BASELINE: Update Chromium to 69.0.3497.70

Change-Id: I2b7b56e4e7a8b26656930def0d4575dc32b900a0
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

15 files changed, 102 insertions, 409 deletions

diff --git a/chromium/crypto/BUILD.gn b/chromium/crypto/BUILD.gn
index 54539e96ea1..1097db5148c 100644
--- a/chromium/crypto/BUILD.gn
+++ b/chromium/crypto/BUILD.gn
@@ -133,7 +133,6 @@ test("crypto_unittests") {
     "ec_private_key_unittest.cc",
     "ec_signature_creator_unittest.cc",
     "encryptor_unittest.cc",
-    "hkdf_unittest.cc",
     "hmac_unittest.cc",
     "nss_key_util_unittest.cc",
     "nss_util_unittest.cc",
diff --git a/chromium/crypto/aead.cc b/chromium/crypto/aead.cc
index 30766054fd1..be6ea52b451 100644
--- a/chromium/crypto/aead.cc
+++ b/chromium/crypto/aead.cc
@@ -24,6 +24,9 @@ Aead::Aead(AeadAlgorithm algorithm) : key_(nullptr) {
     case AES_256_GCM:
       aead_ = EVP_aead_aes_256_gcm();
       break;
+    case AES_256_GCM_SIV:
+      aead_ = EVP_aead_aes_256_gcm_siv();
+      break;
   }
 }
 
diff --git a/chromium/crypto/aead.h b/chromium/crypto/aead.h
index 494e77630fe..5802c7ef561 100644
--- a/chromium/crypto/aead.h
+++ b/chromium/crypto/aead.h
@@ -19,7 +19,7 @@ namespace crypto {
 // This class exposes the AES-128-CTR-HMAC-SHA256 and AES_256_GCM AEAD.
 class CRYPTO_EXPORT Aead {
  public:
-  enum AeadAlgorithm { AES_128_CTR_HMAC_SHA256, AES_256_GCM };
+  enum AeadAlgorithm { AES_128_CTR_HMAC_SHA256, AES_256_GCM, AES_256_GCM_SIV };
 
   explicit Aead(AeadAlgorithm algorithm);
 
diff --git a/chromium/crypto/aead_unittest.cc b/chromium/crypto/aead_unittest.cc
index 7409753f284..559e1252502 100644
--- a/chromium/crypto/aead_unittest.cc
+++ b/chromium/crypto/aead_unittest.cc
@@ -10,45 +10,18 @@
 
 namespace {
 
-TEST(AeadTest, SealOpenCtrHmac) {
-  crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256);
-  std::string key(aead.KeyLength(), 0);
-  aead.Init(&key);
-  std::string nonce(aead.NonceLength(), 0);
-  std::string plaintext("this is the plaintext");
-  std::string ad("this is the additional data");
-  std::string ciphertext;
-  EXPECT_TRUE(aead.Seal(plaintext, nonce, ad, &ciphertext));
-  EXPECT_LT(0U, ciphertext.size());
+const crypto::Aead::AeadAlgorithm kAllAlgorithms[]{
+    crypto::Aead::AES_128_CTR_HMAC_SHA256, crypto::Aead::AES_256_GCM,
+    crypto::Aead::AES_256_GCM_SIV,
+};
 
-  std::string decrypted;
-  EXPECT_TRUE(aead.Open(ciphertext, nonce, ad, &decrypted));
+class AeadTest : public testing::TestWithParam<crypto::Aead::AeadAlgorithm> {};
 
-  EXPECT_EQ(plaintext, decrypted);
-}
-
-TEST(AeadTest, SealOpenWrongKeyCtrHmac) {
-  crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256);
-  std::string key(aead.KeyLength(), 0);
-  std::string wrong_key(aead.KeyLength(), 1);
-  aead.Init(&key);
-  crypto::Aead aead_wrong_key(crypto::Aead::AES_128_CTR_HMAC_SHA256);
-  aead_wrong_key.Init(&wrong_key);
-
-  std::string nonce(aead.NonceLength(), 0);
-  std::string plaintext("this is the plaintext");
-  std::string ad("this is the additional data");
-  std::string ciphertext;
-  EXPECT_TRUE(aead.Seal(plaintext, nonce, ad, &ciphertext));
-  EXPECT_LT(0U, ciphertext.size());
-
-  std::string decrypted;
-  EXPECT_FALSE(aead_wrong_key.Open(ciphertext, nonce, ad, &decrypted));
-  EXPECT_EQ(0U, decrypted.size());
-}
+INSTANTIATE_TEST_CASE_P(, AeadTest, testing::ValuesIn(kAllAlgorithms));
 
