsa/rsa.c",
-    "src/crypto/fipsmodule/rsa/rsa_impl.c",
-    "src/crypto/fipsmodule/self_check/self_check.c",
-    "src/crypto/fipsmodule/sha/sha1-altivec.c",
-    "src/crypto/fipsmodule/sha/sha1.c",
-    "src/crypto/fipsmodule/sha/sha256.c",
-    "src/crypto/fipsmodule/sha/sha512.c",
-    "src/crypto/fipsmodule/tls/kdf.c",
-    "src/third_party/fiat/p256.c",
-]
-
-ssl_internal_headers = [
-    "src/ssl/internal.h",
-]
-
-ssl_sources = [
-    "src/ssl/bio_ssl.cc",
-    "src/ssl/d1_both.cc",
-    "src/ssl/d1_lib.cc",
-    "src/ssl/d1_pkt.cc",
-    "src/ssl/d1_srtp.cc",
-    "src/ssl/dtls_method.cc",
-    "src/ssl/dtls_record.cc",
-    "src/ssl/handoff.cc",
-    "src/ssl/handshake.cc",
-    "src/ssl/handshake_client.cc",
-    "src/ssl/handshake_server.cc",
-    "src/ssl/s3_both.cc",
-    "src/ssl/s3_lib.cc",
-    "src/ssl/s3_pkt.cc",
-    "src/ssl/ssl_aead_ctx.cc",
-    "src/ssl/ssl_asn1.cc",
-    "src/ssl/ssl_buffer.cc",
-    "src/ssl/ssl_cert.cc",
-    "src/ssl/ssl_cipher.cc",
-    "src/ssl/ssl_file.cc",
-    "src/ssl/ssl_key_share.cc",
-    "src/ssl/ssl_lib.cc",
-    "src/ssl/ssl_privkey.cc",
-    "src/ssl/ssl_session.cc",
-    "src/ssl/ssl_stat.cc",
-    "src/ssl/ssl_transcript.cc",
-    "src/ssl/ssl_versions.cc",
-    "src/ssl/ssl_x509.cc",
-    "src/ssl/t1_enc.cc",
-    "src/ssl/t1_lib.cc",
-    "src/ssl/tls13_both.cc",
-    "src/ssl/tls13_client.cc",
-    "src/ssl/tls13_enc.cc",
-    "src/ssl/tls13_server.cc",
-    "src/ssl/tls_method.cc",
-    "src/ssl/tls_record.cc",
-]
-
-crypto_headers = [
-    "src/include/openssl/aead.h",
-    "src/include/openssl/aes.h",
-    "src/include/openssl/arm_arch.h",
-    "src/include/openssl/asn1.h",
-    "src/include/openssl/asn1_mac.h",
-    "src/include/openssl/asn1t.h",
-    "src/include/openssl/base.h",
-    "src/include/openssl/base64.h",
-    "src/include/openssl/bio.h",
-    "src/include/openssl/blowfish.h",
-    "src/include/openssl/bn.h",
-    "src/include/openssl/buf.h",
-    "src/include/openssl/buffer.h",
-    "src/include/openssl/bytestring.h",
-    "src/include/openssl/cast.h",
-    "src/include/openssl/chacha.h",
-    "src/include/openssl/cipher.h",
-    "src/include/openssl/cmac.h",
-    "src/include/openssl/conf.h",
-    "src/include/openssl/cpu.h",
-    "src/include/openssl/crypto.h",
-    "src/include/openssl/curve25519.h",
-    "src/include/openssl/des.h",
-    "src/include/openssl/dh.h",
-    "src/include/openssl/digest.h",
-    "src/include/openssl/dsa.h",
-    "src/include/openssl/e_os2.h",
-    "src/include/openssl/ec.h",
-    "src/include/openssl/ec_key.h",
-    "src/include/openssl/ecdh.h",
-    "src/include/openssl/ecdsa.h",
-    "src/include/openssl/engine.h",
-    "src/include/openssl/err.h",
-    "src/include/openssl/evp.h",
-    "src/include/openssl/ex_data.h",
-    "src/include/openssl/hkdf.h",
-    "src/include/openssl/hmac.h",
-    "src/include/openssl/hrss.h",
-    "src/include/openssl/is_boringssl.h",
-    "src/include/openssl/lhash.h",
-    "src/include/openssl/md4.h",
-    "src/include/openssl/md5.h",
-    "src/include/openssl/mem.h",
-    "src/include/openssl/nid.h",
-    "src/include/openssl/obj.h",
-    "src/include/openssl/obj_mac.h",
-    "src/include/openssl/objects.h",
-    "src/include/openssl/opensslconf.h",
-    "src/include/openssl/opensslv.h",
-    "src/include/openssl/ossl_typ.h",
-    "src/include/openssl/pem.h",
-    "src/include/openssl/pkcs12.h",
-    "src/include/openssl/pkcs7.h",
-    "src/include/openssl/pkcs8.h",
-    "src/include/openssl/poly1305.h",
-    "src/include/openssl/pool.h",
-    "src/include/openssl/rand.h",
-    "src/include/openssl/rc4.h",
-    "src/include/openssl/ripemd.h",
-    "src/include/openssl/rsa.h",
-    "src/include/openssl/safestack.h",
-    "src/include/openssl/sha.h",
-    "src/include/openssl/siphash.h",
-    "src/include/openssl/span.h",
-    "src/include/openssl/stack.h",
-    "src/include/openssl/thread.h",
-    "src/include/openssl/type_check.h",
-    "src/include/openssl/x509.h",
-    "src/include/openssl/x509_vfy.h",
-    "src/include/openssl/x509v3.h",
-]
-
-crypto_internal_headers = [
-    "src/crypto/asn1/asn1_locl.h",
-    "src/crypto/bio/internal.h",
-    "src/crypto/bytestring/internal.h",
-    "src/crypto/chacha/internal.h",
-    "src/crypto/cipher_extra/internal.h",
-    "src/crypto/conf/conf_def.h",
-    "src/crypto/conf/internal.h",
-    "src/crypto/cpu-arm-linux.h",
-    "src/crypto/err/internal.h",
-    "src/crypto/evp/internal.h",
-    "src/crypto/fipsmodule/aes/internal.h",
-    "src/crypto/fipsmodule/bn/internal.h",
-    "src/crypto/fipsmodule/bn/rsaz_exp.h",
-    "src/crypto/fipsmodule/cipher/internal.h",
-    "src/crypto/fipsmodule/delocate.h",
-    "src/crypto/fipsmodule/des/internal.h",
-    "src/crypto/fipsmodule/digest/internal.h",
-    "src/crypto/fipsmodule/digest/md32_common.h",
-    "src/crypto/fipsmodule/ec/internal.h",
-    "src/crypto/fipsmodule/ec/p256-x86_64-table.h",
-    "src/crypto/fipsmodule/ec/p256-x86_64.h",
-    "src/crypto/fipsmodule/md5/internal.h",
-    "src/crypto/fipsmodule/modes/internal.h",
-    "src/crypto/fipsmodule/rand/internal.h",
-    "src/crypto/fipsmodule/rsa/internal.h",
-    "src/crypto/fipsmodule/sha/internal.h",
-    "src/crypto/fipsmodule/tls/internal.h",
-    "src/crypto/hrss/internal.h",
-    "src/crypto/internal.h",
-    "src/crypto/obj/obj_dat.h",
-    "src/crypto/pkcs7/internal.h",
-    "src/crypto/pkcs8/internal.h",
-    "src/crypto/poly1305/internal.h",
-    "src/crypto/pool/internal.h",
-    "src/crypto/x509/charmap.h",
-    "src/crypto/x509/internal.h",
-    "src/crypto/x509/vpm_int.h",
-    "src/crypto/x509v3/ext_dat.h",
-    "src/crypto/x509v3/internal.h",
-    "src/crypto/x509v3/pcy_int.h",
-    "src/third_party/fiat/curve25519_32.h",
-    "src/third_party/fiat/curve25519_64.h",
-    "src/third_party/fiat/curve25519_tables.h",
-    "src/third_party/fiat/internal.h",
-    "src/third_party/fiat/p256_32.h",
-    "src/third_party/fiat/p256_64.h",
-]
-
-crypto_sources = [
-    "err_data.c",
-    "src/crypto/asn1/a_bitstr.c",
-    "src/crypto/asn1/a_bool.c",
-    "src/crypto/asn1/a_d2i_fp.c",
-    "src/crypto/asn1/a_dup.c",
-    "src/crypto/asn1/a_enum.c",
-    "src/crypto/asn1/a_gentm.c",
-    "src/crypto/asn1/a_i2d_fp.c",
-    "src/crypto/asn1/a_int.c",
-    "src/crypto/asn1/a_mbstr.c",
-    "src/crypto/asn1/a_object.c",
-    "src/crypto/asn1/a_octet.c",
-    "src/crypto/asn1/a_print.c",
-    "src/crypto/asn1/a_strnid.c",
-    "src/crypto/asn1/a_time.c",
-    "src/crypto/asn1/a_type.c",
-    "src/crypto/asn1/a_utctm.c",
-    "src/crypto/asn1/a_utf8.c",
-    "src/crypto/asn1/asn1_lib.c",
-    "src/crypto/asn1/asn1_par.c",
-    "src/crypto/asn1/asn_pack.c",
-    "src/crypto/asn1/f_enum.c",
-    "src/crypto/asn1/f_int.c",
-    "src/crypto/asn1/f_string.c",
-    "src/crypto/asn1/tasn_dec.c",
-    "src/crypto/asn1/tasn_enc.c",
-    "src/crypto/asn1/tasn_fre.c",
-    "src/crypto/asn1/tasn_new.c",
-    "src/crypto/asn1/tasn_typ.c",
-    "src/crypto/asn1/tasn_utl.c",
-    "src/crypto/asn1/time_support.c",
-    "src/crypto/base64/base64.c",
-    "src/crypto/bio/bio.c",
-    "src/crypto/bio/bio_mem.c",
-    "src/crypto/bio/connect.c",
-    "src/crypto/bio/fd.c",
-    "src/crypto/bio/file.c",
-    "src/crypto/bio/hexdump.c",
-    "src/crypto/bio/pair.c",
-    "src/crypto/bio/printf.c",
-    "src/crypto/bio/socket.c",
-    "src/crypto/bio/socket_helper.c",
-    "src/crypto/bn_extra/bn_asn1.c",
-    "src/crypto/bn_extra/convert.c",
