[dev.boringcrypto] all: merge master into dev.boringcrypto
authorFilippo Valsorda <filippo@golang.org>
Wed, 14 Nov 2018 18:48:01 +0000 (13:48 -0500)
committerFilippo Valsorda <filippo@golang.org>
Wed, 14 Nov 2018 18:48:01 +0000 (13:48 -0500)
Change-Id: I64346fbdbee03e28297ec202d5c8292d7fd60c2c

src/cmd/go/go_test.go
src/cmd/link/internal/ld/lib.go
src/crypto/tls/cipher_suites.go
src/crypto/tls/common.go
src/crypto/tls/handshake_messages_test.go

Simple merge
Simple merge
index 2475906ae17b133983ff8a58abb9a18b041f2c52,d948fac8cdd304efbd36645a1d25cab0c3589d5b..20e45e505043bfe2360ea87d46dae4166ad78af0
@@@ -223,11 -238,10 +243,14 @@@ func (f *xorNonceAEAD) Open(out, nonce
        return result, err
  }
  
- func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
 +type gcmtls interface {
 +      NewGCMTLS() (cipher.AEAD, error)
 +}
 +
+ func aeadAESGCM(key, noncePrefix []byte) aead {
+       if len(noncePrefix) != noncePrefixLength {
+               panic("tls: internal error: wrong nonce length")
+       }
        aes, err := aes.NewCipher(key)
        if err != nil {
                panic(err)
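Review bot: The new `gcmtls` interface on the dev.boringcrypto side is undocumented, and since it is a type assertion target rather than a declared implementation, a reader has no way to find who satisfies it; a one-line comment would help, e.g. `// gcmtls is satisfied by AES block ciphers that can build a GCM mode with TLS nonce handling; presumably the BoringCrypto cipher — confirm against crypto/internal/boring.` The new length check in aeadAESGCM is consistent with the `noncePrefixLength` constant, which is defined outside this hunk. aeadAESGCM's body continues past the end of the hunk.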
index 98d13b038dc39846ff0da7b0b77395096a596907,4808c01f9ca02c81e26fe5df80d154e79fd35f4d..a3cfe05bc0ed9513b9651c26f1f3a7a38e56568b
@@@ -935,18 -966,17 +979,18 @@@ func initDefaultCipherSuites() 
        var topCipherSuites []uint16
  
        // Check the cpu flags for each platform that has optimized GCM implementations.
-       // Worst case, these variables will just all be false
-       hasGCMAsmAMD64 := cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
+       // Worst case, these variables will just all be false.
+       var (
+               hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
+               hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
+               // Keep in sync with crypto/aes/cipher_s390x.go.
+               hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
  
-       hasGCMAsmARM64 := cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
-       // Keep in sync with crypto/aes/cipher_s390x.go.
-       hasGCMAsmS390X := cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
-       hasGCMAsm := hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
+               hasGCMAsm = hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
+       )
  
 -      if hasGCMAsm {
 +      if hasGCMAsm || boring.Enabled {
 +              // If BoringCrypto is enabled, always prioritize AES-GCM.
                // If AES-GCM hardware is provided then prioritise AES-GCM
                // cipher suites.
                topCipherSuites = []uint16{
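Review bot: The comment block above the `if hasGCMAsm || boring.Enabled` branch now reads as two separate sentences from the two merged parents, one saying "always prioritize" and one saying "prioritise", which is confusing for a single condition. I would fold them into one: `// If BoringCrypto is enabled, or AES-GCM hardware is available, prioritise the AES-GCM cipher suites.` The dependency on `boring.Enabled` means the preference no longer reflects hardware capability alone, which is worth stating explicitly so nobody later "fixes" the condition back to `hasGCMAsm`. initDefaultCipherSuites continues outside the hunk.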
index 08622eac05acb58503ac92b63d76be8bd2992599,d32f33f378871f6189021a5f328534acd25d47ee..fdf096b4733dfebf3c12885e415c98c095530972
@@@ -143,8 -144,11 +144,11 @@@ func (*clientHelloMsg) Generate(rand *r
                }
        }
        if rand.Intn(10) > 5 {
 -              m.supportedSignatureAlgorithms = supportedSignatureAlgorithms
 +              m.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
        }
 -              m.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithms
+       if rand.Intn(10) > 5 {
++              m.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithms()
+       }
        for i := 0; i < rand.Intn(5); i++ {
                m.alpnProtocols = append(m.alpnProtocols, randomString(rand.Intn(20)+1, rand))
        }