grpc 1.0.1 → 1.1.2

data/third_party/boringssl/crypto/x509/x509_vpm.c

@@ -192,25 +192,36 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
     OPENSSL_free(param);
 }
 
-/*
+/*-
  * This function determines how parameters are "inherited" from one structure
- * to another. There are several different ways this can happen. 1. If a
- * child structure needs to have its values initialized from a parent they are
- * simply copied across. For example SSL_CTX copied to SSL. 2. If the
- * structure should take on values only if they are currently unset.  For
- * example the values in an SSL structure will take appropriate value for SSL
- * servers or clients but only if the application has not set new ones. The
- * "inh_flags" field determines how this function behaves. Normally any
- * values which are set in the default are not copied from the destination and
- * verify flags are ORed together. If X509_VP_FLAG_DEFAULT is set then
- * anything set in the source is copied to the destination. Effectively the
- * values in "to" become default values which will be used only if nothing new
- * is set in "from". If X509_VP_FLAG_OVERWRITE is set then all value are
- * copied across whether they are set or not. Flags is still Ored though. If
- * X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead of
- * ORed. If X509_VP_FLAG_LOCKED is set then no values are copied. If
- * X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed after
- * the next call.
+ * to another. There are several different ways this can happen.
+ *
+ * 1. If a child structure needs to have its values initialized from a parent
+ *    they are simply copied across. For example SSL_CTX copied to SSL.
+ * 2. If the structure should take on values only if they are currently unset.
+ *    For example the values in an SSL structure will take appropriate value
+ *    for SSL servers or clients but only if the application has not set new
+ *    ones.
+ *
+ * The "inh_flags" field determines how this function behaves.
+ *
+ * Normally any values which are set in the default are not copied from the
+ * destination and verify flags are ORed together.
+ *
+ * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
+ * to the destination. Effectively the values in "to" become default values
+ * which will be used only if nothing new is set in "from".
+ *
+ * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
+ * they are set or not. Flags is still Ored though.
+ *
+ * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
+ * of ORed.
+ *
+ * If X509_VP_FLAG_LOCKED is set then no values are copied.
+ *
+ * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
+ * after the next call.
  */
 
 /* Macro to test if a field should be copied from src to dest */

data/third_party/boringssl/crypto/x509/x509cset.c

@@ -129,9 +129,10 @@ int X509_CRL_sort(X509_CRL *c)
     return 1;
 }
 
-void X509_CRL_up_ref(X509_CRL *crl)
+int X509_CRL_up_ref(X509_CRL *crl)
 {
     CRYPTO_refcount_inc(&crl->references);
+    return 1;
 }
 
 int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)

data/third_party/boringssl/crypto/x509/x_crl.c

@@ -460,14 +460,14 @@ static int def_crl_lookup(X509_CRL *crl,
 
     CRYPTO_STATIC_MUTEX_lock_read(&g_crl_sort_lock);
     const int is_sorted = sk_X509_REVOKED_is_sorted(crl->crl->revoked);
-    CRYPTO_STATIC_MUTEX_unlock(&g_crl_sort_lock);
+    CRYPTO_STATIC_MUTEX_unlock_read(&g_crl_sort_lock);
 
     if (!is_sorted) {
         CRYPTO_STATIC_MUTEX_lock_write(&g_crl_sort_lock);
         if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked)) {
             sk_X509_REVOKED_sort(crl->crl->revoked);
         }
-        CRYPTO_STATIC_MUTEX_unlock(&g_crl_sort_lock);
+        CRYPTO_STATIC_MUTEX_unlock_write(&g_crl_sort_lock);
     }
 
     if (!sk_X509_REVOKED_find(crl->crl->revoked, &idx, &rtmp))

data/third_party/boringssl/crypto/x509/x_name.c

@@ -71,6 +71,13 @@
 typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
 DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
 