-    "src/crypto/buf/buf.c",
-    "src/crypto/bytestring/asn1_compat.c",
-    "src/crypto/bytestring/ber.c",
-    "src/crypto/bytestring/cbb.c",
-    "src/crypto/bytestring/cbs.c",
-    "src/crypto/bytestring/unicode.c",
-    "src/crypto/chacha/chacha.c",
-    "src/crypto/cipher_extra/cipher_extra.c",
-    "src/crypto/cipher_extra/derive_key.c",
-    "src/crypto/cipher_extra/e_aesccm.c",
-    "src/crypto/cipher_extra/e_aesctrhmac.c",
-    "src/crypto/cipher_extra/e_aesgcmsiv.c",
-    "src/crypto/cipher_extra/e_chacha20poly1305.c",
-    "src/crypto/cipher_extra/e_null.c",
-    "src/crypto/cipher_extra/e_rc2.c",
-    "src/crypto/cipher_extra/e_rc4.c",
-    "src/crypto/cipher_extra/e_tls.c",
-    "src/crypto/cipher_extra/tls_cbc.c",
-    "src/crypto/cmac/cmac.c",
-    "src/crypto/conf/conf.c",
-    "src/crypto/cpu-aarch64-fuchsia.c",
-    "src/crypto/cpu-aarch64-linux.c",
-    "src/crypto/cpu-arm-linux.c",
-    "src/crypto/cpu-arm.c",
-    "src/crypto/cpu-intel.c",
-    "src/crypto/cpu-ppc64le.c",
-    "src/crypto/crypto.c",
-    "src/crypto/curve25519/spake25519.c",
-    "src/crypto/dh/check.c",
-    "src/crypto/dh/dh.c",
-    "src/crypto/dh/dh_asn1.c",
-    "src/crypto/dh/params.c",
-    "src/crypto/digest_extra/digest_extra.c",
-    "src/crypto/dsa/dsa.c",
-    "src/crypto/dsa/dsa_asn1.c",
-    "src/crypto/ec_extra/ec_asn1.c",
-    "src/crypto/ec_extra/ec_derive.c",
-    "src/crypto/ecdh_extra/ecdh_extra.c",
-    "src/crypto/ecdsa_extra/ecdsa_asn1.c",
-    "src/crypto/engine/engine.c",
-    "src/crypto/err/err.c",
-    "src/crypto/evp/digestsign.c",
-    "src/crypto/evp/evp.c",
-    "src/crypto/evp/evp_asn1.c",
-    "src/crypto/evp/evp_ctx.c",
-    "src/crypto/evp/p_dsa_asn1.c",
-    "src/crypto/evp/p_ec.c",
-    "src/crypto/evp/p_ec_asn1.c",
-    "src/crypto/evp/p_ed25519.c",
-    "src/crypto/evp/p_ed25519_asn1.c",
-    "src/crypto/evp/p_rsa.c",
-    "src/crypto/evp/p_rsa_asn1.c",
-    "src/crypto/evp/p_x25519.c",
-    "src/crypto/evp/p_x25519_asn1.c",
-    "src/crypto/evp/pbkdf.c",
-    "src/crypto/evp/print.c",
-    "src/crypto/evp/scrypt.c",
-    "src/crypto/evp/sign.c",
-    "src/crypto/ex_data.c",
-    "src/crypto/fipsmodule/bcm.c",
-    "src/crypto/fipsmodule/fips_shared_support.c",
-    "src/crypto/fipsmodule/is_fips.c",
-    "src/crypto/hkdf/hkdf.c",
-    "src/crypto/hrss/hrss.c",
-    "src/crypto/lhash/lhash.c",
-    "src/crypto/mem.c",
-    "src/crypto/obj/obj.c",
-    "src/crypto/obj/obj_xref.c",
-    "src/crypto/pem/pem_all.c",
-    "src/crypto/pem/pem_info.c",
-    "src/crypto/pem/pem_lib.c",
-    "src/crypto/pem/pem_oth.c",
-    "src/crypto/pem/pem_pk8.c",
-    "src/crypto/pem/pem_pkey.c",
-    "src/crypto/pem/pem_x509.c",
-    "src/crypto/pem/pem_xaux.c",
-    "src/crypto/pkcs7/pkcs7.c",
-    "src/crypto/pkcs7/pkcs7_x509.c",
-    "src/crypto/pkcs8/p5_pbev2.c",
-    "src/crypto/pkcs8/pkcs8.c",
-    "src/crypto/pkcs8/pkcs8_x509.c",
-    "src/crypto/poly1305/poly1305.c",
-    "src/crypto/poly1305/poly1305_arm.c",
-    "src/crypto/poly1305/poly1305_vec.c",
-    "src/crypto/pool/pool.c",
-    "src/crypto/rand_extra/deterministic.c",
-    "src/crypto/rand_extra/forkunsafe.c",
-    "src/crypto/rand_extra/fuchsia.c",
-    "src/crypto/rand_extra/rand_extra.c",
-    "src/crypto/rand_extra/windows.c",
-    "src/crypto/rc4/rc4.c",
-    "src/crypto/refcount_c11.c",
-    "src/crypto/refcount_lock.c",
-    "src/crypto/rsa_extra/rsa_asn1.c",
-    "src/crypto/rsa_extra/rsa_print.c",
-    "src/crypto/siphash/siphash.c",
-    "src/crypto/stack/stack.c",
-    "src/crypto/thread.c",
-    "src/crypto/thread_none.c",
-    "src/crypto/thread_pthread.c",
-    "src/crypto/thread_win.c",
-    "src/crypto/x509/a_digest.c",
-    "src/crypto/x509/a_sign.c",
-    "src/crypto/x509/a_strex.c",
-    "src/crypto/x509/a_verify.c",
-    "src/crypto/x509/algorithm.c",
-    "src/crypto/x509/asn1_gen.c",
-    "src/crypto/x509/by_dir.c",
-    "src/crypto/x509/by_file.c",
-    "src/crypto/x509/i2d_pr.c",
-    "src/crypto/x509/rsa_pss.c",
-    "src/crypto/x509/t_crl.c",
-    "src/crypto/x509/t_req.c",
-    "src/crypto/x509/t_x509.c",
-    "src/crypto/x509/t_x509a.c",
-    "src/crypto/x509/x509.c",
-    "src/crypto/x509/x509_att.c",
-    "src/crypto/x509/x509_cmp.c",
-    "src/crypto/x509/x509_d2.c",
-    "src/crypto/x509/x509_def.c",
-    "src/crypto/x509/x509_ext.c",
-    "src/crypto/x509/x509_lu.c",
-    "src/crypto/x509/x509_obj.c",
-    "src/crypto/x509/x509_r2x.c",
-    "src/crypto/x509/x509_req.c",
-    "src/crypto/x509/x509_set.c",
-    "src/crypto/x509/x509_trs.c",
-    "src/crypto/x509/x509_txt.c",
-    "src/crypto/x509/x509_v3.c",
-    "src/crypto/x509/x509_vfy.c",
-    "src/crypto/x509/x509_vpm.c",
-    "src/crypto/x509/x509cset.c",
-    "src/crypto/x509/x509name.c",
-    "src/crypto/x509/x509rset.c",
-    "src/crypto/x509/x509spki.c",
-    "src/crypto/x509/x_algor.c",
-    "src/crypto/x509/x_all.c",
-    "src/crypto/x509/x_attrib.c",
-    "src/crypto/x509/x_crl.c",
-    "src/crypto/x509/x_exten.c",
-    "src/crypto/x509/x_info.c",
-    "src/crypto/x509/x_name.c",
-    "src/crypto/x509/x_pkey.c",
-    "src/crypto/x509/x_pubkey.c",
-    "src/crypto/x509/x_req.c",
-    "src/crypto/x509/x_sig.c",
-    "src/crypto/x509/x_spki.c",
-    "src/crypto/x509/x_val.c",
-    "src/crypto/x509/x_x509.c",
-    "src/crypto/x509/x_x509a.c",
-    "src/crypto/x509v3/pcy_cache.c",
-    "src/crypto/x509v3/pcy_data.c",
-    "src/crypto/x509v3/pcy_lib.c",
-    "src/crypto/x509v3/pcy_map.c",
-    "src/crypto/x509v3/pcy_node.c",
-    "src/crypto/x509v3/pcy_tree.c",
-    "src/crypto/x509v3/v3_akey.c",
-    "src/crypto/x509v3/v3_akeya.c",
-    "src/crypto/x509v3/v3_alt.c",
-    "src/crypto/x509v3/v3_bcons.c",
-    "src/crypto/x509v3/v3_bitst.c",
-    "src/crypto/x509v3/v3_conf.c",
-    "src/crypto/x509v3/v3_cpols.c",
-    "src/crypto/x509v3/v3_crld.c",
-    "src/crypto/x509v3/v3_enum.c",
-    "src/crypto/x509v3/v3_extku.c",
-    "src/crypto/x509v3/v3_genn.c",
-    "src/crypto/x509v3/v3_ia5.c",
-    "src/crypto/x509v3/v3_info.c",
-    "src/crypto/x509v3/v3_int.c",
-    "src/crypto/x509v3/v3_lib.c",
-    "src/crypto/x509v3/v3_ncons.c",
-    "src/crypto/x509v3/v3_ocsp.c",
-    "src/crypto/x509v3/v3_pci.c",
-    "src/crypto/x509v3/v3_pcia.c",
-    "src/crypto/x509v3/v3_pcons.c",
-    "src/crypto/x509v3/v3_pku.c",
-    "src/crypto/x509v3/v3_pmaps.c",
-    "src/crypto/x509v3/v3_prn.c",
-    "src/crypto/x509v3/v3_purp.c",
-    "src/crypto/x509v3/v3_skey.c",
-    "src/crypto/x509v3/v3_sxnet.c",
-    "src/crypto/x509v3/v3_utl.c",
-    "src/third_party/fiat/curve25519.c",
-]
-
-tool_sources = [
-    "src/tool/args.cc",
-    "src/tool/ciphers.cc",
-    "src/tool/client.cc",
-    "src/tool/const.cc",
-    "src/tool/digest.cc",
-    "src/tool/file.cc",
-    "src/tool/generate_ed25519.cc",
-    "src/tool/genrsa.cc",
-    "src/tool/pkcs12.cc",
-    "src/tool/rand.cc",
-    "src/tool/server.cc",
-    "src/tool/sign.cc",
-    "src/tool/speed.cc",
-    "src/tool/tool.cc",
-    "src/tool/transport_common.cc",
-]
-
-tool_headers = [
-    "src/tool/internal.h",
-    "src/tool/transport_common.h",
-]
-
-crypto_sources_ios_aarch64 = [
-    "ios-aarch64/crypto/chacha/chacha-armv8.S",
-    "ios-aarch64/crypto/fipsmodule/aesv8-armx64.S",
-    "ios-aarch64/crypto/fipsmodule/armv8-mont.S",
-    "ios-aarch64/crypto/fipsmodule/ghash-neon-armv8.S",
-    "ios-aarch64/crypto/fipsmodule/ghashv8-armx64.S",
-    "ios-aarch64/crypto/fipsmodule/sha1-armv8.S",
