grpc 1.10.0 → 1.11.0.pre2

data/third_party/boringssl/include/openssl/bn.h

@@ -317,10 +317,6 @@ OPENSSL_EXPORT int BN_get_u64(const BIGNUM *bn, uint64_t *out);
 // the result to |ret|. It returns one on success and zero on failure.
 OPENSSL_EXPORT int BN_parse_asn1_unsigned(CBS *cbs, BIGNUM *ret);
 
-// BN_parse_asn1_unsigned_buggy acts like |BN_parse_asn1_unsigned| but tolerates
-// some invalid encodings. Do not use this function.
-OPENSSL_EXPORT int BN_parse_asn1_unsigned_buggy(CBS *cbs, BIGNUM *ret);
-
 // BN_marshal_asn1 marshals |bn| as a non-negative DER INTEGER and appends the
 // result to |cbb|. It returns one on success and zero on failure.
 OPENSSL_EXPORT int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn);
@@ -491,8 +487,8 @@ OPENSSL_EXPORT int BN_set_bit(BIGNUM *a, int n);
 // zero on allocation failure.
 OPENSSL_EXPORT int BN_clear_bit(BIGNUM *a, int n);
 
-// BN_is_bit_set returns the value of the |n|th, least-significant bit in |a|,
-// or zero if the bit doesn't exist.
+// BN_is_bit_set returns one if the |n|th least-significant bit in |a| exists
+// and is set. Otherwise, it returns zero.
 OPENSSL_EXPORT int BN_is_bit_set(const BIGNUM *a, int n);
 
 // BN_mask_bits truncates |a| so that it is only |n| bits long. It returns one
@@ -622,17 +618,6 @@ OPENSSL_EXPORT int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,
 // BN_pseudo_rand_range is an alias for BN_rand_range.
 OPENSSL_EXPORT int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range);
 
-// BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike
-// BN_rand_range, it also includes the contents of |priv| and |message| in the
-// generation so that an RNG failure isn't fatal as long as |priv| remains
-// secret. This is intended for use in DSA and ECDSA where an RNG weakness
-// leads directly to private key exposure unless this function is used.
-// It returns one on success and zero on error.
-OPENSSL_EXPORT int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
-                                         const BIGNUM *priv,
-                                         const uint8_t *message,
-                                         size_t message_len, BN_CTX *ctx);
-
 // BN_GENCB holds a callback function that is used by generation functions that
 // can take a very long time to complete. Use |BN_GENCB_set| to initialise a
 // |BN_GENCB| structure.

data/third_party/boringssl/include/openssl/buf.h

@@ -93,6 +93,10 @@ OPENSSL_EXPORT size_t BUF_MEM_grow(BUF_MEM *buf, size_t len);
 // allocated memory on free.
 OPENSSL_EXPORT size_t BUF_MEM_grow_clean(BUF_MEM *buf, size_t len);
 
+// BUF_MEM_append appends |in| to |buf|. It returns one on success and zero on
+// error.
+OPENSSL_EXPORT int BUF_MEM_append(BUF_MEM *buf, const void *in, size_t len);
+
 // BUF_strdup returns an allocated, duplicate of |str|.
 OPENSSL_EXPORT char *BUF_strdup(const char *str);
 

data/third_party/boringssl/include/openssl/bytestring.h

@@ -447,6 +447,17 @@ OPENSSL_EXPORT void CBB_discard_child(CBB *cbb);
 // error.
 OPENSSL_EXPORT int CBB_add_asn1_uint64(CBB *cbb, uint64_t value);
 
+// CBB_add_asn1_oid_from_text decodes |len| bytes from |text| as an ASCII OID
+// representation, e.g. "1.2.840.113554.4.1.72585", and writes the DER-encoded
+// contents to |cbb|. It returns one on success and zero on malloc failure or if
+// |text| was invalid. It does not include the OBJECT IDENTIFER framing, only
+// the element's contents.
+//
+// This function considers OID strings with components which do not fit in a
+// |uint32_t| to be invalid.
+OPENSSL_EXPORT int CBB_add_asn1_oid_from_text(CBB *cbb, const char *text,
+                                              size_t len);
+
 
