grpc 1.55.0 → 1.56.0.pre3

data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c

@@ -178,8 +178,8 @@ X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc) {
 }
 
 int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj,
-                               int type, const unsigned char *bytes, int len,
-                               int loc, int set) {
+                               int type, const unsigned char *bytes,
+                               ossl_ssize_t len, int loc, int set) {
   X509_NAME_ENTRY *ne =
       X509_NAME_ENTRY_create_by_OBJ(NULL, obj, type, bytes, len);
   if (!ne) {
@@ -191,8 +191,8 @@ int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj,
 }
 
 int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
-                               const unsigned char *bytes, int len, int loc,
-                               int set) {
+                               const unsigned char *bytes, ossl_ssize_t len,
+                               int loc, int set) {
   X509_NAME_ENTRY *ne =
       X509_NAME_ENTRY_create_by_NID(NULL, nid, type, bytes, len);
   if (!ne) {
@@ -204,8 +204,8 @@ int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
 }
 
 int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
-                               const unsigned char *bytes, int len, int loc,
-                               int set) {
+                               const unsigned char *bytes, ossl_ssize_t len,
+                               int loc, int set) {
   X509_NAME_ENTRY *ne =
       X509_NAME_ENTRY_create_by_txt(NULL, field, type, bytes, len);
   if (!ne) {
@@ -282,7 +282,7 @@ err:
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
                                                const char *field, int type,
                                                const unsigned char *bytes,
-                                               int len) {
+                                               ossl_ssize_t len) {
   ASN1_OBJECT *obj;
   X509_NAME_ENTRY *nentry;
 
@@ -300,7 +300,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
                                                int type,
                                                const unsigned char *bytes,
-                                               int len) {
+                                               ossl_ssize_t len) {
   const ASN1_OBJECT *obj = OBJ_nid2obj(nid);
   if (obj == NULL) {
     OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_NID);
@@ -312,7 +312,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
                                                const ASN1_OBJECT *obj, int type,
                                                const unsigned char *bytes,
-                                               int len) {
+                                               ossl_ssize_t len) {
   X509_NAME_ENTRY *ret;
 
   if ((ne == NULL) || (*ne == NULL)) {
@@ -352,9 +352,7 @@ int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, const ASN1_OBJECT *obj) {
 }
 
 int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
-                             const unsigned char *bytes, int len) {
-  int i;
-
+                             const unsigned char *bytes, ossl_ssize_t len) {
   if ((ne == NULL) || ((bytes == NULL) && (len != 0))) {
     return 0;
   }
@@ -367,8 +365,7 @@ int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
   if (len < 0) {
     len = strlen((const char *)bytes);
   }
-  i = ASN1_STRING_set(ne->value, bytes, len);
-  if (!i) {
+  if (!ASN1_STRING_set(ne->value, bytes, len)) {
     return 0;
   }
   if (type != V_ASN1_UNDEF) {

data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c

@@ -77,7 +77,7 @@ EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x) {
 
 // Load a Netscape SPKI from a base64 encoded string
 
-NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str, int len) {
+NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str, ossl_ssize_t len) {
   unsigned char *spki_der;
   const unsigned char *p;
   size_t spki_len;

data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c

@@ -90,7 +90,7 @@ static X509_CERT_AUX *aux_get(X509 *x) {
   return x->aux;
 }
 
-int X509_alias_set1(X509 *x, const unsigned char *name, int len) {
+int X509_alias_set1(X509 *x, const unsigned char *name, ossl_ssize_t len) {
   X509_CERT_AUX *aux;
   // TODO(davidben): Empty aliases are not meaningful in PKCS#12, and the
   // getters cannot quite represent them. Also erase the object if |len| is
@@ -112,7 +112,7 @@ int X509_alias_set1(X509 *x, const unsigned char *name, int len) {
   return ASN1_STRING_set(aux->alias, name, len);
 }
 
-int X509_keyid_set1(X509 *x, const unsigned char *id, int len) {
+int X509_keyid_set1(X509 *x, const unsigned char *id, ossl_ssize_t len) {
   X509_CERT_AUX *aux;
   // TODO(davidben): Empty key IDs are not meaningful in PKCS#12, and the
   // getters cannot quite represent them. Also erase the object if |len| is

data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h

@@ -90,7 +90,7 @@ OPENSSL_EXPORT char *x509v3_bytes_to_hex(const uint8_t *in, size_t len);
 //
 // This function was historically named |string_to_hex| in OpenSSL. Despite the
 // name, |string_to_hex| converted from hex.
-unsigned char *x509v3_hex_to_bytes(const char *str, long *len);
+unsigned char *x509v3_hex_to_bytes(const char *str, size_t *len);
 