-    "ios-aarch64/crypto/fipsmodule/sha256-armv8.S",
-    "ios-aarch64/crypto/fipsmodule/sha512-armv8.S",
-    "ios-aarch64/crypto/fipsmodule/vpaes-armv8.S",
-    "ios-aarch64/crypto/test/trampoline-armv8.S",
-]
-
-crypto_sources_ios_arm = [
-    "ios-arm/crypto/chacha/chacha-armv4.S",
-    "ios-arm/crypto/fipsmodule/aesv8-armx32.S",
-    "ios-arm/crypto/fipsmodule/armv4-mont.S",
-    "ios-arm/crypto/fipsmodule/bsaes-armv7.S",
-    "ios-arm/crypto/fipsmodule/ghash-armv4.S",
-    "ios-arm/crypto/fipsmodule/ghashv8-armx32.S",
-    "ios-arm/crypto/fipsmodule/sha1-armv4-large.S",
-    "ios-arm/crypto/fipsmodule/sha256-armv4.S",
-    "ios-arm/crypto/fipsmodule/sha512-armv4.S",
-    "ios-arm/crypto/fipsmodule/vpaes-armv7.S",
-    "ios-arm/crypto/test/trampoline-armv4.S",
-]
-
-crypto_sources_linux_aarch64 = [
-    "linux-aarch64/crypto/chacha/chacha-armv8.S",
-    "linux-aarch64/crypto/fipsmodule/aesv8-armx64.S",
-    "linux-aarch64/crypto/fipsmodule/armv8-mont.S",
-    "linux-aarch64/crypto/fipsmodule/ghash-neon-armv8.S",
-    "linux-aarch64/crypto/fipsmodule/ghashv8-armx64.S",
-    "linux-aarch64/crypto/fipsmodule/sha1-armv8.S",
-    "linux-aarch64/crypto/fipsmodule/sha256-armv8.S",
-    "linux-aarch64/crypto/fipsmodule/sha512-armv8.S",
-    "linux-aarch64/crypto/fipsmodule/vpaes-armv8.S",
-    "linux-aarch64/crypto/test/trampoline-armv8.S",
-]
-
-crypto_sources_linux_arm = [
-    "linux-arm/crypto/chacha/chacha-armv4.S",
-    "linux-arm/crypto/fipsmodule/aesv8-armx32.S",
-    "linux-arm/crypto/fipsmodule/armv4-mont.S",
-    "linux-arm/crypto/fipsmodule/bsaes-armv7.S",
-    "linux-arm/crypto/fipsmodule/ghash-armv4.S",
-    "linux-arm/crypto/fipsmodule/ghashv8-armx32.S",
-    "linux-arm/crypto/fipsmodule/sha1-armv4-large.S",
-    "linux-arm/crypto/fipsmodule/sha256-armv4.S",
-    "linux-arm/crypto/fipsmodule/sha512-armv4.S",
-    "linux-arm/crypto/fipsmodule/vpaes-armv7.S",
-    "linux-arm/crypto/test/trampoline-armv4.S",
-    "src/crypto/curve25519/asm/x25519-asm-arm.S",
-    "src/crypto/poly1305/poly1305_arm_asm.S",
-]
-
-crypto_sources_linux_ppc64le = [
-    "linux-ppc64le/crypto/fipsmodule/aesp8-ppc.S",
-    "linux-ppc64le/crypto/fipsmodule/ghashp8-ppc.S",
-    "linux-ppc64le/crypto/test/trampoline-ppc.S",
-]
-
-crypto_sources_linux_x86 = [
-    "linux-x86/crypto/chacha/chacha-x86.S",
-    "linux-x86/crypto/fipsmodule/aesni-x86.S",
-    "linux-x86/crypto/fipsmodule/bn-586.S",
-    "linux-x86/crypto/fipsmodule/co-586.S",
-    "linux-x86/crypto/fipsmodule/ghash-ssse3-x86.S",
-    "linux-x86/crypto/fipsmodule/ghash-x86.S",
-    "linux-x86/crypto/fipsmodule/md5-586.S",
-    "linux-x86/crypto/fipsmodule/sha1-586.S",
-    "linux-x86/crypto/fipsmodule/sha256-586.S",
-    "linux-x86/crypto/fipsmodule/sha512-586.S",
-    "linux-x86/crypto/fipsmodule/vpaes-x86.S",
-    "linux-x86/crypto/fipsmodule/x86-mont.S",
-    "linux-x86/crypto/test/trampoline-x86.S",
-]
-
-crypto_sources_linux_x86_64 = [
-    "linux-x86_64/crypto/chacha/chacha-x86_64.S",
-    "linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.S",
-    "linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S",
-    "linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.S",
-    "linux-x86_64/crypto/fipsmodule/aesni-x86_64.S",
-    "linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.S",
-    "linux-x86_64/crypto/fipsmodule/ghash-x86_64.S",
-    "linux-x86_64/crypto/fipsmodule/md5-x86_64.S",
-    "linux-x86_64/crypto/fipsmodule/p256-x86_64-asm.S",
-    "linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.S",
-    "linux-x86_64/crypto/fipsmodule/rdrand-x86_64.S",
-    "linux-x86_64/crypto/fipsmodule/rsaz-avx2.S",
-    "linux-x86_64/crypto/fipsmodule/sha1-x86_64.S",
-    "linux-x86_64/crypto/fipsmodule/sha256-x86_64.S",
-    "linux-x86_64/crypto/fipsmodule/sha512-x86_64.S",
-    "linux-x86_64/crypto/fipsmodule/vpaes-x86_64.S",
-    "linux-x86_64/crypto/fipsmodule/x86_64-mont.S",
-    "linux-x86_64/crypto/fipsmodule/x86_64-mont5.S",
-    "linux-x86_64/crypto/test/trampoline-x86_64.S",
-    "src/crypto/hrss/asm/poly_rq_mul.S",
-]
-
-crypto_sources_mac_x86 = [
-    "mac-x86/crypto/chacha/chacha-x86.S",
-    "mac-x86/crypto/fipsmodule/aesni-x86.S",
-    "mac-x86/crypto/fipsmodule/bn-586.S",
-    "mac-x86/crypto/fipsmodule/co-586.S",
-    "mac-x86/crypto/fipsmodule/ghash-ssse3-x86.S",
-    "mac-x86/crypto/fipsmodule/ghash-x86.S",
-    "mac-x86/crypto/fipsmodule/md5-586.S",
-    "mac-x86/crypto/fipsmodule/sha1-586.S",
-    "mac-x86/crypto/fipsmodule/sha256-586.S",
-    "mac-x86/crypto/fipsmodule/sha512-586.S",
-    "mac-x86/crypto/fipsmodule/vpaes-x86.S",
-    "mac-x86/crypto/fipsmodule/x86-mont.S",
-    "mac-x86/crypto/test/trampoline-x86.S",
-]
-
-crypto_sources_mac_x86_64 = [
-    "mac-x86_64/crypto/chacha/chacha-x86_64.S",
-    "mac-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.S",
-    "mac-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S",
-    "mac-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.S",
-    "mac-x86_64/crypto/fipsmodule/aesni-x86_64.S",
-    "mac-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.S",
-    "mac-x86_64/crypto/fipsmodule/ghash-x86_64.S",
-    "mac-x86_64/crypto/fipsmodule/md5-x86_64.S",
-    "mac-x86_64/crypto/fipsmodule/p256-x86_64-asm.S",
-    "mac-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.S",
-    "mac-x86_64/crypto/fipsmodule/rdrand-x86_64.S",
-    "mac-x86_64/crypto/fipsmodule/rsaz-avx2.S",
-    "mac-x86_64/crypto/fipsmodule/sha1-x86_64.S",
-    "mac-x86_64/crypto/fipsmodule/sha256-x86_64.S",
-    "mac-x86_64/crypto/fipsmodule/sha512-x86_64.S",
-    "mac-x86_64/crypto/fipsmodule/vpaes-x86_64.S",
-    "mac-x86_64/crypto/fipsmodule/x86_64-mont.S",
-    "mac-x86_64/crypto/fipsmodule/x86_64-mont5.S",
-    "mac-x86_64/crypto/test/trampoline-x86_64.S",
-]
-
-crypto_sources_win_x86 = [
-    "win-x86/crypto/chacha/chacha-x86.asm",
-    "win-x86/crypto/fipsmodule/aesni-x86.asm",
-    "win-x86/crypto/fipsmodule/bn-586.asm",
-    "win-x86/crypto/fipsmodule/co-586.asm",
-    "win-x86/crypto/fipsmodule/ghash-ssse3-x86.asm",
-    "win-x86/crypto/fipsmodule/ghash-x86.asm",
-    "win-x86/crypto/fipsmodule/md5-586.asm",
-    "win-x86/crypto/fipsmodule/sha1-586.asm",
-    "win-x86/crypto/fipsmodule/sha256-586.asm",
-    "win-x86/crypto/fipsmodule/sha512-586.asm",
-    "win-x86/crypto/fipsmodule/vpaes-x86.asm",
-    "win-x86/crypto/fipsmodule/x86-mont.asm",
-    "win-x86/crypto/test/trampoline-x86.asm",
-]
-
-crypto_sources_win_x86_64 = [
-    "win-x86_64/crypto/chacha/chacha-x86_64.asm",
-    "win-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.asm",
-    "win-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.asm",
-    "win-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.asm",
-    "win-x86_64/crypto/fipsmodule/aesni-x86_64.asm",
-    "win-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.asm",
-    "win-x86_64/crypto/fipsmodule/ghash-x86_64.asm",
-    "win-x86_64/crypto/fipsmodule/md5-x86_64.asm",
-    "win-x86_64/crypto/fipsmodule/p256-x86_64-asm.asm",
-    "win-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.asm",
-    "win-x86_64/crypto/fipsmodule/rdrand-x86_64.asm",
-    "win-x86_64/crypto/fipsmodule/rsaz-avx2.asm",
-    "win-x86_64/crypto/fipsmodule/sha1-x86_64.asm",
-    "win-x86_64/crypto/fipsmodule/sha256-x86_64.asm",
-    "win-x86_64/crypto/fipsmodule/sha512-x86_64.asm",
-    "win-x86_64/crypto/fipsmodule/vpaes-x86_64.asm",
-    "win-x86_64/crypto/fipsmodule/x86_64-mont.asm",
