Sync pki to chromium d740199e083b70d13506973c6f479f0b01165a05

This also removes fillins/check.h which is no longer needed. Crbug: 1322914 Change-Id: If5e8355700472bf6703c80809ea276c4c07ddc52 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62485 Auto-Submit: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
1 year ago · 0500756f10
parent 257bfaa329
commit 0500756f10
22 changed files with 93 additions and 129 deletions
--- a/fuzz/parse_certificate_fuzzer.cc
+++ b/fuzz/parse_certificate_fuzzer.cc
@ -7,6 +7,7 @@

 #include "../pki/cert_errors.h"
 #include "../pki/parsed_certificate.h"
+#include <openssl/base.h>
 #include <openssl/pool.h>

 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
@ -18,8 +19,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
          {}, &errors);

  // Severe errors must be provided iff the parsing failed.
-  CHECK_EQ(errors.ContainsAnyErrorWithSeverity(bssl::CertError::SEVERITY_HIGH),
-           cert == nullptr);
+  BSSL_CHECK(errors.ContainsAnyErrorWithSeverity(
+                 bssl::CertError::SEVERITY_HIGH) == (cert == nullptr));

  return 0;
 }
--- a/pki/cert_error_params.cc
+++ b/pki/cert_error_params.cc
@ -7,9 +7,9 @@

 #include <memory>

-#include "fillins/check.h"
 #include "string_util.h"
 #include "input.h"
+#include <openssl/base.h>

 namespace bssl {

@ -111,7 +111,7 @@ CertErrorParams::~CertErrorParams() = default;
 std::unique_ptr<CertErrorParams> CreateCertErrorParams1Der(
    const char* name,
    const der::Input& der) {
-  DCHECK(name);
+  BSSL_CHECK(name);
  return std::make_unique<CertErrorParams2Der>(name, der, nullptr,
                                               der::Input());
 }
@ -121,14 +121,14 @@ std::unique_ptr<CertErrorParams> CreateCertErrorParams2Der(
    const der::Input& der1,
    const char* name2,
    const der::Input& der2) {
-  DCHECK(name1);
-  DCHECK(name2);
+  BSSL_CHECK(name1);
+  BSSL_CHECK(name2);
  return std::make_unique<CertErrorParams2Der>(name1, der1, name2, der2);
 }

 std::unique_ptr<CertErrorParams> CreateCertErrorParams1SizeT(const char* name,
                                                             size_t value) {
-  DCHECK(name);
+  BSSL_CHECK(name);
  return std::make_unique<CertErrorParams1SizeT>(name, value);
 }

@ -137,8 +137,8 @@ OPENSSL_EXPORT std::unique_ptr<CertErrorParams> CreateCertErrorParams2SizeT(
    size_t value1,
    const char* name2,
    size_t value2) {
-  DCHECK(name1);
-  DCHECK(name2);
+  BSSL_CHECK(name1);
+  BSSL_CHECK(name2);
  return std::make_unique<CertErrorParams2SizeT>(name1, value1, name2, value2);
 }

--- a/pki/certificate_policies.cc
+++ b/pki/certificate_policies.cc
@ -12,6 +12,7 @@
 #include "parse_values.h"
 #include "parser.h"
 #include "tag.h"
+#include <openssl/base.h>

 namespace bssl {

@ -43,7 +44,7 @@ bool ParsePolicyQualifiers(bool restrict_to_known_qualifiers,
                           der::Parser* policy_qualifiers_sequence_parser,
                           std::vector<PolicyQualifierInfo>* policy_qualifiers,
                           CertErrors* errors) {
-  DCHECK(errors);
+  BSSL_CHECK(errors);

