grpc 1.9.1 → 1.10.0.pre1

data/third_party/boringssl/crypto/obj/obj_dat.h

@@ -56,7 +56,8 @@
 
 /* This file is generated by crypto/obj/objects.go. */
 
-#define NUM_NID 949
+
+#define NUM_NID 959
 
 static const uint8_t kObjectData[] = {
     /* NID_rsadsi */
@@ -1811,6 +1812,8 @@ static const uint8_t kObjectData[] = {
     0x2b, 0x81, 0x04, 0x01, 0x0e, 0x02,
     /* NID_dhSinglePass_cofactorDH_sha512kdf_scheme */
     0x2b, 0x81, 0x04, 0x01, 0x0e, 0x03,
+    /* NID_ED25519 */
+    0x2b, 0x65, 0x70,
 };
 
 static const ASN1_OBJECT kObjects[NUM_NID] = {
@@ -3440,6 +3443,17 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
     {"dh-std-kdf", "dh-std-kdf", NID_dh_std_kdf, 0, NULL, 0},
     {"dh-cofactor-kdf", "dh-cofactor-kdf", NID_dh_cofactor_kdf, 0, NULL, 0},
     {"X25519", "X25519", NID_X25519, 0, NULL, 0},
+    {"ED25519", "ED25519", NID_ED25519, 3, &kObjectData[6175], 0},
+    {"ChaCha20-Poly1305", "chacha20-poly1305", NID_chacha20_poly1305, 0, NULL,
+     0},
+    {"KxRSA", "kx-rsa", NID_kx_rsa, 0, NULL, 0},
+    {"KxECDHE", "kx-ecdhe", NID_kx_ecdhe, 0, NULL, 0},
+    {"KxPSK", "kx-psk", NID_kx_psk, 0, NULL, 0},
+    {"AuthRSA", "auth-rsa", NID_auth_rsa, 0, NULL, 0},
+    {"AuthECDSA", "auth-ecdsa", NID_auth_ecdsa, 0, NULL, 0},
+    {"AuthPSK", "auth-psk", NID_auth_psk, 0, NULL, 0},
+    {"KxANY", "kx-any", NID_kx_any, 0, NULL, 0},
+    {"AuthANY", "auth-any", NID_auth_any, 0, NULL, 0},
 };
 
 static const unsigned kNIDsInShortNameOrder[] = {
@@ -3470,6 +3484,10 @@ static const unsigned kNIDsInShortNameOrder[] = {
     426 /* AES-256-ECB */,
     428 /* AES-256-OFB */,
     914 /* AES-256-XTS */,
+    958 /* AuthANY */,
+    955 /* AuthECDSA */,
+    956 /* AuthPSK */,
+    954 /* AuthRSA */,
     91 /* BF-CBC */,
     93 /* BF-CFB */,
     92 /* BF-ECB */,
@@ -3501,6 +3519,7 @@ static const unsigned kNIDsInShortNameOrder[] = {
     13 /* CN */,
     141 /* CRLReason */,
     417 /* CSPName */,
+    950 /* ChaCha20-Poly1305 */,
     367 /* CrlID */,
     391 /* DC */,
     31 /* DES-CBC */,
@@ -3528,6 +3547,7 @@ static const unsigned kNIDsInShortNameOrder[] = {
     70 /* DSA-SHA1-old */,
     67 /* DSA-old */,
     297 /* DVCS */,
+    949 /* ED25519 */,
     99 /* GN */,
     855 /* HMAC */,
     780 /* HMAC-MD5 */,
@@ -3542,6 +3562,10 @@ static const unsigned kNIDsInShortNameOrder[] = {
     645 /* ITU-T */,
     646 /* JOINT-ISO-ITU-T */,
     773 /* KISA */,
+    957 /* KxANY */,
+    952 /* KxECDHE */,
+    953 /* KxPSK */,
+    951 /* KxRSA */,
     15 /* L */,
     856 /* LocalKeySet */,
     3 /* MD2 */,
@@ -4400,6 +4424,7 @@ static const unsigned kNIDsInLongNameOrder[] = {
     382 /* Directory */,
     392 /* Domain */,
     132 /* E-mail Protection */,
+    949 /* ED25519 */,
     389 /* Enterprises */,
     384 /* Experimental */,
     372 /* Extended OCSP Status */,
@@ -4564,6 +4589,10 @@ static const unsigned kNIDsInLongNameOrder[] = {
     484 /* associatedDomain */,
     485 /* associatedName */,
     501 /* audio */,
+    958 /* auth-any */,
+    955 /* auth-ecdsa */,
+    956 /* auth-psk */,
+    954 /* auth-rsa */,
     882 /* authorityRevocationList */,
     91 /* bf-cbc */,
     93 /* bf-cfb */,
@@ -4634,6 +4663,7 @@ static const unsigned kNIDsInLongNameOrder[] = {
     677 /* certicom-arc */,
     517 /* certificate extensions */,
     883 /* certificateRevocationList */,
+    950 /* chacha20-poly1305 */,
     54 /* challengePassword */,
     407 /* characteristic-two-field */,
     395 /* clearance */,
@@ -4976,6 +5006,10 @@ static const unsigned kNIDsInLongNameOrder[] = {
     646 /* joint-iso-itu-t */,
     150 /* keyBag */,
     773 /* kisa */,
+    957 /* kx-any */,
+    952 /* kx-ecdhe */,
+    953 /* kx-psk */,
+    951 /* kx-rsa */,
     477 /* lastModifiedBy */,
     476 /* lastModifiedTime */,
     157 /* localKeyID */,
@@ -5327,26 +5361,39 @@ static const unsigned kNIDsInLongNameOrder[] = {
 };
 