-    "win-x86_64/crypto/fipsmodule/x86_64-mont5.asm",
-    "win-x86_64/crypto/test/trampoline-x86_64.asm",
-]
@@ -1,277 +0,0 @@
-# This file is created by generate_build_files.py. Do not edit manually.
-
-test_support_sources = [
-    "src/crypto/asn1/asn1_locl.h",
-    "src/crypto/bio/internal.h",
-    "src/crypto/bytestring/internal.h",
-    "src/crypto/chacha/internal.h",
-    "src/crypto/cipher_extra/internal.h",
-    "src/crypto/conf/conf_def.h",
-    "src/crypto/conf/internal.h",
-    "src/crypto/cpu-arm-linux.h",
-    "src/crypto/err/internal.h",
-    "src/crypto/evp/internal.h",
-    "src/crypto/fipsmodule/aes/internal.h",
-    "src/crypto/fipsmodule/bn/internal.h",
-    "src/crypto/fipsmodule/bn/rsaz_exp.h",
-    "src/crypto/fipsmodule/cipher/internal.h",
-    "src/crypto/fipsmodule/delocate.h",
-    "src/crypto/fipsmodule/des/internal.h",
-    "src/crypto/fipsmodule/digest/internal.h",
-    "src/crypto/fipsmodule/digest/md32_common.h",
-    "src/crypto/fipsmodule/ec/internal.h",
-    "src/crypto/fipsmodule/ec/p256-x86_64-table.h",
-    "src/crypto/fipsmodule/ec/p256-x86_64.h",
-    "src/crypto/fipsmodule/md5/internal.h",
-    "src/crypto/fipsmodule/modes/internal.h",
-    "src/crypto/fipsmodule/rand/internal.h",
-    "src/crypto/fipsmodule/rsa/internal.h",
-    "src/crypto/fipsmodule/sha/internal.h",
-    "src/crypto/fipsmodule/tls/internal.h",
-    "src/crypto/hrss/internal.h",
-    "src/crypto/internal.h",
-    "src/crypto/obj/obj_dat.h",
-    "src/crypto/pkcs7/internal.h",
-    "src/crypto/pkcs8/internal.h",
-    "src/crypto/poly1305/internal.h",
-    "src/crypto/pool/internal.h",
-    "src/crypto/test/abi_test.h",
-    "src/crypto/test/file_test.cc",
-    "src/crypto/test/file_test.h",
-    "src/crypto/test/gtest_main.h",
-    "src/crypto/test/test_util.cc",
-    "src/crypto/test/test_util.h",
-    "src/crypto/test/wycheproof_util.cc",
-    "src/crypto/test/wycheproof_util.h",
-    "src/crypto/x509/charmap.h",
-    "src/crypto/x509/internal.h",
-    "src/crypto/x509/vpm_int.h",
-    "src/crypto/x509v3/ext_dat.h",
-    "src/crypto/x509v3/internal.h",
-    "src/crypto/x509v3/pcy_int.h",
-    "src/ssl/internal.h",
-    "src/ssl/test/async_bio.h",
-    "src/ssl/test/fuzzer.h",
-    "src/ssl/test/fuzzer_tags.h",
-    "src/ssl/test/handshake_util.h",
-    "src/ssl/test/mock_quic_transport.h",
-    "src/ssl/test/packeted_bio.h",
-    "src/ssl/test/settings_writer.h",
-    "src/ssl/test/test_config.h",
-    "src/ssl/test/test_state.h",
-    "src/third_party/fiat/curve25519_32.h",
-    "src/third_party/fiat/curve25519_64.h",
-    "src/third_party/fiat/curve25519_tables.h",
-    "src/third_party/fiat/internal.h",
-    "src/third_party/fiat/p256_32.h",
-    "src/third_party/fiat/p256_64.h",
-]
-
-crypto_test_sources = [
-    "crypto_test_data.cc",
-    "src/crypto/abi_self_test.cc",
-    "src/crypto/asn1/asn1_test.cc",
-    "src/crypto/base64/base64_test.cc",
-    "src/crypto/bio/bio_test.cc",
-    "src/crypto/buf/buf_test.cc",
-    "src/crypto/bytestring/bytestring_test.cc",
-    "src/crypto/chacha/chacha_test.cc",
-    "src/crypto/cipher_extra/aead_test.cc",
-    "src/crypto/cipher_extra/cipher_test.cc",
-    "src/crypto/cmac/cmac_test.cc",
-    "src/crypto/compiler_test.cc",
-    "src/crypto/constant_time_test.cc",
-    "src/crypto/cpu-arm-linux_test.cc",
-    "src/crypto/curve25519/ed25519_test.cc",
-    "src/crypto/curve25519/spake25519_test.cc",
-    "src/crypto/curve25519/x25519_test.cc",
-    "src/crypto/dh/dh_test.cc",
-    "src/crypto/digest_extra/digest_test.cc",
-    "src/crypto/dsa/dsa_test.cc",
-    "src/crypto/ecdh_extra/ecdh_test.cc",
-    "src/crypto/err/err_test.cc",
-    "src/crypto/evp/evp_extra_test.cc",
-    "src/crypto/evp/evp_test.cc",
-    "src/crypto/evp/pbkdf_test.cc",
-    "src/crypto/evp/scrypt_test.cc",
-    "src/crypto/fipsmodule/aes/aes_test.cc",
-    "src/crypto/fipsmodule/bn/bn_test.cc",
-    "src/crypto/fipsmodule/ec/ec_test.cc",
-    "src/crypto/fipsmodule/ec/p256-x86_64_test.cc",
-    "src/crypto/fipsmodule/ecdsa/ecdsa_test.cc",
-    "src/crypto/fipsmodule/md5/md5_test.cc",
-    "src/crypto/fipsmodule/modes/gcm_test.cc",
-    "src/crypto/fipsmodule/rand/ctrdrbg_test.cc",
-    "src/crypto/fipsmodule/sha/sha_test.cc",
-    "src/crypto/hkdf/hkdf_test.cc",
-    "src/crypto/hmac_extra/hmac_test.cc",
-    "src/crypto/hrss/hrss_test.cc",
-    "src/crypto/impl_dispatch_test.cc",
-    "src/crypto/lhash/lhash_test.cc",
-    "src/crypto/obj/obj_test.cc",
-    "src/crypto/pem/pem_test.cc",
-    "src/crypto/pkcs7/pkcs7_test.cc",
-    "src/crypto/pkcs8/pkcs12_test.cc",
-    "src/crypto/pkcs8/pkcs8_test.cc",
-    "src/crypto/poly1305/poly1305_test.cc",
-    "src/crypto/pool/pool_test.cc",
-    "src/crypto/rand_extra/rand_test.cc",
-    "src/crypto/refcount_test.cc",
-    "src/crypto/rsa_extra/rsa_test.cc",
-    "src/crypto/self_test.cc",
-    "src/crypto/siphash/siphash_test.cc",
-    "src/crypto/stack/stack_test.cc",
-    "src/crypto/test/abi_test.cc",
-    "src/crypto/test/file_test_gtest.cc",
-    "src/crypto/test/gtest_main.cc",
-    "src/crypto/thread_test.cc",
-    "src/crypto/x509/x509_test.cc",
-    "src/crypto/x509/x509_time_test.cc",
-    "src/crypto/x509v3/tab_test.cc",
-    "src/crypto/x509v3/v3name_test.cc",
-]
-
-ssl_test_sources = [
-    "src/crypto/test/abi_test.cc",
-    "src/crypto/test/gtest_main.cc",
-    "src/ssl/span_test.cc",
-    "src/ssl/ssl_c_test.c",
-    "src/ssl/ssl_test.cc",
-]
-
-crypto_test_data = [
-    "src/crypto/cipher_extra/test/aes_128_cbc_sha1_tls_implicit_iv_tests.txt",
-    "src/crypto/cipher_extra/test/aes_128_cbc_sha1_tls_tests.txt",
-    "src/crypto/cipher_extra/test/aes_128_cbc_sha256_tls_tests.txt",
-    "src/crypto/cipher_extra/test/aes_128_ccm_bluetooth_8_tests.txt",
-    "src/crypto/cipher_extra/test/aes_128_ccm_bluetooth_tests.txt",
-    "src/crypto/cipher_extra/test/aes_128_ctr_hmac_sha256.txt",
-    "src/crypto/cipher_extra/test/aes_128_gcm_siv_tests.txt",
-    "src/crypto/cipher_extra/test/aes_128_gcm_tests.txt",
-    "src/crypto/cipher_extra/test/aes_192_gcm_tests.txt",
-    "src/crypto/cipher_extra/test/aes_256_cbc_sha1_tls_implicit_iv_tests.txt",
-    "src/crypto/cipher_extra/test/aes_256_cbc_sha1_tls_tests.txt",
-    "src/crypto/cipher_extra/test/aes_256_cbc_sha256_tls_tests.txt",
-    "src/crypto/cipher_extra/test/aes_256_cbc_sha384_tls_tests.txt",
-    "src/crypto/cipher_extra/test/aes_256_ctr_hmac_sha256.txt",
-    "src/crypto/cipher_extra/test/aes_256_gcm_siv_tests.txt",
-    "src/crypto/cipher_extra/test/aes_256_gcm_tests.txt",
-    "src/crypto/cipher_extra/test/chacha20_poly1305_tests.txt",
-    "src/crypto/cipher_extra/test/cipher_tests.txt",
-    "src/crypto/cipher_extra/test/des_ede3_cbc_sha1_tls_implicit_iv_tests.txt",
-    "src/crypto/cipher_extra/test/des_ede3_cbc_sha1_tls_tests.txt",
-    "src/crypto/cipher_extra/test/nist_cavp/aes_128_cbc.txt",
-    "src/crypto/cipher_extra/test/nist_cavp/aes_128_ctr.txt",
-    "src/crypto/cipher_extra/test/nist_cavp/aes_128_gcm.txt",
-    "src/crypto/cipher_extra/test/nist_cavp/aes_192_cbc.txt",
-    "src/crypto/cipher_extra/test/nist_cavp/aes_192_ctr.txt",
-    "src/crypto/cipher_extra/test/nist_cavp/aes_256_cbc.txt",
-    "src/crypto/cipher_extra/test/nist_cavp/aes_256_ctr.txt",
-    "src/crypto/cipher_extra/test/nist_cavp/aes_256_gcm.txt",
-    "src/crypto/cipher_extra/test/nist_cavp/tdes_cbc.txt",
-    "src/crypto/cipher_extra/test/nist_cavp/tdes_ecb.txt",