 #if defined(__cplusplus)
 }  // extern C

data/third_party/boringssl/include/openssl/chacha.h

@@ -17,10 +17,14 @@
 
 #include <openssl/base.h>
 
-#ifdef  __cplusplus
+#if defined(__cplusplus)
 extern "C" {
 #endif
 
+// ChaCha20.
+//
+// ChaCha20 is a stream cipher. See https://tools.ietf.org/html/rfc7539.
+
 
 // CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and
 // nonce and writes the result to |out|. If |in| and |out| alias, they must be

data/third_party/boringssl/include/openssl/cipher.h

@@ -417,6 +417,16 @@ OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_gcm(void);
 // EVP_aes_128_cfb128 is only available in decrepit.
 OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_cfb128(void);
 
+// The following flags do nothing and are included only to make it easier to
+// compile code with BoringSSL.
+#define EVP_CIPH_CCM_MODE 0
+#define EVP_CIPH_WRAP_MODE 0
+#define EVP_CIPHER_CTX_FLAG_WRAP_ALLOW 0
+
+// EVP_CIPHER_CTX_set_flags does nothing.
+OPENSSL_EXPORT void EVP_CIPHER_CTX_set_flags(const EVP_CIPHER_CTX *ctx,
+                                             uint32_t flags);
+
 
 // Private functions.
 

data/third_party/boringssl/include/openssl/conf.h

@@ -141,13 +141,9 @@ int CONF_parse_list(const char *list, char sep, int remove_whitespace,
 #define CONF_MFLAGS_DEFAULT_SECTION 0
 #define CONF_MFLAGS_IGNORE_MISSING_FILE 0
 
-typedef struct conf_must_be_null_st CONF_MUST_BE_NULL;
-
-// CONF_modules_load_file returns one. |filename| was originally a string, with
-// NULL indicating the default. BoringSSL does not support configuration files,
-// so this stub emulates the "default" no-op file but intentionally breaks
-// compilation of consumers actively attempting to use this subsystem.
-OPENSSL_EXPORT int CONF_modules_load_file(CONF_MUST_BE_NULL *filename,
+// CONF_modules_load_file returns one. BoringSSL is defined to have no config
+// file options, thus loading from |filename| always succeeds by doing nothing.
+OPENSSL_EXPORT int CONF_modules_load_file(const char *filename,
                                           const char *appname,
                                           unsigned long flags);
 
@@ -155,7 +151,7 @@ OPENSSL_EXPORT int CONF_modules_load_file(CONF_MUST_BE_NULL *filename,
 OPENSSL_EXPORT void CONF_modules_free(void);
 
 // OPENSSL_config does nothing.
-OPENSSL_EXPORT void OPENSSL_config(CONF_MUST_BE_NULL *config_name);
+OPENSSL_EXPORT void OPENSSL_config(const char *config_name);
 
 // OPENSSL_no_config does nothing.
 OPENSSL_EXPORT void OPENSSL_no_config(void);

data/third_party/boringssl/include/openssl/dsa.h

@@ -172,7 +172,7 @@ OPENSSL_EXPORT void DSA_SIG_free(DSA_SIG *sig);
 // DSA_do_sign returns a signature of the hash in |digest| by the key in |dsa|
 // and returns an allocated, DSA_SIG structure, or NULL on error.
 OPENSSL_EXPORT DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len,
-                                    DSA *dsa);
+                                    const DSA *dsa);
 
 // DSA_do_verify verifies that |sig| is a valid signature, by the public key in
 // |dsa|, of the hash in |digest|. It returns one if so, zero if invalid and -1
@@ -212,7 +212,7 @@ OPENSSL_EXPORT int DSA_do_check_signature(int *out_valid, const uint8_t *digest,
 // (The |type| argument is ignored.)
 OPENSSL_EXPORT int DSA_sign(int type, const uint8_t *digest, size_t digest_len,
                             uint8_t *out_sig, unsigned int *out_siglen,
-                            DSA *dsa);
+                            const DSA *dsa);
 