  // If it is present, the policyQualifiers sequence should have at least 1
  // element.
@ -132,8 +133,8 @@ bool ParseCertificatePoliciesExtensionImpl(
    std::vector<der::Input>* policy_oids,
    std::vector<PolicyInformation>* policy_informations,
    CertErrors* errors) {
-  DCHECK(policy_oids);
-  DCHECK(errors);
+  BSSL_CHECK(policy_oids);
+  BSSL_CHECK(errors);
  // certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
  der::Parser extension_parser(extension_value);
  der::Parser policies_sequence_parser;
--- a/pki/crl.cc
+++ b/pki/crl.cc
@ -5,6 +5,8 @@
 #include <algorithm>
 #include <iterator>

+#include <openssl/base.h>
+
 #include "cert_errors.h"
 #include "crl.h"
 #include "revocation_util.h"
@ -370,7 +372,7 @@ CRLRevocationStatus CheckCRL(std::string_view raw_crl,
                             const ParsedDistributionPoint& cert_dp,
                             int64_t verify_time_epoch_seconds,
                             std::optional<int64_t> max_age_seconds) {
-  DCHECK_LT(target_cert_index, valid_chain.size());
+  BSSL_CHECK(target_cert_index < valid_chain.size());

  if (cert_dp.reasons) {
    // Reason codes are not supported. If the distribution point contains a
--- a/pki/fillins/check.h
+++ b/pki/fillins/check.h
@ -1,53 +0,0 @@
-// Copyright 2023 The Chromium Authors
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef PKI_CHECK_H_
-#define PKI_CHECK_H_
-
-// This header defines the CHECK, DCHECK, macros, inherited from chrome.
-
-// This file is not used in chrome, so check here to make sure we are
-// only compiling inside boringssl.
-#if !defined(_BORINGSSL_LIBPKI_)
-#error "_BORINGSSL_LIBPKI_ is not defined when compiling BoringSSL libpki"
-#endif
-
-#include <cassert>
-
-// This is not used in this include file, but is here temporarily to avoid
-// an intrusive change in chrome's files until we are fully extracted.
-// TODO(bbe) move this include to the relevant .cc files once we are no
-// longer using chrome as the canonical source.
-#include <openssl/base.h>
-
-// In chrome DCHECK is used like assert() but often erroneously. to be
-// safe we make DCHECK the same as CHECK, and if we truly wish to have
-// this be an assert, we convert to assert() as in the rest of boringssl.
-// TODO(bbe) scan all DCHECK's in here once we are no longer using chrome
-// as the canonical source and convert to CHECK unless certain they
-// can be an assert().
-#define DCHECK CHECK
-
-// CHECK aborts if a condition is not true.
-#define CHECK(A) \
-  do {           \
-    if (!(A))    \
-      abort();   \
-  } while (0);
-
-#define DCHECK_EQ CHECK_EQ
-#define DCHECK_NE CHECK_NE
-#define DCHECK_LE CHECK_LE
-#define DCHECK_LT CHECK_LT
-#define DCHECK_GE CHECK_GE
-#define DCHECK_GT CHECK_GT
-
-#define CHECK_EQ(val1, val2) CHECK((val1) == (val2))
-#define CHECK_NE(val1, val2) CHECK((val1) != (val2))
-#define CHECK_LE(val1, val2) CHECK((val1) <= (val2))
-#define CHECK_LT(val1, val2) CHECK((val1) < (val2))
-#define CHECK_GE(val1, val2) CHECK((val1) >= (val2))
-#define CHECK_GT(val1, val2) CHECK((val1) > (val2))
-
-#endif  // PKI_CHECK_H_
--- a/pki/fillins/ip_address.cc
+++ b/pki/fillins/ip_address.cc
@ -8,7 +8,7 @@
 #include <string.h>
 #include <climits>

-#include "check.h"
+#include <openssl/base.h>

 namespace bssl {

@ -52,7 +52,7 @@ IPAddress::IPAddress(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4,