+/*
+ * Maximum length of X509_NAME: much larger than anything we should
+ * ever see in practice.
+ */
+
+#define X509_NAME_MAX (1024 * 1024)
+
 static int x509_name_ex_d2i(ASN1_VALUE **val,
                             const unsigned char **in, long len,
                             const ASN1_ITEM *it,
@@ -87,10 +94,6 @@ static int asn1_string_canon(ASN1_STRING *out, ASN1_STRING *in);
 static int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) * intname,
                           unsigned char **in);
 
-static int x509_name_ex_print(BIO *out, ASN1_VALUE **pval,
-                              int indent,
-                              const char *fname, const ASN1_PCTX *pctx);
-
 ASN1_SEQUENCE(X509_NAME_ENTRY) = {
         ASN1_SIMPLE(X509_NAME_ENTRY, object, ASN1_OBJECT),
         ASN1_SIMPLE(X509_NAME_ENTRY, value, ASN1_PRINTABLE)
@@ -126,7 +129,7 @@ static const ASN1_EXTERN_FUNCS x509_name_ff = {
     0,                          /* Default clear behaviour is OK */
     x509_name_ex_d2i,
     x509_name_ex_i2d,
-    x509_name_ex_print
+    NULL,
 };
 
 IMPLEMENT_EXTERN_ASN1(X509_NAME, V_ASN1_SEQUENCE, x509_name_ff)
@@ -208,6 +211,10 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
     int ret;
     STACK_OF(X509_NAME_ENTRY) *entries;
     X509_NAME_ENTRY *entry;
+    /* Bound the size of an X509_NAME we are willing to parse. */
+    if (len > X509_NAME_MAX) {
+        len = X509_NAME_MAX;
+    }
     q = p;
 
     /* Get internal representation of Name */
@@ -323,16 +330,6 @@ static int x509_name_encode(X509_NAME *a)
     return -1;
 }
 
-static int x509_name_ex_print(BIO *out, ASN1_VALUE **pval,
-                              int indent,
-                              const char *fname, const ASN1_PCTX *pctx)
-{
-    if (X509_NAME_print_ex(out, (X509_NAME *)*pval,
-                           indent, pctx->nm_flags) <= 0)
-        return 0;
-    return 2;
-}
-
 /*
  * This function generates the canonical encoding of the Name structure. In
  * it all strings are converted to UTF8, leading, trailing and multiple
@@ -453,10 +450,10 @@ static int asn1_string_canon(ASN1_STRING *out, ASN1_STRING *in)
         len--;
     }
 
-    to = from + len - 1;
+    to = from + len;
 
     /* Ignore trailing spaces */
-    while ((len > 0) && !(*to & 0x80) && isspace(*to)) {
+    while ((len > 0) && !(to[-1] & 0x80) && isspace(to[-1])) {
         to--;
         len--;
     }

data/third_party/boringssl/crypto/x509/x_pubkey.c

@@ -54,6 +54,8 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
+#include <openssl/x509.h>
+
 #include <limits.h>
 
 #include <openssl/asn1.h>
@@ -64,7 +66,6 @@
 #include <openssl/mem.h>
 #include <openssl/obj.h>
 #include <openssl/thread.h>
-#include <openssl/x509.h>
 
 #include "../internal.h"
 
@@ -139,10 +140,11 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 
     CRYPTO_STATIC_MUTEX_lock_read(&g_pubkey_lock);
     if (key->pkey != NULL) {
-        CRYPTO_STATIC_MUTEX_unlock(&g_pubkey_lock);
-        return EVP_PKEY_up_ref(key->pkey);
+        CRYPTO_STATIC_MUTEX_unlock_read(&g_pubkey_lock);
+        EVP_PKEY_up_ref(key->pkey);
+        return key->pkey;
     }
-    CRYPTO_STATIC_MUTEX_unlock(&g_pubkey_lock);
+    CRYPTO_STATIC_MUTEX_unlock_read(&g_pubkey_lock);
 
