grpc 1.24.0 → 1.25.0

data/third_party/boringssl/include/openssl/pkcs7.h

@@ -35,7 +35,10 @@ DECLARE_STACK_OF(X509_CRL)
 
 // PKCS7_get_raw_certificates parses a PKCS#7, SignedData structure from |cbs|
 // and appends the included certificates to |out_certs|. It returns one on
-// success and zero on error.
+// success and zero on error. |cbs| is advanced passed the structure.
+//
+// Note that a SignedData structure may contain no certificates, in which case
+// this function succeeds but does not append any certificates.
 OPENSSL_EXPORT int PKCS7_get_raw_certificates(
     STACK_OF(CRYPTO_BUFFER) *out_certs, CBS *cbs, CRYPTO_BUFFER_POOL *pool);
 
@@ -49,8 +52,11 @@ OPENSSL_EXPORT int PKCS7_bundle_certificates(
     CBB *out, const STACK_OF(X509) *certs);
 
 // PKCS7_get_CRLs parses a PKCS#7, SignedData structure from |cbs| and appends
-// the included CRLs to |out_crls|. It returns one on success and zero on
-// error.
+// the included CRLs to |out_crls|. It returns one on success and zero on error.
+// |cbs| is advanced passed the structure.
+//
+// Note that a SignedData structure may contain no CRLs, in which case this
+// function succeeds but does not append any CRLs.
 OPENSSL_EXPORT int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs);
 
 // PKCS7_bundle_CRLs appends a PKCS#7, SignedData structure containing
@@ -60,18 +66,145 @@ OPENSSL_EXPORT int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls);
 // PKCS7_get_PEM_certificates reads a PEM-encoded, PKCS#7, SignedData structure
 // from |pem_bio| and appends the included certificates to |out_certs|. It
 // returns one on success and zero on error.
+//
+// Note that a SignedData structure may contain no certificates, in which case
+// this function succeeds but does not append any certificates.
 OPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs,
                                               BIO *pem_bio);
 
 // PKCS7_get_PEM_CRLs reads a PEM-encoded, PKCS#7, SignedData structure from
 // |pem_bio| and appends the included CRLs to |out_crls|. It returns one on
 // success and zero on error.
+//
+// Note that a SignedData structure may contain no CRLs, in which case this
+// function succeeds but does not append any CRLs.
 OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls,
                                       BIO *pem_bio);
 