 // DSA_verify verifies that |sig| is a valid, ASN.1 signature, by the public
 // key in |dsa|, of the hash in |digest|. It returns one if so, zero if invalid
@@ -284,19 +284,6 @@ OPENSSL_EXPORT DSA *DSA_parse_parameters(CBS *cbs);
 OPENSSL_EXPORT int DSA_marshal_parameters(CBB *cbb, const DSA *dsa);
 
 
-// Precomputation.
-
-// DSA_sign_setup precomputes the message independent part of the DSA signature
-// and writes them to |*out_kinv| and |*out_r|. Returns one on success, zero on
-// error.
-//
-// TODO(fork): decide what to do with this. Since making DSA* opaque there's no
-// way for the user to install them. Also, it forces the DSA* not to be const
-// when passing to the signing function.
-OPENSSL_EXPORT int DSA_sign_setup(const DSA *dsa, BN_CTX *ctx,
-                                  BIGNUM **out_kinv, BIGNUM **out_r);
-
-
 // Conversion.
 
 // DSA_dup_DH returns a |DH| constructed from the parameters of |dsa|. This is
@@ -411,9 +398,6 @@ struct dsa_st {
   BIGNUM *pub_key;   // y public key
   BIGNUM *priv_key;  // x private key
 
-  BIGNUM *kinv;  // Signing pre-calc
-  BIGNUM *r;     // Signing pre-calc
-
   int flags;
   // Normally used to cache montgomery values
   CRYPTO_MUTEX method_mont_lock;

data/third_party/boringssl/include/openssl/ec.h

@@ -162,10 +162,6 @@ OPENSSL_EXPORT EC_POINT *EC_POINT_new(const EC_GROUP *group);
 // EC_POINT_free frees |point| and the data that it points to.
 OPENSSL_EXPORT void EC_POINT_free(EC_POINT *point);
 
-// EC_POINT_clear_free clears the data that |point| points to, frees it and
-// then frees |point| itself.
-OPENSSL_EXPORT void EC_POINT_clear_free(EC_POINT *point);
-
 // EC_POINT_copy sets |*dest| equal to |*src|. It returns one on success and
 // zero otherwise.
 OPENSSL_EXPORT int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src);
@@ -306,7 +302,7 @@ OPENSSL_EXPORT EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p,
 // EC_GROUP_set_generator sets the generator for |group| to |generator|, which
 // must have the given order and cofactor. It may only be used with |EC_GROUP|
 // objects returned by |EC_GROUP_new_curve_GFp| and may only be used once on
-// each group.
+// each group. |generator| must have been created using |group|.
 OPENSSL_EXPORT int EC_GROUP_set_generator(EC_GROUP *group,
                                           const EC_POINT *generator,
                                           const BIGNUM *order,
@@ -350,6 +346,9 @@ typedef struct {
 OPENSSL_EXPORT size_t EC_get_builtin_curves(EC_builtin_curve *out_curves,
                                             size_t max_num_curves);
 
+// EC_POINT_clear_free calls |EC_POINT_free|.
+OPENSSL_EXPORT void EC_POINT_clear_free(EC_POINT *point);
+
 // Old code expects to get EC_KEY from ec.h.
 #include <openssl/ec_key.h>
 
@@ -403,5 +402,6 @@ BORINGSSL_MAKE_DELETER(EC_GROUP, EC_GROUP_free)
 #define EC_R_GROUP_MISMATCH 130
 #define EC_R_INVALID_COFACTOR 131
 #define EC_R_PUBLIC_KEY_VALIDATION_FAILED 132
+#define EC_R_INVALID_SCALAR 133
 
 #endif  // OPENSSL_HEADER_EC_H

data/third_party/boringssl/include/openssl/ecdsa.h

@@ -106,6 +106,16 @@ OPENSSL_EXPORT ECDSA_SIG *ECDSA_SIG_new(void);
 // ECDSA_SIG_free frees |sig| its member |BIGNUM|s.
 OPENSSL_EXPORT void ECDSA_SIG_free(ECDSA_SIG *sig);
 
