grpc 1.55.0 → 1.56.2

data/src/ruby/ext/grpc/extconf.rb

@@ -34,24 +34,23 @@ def env_unset?(name)
   ENV[name].nil? || ENV[name].size == 0
 end
 
-def rbconfig_set?(name)
-  RbConfig::CONFIG[name] && RbConfig::CONFIG[name].size > 0
+def inherit_env_or_rbconfig(name)
+  ENV[name] = inherit_rbconfig(name) if env_unset?(name)
 end
 
 def inherit_rbconfig(name)
-  ENV[name] = RbConfig::CONFIG[name] if env_unset?(name) && rbconfig_set?(name)
+  ENV[name] = RbConfig::CONFIG[name] || ''
 end
 
 def env_append(name, string)
-  ENV[name] ||= ''
   ENV[name] += ' ' + string
 end
 
-inherit_rbconfig 'AR'
-inherit_rbconfig 'CC'
-inherit_rbconfig 'CXX'
-inherit_rbconfig 'RANLIB'
-inherit_rbconfig 'STRIP'
+inherit_env_or_rbconfig 'AR'
+inherit_env_or_rbconfig 'CC'
+inherit_env_or_rbconfig 'CXX'
+inherit_env_or_rbconfig 'RANLIB'
+inherit_env_or_rbconfig 'STRIP'
 inherit_rbconfig 'CPPFLAGS'
 inherit_rbconfig 'LDFLAGS'
 

data/src/ruby/ext/grpc/rb_grpc_imports.generated.c

@@ -188,6 +188,7 @@ grpc_tls_credentials_options_set_identity_cert_name_type grpc_tls_credentials_op
 grpc_tls_credentials_options_set_cert_request_type_type grpc_tls_credentials_options_set_cert_request_type_import;
 grpc_tls_credentials_options_set_crl_directory_type grpc_tls_credentials_options_set_crl_directory_import;
 grpc_tls_credentials_options_set_verify_server_cert_type grpc_tls_credentials_options_set_verify_server_cert_import;
+grpc_tls_credentials_options_set_send_client_ca_list_type grpc_tls_credentials_options_set_send_client_ca_list_import;
 grpc_tls_credentials_options_set_check_call_host_type grpc_tls_credentials_options_set_check_call_host_import;
 grpc_insecure_credentials_create_type grpc_insecure_credentials_create_import;
 grpc_insecure_server_credentials_create_type grpc_insecure_server_credentials_create_import;
@@ -474,6 +475,7 @@ void grpc_rb_load_imports(HMODULE library) {
   grpc_tls_credentials_options_set_cert_request_type_import = (grpc_tls_credentials_options_set_cert_request_type_type) GetProcAddress(library, "grpc_tls_credentials_options_set_cert_request_type");
   grpc_tls_credentials_options_set_crl_directory_import = (grpc_tls_credentials_options_set_crl_directory_type) GetProcAddress(library, "grpc_tls_credentials_options_set_crl_directory");
   grpc_tls_credentials_options_set_verify_server_cert_import = (grpc_tls_credentials_options_set_verify_server_cert_type) GetProcAddress(library, "grpc_tls_credentials_options_set_verify_server_cert");
+  grpc_tls_credentials_options_set_send_client_ca_list_import = (grpc_tls_credentials_options_set_send_client_ca_list_type) GetProcAddress(library, "grpc_tls_credentials_options_set_send_client_ca_list");
   grpc_tls_credentials_options_set_check_call_host_import = (grpc_tls_credentials_options_set_check_call_host_type) GetProcAddress(library, "grpc_tls_credentials_options_set_check_call_host");
   grpc_insecure_credentials_create_import = (grpc_insecure_credentials_create_type) GetProcAddress(library, "grpc_insecure_credentials_create");
   grpc_insecure_server_credentials_create_import = (grpc_insecure_server_credentials_create_type) GetProcAddress(library, "grpc_insecure_server_credentials_create");