 static const unsigned kNIDsInOIDOrder[] = {
-    434 /* 0.9 (OBJ_data) */, 182 /* 1.2 (OBJ_member_body) */,
-    379 /* 1.3 (OBJ_org) */, 676 /* 1.3 (OBJ_identified_organization) */,
-    11 /* 2.5 (OBJ_X500) */, 647 /* 2.23 (OBJ_international_organizations) */,
-    380 /* 1.3.6 (OBJ_dod) */, 12 /* 2.5.4 (OBJ_X509) */,
-    378 /* 2.5.8 (OBJ_X500algorithms) */, 81 /* 2.5.29 (OBJ_id_ce) */,
-    512 /* 2.23.42 (OBJ_id_set) */, 678 /* 2.23.43 (OBJ_wap) */,
-    435 /* 0.9.2342 (OBJ_pss) */, 183 /* 1.2.840 (OBJ_ISO_US) */,
-    381 /* 1.3.6.1 (OBJ_iana) */, 677 /* 1.3.132 (OBJ_certicom_arc) */,
+    434 /* 0.9 (OBJ_data) */,
+    182 /* 1.2 (OBJ_member_body) */,
+    379 /* 1.3 (OBJ_org) */,
+    676 /* 1.3 (OBJ_identified_organization) */,
+    11 /* 2.5 (OBJ_X500) */,
+    647 /* 2.23 (OBJ_international_organizations) */,
+    380 /* 1.3.6 (OBJ_dod) */,
+    12 /* 2.5.4 (OBJ_X509) */,
+    378 /* 2.5.8 (OBJ_X500algorithms) */,
+    81 /* 2.5.29 (OBJ_id_ce) */,
+    512 /* 2.23.42 (OBJ_id_set) */,
+    678 /* 2.23.43 (OBJ_wap) */,
+    435 /* 0.9.2342 (OBJ_pss) */,
+    183 /* 1.2.840 (OBJ_ISO_US) */,
+    381 /* 1.3.6.1 (OBJ_iana) */,
+    949 /* 1.3.101.112 (OBJ_ED25519) */,
+    677 /* 1.3.132 (OBJ_certicom_arc) */,
     394 /* 2.5.1.5 (OBJ_selected_attribute_types) */,
-    13 /* 2.5.4.3 (OBJ_commonName) */, 100 /* 2.5.4.4 (OBJ_surname) */,
-    105 /* 2.5.4.5 (OBJ_serialNumber) */, 14 /* 2.5.4.6 (OBJ_countryName) */,
+    13 /* 2.5.4.3 (OBJ_commonName) */,
+    100 /* 2.5.4.4 (OBJ_surname) */,
+    105 /* 2.5.4.5 (OBJ_serialNumber) */,
+    14 /* 2.5.4.6 (OBJ_countryName) */,
     15 /* 2.5.4.7 (OBJ_localityName) */,
     16 /* 2.5.4.8 (OBJ_stateOrProvinceName) */,
     660 /* 2.5.4.9 (OBJ_streetAddress) */,
     17 /* 2.5.4.10 (OBJ_organizationName) */,
     18 /* 2.5.4.11 (OBJ_organizationalUnitName) */,
-    106 /* 2.5.4.12 (OBJ_title) */, 107 /* 2.5.4.13 (OBJ_description) */,
+    106 /* 2.5.4.12 (OBJ_title) */,
+    107 /* 2.5.4.13 (OBJ_description) */,
     859 /* 2.5.4.14 (OBJ_searchGuide) */,
     860 /* 2.5.4.15 (OBJ_businessCategory) */,
-    861 /* 2.5.4.16 (OBJ_postalAddress) */, 661 /* 2.5.4.17 (OBJ_postalCode) */,
+    861 /* 2.5.4.16 (OBJ_postalAddress) */,