-TEST(AeadTest, SealOpenGcm) {
-  crypto::Aead aead(crypto::Aead::AES_256_GCM);
+TEST_P(AeadTest, SealOpen) {
+  crypto::Aead::AeadAlgorithm alg = GetParam();
+  crypto::Aead aead(alg);
   std::string key(aead.KeyLength(), 0);
   aead.Init(&key);
   std::string nonce(aead.NonceLength(), 0);
@@ -64,12 +37,13 @@ TEST(AeadTest, SealOpenGcm) {
   EXPECT_EQ(plaintext, decrypted);
 }
 
-TEST(AeadTest, SealOpenWrongKeyGcm) {
-  crypto::Aead aead(crypto::Aead::AES_256_GCM);
+TEST_P(AeadTest, SealOpenWrongKey) {
+  crypto::Aead::AeadAlgorithm alg = GetParam();
+  crypto::Aead aead(alg);
   std::string key(aead.KeyLength(), 0);
   std::string wrong_key(aead.KeyLength(), 1);
   aead.Init(&key);
-  crypto::Aead aead_wrong_key(crypto::Aead::AES_256_GCM);
+  crypto::Aead aead_wrong_key(alg);
   aead_wrong_key.Init(&wrong_key);
 
   std::string nonce(aead.NonceLength(), 0);
diff --git a/chromium/crypto/apple_keychain.h b/chromium/crypto/apple_keychain.h
index ca681df5e0a..01f8d285e1e 100644
--- a/chromium/crypto/apple_keychain.h
+++ b/chromium/crypto/apple_keychain.h
@@ -11,14 +11,14 @@
 #include "build/build_config.h"
 #include "crypto/crypto_export.h"
 
-#if defined (OS_IOS)
-typedef void* SecKeychainRef;
-typedef void* SecKeychainItemRef;
-typedef void SecKeychainAttributeList;
-#endif
-
 namespace crypto {
 
+#if defined(OS_IOS)
+using AppleSecKeychainItemRef = void*;
+#else
+using AppleSecKeychainItemRef = SecKeychainItemRef;
+#endif
+
 // Wraps the KeychainServices API in a very thin layer, to allow it to be
 // mocked out for testing.
 
@@ -32,29 +32,26 @@ class CRYPTO_EXPORT AppleKeychain {
   AppleKeychain();
   virtual ~AppleKeychain();
 
-  virtual OSStatus FindGenericPassword(CFTypeRef keychainOrArray,
-                                       UInt32 serviceNameLength,
+  virtual OSStatus FindGenericPassword(UInt32 serviceNameLength,
                                        const char* serviceName,
                                        UInt32 accountNameLength,
                                        const char* accountName,
                                        UInt32* passwordLength,
                                        void** passwordData,
-                                       SecKeychainItemRef* itemRef) const;
+                                       AppleSecKeychainItemRef* itemRef) const;
 
-  virtual OSStatus ItemFreeContent(SecKeychainAttributeList* attrList,
-                                   void* data) const;
+  virtual OSStatus ItemFreeContent(void* data) const;
 
-  virtual OSStatus AddGenericPassword(SecKeychainRef keychain,
-                                      UInt32 serviceNameLength,
+  virtual OSStatus AddGenericPassword(UInt32 serviceNameLength,
                                       const char* serviceName,
                                       UInt32 accountNameLength,
                                       const char* accountName,
                                       UInt32 passwordLength,
                                       const void* passwordData,
-                                      SecKeychainItemRef* itemRef) const;
+                                      AppleSecKeychainItemRef* itemRef) const;
 
