Bazel: update BoringSSL to f6ef1c5 / 95b3ed1 (master-with-bazel).

f6ef1c560 Check tag class and constructed bit in d2i_ASN1_BOOLEAN.
2f8bf102e Use typedefs in i2d and d2i_ASN1_BOOLEAN.
45c8be91f Forward-declare SSL_CLIENT_HELLO.
052453852 Fix BN_CTX usage in BN_mod_sqrt malloc error paths.
a406ad76a Make ASN1_NULL an opaque pointer.
f5e601275 Remove remnants of ASN.1 print function generators.
c31a8a6f0 Fold x509_vfy.h into x509.h.
f61997b4d Make ASN1_STRING_TABLE_add thread-safe and document.
38890fdef Test ASN1_STRING_set_by_NID with custom NIDs.
db93c2524 Test ASN1_STRING_set_by_NID with built-in NIDs.
a50f24c85 Test that built-in ASN1_STRING_TABLEs are sorted.
fa6ced951 Extract common rotl/rotr functions.
523d6c74c Remove X509_STORE_set0_additional_untrusted.
8f5eb80b8 Enable X509_V_FLAG_TRUSTED_FIRST by default.
2bde9365f Switch to modify the existing X509_VERIFY_PARAM.
87f316d77 Add note to HMAC test vectors from NIST
cc509bdb7 Add log tag for Trusty.
551ccd7e9 Fix CRYPTO_malloc, etc., definitions.
03cae7a2b Keep EVP_CIPHER/EVP_MD lookup and do_all functions in sync
dedd23e59 aarch64: Add missing LR validation in 'vpaes_cbc_encrypt'
66e61c577 Allow PKCS7_sign to work for signing kernel modules.
f958727f7 Speed up constant-time base64 decoding.
4937f05cc Unwind remnants of ASN1_TFLG_NDEF.
f3e594151 acvptool: add CS3 support.
41adb341b Ignore SIGPIPE in the bssl tool.
1c2473eba Add FIPS counters for AES-GCM in EVP_AEAD.
cd32fd37d Refresh fuzzer corpus for ECH draft-13.
27a3328a3 Fix the TLS fuzzers for ECH draft-13.
62c4f1547 Clarify that TLS sessions are not application sessions.
019cc625b Fix BN_prime_checks_for_validation to align with false-positive rate.
0446b5942 Add maskHash to RSA_PSS_PARAMS for compat
ed5f4e82e Remove ASN1_OP_I2D_* callbacks.
afed9f762 Don't read it->funcs without checking it->itype.
866cccc54 Reject missing required fields in i2d functions.
c9b75aff2 Reject -1 types in ASN1_TYPE and MSTRINGs when encoding.
6e70be0f8 Correctly handle invalid ASN1_OBJECTs when encoding.
248ab8176 Check for invalid CHOICE selectors in i2d functions.
3b6cebb1e Fix x509_name_ex_i2d error-handling.
27b31cfc5 Correctly propagate errors in i2d functions.
25773430c acvptool: add hmacDRBG support
a03c34c6d Check for __TRUSTY__ instead of TRUSTY.
0fa3030e1 Update comment for ECH draft-13.
c0fcb4e24 Silence a GCC false positive warning.
1a668b39d Switch to the new, simpler WHATWG URL formulation.
b49b78ef3 Revert "Guard use of sdallocx with BORINGSSL_SDALLOCX"
19fe7943c Fix calculation of draft-13 ECH confirmation signal.
18b6836b2 Update to draft-ietf-tls-esni-13.
37a3c70c0 Reword SSL_get0_ech_name_override documentation.
07b365f63 Remove SSL_set_verify_result.
dddb60eb9 Make most of crypto/x509 opaque.
59aff62ca Remove V_ASN1_APP_CHOOSE.
6b7525a9f Rewrite ASN1_PRINTABLE_type and add tests.
31f462a1e Include SHA512-256 in EVP_get_digestbyname and EVP_MD_do_all.
96181288c NUL is not printable.
c65543b7a Make RSA_check_key more than 2x as fast.
417010f9b Benchmark RSA private key parsing.
c6d3fd1d0 Work around yet another MSVC 2015 SFINAE bug.
d55f450c4 Avoid re-hashing the transcript multiple times.
a75027b04 Make ssl_parse_extensions a little easier to use.
e2cb42376 Deduplicate our three ServerHello parsers.
61f320874 Merge in OpenSSL's X.509 corpus.
6038ac5ce Run X509_print in the certificate fuzzer.
cdfc2595b Fix some error-handling in i2v functions.
4bf0a19ac Fix typo.
5984cfe8e OPENSSL_strndup should not return NULL given {NULL, 0}.
b27438e12 Rewrite name constraints matching with CBS.
04601b026 Add some tests for name constraints.
2d10c18b3 Fix i2v_GENERAL_NAME to not assume NUL terminated strings
4f9a7ba47 Do not rely on ASN1_STRING being NUL-terminated.
954506271 Add a CBB_add_zeros helper.
047ff6428 Linkify RFCs in documentation.
8648c5369 Refer to RFCs consistently.
16c3e3ae0 runner: Test session IDs over 32 bytes.
05ce773ca Process the TLS 1.3 cipher suite in one place.
80df7398c Guard use of sdallocx with BORINGSSL_SDALLOCX
a603c828d Bump minimum GCC version and note impending VS2015 deprecation.
006f20ad7 Add Span::first() and Span::last().
2e68a05c9 Simplify built-in BIOs slightly.
69ec7c8de Fix some error returns from SSL_read and SSL_write.
b9ee7b143 Fix negative ENUMERATED values in multi-strings.
