Various Updates

BUILDING.md

@@ -14,7 +14,7 @@ Unless otherwise noted, build tools must at most five years old, matching
 [Abseil guidelines](https://abseil.io/about/compatibility). If in doubt, use the
 most recent stable version of each tool.
 
-  * [CMake](https://cmake.org/download/) 3.12 or later is required.
+  * [CMake](https://cmake.org/download/) 3.22 or later is required.
 
   * Building with [Ninja](https://ninja-build.org/) instead of Make is
     recommended, because it makes builds faster. On Windows, CMake's Visual
@@ -74,8 +74,8 @@ themselves automatically.
 ### Building for Android
 
 It's possible to build BoringSSL with the Android NDK using CMake. Recent
-versions of the NDK include a CMake toolchain file which works with CMake 3.6.0
-or later. This has been tested with version r16b of the NDK.
+versions of the NDK include a CMake toolchain file. This has been tested with
+version r16b of the NDK.
 
 Unpack the Android NDK somewhere and export `ANDROID_NDK` to point to the
 directory. Then run CMake like this:

CMakeLists.txt

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-cmake_minimum_required(VERSION 3.16)
+cmake_minimum_required(VERSION 3.22)
 
 # Defer enabling C and CXX languages.
 project(BoringSSL NONE)
@@ -43,11 +43,6 @@ include(GNUInstallDirs)
 
 set(INSTALL_ENABLED 1)
 
-if(CMAKE_VERSION VERSION_LESS 3.21 AND
-   CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR)
-  set(PROJECT_IS_TOP_LEVEL 1)
-endif()
-
 if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND NOT CMAKE_CROSSCOMPILING AND
    BUILD_TESTING)
   find_package(PkgConfig QUIET)
@@ -384,16 +379,6 @@ if(FIPS_DELOCATE OR NOT OPENSSL_NO_ASM)
     if (NOT OPENSSL_NO_ASM)
       set(OPENSSL_ASM TRUE)
     endif()
-    # Work around https://gitlab.kitware.com/cmake/cmake/-/issues/20771 in older
-    # CMake versions.
-    if(APPLE AND CMAKE_VERSION VERSION_LESS 3.19)
-      if(CMAKE_OSX_SYSROOT)
-        set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -isysroot \"${CMAKE_OSX_SYSROOT}\"")
-      endif()
-      foreach(arch ${CMAKE_OSX_ARCHITECTURES})
-        set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -arch ${arch}")
-      endforeach()
-    endif()
     if(NOT WIN32)
       set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,--noexecstack")
     endif()
@@ -749,6 +734,8 @@ endif()
 if(FIPS)
   add_executable(modulewrapper ${MODULEWRAPPER_SOURCES})
   target_link_libraries(modulewrapper crypto)
+  add_executable(entropy_modulewrapper ${ENTROPY_MODULEWRAPPER_SOURCES})
+  target_link_libraries(entropy_modulewrapper crypto)
 endif()
 
 add_executable(bssl ${BSSL_SOURCES})
@@ -770,12 +757,8 @@ if(FUZZ)
 endif()
 
 if(RUST_BINDINGS)
-  find_program(BINDGEN_EXECUTABLE bindgen)
-  if(NOT BINDGEN_EXECUTABLE)
-    message(FATAL_ERROR "Could not find bindgen but was asked to generate Rust bindings.")
-  else()
-    add_subdirectory(rust)
-  endif()
+  find_program(BINDGEN_EXECUTABLE bindgen REQUIRED)
+  add_subdirectory(rust)
 endif()
 
 if(CMAKE_SYSTEM_NAME STREQUAL "Linux")

MODULE.bazel

@@ -16,7 +16,7 @@
 # the revision where we bump the version.
 module(
     name = "boringssl",
-    version = "0.20250818.0",
+    version = "0.20251002.0",
     compatibility_level = 2,
 )
 