 #if !defined(OS_IOS)
-  virtual OSStatus ItemDelete(SecKeychainItemRef itemRef) const;
+  virtual OSStatus ItemDelete(AppleSecKeychainItemRef itemRef) const;
 #endif  // !defined(OS_IOS)
 
  private:
diff --git a/chromium/crypto/apple_keychain_ios.mm b/chromium/crypto/apple_keychain_ios.mm
index 74cf129ce1f..e16407d0af0 100644
--- a/chromium/crypto/apple_keychain_ios.mm
+++ b/chromium/crypto/apple_keychain_ios.mm
@@ -112,20 +112,19 @@ AppleKeychain::AppleKeychain() {}
 
 AppleKeychain::~AppleKeychain() {}
 
-OSStatus AppleKeychain::ItemFreeContent(SecKeychainAttributeList* attrList,
-                                        void* data) const {
+OSStatus AppleKeychain::ItemFreeContent(void* data) const {
   free(data);
   return noErr;
 }
 
-OSStatus AppleKeychain::AddGenericPassword(SecKeychainRef keychain,
-                                           UInt32 serviceNameLength,
-                                           const char* serviceName,
-                                           UInt32 accountNameLength,
-                                           const char* accountName,
-                                           UInt32 passwordLength,
-                                           const void* passwordData,
-                                           SecKeychainItemRef* itemRef) const {
+OSStatus AppleKeychain::AddGenericPassword(
+    UInt32 serviceNameLength,
+    const char* serviceName,
+    UInt32 accountNameLength,
+    const char* accountName,
+    UInt32 passwordLength,
+    const void* passwordData,
+    AppleSecKeychainItemRef* itemRef) const {
   base::ScopedCFTypeRef<CFDictionaryRef> query(CreateGenericPasswordQuery(
       serviceNameLength, serviceName, accountNameLength, accountName));
   // Check that there is not already a password.
@@ -157,14 +156,14 @@ OSStatus AppleKeychain::AddGenericPassword(SecKeychainRef keychain,
   return status;
 }
 
-OSStatus AppleKeychain::FindGenericPassword(CFTypeRef keychainOrArray,
-                                            UInt32 serviceNameLength,
-                                            const char* serviceName,
-                                            UInt32 accountNameLength,
-                                            const char* accountName,
-                                            UInt32* passwordLength,
-                                            void** passwordData,
-                                            SecKeychainItemRef* itemRef) const {
+OSStatus AppleKeychain::FindGenericPassword(
+    UInt32 serviceNameLength,
+    const char* serviceName,
+    UInt32 accountNameLength,
+    const char* accountName,
+    UInt32* passwordLength,
+    void** passwordData,
+    AppleSecKeychainItemRef* itemRef) const {
   DCHECK((passwordData && passwordLength) ||
          (!passwordData && !passwordLength));
   base::ScopedCFTypeRef<CFDictionaryRef> query(CreateGenericPasswordQuery(
diff --git a/chromium/crypto/apple_keychain_mac.mm b/chromium/crypto/apple_keychain_mac.mm
index a36204858b7..5158f48c08f 100644
--- a/chromium/crypto/apple_keychain_mac.mm
+++ b/chromium/crypto/apple_keychain_mac.mm
@@ -15,53 +15,42 @@ AppleKeychain::AppleKeychain() {}
 
 AppleKeychain::~AppleKeychain() {}
 
-OSStatus AppleKeychain::ItemDelete(SecKeychainItemRef itemRef) const {
+OSStatus AppleKeychain::ItemDelete(AppleSecKeychainItemRef itemRef) const {
   base::AutoLock lock(GetMacSecurityServicesLock());
   return SecKeychainItemDelete(itemRef);
 }
 