-    "src/crypto/cipher_extra/test/xchacha20_poly1305_tests.txt",
-    "src/crypto/cmac/cavp_3des_cmac_tests.txt",
-    "src/crypto/cmac/cavp_aes128_cmac_tests.txt",
-    "src/crypto/cmac/cavp_aes192_cmac_tests.txt",
-    "src/crypto/cmac/cavp_aes256_cmac_tests.txt",
-    "src/crypto/curve25519/ed25519_tests.txt",
-    "src/crypto/ecdh_extra/ecdh_tests.txt",
-    "src/crypto/evp/evp_tests.txt",
-    "src/crypto/evp/scrypt_tests.txt",
-    "src/crypto/fipsmodule/aes/aes_tests.txt",
-    "src/crypto/fipsmodule/bn/bn_tests.txt",
-    "src/crypto/fipsmodule/bn/miller_rabin_tests.txt",
-    "src/crypto/fipsmodule/ec/ec_scalar_base_mult_tests.txt",
-    "src/crypto/fipsmodule/ec/p256-x86_64_tests.txt",
-    "src/crypto/fipsmodule/ecdsa/ecdsa_sign_tests.txt",
-    "src/crypto/fipsmodule/ecdsa/ecdsa_verify_tests.txt",
-    "src/crypto/fipsmodule/modes/gcm_tests.txt",
-    "src/crypto/fipsmodule/rand/ctrdrbg_vectors.txt",
-    "src/crypto/hmac_extra/hmac_tests.txt",
-    "src/crypto/poly1305/poly1305_tests.txt",
-    "src/crypto/siphash/siphash_tests.txt",
-    "src/crypto/x509/many_constraints.pem",
-    "src/crypto/x509/many_names1.pem",
-    "src/crypto/x509/many_names2.pem",
-    "src/crypto/x509/many_names3.pem",
-    "src/crypto/x509/some_names1.pem",
-    "src/crypto/x509/some_names2.pem",
-    "src/crypto/x509/some_names3.pem",
-    "src/third_party/wycheproof_testvectors/aes_cbc_pkcs5_test.txt",
-    "src/third_party/wycheproof_testvectors/aes_cmac_test.txt",
-    "src/third_party/wycheproof_testvectors/aes_gcm_siv_test.txt",
-    "src/third_party/wycheproof_testvectors/aes_gcm_test.txt",
-    "src/third_party/wycheproof_testvectors/chacha20_poly1305_test.txt",
-    "src/third_party/wycheproof_testvectors/dsa_test.txt",
-    "src/third_party/wycheproof_testvectors/ecdh_secp224r1_test.txt",
-    "src/third_party/wycheproof_testvectors/ecdh_secp256r1_test.txt",
-    "src/third_party/wycheproof_testvectors/ecdh_secp384r1_test.txt",
-    "src/third_party/wycheproof_testvectors/ecdh_secp521r1_test.txt",
-    "src/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha224_test.txt",
-    "src/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha256_test.txt",
-    "src/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha512_test.txt",
-    "src/third_party/wycheproof_testvectors/ecdsa_secp256r1_sha256_test.txt",
-    "src/third_party/wycheproof_testvectors/ecdsa_secp256r1_sha512_test.txt",
-    "src/third_party/wycheproof_testvectors/ecdsa_secp384r1_sha384_test.txt",
-    "src/third_party/wycheproof_testvectors/ecdsa_secp384r1_sha512_test.txt",
-    "src/third_party/wycheproof_testvectors/ecdsa_secp521r1_sha512_test.txt",
-    "src/third_party/wycheproof_testvectors/eddsa_test.txt",
-    "src/third_party/wycheproof_testvectors/hkdf_sha1_test.txt",
-    "src/third_party/wycheproof_testvectors/hkdf_sha256_test.txt",
-    "src/third_party/wycheproof_testvectors/hkdf_sha384_test.txt",
-    "src/third_party/wycheproof_testvectors/hkdf_sha512_test.txt",
-    "src/third_party/wycheproof_testvectors/hmac_sha1_test.txt",
-    "src/third_party/wycheproof_testvectors/hmac_sha224_test.txt",
-    "src/third_party/wycheproof_testvectors/hmac_sha256_test.txt",
-    "src/third_party/wycheproof_testvectors/hmac_sha384_test.txt",
-    "src/third_party/wycheproof_testvectors/hmac_sha512_test.txt",
-    "src/third_party/wycheproof_testvectors/kw_test.txt",
-    "src/third_party/wycheproof_testvectors/kwp_test.txt",
-    "src/third_party/wycheproof_testvectors/primality_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_2048_sha1_mgf1sha1_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_2048_sha224_mgf1sha1_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_2048_sha224_mgf1sha224_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_2048_sha256_mgf1sha1_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_2048_sha256_mgf1sha256_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_2048_sha384_mgf1sha1_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_2048_sha384_mgf1sha384_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_2048_sha512_mgf1sha1_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_2048_sha512_mgf1sha512_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_3072_sha256_mgf1sha1_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_3072_sha256_mgf1sha256_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_3072_sha512_mgf1sha1_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_3072_sha512_mgf1sha512_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_4096_sha256_mgf1sha1_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_4096_sha256_mgf1sha256_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_4096_sha512_mgf1sha1_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_4096_sha512_mgf1sha512_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_oaep_misc_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_pkcs1_2048_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_pkcs1_3072_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_pkcs1_4096_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_pss_2048_sha1_mgf1_20_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_pss_2048_sha256_mgf1_0_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_pss_2048_sha256_mgf1_32_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_pss_3072_sha256_mgf1_32_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_pss_4096_sha256_mgf1_32_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_pss_4096_sha512_mgf1_32_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_pss_misc_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_sig_gen_misc_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_signature_2048_sha224_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_signature_2048_sha256_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_signature_2048_sha384_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_signature_2048_sha512_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_signature_3072_sha256_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_signature_3072_sha384_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_signature_3072_sha512_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_signature_4096_sha384_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_signature_4096_sha512_test.txt",
-    "src/third_party/wycheproof_testvectors/rsa_signature_test.txt",
-    "src/third_party/wycheproof_testvectors/x25519_test.txt",
-    "src/third_party/wycheproof_testvectors/xchacha20_poly1305_test.txt",
-]
-
-urandom_test_sources = [
-    "src/crypto/fipsmodule/rand/urandom_test.cc",
-]
@@ -39,3 +39,4 @@ There are other files in this directory which might be helpful:
  * [FUZZING.md](/FUZZING.md): information about fuzzing BoringSSL.
  * [CONTRIBUTING.md](/CONTRIBUTING.md): how to contribute to BoringSSL.
  * [BREAKING-CHANGES.md](/BREAKING-CHANGES.md): notes on potentially-breaking changes.
+  * [SANDBOXING.md](/SANDBOXING.md): notes on using BoringSSL in a sandboxed environment.
@@ -0,0 +1,138 @@
+# Using BoringSSL in a Sandbox
+
+Sandboxes are a valuable tool for securing applications, so BoringSSL aims to
+support them. However, it is difficult to make concrete API guarantees with
+sandboxes. Sandboxes remove low-level OS resources and system calls, which
+breaks platform abstractions. A syscall-filtering sandbox may, for instance, be
+sensitive to otherwise non-breaking changes to use newer syscalls
