grpc 1.21.0 → 1.32.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +2516 -19950
- data/etc/roots.pem +44 -100
- data/include/grpc/grpc.h +3 -1
- data/include/grpc/grpc_security.h +238 -55
- data/include/grpc/grpc_security_constants.h +32 -1
- data/include/grpc/impl/codegen/README.md +22 -0
- data/include/grpc/impl/codegen/gpr_types.h +1 -1
- data/include/grpc/impl/codegen/grpc_types.h +61 -13
- data/include/grpc/impl/codegen/port_platform.h +74 -30
- data/include/grpc/impl/codegen/sync.h +5 -3
- data/include/grpc/impl/codegen/sync_abseil.h +36 -0
- data/include/grpc/impl/codegen/sync_generic.h +1 -1
- data/include/grpc/module.modulemap +25 -37
- data/include/grpc/slice.h +2 -2
- data/include/grpc/support/alloc.h +0 -16
- data/include/grpc/support/sync_abseil.h +26 -0
- data/src/core/ext/filters/client_channel/backend_metric.cc +84 -0
- data/src/core/ext/filters/client_channel/backend_metric.h +36 -0
- data/src/core/ext/filters/client_channel/backup_poller.cc +10 -8
- data/src/core/ext/filters/client_channel/backup_poller.h +5 -2
- data/src/core/ext/filters/client_channel/channel_connectivity.cc +18 -4
- data/src/core/ext/filters/client_channel/client_channel.cc +1516 -742
- data/src/core/ext/filters/client_channel/client_channel.h +25 -9
- data/src/core/ext/filters/client_channel/client_channel_channelz.cc +50 -139
- data/src/core/ext/filters/client_channel/client_channel_channelz.h +15 -39
- data/src/core/ext/filters/client_channel/client_channel_factory.cc +1 -1
- data/src/core/ext/filters/client_channel/client_channel_factory.h +1 -9
- data/src/core/ext/filters/client_channel/client_channel_plugin.cc +8 -13
- data/src/core/ext/filters/client_channel/config_selector.cc +62 -0
- data/src/core/ext/filters/client_channel/config_selector.h +93 -0
- data/src/core/ext/filters/client_channel/connector.h +42 -39
- data/src/core/ext/filters/client_channel/global_subchannel_pool.cc +34 -12
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +75 -115
- data/src/core/ext/filters/client_channel/health/health_check_client.h +8 -16
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +75 -46
- data/src/core/ext/filters/client_channel/http_proxy.cc +126 -120
- data/src/core/ext/filters/client_channel/http_proxy.h +5 -1
- data/src/core/ext/filters/client_channel/lb_policy.cc +35 -35
- data/src/core/ext/filters/client_channel/lb_policy.h +225 -152
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.cc +83 -0
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.h +99 -0
- data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.cc +299 -0
- data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.h +83 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +41 -25
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +635 -734
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h +7 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.cc +76 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.h +37 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +9 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +33 -49
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.cc +4 -3
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.h +7 -6
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.cc +157 -271
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.h +42 -58
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +113 -166
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +890 -0
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +61 -101
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +116 -260
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +744 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +423 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/eds.cc +946 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/lrs.cc +537 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.h +3 -7
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_routing.cc +1141 -0
- data/src/core/ext/filters/client_channel/lb_policy_factory.h +6 -9
- data/src/core/ext/filters/client_channel/lb_policy_registry.cc +53 -77
- data/src/core/ext/filters/client_channel/lb_policy_registry.h +3 -3
- data/src/core/ext/filters/client_channel/local_subchannel_pool.cc +8 -8
- data/src/core/ext/filters/client_channel/local_subchannel_pool.h +2 -1
- data/src/core/ext/filters/client_channel/proxy_mapper.h +14 -34
- data/src/core/ext/filters/client_channel/proxy_mapper_registry.cc +46 -79
- data/src/core/ext/filters/client_channel/proxy_mapper_registry.h +23 -17
- data/src/core/ext/filters/client_channel/resolver.cc +6 -9
- data/src/core/ext/filters/client_channel/resolver.h +19 -37
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +156 -130
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +74 -39
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +15 -21
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +33 -33
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +16 -13
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +476 -129
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +231 -193
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +6 -4
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +9 -6
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_libuv.cc +1 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_windows.cc +1 -2
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +73 -48
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +165 -116
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +8 -7
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +45 -29
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +536 -0
- data/src/core/ext/filters/client_channel/resolver_factory.h +11 -11
- data/src/core/ext/filters/client_channel/resolver_registry.cc +39 -24
- data/src/core/ext/filters/client_channel/resolver_registry.h +17 -12
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +251 -313
- data/src/core/ext/filters/client_channel/resolver_result_parsing.h +28 -26
- data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +100 -325
- data/src/core/ext/filters/client_channel/resolving_lb_policy.h +48 -53
- data/src/core/ext/filters/client_channel/retry_throttle.cc +5 -5
- data/src/core/ext/filters/client_channel/retry_throttle.h +2 -6
- data/src/core/ext/filters/client_channel/server_address.cc +40 -14
- data/src/core/ext/filters/client_channel/server_address.h +45 -15
- data/src/core/ext/filters/client_channel/service_config.cc +143 -253
- data/src/core/ext/filters/client_channel/service_config.h +47 -131
- data/src/core/ext/filters/client_channel/service_config_call_data.h +68 -0
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +142 -0
- data/src/core/ext/filters/client_channel/service_config_parser.cc +87 -0
- data/src/core/ext/filters/client_channel/service_config_parser.h +89 -0
- data/src/core/ext/filters/client_channel/subchannel.cc +436 -288
- data/src/core/ext/filters/client_channel/subchannel.h +181 -53
- data/src/core/ext/filters/client_channel/subchannel_interface.h +94 -0
- data/src/core/ext/filters/client_channel/subchannel_pool_interface.h +3 -6
- data/src/core/ext/filters/client_idle/client_idle_filter.cc +440 -0
- data/src/core/ext/filters/deadline/deadline_filter.cc +30 -28
- data/src/core/ext/filters/http/client/http_client_filter.cc +66 -70
- data/src/core/ext/filters/http/client_authority_filter.cc +21 -21
- data/src/core/ext/filters/http/http_filters_plugin.cc +28 -12
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +335 -301
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +399 -0
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.h +31 -0
- data/src/core/ext/filters/http/server/http_server_filter.cc +66 -39
- data/src/core/ext/filters/max_age/max_age_filter.cc +72 -60
- data/src/core/ext/filters/message_size/message_size_filter.cc +116 -144
- data/src/core/ext/filters/message_size/message_size_filter.h +12 -6
- data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +19 -17
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +193 -171
- data/src/core/ext/transport/chttp2/client/chttp2_connector.h +48 -1