 // static
 IPAddress IPAddress::AllZeros(size_t num_zero_bytes) {
-  CHECK_LE(num_zero_bytes, 16u);
+  BSSL_CHECK(num_zero_bytes <= 16u);
  IPAddress result;
  result.addr_.reserve(num_zero_bytes);
  for (size_t i = 0; i < num_zero_bytes; ++i) {
@ -79,7 +79,7 @@ size_t IPAddress::size() const { return addr_.size(); }
 const IPAddressBytes &IPAddress::bytes() const { return addr_; }

 static IPAddress ConvertIPv4ToIPv4MappedIPv6(const IPAddress &address) {
-  CHECK(address.IsIPv4());
+  BSSL_CHECK(address.IsIPv4());
  // IPv4-mapped addresses are formed by:
  // <80 bits of zeros>  + <16 bits of ones> + <32-bit IPv4 address>.
  uint8_t bytes[16];
@ -122,10 +122,10 @@ bool IPAddressMatchesPrefix(const IPAddress &ip_address,
                            size_t prefix_length_in_bits) {
  // Both the input IP address and the prefix IP address should be either IPv4
  // or IPv6.
-  DCHECK(ip_address.IsValid());
-  DCHECK(ip_prefix.IsValid());
+  BSSL_CHECK(ip_address.IsValid());
+  BSSL_CHECK(ip_prefix.IsValid());

-  DCHECK_LE(prefix_length_in_bits, ip_prefix.size() * 8);
+  BSSL_CHECK(prefix_length_in_bits <= ip_prefix.size() * 8);

  // In case we have an IPv6 / IPv4 mismatch, convert the IPv4 addresses to
  // IPv6 addresses in order to do the comparison.
@ -144,7 +144,7 @@ bool IPAddressMatchesPrefix(const IPAddress &ip_address,
 }

 static unsigned CommonPrefixLength(const IPAddress &a1, const IPAddress &a2) {
-  DCHECK_EQ(a1.size(), a2.size());
+  BSSL_CHECK(a1.size() == a2.size());
  for (size_t i = 0; i < a1.size(); ++i) {
    uint8_t diff = a1.bytes()[i] ^ a2.bytes()[i];
    if (!diff)
--- a/pki/general_names.cc
+++ b/pki/general_names.cc
@ -4,6 +4,8 @@

 #include "general_names.h"

+#include <openssl/base.h>
+
 #include <climits>
 #include <cstring>

@ -67,7 +69,7 @@ GeneralNames::~GeneralNames() = default;
 std::unique_ptr<GeneralNames> GeneralNames::Create(
    const der::Input& general_names_tlv,
    CertErrors* errors) {
-  DCHECK(errors);
+  BSSL_CHECK(errors);

  // RFC 5280 section 4.2.1.6:
  // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
@ -89,7 +91,7 @@ std::unique_ptr<GeneralNames> GeneralNames::Create(
 std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue(
    const der::Input& general_names_value,
    CertErrors* errors) {
-  DCHECK(errors);
+  BSSL_CHECK(errors);

  auto general_names = std::make_unique<GeneralNames>();

@ -122,7 +124,7 @@ std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue(
    GeneralNames::ParseGeneralNameIPAddressType ip_address_type,
    GeneralNames* subtrees,
    CertErrors* errors) {
-  DCHECK(errors);
+  BSSL_CHECK(errors);
  der::Parser parser(input);
  der::Tag tag;
  der::Input value;
@ -198,7 +200,7 @@ std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue(
      }
      subtrees->ip_addresses.emplace_back(value.UnsafeData(), value.Length());
    } else {
-      DCHECK_EQ(ip_address_type, GeneralNames::IP_ADDRESS_AND_NETMASK);
+      BSSL_CHECK(ip_address_type == GeneralNames::IP_ADDRESS_AND_NETMASK);
      // RFC 5280 section 4.2.1.10:
      // The syntax of iPAddress MUST be as described in Section 4.2.1.6 with
      // the following additions specifically for name constraints. For IPv4
@ -234,7 +236,7 @@ std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue(
                     CreateCertErrorParams1SizeT("tag", tag));
    return false;
  }
-  DCHECK_NE(GENERAL_NAME_NONE, name_type);
+  BSSL_CHECK(GENERAL_NAME_NONE != name_type);
  subtrees->present_name_types |= name_type;
  return true;
 }
--- a/pki/input.cc
+++ b/pki/input.cc
@ -6,7 +6,7 @@