-OSStatus AppleKeychain::FindGenericPassword(CFTypeRef keychainOrArray,
-                                            UInt32 serviceNameLength,
-                                            const char* serviceName,
-                                            UInt32 accountNameLength,
-                                            const char* accountName,
-                                            UInt32* passwordLength,
-                                            void** passwordData,
-                                            SecKeychainItemRef* itemRef) const {
+OSStatus AppleKeychain::FindGenericPassword(
+    UInt32 serviceNameLength,
+    const char* serviceName,
+    UInt32 accountNameLength,
+    const char* accountName,
+    UInt32* passwordLength,
+    void** passwordData,
+    AppleSecKeychainItemRef* itemRef) const {
   base::AutoLock lock(GetMacSecurityServicesLock());
-  return SecKeychainFindGenericPassword(keychainOrArray,
-                                        serviceNameLength,
-                                        serviceName,
-                                        accountNameLength,
-                                        accountName,
-                                        passwordLength,
-                                        passwordData,
-                                        itemRef);
+  return SecKeychainFindGenericPassword(nullptr, serviceNameLength, serviceName,
+                                        accountNameLength, accountName,
+                                        passwordLength, passwordData, itemRef);
 }
 
-OSStatus AppleKeychain::ItemFreeContent(SecKeychainAttributeList* attrList,
-                                        void* data) const {
+OSStatus AppleKeychain::ItemFreeContent(void* data) const {
   base::AutoLock lock(GetMacSecurityServicesLock());
-  return SecKeychainItemFreeContent(attrList, data);
+  return SecKeychainItemFreeContent(nullptr, data);
 }
 
-OSStatus AppleKeychain::AddGenericPassword(SecKeychainRef keychain,
-                                           UInt32 serviceNameLength,
-                                           const char* serviceName,
-                                           UInt32 accountNameLength,
-                                           const char* accountName,
-                                           UInt32 passwordLength,
-                                           const void* passwordData,
-                                           SecKeychainItemRef* itemRef) const {
+OSStatus AppleKeychain::AddGenericPassword(
+    UInt32 serviceNameLength,
+    const char* serviceName,
+    UInt32 accountNameLength,
+    const char* accountName,
+    UInt32 passwordLength,
+    const void* passwordData,
+    AppleSecKeychainItemRef* itemRef) const {
   base::AutoLock lock(GetMacSecurityServicesLock());
-  return SecKeychainAddGenericPassword(keychain,
-                                       serviceNameLength,
-                                       serviceName,
-                                       accountNameLength,
-                                       accountName,
-                                       passwordLength,
-                                       passwordData,
-                                       itemRef);
+  return SecKeychainAddGenericPassword(nullptr, serviceNameLength, serviceName,
+                                       accountNameLength, accountName,
+                                       passwordLength, passwordData, itemRef);
 }
 
 }  // namespace crypto
diff --git a/chromium/crypto/ec_private_key.cc b/chromium/crypto/ec_private_key.cc
index 290770a50c5..c30a610719a 100644
--- a/chromium/crypto/ec_private_key.cc
+++ b/chromium/crypto/ec_private_key.cc
@@ -89,10 +89,7 @@ std::unique_ptr<ECPrivateKey> ECPrivateKey::CreateFromEncryptedPrivateKeyInfo(
 
 std::unique_ptr<ECPrivateKey> ECPrivateKey::Copy() const {
   std::unique_ptr<ECPrivateKey> copy(new ECPrivateKey());
-  if (key_) {
-    EVP_PKEY_up_ref(key_.get());
-    copy->key_.reset(key_.get());
-  }
+  copy->key_ = bssl::UpRef(key_);
   return copy;
 }
 
diff --git a/chromium/crypto/hkdf.cc b/chromium/crypto/hkdf.cc
index 6e4f84f3216..e2d367cdd29 100644
--- a/chromium/crypto/hkdf.cc
+++ b/chromium/crypto/hkdf.cc
@@ -11,125 +11,24 @@
 
 #include "base/logging.h"
 #include "crypto/hmac.h"
+#include "third_party/boringssl/src/include/openssl/digest.h"
+#include "third_party/boringssl/src/include/openssl/hkdf.h"
 