+    661 /* 2.5.4.17 (OBJ_postalCode) */,
     862 /* 2.5.4.18 (OBJ_postOfficeBox) */,
     863 /* 2.5.4.19 (OBJ_physicalDeliveryOfficeName) */,
     864 /* 2.5.4.20 (OBJ_telephoneNumber) */,
@@ -5360,15 +5407,18 @@ static const unsigned kNIDsInOIDOrder[] = {
     872 /* 2.5.4.28 (OBJ_preferredDeliveryMethod) */,
     873 /* 2.5.4.29 (OBJ_presentationAddress) */,
     874 /* 2.5.4.30 (OBJ_supportedApplicationContext) */,
-    875 /* 2.5.4.31 (OBJ_member) */, 876 /* 2.5.4.32 (OBJ_owner) */,
-    877 /* 2.5.4.33 (OBJ_roleOccupant) */, 878 /* 2.5.4.34 (OBJ_seeAlso) */,
+    875 /* 2.5.4.31 (OBJ_member) */,
+    876 /* 2.5.4.32 (OBJ_owner) */,
+    877 /* 2.5.4.33 (OBJ_roleOccupant) */,
+    878 /* 2.5.4.34 (OBJ_seeAlso) */,
     879 /* 2.5.4.35 (OBJ_userPassword) */,
     880 /* 2.5.4.36 (OBJ_userCertificate) */,
     881 /* 2.5.4.37 (OBJ_cACertificate) */,
     882 /* 2.5.4.38 (OBJ_authorityRevocationList) */,
     883 /* 2.5.4.39 (OBJ_certificateRevocationList) */,
     884 /* 2.5.4.40 (OBJ_crossCertificatePair) */,
-    173 /* 2.5.4.41 (OBJ_name) */, 99 /* 2.5.4.42 (OBJ_givenName) */,
+    173 /* 2.5.4.41 (OBJ_name) */,
+    99 /* 2.5.4.42 (OBJ_givenName) */,
     101 /* 2.5.4.43 (OBJ_initials) */,
     509 /* 2.5.4.44 (OBJ_generationQualifier) */,
     503 /* 2.5.4.45 (OBJ_x500UniqueIdentifier) */,
@@ -5380,7 +5430,8 @@ static const unsigned kNIDsInOIDOrder[] = {
     889 /* 2.5.4.51 (OBJ_houseIdentifier) */,
     890 /* 2.5.4.52 (OBJ_supportedAlgorithms) */,
     891 /* 2.5.4.53 (OBJ_deltaRevocationList) */,
-    892 /* 2.5.4.54 (OBJ_dmdName) */, 510 /* 2.5.4.65 (OBJ_pseudonym) */,
+    892 /* 2.5.4.54 (OBJ_dmdName) */,
+    510 /* 2.5.4.65 (OBJ_pseudonym) */,
     400 /* 2.5.4.72 (OBJ_role) */,
     769 /* 2.5.29.9 (OBJ_subject_directory_attributes) */,
     82 /* 2.5.29.14 (OBJ_subject_key_identifier) */,
@@ -5389,7 +5440,8 @@ static const unsigned kNIDsInOIDOrder[] = {
     85 /* 2.5.29.17 (OBJ_subject_alt_name) */,
     86 /* 2.5.29.18 (OBJ_issuer_alt_name) */,
     87 /* 2.5.29.19 (OBJ_basic_constraints) */,
-    88 /* 2.5.29.20 (OBJ_crl_number) */, 141 /* 2.5.29.21 (OBJ_crl_reason) */,
+    88 /* 2.5.29.20 (OBJ_crl_number) */,