- data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +29 -25
- data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +44 -64
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +384 -305
- data/src/core/ext/transport/chttp2/server/chttp2_server.h +7 -2
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +3 -3
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +10 -16
- data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +9 -9
- data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +4 -6
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +640 -560
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +2 -0
- data/src/core/ext/transport/chttp2/transport/context_list.cc +5 -3
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +26 -31
- data/src/core/ext/transport/chttp2/transport/flow_control.h +28 -38
- data/src/core/ext/transport/chttp2/transport/frame_data.cc +45 -54
- data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +7 -9
- data/src/core/ext/transport/chttp2/transport/frame_goaway.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_ping.cc +7 -7
- data/src/core/ext/transport/chttp2/transport/frame_ping.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +21 -13
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.h +9 -3
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +13 -12
- data/src/core/ext/transport/chttp2/transport/frame_settings.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_window_update.cc +9 -12
- data/src/core/ext/transport/chttp2/transport/frame_window_update.h +2 -3
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +531 -348
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +26 -15
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +213 -143
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +11 -4
- data/src/core/ext/transport/chttp2/transport/hpack_table.cc +41 -196
- data/src/core/ext/transport/chttp2/transport/hpack_table.h +62 -18
- data/src/core/ext/transport/chttp2/transport/http2_settings.h +4 -5
- data/src/core/ext/transport/chttp2/transport/huffsyms.h +2 -3
- data/src/core/ext/transport/chttp2/transport/incoming_metadata.cc +2 -1
- data/src/core/ext/transport/chttp2/transport/internal.h +64 -47
- data/src/core/ext/transport/chttp2/transport/parsing.cc +148 -162
- data/src/core/ext/transport/chttp2/transport/stream_map.cc +28 -18
- data/src/core/ext/transport/chttp2/transport/stream_map.h +2 -3
- data/src/core/ext/transport/chttp2/transport/writing.cc +38 -30
- data/src/core/ext/transport/inproc/inproc_transport.cc +164 -114
- data/src/core/ext/upb-generated/envoy/annotations/deprecation.upb.c +17 -0
- data/src/core/ext/upb-generated/envoy/annotations/deprecation.upb.h +29 -0
- data/src/core/ext/upb-generated/envoy/annotations/resource.upb.c +27 -0
- data/src/core/ext/upb-generated/envoy/annotations/resource.upb.h +53 -0
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.c +224 -0
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.h +700 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/circuit_breaker.upb.c +74 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/circuit_breaker.upb.h +226 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +380 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +1378 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/filter.upb.c +35 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/filter.upb.h +69 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.c +55 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.h +323 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/address.upb.c +112 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/address.upb.h +334 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/backoff.upb.c +35 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/backoff.upb.h +79 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +309 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +869 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.c +96 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h +328 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/event_service_config.upb.c +34 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/event_service_config.upb.h +71 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/grpc_service.upb.c +195 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/grpc_service.upb.h +634 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c +170 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.h +684 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/http_uri.upb.c +36 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/http_uri.upb.h +80 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +152 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +536 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +28 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +58 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/socket_option.upb.c +34 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/socket_option.upb.h +88 -0
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.c +91 -0
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.h +220 -0
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint_components.upb.c +91 -0
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint_components.upb.h +273 -0
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/load_report.upb.c +112 -0
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/load_report.upb.h +332 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/api_listener.upb.c +33 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/api_listener.upb.h +65 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +108 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +401 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +138 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +490 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +41 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.h +94 -0
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +174 -0
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +599 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +63 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +204 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +773 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +2855 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/scoped_route.upb.c +59 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/scoped_route.upb.h +135 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.c +50 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.h +108 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +312 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +1125 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c +20 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.h +34 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +111 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +401 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.c +72 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.h +198 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.c +105 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.h +388 -0
- data/src/core/ext/upb-generated/envoy/service/cluster/v3/cds.upb.c +27 -0
- data/src/core/ext/upb-generated/envoy/service/cluster/v3/cds.upb.h +49 -0
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/ads.upb.c +25 -0
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/ads.upb.h +49 -0
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.c +129 -0
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.h +386 -0
- data/src/core/ext/upb-generated/envoy/service/endpoint/v3/eds.upb.c +30 -0
- data/src/core/ext/upb-generated/envoy/service/endpoint/v3/eds.upb.h +49 -0
- data/src/core/ext/upb-generated/envoy/service/listener/v3/lds.upb.c +30 -0
- data/src/core/ext/upb-generated/envoy/service/listener/v3/lds.upb.h +49 -0
- data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.c +55 -0
- data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.h +136 -0
- data/src/core/ext/upb-generated/envoy/service/route/v3/rds.upb.c +29 -0
