deps: Bump boringssl -> 0.20260413.0 (#44446)

Created by Envoy dependency bot for @phlax

Fix #44436


Signed-off-by: dependency-envoy[bot]
<148525496+dependency-envoy[bot]@users.noreply.github.com>

---------

Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>
Signed-off-by: Jonh Wendell <jwendell@redhat.com>
Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>
Co-authored-by: Jonh Wendell <jwendell@redhat.com>

Author: dependency-envoy[bot]

bazel/deps.yaml

@@ -53,7 +53,7 @@ boringssl:
   project_name: "BoringSSL"
   project_desc: "Minimal OpenSSL fork"
   project_url: "https://github.com/google/boringssl"
-  release_date: "2026-03-30"
+  release_date: "2026-04-14"
   use_category:
   - controlplane
   - dataplane_core

bazel/repository_locations.bzl

@@ -61,8 +61,8 @@ REPOSITORY_LOCATIONS_SPEC = dict(
     boringssl = dict(
         # To update BoringSSL, which tracks BCR tags, open https://registry.bazel.build/modules/boringssl
         # and select an appropriate tag for the new version.
-        version = "0.20260327.0",
-        sha256 = "6af7037a8891d0e3d097dd61de6d195f6c2b532ed69d138a16da47c06a6cd022",
+        version = "0.20260413.0",
+        sha256 = "3560f7dd3f08e16b9f84d877a5be21ec62071564783009571af5fcc6fad734d2",
         strip_prefix = "boringssl-{version}",
         urls = ["https://github.com/google/boringssl/archive/{version}.tar.gz"],
     ),

compat/openssl/BUILD

@@ -502,6 +502,7 @@ mapping_func_filegroup(
         "EVP_PKEY_assign_RSA",
         "EVP_PKEY_bits",
         "EVP_PKEY_cmp",
+        "EVP_PKEY_eq",
         "EVP_PKEY_CTX_set_rsa_mgf1_md",
         "EVP_PKEY_CTX_set_rsa_padding",
         "EVP_PKEY_free",
@@ -812,6 +813,7 @@ mapping_func_filegroup(
         "X509_getm_notAfter",
         "X509_getm_notBefore",
         "X509_INFO_free",
+        "X509_NAME_add_entry_by_NID",
         "X509_NAME_add_entry_by_txt",
         "X509_NAME_cmp",
         "X509_NAME_digest",