data/src/ruby/ext/grpc/rb_grpc_imports.generated.h

@@ -539,6 +539,9 @@ extern grpc_tls_credentials_options_set_crl_directory_type grpc_tls_credentials_
 typedef void(*grpc_tls_credentials_options_set_verify_server_cert_type)(grpc_tls_credentials_options* options, int verify_server_cert);
 extern grpc_tls_credentials_options_set_verify_server_cert_type grpc_tls_credentials_options_set_verify_server_cert_import;
 #define grpc_tls_credentials_options_set_verify_server_cert grpc_tls_credentials_options_set_verify_server_cert_import
+typedef void(*grpc_tls_credentials_options_set_send_client_ca_list_type)(grpc_tls_credentials_options* options, bool send_client_ca_list);
+extern grpc_tls_credentials_options_set_send_client_ca_list_type grpc_tls_credentials_options_set_send_client_ca_list_import;
+#define grpc_tls_credentials_options_set_send_client_ca_list grpc_tls_credentials_options_set_send_client_ca_list_import
 typedef void(*grpc_tls_credentials_options_set_check_call_host_type)(grpc_tls_credentials_options* options, int check_call_host);
 extern grpc_tls_credentials_options_set_check_call_host_type grpc_tls_credentials_options_set_check_call_host_import;
 #define grpc_tls_credentials_options_set_check_call_host grpc_tls_credentials_options_set_check_call_host_import

data/src/ruby/lib/grpc/version.rb

@@ -14,5 +14,5 @@
 
 # GRPC contains the General RPC module.
 module GRPC
-  VERSION = '1.55.0'
+  VERSION = '1.56.2'
 end

data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c

@@ -73,18 +73,19 @@
 // horrible: it has to be :-( The 'ncopy' form checks minimum and maximum
 // size limits too.
 
-int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len,
-                       int inform, unsigned long mask) {
-  return ASN1_mbstring_ncopy(out, in, len, inform, mask, 0, 0);
+int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in,
+                       ossl_ssize_t len, int inform, unsigned long mask) {
+  return ASN1_mbstring_ncopy(out, in, len, inform, mask, /*minsize=*/0,
+                             /*maxsize=*/0);
 }
 
 OPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_BMPSTRING)
 OPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_UNIVERSALSTRING)
 OPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_UTF8STRING)
 
-int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
-                        int inform, unsigned long mask, long minsize,
-                        long maxsize) {
+int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in,
+                        ossl_ssize_t len, int inform, unsigned long mask,
+                        ossl_ssize_t minsize, ossl_ssize_t maxsize) {
   if (len == -1) {
     len = strlen((const char *)in);
   }
@@ -164,14 +165,14 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
     utf8_len += cbb_get_utf8_len(c);
     if (maxsize > 0 && nchar > (size_t)maxsize) {
       OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_LONG);
-      ERR_add_error_dataf("maxsize=%ld", maxsize);
+      ERR_add_error_dataf("maxsize=%zu", (size_t)maxsize);
       return -1;
     }
   }
 
   if (minsize > 0 && nchar < (size_t)minsize) {
     OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_SHORT);
-    ERR_add_error_dataf("minsize=%ld", minsize);
+    ERR_add_error_dataf("minsize=%zu", (size_t)minsize);
     return -1;
   }
 

data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c

@@ -87,7 +87,7 @@ static const ASN1_STRING_TABLE *asn1_string_table_get(int nid);
 // a corresponding OID. For example certificates and certificate requests.
 
 ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
-                                    int len, int inform, int nid) {
+                                    ossl_ssize_t len, int inform, int nid) {
   ASN1_STRING *str = NULL;
   int ret;
   if (!out) {

data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h

@@ -56,8 +56,8 @@
  *
  */
 
-#ifndef OPENSSL_HEADER_ASN1_ASN1_LOCL_H
-#define OPENSSL_HEADER_ASN1_ASN1_LOCL_H
+#ifndef OPENSSL_HEADER_ASN1_INTERNAL_H
+#define OPENSSL_HEADER_ASN1_INTERNAL_H
 