@@ -30,7 +30,7 @@ module(
 # need to request they run tests when triaging issues. If
 # https://github.com/bazelbuild/bazel/issues/22187 is ever fixed, we can change
 # this.
-bazel_dep(name = "googletest", version = "1.17.0")
+bazel_dep(name = "googletest", version = "1.17.0.bcr.1")
 bazel_dep(name = "platforms", version = "1.0.0")
-bazel_dep(name = "rules_cc", version = "0.2.0")
+bazel_dep(name = "rules_cc", version = "0.2.8")
 bazel_dep(name = "rules_license", version = "1.0.0")

README.md

@@ -28,7 +28,7 @@ Both liboqs and this fork are part of the **Open Quantum Safe (OQS) project**, w
 
 ## Status
 
-This fork is built on top of [commit 208361a](https://github.com/google/boringssl/commit/208361a22e217afca0081acf78b2a3f3cf328a7e), and adds:
+This fork is built on top of [commit 88d0c0f](https://github.com/google/boringssl/commit/88d0c0f4772f3abe74f4f1012fe580fa85bab417), and adds:
 
 - quantum-safe key exchange
 - hybrid (quantum-safe + elliptic curve) key exchange
@@ -93,8 +93,6 @@ The following quantum-safe digital signature algorithms from liboqs are supporte
 - **UOV**: `OV_Ip_pkc`, `OV_Ip_pkc_skc`
 <!--- OQS_TEMPLATE_FRAGMENT_LIST_SIGS_END -->
 
-No [composite signature algorithms](https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-sigs/) are currently implemented. If you need those algorithms, please use the [OQS-provider](https://github.com/open-quantum-safe/oqs-provider) or implement them yourself and create a pull request.
-
 ## Quickstart
 
 We've only tested the fork on the latest Ubuntu LTS and Windows. This fork has limited support for other platforms and may not function properly.

build.json

@@ -406,7 +406,6 @@
             "crypto/x509/x_req.cc",
             "crypto/x509/x_sig.cc",
             "crypto/x509/x_spki.cc",
-            "crypto/x509/x_val.cc",
             "crypto/x509/x_x509.cc",
             "crypto/x509/x_x509a.cc",
             "crypto/xwing/xwing.cc"
@@ -775,6 +774,7 @@
     "test_support": {
         "srcs": [
             "crypto/test/abi_test.cc",
+            "crypto/test/der_trailing_data.cc",
             "crypto/test/file_test.cc",
             "crypto/test/file_test_gtest.cc",
             "crypto/test/file_util.cc",
@@ -784,6 +784,7 @@
         ],
         "internal_hdrs": [
             "crypto/test/abi_test.h",
+            "crypto/test/der_trailing_data.h",
             "crypto/test/file_test.h",
             "crypto/test/file_util.h",
             "crypto/test/gtest_main.h",
@@ -948,6 +949,7 @@
             "crypto/slhdsa/slhdsa_siggen.txt",
             "crypto/slhdsa/slhdsa_sigver.txt",
             "crypto/x509/test/*.pem",
+            "crypto/x509/test/*.pk8",
             "third_party/wycheproof_testvectors/*.txt"
         ]
     },
@@ -1087,7 +1089,18 @@
     "modulewrapper": {
         "srcs": [
             "util/fipstools/acvp/modulewrapper/main.cc",
-            "util/fipstools/acvp/modulewrapper/modulewrapper.cc"
+            "util/fipstools/acvp/modulewrapper/modulewrapper.cc",
+            "util/fipstools/acvp/modulewrapper/proto.cc"
+        ],
+        "internal_hdrs": [
+            "util/fipstools/acvp/modulewrapper/modulewrapper.h"
+        ]
+    },
+    "entropy_modulewrapper": {
+        "srcs": [
+            "util/fipstools/acvp/entropy_modulewrapper/main.cc",
+            "util/fipstools/acvp/entropy_modulewrapper/modulewrapper.cc",
+            "util/fipstools/acvp/modulewrapper/proto.cc"
         ],
         "internal_hdrs": [
             "util/fipstools/acvp/modulewrapper/modulewrapper.h"