+    141 /* 2.5.29.21 (OBJ_crl_reason) */,
     430 /* 2.5.29.23 (OBJ_hold_instruction_code) */,
     142 /* 2.5.29.24 (OBJ_invalidity_date) */,
     140 /* 2.5.29.27 (OBJ_delta_crl) */,
@@ -5405,16 +5457,26 @@ static const unsigned kNIDsInOIDOrder[] = {
     857 /* 2.5.29.46 (OBJ_freshest_crl) */,
     748 /* 2.5.29.54 (OBJ_inhibit_any_policy) */,
     402 /* 2.5.29.55 (OBJ_target_information) */,
-    403 /* 2.5.29.56 (OBJ_no_rev_avail) */, 513 /* 2.23.42.0 (OBJ_set_ctype) */,
-    514 /* 2.23.42.1 (OBJ_set_msgExt) */, 515 /* 2.23.42.3 (OBJ_set_attr) */,
-    516 /* 2.23.42.5 (OBJ_set_policy) */, 517 /* 2.23.42.7 (OBJ_set_certExt) */,
-    518 /* 2.23.42.8 (OBJ_set_brand) */, 679 /* 2.23.43.1 (OBJ_wap_wsg) */,
-    382 /* 1.3.6.1.1 (OBJ_Directory) */, 383 /* 1.3.6.1.2 (OBJ_Management) */,
-    384 /* 1.3.6.1.3 (OBJ_Experimental) */, 385 /* 1.3.6.1.4 (OBJ_Private) */,
-    386 /* 1.3.6.1.5 (OBJ_Security) */, 387 /* 1.3.6.1.6 (OBJ_SNMPv2) */,
-    388 /* 1.3.6.1.7 (OBJ_Mail) */, 376 /* 1.3.14.3.2 (OBJ_algorithm) */,
-    395 /* 2.5.1.5.55 (OBJ_clearance) */, 19 /* 2.5.8.1.1 (OBJ_rsa) */,
-    96 /* 2.5.8.3.100 (OBJ_mdc2WithRSA) */, 95 /* 2.5.8.3.101 (OBJ_mdc2) */,
+    403 /* 2.5.29.56 (OBJ_no_rev_avail) */,
+    513 /* 2.23.42.0 (OBJ_set_ctype) */,
+    514 /* 2.23.42.1 (OBJ_set_msgExt) */,
+    515 /* 2.23.42.3 (OBJ_set_attr) */,
+    516 /* 2.23.42.5 (OBJ_set_policy) */,
+    517 /* 2.23.42.7 (OBJ_set_certExt) */,
+    518 /* 2.23.42.8 (OBJ_set_brand) */,
+    679 /* 2.23.43.1 (OBJ_wap_wsg) */,
+    382 /* 1.3.6.1.1 (OBJ_Directory) */,
+    383 /* 1.3.6.1.2 (OBJ_Management) */,
+    384 /* 1.3.6.1.3 (OBJ_Experimental) */,
+    385 /* 1.3.6.1.4 (OBJ_Private) */,
+    386 /* 1.3.6.1.5 (OBJ_Security) */,
+    387 /* 1.3.6.1.6 (OBJ_SNMPv2) */,
+    388 /* 1.3.6.1.7 (OBJ_Mail) */,
+    376 /* 1.3.14.3.2 (OBJ_algorithm) */,
+    395 /* 2.5.1.5.55 (OBJ_clearance) */,
+    19 /* 2.5.8.1.1 (OBJ_rsa) */,
+    96 /* 2.5.8.3.100 (OBJ_mdc2WithRSA) */,
+    95 /* 2.5.8.3.101 (OBJ_mdc2) */,
     746 /* 2.5.29.32.0 (OBJ_any_policy) */,
     910 /* 2.5.29.37.0 (OBJ_anyExtendedKeyUsage) */,
     519 /* 2.23.42.0.0 (OBJ_setct_PANData) */,
@@ -5529,22 +5591,27 @@ static const unsigned kNIDsInOIDOrder[] = {