compat/openssl/patch/crypto/x509/x509_test.cc.patch

@@ -3,64 +3,61 @@
 @@ -1535,6 +1535,9 @@
            Verify(root_cross_signed.get(), {cross_signing_root.get()}, {},
                   /*crls=*/{}, /*flags=*/0, configure_callback));
- 
+
 +#ifdef BSSL_COMPAT // This next check fails for negative depths on OpenSSL
 +      if (depth < 0) continue;
 +#endif
        // An explicitly trusted self-signed certificate is unaffected by depth
        // checks.
        EXPECT_EQ(X509_V_OK,
-@@ -2290,9 +2293,20 @@
+@@ -2310,7 +2313,18 @@
        {GEN_URI, "foo:///not-a-url", "not-a-url",
--       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+-       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
 +#ifdef BSSL_COMPAT
 +       // OpenSSL considers "foo:///not-a-url" to be a valid URI
-+       X509_V_ERR_PERMITTED_VIOLATION, X509_V_ERR_EXCLUDED_VIOLATION},
++       X509_V_ERR_PERMITTED_VIOLATION, SpecialCase::kExcludedViolation},
 +#else // BSSL_COMPAT
-+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
++       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
 +#endif // BSSL_COMPAT
        {GEN_URI, "foo://:not-a-url", "not-a-url",
-        X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
--      {GEN_URI, "foo://", "not-a-url", X509_V_ERR_UNSUPPORTED_NAME_SYNTAX,
--       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+        X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+-      {GEN_URI, "foo://", "not-a-url", X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
 +#ifdef BSSL_COMPAT
 +      // OpenSSL considers "foo://" to be a valid URI
-+      {GEN_URI, "foo://", "not-a-url", X509_V_ERR_PERMITTED_VIOLATION,
-+       X509_V_ERR_EXCLUDED_VIOLATION},
++      {GEN_URI, "foo://", "not-a-url",
++       X509_V_ERR_PERMITTED_VIOLATION, SpecialCase::kExcludedViolation},
 +#else // BSSL_COMPAT
-+      {GEN_URI, "foo://", "not-a-url", X509_V_ERR_UNSUPPORTED_NAME_SYNTAX,
-+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
++      {GEN_URI, "foo://", "not-a-url", X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
 +#endif // BSSL_COMPAT
        // Hosts are an exact match.
-       {GEN_URI, "foo://example.com", "example.com", X509_V_OK,
-        X509_V_ERR_EXCLUDED_VIOLATION},
-@@ -2363,6 +2374,12 @@
+       {GEN_URI, "foo://example.com", "example.com", X509_V_OK},
+@@ -2384,6 +2398,12 @@
 +#ifdef BSSL_COMPAT // FIXME: See StackTest.test4
-+      auto rule =
-+          exclude ? &nc->excludedSubtrees : &nc->permittedSubtrees;
-+      *rule = reinterpret_cast<std::remove_reference_t<decltype(*rule)>>(sk_GENERAL_SUBTREE_new_null());
++        auto rule =
++            exclude ? &nc->excludedSubtrees : &nc->permittedSubtrees;
++        *rule = reinterpret_cast<std::remove_reference_t<decltype(*rule)>>(sk_GENERAL_SUBTREE_new_null());
 +#else
-       STACK_OF(GENERAL_SUBTREE) **rule =
-           exclude ? &nc->excludedSubtrees : &nc->permittedSubtrees;
--      *rule = sk_GENERAL_SUBTREE_new_null();
-+      *rule = sk_GENERAL_SUBTREE_new_null();
+         STACK_OF(GENERAL_SUBTREE) **rule =
+             exclude ? &nc->excludedSubtrees : &nc->permittedSubtrees;
+-        *rule = sk_GENERAL_SUBTREE_new_null();
++        *rule = sk_GENERAL_SUBTREE_new_null();
 +#endif
-       ASSERT_TRUE(*rule);
-       UniquePtr<GENERAL_SUBTREE> subtree(GENERAL_SUBTREE_new());
-       ASSERT_TRUE(subtree);
-@@ -2371,6 +2393,10 @@
-       subtree->base = MakeGeneralName(t.type, t.constraint).release();
-       ASSERT_TRUE(subtree->base);
--      ASSERT_TRUE(PushToStack(*rule, std::move(subtree)));
+         ASSERT_TRUE(*rule);
+         UniquePtr<GENERAL_SUBTREE> subtree(GENERAL_SUBTREE_new());
+         ASSERT_TRUE(subtree);
+@@ -2392,6 +2412,10 @@
+         subtree->base = MakeGeneralName(t.type, t.constraint).release();
+         ASSERT_TRUE(subtree->base);