+// ECDSA_SIG_get0 sets |*out_r| and |*out_s|, if non-NULL, to the two
+// components of |sig|.
+OPENSSL_EXPORT void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **out_r,
+                                   const BIGNUM **out_s);
+
+// ECDSA_SIG_set0 sets |sig|'s components to |r| and |s|, neither of which may
+// be NULL. On success, it takes ownership of each argument and returns one.
+// Otherwise, it returns zero.
+OPENSSL_EXPORT int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+
 // ECDSA_do_sign signs |digest_len| bytes from |digest| with |key| and returns
 // the resulting signature structure, or NULL on error.
 OPENSSL_EXPORT ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest,
@@ -118,34 +128,6 @@ OPENSSL_EXPORT int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,
                                    const ECDSA_SIG *sig, const EC_KEY *key);
 
 
-// Signing with precomputation.
-//
-// Parts of the ECDSA signature can be independent of the message to be signed
-// thus it's possible to precompute them and reduce the signing latency.
-//
-// TODO(fork): remove support for this as it cannot support safe-randomness.
-
-// ECDSA_sign_setup precomputes parts of an ECDSA signing operation. It sets
-// |*kinv| and |*rp| to the precomputed values and uses the |ctx| argument, if
-// not NULL. It returns one on success and zero otherwise.
-OPENSSL_EXPORT int ECDSA_sign_setup(const EC_KEY *eckey, BN_CTX *ctx,
-                                    BIGNUM **kinv, BIGNUM **rp);
-
-// ECDSA_do_sign_ex is the same as |ECDSA_do_sign| but takes precomputed values
-// as generated by |ECDSA_sign_setup|.
-OPENSSL_EXPORT ECDSA_SIG *ECDSA_do_sign_ex(const uint8_t *digest,
-                                           size_t digest_len,
-                                           const BIGNUM *kinv, const BIGNUM *rp,
-                                           const EC_KEY *eckey);
-
-// ECDSA_sign_ex is the same as |ECDSA_sign| but takes precomputed values as
-// generated by |ECDSA_sign_setup|.
-OPENSSL_EXPORT int ECDSA_sign_ex(int type, const uint8_t *digest,
-                                 size_t digest_len, uint8_t *sig,
-                                 unsigned int *sig_len, const BIGNUM *kinv,
-                                 const BIGNUM *rp, const EC_KEY *eckey);
-
-
 // ASN.1 functions.
 
 // ECDSA_SIG_parse parses a DER-encoded ECDSA-Sig-Value structure from |cbs| and

data/third_party/boringssl/include/openssl/evp.h

@@ -225,10 +225,6 @@ OPENSSL_EXPORT EVP_PKEY *EVP_parse_private_key(CBS *cbs);
 // success and zero on error.
 OPENSSL_EXPORT int EVP_marshal_private_key(CBB *cbb, const EVP_PKEY *key);
 
-// EVP_set_buggy_rsa_parser configures whether |RSA_parse_public_key_buggy| is
-// used by |EVP_parse_public_key|. By default, it is not used.
-OPENSSL_EXPORT void EVP_set_buggy_rsa_parser(int buggy);
-
 
 // Signing
 

data/third_party/boringssl/include/openssl/lhash.h

@@ -125,24 +125,7 @@ typedef int (*lhash_cmp_func)(const void *a, const void *b);
 // uint32_t.
 typedef uint32_t (*lhash_hash_func)(const void *a);
 
-typedef struct lhash_st {
-  // num_items contains the total number of items in the hash table.
-  size_t num_items;
-  // buckets is an array of |num_buckets| pointers. Each points to the head of
-  // a chain of LHASH_ITEM objects that have the same hash value, mod
-  // |num_buckets|.
-  LHASH_ITEM **buckets;
-  // num_buckets contains the length of |buckets|. This value is always >=
-  // kMinNumBuckets.
-  size_t num_buckets;
-  // callback_depth contains the current depth of |lh_doall| or |lh_doall_arg|
-  // calls. If non-zero then this suppresses resizing of the |buckets| array,
-  // which would otherwise disrupt the iteration.
-  unsigned callback_depth;
-
-  lhash_cmp_func comp;
-  lhash_hash_func hash;
-} _LHASH;
+typedef struct lhash_st _LHASH;
 