 #include <algorithm>

-#include "fillins/check.h"
+#include <openssl/base.h>

 namespace bssl::der {

@ -59,7 +59,7 @@ bool ByteReader::HasMore() {
 }

 void ByteReader::Advance(size_t len) {
-  CHECK_LE(len, len_);
+  BSSL_CHECK(len <= len_);
  data_ += len;
  len_ -= len;
 }
--- a/pki/input.h
+++ b/pki/input.h
@ -57,6 +57,8 @@ class OPENSSL_EXPORT Input {
  // is not an option.
  constexpr const uint8_t* UnsafeData() const { return data_.data(); }

+  constexpr uint8_t operator[](size_t idx) const { return data_[idx]; }
+
  // Returns a copy of the data represented by this object as a std::string.
  std::string AsString() const;

--- a/pki/name_constraints.cc
+++ b/pki/name_constraints.cc
@ -17,6 +17,7 @@
 #include "parser.h"
 #include "tag.h"
 #include <optional>
+#include <openssl/base.h>

 namespace bssl {

@ -114,7 +115,7 @@ bool DNSNameMatches(std::string_view name,
 [[nodiscard]] bool ParseGeneralSubtrees(const der::Input& value,
                                        GeneralNames* subtrees,
                                        CertErrors* errors) {
-  DCHECK(errors);
+  BSSL_CHECK(errors);

  // GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
  //
@ -272,7 +273,7 @@ std::unique_ptr<NameConstraints> NameConstraints::Create(
    const der::Input& extension_value,
    bool is_critical,
    CertErrors* errors) {
-  DCHECK(errors);
+  BSSL_CHECK(errors);

  auto name_constraints = std::make_unique<NameConstraints>();
  if (!name_constraints->Parse(extension_value, is_critical, errors))
@ -283,7 +284,7 @@ std::unique_ptr<NameConstraints> NameConstraints::Create(
 bool NameConstraints::Parse(const der::Input& extension_value,
                            bool is_critical,
                            CertErrors* errors) {
-  DCHECK(errors);
+  BSSL_CHECK(errors);

  der::Parser extension_parser(extension_value);
  der::Parser sequence_parser;
--- a/pki/parse_certificate.cc
+++ b/pki/parse_certificate.cc
@ -131,8 +131,9 @@ DEFINE_CERT_ERROR_ID(kSerialNumberNotValidInteger,
  // Note that it is OK to read from the unused bits, since BitString parsing
  // guarantees they are all zero.
  for (size_t i = 0; i < bits.bytes().Length(); ++i) {
-    if (bits.bytes().UnsafeData()[i] != 0)
+    if (bits.bytes()[i] != 0) {
      return false;
+    }
  }
  return true;
 }
@ -263,8 +264,9 @@ bool VerifySerialNumber(const der::Input& value,
  //    gracefully handle such certificates.
  if (negative)
    errors->AddWarning(kSerialNumberIsNegative);
-  if (value.Length() == 1 && value.UnsafeData()[0] == 0)
+  if (value.Length() == 1 && value[0] == 0) {
    errors->AddWarning(kSerialNumberIsZero);
+  }

  // RFC 5280 section 4.1.2.2:
  //
--- a/pki/parse_values.cc
+++ b/pki/parse_values.cc
@ -7,13 +7,13 @@
 #include <tuple>
 #include <vector>

-#include "fillins/check.h"

 #include "fillins/string_util.h"

 #include "fillins/utf_string_conversions.h"
 #include "fillins/inet.h"
 #include "fillins/utf_string_conversions.h"
+#include <openssl/base.h>
 #include <openssl/bytestring.h>

 namespace bssl::der {
@ -208,12 +208,11 @@ bool ParseUint8(const Input& in, uint8_t* out) {