 namespace crypto {
 
-const size_t kSHA256HashLength = 32;
-
-HKDF::HKDF(base::StringPiece secret,
-           base::StringPiece salt,
-           base::StringPiece info,
-           size_t key_bytes_to_generate,
-           size_t iv_bytes_to_generate,
-           size_t subkey_secret_bytes_to_generate)
-    : HKDF(secret,
-           salt,
-           info,
-           key_bytes_to_generate,
-           key_bytes_to_generate,
-           iv_bytes_to_generate,
-           iv_bytes_to_generate,
-           subkey_secret_bytes_to_generate) {}
-
-HKDF::HKDF(base::StringPiece secret,
-           base::StringPiece salt,
-           base::StringPiece info,
-           size_t client_key_bytes_to_generate,
-           size_t server_key_bytes_to_generate,
-           size_t client_iv_bytes_to_generate,
-           size_t server_iv_bytes_to_generate,
-           size_t subkey_secret_bytes_to_generate) {
-  // https://tools.ietf.org/html/rfc5869#section-2.2
-  base::StringPiece actual_salt = salt;
-  char zeros[kSHA256HashLength];
-  if (actual_salt.empty()) {
-    // If salt is not given, HashLength zeros are used.
-    memset(zeros, 0, sizeof(zeros));
-    actual_salt.set(zeros, sizeof(zeros));
-  }
-
-  // Perform the Extract step to transform the input key and
-  // salt into the pseudorandom key (PRK) used for Expand.
-  HMAC prk_hmac(HMAC::SHA256);
-  bool result = prk_hmac.Init(actual_salt);
-  DCHECK(result);
-
-  // |prk| is a pseudorandom key (of kSHA256HashLength octets).
-  uint8_t prk[kSHA256HashLength];
-  DCHECK_EQ(sizeof(prk), prk_hmac.DigestLength());
-  result = prk_hmac.Sign(secret, prk, sizeof(prk));
-  DCHECK(result);
-
-  // https://tools.ietf.org/html/rfc5869#section-2.3
-  // Perform the Expand phase to turn the pseudorandom key
-  // and info into the output keying material.
-  const size_t material_length =
-      client_key_bytes_to_generate + client_iv_bytes_to_generate +
-      server_key_bytes_to_generate + server_iv_bytes_to_generate +
-      subkey_secret_bytes_to_generate;
-  const size_t n =
-      (material_length + kSHA256HashLength - 1) / kSHA256HashLength;
-  DCHECK_LT(n, 256u);
-
-  output_.resize(n * kSHA256HashLength);
-  base::StringPiece previous;
-
-  std::unique_ptr<char[]> buf(new char[kSHA256HashLength + info.size() + 1]);
-  uint8_t digest[kSHA256HashLength];
-
-  HMAC hmac(HMAC::SHA256);
-  result = hmac.Init(prk, sizeof(prk));
+std::string HkdfSha256(base::StringPiece secret,
+                       base::StringPiece salt,
+                       base::StringPiece info,
+                       size_t derived_key_size) {
+  std::string key;
+  key.resize(derived_key_size);
+  int result = ::HKDF(
+      reinterpret_cast<uint8_t*>(&key[0]), derived_key_size, EVP_sha256(),
+      reinterpret_cast<const uint8_t*>(secret.data()), secret.size(),
+      reinterpret_cast<const uint8_t*>(salt.data()), salt.size(),
+      reinterpret_cast<const uint8_t*>(info.data()), info.size());
   DCHECK(result);
-
-  for (size_t i = 0; i < n; i++) {
-    memcpy(buf.get(), previous.data(), previous.size());
-    size_t j = previous.size();
-    memcpy(buf.get() + j, info.data(), info.size());
-    j += info.size();
-    buf[j++] = static_cast<char>(i + 1);
-
-    result = hmac.Sign(base::StringPiece(buf.get(), j), digest, sizeof(digest));
-    DCHECK(result);
-
-    memcpy(&output_[i*sizeof(digest)], digest, sizeof(digest));
-    previous = base::StringPiece(reinterpret_cast<char*>(digest),
-                                 sizeof(digest));
-  }
-
-  size_t j = 0;
-  // On Windows, when the size of output_ is zero, dereference of 0'th element
-  // results in a crash. C++11 solves this problem by adding a data() getter
-  // method to std::vector.
-  if (client_key_bytes_to_generate) {
-    client_write_key_ = base::StringPiece(reinterpret_cast<char*>(&output_[j]),
-                                          client_key_bytes_to_generate);
-    j += client_key_bytes_to_generate;
-  }
-
-  if (server_key_bytes_to_generate) {
-    server_write_key_ = base::StringPiece(reinterpret_cast<char*>(&output_[j]),
-                                          server_key_bytes_to_generate);
-    j += server_key_bytes_to_generate;
-  }
-
-  if (client_iv_bytes_to_generate) {
-    client_write_iv_ = base::StringPiece(reinterpret_cast<char*>(&output_[j]),
-                                         client_iv_bytes_to_generate);
-    j += client_iv_bytes_to_generate;
-  }
-
-  if (server_iv_bytes_to_generate) {
-    server_write_iv_ = base::StringPiece(reinterpret_cast<char*>(&output_[j]),
-                                         server_iv_bytes_to_generate);
-    j += server_iv_bytes_to_generate;
-  }
-
-  if (subkey_secret_bytes_to_generate) {
-    subkey_secret_ = base::StringPiece(reinterpret_cast<char*>(&output_[j]),
-                                       subkey_secret_bytes_to_generate);
-  }
+  return key;
 }
 
