grpc 1.24.0 → 1.25.0.pre1

data/third_party/boringssl/crypto/x509v3/v3_skey.c

@@ -63,6 +63,9 @@
 #include <openssl/obj.h>
 #include <openssl/x509v3.h>
 
+#include "internal.h"
+
+
 static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
                                       X509V3_CTX *ctx, char *str);
 const X509V3_EXT_METHOD v3_skey_id = {
@@ -76,7 +79,7 @@ const X509V3_EXT_METHOD v3_skey_id = {
 
 char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct)
 {
-    return hex_to_string(oct->data, oct->length);
+    return x509v3_bytes_to_hex(oct->data, oct->length);
 }
 
 ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
@@ -90,7 +93,7 @@ ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
         return NULL;
     }
 
-    if (!(oct->data = string_to_hex(str, &length))) {
+    if (!(oct->data = x509v3_hex_to_bytes(str, &length))) {
         M_ASN1_OCTET_STRING_free(oct);
         return NULL;
     }

data/third_party/boringssl/crypto/x509v3/v3_utl.c

@@ -72,6 +72,7 @@
 
 #include "../conf/internal.h"
 #include "../internal.h"
+#include "internal.h"
 
 
 static char *strip_spaces(char *name);
@@ -446,7 +447,7 @@ static char *strip_spaces(char *name)
  * on EBCDIC machines)
  */
 
-char *hex_to_string(const unsigned char *buffer, long len)
+char *x509v3_bytes_to_hex(const unsigned char *buffer, long len)
 {
     char *tmp, *q;
     const unsigned char *p;
@@ -469,11 +470,7 @@ char *hex_to_string(const unsigned char *buffer, long len)
     return tmp;
 }
 
-/*
- * Give a string of hex digits convert to a buffer
- */
-
-unsigned char *string_to_hex(const char *str, long *len)
+unsigned char *x509v3_hex_to_bytes(const char *str, long *len)
 {
     unsigned char *hexbuf, *q;
     unsigned char ch, cl, *p;
@@ -533,11 +530,7 @@ unsigned char *string_to_hex(const char *str, long *len)
 
 }
 
-/*
- * V2I name comparison function: returns zero if 'name' matches cmp or cmp.*
- */
-
-int name_cmp(const char *name, const char *cmp)
+int x509v3_name_cmp(const char *name, const char *cmp)
 {
     int len, ret;
     char c;
@@ -650,6 +643,7 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
     if (!*sk)
         return 0;
     /* Don't add duplicates */
+    sk_OPENSSL_STRING_sort(*sk);
     if (sk_OPENSSL_STRING_find(*sk, NULL, (char *)email->data))
         return 1;
     emtmp = BUF_strdup((char *)email->data);
@@ -915,6 +909,53 @@ static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
                           subject, subject_len, flags);
 }
 
+int x509v3_looks_like_dns_name(const unsigned char *in, size_t len) {
+    /* This function is used as a heuristic for whether a common name is a
+     * hostname to be matched, or merely a decorative name to describe the
+     * subject. This heuristic must be applied to both name constraints and the
+     * common name fallback, so it must be loose enough to accept hostname
+     * common names, and tight enough to reject decorative common names. */
+
+    if (len > 0 && in[len - 1] == '.') {
+        len--;
+    }
+
+    /* Wildcards are allowed in front. */
+    if (len >= 2 && in[0] == '*' && in[1] == '.') {
+        in += 2;
+        len -= 2;
+    }
+
+    if (len == 0) {
+        return 0;
+    }
+
+    size_t label_start = 0;
+    for (size_t i = 0; i < len; i++) {
+        unsigned char c = in[i];
+        if ((c >= 'a' && c <= 'z') ||
+            (c >= '0' && c <= '9') ||
+            (c >= 'A' && c <= 'Z') ||
+            (c == '-' && i > label_start) ||
+            /* These are not valid characters in hostnames, but commonly found
+             * in deployments outside the Web PKI. */
+            c == '_' ||
+            c == ':') {
+            continue;
+        }
+
+        /* Labels must not be empty. */
+        if (c == '.' && i > label_start && i < len - 1) {
+            label_start = i + 1;
+            continue;
+        }
+
+        return 0;
+    }
+
+    return 1;
+}
+
 /*
  * Compare an ASN1_STRING to a supplied string. If they match return 1. If
  * cmp_type > 0 only compare if string matches the type, otherwise convert it
@@ -922,8 +963,8 @@ static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
  */
 
