[dev.boringcrypto] all: merge master into dev.boringcrypto

Change-Id: I52009bf809dda4fbcff03aa82d0ea8aa2a978fa2

cipher_suites.go

@@ -219,56 +219,56 @@ var cipherSuitesTLS13 = []*cipherSuiteTLS13{ // TODO: replace with a map.
 //
 //   - Anything else comes before RC4
 //
-//       RC4 has practically exploitable biases. See https://www.rc4nomore.com.
+//     RC4 has practically exploitable biases. See https://www.rc4nomore.com.
 //
 //   - Anything else comes before CBC_SHA256
 //
-//       SHA-256 variants of the CBC ciphersuites don't implement any Lucky13
-//       countermeasures. See http://www.isg.rhul.ac.uk/tls/Lucky13.html and
-//       https://www.imperialviolet.org/2013/02/04/luckythirteen.html.
+//     SHA-256 variants of the CBC ciphersuites don't implement any Lucky13
+//     countermeasures. See http://www.isg.rhul.ac.uk/tls/Lucky13.html and
+//     https://www.imperialviolet.org/2013/02/04/luckythirteen.html.
 //
 //   - Anything else comes before 3DES
 //
-//       3DES has 64-bit blocks, which makes it fundamentally susceptible to
-//       birthday attacks. See https://sweet32.info.
+//     3DES has 64-bit blocks, which makes it fundamentally susceptible to
+//     birthday attacks. See https://sweet32.info.
 //
 //   - ECDHE comes before anything else
 //
-//       Once we got the broken stuff out of the way, the most important
-//       property a cipher suite can have is forward secrecy. We don't
-//       implement FFDHE, so that means ECDHE.
+//     Once we got the broken stuff out of the way, the most important
+//     property a cipher suite can have is forward secrecy. We don't
+//     implement FFDHE, so that means ECDHE.
 //
 //   - AEADs come before CBC ciphers
 //
-//       Even with Lucky13 countermeasures, MAC-then-Encrypt CBC cipher suites
-//       are fundamentally fragile, and suffered from an endless sequence of
-//       padding oracle attacks. See https://eprint.iacr.org/2015/1129,
-//       https://www.imperialviolet.org/2014/12/08/poodleagain.html, and
-//       https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/.
+//     Even with Lucky13 countermeasures, MAC-then-Encrypt CBC cipher suites
+//     are fundamentally fragile, and suffered from an endless sequence of
+//     padding oracle attacks. See https://eprint.iacr.org/2015/1129,
+//     https://www.imperialviolet.org/2014/12/08/poodleagain.html, and
+//     https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/.
 //
 //   - AES comes before ChaCha20
 //
-//       When AES hardware is available, AES-128-GCM and AES-256-GCM are faster
-//       than ChaCha20Poly1305.
+//     When AES hardware is available, AES-128-GCM and AES-256-GCM are faster
+//     than ChaCha20Poly1305.
 //
-//       When AES hardware is not available, AES-128-GCM is one or more of: much
-//       slower, way more complex, and less safe (because not constant time)
-//       than ChaCha20Poly1305.
+//     When AES hardware is not available, AES-128-GCM is one or more of: much
+//     slower, way more complex, and less safe (because not constant time)
+//     than ChaCha20Poly1305.
 //
-//       We use this list if we think both peers have AES hardware, and
-//       cipherSuitesPreferenceOrderNoAES otherwise.
+//     We use this list if we think both peers have AES hardware, and
+//     cipherSuitesPreferenceOrderNoAES otherwise.
 //
 //   - AES-128 comes before AES-256
 //
-//       The only potential advantages of AES-256 are better multi-target
-//       margins, and hypothetical post-quantum properties. Neither apply to
-//       TLS, and AES-256 is slower due to its four extra rounds (which don't
-//       contribute to the advantages above).
+//     The only potential advantages of AES-256 are better multi-target
+//     margins, and hypothetical post-quantum properties. Neither apply to
+//     TLS, and AES-256 is slower due to its four extra rounds (which don't
+//     contribute to the advantages above).
 //
 //   - ECDSA comes before RSA
 //
-//       The relative order of ECDSA and RSA cipher suites doesn't matter,
-//       as they depend on the certificate. Pick one to get a stable order.
+//     The relative order of ECDSA and RSA cipher suites doesn't matter,
+//     as they depend on the certificate. Pick one to get a stable order.
 var cipherSuitesPreferenceOrder = []uint16{
 	// AEADs w/ ECDHE
 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,