 // lh_new returns a new, empty hash table or NULL on error.
 OPENSSL_EXPORT _LHASH *lh_new(lhash_hash_func hash, lhash_cmp_func comp);

data/third_party/boringssl/include/openssl/obj.h

@@ -228,5 +228,6 @@ OPENSSL_EXPORT void OBJ_NAME_do_all(int type, void (*callback)(const OBJ_NAME *,
 #endif
 
 #define OBJ_R_UNKNOWN_NID 100
+#define OBJ_R_INVALID_OID_STRING 101
 
 #endif  // OPENSSL_HEADER_OBJ_H

data/third_party/boringssl/include/openssl/rsa.h

@@ -89,6 +89,9 @@ OPENSSL_EXPORT int RSA_up_ref(RSA *rsa);
 
 // Properties.
 
+// RSA_bits returns the size of |rsa|, in bits.
+OPENSSL_EXPORT unsigned RSA_bits(const RSA *rsa);
+
 // RSA_get0_key sets |*out_n|, |*out_e|, and |*out_d|, if non-NULL, to |rsa|'s
 // modulus, public exponent, and private exponent, respectively. If |rsa| is a
 // public key, the private exponent will be set to NULL.
@@ -428,10 +431,6 @@ OPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
 // error.
 OPENSSL_EXPORT RSA *RSA_parse_public_key(CBS *cbs);
 
-// RSA_parse_public_key_buggy behaves like |RSA_parse_public_key|, but it
-// tolerates some invalid encodings. Do not use this function.
-OPENSSL_EXPORT RSA *RSA_parse_public_key_buggy(CBS *cbs);
-
 // RSA_public_key_from_bytes parses |in| as a DER-encoded RSAPublicKey structure
 // (RFC 3447). It returns a newly-allocated |RSA| or NULL on error.
 OPENSSL_EXPORT RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len);

data/third_party/boringssl/include/openssl/ssl.h

@@ -146,7 +146,6 @@
 
 #include <openssl/bio.h>
 #include <openssl/buf.h>
-#include <openssl/lhash.h>
 #include <openssl/pem.h>
 #include <openssl/span.h>
 #include <openssl/ssl3.h>
@@ -158,6 +157,11 @@
 #include <sys/time.h>
 #endif
 
+// NGINX needs this #include. Consider revisiting this after NGINX 1.14.0 has
+// been out for a year or so (assuming that they fix it in that release.) See
+// https://boringssl-review.googlesource.com/c/boringssl/+/21664.
+#include <openssl/hmac.h>
+
 // Forward-declare struct timeval. On Windows, it is defined in winsock2.h and
 // Windows headers define too many macros to be included in public headers.
 // However, only a forward declaration is needed.
@@ -588,6 +592,8 @@ OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl);
 #define DTLS1_2_VERSION 0xfefd
 
 #define TLS1_3_DRAFT_VERSION 0x7f12
+#define TLS1_3_DRAFT21_VERSION 0x7f15
+#define TLS1_3_DRAFT22_VERSION 0x7e04
 #define TLS1_3_EXPERIMENT_VERSION 0x7e01
 #define TLS1_3_EXPERIMENT2_VERSION 0x7e02
 #define TLS1_3_EXPERIMENT3_VERSION 0x7e03
@@ -973,6 +979,25 @@ OPENSSL_EXPORT int SSL_set_ocsp_response(SSL *ssl,
 // before TLS 1.2.
 #define SSL_SIGN_RSA_PKCS1_MD5_SHA1 0xff01
 