- data/src/core/ext/upb-generated/envoy/service/route/v3/rds.upb.h +49 -0
- data/src/core/ext/upb-generated/envoy/service/route/v3/srds.upb.c +27 -0
- data/src/core/ext/upb-generated/envoy/service/route/v3/srds.upb.h +49 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/metadata.upb.c +47 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/metadata.upb.h +114 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/number.upb.c +35 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/number.upb.h +77 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/path.upb.c +34 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/path.upb.h +71 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/regex.upb.c +64 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/regex.upb.h +145 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.c +53 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.h +127 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/value.upb.c +63 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/value.upb.h +188 -0
- data/src/core/ext/upb-generated/envoy/type/metadata/v3/metadata.upb.c +88 -0
- data/src/core/ext/upb-generated/envoy/type/metadata/v3/metadata.upb.h +258 -0
- data/src/core/ext/upb-generated/envoy/type/tracing/v3/custom_tag.upb.c +90 -0
- data/src/core/ext/upb-generated/envoy/type/tracing/v3/custom_tag.upb.h +250 -0
- data/src/core/ext/upb-generated/envoy/type/v3/http.upb.c +17 -0
- data/src/core/ext/upb-generated/envoy/type/v3/http.upb.h +35 -0
- data/src/core/ext/upb-generated/envoy/type/v3/percent.upb.c +40 -0
- data/src/core/ext/upb-generated/envoy/type/v3/percent.upb.h +86 -0
- data/src/core/ext/upb-generated/envoy/type/v3/range.upb.c +51 -0
- data/src/core/ext/upb-generated/envoy/type/v3/range.upb.h +111 -0
- data/src/core/ext/upb-generated/envoy/type/v3/semantic_version.upb.c +30 -0
- data/src/core/ext/upb-generated/envoy/type/v3/semantic_version.upb.h +61 -0
- data/src/core/ext/upb-generated/gogoproto/gogo.upb.c +17 -0
- data/src/core/ext/upb-generated/gogoproto/gogo.upb.h +29 -0
- data/src/core/ext/upb-generated/google/api/annotations.upb.c +18 -0
- data/src/core/ext/upb-generated/google/api/annotations.upb.h +29 -0
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.c +234 -0
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h +759 -0
- data/src/core/ext/upb-generated/google/api/http.upb.c +66 -0
- data/src/core/ext/upb-generated/google/api/http.upb.h +191 -0
- data/src/core/ext/upb-generated/google/protobuf/any.upb.c +27 -0
- data/src/core/ext/upb-generated/google/protobuf/any.upb.h +57 -0
- data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.c +486 -0
- data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.h +1722 -0
- data/src/core/ext/upb-generated/google/protobuf/duration.upb.c +27 -0
- data/src/core/ext/upb-generated/google/protobuf/duration.upb.h +57 -0
- data/src/core/ext/upb-generated/google/protobuf/empty.upb.c +22 -0
- data/src/core/ext/upb-generated/google/protobuf/empty.upb.h +49 -0
- data/src/core/ext/upb-generated/google/protobuf/struct.upb.c +79 -0
- data/src/core/ext/upb-generated/google/protobuf/struct.upb.h +194 -0
- data/src/core/ext/upb-generated/google/protobuf/timestamp.upb.c +27 -0
- data/src/core/ext/upb-generated/google/protobuf/timestamp.upb.h +57 -0
- data/src/core/ext/upb-generated/google/protobuf/wrappers.upb.c +106 -0
- data/src/core/ext/upb-generated/google/protobuf/wrappers.upb.h +237 -0
- data/src/core/ext/upb-generated/google/rpc/status.upb.c +33 -0
- data/src/core/ext/upb-generated/google/rpc/status.upb.h +74 -0
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/altscontext.upb.c +49 -0
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/altscontext.upb.h +113 -0
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.c +212 -0
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.h +672 -0
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/transport_security_common.upb.c +42 -0
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/transport_security_common.upb.h +110 -0
- data/src/core/ext/upb-generated/src/proto/grpc/health/v1/health.upb.c +36 -0
- data/src/core/ext/upb-generated/src/proto/grpc/health/v1/health.upb.h +83 -0
- data/src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.c +141 -0
- data/src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.h +396 -0
- data/src/core/ext/upb-generated/udpa/annotations/migrate.upb.c +48 -0
- data/src/core/ext/upb-generated/udpa/annotations/migrate.upb.h +103 -0
- data/src/core/ext/upb-generated/udpa/annotations/sensitive.upb.c +17 -0
- data/src/core/ext/upb-generated/udpa/annotations/sensitive.upb.h +29 -0
- data/src/core/ext/upb-generated/udpa/annotations/status.upb.c +28 -0
- data/src/core/ext/upb-generated/udpa/annotations/status.upb.h +64 -0
- data/src/core/ext/upb-generated/udpa/annotations/versioning.upb.c +27 -0
- data/src/core/ext/upb-generated/udpa/annotations/versioning.upb.h +53 -0
- data/src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.c +58 -0
- data/src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.h +117 -0
- data/src/core/ext/upb-generated/validate/validate.upb.c +448 -0
- data/src/core/ext/upb-generated/validate/validate.upb.h +2074 -0
- data/src/core/ext/xds/xds_api.cc +2388 -0
- data/src/core/ext/xds/xds_api.h +360 -0
- data/src/core/ext/xds/xds_bootstrap.cc +373 -0
- data/src/core/ext/xds/xds_bootstrap.h +93 -0
- data/src/core/ext/xds/xds_channel.h +46 -0
- data/src/core/ext/xds/xds_channel_args.h +26 -0
- data/src/core/ext/xds/xds_channel_secure.cc +103 -0
- data/src/core/ext/xds/xds_client.cc +2114 -0
- data/src/core/ext/xds/xds_client.h +276 -0
- data/src/core/ext/xds/xds_client_stats.cc +115 -0
- data/src/core/ext/xds/xds_client_stats.h +211 -0
- data/src/core/lib/avl/avl.cc +1 -1
- data/src/core/lib/channel/channel_args.cc +52 -14
- data/src/core/lib/channel/channel_args.h +41 -3
- data/src/core/lib/channel/channel_stack.cc +1 -1
- data/src/core/lib/channel/channel_stack.h +38 -18
- data/src/core/lib/channel/channel_trace.cc +32 -45
- data/src/core/lib/channel/channel_trace.h +3 -3
- data/src/core/lib/channel/channelz.cc +377 -318
- data/src/core/lib/channel/channelz.h +128 -90
- data/src/core/lib/channel/channelz_registry.cc +123 -178
- data/src/core/lib/channel/channelz_registry.h +14 -32
- data/src/core/lib/channel/connected_channel.cc +28 -25
- data/src/core/lib/channel/context.h +2 -2
- data/src/core/lib/channel/handshaker.cc +18 -14
- data/src/core/lib/channel/handshaker.h +7 -6
- data/src/core/lib/channel/handshaker_factory.h +1 -3
- data/src/core/lib/channel/handshaker_registry.cc +9 -21
- data/src/core/lib/channel/handshaker_registry.h +3 -3
- data/src/core/lib/channel/status_util.cc +2 -3
- data/src/core/lib/compression/compression.cc +16 -11
- data/src/core/lib/compression/compression_args.cc +13 -6
- data/src/core/lib/compression/compression_args.h +3 -2
- data/src/core/lib/compression/compression_internal.cc +15 -11
- data/src/core/lib/compression/compression_internal.h +9 -1
- data/src/core/lib/compression/message_compress.cc +8 -3
- data/src/core/lib/compression/stream_compression.cc +3 -2
- data/src/core/lib/compression/stream_compression.h +2 -2
- data/src/core/lib/compression/stream_compression_gzip.cc +9 -9
- data/src/core/lib/compression/stream_compression_identity.cc +5 -7
- data/src/core/lib/debug/stats.cc +21 -27
- data/src/core/lib/debug/stats.h +3 -1
- data/src/core/lib/debug/trace.h +3 -2
- data/src/core/lib/gpr/alloc.cc +4 -29
- data/src/core/lib/gpr/cpu_linux.cc +1 -1
- data/src/core/lib/gpr/env.h +1 -1
- data/src/core/lib/gpr/env_linux.cc +10 -21
- data/src/core/lib/gpr/env_posix.cc +0 -5
- data/src/core/lib/gpr/log_linux.cc +8 -10
- data/src/core/lib/gpr/log_posix.cc +7 -9
- data/src/core/lib/gpr/spinlock.h +2 -3
- data/src/core/lib/gpr/string.cc +25 -36
- data/src/core/lib/gpr/string.h +11 -19
- data/src/core/lib/gpr/sync_abseil.cc +116 -0
- data/src/core/lib/gpr/sync_posix.cc +10 -142
- data/src/core/lib/gpr/sync_windows.cc +4 -2
- data/src/core/lib/gpr/time.cc +4 -0
- data/src/core/lib/gpr/time_posix.cc +1 -1
- data/src/core/lib/gpr/time_precise.cc +123 -36
- data/src/core/lib/gpr/time_precise.h +37 -0