     /* Re-encode the |X509_PUBKEY| to DER and parse it. */
     int spki_len = i2d_X509_PUBKEY(key, &spki);
@@ -160,16 +162,17 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
     /* Check to see if another thread set key->pkey first */
     CRYPTO_STATIC_MUTEX_lock_write(&g_pubkey_lock);
     if (key->pkey) {
-        CRYPTO_STATIC_MUTEX_unlock(&g_pubkey_lock);
+        CRYPTO_STATIC_MUTEX_unlock_write(&g_pubkey_lock);
         EVP_PKEY_free(ret);
         ret = key->pkey;
     } else {
         key->pkey = ret;
-        CRYPTO_STATIC_MUTEX_unlock(&g_pubkey_lock);
+        CRYPTO_STATIC_MUTEX_unlock_write(&g_pubkey_lock);
     }
 
     OPENSSL_free(spki);
-    return EVP_PKEY_up_ref(ret);
+    EVP_PKEY_up_ref(ret);
+    return ret;
 
  error:
     OPENSSL_free(spki);

data/third_party/boringssl/crypto/x509/x_x509.c

@@ -55,6 +55,7 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
+#include <assert.h>
 #include <stdio.h>
 
 #include <openssl/asn1t.h>
@@ -95,7 +96,6 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
     switch (operation) {
 
     case ASN1_OP_NEW_POST:
-        ret->valid = 0;
         ret->name = NULL;
         ret->ex_flags = 0;
         ret->ex_pathlen = -1;
@@ -142,10 +142,10 @@ IMPLEMENT_ASN1_FUNCTIONS(X509)
 
 IMPLEMENT_ASN1_DUP_FUNCTION(X509)
 
-X509 *X509_up_ref(X509 *x)
+int X509_up_ref(X509 *x)
 {
     CRYPTO_refcount_inc(&x->references);
-    return x;
+    return 1;
 }
 
 int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused * unused,
@@ -204,12 +204,73 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
     return NULL;
 }
 
+/*
+ * Serialize trusted certificate to *pp or just return the required buffer
+ * length if pp == NULL.  We ultimately want to avoid modifying *pp in the
+ * error path, but that depends on similar hygiene in lower-level functions.
+ * Here we avoid compounding the problem.
+ */
+static int i2d_x509_aux_internal(X509 *a, unsigned char **pp)
+{
+    int length, tmplen;
+    unsigned char *start = pp != NULL ? *pp : NULL;
+
+    assert(pp == NULL || *pp != NULL);
+
+    /*
+     * This might perturb *pp on error, but fixing that belongs in i2d_X509()
+     * not here.  It should be that if a == NULL length is zero, but we check
+     * both just in case.
+     */
+    length = i2d_X509(a, pp);
+    if (length <= 0 || a == NULL) {
+        return length;
+    }
+
+    tmplen = i2d_X509_CERT_AUX(a->aux, pp);
+    if (tmplen < 0) {
+        if (start != NULL)
+            *pp = start;
+        return tmplen;
+    }
+    length += tmplen;
+
+    return length;
+}
+
+/*
+ * Serialize trusted certificate to *pp, or just return the required buffer
+ * length if pp == NULL.
+ *
+ * When pp is not NULL, but *pp == NULL, we allocate the buffer, but since
+ * we're writing two ASN.1 objects back to back, we can't have i2d_X509() do
+ * the allocation, nor can we allow i2d_X509_CERT_AUX() to increment the
+ * allocated buffer.
+ */
 int i2d_X509_AUX(X509 *a, unsigned char **pp)
 {
     int length;
-    length = i2d_X509(a, pp);
-    if (a)
-        length += i2d_X509_CERT_AUX(a->aux, pp);
+    unsigned char *tmp;
+
+    /* Buffer provided by caller */
+    if (pp == NULL || *pp != NULL)
+        return i2d_x509_aux_internal(a, pp);
+
+    /* Obtain the combined length */
+    if ((length = i2d_x509_aux_internal(a, NULL)) <= 0)
+        return length;
+
+    /* Allocate requisite combined storage */
+    *pp = tmp = OPENSSL_malloc(length);
+    if (tmp == NULL)
+        return -1; /* Push error onto error stack? */
+
+    /* Encode, but keep *pp at the originally malloced pointer */
+    length = i2d_x509_aux_internal(a, &tmp);
+    if (length <= 0) {
+        OPENSSL_free(*pp);
+        *pp = NULL;
+    }
     return length;
 }
 

data/third_party/boringssl/crypto/x509v3/pcy_cache.c

@@ -241,7 +241,7 @@ const X509_POLICY_CACHE *policy_cache_set(X509 *x)
 