     638 /* 2.23.42.8.34 (OBJ_set_brand_AmericanExpress) */,
     639 /* 2.23.42.8.35 (OBJ_set_brand_JCB) */,
     805 /* 1.2.643.2.2 (OBJ_cryptopro) */,
-    806 /* 1.2.643.2.9 (OBJ_cryptocom) */, 184 /* 1.2.840.10040 (OBJ_X9_57) */,
+    806 /* 1.2.643.2.9 (OBJ_cryptocom) */,
+    184 /* 1.2.840.10040 (OBJ_X9_57) */,
     405 /* 1.2.840.10045 (OBJ_ansi_X9_62) */,
     389 /* 1.3.6.1.4.1 (OBJ_Enterprises) */,
     504 /* 1.3.6.1.7.1 (OBJ_mime_mhs) */,
     104 /* 1.3.14.3.2.3 (OBJ_md5WithRSA) */,
-    29 /* 1.3.14.3.2.6 (OBJ_des_ecb) */, 31 /* 1.3.14.3.2.7 (OBJ_des_cbc) */,
+    29 /* 1.3.14.3.2.6 (OBJ_des_ecb) */,
+    31 /* 1.3.14.3.2.7 (OBJ_des_cbc) */,
     45 /* 1.3.14.3.2.8 (OBJ_des_ofb64) */,
     30 /* 1.3.14.3.2.9 (OBJ_des_cfb64) */,
     377 /* 1.3.14.3.2.11 (OBJ_rsaSignature) */,
-    67 /* 1.3.14.3.2.12 (OBJ_dsa_2) */, 66 /* 1.3.14.3.2.13 (OBJ_dsaWithSHA) */,
+    67 /* 1.3.14.3.2.12 (OBJ_dsa_2) */,
+    66 /* 1.3.14.3.2.13 (OBJ_dsaWithSHA) */,
     42 /* 1.3.14.3.2.15 (OBJ_shaWithRSAEncryption) */,
-    32 /* 1.3.14.3.2.17 (OBJ_des_ede_ecb) */, 41 /* 1.3.14.3.2.18 (OBJ_sha) */,
+    32 /* 1.3.14.3.2.17 (OBJ_des_ede_ecb) */,
+    41 /* 1.3.14.3.2.18 (OBJ_sha) */,
     64 /* 1.3.14.3.2.26 (OBJ_sha1) */,
     70 /* 1.3.14.3.2.27 (OBJ_dsaWithSHA1_2) */,
     115 /* 1.3.14.3.2.29 (OBJ_sha1WithRSA) */,
-    117 /* 1.3.36.3.2.1 (OBJ_ripemd160) */, 143 /* 1.3.101.1.4.1 (OBJ_sxnet) */,
+    117 /* 1.3.36.3.2.1 (OBJ_ripemd160) */,
+    143 /* 1.3.101.1.4.1 (OBJ_sxnet) */,
     721 /* 1.3.132.0.1 (OBJ_sect163k1) */,
     722 /* 1.3.132.0.2 (OBJ_sect163r1) */,
     728 /* 1.3.132.0.3 (OBJ_sect239k1) */,
@@ -5608,7 +5675,8 @@ static const unsigned kNIDsInOIDOrder[] = {
     816 /* 1.2.643.2.2.23 (OBJ_id_GostR3411_94_prf) */,
     817 /* 1.2.643.2.2.98 (OBJ_id_GostR3410_2001DH) */,
     818 /* 1.2.643.2.2.99 (OBJ_id_GostR3410_94DH) */,
-    1 /* 1.2.840.113549 (OBJ_rsadsi) */, 185 /* 1.2.840.10040.4 (OBJ_X9cm) */,
+    1 /* 1.2.840.113549 (OBJ_rsadsi) */,
+    185 /* 1.2.840.10040.4 (OBJ_X9cm) */,
     127 /* 1.3.6.1.5.5.7 (OBJ_id_pkix) */,
     505 /* 1.3.6.1.7.1.1 (OBJ_mime_mhs_headings) */,
     506 /* 1.3.6.1.7.1.2 (OBJ_mime_mhs_bodies) */,