-HKDF::~HKDF() = default;
-
 }  // namespace crypto
diff --git a/chromium/crypto/hkdf.h b/chromium/crypto/hkdf.h
index ff93e2b2676..f0d7a50e84f 100644
--- a/chromium/crypto/hkdf.h
+++ b/chromium/crypto/hkdf.h
@@ -6,78 +6,19 @@
 #define CRYPTO_HKDF_H_
 
 #include <stddef.h>
-#include <stdint.h>
 
-#include <vector>
+#include <string>
 
 #include "base/strings/string_piece.h"
 #include "crypto/crypto_export.h"
 
 namespace crypto {
 
-// HKDF implements the key derivation function specified in RFC 5869 (using
-// SHA-256) and outputs key material, as needed by QUIC.
-// See https://tools.ietf.org/html/rfc5869 for details.
-class CRYPTO_EXPORT HKDF {
- public:
-  // |secret|: the input shared secret (or, from RFC 5869, the IKM).
-  // |salt|: an (optional) public salt / non-secret random value. While
-  // optional, callers are strongly recommended to provide a salt. There is no
-  // added security value in making this larger than the SHA-256 block size of
-  // 64 bytes.
-  // |info|: an (optional) label to distinguish different uses of HKDF. It is
-  // optional context and application specific information (can be a zero-length
-  // string).
-  // |key_bytes_to_generate|: the number of bytes of key material to generate
-  // for both client and server.
-  // |iv_bytes_to_generate|: the number of bytes of IV to generate for both
-  // client and server.
-  // |subkey_secret_bytes_to_generate|: the number of bytes of subkey secret to
-  // generate, shared between client and server.
-  HKDF(base::StringPiece secret,
-       base::StringPiece salt,
-       base::StringPiece info,
-       size_t key_bytes_to_generate,
-       size_t iv_bytes_to_generate,
-       size_t subkey_secret_bytes_to_generate);
-
-  // An alternative constructor that allows the client and server key/IV
-  // lengths to be different.
-  HKDF(base::StringPiece secret,
-       base::StringPiece salt,
-       base::StringPiece info,
-       size_t client_key_bytes_to_generate,
-       size_t server_key_bytes_to_generate,
-       size_t client_iv_bytes_to_generate,
-       size_t server_iv_bytes_to_generate,
-       size_t subkey_secret_bytes_to_generate);
-  ~HKDF();
-
-  base::StringPiece client_write_key() const {
-    return client_write_key_;
-  }
-  base::StringPiece client_write_iv() const {
-    return client_write_iv_;
-  }
-  base::StringPiece server_write_key() const {
-    return server_write_key_;
-  }
-  base::StringPiece server_write_iv() const {
-    return server_write_iv_;
-  }
-  base::StringPiece subkey_secret() const {
-    return subkey_secret_;
-  }
-
- private:
-  std::vector<uint8_t> output_;
-
-  base::StringPiece client_write_key_;
-  base::StringPiece server_write_key_;
-  base::StringPiece client_write_iv_;
-  base::StringPiece server_write_iv_;
-  base::StringPiece subkey_secret_;
-};
+CRYPTO_EXPORT
+std::string HkdfSha256(base::StringPiece secret,
+                       base::StringPiece salt,
+                       base::StringPiece info,
+                       size_t derived_key_size);
 