 
+// Deprecated functions.
+//
+// These functions are a compatibility layer over a subset of OpenSSL's PKCS#7
+// API. It intentionally does not implement the whole thing, only the minimum
+// needed to build cryptography.io.
+
+typedef struct {
+  STACK_OF(X509) *cert;
+  STACK_OF(X509_CRL) *crl;
+} PKCS7_SIGNED;
+
+typedef struct {
+  STACK_OF(X509) *cert;
+  STACK_OF(X509_CRL) *crl;
+} PKCS7_SIGN_ENVELOPE;
+
+typedef void PKCS7_ENVELOPE;
+typedef void PKCS7_DIGEST;
+typedef void PKCS7_ENCRYPT;
+
+typedef struct {
+  uint8_t *ber_bytes;
+  size_t ber_len;
+
+  // Unlike OpenSSL, the following fields are immutable. They filled in when the
+  // object is parsed and ignored in serialization.
+  ASN1_OBJECT *type;
+  union {
+    char *ptr;
+    ASN1_OCTET_STRING *data;
+    PKCS7_SIGNED *sign;
+    PKCS7_ENVELOPE *enveloped;
+    PKCS7_SIGN_ENVELOPE *signed_and_enveloped;
+    PKCS7_DIGEST *digest;
+    PKCS7_ENCRYPT *encrypted;
+    ASN1_TYPE *other;
+  } d;
+} PKCS7;
+
+// d2i_PKCS7 parses a BER-encoded, PKCS#7 signed data ContentInfo structure from
+// |len| bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the
+// result is in |*out|. Note that, even if |*out| is already non-NULL on entry,
+// it will not be written to. Rather, a fresh |PKCS7| is allocated and the
+// previous one is freed. On successful exit, |*inp| is advanced past the BER
+// structure.  It returns the result or NULL on error.
+OPENSSL_EXPORT PKCS7 *d2i_PKCS7(PKCS7 **out, const uint8_t **inp,
+                                size_t len);
+
+// d2i_PKCS7_bio behaves like |d2i_PKCS7| but reads the input from |bio|.  If
+// the length of the object is indefinite the full contents of |bio| are read.
+//
+// If the function fails then some unknown amount of data may have been read
+// from |bio|.
+OPENSSL_EXPORT PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out);
+
+// i2d_PKCS7 is a dummy function which copies the contents of |p7|. If |out| is
+// not NULL then the result is written to |*out| and |*out| is advanced just
+// past the output. It returns the number of bytes in the result, whether
+// written or not, or a negative value on error.
+OPENSSL_EXPORT int i2d_PKCS7(const PKCS7 *p7, uint8_t **out);
+
+// i2d_PKCS7_bio writes |p7| to |bio|. It returns one on success and zero on
+// error.
+OPENSSL_EXPORT int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7);
+
+// PKCS7_free releases memory associated with |p7|.
+OPENSSL_EXPORT void PKCS7_free(PKCS7 *p7);
+
+// PKCS7_type_is_data returns zero.
+OPENSSL_EXPORT int PKCS7_type_is_data(const PKCS7 *p7);
+
+// PKCS7_type_is_digest returns zero.
+OPENSSL_EXPORT int PKCS7_type_is_digest(const PKCS7 *p7);
+
+// PKCS7_type_is_encrypted returns zero.
+OPENSSL_EXPORT int PKCS7_type_is_encrypted(const PKCS7 *p7);
+
+// PKCS7_type_is_enveloped returns zero.
+OPENSSL_EXPORT int PKCS7_type_is_enveloped(const PKCS7 *p7);
+
+// PKCS7_type_is_signed returns one. (We only supporte signed data
+// ContentInfos.)
+OPENSSL_EXPORT int PKCS7_type_is_signed(const PKCS7 *p7);
+
+// PKCS7_type_is_signedAndEnveloped returns zero.
+OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7);
+
+// PKCS7_DETACHED indicates that the PKCS#7 file specifies its data externally.
+#define PKCS7_DETACHED 0x40
+
+// The following flags cause |PKCS7_sign| to fail.
+#define PKCS7_TEXT 0x1
+#define PKCS7_NOCERTS 0x2
+#define PKCS7_NOSIGS 0x4
+#define PKCS7_NOCHAIN 0x8
+#define PKCS7_NOINTERN 0x10
+#define PKCS7_NOVERIFY 0x20
+#define PKCS7_BINARY 0x80
+#define PKCS7_NOATTR 0x100
+#define PKCS7_NOSMIMECAP 0x200
+#define PKCS7_STREAM 0x1000
+
+// PKCS7_sign assembles |certs| into a PKCS#7 signed data ContentInfo with
+// external data and no signatures. It returns a newly-allocated |PKCS7| on
+// success or NULL on error. |sign_cert| and |pkey| must be NULL. |data| is
+// ignored. |flags| must be equal to |PKCS7_DETACHED|.
+//
+// Note this function only implements a subset of the corresponding OpenSSL
+// function. It is provided for backwards compatibility only.
+OPENSSL_EXPORT PKCS7 *PKCS7_sign(X509 *sign_cert, EVP_PKEY *pkey,
+                                 STACK_OF(X509) *certs, BIO *data, int flags);
+
+
 #if defined(__cplusplus)
 }  // extern C
+
+extern "C++" {
+BSSL_NAMESPACE_BEGIN
+
+BORINGSSL_MAKE_DELETER(PKCS7, PKCS7_free)
+
+BSSL_NAMESPACE_END
+}  // extern C++
 #endif
 