 static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
-                           unsigned int flags, const char *b, size_t blen,
-                           char **peername)
+                           unsigned int flags, int check_type, const char *b,
+                           size_t blen, char **peername)
 {
     int rv = 0;
 
@@ -944,7 +985,17 @@ static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
         astrlen = ASN1_STRING_to_UTF8(&astr, a);
         if (astrlen < 0)
             return -1;
-        rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
+        /*
+         * We check the common name against DNS name constraints if it passes
+         * |x509v3_looks_like_dns_name|. Thus we must not consider common names
+         * for DNS fallbacks if they fail this check.
+         */
+        if (check_type == GEN_DNS &&
+            !x509v3_looks_like_dns_name(astr, astrlen)) {
+            rv = 0;
+        } else {
+            rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
+        }
         if (rv > 0 && peername)
             *peername = BUF_strndup((char *)astr, astrlen);
         OPENSSL_free(astr);
@@ -961,7 +1012,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
     int j;
     int cnid = NID_undef;
     int alt_type;
-    int san_present = 0;
     int rv = 0;
     equal_fn equal;
 
@@ -994,7 +1044,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
             gen = sk_GENERAL_NAME_value(gens, i);
             if (gen->type != check_type)
                 continue;
-            san_present = 1;
             if (check_type == GEN_EMAIL)
                 cstr = gen->d.rfc822Name;
             else if (check_type == GEN_DNS)
@@ -1002,21 +1051,16 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
             else
                 cstr = gen->d.iPAddress;
             /* Positive on success, negative on error! */
-            if ((rv = do_check_string(cstr, alt_type, equal, flags,
+            if ((rv = do_check_string(cstr, alt_type, equal, flags, check_type,
                                       chk, chklen, peername)) != 0)
                 break;
         }
         GENERAL_NAMES_free(gens);
-        if (rv != 0)
-            return rv;
-        if (cnid == NID_undef
-            || (san_present
-                && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
-            return 0;
+        return rv;
     }
 
     /* We're done if CN-ID is not pertinent */
-    if (cnid == NID_undef)
+    if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
         return 0;
 
     j = -1;
@@ -1027,7 +1071,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
         ne = X509_NAME_get_entry(name, j);
         str = X509_NAME_ENTRY_get_data(ne);
         /* Positive on success, negative on error! */
-        if ((rv = do_check_string(str, -1, equal, flags,
+        if ((rv = do_check_string(str, -1, equal, flags, check_type,
                                   chk, chklen, peername)) != 0)
             return rv;
     }

data/third_party/boringssl/include/openssl/aead.h

@@ -91,15 +91,44 @@ extern "C" {
 // AEAD algorithms.
 
 // EVP_aead_aes_128_gcm is AES-128 in Galois Counter Mode.
+//
+// Note: AES-GCM should only be used with 12-byte (96-bit) nonces. Although it
+// is specified to take a variable-length nonce, nonces with other lengths are
+// effectively randomized, which means one must consider collisions. Unless
+// implementing an existing protocol which has already specified incorrect
+// parameters, only use 12-byte nonces.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm(void);
 