data/third_party/boringssl/crypto/obj/obj_xref.c

@@ -66,7 +66,7 @@ typedef struct {
 } nid_triple;
 
 static const nid_triple kTriples[] = {
-    /* RSA PKCS#1. */
+    // RSA PKCS#1.
     {NID_md4WithRSAEncryption, NID_md4, NID_rsaEncryption},
     {NID_md5WithRSAEncryption, NID_md5, NID_rsaEncryption},
     {NID_sha1WithRSAEncryption, NID_sha1, NID_rsaEncryption},
@@ -74,21 +74,21 @@ static const nid_triple kTriples[] = {
     {NID_sha256WithRSAEncryption, NID_sha256, NID_rsaEncryption},
     {NID_sha384WithRSAEncryption, NID_sha384, NID_rsaEncryption},
     {NID_sha512WithRSAEncryption, NID_sha512, NID_rsaEncryption},
-    /* DSA. */
+    // DSA.
     {NID_dsaWithSHA1, NID_sha1, NID_dsa},
     {NID_dsaWithSHA1_2, NID_sha1, NID_dsa_2},
     {NID_dsa_with_SHA224, NID_sha224, NID_dsa},
     {NID_dsa_with_SHA256, NID_sha256, NID_dsa},
-    /* ECDSA. */
+    // ECDSA.
     {NID_ecdsa_with_SHA1, NID_sha1, NID_X9_62_id_ecPublicKey},
     {NID_ecdsa_with_SHA224, NID_sha224, NID_X9_62_id_ecPublicKey},
     {NID_ecdsa_with_SHA256, NID_sha256, NID_X9_62_id_ecPublicKey},
     {NID_ecdsa_with_SHA384, NID_sha384, NID_X9_62_id_ecPublicKey},
     {NID_ecdsa_with_SHA512, NID_sha512, NID_X9_62_id_ecPublicKey},
-    /* For PSS the digest algorithm can vary and depends on the included
-     * AlgorithmIdentifier. The digest "undef" indicates the public key method
-     * should handle this explicitly. */
+    // The following algorithms use more complex (or simpler) parameters. The
+    // digest "undef" indicates the caller should handle this explicitly.
     {NID_rsassaPss, NID_undef, NID_rsaEncryption},
+    {NID_ED25519, NID_undef, NID_ED25519},
 };
 
 int OBJ_find_sigid_algs(int sign_nid, int *out_digest_nid, int *out_pkey_nid) {

data/third_party/boringssl/crypto/pem/pem_info.c

@@ -297,7 +297,6 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
                             unsigned char *kstr, int klen,
                             pem_password_cb *cb, void *u)
 {
-    EVP_CIPHER_CTX ctx;
     int i, ret = 0;
     unsigned char *data = NULL;
     const char *objstr = NULL;
@@ -374,8 +373,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
 
     ret = 1;
 
- err:
-    OPENSSL_cleanse((char *)&ctx, sizeof(ctx));
-    OPENSSL_cleanse(buf, PEM_BUFSIZE);
-    return (ret);
+err:
+  OPENSSL_cleanse(buf, PEM_BUFSIZE);
+  return ret;
 }

data/third_party/boringssl/crypto/pem/pem_lib.c

@@ -343,10 +343,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
     OPENSSL_cleanse(iv, sizeof(iv));
     OPENSSL_cleanse((char *)&ctx, sizeof(ctx));
     OPENSSL_cleanse(buf, PEM_BUFSIZE);
-    if (data != NULL) {
-        OPENSSL_cleanse(data, (unsigned int)dsize);
-        OPENSSL_free(data);
-    }
+    OPENSSL_free(data);
     return (ret);
 }
 
@@ -562,7 +559,6 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header,
     EVP_EncodeFinal(&ctx, buf, &outl);
     if ((outl > 0) && (BIO_write(bp, (char *)buf, outl) != outl))
         goto err;
-    OPENSSL_cleanse(buf, PEM_BUFSIZE * 8);
     OPENSSL_free(buf);
     buf = NULL;
     if ((BIO_write(bp, "-----END ", 9) != 9) ||
@@ -572,7 +568,6 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header,
     return (i + outl);
  err:
     if (buf) {
-        OPENSSL_cleanse(buf, PEM_BUFSIZE * 8);
         OPENSSL_free(buf);
     }
     OPENSSL_PUT_ERROR(PEM, reason);