 }  // namespace crypto
 
diff --git a/chromium/crypto/hkdf_unittest.cc b/chromium/crypto/hkdf_unittest.cc
deleted file mode 100644
index 0412703d4f9..00000000000
--- a/chromium/crypto/hkdf_unittest.cc
+++ /dev/null
@@ -1,98 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "crypto/hkdf.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <string>
-
-#include "base/macros.h"
-#include "base/strings/string_number_conversions.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-using crypto::HKDF;
-
-namespace test {
-namespace {
-
-struct HKDFTest {
-  const char* key_hex;
-  const char* salt_hex;
-  const char* info_hex;
-  const char* output_hex;
-};
-
-// These test cases are taken from
-// https://tools.ietf.org/html/rfc5869#appendix-A.
-static const HKDFTest kHKDFTests[] = {{
-    "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
-    "000102030405060708090a0b0c",
-    "f0f1f2f3f4f5f6f7f8f9",
-    "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5"
-    "b887185865",
-  }, {
-    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f2021222324"
-    "25262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f40414243444546474849"
-    "4a4b4c4d4e4f",
-    "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f8081828384"
-    "85868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9"
-    "aaabacadaeaf",
-    "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4"
-    "d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9"
-    "fafbfcfdfeff",
-    "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99ca"
-    "c7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c"
-    "01d5c1f3434f1d87",
-  }, {
-    "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
-    "",
-    "",
-    "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395fa"
-    "a4b61a96c8",
-  },
-};
-
-TEST(HKDFTest, HKDF) {
-  for (size_t i = 0; i < arraysize(kHKDFTests); i++) {
-    const HKDFTest& test(kHKDFTests[i]);
-    SCOPED_TRACE(i);
-
-    std::vector<uint8_t> data;
-    ASSERT_TRUE(base::HexStringToBytes(test.key_hex, &data));
-    const std::string key(reinterpret_cast<char*>(&data[0]), data.size());
-
-    data.clear();
-    // |salt_hex| is optional and may be empty.
-    std::string salt(test.salt_hex);
-    if (!salt.empty()) {
-      ASSERT_TRUE(base::HexStringToBytes(salt, &data));
-      salt.assign(reinterpret_cast<char*>(&data[0]), data.size());
-    }
-
-    data.clear();
-    // |info_hex| is optional and may be empty.
-    std::string info(test.info_hex);
-    if (!info.empty()) {
-      ASSERT_TRUE(base::HexStringToBytes(info, &data));
-      info.assign(reinterpret_cast<char*>(&data[0]), data.size());
-    }
-
-    data.clear();
-    ASSERT_TRUE(base::HexStringToBytes(test.output_hex, &data));
-    const std::string expected(reinterpret_cast<char*>(&data[0]), data.size());
-
-    // We set the key_length to the length of the expected output and then take
-    // the result from the first key, which is the client write key.
-    HKDF hkdf(key, salt, info, expected.size(), 0, 0);
-
-    ASSERT_EQ(expected.size(), hkdf.client_write_key().size());
-    EXPECT_EQ(0, memcmp(expected.data(), hkdf.client_write_key().data(),
-                        expected.size()));
-  }
-}
-
-}  // namespace
-}  // namespace test
diff --git a/chromium/crypto/mock_apple_keychain.cc b/chromium/crypto/mock_apple_keychain.cc
index 173cfa713b9..453114ef43b 100644
--- a/chromium/crypto/mock_apple_keychain.cc
+++ b/chromium/crypto/mock_apple_keychain.cc
@@ -25,14 +25,13 @@ void IncrementKeychainAccessHistogram() {
 namespace crypto {
 
 OSStatus MockAppleKeychain::FindGenericPassword(
-    CFTypeRef keychainOrArray,
     UInt32 serviceNameLength,
     const char* serviceName,
     UInt32 accountNameLength,
     const char* accountName,
     UInt32* passwordLength,
     void** passwordData,
-    SecKeychainItemRef* itemRef) const {
+    AppleSecKeychainItemRef* itemRef) const {
   IncrementKeychainAccessHistogram();
 