- data/src/core/lib/gprpp/arena.cc +3 -3
- data/src/core/lib/gprpp/arena.h +2 -3
- data/src/core/lib/gprpp/atomic.h +10 -6
- data/src/core/lib/gprpp/debug_location.h +3 -2
- data/src/core/lib/gprpp/fork.cc +19 -26
- data/src/core/lib/gprpp/fork.h +18 -3
- data/src/core/lib/gprpp/global_config.h +9 -0
- data/src/core/lib/gprpp/global_config_custom.h +1 -1
- data/src/core/lib/gprpp/global_config_env.cc +15 -13
- data/src/core/lib/gprpp/global_config_env.h +2 -2
- data/src/core/lib/gprpp/host_port.cc +112 -0
- data/src/core/lib/gprpp/host_port.h +56 -0
- data/src/core/lib/gprpp/map.h +16 -382
- data/src/core/lib/gprpp/memory.h +12 -75
- data/src/core/lib/gprpp/mpscq.cc +108 -0
- data/src/core/lib/gprpp/mpscq.h +98 -0
- data/src/core/lib/gprpp/orphanable.h +9 -14
- data/src/core/lib/gprpp/ref_counted.h +97 -44
- data/src/core/lib/gprpp/ref_counted_ptr.h +8 -1
- data/src/core/lib/gprpp/sync.h +9 -0
- data/src/core/lib/gprpp/thd.h +13 -6
- data/src/core/lib/gprpp/thd_posix.cc +29 -3
- data/src/core/lib/gprpp/thd_windows.cc +12 -4
- data/src/core/lib/http/format_request.cc +46 -65
- data/src/core/lib/http/httpcli.cc +18 -16
- data/src/core/lib/http/httpcli.h +2 -3
- data/src/core/lib/http/httpcli_security_connector.cc +27 -21
- data/src/core/lib/http/parser.cc +1 -1
- data/src/core/lib/http/parser.h +2 -3
- data/src/core/lib/iomgr/buffer_list.cc +45 -40
- data/src/core/lib/iomgr/buffer_list.h +27 -27
- data/src/core/lib/iomgr/call_combiner.cc +12 -12
- data/src/core/lib/iomgr/call_combiner.h +10 -8
- data/src/core/lib/iomgr/cfstream_handle.cc +11 -3
- data/src/core/lib/iomgr/cfstream_handle.h +11 -3
- data/src/core/lib/iomgr/closure.h +43 -141
- data/src/core/lib/iomgr/combiner.cc +46 -90
- data/src/core/lib/iomgr/combiner.h +30 -8
- data/src/core/lib/iomgr/dualstack_socket_posix.cc +47 -0
- data/src/core/lib/iomgr/endpoint.cc +5 -1
- data/src/core/lib/iomgr/endpoint.h +7 -3
- data/src/core/lib/iomgr/endpoint_cfstream.cc +41 -19
- data/src/core/lib/iomgr/endpoint_pair.h +2 -3
- data/src/core/lib/iomgr/endpoint_pair_posix.cc +11 -11
- data/src/core/lib/iomgr/error.cc +26 -19
- data/src/core/lib/iomgr/error.h +15 -8
- data/src/core/lib/iomgr/error_cfstream.cc +9 -8
- data/src/core/lib/iomgr/error_internal.h +1 -1
- data/src/core/lib/iomgr/ev_apple.cc +356 -0
- data/src/core/lib/iomgr/ev_apple.h +43 -0
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +48 -47
- data/src/core/lib/iomgr/ev_epollex_linux.cc +80 -94
- data/src/core/lib/iomgr/ev_poll_posix.cc +42 -26
- data/src/core/lib/iomgr/ev_posix.cc +9 -8
- data/src/core/lib/iomgr/ev_posix.h +3 -2
- data/src/core/lib/iomgr/ev_windows.cc +2 -2
- data/src/core/lib/iomgr/exec_ctx.cc +78 -21
- data/src/core/lib/iomgr/exec_ctx.h +27 -7
- data/src/core/lib/iomgr/executor.cc +25 -41
- data/src/core/lib/iomgr/executor.h +7 -7
- data/src/core/lib/iomgr/executor/mpmcqueue.cc +183 -0
- data/src/core/lib/iomgr/executor/mpmcqueue.h +175 -0
- data/src/core/lib/iomgr/executor/threadpool.cc +137 -0
- data/src/core/lib/iomgr/executor/threadpool.h +149 -0
- data/src/core/lib/iomgr/fork_posix.cc +8 -2
- data/src/core/lib/iomgr/iocp_windows.cc +2 -2
- data/src/core/lib/iomgr/iomgr.cc +4 -4
- data/src/core/lib/iomgr/iomgr_custom.cc +1 -1
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +87 -9
- data/src/core/lib/iomgr/iomgr_uv.cc +3 -0
- data/src/core/lib/iomgr/is_epollexclusive_available.cc +14 -0
- data/src/core/lib/iomgr/load_file.cc +1 -0
- data/src/core/lib/iomgr/lockfree_event.cc +13 -12
- data/src/core/lib/iomgr/parse_address.cc +238 -0
- data/src/core/lib/iomgr/parse_address.h +53 -0
- data/src/core/lib/iomgr/poller/eventmanager_libuv.cc +87 -0
- data/src/core/lib/iomgr/poller/eventmanager_libuv.h +88 -0
- data/src/core/lib/iomgr/pollset_custom.cc +5 -5
- data/src/core/lib/iomgr/pollset_set_custom.cc +10 -10
- data/src/core/lib/iomgr/pollset_uv.h +32 -0
- data/src/core/lib/iomgr/pollset_windows.cc +16 -2
- data/src/core/lib/iomgr/port.h +10 -22
- data/src/core/lib/iomgr/python_util.h +46 -0
- data/src/core/lib/iomgr/resolve_address.h +4 -6
- data/src/core/lib/iomgr/resolve_address_custom.cc +49 -68
- data/src/core/lib/iomgr/resolve_address_custom.h +4 -2
- data/src/core/lib/iomgr/resolve_address_posix.cc +20 -24
- data/src/core/lib/iomgr/resolve_address_windows.cc +22 -35
- data/src/core/lib/iomgr/resource_quota.cc +120 -110
- data/src/core/lib/iomgr/resource_quota.h +13 -9
- data/src/core/lib/iomgr/sockaddr_utils.cc +33 -36
- data/src/core/lib/iomgr/sockaddr_utils.h +12 -16
- data/src/core/lib/iomgr/socket_factory_posix.h +2 -3
- data/src/core/lib/iomgr/socket_mutator.h +2 -3
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +140 -82
- data/src/core/lib/iomgr/socket_utils_posix.h +19 -0
- data/src/core/lib/iomgr/socket_windows.cc +6 -7
- data/src/core/lib/iomgr/socket_windows.h +1 -1
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +18 -21
- data/src/core/lib/iomgr/tcp_client_custom.cc +9 -11
- data/src/core/lib/iomgr/tcp_client_posix.cc +47 -59
- data/src/core/lib/iomgr/tcp_client_posix.h +6 -6
- data/src/core/lib/iomgr/tcp_client_windows.cc +12 -13
- data/src/core/lib/iomgr/tcp_custom.cc +58 -36
- data/src/core/lib/iomgr/tcp_custom.h +4 -1
- data/src/core/lib/iomgr/tcp_posix.cc +697 -124
- data/src/core/lib/iomgr/tcp_server.cc +8 -4
- data/src/core/lib/iomgr/tcp_server.h +28 -5
- data/src/core/lib/iomgr/tcp_server_custom.cc +46 -41
- data/src/core/lib/iomgr/tcp_server_posix.cc +102 -46
- data/src/core/lib/iomgr/tcp_server_utils_posix.h +6 -4
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +17 -19
- data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +10 -18
- data/src/core/lib/iomgr/tcp_server_windows.cc +33 -29
- data/src/core/lib/iomgr/tcp_uv.cc +8 -8
- data/src/core/lib/iomgr/tcp_windows.cc +49 -30
- data/src/core/lib/iomgr/time_averaged_stats.h +2 -3
- data/src/core/lib/iomgr/timer.h +2 -1
- data/src/core/lib/iomgr/timer_custom.cc +7 -5
- data/src/core/lib/iomgr/timer_generic.cc +26 -24
- data/src/core/lib/iomgr/timer_generic.h +39 -0
- data/src/core/lib/iomgr/timer_heap.h +2 -3
- data/src/core/lib/iomgr/timer_manager.cc +8 -30
- data/src/core/lib/iomgr/timer_manager.h +2 -0
- data/src/core/lib/iomgr/udp_server.cc +53 -53
- data/src/core/lib/iomgr/udp_server.h +11 -14
- data/src/core/lib/iomgr/unix_sockets_posix.cc +9 -14
- data/src/core/lib/iomgr/unix_sockets_posix.h +3 -1
- data/src/core/lib/iomgr/unix_sockets_posix_noop.cc +5 -2
- data/src/core/lib/iomgr/work_serializer.cc +155 -0
- data/src/core/lib/iomgr/work_serializer.h +65 -0
- data/src/core/lib/json/json.h +209 -68
- data/src/core/lib/json/json_reader.cc +508 -317
- data/src/core/lib/json/json_writer.cc +202 -110
- data/src/core/lib/profiling/basic_timers.cc +2 -2
- data/src/core/lib/security/authorization/authorization_engine.cc +177 -0
- data/src/core/lib/security/authorization/authorization_engine.h +84 -0
- data/src/core/lib/security/authorization/evaluate_args.cc +153 -0
- data/src/core/lib/security/authorization/evaluate_args.h +59 -0
- data/src/core/lib/security/authorization/mock_cel/activation.h +57 -0
- data/src/core/lib/security/authorization/mock_cel/cel_expr_builder_factory.h +42 -0
- data/src/core/lib/security/authorization/mock_cel/cel_expression.h +68 -0
- data/src/core/lib/security/authorization/mock_cel/cel_value.h +93 -0
- data/src/core/lib/security/authorization/mock_cel/evaluator_core.h +67 -0
- data/src/core/lib/security/authorization/mock_cel/flat_expr_builder.h +56 -0
- data/src/core/lib/security/authorization/mock_cel/statusor.h +50 -0
- data/src/core/lib/security/credentials/alts/alts_credentials.cc +10 -7
- data/src/core/lib/security/credentials/alts/check_gcp_environment.cc +1 -1
- data/src/core/lib/security/credentials/alts/check_gcp_environment_windows.cc +45 -57
- data/src/core/lib/security/credentials/alts/grpc_alts_credentials_server_options.cc +1 -1
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +26 -6
- data/src/core/lib/security/credentials/composite/composite_credentials.h +11 -4
- data/src/core/lib/security/credentials/credentials.h +31 -25
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +9 -9
- data/src/core/lib/security/credentials/fake/fake_credentials.h +6 -1