 BitString::BitString(const Input& bytes, uint8_t unused_bits)
    : bytes_(bytes), unused_bits_(unused_bits) {
-  DCHECK_LT(unused_bits, 8);
-  DCHECK(unused_bits == 0 || bytes.Length() != 0);
+  BSSL_CHECK(unused_bits < 8);
+  BSSL_CHECK(unused_bits == 0 || bytes.Length() != 0);
  // The unused bits must be zero.
-  DCHECK(bytes.Length() == 0 ||
-         (bytes.UnsafeData()[bytes.Length() - 1] & ((1u << unused_bits) - 1)) ==
-             0);
+  BSSL_CHECK(bytes.Length() == 0 ||
+             (bytes[bytes.Length() - 1] & ((1u << unused_bits) - 1)) == 0);
 }

 bool BitString::AssertsBit(size_t bit_index) const {
@ -233,7 +232,7 @@ bool BitString::AssertsBit(size_t bit_index) const {
  // BIT STRING parsing already guarantees that unused bits in a byte are zero
  // (otherwise it wouldn't be valid DER). Therefore it isn't necessary to check
  // |unused_bits_|
-  uint8_t byte = bytes_.UnsafeData()[byte_index];
+  uint8_t byte = bytes_[byte_index];
  return 0 != (byte & (1 << bit_index_in_byte));
 }

@ -263,7 +262,7 @@ std::optional<BitString> ParseBitString(const Input& in) {
    // and the initial octet shall be zero.
    if (bytes.Length() == 0)
      return std::nullopt;
-    uint8_t last_byte = bytes.UnsafeData()[bytes.Length() - 1];
+    uint8_t last_byte = bytes[bytes.Length() - 1];

    // From ITU-T X.690, section 11.2.1 (applies to CER and DER, but not BER):
    //
@ -384,12 +383,13 @@ bool ParseTeletexStringAsLatin1(Input in, std::string* out) {
  // Convert from Latin-1 to UTF-8.
  size_t utf8_length = in.Length();
  for (size_t i = 0; i < in.Length(); i++) {
-    if (in.UnsafeData()[i] > 0x7f)
+    if (in[i] > 0x7f) {
      utf8_length++;
+    }
  }
  out->reserve(utf8_length);
  for (size_t i = 0; i < in.Length(); i++) {
-    uint8_t u = in.UnsafeData()[i];
+    uint8_t u = in[i];
    if (u <= 0x7f) {
      out->push_back(u);
    } else {
@ -397,7 +397,7 @@ bool ParseTeletexStringAsLatin1(Input in, std::string* out) {
      out->push_back(0x80 | (u & 0x3f));
    }
  }
-  DCHECK_EQ(utf8_length, out->size());
+  BSSL_CHECK(utf8_length == out->size());
  return true;
 }

--- a/pki/parse_values_unittest.cc
+++ b/pki/parse_values_unittest.cc
@ -351,7 +351,7 @@ TEST(ParseValuesTest, ParseBitStringSevenOneBits) {

  EXPECT_EQ(1u, bit_string->unused_bits());
  EXPECT_EQ(1u, bit_string->bytes().Length());
-  EXPECT_EQ(0xFE, bit_string->bytes().UnsafeData()[0]);
+  EXPECT_EQ(0xFE, bit_string->bytes()[0]);

  EXPECT_TRUE(bit_string->AssertsBit(0));
  EXPECT_TRUE(bit_string->AssertsBit(1));
--- a/pki/parsed_certificate.h
+++ b/pki/parsed_certificate.h
@ -10,7 +10,6 @@
 #include <memory>
 #include <vector>

-#include "fillins/check.h"

 #include "certificate_policies.h"
 #include "parse_certificate.h"
@ -129,7 +128,7 @@ class OPENSSL_EXPORT ParsedCertificate {
  // Returns the ParsedBasicConstraints struct. Caller must check
  // has_basic_constraints() before accessing this.
  const ParsedBasicConstraints& basic_constraints() const {
-    DCHECK(has_basic_constraints_);
+    BSSL_CHECK(has_basic_constraints_);
    return basic_constraints_;
  }