+// EVP_aead_aes_192_gcm is AES-192 in Galois Counter Mode.
+//
+// WARNING: AES-192 is superfluous and shouldn't exist. NIST should never have
+// defined it. Use only when interop with another system requires it, never
+// de novo.
+//
+// Note: AES-GCM should only be used with 12-byte (96-bit) nonces. Although it
+// is specified to take a variable-length nonce, nonces with other lengths are
+// effectively randomized, which means one must consider collisions. Unless
+// implementing an existing protocol which has already specified incorrect
+// parameters, only use 12-byte nonces.
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_192_gcm(void);
+
 // EVP_aead_aes_256_gcm is AES-256 in Galois Counter Mode.
+//
+// Note: AES-GCM should only be used with 12-byte (96-bit) nonces. Although it
+// is specified to take a variable-length nonce, nonces with other lengths are
+// effectively randomized, which means one must consider collisions. Unless
+// implementing an existing protocol which has already specified incorrect
+// parameters, only use 12-byte nonces.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm(void);
 
 // EVP_aead_chacha20_poly1305 is the AEAD built from ChaCha20 and
 // Poly1305 as described in RFC 7539.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305(void);
 
+// EVP_aead_xchacha20_poly1305 is ChaCha20-Poly1305 with an extended nonce that
+// makes random generation of nonces safe.
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_xchacha20_poly1305(void);
+
 // EVP_aead_aes_128_ctr_hmac_sha256 is AES-128 in CTR mode with HMAC-SHA256 for
 // authentication. The nonce is 12 bytes; the bottom 32-bits are used as the
 // block counter, thus the maximum plaintext size is 64GB.
@@ -154,13 +183,16 @@ OPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead);
 
 // AEAD operations.
 
+union evp_aead_ctx_st_state {
+  uint8_t opaque[580];
+  uint64_t alignment;
+};
+
 // An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key
 // and message-independent IV.
 typedef struct evp_aead_ctx_st {
   const EVP_AEAD *aead;
-  // aead_state is an opaque pointer to whatever state the AEAD needs to
-  // maintain.
-  void *aead_state;
+  union evp_aead_ctx_st_state state;
   // tag_len may contain the actual length of the authentication tag if it is
   // known at initialization time.
   uint8_t tag_len;
@@ -172,7 +204,7 @@ typedef struct evp_aead_ctx_st {
 
 // EVP_AEAD_MAX_NONCE_LENGTH contains the maximum nonce length used by
 // any AEAD defined in this header.
-#define EVP_AEAD_MAX_NONCE_LENGTH 16
+#define EVP_AEAD_MAX_NONCE_LENGTH 24
 
 // EVP_AEAD_MAX_OVERHEAD contains the maximum overhead used by any AEAD
 // defined in this header.
@@ -361,19 +393,13 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls12(void);
 // 1.2 nonce construction.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_tls12(void);
 
+// EVP_aead_aes_128_gcm_tls13 is AES-128 in Galois Counter Mode using the TLS
+// 1.3 nonce construction.
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls13(void);
 
-// SSLv3-specific AEAD algorithms.
-//
-// These AEAD primitives do not meet the definition of generic AEADs. They are
-// all specific to SSLv3 and should not be used outside of that context. They
-// must be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful,
-// and may not be used concurrently. They only accept an |ad| parameter of
-// length 9 (the standard TLS one with length and version omitted).
-
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_ssl3(void);
+// EVP_aead_aes_256_gcm_tls13 is AES-256 in Galois Counter Mode using the TLS
+// 1.3 nonce construction.
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_tls13(void);
 
 
 // Obscure functions.
@@ -393,7 +419,7 @@ OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction(
 
 // EVP_AEAD_CTX_get_iv sets |*out_len| to the length of the IV for |ctx| and
 // sets |*out_iv| to point to that many bytes of the current IV. This is only
-// meaningful for AEADs with implicit IVs (i.e. CBC mode in SSLv3 and TLS 1.0).
+// meaningful for AEADs with implicit IVs (i.e. CBC mode in TLS 1.0).
 //
 // It returns one on success or zero on error.
 OPENSSL_EXPORT int EVP_AEAD_CTX_get_iv(const EVP_AEAD_CTX *ctx,
@@ -415,7 +441,7 @@ OPENSSL_EXPORT int EVP_AEAD_CTX_tag_len(const EVP_AEAD_CTX *ctx,
 #if !defined(BORINGSSL_NO_CXX)
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 using ScopedEVP_AEAD_CTX =
     internal::StackAllocated<EVP_AEAD_CTX, void, EVP_AEAD_CTX_zero,
@@ -423,7 +449,7 @@ using ScopedEVP_AEAD_CTX =
 