+in either BoringSSL or the C library.
+
+Some functions in BoringSSL, such as `BIO_new_file`, inherently need OS
+resources like the filesystem. We assume that sandboxed consumers either avoid
+those functions or make necessary resources available. Other functions like
+`RSA_sign` are purely computational, but still have some baseline OS
+dependencies.
+
+Sandboxes which drop privileges partway through a process's lifetime are
+additionally sensitive to OS resources retained across the transitions. For
+instance, if a library function internally opened and retained a handle to the
+user's home directory, and then the application called `chroot`, that handle
+would be a sandbox escape.
+
+This document attempts to describe these baseline OS dependencies and long-lived
+internal resources. These dependencies may change over time, but we aim to
+[work with sandboxed consumers](/BREAKING-CHANGES.md) when they do. However,
+each sandbox imposes different constraints, so, above all, sandboxed consumers
+must have ample test coverage to detect issues as they arise.
+
+## Baseline dependencies
+
+Callers must assume that any BoringSSL function may perform one of the following
+operations:
+
+### Memory allocation
+
+Any BoringSSL function may allocate memory via `malloc` and related functions.
+
+### Thread synchronization
+
+Any BoringSSL function may call into the platform's thread synchronization
+primitives, including read/write locks and the equivalent of `pthread_once`.
+These must succeed, or BoringSSL will abort the process. Callers, however, can
+assume that BoringSSL functions will not spawn internal threads, unless
+otherwise documented.
+
+Syscall-filtering sandboxes should note that BoringSSL uses `pthread_rwlock_t`
+on POSIX systems, which is less common and may not be part of other libraries'
+syscall surface. Additionally, thread synchronization primitives usually have an
+atomics-based fast path. If a sandbox blocks a necessary pthreads syscall, it
+may not show up in testing without lock contention.
+
+### Standard error
+
+Any BoringSSL function may write to `stderr` or file descriptor
+`STDERR_FILENO` (2), either via `FILE` APIs or low-level functions like `write`.
+Writes to `stderr` may fail, but there must some file at `STDERR_FILENO` which
+will tolerate error messages from BoringSSL. (The file descriptor must be
+allocated so calls to `open` do not accidentally open something else there.)
+
+Note some C standard library implementations also log to `stderr`, so callers
+should ensure this regardless.
+
+### Entropy
+
+Any BoringSSL function may draw entropy from the OS. On Windows, this uses
+`RtlGenRandom` and, on POSIX systems, this uses `getrandom`, `getentropy`, or a
+`read` from a file descriptor to `/dev/urandom`. These operations must succeed
+or BoringSSL will abort the process. BoringSSL only probes for `getrandom`
+support once and assumes support is consistent for the lifetime of the address
+space (and any copies made via `fork`). If a syscall-filtering sandbox is
+enabled partway through this lifetime and changes whether `getrandom` works,
+BoringSSL may abort the process. Sandboxes are recommended to allow
+`getrandom`.
+
+Note even deterministic algorithms may require OS entropy. For example,
+RSASSA-PKCS1-v1_5 is deterministic, but BoringSSL draws entropy to implement
+RSA blinding.
+
+Entropy gathering additionally has some initialization dependencies described in
+the following section.
+
+## Initialization
+
+BoringSSL has some uncommon OS dependencies which are only used once to
+initialize some state. Sandboxes which drop privileges after some setup work may
+use `CRYPTO_pre_sandbox_init` to initialize this state ahead of time. Otherwise,
+callers must assume any BoringSSL function may depend on these resources, in
+addition to the operations above.
+
+### CPU capabilities
+
+On Linux ARM platforms, BoringSSL depends on OS APIs to query CPU capabilities.
+32-bit and 64-bit ARM both depend on the `getauxval` function. 32-bit ARM, to
+work around bugs in older Android devices, may additionally read `/proc/cpuinfo`
+and `/proc/self/auxv`.
+
+If querying CPU capabilities fails, BoringSSL will still function, but may not
+perform as well.
+
+### Entropy
+
+On Linux systems without a working `getrandom`, drawing entropy from the OS
+additionally requires opening `/dev/urandom`. If this fails, BoringSSL will
+abort the process. BoringSSL retains the resulting file descriptor, even across
+privilege transitions.
+
+### Fork protection
+
+On Linux, BoringSSL allocates a page and calls `madvise` with `MADV_WIPEONFORK`
+to protect single-use state from `fork`. This operation must not crash, but if
+it fails, BoringSSL will use alternate fork-safety strategies, potentially at a
+performance cost. If it succeeds, BoringSSL assumes `MADV_WIPEONFORK` is
+functional and relies on it for fork-safety. Sandboxes must not report success
+if they ignore the `MADV_WIPEONFORK` flag. As of writing, QEMU will ignore
+`madvise` calls and report success, so BoringSSL detects this by calling
+`madvise` with -1. Sandboxes must cleanly report an error instead of crashing.
+
+Once initialized, this mechanism does not require system calls in the steady
+state, though note the configured page will be inherited across privilege
+transitions.
+
+## C and C++ standard library
+
+BoringSSL depends on the C and C++ standard libraries which, themselves, do not
+make any guarantees about sandboxes. If it produces the correct answer and has
+no observable invalid side effects, it is possible, though unreasonable, for
+`memcmp` to create and close a socket.
+
+BoringSSL assumes that functions in the C and C++ library only have the platform
+dependencies which would be "reasonable". For instance, a function in BoringSSL
+which aims not to open files will still freely call any libc memory and
+string functions.
+
+Note some C functions, such as `strerror`, may read files relating to the user's
+locale. BoringSSL may trigger these paths and assumes the sandbox environment
+will tolerate this. BoringSSL additionally cannot make guarantees about which
+system calls are used by standard library's syscall wrappers. In some cases, the
+compiler may add dependencies. (Some C++ language features emit locking code.)
+Syscall-filtering sandboxes may need updates as these dependencies change.
@@ -1 +0,0 @@
-workspace(name = "boringssl")
@@ -184,6 +184,7 @@ add_custom_command(
  err/pkcs8.errordata
  err/rsa.errordata
  err/ssl.errordata
+  err/trust_token.errordata
  err/x509.errordata
  err/x509v3.errordata
  WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/err
@@ -262,6 +263,7 @@ add_library(
  cpu-intel.c
  cpu-ppc64le.c
  crypto.c
+  curve25519/curve25519.c
  curve25519/spake25519.c
  dh/dh.c
  dh/params.c
@@ -274,6 +276,7 @@ add_library(
  ecdsa_extra/ecdsa_asn1.c
  ec_extra/ec_asn1.c
  ec_extra/ec_derive.c
+  ec_extra/hash_to_curve.c
  err/err.c
  err_data.c
  engine/engine.c
@@ -296,6 +299,7 @@ add_library(
  evp/sign.c
  ex_data.c
  hkdf/hkdf.c
+  hpke/hpke.c
  hrss/hrss.c
  lhash/lhash.c
  mem.c
@@ -334,6 +338,8 @@ add_library(
  thread_none.c
  thread_pthread.c
  thread_win.c
+  trust_token/pmbtoken.c
+  trust_token/trust_token.c
  x509/a_digest.c
  x509/a_sign.c
  x509/a_strex.c
@@ -416,7 +422,6 @@ add_library(
  x509v3/v3_skey.c
  x509v3/v3_sxnet.c
  x509v3/v3_utl.c
-  ../third_party/fiat/curve25519.c