- data/src/core/lib/security/credentials/google_default/credentials_generic.cc +8 -6
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +74 -56
- data/src/core/lib/security/credentials/iam/iam_credentials.cc +12 -10
- data/src/core/lib/security/credentials/iam/iam_credentials.h +4 -0
- data/src/core/lib/security/credentials/jwt/json_token.cc +32 -58
- data/src/core/lib/security/credentials/jwt/json_token.h +5 -7
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +19 -26
- data/src/core/lib/security/credentials/jwt/jwt_credentials.h +12 -0
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +153 -170
- data/src/core/lib/security/credentials/jwt/jwt_verifier.h +4 -6
- data/src/core/lib/security/credentials/local/local_credentials.cc +3 -3
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +332 -87
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +27 -7
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +31 -15
- data/src/core/lib/security/credentials/plugin/plugin_credentials.h +4 -1
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +43 -5
- data/src/core/lib/security/credentials/ssl/ssl_credentials.h +12 -2
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc +70 -17
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +118 -5
- data/src/core/lib/security/credentials/tls/tls_credentials.cc +128 -0
- data/src/core/lib/security/credentials/tls/tls_credentials.h +62 -0
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +67 -32
- data/src/core/lib/security/security_connector/alts/alts_security_connector.h +5 -0
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +64 -47
- data/src/core/lib/security/security_connector/load_system_roots_fallback.cc +2 -2
- data/src/core/lib/security/security_connector/load_system_roots_linux.cc +9 -5
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +42 -16
- data/src/core/lib/security/security_connector/security_connector.cc +4 -1
- data/src/core/lib/security/security_connector/security_connector.h +22 -20
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +55 -62
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.h +8 -5
- data/src/core/lib/security/security_connector/ssl_utils.cc +150 -53
- data/src/core/lib/security/security_connector/ssl_utils.h +41 -17
- data/src/core/lib/security/security_connector/ssl_utils_config.cc +32 -0
- data/src/core/lib/security/security_connector/ssl_utils_config.h +30 -0
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +606 -0
- data/src/core/lib/security/security_connector/tls/tls_security_connector.h +183 -0
- data/src/core/lib/security/transport/auth_filters.h +0 -2
- data/src/core/lib/security/transport/client_auth_filter.cc +74 -28
- data/src/core/lib/security/transport/secure_endpoint.cc +16 -9
- data/src/core/lib/security/transport/security_handshaker.cc +103 -43
- data/src/core/lib/security/transport/security_handshaker.h +4 -2
- data/src/core/lib/security/transport/server_auth_filter.cc +18 -17
- data/src/core/lib/security/util/json_util.cc +35 -15
- data/src/core/lib/security/util/json_util.h +5 -3
- data/src/core/lib/slice/b64.cc +3 -4
- data/src/core/lib/slice/b64.h +3 -4
- data/src/core/lib/slice/slice.cc +188 -73
- data/src/core/lib/slice/slice_buffer.cc +55 -26
- data/src/core/lib/slice/slice_intern.cc +164 -64
- data/src/core/lib/slice/slice_internal.h +110 -8
- data/src/core/lib/slice/slice_string_helpers.cc +10 -1
- data/src/core/lib/slice/slice_string_helpers.h +3 -1
- data/src/core/lib/slice/slice_utils.h +200 -0
- data/src/core/lib/surface/byte_buffer_reader.cc +2 -47
- data/src/core/lib/surface/call.cc +166 -117
- data/src/core/lib/surface/call.h +8 -8
- data/src/core/lib/surface/call_log_batch.cc +51 -60
- data/src/core/lib/surface/channel.cc +188 -137
- data/src/core/lib/surface/channel.h +91 -11
- data/src/core/lib/surface/channel_ping.cc +3 -4
- data/src/core/lib/surface/completion_queue.cc +144 -111
- data/src/core/lib/surface/completion_queue.h +6 -3
- data/src/core/lib/surface/completion_queue_factory.cc +1 -1
- data/src/core/lib/surface/event_string.cc +18 -25
- data/src/core/lib/surface/event_string.h +3 -1
- data/src/core/lib/surface/init.cc +6 -2
- data/src/core/lib/surface/init_secure.cc +2 -2
- data/src/core/lib/surface/lame_client.cc +43 -30
- data/src/core/lib/surface/server.cc +1275 -1316
- data/src/core/lib/surface/server.h +373 -52
- data/src/core/lib/surface/validate_metadata.cc +18 -8
- data/src/core/lib/surface/validate_metadata.h +13 -2
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/authority_override.cc +38 -0
- data/src/core/lib/transport/authority_override.h +32 -0
- data/src/core/lib/transport/byte_stream.cc +5 -7
- data/src/core/lib/transport/byte_stream.h +13 -12
- data/src/core/lib/transport/connectivity_state.cc +118 -98
- data/src/core/lib/transport/connectivity_state.h +114 -50
- data/src/core/lib/transport/error_utils.cc +23 -1
- data/src/core/lib/transport/error_utils.h +6 -0
- data/src/core/lib/transport/metadata.cc +252 -57
- data/src/core/lib/transport/metadata.h +168 -80
- data/src/core/lib/transport/metadata_batch.cc +78 -16
- data/src/core/lib/transport/metadata_batch.h +40 -3
- data/src/core/lib/transport/static_metadata.cc +1169 -495
- data/src/core/lib/transport/static_metadata.h +279 -282
- data/src/core/lib/transport/status_conversion.cc +7 -15
- data/src/core/lib/transport/status_metadata.cc +8 -1
- data/src/core/lib/transport/status_metadata.h +18 -0
- data/src/core/lib/transport/timeout_encoding.cc +7 -0
- data/src/core/lib/transport/timeout_encoding.h +3 -2
- data/src/core/lib/transport/transport.cc +14 -13
- data/src/core/lib/transport/transport.h +48 -8
- data/src/core/lib/transport/transport_op_string.cc +67 -105
- data/src/core/lib/uri/uri_parser.cc +30 -35
- data/src/core/lib/uri/uri_parser.h +5 -4
- data/src/core/plugin_registry/grpc_plugin_registry.cc +36 -4
- data/src/core/tsi/alts/crypt/aes_gcm.cc +0 -2
- data/src/core/tsi/alts/frame_protector/alts_unseal_privacy_integrity_crypter.cc +1 -1
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +414 -120
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +8 -4
- data/src/core/tsi/alts/handshaker/alts_shared_resource.cc +1 -1
- data/src/core/tsi/alts/handshaker/alts_shared_resource.h +1 -1
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +293 -61
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.h +15 -5
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker_private.h +5 -0
- data/src/core/tsi/alts/handshaker/alts_tsi_utils.cc +10 -6
- data/src/core/tsi/alts/handshaker/alts_tsi_utils.h +4 -3
- data/src/core/tsi/alts/handshaker/transport_security_common_api.cc +76 -48
- data/src/core/tsi/alts/handshaker/transport_security_common_api.h +34 -26
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.h +2 -3
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +12 -2
- data/src/core/tsi/fake_transport_security.cc +22 -21
- data/src/core/tsi/fake_transport_security.h +2 -0
- data/src/core/tsi/local_transport_security.cc +8 -6
- data/src/core/tsi/ssl/session_cache/ssl_session.h +2 -6
- data/src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc +2 -3
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +11 -9
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +4 -13
- data/src/core/tsi/ssl/session_cache/ssl_session_openssl.cc +2 -3
- data/src/core/tsi/ssl_transport_security.cc +345 -103
- data/src/core/tsi/ssl_transport_security.h +42 -11
- data/src/core/tsi/ssl_types.h +0 -2
- data/src/core/tsi/transport_security.cc +13 -0
- data/src/core/tsi/transport_security.h +6 -9
- data/src/core/tsi/transport_security_grpc.cc +7 -0
- data/src/core/tsi/transport_security_grpc.h +8 -3
- data/src/core/tsi/transport_security_interface.h +20 -3
- data/src/ruby/bin/math_pb.rb +5 -5
- data/src/ruby/bin/math_services_pb.rb +4 -4
- data/src/ruby/ext/grpc/ext-export.clang +1 -0
- data/src/ruby/ext/grpc/ext-export.gcc +6 -0
- data/src/ruby/ext/grpc/extconf.rb +11 -2
- data/src/ruby/ext/grpc/rb_call.c +13 -4
- data/src/ruby/ext/grpc/rb_call.h +4 -0
- data/src/ruby/ext/grpc/rb_call_credentials.c +61 -13
- data/src/ruby/ext/grpc/rb_channel.c +1 -1