 BORINGSSL_MAKE_DELETER(EVP_AEAD_CTX, EVP_AEAD_CTX_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 #endif

data/third_party/boringssl/include/openssl/aes.h

@@ -6,7 +6,7 @@
  * are met:
  *
  * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
+ *    notice, this list of conditions and the following disclaimer.
  *
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
@@ -76,18 +76,18 @@ struct aes_key_st {
 typedef struct aes_key_st AES_KEY;
 
 // AES_set_encrypt_key configures |aeskey| to encrypt with the |bits|-bit key,
-// |key|.
+// |key|. |key| must point to |bits|/8 bytes. It returns zero on success and a
+// negative number if |bits| is an invalid AES key size.
 //
-// WARNING: unlike other OpenSSL functions, this returns zero on success and a
-// negative number on error.
+// WARNING: this function breaks the usual return value convention.
 OPENSSL_EXPORT int AES_set_encrypt_key(const uint8_t *key, unsigned bits,
                                        AES_KEY *aeskey);
 
 // AES_set_decrypt_key configures |aeskey| to decrypt with the |bits|-bit key,
-// |key|.
+// |key|. |key| must point to |bits|/8 bytes. It returns zero on success and a
+// negative number if |bits| is an invalid AES key size.
 //
-// WARNING: unlike other OpenSSL functions, this returns zero on success and a
-// negative number on error.
+// WARNING: this function breaks the usual return value convention.
 OPENSSL_EXPORT int AES_set_decrypt_key(const uint8_t *key, unsigned bits,
                                        AES_KEY *aeskey);
 
@@ -163,6 +163,31 @@ OPENSSL_EXPORT int AES_unwrap_key(const AES_KEY *key, const uint8_t *iv,
                                   size_t in_len);
 
 
+// AES key wrap with padding.
+//
+// These functions implement AES Key Wrap with Padding mode, as defined in RFC
+// 5649. They should never be used except to interoperate with existing systems
+// that use this mode.
+
+// AES_wrap_key_padded performs a padded AES key wrap on |in| which must be
+// between 1 and 2^32-1 bytes. |key| must have been configured for encryption.
+// On success it writes at most |max_out| bytes of ciphertext to |out|, sets
+// |*out_len| to the number of bytes written, and returns one. On failure it
+// returns zero. To ensure success, set |max_out| to at least |in_len| + 15.
+OPENSSL_EXPORT int AES_wrap_key_padded(const AES_KEY *key, uint8_t *out,
+                                       size_t *out_len, size_t max_out,
+                                       const uint8_t *in, size_t in_len);
+
+// AES_unwrap_key_padded performs a padded AES key unwrap on |in| which must be
+// a multiple of 8 bytes. |key| must have been configured for decryption. On
+// success it writes at most |max_out| bytes to |out|, sets |*out_len| to the
+// number of bytes written, and returns one. On failure it returns zero. Setting
+// |max_out| to |in_len| is a sensible estimate.
+OPENSSL_EXPORT int AES_unwrap_key_padded(const AES_KEY *key, uint8_t *out,
+                                         size_t *out_len, size_t max_out,
+                                         const uint8_t *in, size_t in_len);
+
+
 #if defined(__cplusplus)
 }  // extern C
 #endif

data/third_party/boringssl/include/openssl/asn1.h

@@ -152,6 +152,9 @@ extern "C" {
 /* For use with ASN1_mbstring_copy() */
 #define MBSTRING_FLAG		0x1000
 #define MBSTRING_UTF8		(MBSTRING_FLAG)
+/* |MBSTRING_ASC| refers to Latin-1, not ASCII. It is used with TeletexString
+ * which, in turn, is treated as Latin-1 rather than T.61 by OpenSSL and most
+ * other software. */
 #define MBSTRING_ASC		(MBSTRING_FLAG|1)
 #define MBSTRING_BMP		(MBSTRING_FLAG|2)
 #define MBSTRING_UNIV		(MBSTRING_FLAG|4)
@@ -295,19 +298,6 @@ typedef struct ASN1_VALUE_st ASN1_VALUE;
 	OPENSSL_EXPORT int fname##_print_ctx(BIO *out, stname *x, int indent, \
 					 const ASN1_PCTX *pctx);
 