@ -139,7 +138,7 @@ class OPENSSL_EXPORT ParsedCertificate {
  // Returns the KeyUsage BitString. Caller must check
  // has_key_usage() before accessing this.
  const der::BitString& key_usage() const {
-    DCHECK(has_key_usage_);
+    BSSL_CHECK(has_key_usage_);
    return key_usage_;
  }

@ -149,7 +148,7 @@ class OPENSSL_EXPORT ParsedCertificate {
  // Returns the ExtendedKeyUsage key purpose OIDs. Caller must check
  // has_extended_key_usage() before accessing this.
  const std::vector<der::Input>& extended_key_usage() const {
-    DCHECK(has_extended_key_usage_);
+    BSSL_CHECK(has_extended_key_usage_);
    return extended_key_usage_;
  }

@ -175,7 +174,7 @@ class OPENSSL_EXPORT ParsedCertificate {
  // Returns the parsed NameConstraints extension. Must not be called if
  // has_name_constraints() is false.
  const NameConstraints& name_constraints() const {
-    DCHECK(name_constraints_);
+    BSSL_CHECK(name_constraints_);
    return *name_constraints_;
  }

@ -201,7 +200,7 @@ class OPENSSL_EXPORT ParsedCertificate {
  // Returns the policy OIDs. Caller must check has_policy_oids() before
  // accessing this.
  const std::vector<der::Input>& policy_oids() const {
-    DCHECK(has_policy_oids());
+    BSSL_CHECK(has_policy_oids());
    return policy_oids_;
  }

@ -211,7 +210,7 @@ class OPENSSL_EXPORT ParsedCertificate {
  // Returns the ParsedPolicyConstraints struct. Caller must check
  // has_policy_constraints() before accessing this.
  const ParsedPolicyConstraints& policy_constraints() const {
-    DCHECK(has_policy_constraints_);
+    BSSL_CHECK(has_policy_constraints_);
    return policy_constraints_;
  }

@ -221,7 +220,7 @@ class OPENSSL_EXPORT ParsedCertificate {
  // Returns the PolicyMappings extension. Caller must check
  // has_policy_mappings() before accessing this.
  const std::vector<ParsedPolicyMapping>& policy_mappings() const {
-    DCHECK(has_policy_mappings_);
+    BSSL_CHECK(has_policy_mappings_);
    return policy_mappings_;
  }

@ -231,7 +230,7 @@ class OPENSSL_EXPORT ParsedCertificate {
  // Returns the Inhibit Any Policy extension. Caller must check
  // has_inhibit_any_policy() before accessing this.
  uint8_t inhibit_any_policy() const {
-    DCHECK(has_inhibit_any_policy_);
+    BSSL_CHECK(has_inhibit_any_policy_);
    return inhibit_any_policy_;
  }

--- a/pki/parser.cc
+++ b/pki/parser.cc
@ -4,8 +4,8 @@

 #include "parser.h"

-#include "fillins/check.h"
 #include "parse_values.h"
+#include <openssl/base.h>

 namespace bssl::der {

@ -55,7 +55,7 @@ bool Parser::ReadRawTLV(Input* out) {
 bool Parser::ReadTagAndValue(Tag* tag, Input* out) {
  if (!PeekTagAndValue(tag, out))
    return false;
-  CHECK(Advance());
+  BSSL_CHECK(Advance());
  return true;
 }

@ -70,7 +70,7 @@ bool Parser::ReadOptionalTag(Tag tag, std::optional<Input>* out) {
    return false;
  }
  if (actual_tag == tag) {
-    CHECK(Advance());
+    BSSL_CHECK(Advance());
    *out = value;
  } else {
    advance_len_ = 0;
@ -99,7 +99,7 @@ bool Parser::ReadTag(Tag tag, Input* out) {
  if (!PeekTagAndValue(&actual_tag, &value) || actual_tag != tag) {
    return false;
  }
-  CHECK(Advance());
+  BSSL_CHECK(Advance());
  *out = value;
  return true;
 }
--- a/pki/parser_unittest.cc
+++ b/pki/parser_unittest.cc
@ -348,8 +348,8 @@ TEST(ParserTest, ReadBitString) {