- data/src/ruby/ext/grpc/rb_channel_credentials.c +9 -0
- data/src/ruby/ext/grpc/rb_enable_cpp.cc +22 -0
- data/src/ruby/ext/grpc/rb_grpc.c +1 -42
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +16 -6
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +28 -13
- data/src/ruby/lib/grpc.rb +2 -0
- data/src/ruby/lib/grpc/core/status_codes.rb +135 -0
- data/src/ruby/lib/grpc/errors.rb +107 -49
- data/src/ruby/lib/grpc/generic/active_call.rb +2 -3
- data/src/ruby/lib/grpc/generic/bidi_call.rb +1 -1
- data/src/ruby/lib/grpc/generic/client_stub.rb +1 -1
- data/src/ruby/lib/grpc/generic/interceptors.rb +5 -5
- data/src/ruby/lib/grpc/generic/rpc_server.rb +11 -12
- data/src/ruby/lib/grpc/generic/service.rb +5 -4
- data/src/ruby/lib/grpc/google_rpc_status_utils.rb +9 -4
- data/src/ruby/lib/grpc/grpc.rb +1 -1
- data/src/ruby/lib/grpc/structs.rb +15 -0
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/generate_proto_ruby.sh +5 -3
- data/src/ruby/pb/grpc/health/v1/health_pb.rb +3 -3
- data/src/ruby/pb/grpc/health/v1/health_services_pb.rb +2 -2
- data/src/ruby/pb/src/proto/grpc/testing/empty_pb.rb +1 -1
- data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +39 -13
- data/src/ruby/pb/src/proto/grpc/testing/test_services_pb.rb +43 -11
- data/src/ruby/spec/channel_credentials_spec.rb +10 -0
- data/src/ruby/spec/debug_message_spec.rb +134 -0
- data/src/ruby/spec/errors_spec.rb +1 -0
- data/src/ruby/spec/generic/active_call_spec.rb +19 -8
- data/src/ruby/spec/generic/service_spec.rb +2 -0
- data/src/ruby/spec/google_rpc_status_utils_spec.rb +2 -2
- data/src/ruby/spec/pb/codegen/grpc/testing/package_options_import.proto +22 -0
- data/src/ruby/spec/pb/codegen/grpc/testing/package_options_import2.proto +23 -0
- data/src/ruby/spec/pb/codegen/grpc/testing/package_options_ruby_style.proto +41 -0
- data/src/ruby/spec/pb/codegen/grpc/testing/same_package_service_name.proto +27 -0
- data/src/ruby/spec/pb/codegen/grpc/testing/same_ruby_package_service_name.proto +29 -0
- data/src/ruby/spec/pb/codegen/package_option_spec.rb +79 -29
- data/src/ruby/spec/support/services.rb +10 -4
- data/src/ruby/spec/testdata/ca.pem +18 -13
- data/src/ruby/spec/testdata/client.key +26 -14
- data/src/ruby/spec/testdata/client.pem +18 -12
- data/src/ruby/spec/testdata/server1.key +26 -14
- data/src/ruby/spec/testdata/server1.pem +20 -14
- data/src/ruby/spec/user_agent_spec.rb +74 -0
- data/third_party/abseil-cpp/absl/algorithm/algorithm.h +159 -0
- data/third_party/abseil-cpp/absl/algorithm/container.h +1727 -0
- data/third_party/abseil-cpp/absl/base/attributes.h +621 -0
- data/third_party/abseil-cpp/absl/base/call_once.h +226 -0
- data/third_party/abseil-cpp/absl/base/casts.h +184 -0
- data/third_party/abseil-cpp/absl/base/config.h +671 -0
- data/third_party/abseil-cpp/absl/base/const_init.h +76 -0
- data/third_party/abseil-cpp/absl/base/dynamic_annotations.cc +129 -0
- data/third_party/abseil-cpp/absl/base/dynamic_annotations.h +389 -0
- data/third_party/abseil-cpp/absl/base/internal/atomic_hook.h +200 -0
- data/third_party/abseil-cpp/absl/base/internal/bits.h +218 -0
- data/third_party/abseil-cpp/absl/base/internal/cycleclock.cc +107 -0
- data/third_party/abseil-cpp/absl/base/internal/cycleclock.h +94 -0
- data/third_party/abseil-cpp/absl/base/internal/direct_mmap.h +161 -0
- data/third_party/abseil-cpp/absl/base/internal/endian.h +266 -0
- data/third_party/abseil-cpp/absl/base/internal/errno_saver.h +43 -0
- data/third_party/abseil-cpp/absl/base/internal/exponential_biased.cc +93 -0
- data/third_party/abseil-cpp/absl/base/internal/exponential_biased.h +130 -0
- data/third_party/abseil-cpp/absl/base/internal/hide_ptr.h +51 -0
- data/third_party/abseil-cpp/absl/base/internal/identity.h +37 -0
- data/third_party/abseil-cpp/absl/base/internal/inline_variable.h +107 -0
- data/third_party/abseil-cpp/absl/base/internal/invoke.h +187 -0
- data/third_party/abseil-cpp/absl/base/internal/low_level_alloc.cc +620 -0
- data/third_party/abseil-cpp/absl/base/internal/low_level_alloc.h +126 -0
- data/third_party/abseil-cpp/absl/base/internal/low_level_scheduling.h +107 -0
- data/third_party/abseil-cpp/absl/base/internal/per_thread_tls.h +52 -0
- data/third_party/abseil-cpp/absl/base/internal/raw_logging.cc +240 -0
- data/third_party/abseil-cpp/absl/base/internal/raw_logging.h +183 -0
- data/third_party/abseil-cpp/absl/base/internal/scheduling_mode.h +58 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock.cc +233 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock.h +243 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock_akaros.inc +35 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock_linux.inc +66 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock_posix.inc +46 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock_wait.cc +81 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock_wait.h +93 -0
- data/third_party/abseil-cpp/absl/base/internal/spinlock_win32.inc +37 -0
- data/third_party/abseil-cpp/absl/base/internal/sysinfo.cc +416 -0
- data/third_party/abseil-cpp/absl/base/internal/sysinfo.h +66 -0
- data/third_party/abseil-cpp/absl/base/internal/thread_annotations.h +271 -0
- data/third_party/abseil-cpp/absl/base/internal/thread_identity.cc +152 -0
- data/third_party/abseil-cpp/absl/base/internal/thread_identity.h +259 -0
- data/third_party/abseil-cpp/absl/base/internal/throw_delegate.cc +108 -0
- data/third_party/abseil-cpp/absl/base/internal/throw_delegate.h +75 -0
- data/third_party/abseil-cpp/absl/base/internal/tsan_mutex_interface.h +66 -0
- data/third_party/abseil-cpp/absl/base/internal/unaligned_access.h +158 -0
- data/third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc +140 -0
- data/third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.h +124 -0
- data/third_party/abseil-cpp/absl/base/log_severity.cc +27 -0
- data/third_party/abseil-cpp/absl/base/log_severity.h +121 -0
- data/third_party/abseil-cpp/absl/base/macros.h +220 -0
- data/third_party/abseil-cpp/absl/base/optimization.h +181 -0
- data/third_party/abseil-cpp/absl/base/options.h +211 -0
- data/third_party/abseil-cpp/absl/base/policy_checks.h +111 -0
- data/third_party/abseil-cpp/absl/base/port.h +26 -0
- data/third_party/abseil-cpp/absl/base/thread_annotations.h +280 -0
- data/third_party/abseil-cpp/absl/container/fixed_array.h +515 -0
- data/third_party/abseil-cpp/absl/container/flat_hash_set.h +503 -0
- data/third_party/abseil-cpp/absl/container/inlined_vector.h +848 -0
- data/third_party/abseil-cpp/absl/container/internal/common.h +202 -0
- data/third_party/abseil-cpp/absl/container/internal/compressed_tuple.h +265 -0
- data/third_party/abseil-cpp/absl/container/internal/container_memory.h +440 -0
- data/third_party/abseil-cpp/absl/container/internal/hash_function_defaults.h +146 -0
- data/third_party/abseil-cpp/absl/container/internal/hash_policy_traits.h +191 -0
- data/third_party/abseil-cpp/absl/container/internal/hashtable_debug_hooks.h +85 -0
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc +269 -0
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.h +297 -0
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc +30 -0
- data/third_party/abseil-cpp/absl/container/internal/have_sse.h +49 -0
- data/third_party/abseil-cpp/absl/container/internal/inlined_vector.h +892 -0
- data/third_party/abseil-cpp/absl/container/internal/layout.h +741 -0
- data/third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc +48 -0
- data/third_party/abseil-cpp/absl/container/internal/raw_hash_set.h +1882 -0
- data/third_party/abseil-cpp/absl/debugging/internal/address_is_readable.cc +138 -0
- data/third_party/abseil-cpp/absl/debugging/internal/address_is_readable.h +32 -0
- data/third_party/abseil-cpp/absl/debugging/internal/demangle.cc +1895 -0
- data/third_party/abseil-cpp/absl/debugging/internal/demangle.h +71 -0
- data/third_party/abseil-cpp/absl/debugging/internal/elf_mem_image.cc +382 -0