   // When simulating |noErr|, return canned |passwordData| and
@@ -50,22 +49,20 @@ OSStatus MockAppleKeychain::FindGenericPassword(
   return find_generic_result_;
 }
 
-OSStatus MockAppleKeychain::ItemFreeContent(SecKeychainAttributeList* attrList,
-                                            void* data) const {
+OSStatus MockAppleKeychain::ItemFreeContent(void* data) const {
   // No-op.
   password_data_count_--;
   return noErr;
 }
 
 OSStatus MockAppleKeychain::AddGenericPassword(
-    SecKeychainRef keychain,
     UInt32 serviceNameLength,
     const char* serviceName,
     UInt32 accountNameLength,
     const char* accountName,
     UInt32 passwordLength,
     const void* passwordData,
-    SecKeychainItemRef* itemRef) const {
+    AppleSecKeychainItemRef* itemRef) const {
   IncrementKeychainAccessHistogram();
 
   called_add_generic_ = true;
diff --git a/chromium/crypto/mock_apple_keychain.h b/chromium/crypto/mock_apple_keychain.h
index b256a225708..b44986d8804 100644
--- a/chromium/crypto/mock_apple_keychain.h
+++ b/chromium/crypto/mock_apple_keychain.h
@@ -31,24 +31,21 @@ class CRYPTO_EXPORT MockAppleKeychain : public AppleKeychain {
   ~MockAppleKeychain() override;
 
   // AppleKeychain implementation.
-  OSStatus FindGenericPassword(CFTypeRef keychainOrArray,
-                               UInt32 serviceNameLength,
+  OSStatus FindGenericPassword(UInt32 serviceNameLength,
                                const char* serviceName,
                                UInt32 accountNameLength,
                                const char* accountName,
                                UInt32* passwordLength,
                                void** passwordData,
-                               SecKeychainItemRef* itemRef) const override;
-  OSStatus ItemFreeContent(SecKeychainAttributeList* attrList,
-                           void* data) const override;
-  OSStatus AddGenericPassword(SecKeychainRef keychain,
-                              UInt32 serviceNameLength,
+                               AppleSecKeychainItemRef* itemRef) const override;
+  OSStatus ItemFreeContent(void* data) const override;
+  OSStatus AddGenericPassword(UInt32 serviceNameLength,
                               const char* serviceName,
                               UInt32 accountNameLength,
                               const char* accountName,
                               UInt32 passwordLength,
                               const void* passwordData,
-                              SecKeychainItemRef* itemRef) const override;
+                              AppleSecKeychainItemRef* itemRef) const override;
 
   // Returns the password that OSCrypt uses to generate its encryption key.
   std::string GetEncryptionPassword() const;
diff --git a/chromium/crypto/mock_apple_keychain_mac.cc b/chromium/crypto/mock_apple_keychain_mac.cc
index 43a3410b31c..010f00c874a 100644
--- a/chromium/crypto/mock_apple_keychain_mac.cc
+++ b/chromium/crypto/mock_apple_keychain_mac.cc
@@ -18,7 +18,7 @@ MockAppleKeychain::MockAppleKeychain()
 
 MockAppleKeychain::~MockAppleKeychain() {}
 
-OSStatus MockAppleKeychain::ItemDelete(SecKeychainItemRef itemRef) const {
+OSStatus MockAppleKeychain::ItemDelete(AppleSecKeychainItemRef itemRef) const {
   return noErr;
 }
 
diff --git a/chromium/crypto/rsa_private_key.cc b/chromium/crypto/rsa_private_key.cc
index f14e4e8c47a..ab8027ca3ce 100644
--- a/chromium/crypto/rsa_private_key.cc
+++ b/chromium/crypto/rsa_private_key.cc
@@ -61,8 +61,7 @@ std::unique_ptr<RSAPrivateKey> RSAPrivateKey::CreateFromKey(EVP_PKEY* key) {
   if (EVP_PKEY_type(key->type) != EVP_PKEY_RSA)
     return nullptr;
   std::unique_ptr<RSAPrivateKey> copy(new RSAPrivateKey);
-  EVP_PKEY_up_ref(key);
-  copy->key_.reset(key);
+  copy->key_ = bssl::UpRef(key);
   return copy;
 }