  EXPECT_EQ(1u, bit_string->unused_bits());
  ASSERT_EQ(2u, bit_string->bytes().Length());
-  EXPECT_EQ(0xAA, bit_string->bytes().UnsafeData()[0]);
-  EXPECT_EQ(0xBE, bit_string->bytes().UnsafeData()[1]);
+  EXPECT_EQ(0xAA, bit_string->bytes()[0]);
+  EXPECT_EQ(0xBE, bit_string->bytes()[1]);
 }

 // Tries reading a BIT STRING. This should fail because the tag is not for a
--- a/pki/path_builder.cc
+++ b/pki/path_builder.cc
@ -23,6 +23,7 @@
 #include "verify_name_match.h"
 #include "parser.h"
 #include "tag.h"
+#include <openssl/base.h>
 #include <openssl/sha.h>

 namespace bssl {
@ -326,7 +327,7 @@ void CertIssuersIter::AddIssuers(ParsedCertificateList new_issuers) {
 }

 void CertIssuersIter::DoAsyncIssuerQuery() {
-  DCHECK(!did_async_issuer_query_);
+  BSSL_CHECK(!did_async_issuer_query_);
  did_async_issuer_query_ = true;
  cur_async_request_ = 0;
  for (auto* cert_issuer_source : *cert_issuer_sources_) {
@ -386,14 +387,14 @@ class CertIssuerIterPath {
  void Append(std::unique_ptr<CertIssuersIter> cert_issuers_iter) {
    bool added =
        present_certs_.insert(GetKey(cert_issuers_iter->cert())).second;
-    DCHECK(added);
+    BSSL_CHECK(added);
    cur_path_.push_back(std::move(cert_issuers_iter));
  }

  // Pops the last CertIssuersIter off the path.
  void Pop() {
    size_t num_erased = present_certs_.erase(GetKey(cur_path_.back()->cert()));
-    DCHECK_EQ(num_erased, 1U);
+    BSSL_CHECK(num_erased == 1U);
    cur_path_.pop_back();
  }

@ -731,8 +732,8 @@ const CertPathBuilderResultPath* CertPathBuilder::Result::GetBestValidPath()

 const CertPathBuilderResultPath*
 CertPathBuilder::Result::GetBestPathPossiblyInvalid() const {
-  DCHECK((paths.empty() && best_result_index == 0) ||
-         best_result_index < paths.size());
+  BSSL_CHECK((paths.empty() && best_result_index == 0) ||
+             best_result_index < paths.size());

  if (best_result_index >= paths.size())
    return nullptr;
@ -761,7 +762,7 @@ CertPathBuilder::CertPathBuilder(
      user_initial_policy_set_(user_initial_policy_set),
      initial_policy_mapping_inhibit_(initial_policy_mapping_inhibit),
      initial_any_policy_inhibit_(initial_any_policy_inhibit) {
-  DCHECK(delegate);
+  BSSL_CHECK(delegate);
  // The TrustStore also implements the CertIssuerSource interface.
  AddCertIssuerSource(trust_store);
 }
--- a/pki/tag.cc
+++ b/pki/tag.cc
@ -4,17 +4,17 @@

 #include "tag.h"

-#include "fillins/check.h"
+#include <openssl/base.h>

 namespace bssl::der {

 Tag ContextSpecificConstructed(uint8_t tag_number) {
-  DCHECK_EQ(tag_number, tag_number & kTagNumberMask);
+  BSSL_CHECK(tag_number == (tag_number & kTagNumberMask));
  return (tag_number & kTagNumberMask) | kTagConstructed | kTagContextSpecific;
 }

 Tag ContextSpecificPrimitive(uint8_t base) {
-  DCHECK_EQ(base, base & kTagNumberMask);
+  BSSL_CHECK(base == (base & kTagNumberMask));
  return (base & kTagNumberMask) | kTagPrimitive | kTagContextSpecific;
 }