 #include <time.h>
 
@@ -266,4 +266,4 @@ typedef struct ASN1_EXTERN_FUNCS_st {
 }  // extern C
 #endif
 
-#endif  // OPENSSL_HEADER_ASN1_ASN1_LOCL_H
+#endif  // OPENSSL_HEADER_ASN1_INTERNAL_H

data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c

@@ -85,7 +85,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,
 static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in,
                                    long len, const ASN1_TEMPLATE *tt, char opt,
                                    CRYPTO_BUFFER *buf, int depth);
-static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
+static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len,
                        int utype, const ASN1_ITEM *it);
 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in,
                                  long len, const ASN1_ITEM *it, int tag,
@@ -749,7 +749,7 @@ err:
 
 // Translate ASN1 content octets into a structure
 
-static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
+static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len,
                        int utype, const ASN1_ITEM *it) {
   ASN1_VALUE **opval = NULL;
   ASN1_STRING *stmp;
@@ -837,7 +837,14 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
     case V_ASN1_UTF8STRING:
     case V_ASN1_OTHER:
     case V_ASN1_SET:
-    case V_ASN1_SEQUENCE: {
+    case V_ASN1_SEQUENCE:
+    // TODO(crbug.com/boringssl/412): This default case should be removed, now
+    // that we've resolved https://crbug.com/boringssl/561. However, it is still
+    // needed to support some edge cases in |ASN1_PRINTABLE|. |ASN1_PRINTABLE|
+    // broadly doesn't tolerate unrecognized universal tags, but except for
+    // eight values that map to |B_ASN1_UNKNOWN| instead of zero. See the
+    // X509Test.NameAttributeValues test.
+    default: {
       CBS cbs;
       CBS_init(&cbs, cont, (size_t)len);
       if (utype == V_ASN1_BMPSTRING) {
@@ -900,9 +907,6 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
       }
       break;
     }
-    default:
-      OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);
-      goto err;
   }
   // If ASN1_ANY and NULL type fix up value
   if (typ && (utype == V_ASN1_NULL)) {

data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c

@@ -693,15 +693,18 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *out_omit,
     case V_ASN1_SET:
     // This is not a valid |ASN1_ITEM| type, but it appears in |ASN1_TYPE|.
     case V_ASN1_OTHER:
+    // TODO(crbug.com/boringssl/412): This default case should be removed, now
+    // that we've resolved https://crbug.com/boringssl/561. However, it is still
+    // needed to support some edge cases in |ASN1_PRINTABLE|. |ASN1_PRINTABLE|
+    // broadly doesn't tolerate unrecognized universal tags, but except for
+    // eight values that map to |B_ASN1_UNKNOWN| instead of zero. See the
+    // X509Test.NameAttributeValues test.
+    default:
       // All based on ASN1_STRING and handled the same
       strtmp = (ASN1_STRING *)*pval;
       cont = strtmp->data;
       len = strtmp->length;
       break;
-
-    default:
-      OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);
-      return -1;
   }
   if (cout && len) {
     OPENSSL_memcpy(cout, cont, len);

data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c

@@ -423,7 +423,7 @@ int BIO_indent(BIO *bio, unsigned indent, unsigned max_indent) {
 }
 
 static int print_bio(const char *str, size_t len, void *bio) {
-  return BIO_write((BIO *)bio, str, len);
+  return BIO_write_all((BIO *)bio, str, len);
 }
 
 void ERR_print_errors(BIO *bio) {
@@ -462,9 +462,11 @@ static int bio_read_all(BIO *bio, uint8_t **out, size_t *out_len,
       OPENSSL_free(*out);
       return 0;
     }
-    const size_t todo = len - done;
-    assert(todo < INT_MAX);
-    const int n = BIO_read(bio, *out + done, todo);
+    size_t todo = len - done;
+    if (todo > INT_MAX) {
+      todo = INT_MAX;
+    }
+    const int n = BIO_read(bio, *out + done, (int)todo);
     if (n == 0) {
       *out_len = done;
       return 1;

data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c

@@ -257,7 +257,8 @@ static int fd_gets(BIO *bp, char *buf, int size) {
 
   ptr[0] = '\0';
 