     CRYPTO_STATIC_MUTEX_lock_read(&g_x509_policy_cache_lock);
     cache = x->policy_cache;
-    CRYPTO_STATIC_MUTEX_unlock(&g_x509_policy_cache_lock);
+    CRYPTO_STATIC_MUTEX_unlock_read(&g_x509_policy_cache_lock);
 
     if (cache != NULL)
         return cache;
@@ -250,7 +250,7 @@ const X509_POLICY_CACHE *policy_cache_set(X509 *x)
     if (x->policy_cache == NULL)
         policy_cache_new(x);
     cache = x->policy_cache;
-    CRYPTO_STATIC_MUTEX_unlock(&g_x509_policy_cache_lock);
+    CRYPTO_STATIC_MUTEX_unlock_write(&g_x509_policy_cache_lock);
 
     return cache;
 }

data/third_party/boringssl/crypto/x509v3/pcy_tree.c

@@ -255,7 +255,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         level++;
         x = sk_X509_value(certs, i);
         cache = policy_cache_set(x);
-        level->cert = X509_up_ref(x);
+        X509_up_ref(x);
+        level->cert = x;
 
         if (!cache->anyPolicy)
             level->flags |= X509_V_FLAG_INHIBIT_ANY;

data/third_party/boringssl/crypto/x509v3/v3_conf.c

@@ -138,10 +138,12 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
             nval = NCONF_get_section(conf, value + 1);
         else
             nval = X509V3_parse_list(value);
-        if (sk_CONF_VALUE_num(nval) <= 0) {
+        if (nval == NULL || sk_CONF_VALUE_num(nval) <= 0) {
             OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_EXTENSION_STRING);
             ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=",
                                value);
+            if (*value != '@')
+                sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
             return NULL;
         }
         ext_struc = method->v2i(method, ctx, nval);
@@ -263,10 +265,9 @@ static int v3_check_generic(char **value)
 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
                                             int crit, int gen_type,
                                             X509V3_CTX *ctx)
-    OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS
 {
     unsigned char *ext_der = NULL;
-    long ext_len;
+    long ext_len = 0;
     ASN1_OBJECT *obj = NULL;
     ASN1_OCTET_STRING *oct = NULL;
     X509_EXTENSION *extension = NULL;

data/third_party/boringssl/crypto/x509v3/v3_cpols.c

@@ -190,6 +190,11 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
                 goto err;
             }
             pol = POLICYINFO_new();
+            if (pol == NULL) {
+                OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
+                ASN1_OBJECT_free(pobj);
+                goto err;
+            }
             pol->policyid = pobj;
         }
         if (!sk_POLICYINFO_push(pols, pol)) {

data/third_party/boringssl/crypto/x509v3/v3_prn.c

@@ -207,9 +207,6 @@ static int unknown_ext_print(BIO *out, X509_EXTENSION *ext,
         return 1;
 
     case X509V3_EXT_PARSE_UNKNOWN:
-        return ASN1_parse_dump(out,
-                               ext->value->data, ext->value->length, indent,
-                               -1);
     case X509V3_EXT_DUMP_UNKNOWN:
         return BIO_hexdump(out, ext->value->data, ext->value->length, indent);
 

data/third_party/boringssl/crypto/x509v3/v3_purp.c

@@ -431,7 +431,7 @@ static void x509v3_cache_extensions(X509 *x)
     CRYPTO_STATIC_MUTEX_lock_write(&g_x509_cache_extensions_lock);
 
     if (x->ex_flags & EXFLAG_SET) {
-        CRYPTO_STATIC_MUTEX_unlock(&g_x509_cache_extensions_lock);
+        CRYPTO_STATIC_MUTEX_unlock_write(&g_x509_cache_extensions_lock);
         return;
     }
 