  $<TARGET_OBJECTS:fipsmodule>

@@ -452,7 +457,7 @@ endif()

 SET_TARGET_PROPERTIES(crypto PROPERTIES LINKER_LANGUAGE C)

-if(NOT MSVC AND NOT ANDROID)
+if(NOT WIN32 AND NOT ANDROID)
  target_link_libraries(crypto pthread)
 endif()

@@ -512,8 +517,10 @@ add_executable(
  fipsmodule/md5/md5_test.cc
  fipsmodule/modes/gcm_test.cc
  fipsmodule/rand/ctrdrbg_test.cc
+  fipsmodule/rand/fork_detect_test.cc
  fipsmodule/sha/sha_test.cc
  hkdf/hkdf_test.cc
+  hpke/hpke_test.cc
  hmac_extra/hmac_test.cc
  hrss/hrss_test.cc
  impl_dispatch_test.cc
@@ -533,6 +540,7 @@ add_executable(
  siphash/siphash_test.cc
  test/file_test_gtest.cc
  thread_test.cc
+  trust_token/trust_token_test.cc
  x509/x509_test.cc
  x509/x509_time_test.cc
  x509v3/tab_test.cc
@@ -70,7 +70,7 @@ int ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, unsigned char *d, int len)
    return M_ASN1_BIT_STRING_set(x, d, len);
 }

-int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
+int i2c_ASN1_BIT_STRING(const ASN1_BIT_STRING *a, unsigned char **pp)
 {
    int ret, j, bits, len;
    unsigned char *p, *d;
@@ -233,7 +233,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
    return (1);
 }

-int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n)
+int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n)
 {
    int w, v;

@@ -250,7 +250,7 @@ int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n)
 * which is not specified in 'flags', 1 otherwise.
 * 'len' is the length of 'flags'.
 */
-int ASN1_BIT_STRING_check(ASN1_BIT_STRING *a,
+int ASN1_BIT_STRING_check(const ASN1_BIT_STRING *a,
                          unsigned char *flags, int flags_len)
 {
    int i, ok;
@@ -108,7 +108,7 @@ int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
    return (1);
 }

-long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
+long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a)
 {
    int neg = 0, i;

@@ -147,7 +147,7 @@ long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
    return r;
 }

-ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
+ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai)
 {
    ASN1_ENUMERATED *ret;
    int len, j;
@@ -183,7 +183,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
    return (NULL);
 }

-BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn)
+BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn)
 {
    BIGNUM *ret;

@@ -115,7 +115,7 @@ int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y)
 * followed by optional zeros isn't padded.
 */

-int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
+int i2c_ASN1_INTEGER(const ASN1_INTEGER *a, unsigned char **pp)
 {
    int pad = 0, ret, i, neg;
    unsigned char *p, *n, pb = 0;
@@ -66,7 +66,7 @@
 #include "../internal.h"


-int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
+int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp)
 {
    unsigned char *p, *allocated = NULL;
    int objsize;
@@ -98,12 +98,12 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
    return objsize;
 }

-int i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *a)
+int i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a)
 {
    return OBJ_obj2txt(buf, buf_len, a, 0);
 }

-int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
+int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a)
 {
    char buf[80], *p = buf;
    int i;
@@ -100,7 +100,7 @@ ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t,
    return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec);
 }

-int ASN1_TIME_check(ASN1_TIME *t)
+int ASN1_TIME_check(const ASN1_TIME *t)
 {
    if (t->type == V_ASN1_GENERALIZEDTIME)
        return ASN1_GENERALIZEDTIME_check(t);
@@ -110,7 +110,7 @@ int ASN1_TIME_check(ASN1_TIME *t)
 }

 /* Convert an ASN1_TIME structure to GeneralizedTime */
-ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t,
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *t,
                                                   ASN1_GENERALIZEDTIME **out)
 {
    ASN1_GENERALIZEDTIME *ret = NULL;
@@ -61,7 +61,7 @@
 #include <openssl/mem.h>
 #include <openssl/obj.h>

-int ASN1_TYPE_get(ASN1_TYPE *a)
+int ASN1_TYPE_get(const ASN1_TYPE *a)
 {
    if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL))
        return (a->type);
@@ -430,7 +430,7 @@ void ASN1_STRING_length_set(ASN1_STRING *x, int len)
    return;
 }

-int ASN1_STRING_type(ASN1_STRING *x)
+int ASN1_STRING_type(const ASN1_STRING *x)
 {
    return M_ASN1_STRING_type(x);
 }
@@ -174,7 +174,7 @@ TEST(ASN1Test, SerializeObject) {
  static const uint8_t kDER[] = {0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
                                 0xf7, 0x0d, 0x01, 0x01, 0x01};
  const ASN1_OBJECT *obj = OBJ_nid2obj(NID_rsaEncryption);
-  TestSerialize(const_cast<ASN1_OBJECT *>(obj), i2d_ASN1_OBJECT, kDER);
+  TestSerialize(obj, i2d_ASN1_OBJECT, kDER);
 }

 TEST(ASN1Test, SerializeBoolean) {
@@ -93,7 +93,7 @@ ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)

 /* Extract an ASN1 object from an ASN1_STRING */

-void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it)
+void *ASN1_item_unpack(const ASN1_STRING *oct, const ASN1_ITEM *it)
 {
    const unsigned char *p;
    void *ret;
@@ -60,7 +60,7 @@

 /* Based on a_int.c: equivalent ENUMERATED functions */

-int i2a_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *a)
+int i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a)
 {
    int i, n = 0;
    static const char *h = "0123456789ABCDEF";
@@ -58,7 +58,7 @@

 #include <openssl/bio.h>

-int i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a)
+int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a)
 {
    int i, n = 0;
    static const char *h = "0123456789ABCDEF";
@@ -58,7 +58,7 @@

 #include <openssl/bio.h>

-int i2a_ASN1_STRING(BIO *bp, ASN1_STRING *a, int type)
+int i2a_ASN1_STRING(BIO *bp, const ASN1_STRING *a, int type)
 {
    int i, n = 0;
    static const char *h = "0123456789ABCDEF";
@@ -25,6 +25,7 @@

 #include "../fipsmodule/cipher/internal.h"
 #include "../internal.h"
+#include "../test/abi_test.h"
 #include "../test/file_test.h"
 #include "../test/test_util.h"
 #include "../test/wycheproof_util.h"
@@ -664,6 +665,91 @@ TEST_P(PerAEADTest, InvalidNonceLength) {
  }
 }