+-        ASSERT_TRUE(PushToStack(*rule, std::move(subtree)));
 +#ifdef BSSL_COMPAT // FIXME:
-+      ASSERT_TRUE(PushToStack(reinterpret_cast<STACK_OF(GENERAL_SUBTREE)*>(*rule), std::move(subtree)));
++        ASSERT_TRUE(PushToStack(reinterpret_cast<STACK_OF(GENERAL_SUBTREE)*>(*rule), std::move(subtree)));
 +#else
-+      ASSERT_TRUE(PushToStack(*rule, std::move(subtree)));
++        ASSERT_TRUE(PushToStack(*rule, std::move(subtree)));
 +#endif
- 
-       UniquePtr<X509> root =
-           MakeTestCert("Root", "Root", key.get(), /*is_ca=*/true);
-@@ -3476,11 +3497,13 @@
+
+         UniquePtr<X509> root =
+             MakeTestCert("Root", "Root", key.get(), /*is_ca=*/true);
+@@ -3476,11 +3500,13 @@
    // |X509_check_purpose| with |X509_PURPOSE_ANY| and purpose -1 do not check
    // basicConstraints, but other purpose types do. (This is redundant with the
    // actual basicConstraints check, but |X509_check_purpose| is public API.)
@@ -72,33 +69,33 @@
                                    /*ca=*/1));
 +#endif // BSSL_COMPAT
  }
- 
+
  TEST(X509Test, NoBasicConstraintsNetscapeCA) {
-@@ -4374,6 +4397,7 @@
+@@ -4374,6 +4400,7 @@
  t6uPxHrmpUY=
  -----END CERTIFICATE-----
  )";
 +#ifndef BSSL_COMPAT
  static const char kP256InvalidParam[] = R"(
  -----BEGIN CERTIFICATE-----
  MIIBMTCBz6ADAgECAgIE0jATBggqhkjOPQQDAgQHZ2FyYmFnZTAPMQ0wCwYDVQQD
-@@ -4385,6 +4409,7 @@
+@@ -4385,6 +4412,7 @@
  fLULTZnynuQUULQkRcF7S7T2WpIL
  -----END CERTIFICATE-----
  )";
 +#endif
  static const char kRSANoParam[] = R"(
  -----BEGIN CERTIFICATE-----
  MIIBWzCBx6ADAgECAgIE0jALBgkqhkiG9w0BAQswDzENMAsGA1UEAxMEVGVzdDAg
-@@ -4409,6 +4434,7 @@
+@@ -4409,6 +4437,7 @@
  SwmQUz4bRpckRBj+sIyp1We+pg==
  -----END CERTIFICATE-----
  )";
 +#ifndef BSSL_COMPAT
  static const char kRSAInvalidParam[] = R"(
  -----BEGIN CERTIFICATE-----
  MIIBbTCB0KADAgECAgIE0jAUBgkqhkiG9w0BAQsEB2dhcmJhZ2UwDzENMAsGA1UE
-@@ -4421,7 +4447,7 @@
+@@ -4421,7 +4450,7 @@
  5OMNZ/ajVwOssw61GcAlScRqEHkZFBoGp7e+QpgB2tf9
  -----END CERTIFICATE-----
  )";
@@ -107,24 +104,24 @@
  TEST(X509Test, AlgorithmParameters) {
    // P-256 parameters should be omitted, but we accept NULL ones.
    UniquePtr<EVP_PKEY> key = PrivateKeyFromPEM(kP256Key);
-@@ -4435,11 +4461,13 @@
+@@ -4435,11 +4464,13 @@
    ASSERT_TRUE(cert);
    EXPECT_TRUE(X509_verify(cert.get(), key.get()));
- 
+
 +#ifndef BSSL_COMPAT
    cert = CertFromPEM(kP256InvalidParam);
    ASSERT_TRUE(cert);
    EXPECT_FALSE(X509_verify(cert.get(), key.get()));
    EXPECT_TRUE(
        ErrorEquals(ERR_get_error(), ERR_LIB_X509, X509_R_INVALID_PARAMETER));
 +#endif
- 
+
    // RSA parameters should be NULL, but we accept omitted ones.
    key = PrivateKeyFromPEM(kRSAKey);
-@@ -4453,11 +4481,13 @@
+@@ -4453,11 +4484,13 @@
    ASSERT_TRUE(cert);
    EXPECT_TRUE(X509_verify(cert.get(), key.get()));
- 
+
 +#ifndef BSSL_COMPAT
    cert = CertFromPEM(kRSAInvalidParam);
    ASSERT_TRUE(cert);
@@ -133,5 +130,5 @@
        ErrorEquals(ERR_get_error(), ERR_LIB_X509, X509_R_INVALID_PARAMETER));
 +#endif
  }
- 
+
  TEST(X509Test, GeneralName) {

compat/openssl/patch/include/openssl/evp.h.sh

@@ -7,6 +7,7 @@ uncomment.sh "$1" --comment -h \
   --uncomment-func-decl EVP_PKEY_free \
   --uncomment-func-decl EVP_PKEY_up_ref \
   --uncomment-func-decl EVP_PKEY_cmp \
+  --uncomment-func-decl EVP_PKEY_eq \
   --uncomment-func-decl EVP_PKEY_id \
   --uncomment-func-decl EVP_PKEY_assign_RSA \
   --uncomment-func-decl EVP_PKEY_get0_RSA \

compat/openssl/patch/include/openssl/x509.h.sh

@@ -37,6 +37,7 @@ uncomment.sh "$1" --comment -h \
   --uncomment-func-decl X509_NAME_entry_count \
   --uncomment-func-decl X509_NAME_get_index_by_NID \
   --uncomment-func-decl X509_NAME_get_entry \
+  --uncomment-func-decl X509_NAME_add_entry_by_NID \
   --uncomment-func-decl X509_NAME_add_entry_by_txt \
   --uncomment-func-decl X509_NAME_ENTRY_set \
   --uncomment-func-decl X509_EXTENSION_get_data \