data/third_party/boringssl/crypto/pem/pem_pk8.c

@@ -176,6 +176,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
     }
     p8inf = PKCS8_decrypt(p8, psbuf, klen);
     X509_SIG_free(p8);
+    OPENSSL_cleanse(psbuf, klen);
     if (!p8inf)
         return NULL;
     ret = EVP_PKCS82PKEY(p8inf);

data/third_party/boringssl/crypto/pem/pem_pkey.c

@@ -114,6 +114,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
         }
         p8inf = PKCS8_decrypt(p8, psbuf, klen);
         X509_SIG_free(p8);
+        OPENSSL_cleanse(psbuf, klen);
         if (!p8inf)
             goto p8err;
         ret = EVP_PKCS82PKEY(p8inf);
@@ -139,7 +140,6 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
 
  err:
     OPENSSL_free(nm);
-    OPENSSL_cleanse(data, len);
     OPENSSL_free(data);
     return (ret);
 }

data/third_party/boringssl/crypto/pem/pem_xaux.c

@@ -63,5 +63,3 @@
 #include <openssl/x509.h>
 
 IMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX)
-IMPLEMENT_PEM_rw(X509_CERT_PAIR, X509_CERT_PAIR, PEM_STRING_X509_PAIR,
-                 X509_CERT_PAIR)

data/third_party/boringssl/crypto/pkcs7/internal.h

@@ -0,0 +1,49 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_PKCS7_INTERNAL_H
+#define OPENSSL_HEADER_PKCS7_INTERNAL_H
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7
+// SignedData blob from |cbs| and sets |*out| to point to the rest of the
+// input. If the input is in BER format, then |*der_bytes| will be set to a
+// pointer that needs to be freed by the caller once they have finished
+// processing |*out| (which will be pointing into |*der_bytes|).
+//
+// It returns one on success or zero on error. On error, |*der_bytes| is
+// NULL.
+int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs);
+
+// pkcs7_bundle writes a PKCS#7, SignedData structure to |out| and then calls
+// |cb| with a CBB to which certificate or CRL data can be written, and the
+// opaque context pointer, |arg|. The callback can return zero to indicate an
+// error.
+//
+// pkcs7_bundle returns one on success or zero on error.
+int pkcs7_bundle(CBB *out, int (*cb)(CBB *out, const void *arg),
+                 const void *arg);
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_PKCS7_INTERNAL_H