-  return ptr - buf;
+  // The output length is bounded by |size|.
+  return (int)(ptr - buf);
 }
 
 static const BIO_METHOD methods_fdp = {

data/third_party/boringssl-with-bazel/src/crypto/bio/file.c

@@ -157,13 +157,11 @@ static int file_read(BIO *b, char *out, int outl) {
 }
 
 static int file_write(BIO *b, const char *in, int inl) {
-  int ret = 0;
-
   if (!b->init) {
     return 0;
   }
 
-  ret = fwrite(in, inl, 1, (FILE *)b->ptr);
+  int ret = (int)fwrite(in, inl, 1, (FILE *)b->ptr);
   if (ret > 0) {
     ret = inl;
   }
@@ -253,20 +251,18 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) {
 }
 
 static int file_gets(BIO *bp, char *buf, int size) {
-  int ret = 0;
-
   if (size == 0) {
     return 0;
   }
 
   if (!fgets(buf, size, (FILE *)bp->ptr)) {
     buf[0] = 0;
-    goto err;
+    // TODO(davidben): This doesn't distinguish error and EOF. This should check
+    // |ferror| as in |file_read|.
+    return 0;
   }
-  ret = strlen(buf);
 
-err:
-  return ret;
+  return (int)strlen(buf);
 }
 
 static const BIO_METHOD methods_filep = {

data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c

@@ -221,7 +221,8 @@ static int bio_read(BIO *bio, char *buf, int size_) {
     rest -= chunk;
   } while (rest);
 
-  return size;
+  // |size| is bounded by the buffer size, which fits in |int|.
+  return (int)size;
 }
 
 static int bio_write(BIO *bio, const char *buf, int num_) {
@@ -293,7 +294,8 @@ static int bio_write(BIO *bio, const char *buf, int num_) {
     buf += chunk;
   } while (rest);
 
-  return num;
+  // |num| is bounded by the buffer size, which fits in |int|.
+  return (int)num;
 }
 
 static int bio_make_pair(BIO *bio1, BIO *bio2, size_t writebuf1_len,

data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c

@@ -55,10 +55,13 @@ static void blake2b_mix(uint64_t v[16], int a, int b, int c, int d, uint64_t x,
   v[b] = CRYPTO_rotr_u64(v[b] ^ v[c], 63);
 }
 
-static void blake2b_transform(
-    BLAKE2B_CTX *b2b,
-    const uint64_t block_words[BLAKE2B_CBLOCK / sizeof(uint64_t)],
-    size_t num_bytes, int is_final_block) {
+static uint64_t blake2b_load(const uint8_t block[BLAKE2B_CBLOCK], size_t i) {
+  return CRYPTO_load_u64_le(block + 8 * i);
+}
+
+static void blake2b_transform(BLAKE2B_CTX *b2b,
+                              const uint8_t block[BLAKE2B_CBLOCK],
+                              size_t num_bytes, int is_final_block) {
   // https://tools.ietf.org/html/rfc7693#section-3.2
   uint64_t v[16];
   static_assert(sizeof(v) == sizeof(b2b->h) + sizeof(kIV), "");
@@ -78,14 +81,22 @@ static void blake2b_transform(
 