+// SSL_get_signature_algorithm_name returns a human-readable name for |sigalg|,
+// or NULL if unknown. If |include_curve| is one, the curve for ECDSA algorithms
+// is included as in TLS 1.3. Otherwise, it is excluded as in TLS 1.2.
+OPENSSL_EXPORT const char *SSL_get_signature_algorithm_name(uint16_t sigalg,
+                                                            int include_curve);
+
+// SSL_get_signature_algorithm_key_type returns the key type associated with
+// |sigalg| as an |EVP_PKEY_*| constant or |EVP_PKEY_NONE| if unknown.
+OPENSSL_EXPORT int SSL_get_signature_algorithm_key_type(uint16_t sigalg);
+
+// SSL_get_signature_algorithm_digest returns the digest function associated
+// with |sigalg| or |NULL| if |sigalg| has no prehash (Ed25519) or is unknown.
+OPENSSL_EXPORT const EVP_MD *SSL_get_signature_algorithm_digest(
+    uint16_t sigalg);
+
+// SSL_is_signature_algorithm_rsa_pss returns one if |sigalg| is an RSA-PSS
+// signature algorithm and zero otherwise.
+OPENSSL_EXPORT int SSL_is_signature_algorithm_rsa_pss(uint16_t sigalg);
+
 // SSL_CTX_set_signing_algorithm_prefs configures |ctx| to use |prefs| as the
 // preference list when signing with |ctx|'s private key. It returns one on
 // success and zero on error. |prefs| should not include the internal-only value
@@ -1042,8 +1067,8 @@ OPENSSL_EXPORT int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der,
 // |type| parameter is one of the |SSL_FILETYPE_*| values and determines whether
 // the file's contents are read as PEM or DER.
 
-#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
-#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
+#define SSL_FILETYPE_PEM 1
+#define SSL_FILETYPE_ASN1 2
 
 OPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx,
                                                   const char *file,
@@ -1100,16 +1125,7 @@ enum ssl_private_key_result_t {
 // key hooks. This is used to off-load signing operations to a custom,
 // potentially asynchronous, backend. Metadata about the key such as the type
 // and size are parsed out of the certificate.
-//
-// TODO(davidben): This API has a number of legacy hooks. Remove the last
-// consumer of |sign_digest| and trim it.
 struct ssl_private_key_method_st {
-  // type is ignored and should be NULL.
-  int (*type)(SSL *ssl);
-
-  // max_signature_len is ignored and should be NULL.
-  size_t (*max_signature_len)(SSL *ssl);
-
   // sign signs the message |in| in using the specified signature algorithm. On
   // success, it returns |ssl_private_key_success| and writes at most |max_out|
   // bytes of signature data to |out| and sets |*out_len| to the number of bytes
@@ -1131,30 +1147,6 @@ struct ssl_private_key_method_st {
                                         uint16_t signature_algorithm,
                                         const uint8_t *in, size_t in_len);
 
-  // sign_digest signs |in_len| bytes of digest from |in|. |md| is the hash
-  // function used to calculate |in|. On success, it returns
-  // |ssl_private_key_success| and writes at most |max_out| bytes of signature
-  // data to |out|. On failure, it returns |ssl_private_key_failure|. If the
-  // operation has not completed, it returns |ssl_private_key_retry|. |sign|
-  // should arrange for the high-level operation on |ssl| to be retried when the
-  // operation is completed. This will result in a call to |complete|.
-  //
-  // If the key is an RSA key, implementations must use PKCS#1 padding. |in| is
-  // the digest itself, so the DigestInfo prefix, if any, must be prepended by
-  // |sign|. If |md| is |EVP_md5_sha1|, there is no prefix.
-  //
-  // It is an error to call |sign_digest| while another private key operation is
-  // in progress on |ssl|.
-  //
-  // This function is deprecated. Implement |sign| instead.
-  //
-  // TODO(davidben): Remove this function.
-  enum ssl_private_key_result_t (*sign_digest)(SSL *ssl, uint8_t *out,
-                                               size_t *out_len, size_t max_out,
-                                               const EVP_MD *md,
-                                               const uint8_t *in,
-                                               size_t in_len);
-
   // decrypt decrypts |in_len| bytes of encrypted data from |in|. On success it
   // returns |ssl_private_key_success|, writes at most |max_out| bytes of
   // decrypted data to |out| and sets |*out_len| to the actual number of bytes
@@ -1635,7 +1627,6 @@ OPENSSL_EXPORT int SSL_CTX_add_server_custom_ext(
 // established, an |SSL_SESSION| may be shared by multiple |SSL| objects on
 // different threads and must not be modified.
 