--- a/pki/trust_store.cc
+++ b/pki/trust_store.cc
@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

+#include <cassert>
+
 #include "trust_store.h"

 #include "string_util.h"
--- a/pki/trust_store_collection.cc
+++ b/pki/trust_store_collection.cc
@ -4,13 +4,15 @@

 #include "trust_store_collection.h"

+#include <openssl/base.h>
+
 namespace bssl {

 TrustStoreCollection::TrustStoreCollection() = default;
 TrustStoreCollection::~TrustStoreCollection() = default;

 void TrustStoreCollection::AddTrustStore(TrustStore* store) {
-  DCHECK(store);
+  BSSL_CHECK(store);
  stores_.push_back(store);
 }

--- a/pki/verify_certificate_chain.cc
+++ b/pki/verify_certificate_chain.cc
@ -17,6 +17,7 @@
 #include "trust_store.h"
 #include "verify_signed_data.h"
 #include "input.h"
+#include <openssl/base.h>

 namespace bssl {

@ -1016,7 +1017,7 @@ void PathVerifier::BasicCertificateProcessing(
  // match. This isn't part of RFC 5280 section 6.1.3, but is mandated by
  // sections 4.1.1.2 and 4.1.2.3.
  if (!VerifySignatureAlgorithmsMatch(cert, errors)) {
-    CHECK(errors->ContainsAnyErrorWithSeverity(CertError::SEVERITY_HIGH));
+    BSSL_CHECK(errors->ContainsAnyErrorWithSeverity(CertError::SEVERITY_HIGH));
    *shortcircuit_chain_validation = true;
  }

@ -1472,8 +1473,8 @@ void PathVerifier::Run(
    CertPathErrors* errors) {
  // This implementation is structured to mimic the description of certificate
  // path verification given by RFC 5280 section 6.1.
-  DCHECK(delegate);
-  DCHECK(errors);
+  BSSL_CHECK(delegate);
+  BSSL_CHECK(errors);

  delegate_ = delegate;

@ -1557,7 +1558,7 @@ void PathVerifier::Run(
        // Chains that don't start from a trusted root should short-circuit the
        // rest of the verification, as accumulating more errors from untrusted
        // certificates would not be meaningful.
-        CHECK(cert_errors->ContainsAnyErrorWithSeverity(
+        BSSL_CHECK(cert_errors->ContainsAnyErrorWithSeverity(
            CertError::SEVERITY_HIGH));
        return;
      }
@ -1579,7 +1580,7 @@ void PathVerifier::Run(
      // Signature errors should short-circuit the rest of the verification, as
      // accumulating more errors from untrusted certificates would not be
      // meaningful.
-      CHECK(
+      BSSL_CHECK(
          cert_errors->ContainsAnyErrorWithSeverity(CertError::SEVERITY_HIGH));
      return;
    }
--- a/pki/verify_name_match.cc
+++ b/pki/verify_name_match.cc
@ -10,6 +10,7 @@
 #include "input.h"
 #include "parser.h"
 #include "tag.h"
+#include <openssl/base.h>
 #include <openssl/bytestring.h>

 namespace bssl {
@ -114,7 +115,7 @@ enum CharsetEnforcement {
 [[nodiscard]] bool NormalizeValue(X509NameAttribute attribute,
                                  std::string* output,
                                  CertErrors* errors) {
-  DCHECK(errors);
+  BSSL_CHECK(errors);

  if (!attribute.ValueAsStringUnsafe(output)) {
    errors->AddError(kFailedConvertingAttributeValue,
@ -301,7 +302,7 @@ bool VerifyNameMatchInternal(const der::Input& a,
 bool NormalizeName(const der::Input& name_rdn_sequence,
                   std::string* normalized_rdn_sequence,
                   CertErrors* errors) {
-  DCHECK(errors);
+  BSSL_CHECK(errors);

  // RFC 5280 section 4.1.2.4
  // RDNSequence ::= SEQUENCE OF RelativeDistinguishedName