   for (int round = 0; round < 12; round++) {
     const uint8_t *const s = &kSigma[16 * (round % 10)];
-    blake2b_mix(v, 0, 4, 8, 12, block_words[s[0]], block_words[s[1]]);
-    blake2b_mix(v, 1, 5, 9, 13, block_words[s[2]], block_words[s[3]]);
-    blake2b_mix(v, 2, 6, 10, 14, block_words[s[4]], block_words[s[5]]);
-    blake2b_mix(v, 3, 7, 11, 15, block_words[s[6]], block_words[s[7]]);
-    blake2b_mix(v, 0, 5, 10, 15, block_words[s[8]], block_words[s[9]]);
-    blake2b_mix(v, 1, 6, 11, 12, block_words[s[10]], block_words[s[11]]);
-    blake2b_mix(v, 2, 7, 8, 13, block_words[s[12]], block_words[s[13]]);
-    blake2b_mix(v, 3, 4, 9, 14, block_words[s[14]], block_words[s[15]]);
+    blake2b_mix(v, 0, 4, 8, 12, blake2b_load(block, s[0]),
+                blake2b_load(block, s[1]));
+    blake2b_mix(v, 1, 5, 9, 13, blake2b_load(block, s[2]),
+                blake2b_load(block, s[3]));
+    blake2b_mix(v, 2, 6, 10, 14, blake2b_load(block, s[4]),
+                blake2b_load(block, s[5]));
+    blake2b_mix(v, 3, 7, 11, 15, blake2b_load(block, s[6]),
+                blake2b_load(block, s[7]));
+    blake2b_mix(v, 0, 5, 10, 15, blake2b_load(block, s[8]),
+                blake2b_load(block, s[9]));
+    blake2b_mix(v, 1, 6, 11, 12, blake2b_load(block, s[10]),
+                blake2b_load(block, s[11]));
+    blake2b_mix(v, 2, 7, 8, 13, blake2b_load(block, s[12]),
+                blake2b_load(block, s[13]));
+    blake2b_mix(v, 3, 4, 9, 14, blake2b_load(block, s[14]),
+                blake2b_load(block, s[15]));
   }
 
   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(b2b->h); i++) {
@@ -111,11 +122,11 @@ void BLAKE2B256_Update(BLAKE2B_CTX *b2b, const void *in_data, size_t len) {
   }
 
   const uint8_t *data = in_data;
-  size_t todo = sizeof(b2b->block.bytes) - b2b->block_used;
+  size_t todo = sizeof(b2b->block) - b2b->block_used;
   if (todo > len) {
     todo = len;
   }
-  OPENSSL_memcpy(&b2b->block.bytes[b2b->block_used], data, todo);
+  OPENSSL_memcpy(&b2b->block[b2b->block_used], data, todo);
   b2b->block_used += todo;
   data += todo;
   len -= todo;
@@ -126,26 +137,24 @@ void BLAKE2B256_Update(BLAKE2B_CTX *b2b, const void *in_data, size_t len) {
 
   // More input remains therefore we must have filled |b2b->block|.
   assert(b2b->block_used == BLAKE2B_CBLOCK);
-  blake2b_transform(b2b, b2b->block.words, BLAKE2B_CBLOCK,
+  blake2b_transform(b2b, b2b->block, BLAKE2B_CBLOCK,
                     /*is_final_block=*/0);
   b2b->block_used = 0;
 
   while (len > BLAKE2B_CBLOCK) {
-    uint64_t block_words[BLAKE2B_CBLOCK / sizeof(uint64_t)];
-    OPENSSL_memcpy(block_words, data, sizeof(block_words));
-    blake2b_transform(b2b, block_words, BLAKE2B_CBLOCK, /*is_final_block=*/0);
+    blake2b_transform(b2b, data, BLAKE2B_CBLOCK, /*is_final_block=*/0);
     data += BLAKE2B_CBLOCK;
     len -= BLAKE2B_CBLOCK;
   }
 
-  OPENSSL_memcpy(b2b->block.bytes, data, len);
+  OPENSSL_memcpy(b2b->block, data, len);
   b2b->block_used = len;
 }
 
 void BLAKE2B256_Final(uint8_t out[BLAKE2B256_DIGEST_LENGTH], BLAKE2B_CTX *b2b) {
-  OPENSSL_memset(&b2b->block.bytes[b2b->block_used], 0,
-                 sizeof(b2b->block.bytes) - b2b->block_used);
-  blake2b_transform(b2b, b2b->block.words, b2b->block_used,
+  OPENSSL_memset(&b2b->block[b2b->block_used], 0,
+                 sizeof(b2b->block) - b2b->block_used);
+  blake2b_transform(b2b, b2b->block, b2b->block_used,
                     /*is_final_block=*/1);
   static_assert(BLAKE2B256_DIGEST_LENGTH <= sizeof(b2b->h), "");
   memcpy(out, b2b->h, BLAKE2B256_DIGEST_LENGTH);

data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c

@@ -400,6 +400,14 @@ static int aead_aes_128_cbc_sha1_tls_implicit_iv_init(
                        EVP_sha1(), 1);
 }
 