-DECLARE_LHASH_OF(SSL_SESSION)
 DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 
 // SSL_SESSION_new returns a newly-allocated blank |SSL_SESSION| or NULL on
@@ -2023,7 +2014,7 @@ OPENSSL_EXPORT SSL_SESSION *SSL_magic_pending_session_ptr(void);
 // 1) One can simply set the keys with |SSL_CTX_set_tlsext_ticket_keys|.
 // 2) One can configure an |EVP_CIPHER_CTX| and |HMAC_CTX| directly for
 //    encryption and authentication.
-// 3) One can configure an |SSL_TICKET_ENCRYPTION_METHOD| to have more control
+// 3) One can configure an |SSL_TICKET_AEAD_METHOD| to have more control
 //    and the option of asynchronous decryption.
 //
 // An attacker that compromises a server's session ticket key can impersonate
@@ -2100,8 +2091,8 @@ enum ssl_ticket_aead_result_t {
   ssl_ticket_aead_error,
 };
 
-// ssl_ticket_aead_method_st (aka |SSL_TICKET_ENCRYPTION_METHOD|) contains
-// methods for encrypting and decrypting session tickets.
+// ssl_ticket_aead_method_st (aka |SSL_TICKET_AEAD_METHOD|) contains methods
+// for encrypting and decrypting session tickets.
 struct ssl_ticket_aead_method_st {
   // max_overhead returns the maximum number of bytes of overhead that |seal|
   // may add.
@@ -3231,6 +3222,8 @@ enum tls13_variant_t {
   tls13_experiment = 1,
   tls13_experiment2 = 2,
   tls13_experiment3 = 3,
+  tls13_draft21 = 4,
+  tls13_draft22 = 5,
 };
 
 // SSL_CTX_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the
@@ -3952,18 +3945,6 @@ OPENSSL_EXPORT int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key);
 OPENSSL_EXPORT int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,
                                                       const char *dir);
 
-// SSL_set_private_key_digest_prefs copies |num_digests| NIDs from |digest_nids|
-// into |ssl|. These digests will be used, in decreasing order of preference,
-// when signing with |ssl|'s private key. It returns one on success and zero on
-// error.
-//
-// Use |SSL_set_signing_algorithm_prefs| instead.
-//
-// TODO(davidben): Remove this API when callers have been updated.
-OPENSSL_EXPORT int SSL_set_private_key_digest_prefs(SSL *ssl,
-                                                    const int *digest_nids,
-                                                    size_t num_digests);
-
 // SSL_set_verify_result calls |abort| unless |result| is |X509_V_OK|.
 //
 // TODO(davidben): Remove this function once it has been removed from
@@ -4042,8 +4023,7 @@ extern "C++" OPENSSL_EXPORT void SSL_CTX_sess_set_get_cb(
 // This structures are exposed for historical reasons, but access to them is
 // deprecated.
 
-// TODO(davidben): Remove this forward declaration when is |SSL_SESSION| is
-// opaque.
+// TODO(davidben): Remove this forward declaration when |SSL_SESSION| is opaque.
 typedef struct ssl_x509_method_st SSL_X509_METHOD;
 
 #define SSL_MAX_SSL_SESSION_ID_LENGTH 32
@@ -4574,6 +4554,7 @@ OPENSSL_EXPORT bool SealRecord(SSL *ssl, Span<uint8_t> out_prefix,
 #define SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA 279
 #define SSL_R_NO_SUPPORTED_VERSIONS_ENABLED 280
 #define SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE 281
+#define SSL_R_EMPTY_HELLO_RETRY_REQUEST 282
 #define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020