 #define PKCS7_R_BAD_PKCS7_VERSION 100

data/third_party/boringssl/include/openssl/pkcs8.h

@@ -152,14 +152,34 @@ OPENSSL_EXPORT PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12);
 // d2i_PKCS12_fp acts like |d2i_PKCS12| but reads from a |FILE|.
 OPENSSL_EXPORT PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12);
 
+// i2d_PKCS12 is a dummy function which copies the contents of |p12|. If |out|
+// is not NULL then the result is written to |*out| and |*out| is advanced just
+// past the output. It returns the number of bytes in the result, whether
+// written or not, or a negative value on error.
+OPENSSL_EXPORT int i2d_PKCS12(const PKCS12 *p12, uint8_t **out);
+
+// i2d_PKCS12_bio writes the contents of |p12| to |bio|. It returns one on
+// success and zero on error.
+OPENSSL_EXPORT int i2d_PKCS12_bio(BIO *bio, const PKCS12 *p12);
+
+// i2d_PKCS12_fp writes the contents of |p12| to |fp|. It returns one on
+// success and zero on error.
+OPENSSL_EXPORT int i2d_PKCS12_fp(FILE *fp, const PKCS12 *p12);
+
 // PKCS12_parse calls |PKCS12_get_key_and_certs| on the ASN.1 data stored in
 // |p12|. The |out_pkey| and |out_cert| arguments must not be NULL and, on
-// successful exit, the private key and first certificate will be stored in
+// successful exit, the private key and matching certificate will be stored in
 // them. The |out_ca_certs| argument may be NULL but, if not, then any extra
 // certificates will be appended to |*out_ca_certs|. If |*out_ca_certs| is NULL
 // then it will be set to a freshly allocated stack containing the extra certs.
 //
+// Note if |p12| does not contain a private key, both |*out_pkey| and
+// |*out_cert| will be set to NULL and all certificates will be returned via
+// |*out_ca_certs|.
+//
 // It returns one on success and zero on error.
+//
+// Use |PKCS12_get_key_and_certs| instead.
 OPENSSL_EXPORT int PKCS12_parse(const PKCS12 *p12, const char *password,
                                 EVP_PKEY **out_pkey, X509 **out_cert,
                                 STACK_OF(X509) **out_ca_certs);
@@ -175,6 +195,23 @@ OPENSSL_EXPORT int PKCS12_parse(const PKCS12 *p12, const char *password,
 OPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
                                      int password_len);
 
+// PKCS12_create returns a newly-allocated |PKCS12| object containing |pkey|,
+// |cert|, and |chain|, encrypted with the specified password. |name|, if not
+// NULL, specifies a user-friendly name to encode with the key and
+// certificate. The key and certificates are encrypted with |key_nid| and
+// |cert_nid|, respectively, using |iterations| iterations in the
+// KDF. |mac_iterations| is the number of iterations when deriving the MAC
+// key. |key_type| must be zero. |pkey| and |cert| may be NULL to omit them.
+//
+// Each of |key_nid|, |cert_nid|, |iterations|, and |mac_iterations| may be zero
+// to use defaults, which are |NID_pbe_WithSHA1And3_Key_TripleDES_CBC|,
+// |NID_pbe_WithSHA1And40BitRC2_CBC|, 2048, and one, respectively.
+OPENSSL_EXPORT PKCS12 *PKCS12_create(const char *password, const char *name,
+                                     const EVP_PKEY *pkey, X509 *cert,
+                                     const STACK_OF(X509) *chain, int key_nid,
+                                     int cert_nid, int iterations,
+                                     int mac_iterations, int key_type);
+
 // PKCS12_free frees |p12| and its contents.
 OPENSSL_EXPORT void PKCS12_free(PKCS12 *p12);
 