+static int aead_aes_128_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
+                                            const uint8_t *key, size_t key_len,
+                                            size_t tag_len,
+                                            enum evp_aead_direction_t dir) {
+  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
+                       EVP_sha256(), 0);
+}
+
 static int aead_aes_256_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
                                           size_t key_len, size_t tag_len,
                                           enum evp_aead_direction_t dir) {
@@ -442,13 +450,6 @@ static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
   return 1;
 }
 
-static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                   size_t key_len, size_t tag_len,
-                                   enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(),
-                       EVP_sha1(), 1 /* implicit iv */);
-}
-
 static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
     SHA_DIGEST_LENGTH + 16,  // key len (SHA1 + AES128)
     16,                      // nonce len (IV)
@@ -483,6 +484,23 @@ static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
     aead_tls_tag_len,
 };
 
+static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
+    SHA256_DIGEST_LENGTH + 16,  // key len (SHA256 + AES128)
+    16,                         // nonce len (IV)
+    16 + SHA256_DIGEST_LENGTH,  // overhead (padding + SHA256)
+    SHA256_DIGEST_LENGTH,       // max tag length
+    0,                          // seal_scatter_supports_extra_in
+
+    NULL,  // init
+    aead_aes_128_cbc_sha256_tls_init,
+    aead_tls_cleanup,
+    aead_tls_open,
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
+};
+
 static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
     SHA_DIGEST_LENGTH + 32,  // key len (SHA1 + AES256)
     16,                      // nonce len (IV)
@@ -551,23 +569,6 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
     aead_tls_tag_len,
 };
 
-static const EVP_AEAD aead_null_sha1_tls = {
-    SHA_DIGEST_LENGTH,  // key len
-    0,                  // nonce len
-    SHA_DIGEST_LENGTH,  // overhead (SHA1)
-    SHA_DIGEST_LENGTH,  // max tag length
-    0,                  // seal_scatter_supports_extra_in
-
-    NULL,  // init
-    aead_null_sha1_tls_init,
-    aead_tls_cleanup,
-    aead_tls_open,
-    aead_tls_seal_scatter,
-    NULL,  // open_gather
-    NULL,  // get_iv
-    aead_tls_tag_len,
-};
-
 const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {
   return &aead_aes_128_cbc_sha1_tls;
 }
@@ -576,6 +577,10 @@ const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void) {
   return &aead_aes_128_cbc_sha1_tls_implicit_iv;
 }
 
+const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void) {
+  return &aead_aes_128_cbc_sha256_tls;
+}
+
 const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void) {
   return &aead_aes_256_cbc_sha1_tls;
 }
@@ -591,5 +596,3 @@ const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) {
 const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) {
   return &aead_des_ede3_cbc_sha1_tls_implicit_iv;
 }
-
-const EVP_AEAD *EVP_aead_null_sha1_tls(void) { return &aead_null_sha1_tls; }

data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h

@@ -109,6 +109,14 @@ OPENSSL_EXPORT int EVP_sha1_final_with_secret_suffix(
     SHA_CTX *ctx, uint8_t out[SHA_DIGEST_LENGTH], const uint8_t *in, size_t len,
     size_t max_len);
 
+// EVP_sha256_final_with_secret_suffix acts like
+// |EVP_sha1_final_with_secret_suffix|, but for SHA-256.
+//
+// This function is exported for unit tests.
+OPENSSL_EXPORT int EVP_sha256_final_with_secret_suffix(
+    SHA256_CTX *ctx, uint8_t out[SHA256_DIGEST_LENGTH], const uint8_t *in,
+    size_t len, size_t max_len);
+
 // EVP_tls_cbc_digest_record computes the MAC of a decrypted, padded TLS
 // record.
 //