 // x509v3_conf_name_matches returns one if |name| is equal to |cmp| or begins
 // with |cmp| followed by '.', and zero otherwise.

data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c

@@ -57,6 +57,7 @@
 // extension creation utilities
 
 #include <ctype.h>
+#include <limits.h>
 #include <stdio.h>
 #include <string.h>
 
@@ -81,7 +82,7 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
 static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
                                   int crit, void *ext_struc);
 static unsigned char *generic_asn1(const char *value, const X509V3_CTX *ctx,
-                                   long *ext_len);
+                                   size_t *ext_len);
 
 X509_EXTENSION *X509V3_EXT_nconf(const CONF *conf, const X509V3_CTX *ctx,
                                  const char *name, const char *value) {
@@ -191,52 +192,30 @@ static X509_EXTENSION *do_ext_nconf(const CONF *conf, const X509V3_CTX *ctx,
   }
 
   ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
-  if (method->it) {
-    ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
-  } else {
-    method->ext_free(ext_struc);
-  }
+  ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
   return ext;
 }
 
 static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
                                   int crit, void *ext_struc) {
-  unsigned char *ext_der;
-  int ext_len;
-  ASN1_OCTET_STRING *ext_oct;
-  X509_EXTENSION *ext;
-  // Convert internal representation to DER
-  if (method->it) {
-    ext_der = NULL;
-    ext_len = ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
-    if (ext_len < 0) {
-      goto merr;
-    }
-  } else {
-    unsigned char *p;
-    ext_len = method->i2d(ext_struc, NULL);
-    if (!(ext_der = OPENSSL_malloc(ext_len))) {
-      goto merr;
-    }
-    p = ext_der;
-    method->i2d(ext_struc, &p);
-  }
-  if (!(ext_oct = ASN1_OCTET_STRING_new())) {
-    goto merr;
+  // Convert the extension's internal representation to DER.
+  unsigned char *ext_der = NULL;
+  int ext_len = ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
+  if (ext_len < 0) {
+    return NULL;
   }
-  ext_oct->data = ext_der;
-  ext_oct->length = ext_len;
 
-  ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
-  if (!ext) {
-    goto merr;
+  ASN1_OCTET_STRING *ext_oct = ASN1_OCTET_STRING_new();
+  if (ext_oct == NULL) {
+    OPENSSL_free(ext_der);
+    return NULL;
   }
-  ASN1_OCTET_STRING_free(ext_oct);
+  ASN1_STRING_set0(ext_oct, ext_der, ext_len);
 
+  X509_EXTENSION *ext =
+      X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
+  ASN1_OCTET_STRING_free(ext_oct);
   return ext;
-
-merr:
-  return NULL;
 }
 
 // Given an internal structure, nid and critical flag create an extension
@@ -290,7 +269,7 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
                                             int crit, int gen_type,
                                             const X509V3_CTX *ctx) {
   unsigned char *ext_der = NULL;
-  long ext_len = 0;
+  size_t ext_len = 0;
   ASN1_OBJECT *obj = NULL;
   ASN1_OCTET_STRING *oct = NULL;
   X509_EXTENSION *extension = NULL;
@@ -312,12 +291,17 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
     goto err;
   }
 
-  if (!(oct = ASN1_OCTET_STRING_new())) {
+  if (ext_len > INT_MAX) {
+    OPENSSL_PUT_ERROR(X509V3, ERR_R_OVERFLOW);
+    goto err;
+  }
+
+  oct = ASN1_OCTET_STRING_new();
+  if (oct == NULL) {
     goto err;
   }
 