@@ -184,12 +221,12 @@ OPENSSL_EXPORT void PKCS12_free(PKCS12 *p12);
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(PKCS12, PKCS12_free)
 BORINGSSL_MAKE_DELETER(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 
@@ -226,5 +263,7 @@ BORINGSSL_MAKE_DELETER(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free)
 #define PKCS8_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION 128
 #define PKCS8_R_BAD_ITERATION_COUNT 129
 #define PKCS8_R_UNSUPPORTED_PRF 130
+#define PKCS8_R_INVALID_CHARACTERS 131
+#define PKCS8_R_UNSUPPORTED_OPTIONS 132
 
 #endif  // OPENSSL_HEADER_PKCS8_H

data/third_party/boringssl/include/openssl/pool.h

@@ -48,6 +48,16 @@ OPENSSL_EXPORT void CRYPTO_BUFFER_POOL_free(CRYPTO_BUFFER_POOL *pool);
 OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_new(const uint8_t *data, size_t len,
                                                 CRYPTO_BUFFER_POOL *pool);
 
+// CRYPTO_BUFFER_alloc creates an unpooled |CRYPTO_BUFFER| of the given size and
+// writes the underlying data pointer to |*out_data|. It returns NULL on error.
+//
+// After calling this function, |len| bytes of contents must be written to
+// |out_data| before passing the returned pointer to any other BoringSSL
+// functions. Once initialized, the |CRYPTO_BUFFER| should be treated as
+// immutable.
+OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_alloc(uint8_t **out_data,
+                                                  size_t len);
+
 // CRYPTO_BUFFER_new_from_CBS acts the same as |CRYPTO_BUFFER_new|.
 OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_new_from_CBS(
     CBS *cbs, CRYPTO_BUFFER_POOL *pool);
@@ -77,12 +87,13 @@ OPENSSL_EXPORT void CRYPTO_BUFFER_init_CBS(const CRYPTO_BUFFER *buf, CBS *out);
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(CRYPTO_BUFFER_POOL, CRYPTO_BUFFER_POOL_free)
 BORINGSSL_MAKE_DELETER(CRYPTO_BUFFER, CRYPTO_BUFFER_free)
+BORINGSSL_MAKE_UP_REF(CRYPTO_BUFFER, CRYPTO_BUFFER_up_ref)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

data/third_party/boringssl/include/openssl/ripemd.h

@@ -83,21 +83,22 @@ OPENSSL_EXPORT int RIPEMD160_Update(RIPEMD160_CTX *ctx, const void *data,
                                    size_t len);
 
 // RIPEMD160_Final adds the final padding to |ctx| and writes the resulting
-// digest to |md|, which must have at least |RIPEMD160_DIGEST_LENGTH| bytes of
+// digest to |out|, which must have at least |RIPEMD160_DIGEST_LENGTH| bytes of
 // space. It returns one.
-OPENSSL_EXPORT int RIPEMD160_Final(uint8_t *md, RIPEMD160_CTX *ctx);
+OPENSSL_EXPORT int RIPEMD160_Final(uint8_t out[RIPEMD160_DIGEST_LENGTH],
+                                   RIPEMD160_CTX *ctx);
 
 // RIPEMD160 writes the digest of |len| bytes from |data| to |out| and returns
 // |out|. There must be at least |RIPEMD160_DIGEST_LENGTH| bytes of space in
 // |out|.
 OPENSSL_EXPORT uint8_t *RIPEMD160(const uint8_t *data, size_t len,
-                                  uint8_t *out);
+                                  uint8_t out[RIPEMD160_DIGEST_LENGTH]);
 
 // RIPEMD160_Transform is a low-level function that performs a single,
 // RIPEMD160 block transformation using the state from |ctx| and 64 bytes from
 // |block|.
 OPENSSL_EXPORT void RIPEMD160_Transform(RIPEMD160_CTX *ctx,
-                                        const uint8_t *block);
+                                        const uint8_t block[RIPEMD160_CBLOCK]);
 
 
 #if defined(__cplusplus)

data/third_party/boringssl/include/openssl/rsa.h

@@ -72,8 +72,14 @@ extern "C" {
 
 
 // Allocation and destruction.
+//
+// An |RSA| object represents a public or private RSA key. A given object may be
+// used concurrently on multiple threads by non-mutating functions, provided no
+// other thread is concurrently calling a mutating function. Unless otherwise
+// documented, functions which take a |const| pointer are non-mutating and
+// functions which take a non-|const| pointer are mutating.
 