- data/third_party/abseil-cpp/absl/debugging/internal/elf_mem_image.h +134 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_aarch64-inl.inc +192 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_arm-inl.inc +125 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_config.h +70 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_generic-inl.inc +99 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_powerpc-inl.inc +248 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_unimplemented-inl.inc +24 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_win32-inl.inc +85 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_x86-inl.inc +346 -0
- data/third_party/abseil-cpp/absl/debugging/internal/symbolize.h +128 -0
- data/third_party/abseil-cpp/absl/debugging/internal/vdso_support.cc +194 -0
- data/third_party/abseil-cpp/absl/debugging/internal/vdso_support.h +158 -0
- data/third_party/abseil-cpp/absl/debugging/stacktrace.cc +140 -0
- data/third_party/abseil-cpp/absl/debugging/stacktrace.h +231 -0
- data/third_party/abseil-cpp/absl/debugging/symbolize.cc +25 -0
- data/third_party/abseil-cpp/absl/debugging/symbolize.h +99 -0
- data/third_party/abseil-cpp/absl/debugging/symbolize_elf.inc +1480 -0
- data/third_party/abseil-cpp/absl/debugging/symbolize_unimplemented.inc +40 -0
- data/third_party/abseil-cpp/absl/debugging/symbolize_win32.inc +81 -0
- data/third_party/abseil-cpp/absl/functional/function_ref.h +139 -0
- data/third_party/abseil-cpp/absl/functional/internal/function_ref.h +106 -0
- data/third_party/abseil-cpp/absl/hash/hash.h +324 -0
- data/third_party/abseil-cpp/absl/hash/internal/city.cc +346 -0
- data/third_party/abseil-cpp/absl/hash/internal/city.h +96 -0
- data/third_party/abseil-cpp/absl/hash/internal/hash.cc +55 -0
- data/third_party/abseil-cpp/absl/hash/internal/hash.h +988 -0
- data/third_party/abseil-cpp/absl/memory/memory.h +695 -0
- data/third_party/abseil-cpp/absl/meta/type_traits.h +759 -0
- data/third_party/abseil-cpp/absl/numeric/int128.cc +404 -0
- data/third_party/abseil-cpp/absl/numeric/int128.h +1091 -0
- data/third_party/abseil-cpp/absl/numeric/int128_have_intrinsic.inc +302 -0
- data/third_party/abseil-cpp/absl/numeric/int128_no_intrinsic.inc +308 -0
- data/third_party/abseil-cpp/absl/status/status.cc +447 -0
- data/third_party/abseil-cpp/absl/status/status.h +428 -0
- data/third_party/abseil-cpp/absl/status/status_payload_printer.cc +43 -0
- data/third_party/abseil-cpp/absl/status/status_payload_printer.h +51 -0
- data/third_party/abseil-cpp/absl/strings/ascii.cc +200 -0
- data/third_party/abseil-cpp/absl/strings/ascii.h +242 -0
- data/third_party/abseil-cpp/absl/strings/charconv.cc +984 -0
- data/third_party/abseil-cpp/absl/strings/charconv.h +119 -0
- data/third_party/abseil-cpp/absl/strings/cord.cc +2019 -0
- data/third_party/abseil-cpp/absl/strings/cord.h +1121 -0
- data/third_party/abseil-cpp/absl/strings/escaping.cc +949 -0
- data/third_party/abseil-cpp/absl/strings/escaping.h +164 -0
- data/third_party/abseil-cpp/absl/strings/internal/char_map.h +156 -0
- data/third_party/abseil-cpp/absl/strings/internal/charconv_bigint.cc +359 -0
- data/third_party/abseil-cpp/absl/strings/internal/charconv_bigint.h +423 -0
- data/third_party/abseil-cpp/absl/strings/internal/charconv_parse.cc +504 -0
- data/third_party/abseil-cpp/absl/strings/internal/charconv_parse.h +99 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +151 -0
- data/third_party/abseil-cpp/absl/strings/internal/escaping.cc +180 -0
- data/third_party/abseil-cpp/absl/strings/internal/escaping.h +58 -0
- data/third_party/abseil-cpp/absl/strings/internal/memutil.cc +112 -0
- data/third_party/abseil-cpp/absl/strings/internal/memutil.h +148 -0
- data/third_party/abseil-cpp/absl/strings/internal/ostringstream.cc +36 -0
- data/third_party/abseil-cpp/absl/strings/internal/ostringstream.h +89 -0
- data/third_party/abseil-cpp/absl/strings/internal/resize_uninitialized.h +73 -0
- data/third_party/abseil-cpp/absl/strings/internal/stl_type_traits.h +248 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.cc +388 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.h +432 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.cc +245 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.h +209 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/checker.h +326 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/extension.cc +51 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/extension.h +415 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.cc +493 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.h +23 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/output.cc +72 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/output.h +104 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.cc +334 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.h +333 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_join_internal.h +314 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_split_internal.h +455 -0
- data/third_party/abseil-cpp/absl/strings/internal/utf8.cc +53 -0
- data/third_party/abseil-cpp/absl/strings/internal/utf8.h +50 -0
- data/third_party/abseil-cpp/absl/strings/match.cc +40 -0
- data/third_party/abseil-cpp/absl/strings/match.h +90 -0
- data/third_party/abseil-cpp/absl/strings/numbers.cc +965 -0
- data/third_party/abseil-cpp/absl/strings/numbers.h +266 -0
- data/third_party/abseil-cpp/absl/strings/str_cat.cc +246 -0
- data/third_party/abseil-cpp/absl/strings/str_cat.h +408 -0
- data/third_party/abseil-cpp/absl/strings/str_format.h +537 -0
- data/third_party/abseil-cpp/absl/strings/str_join.h +293 -0
- data/third_party/abseil-cpp/absl/strings/str_replace.cc +82 -0
- data/third_party/abseil-cpp/absl/strings/str_replace.h +219 -0
- data/third_party/abseil-cpp/absl/strings/str_split.cc +139 -0
- data/third_party/abseil-cpp/absl/strings/str_split.h +513 -0
- data/third_party/abseil-cpp/absl/strings/string_view.cc +235 -0
- data/third_party/abseil-cpp/absl/strings/string_view.h +622 -0
- data/third_party/abseil-cpp/absl/strings/strip.h +91 -0
- data/third_party/abseil-cpp/absl/strings/substitute.cc +171 -0
- data/third_party/abseil-cpp/absl/strings/substitute.h +693 -0
- data/third_party/abseil-cpp/absl/synchronization/barrier.cc +52 -0
- data/third_party/abseil-cpp/absl/synchronization/barrier.h +79 -0
- data/third_party/abseil-cpp/absl/synchronization/blocking_counter.cc +57 -0
- data/third_party/abseil-cpp/absl/synchronization/blocking_counter.h +99 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/create_thread_identity.cc +140 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/create_thread_identity.h +60 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/graphcycles.cc +697 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/graphcycles.h +141 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/kernel_timeout.h +155 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/mutex_nonprod.inc +261 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.cc +106 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.h +115 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/waiter.cc +484 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/waiter.h +159 -0
- data/third_party/abseil-cpp/absl/synchronization/mutex.cc +2728 -0
- data/third_party/abseil-cpp/absl/synchronization/mutex.h +1056 -0
- data/third_party/abseil-cpp/absl/synchronization/notification.cc +78 -0
- data/third_party/abseil-cpp/absl/synchronization/notification.h +123 -0
- data/third_party/abseil-cpp/absl/time/civil_time.cc +175 -0
- data/third_party/abseil-cpp/absl/time/civil_time.h +538 -0
- data/third_party/abseil-cpp/absl/time/clock.cc +569 -0
- data/third_party/abseil-cpp/absl/time/clock.h +74 -0
- data/third_party/abseil-cpp/absl/time/duration.cc +922 -0