+#if defined(SUPPORTS_ABI_TEST)
+// CHECK_ABI can't pass enums, i.e. |evp_aead_seal| and |evp_aead_open|. Thus
+// these two wrappers.
+static int aead_ctx_init_for_seal(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
+                                  const uint8_t *key, size_t key_len) {
+  return EVP_AEAD_CTX_init_with_direction(ctx, aead, key, key_len, 0,
+                                          evp_aead_seal);
+}
+
+static int aead_ctx_init_for_open(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
+                                  const uint8_t *key, size_t key_len) {
+  return EVP_AEAD_CTX_init_with_direction(ctx, aead, key, key_len, 0,
+                                          evp_aead_open);
+}
+
+// CHECK_ABI can pass, at most, eight arguments. Thus these wrappers that
+// figure out the output length from the input length, and take the nonce length
+// from the configuration of the AEAD.
+static int aead_ctx_seal(EVP_AEAD_CTX *ctx, uint8_t *out_ciphertext,
+                         size_t *out_ciphertext_len, const uint8_t *nonce,
+                         const uint8_t *plaintext, size_t plaintext_len,
+                         const uint8_t *ad, size_t ad_len) {
+  const size_t nonce_len = EVP_AEAD_nonce_length(EVP_AEAD_CTX_aead(ctx));
+  return EVP_AEAD_CTX_seal(ctx, out_ciphertext, out_ciphertext_len,
+                           plaintext_len + EVP_AEAD_MAX_OVERHEAD, nonce,
+                           nonce_len, plaintext, plaintext_len, ad, ad_len);
+}
+
+static int aead_ctx_open(EVP_AEAD_CTX *ctx, uint8_t *out_plaintext,
+                         size_t *out_plaintext_len, const uint8_t *nonce,
+                         const uint8_t *ciphertext, size_t ciphertext_len,
+                         const uint8_t *ad, size_t ad_len) {
+  const size_t nonce_len = EVP_AEAD_nonce_length(EVP_AEAD_CTX_aead(ctx));
+  return EVP_AEAD_CTX_open(ctx, out_plaintext, out_plaintext_len,
+                           ciphertext_len, nonce, nonce_len, ciphertext,
+                           ciphertext_len, ad, ad_len);
+}
+
+TEST_P(PerAEADTest, ABI) {
+  uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
+  OPENSSL_memset(key, 'K', sizeof(key));
+  const size_t key_len = EVP_AEAD_key_length(aead());
+  ASSERT_LE(key_len, sizeof(key));
+
+  bssl::ScopedEVP_AEAD_CTX ctx_seal;
+  ASSERT_TRUE(
+      CHECK_ABI(aead_ctx_init_for_seal, ctx_seal.get(), aead(), key, key_len));
+
+  bssl::ScopedEVP_AEAD_CTX ctx_open;
+  ASSERT_TRUE(
+      CHECK_ABI(aead_ctx_init_for_open, ctx_open.get(), aead(), key, key_len));
+
+  alignas(2) uint8_t plaintext[512];
+  OPENSSL_memset(plaintext, 'P', sizeof(plaintext));
+
+  alignas(2) uint8_t ad_buf[512];
+  OPENSSL_memset(ad_buf, 'A', sizeof(ad_buf));
+  const uint8_t *const ad = ad_buf + 1;
+  ASSERT_LE(GetParam().ad_len, sizeof(ad_buf) - 1);
+  const size_t ad_len =
+      GetParam().ad_len != 0 ? GetParam().ad_len : sizeof(ad_buf) - 1;
+
+  uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
+  const size_t nonce_len = EVP_AEAD_nonce_length(aead());
+  ASSERT_LE(nonce_len, sizeof(nonce));
+
+  alignas(2) uint8_t ciphertext[sizeof(plaintext) + EVP_AEAD_MAX_OVERHEAD + 1];
+  size_t ciphertext_len;
+  // Knock plaintext, ciphertext, and AD off alignment and give odd lengths for
+  // plaintext and AD. This hopefully triggers any edge-cases in the assembly.
+  ASSERT_TRUE(CHECK_ABI(aead_ctx_seal, ctx_seal.get(), ciphertext + 1,
+                        &ciphertext_len, nonce, plaintext + 1,
+                        sizeof(plaintext) - 1, ad, ad_len));
+
+  alignas(2) uint8_t plaintext2[sizeof(ciphertext) + 1];
+  size_t plaintext2_len;
+  ASSERT_TRUE(CHECK_ABI(aead_ctx_open, ctx_open.get(), plaintext2 + 1,
+                        &plaintext2_len, nonce, ciphertext + 1, ciphertext_len,
+                        ad, ad_len));
+
+  EXPECT_EQ(Bytes(plaintext + 1, sizeof(plaintext) - 1),
+            Bytes(plaintext2 + 1, plaintext2_len));
+}
+#endif  // SUPPORTS_ABI_TEST
+
 TEST(AEADTest, AESCCMLargeAD) {
  static const std::vector<uint8_t> kKey(16, 'A');
  static const std::vector<uint8_t> kNonce(13, 'N');
@@ -1273,7 +1273,7 @@ do_length_block:\n";
    pop %rbp
 .cfi_adjust_cfa_offset -8
    ret
-.cfi_adjust_cfa_offset (8 * 6) + 288 + 32
+.cfi_adjust_cfa_offset (8 * 7) + 288 + 32
 ################################################################################
 seal_sse_128:
    movdqu .chacha20_consts(%rip), $A0\nmovdqa $A0, $A1\nmovdqa $A0, $A2
@@ -61,8 +61,10 @@

 #include <gtest/gtest.h>

+#include <openssl/aes.h>
 #include <openssl/cipher.h>
 #include <openssl/err.h>
+#include <openssl/nid.h>
 #include <openssl/span.h>

 #include "../test/file_test.h"
@@ -221,6 +223,91 @@ static void TestOperation(FileTest *t, const EVP_CIPHER *cipher, bool encrypt,
        EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, tag.size(), rtag));
    EXPECT_EQ(Bytes(tag), Bytes(rtag, tag.size()));
  }
+
+  // Additionally test low-level AES mode APIs. Skip runs where |copy| because
+  // it does not apply.
+  if (!copy) {
+    int nid = EVP_CIPHER_nid(cipher);
+    bool is_ctr = nid == NID_aes_128_ctr || nid == NID_aes_192_ctr ||
+                  nid == NID_aes_256_ctr;
+    bool is_cbc = nid == NID_aes_128_cbc || nid == NID_aes_192_cbc ||
+                  nid == NID_aes_256_cbc;
+    bool is_ofb = nid == NID_aes_128_ofb128 || nid == NID_aes_192_ofb128 ||
+                  nid == NID_aes_256_ofb128;
+    if (is_ctr || is_cbc || is_ofb) {
+      AES_KEY aes;
+      if (encrypt || !is_cbc) {
+        ASSERT_EQ(0, AES_set_encrypt_key(key.data(), key.size() * 8, &aes));
+      } else {
+        ASSERT_EQ(0, AES_set_decrypt_key(key.data(), key.size() * 8, &aes));
+      }
+
+      // The low-level APIs all work in-place.
+      bssl::Span<const uint8_t> input = *in;
+      result.clear();
+      if (in_place) {
+        result = *in;
+        input = result;
+      } else {
+        result.resize(out->size());
+      }
+      bssl::Span<uint8_t> output = bssl::MakeSpan(result);
+      ASSERT_EQ(input.size(), output.size());
+
+      // The low-level APIs all use block-size IVs.
+      ASSERT_EQ(iv.size(), size_t{AES_BLOCK_SIZE});
+      uint8_t ivec[AES_BLOCK_SIZE];
+      OPENSSL_memcpy(ivec, iv.data(), iv.size());
+
+      if (is_ctr) {
+        unsigned num = 0;
+        uint8_t ecount_buf[AES_BLOCK_SIZE];
+        if (chunk_size == 0) {
+          AES_ctr128_encrypt(input.data(), output.data(), input.size(), &aes,
+                             ivec, ecount_buf, &num);
+        } else {
+          do {
+            size_t todo = std::min(input.size(), chunk_size);
+            AES_ctr128_encrypt(input.data(), output.data(), todo, &aes, ivec,
+                               ecount_buf, &num);
+            input = input.subspan(todo);
+            output = output.subspan(todo);
+          } while (!input.empty());
+        }
+        EXPECT_EQ(Bytes(*out), Bytes(result));
+      } else if (is_cbc && chunk_size % AES_BLOCK_SIZE == 0) {
+        // Note |AES_cbc_encrypt| requires block-aligned chunks.
+        if (chunk_size == 0) {
+          AES_cbc_encrypt(input.data(), output.data(), input.size(), &aes, ivec,
+                          encrypt);
+        } else {
+          do {
+            size_t todo = std::min(input.size(), chunk_size);
+            AES_cbc_encrypt(input.data(), output.data(), todo, &aes, ivec,
+                            encrypt);
+            input = input.subspan(todo);
+            output = output.subspan(todo);
+          } while (!input.empty());
+        }
+        EXPECT_EQ(Bytes(*out), Bytes(result));
+      } else if (is_ofb) {
+        int num = 0;
+        if (chunk_size == 0) {
+          AES_ofb128_encrypt(input.data(), output.data(), input.size(), &aes,
+                             ivec, &num);
+        } else {
+          do {
+            size_t todo = std::min(input.size(), chunk_size);
+            AES_ofb128_encrypt(input.data(), output.data(), todo, &aes, ivec,
+                               &num);
+            input = input.subspan(todo);
+            output = output.subspan(todo);
+          } while (!input.empty());
+        }
+        EXPECT_EQ(Bytes(*out), Bytes(result));
+      }
+    }
+  }
 }

 static void TestCipher(FileTest *t) {
@@ -86,7 +86,7 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
  EVP_MD_CTX_init(&c);
  for (;;) {
    if (!EVP_DigestInit_ex(&c, md, NULL)) {
-      return 0;
+      goto err;
    }
    if (addmd++) {
      if (!EVP_DigestUpdate(&c, md_buf, mds)) {
--- a/Show More
+++ b/Show More