-// RSA_new returns a new, empty RSA object or NULL on error.
+// RSA_new returns a new, empty |RSA| object or NULL on error.
 OPENSSL_EXPORT RSA *RSA_new(void);
 
 // RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|.
@@ -83,7 +89,8 @@ OPENSSL_EXPORT RSA *RSA_new_method(const ENGINE *engine);
 // reference count drops to zero.
 OPENSSL_EXPORT void RSA_free(RSA *rsa);
 
-// RSA_up_ref increments the reference count of |rsa| and returns one.
+// RSA_up_ref increments the reference count of |rsa| and returns one. It does
+// not mutate |rsa| for thread-safety purposes and may be used concurrently.
 OPENSSL_EXPORT int RSA_up_ref(RSA *rsa);
 
 
@@ -154,7 +161,7 @@ OPENSSL_EXPORT int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1,
 // with event=3 when a suitable value for |p| is found.
 //
 // It returns one on success or zero on error.
-OPENSSL_EXPORT int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
+OPENSSL_EXPORT int RSA_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e,
                                        BN_GENCB *cb);
 
 // RSA_generate_key_fips behaves like |RSA_generate_key_ex| but performs
@@ -164,12 +171,23 @@ OPENSSL_EXPORT int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb);
 
 
 // Encryption / Decryption
+//
+// These functions are considered non-mutating for thread-safety purposes and
+// may be used concurrently.
 
-// Padding types for encryption.
+// RSA_PKCS1_PADDING denotes PKCS#1 v1.5 padding. When used with encryption,
+// this is RSAES-PKCS1-v1_5. When used with signing, this is RSASSA-PKCS1-v1_5.
 #define RSA_PKCS1_PADDING 1
+
+// RSA_NO_PADDING denotes a raw RSA operation.
 #define RSA_NO_PADDING 3
+
+// RSA_PKCS1_OAEP_PADDING denotes the RSAES-OAEP encryption scheme.
 #define RSA_PKCS1_OAEP_PADDING 4
-// RSA_PKCS1_PSS_PADDING can only be used via the EVP interface.
+
+// RSA_PKCS1_PSS_PADDING denotes the RSASSA-PSS signature scheme. This value may
+// not be passed into |RSA_sign_raw|, only |EVP_PKEY_CTX_set_rsa_padding|. See
+// also |RSA_sign_pss_mgf1| and |RSA_verify_pss_mgf1|.
 #define RSA_PKCS1_PSS_PADDING 6
 
 // RSA_encrypt encrypts |in_len| bytes from |in| to the public key from |rsa|
@@ -231,6 +249,9 @@ OPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from,
 
 
 // Signing / Verification
+//
+// These functions are considered non-mutating for thread-safety purposes and
+// may be used concurrently.
 
 // RSA_sign signs |in_len| bytes of digest from |in| with |rsa| using
 // RSASSA-PKCS1-v1_5. It writes, at most, |RSA_size(rsa)| bytes to |out|. On
@@ -272,7 +293,8 @@ OPENSSL_EXPORT int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out,
 //
 // The |padding| argument must be one of the |RSA_*_PADDING| values. If in
 // doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING|
-// (via the |EVP_PKEY| interface) is preferred for new protocols.
+// (via |RSA_sign_pss_mgf1| or the |EVP_PKEY| interface) is preferred for new
+// protocols.
 OPENSSL_EXPORT int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
                                 size_t max_out, const uint8_t *in,
                                 size_t in_len, int padding);
@@ -317,7 +339,8 @@ OPENSSL_EXPORT int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg,
 //
 // The |padding| argument must be one of the |RSA_*_PADDING| values. If in
 // doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING|
-// (via the |EVP_PKEY| interface) is preferred for new protocols.
+// (via |RSA_verify_pss_mgf1| or the |EVP_PKEY| interface) is preferred for new
+// protocols.
 OPENSSL_EXPORT int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out,
                                   size_t max_out, const uint8_t *in,
                                   size_t in_len, int padding);
@@ -372,8 +395,9 @@ OPENSSL_EXPORT RSA *RSAPrivateKey_dup(const RSA *rsa);
 // returns zero then a more detailed error is available on the error queue.
 OPENSSL_EXPORT int RSA_check_key(const RSA *rsa);
 