@@ -564,7 +564,7 @@ static void x509v3_cache_extensions(X509 *x)
     }
     x->ex_flags |= EXFLAG_SET;
 
-    CRYPTO_STATIC_MUTEX_unlock(&g_x509_cache_extensions_lock);
+    CRYPTO_STATIC_MUTEX_unlock_write(&g_x509_cache_extensions_lock);
 }
 
 /*

data/third_party/boringssl/crypto/x509v3/v3_utl.c

@@ -852,7 +852,8 @@ static const unsigned char *valid_star(const unsigned char *p, size_t len,
             state = LABEL_START;
             ++dots;
         } else if (p[i] == '-') {
-            if (state & LABEL_HYPHEN)
+            /* no domain/subdomain starts with '-' */
+            if ((state & LABEL_START) != 0)
                 return NULL;
             state |= LABEL_HYPHEN;
         } else

data/third_party/boringssl/include/openssl/aead.h

@@ -82,10 +82,8 @@ extern "C" {
  * permits implicit context to be authenticated but may be empty if not needed.
  *
  * The "seal" and "open" operations may work in-place if the |out| and |in|
- * arguments are equal. They may also be used to shift the data left inside the
- * same buffer if |out| is less than |in|. However, |out| may not point inside
- * the input data otherwise the input may be overwritten before it has been
- * read. This situation will cause an error.
+ * arguments are equal. Otherwise, if |out| and |in| alias, input data may be
+ * overwritten before it is read. This situation will cause an error.
  *
  * The "seal" and "open" operations return one on success and zero on error. */
 
@@ -135,49 +133,6 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void);
 OPENSSL_EXPORT int EVP_has_aes_hardware(void);
 
 
-/* TLS-specific AEAD algorithms.
- *
- * These AEAD primitives do not meet the definition of generic AEADs. They are
- * all specific to TLS and should not be used outside of that context. They must
- * be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, and may
- * not be used concurrently. Any nonces are used as IVs, so they must be
- * unpredictable. They only accept an |ad| parameter of length 11 (the standard
- * TLS one with length omitted). */
-
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_tls(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_tls(void);
-
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void);
-
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void);
-
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);
-
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_tls(void);
-
-
-/* SSLv3-specific AEAD algorithms.
- *
- * These AEAD primitives do not meet the definition of generic AEADs. They are
- * all specific to SSLv3 and should not be used outside of that context. They
- * must be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful,
- * and may not be used concurrently. They only accept an |ad| parameter of
- * length 9 (the standard TLS one with length and version omitted). */
-
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_ssl3(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_ssl3(void);
-
-
 /* Utility functions. */
 
 /* EVP_AEAD_key_length returns the length, in bytes, of the keys used by
@@ -226,12 +181,6 @@ typedef struct evp_aead_ctx_st {
  * be used. */
 #define EVP_AEAD_DEFAULT_TAG_LENGTH 0
 
-/* evp_aead_direction_t denotes the direction of an AEAD operation. */
-enum evp_aead_direction_t {
-  evp_aead_open,
-  evp_aead_seal,
-};
-
 /* EVP_AEAD_CTX_zero sets an uninitialized |ctx| to the zero state. It must be
  * initialized with |EVP_AEAD_CTX_init| before use. It is safe, but not
  * necessary, to call |EVP_AEAD_CTX_cleanup| in this state. This may be used for
@@ -251,13 +200,6 @@ OPENSSL_EXPORT int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
                                      const uint8_t *key, size_t key_len,
                                      size_t tag_len, ENGINE *impl);
 