-  oct->data = ext_der;
-  oct->length = ext_len;
+  ASN1_STRING_set0(oct, ext_der, (int)ext_len);
   ext_der = NULL;
 
   extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
@@ -330,15 +314,18 @@ err:
 }
 
 static unsigned char *generic_asn1(const char *value, const X509V3_CTX *ctx,
-                                   long *ext_len) {
-  ASN1_TYPE *typ;
-  unsigned char *ext_der = NULL;
-  typ = ASN1_generate_v3(value, ctx);
+                                   size_t *ext_len) {
+  ASN1_TYPE *typ = ASN1_generate_v3(value, ctx);
   if (typ == NULL) {
     return NULL;
   }
-  *ext_len = i2d_ASN1_TYPE(typ, &ext_der);
+  unsigned char *ext_der = NULL;
+  int len = i2d_ASN1_TYPE(typ, &ext_der);
   ASN1_TYPE_free(typ);
+  if (len < 0) {
+    return NULL;
+  }
+  *ext_len = len;
   return ext_der;
 }
 

data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c

@@ -356,6 +356,7 @@ static POLICYQUALINFO *notice_section(const X509V3_CTX *ctx,
       if (!nos || !sk_CONF_VALUE_num(nos)) {
         OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NUMBERS);
         X509V3_conf_err(cnf);
+        sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
         goto err;
       }
       int ret = nref_nos(nref->noticenos, nos);

data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c

@@ -168,7 +168,6 @@ static void *v2i_AUTHORITY_INFO_ACCESS(const X509V3_EXT_METHOD *method,
                                        const STACK_OF(CONF_VALUE) *nval) {
   AUTHORITY_INFO_ACCESS *ainfo = NULL;
   ACCESS_DESCRIPTION *acc;
-  char *objtmp, *ptmp;
   if (!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
     return NULL;
   }
@@ -178,22 +177,21 @@ static void *v2i_AUTHORITY_INFO_ACCESS(const X509V3_EXT_METHOD *method,
         !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) {
       goto err;
     }
-    ptmp = strchr(cnf->name, ';');
+    char *ptmp = strchr(cnf->name, ';');
     if (!ptmp) {
       OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SYNTAX);
       goto err;
     }
-    int objlen = ptmp - cnf->name;
     CONF_VALUE ctmp;
     ctmp.name = ptmp + 1;
     ctmp.value = cnf->value;
     if (!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0)) {
       goto err;
     }
-    if (!(objtmp = OPENSSL_malloc(objlen + 1))) {
+    char *objtmp = OPENSSL_strndup(cnf->name, ptmp - cnf->name);
+    if (objtmp == NULL) {
       goto err;
     }
-    OPENSSL_strlcpy(objtmp, cnf->name, objlen + 1);
     acc->method = OBJ_txt2obj(objtmp, 0);
     if (!acc->method) {
       OPENSSL_PUT_ERROR(X509V3, X509V3_R_BAD_OBJECT);

data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c

@@ -57,6 +57,7 @@
  */
 /* X509 v3 extension utilities */
 
+#include <assert.h>
 #include <stdio.h>
 
 #include <openssl/conf.h>
@@ -70,21 +71,20 @@
 #include "ext_dat.h"
 static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
 
-static void ext_list_free(X509V3_EXT_METHOD *ext);
-
 static int ext_stack_cmp(const X509V3_EXT_METHOD *const *a,
                          const X509V3_EXT_METHOD *const *b) {
   return ((*a)->ext_nid - (*b)->ext_nid);
 }
 
 int X509V3_EXT_add(X509V3_EXT_METHOD *ext) {
+  // We only support |ASN1_ITEM|-based extensions.
+  assert(ext->it != NULL);
+
   // TODO(davidben): This should be locked. Also check for duplicates.
   if (!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_stack_cmp))) {
-    ext_list_free(ext);
     return 0;
   }
   if (!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {
-    ext_list_free(ext);
     return 0;
   }
   sk_X509V3_EXT_METHOD_sort(ext_list);
@@ -136,28 +136,12 @@ int X509V3_EXT_free(int nid, void *ext_data) {
     return 0;
   }
 
-  if (ext_method->it != NULL) {
-    ASN1_item_free(ext_data, ASN1_ITEM_ptr(ext_method->it));
-  } else if (ext_method->ext_free != NULL) {
-    ext_method->ext_free(ext_data);
-  } else {
-    OPENSSL_PUT_ERROR(X509V3, X509V3_R_CANNOT_FIND_FREE_FUNCTION);
-    return 0;
-  }
-
-  return 1;
-}
-
-int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist) {
-  for (; extlist->ext_nid != -1; extlist++) {
-    if (!X509V3_EXT_add(extlist)) {
-      return 0;
-    }
-  }
+  ASN1_item_free(ext_data, ASN1_ITEM_ptr(ext_method->it));
   return 1;
 }
 
 int X509V3_EXT_add_alias(int nid_to, int nid_from) {
+OPENSSL_BEGIN_ALLOW_DEPRECATED
   const X509V3_EXT_METHOD *ext;
   X509V3_EXT_METHOD *tmpext;
 