data/third_party/boringssl/crypto/pkcs7/pkcs7.c

@@ -0,0 +1,166 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/pkcs7.h>
+
+#include <openssl/bytestring.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/pool.h>
+#include <openssl/stack.h>
+
+#include "internal.h"
+#include "../bytestring/internal.h"
+
+
+// 1.2.840.113549.1.7.1
+static const uint8_t kPKCS7Data[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
+                                     0x0d, 0x01, 0x07, 0x01};
+
+// 1.2.840.113549.1.7.2
+static const uint8_t kPKCS7SignedData[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
+                                           0x0d, 0x01, 0x07, 0x02};
+
+// pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7
+// SignedData blob from |cbs| and sets |*out| to point to the rest of the
+// input. If the input is in BER format, then |*der_bytes| will be set to a
+// pointer that needs to be freed by the caller once they have finished
+// processing |*out| (which will be pointing into |*der_bytes|).
+//
+// It returns one on success or zero on error. On error, |*der_bytes| is
+// NULL.
+int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs) {
+  size_t der_len;
+  CBS in, content_info, content_type, wrapped_signed_data, signed_data;
+  uint64_t version;
+
+  // The input may be in BER format.
+  *der_bytes = NULL;
+  if (!CBS_asn1_ber_to_der(cbs, der_bytes, &der_len)) {
+    return 0;
+  }
+  if (*der_bytes != NULL) {
+    CBS_init(&in, *der_bytes, der_len);
+  } else {
+    CBS_init(&in, CBS_data(cbs), CBS_len(cbs));
+  }
+
+  // See https://tools.ietf.org/html/rfc2315#section-7
+  if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE) ||
+      !CBS_get_asn1(&content_info, &content_type, CBS_ASN1_OBJECT)) {
+    goto err;
+  }
+
+  if (!CBS_mem_equal(&content_type, kPKCS7SignedData,
+                     sizeof(kPKCS7SignedData))) {
+    OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NOT_PKCS7_SIGNED_DATA);
+    goto err;
+  }
+
+  // See https://tools.ietf.org/html/rfc2315#section-9.1
+  if (!CBS_get_asn1(&content_info, &wrapped_signed_data,
+                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
+      !CBS_get_asn1(&wrapped_signed_data, &signed_data, CBS_ASN1_SEQUENCE) ||
+      !CBS_get_asn1_uint64(&signed_data, &version) ||
+      !CBS_get_asn1(&signed_data, NULL /* digests */, CBS_ASN1_SET) ||
+      !CBS_get_asn1(&signed_data, NULL /* content */, CBS_ASN1_SEQUENCE)) {
+    goto err;
+  }
+
+  if (version < 1) {
+    OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_BAD_PKCS7_VERSION);
+    goto err;
+  }
+
+  CBS_init(out, CBS_data(&signed_data), CBS_len(&signed_data));
+  return 1;
+
+err:
+  OPENSSL_free(*der_bytes);
+  *der_bytes = NULL;
+  return 0;
+}
+
+int PKCS7_get_raw_certificates(STACK_OF(CRYPTO_BUFFER) *out_certs, CBS *cbs,
+                               CRYPTO_BUFFER_POOL *pool) {
+  CBS signed_data, certificates;
+  uint8_t *der_bytes = NULL;
+  int ret = 0;
+  const size_t initial_certs_len = sk_CRYPTO_BUFFER_num(out_certs);
+
+  if (!pkcs7_parse_header(&der_bytes, &signed_data, cbs)) {
+    return 0;
+  }
+
+  // See https://tools.ietf.org/html/rfc2315#section-9.1
+  if (!CBS_get_asn1(&signed_data, &certificates,
+                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
+    OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NO_CERTIFICATES_INCLUDED);
+    goto err;
+  }
+
+  while (CBS_len(&certificates) > 0) {
+    CBS cert;
+    if (!CBS_get_asn1_element(&certificates, &cert, CBS_ASN1_SEQUENCE)) {
+      goto err;
+    }
+
+    CRYPTO_BUFFER *buf = CRYPTO_BUFFER_new_from_CBS(&cert, pool);
+    if (buf == NULL ||
+        !sk_CRYPTO_BUFFER_push(out_certs, buf)) {
+      CRYPTO_BUFFER_free(buf);
+      goto err;
+    }
+  }
+
+  ret = 1;
+
+err:
+  OPENSSL_free(der_bytes);
+
+  if (!ret) {
+    while (sk_CRYPTO_BUFFER_num(out_certs) != initial_certs_len) {
+      CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_pop(out_certs);
+      CRYPTO_BUFFER_free(buf);
+    }
+  }
+
+  return ret;
+}
+
+int pkcs7_bundle(CBB *out, int (*cb)(CBB *out, const void *arg),
+                 const void *arg) {
+  CBB outer_seq, oid, wrapped_seq, seq, version_bytes, digest_algos_set,
+      content_info;
+
+  // See https://tools.ietf.org/html/rfc2315#section-7
+  if (!CBB_add_asn1(out, &outer_seq, CBS_ASN1_SEQUENCE) ||
+      !CBB_add_asn1(&outer_seq, &oid, CBS_ASN1_OBJECT) ||
+      !CBB_add_bytes(&oid, kPKCS7SignedData, sizeof(kPKCS7SignedData)) ||
+      !CBB_add_asn1(&outer_seq, &wrapped_seq,
+                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
+      // See https://tools.ietf.org/html/rfc2315#section-9.1
+      !CBB_add_asn1(&wrapped_seq, &seq, CBS_ASN1_SEQUENCE) ||
+      !CBB_add_asn1(&seq, &version_bytes, CBS_ASN1_INTEGER) ||
+      !CBB_add_u8(&version_bytes, 1) ||
+      !CBB_add_asn1(&seq, &digest_algos_set, CBS_ASN1_SET) ||
+      !CBB_add_asn1(&seq, &content_info, CBS_ASN1_SEQUENCE) ||
+      !CBB_add_asn1(&content_info, &oid, CBS_ASN1_OBJECT) ||
+      !CBB_add_bytes(&oid, kPKCS7Data, sizeof(kPKCS7Data)) ||
+      !cb(&seq, arg)) {
+    return 0;
+  }
+
+  return CBB_flush(out);
+}