-#define D2I_OF(type) type *(*)(type **,const unsigned char **,long)
-#define I2D_OF(type) int (*)(type *,unsigned char **)
-#define I2D_OF_const(type) int (*)(const type *,unsigned char **)
-
-#define CHECKED_D2I_OF(type, d2i) \
-    ((d2i_of_void*) (1 ? d2i : ((D2I_OF(type))0)))
-#define CHECKED_I2D_OF(type, i2d) \
-    ((i2d_of_void*) (1 ? i2d : ((I2D_OF(type))0)))
-#define CHECKED_NEW_OF(type, xnew) \
-    ((void *(*)(void)) (1 ? xnew : ((type *(*)(void))0)))
-#define CHECKED_PPTR_OF(type, p) \
-    ((void**) (1 ? p : (type**)0))
-
 typedef void *d2i_of_void(void **, const unsigned char **, long);
 typedef int i2d_of_void(const void *, unsigned char **);
 
@@ -676,7 +666,6 @@ OPENSSL_EXPORT int 		d2i_ASN1_BOOLEAN(int *a,const unsigned char **pp,long lengt
 DECLARE_ASN1_FUNCTIONS(ASN1_INTEGER)
 OPENSSL_EXPORT int		i2c_ASN1_INTEGER(ASN1_INTEGER *a,unsigned char **pp);
 OPENSSL_EXPORT ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a,const unsigned char **pp, long length);
-OPENSSL_EXPORT ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a,const unsigned char **pp, long length);
 OPENSSL_EXPORT ASN1_INTEGER *	ASN1_INTEGER_dup(const ASN1_INTEGER *x);
 OPENSSL_EXPORT int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y);
 
@@ -759,76 +748,17 @@ OPENSSL_EXPORT void ASN1_put_object(unsigned char **pp, int constructed, int len
 OPENSSL_EXPORT int ASN1_put_eoc(unsigned char **pp);
 OPENSSL_EXPORT int ASN1_object_size(int constructed, int length, int tag);
 
-/* Used to implement other functions */
-OPENSSL_EXPORT void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, void *x);
-
-#define ASN1_dup_of(type,i2d,d2i,x) \
-    ((type*)ASN1_dup(CHECKED_I2D_OF(type, i2d), \
-		     CHECKED_D2I_OF(type, d2i), \
-		     CHECKED_PTR_OF(type, x)))
-
-#define ASN1_dup_of_const(type,i2d,d2i,x) \
-    ((type*)ASN1_dup(CHECKED_I2D_OF(const type, i2d), \
-		     CHECKED_D2I_OF(type, d2i), \
-		     CHECKED_PTR_OF(const type, x)))
-
 OPENSSL_EXPORT void *ASN1_item_dup(const ASN1_ITEM *it, void *x);
 