@@ -171,19 +155,12 @@ int X509V3_EXT_add_alias(int nid_to, int nid_from) {
   }
   *tmpext = *ext;
   tmpext->ext_nid = nid_to;
-  tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
-  return X509V3_EXT_add(tmpext);
-}
-
-void X509V3_EXT_cleanup(void) {
-  sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free);
-  ext_list = NULL;
-}
-
-static void ext_list_free(X509V3_EXT_METHOD *ext) {
-  if (ext->ext_flags & X509V3_EXT_DYNAMIC) {
-    OPENSSL_free(ext);
+  if (!X509V3_EXT_add(tmpext)) {
+    OPENSSL_free(tmpext);
+    return 0;
   }
+  return 1;
+OPENSSL_END_ALLOW_DEPRECATED
 }
 
 // Legacy function: we don't need to add standard extensions any more because
@@ -201,23 +178,14 @@ void *X509V3_EXT_d2i(const X509_EXTENSION *ext) {
     return NULL;
   }
   p = ext->value->data;
-  void *ret;
-  if (method->it) {
-    ret =
-        ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
-  } else {
-    ret = method->d2i(NULL, &p, ext->value->length);
-  }
+  void *ret =
+      ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
   if (ret == NULL) {
     return NULL;
   }
   // Check for trailing data.
   if (p != ext->value->data + ext->value->length) {
-    if (method->it) {
-      ASN1_item_free(ret, ASN1_ITEM_ptr(method->it));
-    } else {
-      method->ext_free(ret);
-    }
+    ASN1_item_free(ret, ASN1_ITEM_ptr(method->it));
     OPENSSL_PUT_ERROR(X509V3, X509V3_R_TRAILING_DATA_IN_EXTENSION);
     return NULL;
   }

data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c

@@ -105,59 +105,47 @@ void X509V3_EXT_val_prn(BIO *out, const STACK_OF(CONF_VALUE) *val, int indent,
 
 int X509V3_EXT_print(BIO *out, const X509_EXTENSION *ext, unsigned long flag,
                      int indent) {
-  void *ext_str = NULL;
-  char *value = NULL;
-  const X509V3_EXT_METHOD *method;
-  STACK_OF(CONF_VALUE) *nval = NULL;
-  int ok = 1;
-
-  if (!(method = X509V3_EXT_get(ext))) {
+  const X509V3_EXT_METHOD *method = X509V3_EXT_get(ext);
+  if (method == NULL) {
     return unknown_ext_print(out, ext, flag, indent, 0);
   }
   const ASN1_STRING *ext_data = X509_EXTENSION_get_data(ext);
   const unsigned char *p = ASN1_STRING_get0_data(ext_data);
-  if (method->it) {
-    ext_str = ASN1_item_d2i(NULL, &p, ASN1_STRING_length(ext_data),
-                            ASN1_ITEM_ptr(method->it));
-  } else {
-    ext_str = method->d2i(NULL, &p, ASN1_STRING_length(ext_data));
-  }
-
+  void *ext_str = ASN1_item_d2i(NULL, &p, ASN1_STRING_length(ext_data),
+                                ASN1_ITEM_ptr(method->it));
   if (!ext_str) {
     return unknown_ext_print(out, ext, flag, indent, 1);
   }
 
+  char *value = NULL;
+  STACK_OF(CONF_VALUE) *nval = NULL;
+  int ok = 0;
   if (method->i2s) {
     if (!(value = method->i2s(method, ext_str))) {
-      ok = 0;
       goto err;
     }
     BIO_printf(out, "%*s%s", indent, "", value);
   } else if (method->i2v) {
     if (!(nval = method->i2v(method, ext_str, NULL))) {
-      ok = 0;
       goto err;
     }
     X509V3_EXT_val_prn(out, nval, indent,
                        method->ext_flags & X509V3_EXT_MULTILINE);
   } else if (method->i2r) {
     if (!method->i2r(method, ext_str, out, indent)) {
-      ok = 0;
+      goto err;
     }
   } else {
-    ok = 0;
+    OPENSSL_PUT_ERROR(X509V3, X509V3_R_OPERATION_NOT_DEFINED);
+    goto err;
   }
 
