[dev.boringcrypto] all: merge master into dev.boringcrypto

Change-Id: I083d1e4e997b30d9fab10940401eaf160e36f6c1

diff --cc src/crypto/ecdsa/ecdsa.go
index 08a0533aa70da9a179825bf77fc229fd41bcc86e,ccce87385947f06dd30d813ee0998a35e3a8cd34..04738cdbd7b248ff7e2cf1e570d9b47eba74b8f7
--- 1/src/crypto/ecdsa/ecdsa.go
--- 2/src/crypto/ecdsa/ecdsa.go
+++ b/src/crypto/ecdsa/ecdsa.go
@@@ -65,10 -60,11 +65,13 @@@ const 
  type PublicKey struct {
        elliptic.Curve
        X, Y *big.Int
 +
 +      boring unsafe.Pointer
  }
  
+ // Any methods implemented on PublicKey might need to also be implemented on
+ // PrivateKey, as the latter embeds the former and will expose its methods.
+ 
  // Equal reports whether pub and x have the same value.
  //
  // Two keys are only considered to have the same value if they have the same Curve value.

diff --cc src/crypto/rsa/rsa.go
index 4c67644ccb6e324522204453396cb72e0071851a,b414b44148a46c476a8c5df4679a0bc1ba817847..94a66216a56d4596cd6430bd636bb9a1abce662f
--- 1/src/crypto/rsa/rsa.go
--- 2/src/crypto/rsa/rsa.go
+++ b/src/crypto/rsa/rsa.go
@@@ -47,10 -42,11 +47,13 @@@ var bigOne = big.NewInt(1
  type PublicKey struct {
        N *big.Int // modulus
        E int      // public exponent
 +
 +      boring unsafe.Pointer
  }
  
+ // Any methods implemented on PublicKey might need to also be implemented on
+ // PrivateKey, as the latter embeds the former and will expose its methods.
+ 
  // Size returns the modulus size in bytes. Raw signatures and ciphertexts
  // for or by this public key will have the same size.
  func (pub *PublicKey) Size() int {

diff --cc src/crypto/tls/common.go
Simple merge

diff --cc src/crypto/tls/handshake_client.go
Simple merge

diff --cc src/crypto/tls/handshake_client_tls13.go
Simple merge

diff --cc src/crypto/tls/handshake_messages_test.go
Simple merge

diff --cc src/crypto/tls/handshake_server.go
Simple merge

diff --cc src/crypto/x509/verify.go
index df7aadeeb6faa2c5c88a3fa7cec9fa3e2f7295b0,05936f2e358db061096460719a04c1a437459056..e01f55733ce91aac18303a1ab1256986ff45ca52
--- 1/src/crypto/x509/verify.go
--- 2/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@@ -185,18 -185,24 +185,29 @@@ func (se SystemRootsError) Error() stri
  // verified. Platform-specific verification needs the ASN.1 contents.
  var errNotParsed = errors.New("x509: missing ASN.1 contents; use ParseCertificate")
  
- // VerifyOptions contains parameters for Certificate.Verify. It's a structure
- // because other PKIX verification APIs have ended up needing many options.
+ // VerifyOptions contains parameters for Certificate.Verify.
  type VerifyOptions struct {
-       DNSName       string
 +      // IsBoring is a validity check for BoringCrypto.
 +      // If not nil, it will be called to check whether a given certificate
 +      // can be used for constructing verification chains.
 +      IsBoring func(*Certificate) bool
 +
+       // DNSName, if set, is checked against the leaf certificate with
+       // Certificate.VerifyHostname.
+       DNSName string
+ 
+       // Intermediates is an optional pool of certificates that are not trust
+       // anchors, but can be used to form a chain from the leaf certificate to a
+       // root certificate.
        Intermediates *CertPool
-       Roots         *CertPool // if nil, the system roots are used
-       CurrentTime   time.Time // if zero, the current time is used
+       // Roots is the set of trusted root certificates the leaf certificate needs
+       // to chain up to. If nil, the system roots or the platform verifier are used.
+       Roots *CertPool
+ 
+       // CurrentTime is used to check the validity of all certificates in the
+       // chain. If zero, the current time is used.
+       CurrentTime time.Time
+ 
        // KeyUsage specifies which Extended Key Usage values are acceptable. A leaf
        // certificate is accepted if it contains any of the listed values. An empty
        // list means ExtKeyUsageServerAuth. To accept any key usage, include