-// RSA_check_fips performs public key validity tests on |key|. It returns one
-// if they pass and zero otherwise. Opaque keys always fail.
+// RSA_check_fips performs public key validity tests on |key|. It returns one if
+// they pass and zero otherwise. Opaque keys always fail. This function does not
+// mutate |rsa| for thread-safety purposes and may be used concurrently.
 OPENSSL_EXPORT int RSA_check_fips(RSA *key);
 
 // RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of
@@ -390,7 +414,8 @@ OPENSSL_EXPORT int RSA_check_fips(RSA *key);
 //
 // This function implements only the low-level padding logic. Use
 // |RSA_verify_pss_mgf1| instead.
-OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
+OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa,
+                                             const uint8_t *mHash,
                                              const EVP_MD *Hash,
                                              const EVP_MD *mgf1Hash,
                                              const uint8_t *EM, int sLen);
@@ -407,7 +432,7 @@ OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
 //
 // This function implements only the low-level padding logic. Use
 // |RSA_sign_pss_mgf1| instead.
-OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, uint8_t *EM,
+OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(const RSA *rsa, uint8_t *EM,
                                                   const uint8_t *mHash,
                                                   const EVP_MD *Hash,
                                                   const EVP_MD *mgf1Hash,
@@ -567,7 +592,7 @@ OPENSSL_EXPORT int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp);
 //
 // This function implements only the low-level padding logic. Use
 // |RSA_sign_pss_mgf1| instead.
-OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS(RSA *rsa, uint8_t *EM,
+OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS(const RSA *rsa, uint8_t *EM,
                                              const uint8_t *mHash,
                                              const EVP_MD *Hash, int sLen);
 
@@ -576,7 +601,7 @@ OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS(RSA *rsa, uint8_t *EM,
 //
 // This function implements only the low-level padding logic. Use
 // |RSA_verify_pss_mgf1| instead.
-OPENSSL_EXPORT int RSA_verify_PKCS1_PSS(RSA *rsa, const uint8_t *mHash,
+OPENSSL_EXPORT int RSA_verify_PKCS1_PSS(const RSA *rsa, const uint8_t *mHash,
                                         const EVP_MD *Hash, const uint8_t *EM,
                                         int sLen);
 
@@ -589,6 +614,10 @@ OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP(uint8_t *to, size_t to_len,
                                               const uint8_t *param,
                                               size_t param_len);
 
+// RSA_print prints a textual representation of |rsa| to |bio|. It returns one
+// on success or zero otherwise.
+OPENSSL_EXPORT int RSA_print(BIO *bio, const RSA *rsa, int indent);
+
 
 struct rsa_meth_st {
   struct openssl_method_common_st common;
@@ -694,11 +723,12 @@ struct rsa_st {
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(RSA, RSA_free)
+BORINGSSL_MAKE_UP_REF(RSA, RSA_up_ref)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 
@@ -752,5 +782,6 @@ BORINGSSL_MAKE_DELETER(RSA, RSA_free)
 #define RSA_R_WRONG_SIGNATURE_LENGTH 145
 #define RSA_R_PUBLIC_KEY_VALIDATION_FAILED 146
 #define RSA_R_D_OUT_OF_RANGE 147
+#define RSA_R_BLOCK_TYPE_IS_NOT_02 148
 
 #endif  // OPENSSL_HEADER_RSA_H