-/* ASN1 alloc/free macros for when a type is only used internally */
-
-#define M_ASN1_new_of(type) (type *)ASN1_item_new(ASN1_ITEM_rptr(type))
-#define M_ASN1_free_of(x, type) \
-		ASN1_item_free(CHECKED_PTR_OF(type, x), ASN1_ITEM_rptr(type))
-
 #ifndef OPENSSL_NO_FP_API
-OPENSSL_EXPORT void *ASN1_d2i_fp(void *(*xnew)(void), d2i_of_void *d2i, FILE *in, void **x);
-
-#define ASN1_d2i_fp_of(type,xnew,d2i,in,x) \
-    ((type*)ASN1_d2i_fp(CHECKED_NEW_OF(type, xnew), \
-			CHECKED_D2I_OF(type, d2i), \
-			in, \
-			CHECKED_PPTR_OF(type, x)))
-
 OPENSSL_EXPORT void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x);
-OPENSSL_EXPORT int ASN1_i2d_fp(i2d_of_void *i2d,FILE *out,void *x);
-
-#define ASN1_i2d_fp_of(type,i2d,out,x) \
-    (ASN1_i2d_fp(CHECKED_I2D_OF(type, i2d), \
-		 out, \
-		 CHECKED_PTR_OF(type, x)))
-
-#define ASN1_i2d_fp_of_const(type,i2d,out,x) \
-    (ASN1_i2d_fp(CHECKED_I2D_OF(const type, i2d), \
-		 out, \
-		 CHECKED_PTR_OF(const type, x)))
-
 OPENSSL_EXPORT int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x);
 OPENSSL_EXPORT int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags);
 #endif
 
 OPENSSL_EXPORT int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in);
 
-OPENSSL_EXPORT void *ASN1_d2i_bio(void *(*xnew)(void), d2i_of_void *d2i, BIO *in, void **x);
-
-#define ASN1_d2i_bio_of(type,xnew,d2i,in,x) \
-    ((type*)ASN1_d2i_bio( CHECKED_NEW_OF(type, xnew), \
-			  CHECKED_D2I_OF(type, d2i), \
-			  in, \
-			  CHECKED_PPTR_OF(type, x)))
-
 OPENSSL_EXPORT void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x);
-OPENSSL_EXPORT int ASN1_i2d_bio(i2d_of_void *i2d,BIO *out, void *x);
-
-#define ASN1_i2d_bio_of(type,i2d,out,x) \
-    (ASN1_i2d_bio(CHECKED_I2D_OF(type, i2d), \
-		  out, \
-		  CHECKED_PTR_OF(type, x)))
-
-#define ASN1_i2d_bio_of_const(type,i2d,out,x) \
-    (ASN1_i2d_bio(CHECKED_I2D_OF(const type, i2d), \
-		  out, \
-		  CHECKED_PTR_OF(const type, x)))
-
 OPENSSL_EXPORT int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x);
 OPENSSL_EXPORT int ASN1_UTCTIME_print(BIO *fp, const ASN1_UTCTIME *a);
 OPENSSL_EXPORT int ASN1_GENERALIZEDTIME_print(BIO *fp, const ASN1_GENERALIZEDTIME *a);
@@ -872,13 +802,13 @@ OPENSSL_EXPORT ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf);
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(ASN1_OBJECT, ASN1_OBJECT_free)
 BORINGSSL_MAKE_DELETER(ASN1_STRING, ASN1_STRING_free)
 BORINGSSL_MAKE_DELETER(ASN1_TYPE, ASN1_TYPE_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  /* extern C++ */
 
@@ -926,14 +856,14 @@ BORINGSSL_MAKE_DELETER(ASN1_TYPE, ASN1_TYPE_free)
 #define ASN1_R_INTEGER_NOT_ASCII_FORMAT 139
 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 140
 #define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 141
-#define ASN1_R_INVALID_BMPSTRING_LENGTH 142
+#define ASN1_R_INVALID_BMPSTRING 142
 #define ASN1_R_INVALID_DIGIT 143
 #define ASN1_R_INVALID_MODIFIER 144
 #define ASN1_R_INVALID_NUMBER 145
 #define ASN1_R_INVALID_OBJECT_ENCODING 146
 #define ASN1_R_INVALID_SEPARATOR 147
 #define ASN1_R_INVALID_TIME_FORMAT 148
-#define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH 149
+#define ASN1_R_INVALID_UNIVERSALSTRING 149
 #define ASN1_R_INVALID_UTF8STRING 150
 #define ASN1_R_LIST_ERROR 151
 #define ASN1_R_MISSING_ASN1_EOS 152