1b2db8c7c Add a test for ASN1_mbstring_copy and clean up.
eb17de499 Remove ASN1_TFLG_SET_ORDER.
b319e3b89 Fix ASN1_STRING_print_ex with negative integers.
e3a365554 Check i2d_ASN1_TYPE's return value in ASN1_STRING_print_ex.
4c993da66 Document ASN.1 printing functions.
07a6628e4 Move some ASN1 printing functions to crypto/asn1.
0dcbc6e14 Move a_strex.c back to asn1, split X509_NAME bits out.
1201c9ad8 Unwind io_ch abstraction in print functions.
7a6066ca6 Implement ASN1_STRING_print_ex_fp, etc., with file BIOs.
b9ec9dee5 Remove OPENSSL_NO_FP_API ifdefs.
28d7252d2 Move X509_ALGOR to x509.h.
8627e9743 Unexport BIT_STRING_BITNAME.
11a24ae02 Unexport ub_* constants.
f8b3961b0 Always use an ASN1_STRING_TABLE global mask of UTF8String.
6d8456980 Document ASN1_mbstring_copy.
47c5f9d2f Update from upstream.
549e4e799 Align with upstream on 'close STDOUT' lines.
7e265971c Avoid double-expanding variables in CMake.
ead57c300 Reject years outside 0000-9999 in ASN1_GENERALIZEDTIME_adj.
46e0523ea Add some tests for time_t to ASN1_TIME conversions.
046fc130d Remove ASN1_STRING_FLAG_MSTRING.
116d9250a Document another batch of functions.
e9fae77c0 Clarify BIO_new_mum_buf's lifetime rules.
0768d42c2 include needed headers
f1d153dc3 Don't overread in poly_Rq_mul
5799ebfe5 acvp: recognise another style of JSON.
d422d2c4a Revert "Revert "Revert "Disable check that X.509 extensions implies v3."""
c1571feb5 acvp: add HKDF support.
7a817f48b Add 'generate-ech' command to bssl tool
e38cf79cd Don't enable atomics in NO_THREADS configurations.
17be3872a Check strtoul return for overflow error in GetUnsigned()
897a2ca3f Add convenience functions to malloc EVP_HPKE_CTX and EVP_HPKE_KEY.
6191cc95a Document that SSL_PRIVATE_KEY_METHOD should configure signing prefs.
519c2986c Always have CRYPTO_sysrand_for_seed.
715301301 hrss: use less stack space.
94a608a1f Make X509_EXTENSION opaque.
a5a9b54d8 Make X509_CRL opaque.
b86dcfefe Switch another malloc to bssl::Array.
ecc301ca0 Add a pointer alignment helper function.
268a4a6ff Remove unused field in X509_NAME_ENTRY.
61a21e7ec Fix sign bit in BN_div if numerator and quotient alias.
ad5db9658 Handle the server case in SSL_get0_ech_name_override.
62d6ed60d Remove -2 return value from X509*_get_*_by_NID.
2cf7a2cde Remove X509at_get0_data_by_OBJ.
957f23d2c Document a batch of extension-related functions in x509.h.
7ada84669 conf: fix getting keys from the default section.
919a97393 conf: don't crash when parsing.
ae7c17868 Add some OpenSSL compatibility aliases.
170045f49 Make ASN1_OBJECT opaque.
e3a7bd0a8 Rename asn1_locl.h to internal.h.
5514476c4 Update hpke_test.go.
c220b5fa6 Decorate x509v3_a2i_ipadd declaration as its definition.
25d501c77 SHA-256 is used on AArch64, even if NO_ASM.
b90cdddcd swtb is another AArch64 magic tweak.
ba423c9a1 Implement ClientHelloOuter handshakes.
ca7ef8c85 runner: Add a convenience function for base64 flags.
a10017c54 Reduce bouncing on the cache lock in ssl_update_cache.
10a76acb0 Only clear not_resumable after the handshake.
afa867be8 runner: Test that clients actually use renewed tickets.
5d224a559 runner: Clean up test logic.
c41a3a937 runner: Fix process exit timeout.
479adf98d Remove old ASN.1 SET macros.
b147c99dd Document some ASN1_INTEGER and ASN1_ENUMERATED functions.
87be65922 Document ASN1_STRING_to_UTF8.
5f8c681d7 Const-correct ASN1_item_verify a bit more.
520678284 Compute ASN.1 BIT STRING sizes more consistently.
cafb99211 Remove lh_FOO_doall.
ec8c67dfb Prefix internal LHASH functions.
7f85116be Unexport almost all of LHASH.
ec552cab8 Rename to
f25ada3a7 Prefix and unexport a2i_ipadd.
f315a86df Fix a -Wdeprecated-copy warning.
9cbe737ec Validate ECH public names.
869bf9f3a Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM.
58abd2e6f Make X509_VERIFY_PARAM opaque.
36ea4d113 Move crypto/x509/vpm_int.h into internal.h.
6d3d0690f Reformat x509_vfy.h and convert comments.

Change-Id: I77e07130a3c3fdd777579f2789b8506cc2e0c275
Signed-off-by: Piotr Sikora <>
Reviewed-by: Wayne Zhang <>
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
index dacedbc..06bb4c9 100644
--- a/bazel/repositories.bzl
+++ b/bazel/repositories.bzl
@@ -48,9 +48,9 @@
     # BoringSSL
         name = "boringssl",
-        commit = "045bb228cb45224bb535a0114c16a80985185b4b",  # 2021-06-16
+        commit = "95b3ed1b01f2ef1d72fed290ed79fe1b0e7dafc0",  # 2021-10-12
         remote = "",
-        shallow_since = "1623882831 +0000",
+        shallow_since = "1634062184 +0000",
     # PCRE