+  ok = 1;
+
 err:
   sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
-  if (value) {
-    OPENSSL_free(value);
-  }
-  if (method->it) {
-    ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));
-  } else {
-    method->ext_free(ext_str);
-  }
+  OPENSSL_free(value);
+  ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));
   return ok;
 }
 

data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c

@@ -54,12 +54,14 @@
  * (eay@cryptsoft.com).  This product includes software written by Tim
  * Hudson (tjh@cryptsoft.com). */
 
+#include <limits.h>
 #include <stdio.h>
 #include <string.h>
 
 #include <openssl/digest.h>
 #include <openssl/err.h>
 #include <openssl/obj.h>
+#include <openssl/mem.h>
 #include <openssl/x509v3.h>
 
 #include "../x509/internal.h"
@@ -74,21 +76,26 @@ char *i2s_ASN1_OCTET_STRING(const X509V3_EXT_METHOD *method,
 ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(const X509V3_EXT_METHOD *method,
                                          const X509V3_CTX *ctx,
                                          const char *str) {
-  ASN1_OCTET_STRING *oct;
-  long length;
-
-  if (!(oct = ASN1_OCTET_STRING_new())) {
+  size_t len;
+  uint8_t *data = x509v3_hex_to_bytes(str, &len);
+  if (data == NULL) {
     return NULL;
   }
-
-  if (!(oct->data = x509v3_hex_to_bytes(str, &length))) {
-    ASN1_OCTET_STRING_free(oct);
-    return NULL;
+  if (len > INT_MAX) {
+    OPENSSL_PUT_ERROR(X509V3, ERR_R_OVERFLOW);
+    goto err;
   }
 
-  oct->length = length;
-
+  ASN1_OCTET_STRING *oct = ASN1_OCTET_STRING_new();
+  if (oct == NULL) {
+    goto err;
+  }
+  ASN1_STRING_set0(oct, data, (int)len);
   return oct;
+
+err:
+  OPENSSL_free(data);
+  return NULL;
 }
 
 static char *i2s_ASN1_OCTET_STRING_cb(const X509V3_EXT_METHOD *method,

data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c

@@ -494,7 +494,7 @@ err:
   return NULL;
 }
 
-unsigned char *x509v3_hex_to_bytes(const char *str, long *len) {
+unsigned char *x509v3_hex_to_bytes(const char *str, size_t *len) {
   unsigned char *hexbuf, *q;
   unsigned char ch, cl, *p;
   uint8_t high, low;

data/third_party/boringssl-with-bazel/src/include/openssl/aead.h

@@ -138,12 +138,10 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void);
 // authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void);
 
-// EVP_aead_aes_128_gcm_siv is AES-128 in GCM-SIV mode. See
-// https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02
+// EVP_aead_aes_128_gcm_siv is AES-128 in GCM-SIV mode. See RFC 8452.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void);
 
-// EVP_aead_aes_256_gcm_siv is AES-256 in GCM-SIV mode. See
-// https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02
+// EVP_aead_aes_256_gcm_siv is AES-256 in GCM-SIV mode. See RFC 8452.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void);
 
 // EVP_aead_aes_128_gcm_randnonce is AES-128 in Galois Counter Mode with
@@ -212,7 +210,7 @@ OPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead);
 // AEAD operations.
 
 union evp_aead_ctx_st_state {
-  uint8_t opaque[580];
+  uint8_t opaque[564];
   uint64_t alignment;
 };
 
@@ -402,14 +400,14 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_AEAD_CTX_aead(const EVP_AEAD_CTX *ctx);
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void);
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void);
 
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void);
+
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void);
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void);
 
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void);
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);
 