cmake/go.cmake

@@ -25,37 +25,19 @@ endfunction()
 function(go_executable dest package)
   require_go()
   set(godeps "${PROJECT_SOURCE_DIR}/util/godeps.go")
-  if(NOT CMAKE_GENERATOR STREQUAL "Ninja")
-    # The DEPFILE parameter to add_custom_command only works with Ninja. Query
-    # the sources at configure time. Additionally, everything depends on go.mod.
-    # That affects what external packages to use.
-    #
-    # TODO(davidben): Starting CMake 3.20, it also works with Make. Starting
-    # 3.21, it works with Visual Studio and Xcode too.
-    execute_process(COMMAND ${GO_EXECUTABLE} run ${godeps} -format cmake
-                            -pkg ${package}
-                    WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
-                    OUTPUT_VARIABLE sources
-                    RESULT_VARIABLE godeps_result)
-    add_custom_command(OUTPUT ${dest}
-                       COMMAND ${GO_EXECUTABLE} build
-                               -o ${CMAKE_CURRENT_BINARY_DIR}/${dest} ${package}
-                       WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
-                       DEPENDS ${sources} ${PROJECT_SOURCE_DIR}/go.mod)
-  else()
-    # Ninja expects the target in the depfile to match the output. This is a
-    # relative path from the build directory.
-    binary_dir_relative_path(${dest} target)
+  # Ninja expects the target in the depfile to match the output. This is a
+  # relative path from the build directory.
+  set(target "${CMAKE_CURRENT_BINARY_DIR}/${dest}")
+  cmake_path(RELATIVE_PATH target BASE_DIRECTORY "${CMAKE_BINARY_DIR}")
 
-    set(depfile "${CMAKE_CURRENT_BINARY_DIR}/${dest}.d")
-    add_custom_command(OUTPUT ${dest}
-                       COMMAND ${GO_EXECUTABLE} build
-                               -o ${CMAKE_CURRENT_BINARY_DIR}/${dest} ${package}
-                       COMMAND ${GO_EXECUTABLE} run ${godeps} -format depfile
-                               -target ${target} -pkg ${package} -out ${depfile}
-                       WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
-                       DEPENDS ${godeps} ${PROJECT_SOURCE_DIR}/go.mod
-                       DEPFILE ${depfile})
-  endif()
+  set(depfile "${CMAKE_CURRENT_BINARY_DIR}/${dest}.d")
+  add_custom_command(OUTPUT ${dest}
+                      COMMAND ${GO_EXECUTABLE} build
+                              -o ${CMAKE_CURRENT_BINARY_DIR}/${dest} ${package}
+                      COMMAND ${GO_EXECUTABLE} run ${godeps} -format depfile
+                              -target ${target} -pkg ${package} -out ${depfile}
+                      WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+                      DEPENDS ${godeps} ${PROJECT_SOURCE_DIR}/go.mod
+                      DEPFILE ${depfile})
 endfunction()
 

cmake/paths.cmake

@@ -12,18 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# binary_dir_relative_path sets outvar to
-# ${CMAKE_CURRENT_BINARY_DIR}/${cur_bin_dir_relative}, but expressed relative to
-# ${CMAKE_BINARY_DIR}.
-#
-# TODO(davidben): When we require CMake 3.20 or later, this can be replaced with
-# the built-in cmake_path(RELATIVE_PATH) function.
-function(binary_dir_relative_path cur_bin_dir_relative outvar)
-  string(LENGTH "${CMAKE_BINARY_DIR}/" root_dir_length)
-  string(SUBSTRING "${CMAKE_CURRENT_BINARY_DIR}/${cur_bin_dir_relative}" ${root_dir_length} -1 result)
-  set(${outvar} ${result} PARENT_SCOPE)
-endfunction()
-
 # copy_post_build causes targets in ${ARGN} to be copied to
 # ${CMAKE_CURRENT_BINARY_DIR}/${dir} after being built.
 function(copy_post_build dir)