-/* EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal
- * AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a
- * given direction. */
-OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction(
-    EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len,
-    size_t tag_len, enum evp_aead_direction_t dir);
-
 /* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. It is a no-op to
  * call |EVP_AEAD_CTX_cleanup| on a |EVP_AEAD_CTX| that has been |memset| to
  * all zeros. */
@@ -282,7 +224,7 @@ OPENSSL_EXPORT void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);
  * insufficient, zero will be returned. (In this case, |*out_len| is set to
  * zero.)
  *
- * If |in| and |out| alias then |out| must be <= |in|. */
+ * If |in| and |out| alias then |out| must be == |in|. */
 OPENSSL_EXPORT int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
                                      size_t *out_len, size_t max_out_len,
                                      const uint8_t *nonce, size_t nonce_len,
@@ -307,20 +249,70 @@ OPENSSL_EXPORT int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
  * insufficient, zero will be returned. (In this case, |*out_len| is set to
  * zero.)
  *
- * If |in| and |out| alias then |out| must be <= |in|. */
+ * If |in| and |out| alias then |out| must be == |in|. */
 OPENSSL_EXPORT int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
                                      size_t *out_len, size_t max_out_len,
                                      const uint8_t *nonce, size_t nonce_len,
                                      const uint8_t *in, size_t in_len,
                                      const uint8_t *ad, size_t ad_len);
 
+/* EVP_AEAD_CTX_aead returns the underlying AEAD for |ctx|, or NULL if one has
+ * not been set. */
+OPENSSL_EXPORT const EVP_AEAD *EVP_AEAD_CTX_aead(const EVP_AEAD_CTX *ctx);
+
+
+/* TLS-specific AEAD algorithms.
+ *
+ * These AEAD primitives do not meet the definition of generic AEADs. They are
+ * all specific to TLS and should not be used outside of that context. They must
+ * be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, and may
+ * not be used concurrently. Any nonces are used as IVs, so they must be
+ * unpredictable. They only accept an |ad| parameter of length 11 (the standard
+ * TLS one with length omitted). */
+
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void);
+
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void);
+
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);
+
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_tls(void);
+
+
+/* SSLv3-specific AEAD algorithms.
+ *
+ * These AEAD primitives do not meet the definition of generic AEADs. They are
+ * all specific to SSLv3 and should not be used outside of that context. They
+ * must be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful,
+ * and may not be used concurrently. They only accept an |ad| parameter of
+ * length 9 (the standard TLS one with length and version omitted). */
+
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_ssl3(void);
+
 
 /* Obscure functions. */
 
-/* EVP_AEAD_CTX_get_rc4_state sets |*out_key| to point to an RC4 key structure.
- * It returns one on success or zero if |ctx| doesn't have an RC4 key. */
-OPENSSL_EXPORT int EVP_AEAD_CTX_get_rc4_state(const EVP_AEAD_CTX *ctx,
-                                              const RC4_KEY **out_key);
+/* evp_aead_direction_t denotes the direction of an AEAD operation. */
+enum evp_aead_direction_t {
+  evp_aead_open,
+  evp_aead_seal,
+};
+
+/* EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal
+ * AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a
+ * given direction. */
+OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction(
+    EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len,
+    size_t tag_len, enum evp_aead_direction_t dir);
 
 /* EVP_AEAD_CTX_get_iv sets |*out_len| to the length of the IV for |ctx| and
  * sets |*out_iv| to point to that many bytes of the current IV. This is only
@@ -331,16 +323,23 @@ OPENSSL_EXPORT int EVP_AEAD_CTX_get_iv(const EVP_AEAD_CTX *ctx,
                                        const uint8_t **out_iv, size_t *out_len);
 
 
-/* Deprecated functions. */
+#if defined(__cplusplus)
+}  /* extern C */
+
+#if !defined(BORINGSSL_NO_CXX)
+extern "C++" {
+
+namespace bssl {
 
-/* EVP_aead_chacha20_poly1305_rfc7539 calls |EVP_aead_chacha20_poly1305|.
- *
- * TODO(davidben): Remove this. */
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305_rfc7539(void);
+using ScopedEVP_AEAD_CTX =
+    internal::StackAllocated<EVP_AEAD_CTX, void, EVP_AEAD_CTX_zero,
+                             EVP_AEAD_CTX_cleanup>;
 
+}  // namespace bssl
+
+}  // extern C++
+#endif
 
-#if defined(__cplusplus)
-}  /* extern C */
 #endif
 
 #endif  /* OPENSSL_HEADER_AEAD_H */