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_tls(void);
-
 // EVP_aead_aes_128_gcm_tls12 is AES-128 in Galois Counter Mode using the TLS
 // 1.2 nonce construction.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls12(void);

data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h

@@ -740,15 +740,17 @@ OPENSSL_EXPORT int ASN1_STRING_to_UTF8(unsigned char **out,
 // the result. If |out| is NULL, it returns the selected output type without
 // constructing an |ASN1_STRING|. On error, this function returns -1.
 OPENSSL_EXPORT int ASN1_mbstring_copy(ASN1_STRING **out, const uint8_t *in,
-                                      int len, int inform, unsigned long mask);
+                                      ossl_ssize_t len, int inform,
+                                      unsigned long mask);
 
 // ASN1_mbstring_ncopy behaves like |ASN1_mbstring_copy| but returns an error if
 // the input is less than |minsize| or greater than |maxsize| codepoints long. A
 // |maxsize| value of zero is ignored. Note the sizes are measured in
 // codepoints, not output bytes.
 OPENSSL_EXPORT int ASN1_mbstring_ncopy(ASN1_STRING **out, const uint8_t *in,
-                                       int len, int inform, unsigned long mask,
-                                       long minsize, long maxsize);
+                                       ossl_ssize_t len, int inform,
+                                       unsigned long mask, ossl_ssize_t minsize,
+                                       ossl_ssize_t maxsize);
 
 // ASN1_STRING_set_by_NID behaves like |ASN1_mbstring_ncopy|, but determines
 // |mask|, |minsize|, and |maxsize| based on |nid|. When |nid| is a recognized
@@ -774,7 +776,7 @@ OPENSSL_EXPORT int ASN1_mbstring_ncopy(ASN1_STRING **out, const uint8_t *in,
 // to call |ASN1_mbstring_ncopy| directly instead.
 OPENSSL_EXPORT ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out,
                                                    const unsigned char *in,
-                                                   int len, int inform,
+                                                   ossl_ssize_t len, int inform,
                                                    int nid);
 
 // STABLE_NO_MASK causes |ASN1_STRING_TABLE_add| to allow types other than

data/third_party/boringssl-with-bazel/src/include/openssl/base.h

@@ -164,6 +164,10 @@ extern "C" {
 #define OPENSSL_FREEBSD
 #endif
 
+#if defined(__OpenBSD__)
+#define OPENSSL_OPENBSD
+#endif
+
 // BoringSSL requires platform's locking APIs to make internal global state
 // thread-safe, including the PRNG. On some single-threaded embedded platforms,
 // locking APIs may not exist, so this dependency may be disabled with the
@@ -193,7 +197,7 @@ extern "C" {
 // A consumer may use this symbol in the preprocessor to temporarily build
 // against multiple revisions of BoringSSL at the same time. It is not
 // recommended to do so for longer than is necessary.
-#define BORINGSSL_API_VERSION 19
+#define BORINGSSL_API_VERSION 21
 
 #if defined(BORINGSSL_SHARED_LIBRARY)
 
@@ -221,6 +225,33 @@ extern "C" {
 
 #endif  // defined(BORINGSSL_SHARED_LIBRARY)
 
+#if defined(_MSC_VER)
+
+// OPENSSL_DEPRECATED is used to mark a function as deprecated. Use
+// of any functions so marked in caller code will produce a warning.
+// OPENSSL_BEGIN_ALLOW_DEPRECATED and OPENSSL_END_ALLOW_DEPRECATED
+// can be used to suppress the warning in regions of caller code.
+#define OPENSSL_DEPRECATED __declspec(deprecated)
+#define OPENSSL_BEGIN_ALLOW_DEPRECATED \
+  __pragma(warning(push)) __pragma(warning(disable : 4996))
+#define OPENSSL_END_ALLOW_DEPRECATED __pragma(warning(pop))
+
+#elif defined(__GNUC__) || defined(__clang__)
+
+#define OPENSSL_DEPRECATED __attribute__((__deprecated__))
+#define OPENSSL_BEGIN_ALLOW_DEPRECATED \
+  _Pragma("GCC diagnostic push")       \
+      _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"")
+#define OPENSSL_END_ALLOW_DEPRECATED _Pragma("GCC diagnostic pop")
+
+#else
+
+#define OPENSSL_DEPRECATED
+#define OPENSSL_BEGIN_ALLOW_DEPRECATED
+#define OPENSSL_END_ALLOW_DEPRECATED
+
+#endif
+
 
 #if defined(__GNUC__) || defined(__clang__)
 // MinGW has two different printf implementations. Ensure the format macro