- data/third_party/abseil-cpp/absl/time/format.cc +153 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time.h +332 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time_detail.h +622 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/time_zone.h +384 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/zone_info_source.h +102 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/civil_time_detail.cc +94 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_fixed.cc +140 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_fixed.h +52 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_format.cc +922 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_if.cc +45 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_if.h +76 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_impl.cc +121 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_impl.h +93 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_info.cc +958 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_info.h +138 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.cc +308 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.h +55 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_lookup.cc +187 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_posix.cc +159 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_posix.h +132 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/tzfile.h +122 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/zone_info_source.cc +115 -0
- data/third_party/abseil-cpp/absl/time/internal/get_current_time_chrono.inc +31 -0
- data/third_party/abseil-cpp/absl/time/internal/get_current_time_posix.inc +24 -0
- data/third_party/abseil-cpp/absl/time/time.cc +499 -0
- data/third_party/abseil-cpp/absl/time/time.h +1584 -0
- data/third_party/abseil-cpp/absl/types/bad_optional_access.cc +48 -0
- data/third_party/abseil-cpp/absl/types/bad_optional_access.h +78 -0
- data/third_party/abseil-cpp/absl/types/bad_variant_access.cc +64 -0
- data/third_party/abseil-cpp/absl/types/bad_variant_access.h +82 -0
- data/third_party/abseil-cpp/absl/types/internal/optional.h +396 -0
- data/third_party/abseil-cpp/absl/types/internal/span.h +128 -0
- data/third_party/abseil-cpp/absl/types/internal/variant.h +1646 -0
- data/third_party/abseil-cpp/absl/types/optional.h +776 -0
- data/third_party/abseil-cpp/absl/types/span.h +713 -0
- data/third_party/abseil-cpp/absl/types/variant.h +861 -0
- data/third_party/abseil-cpp/absl/utility/utility.h +350 -0
- data/third_party/boringssl-with-bazel/err_data.c +1451 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +271 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +123 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +93 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +87 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +195 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_gentm.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +88 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +420 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +305 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +286 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_octet.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_print.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +313 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +212 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +151 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_utctm.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_utf8.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +446 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/asn1_locl.h +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/asn1_par.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +105 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_enum.c +93 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +97 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +91 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/tasn_dec.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +664 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/tasn_fre.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/tasn_new.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/tasn_typ.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/tasn_utl.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/time_support.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +466 -0
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +700 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bio/bio_mem.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +545 -0
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +279 -0
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +317 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bio/hexdump.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bio/internal.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +488 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bio/printf.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +206 -0
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +118 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bn_extra/bn_asn1.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +470 -0
- data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +172 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bytestring/asn1_compat.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +265 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +719 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +688 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +96 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/unicode.c +155 -0
- data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +184 -0
- data/third_party/boringssl-with-bazel/src/crypto/chacha/internal.h +45 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +143 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +152 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesccm.c +447 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +283 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +891 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +418 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cipher_extra/e_null.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cipher_extra/e_rc2.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cipher_extra/e_rc4.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +688 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cipher_extra/internal.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +492 -0
- data/third_party/boringssl-with-bazel/src/crypto/cmac/cmac.c +278 -0
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +810 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/conf/conf_def.h +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/conf/internal.h +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cpu-aarch64-fuchsia.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cpu-aarch64-linux.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu-arm-linux.c +220 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu-arm-linux.h +201 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cpu-arm.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu-intel.c +291 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cpu-ppc64le.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +226 -0
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +2159 -0
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519_tables.h +7872 -0
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +146 -0
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +539 -0
- data/third_party/boringssl-with-bazel/src/crypto/dh/check.c +217 -0
- data/third_party/boringssl-with-bazel/src/crypto/dh/dh.c +533 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/dh/dh_asn1.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/dh/params.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/digest_extra/digest_extra.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +980 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/dsa/dsa_asn1.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +574 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_derive.c +95 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +385 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +56 -0
- data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.c +124 -0
- data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +267 -0
- data/third_party/boringssl-with-bazel/src/crypto/engine/engine.c +99 -0
- data/third_party/boringssl-with-bazel/src/crypto/err/err.c +850 -0
- data/third_party/boringssl-with-bazel/src/crypto/err/internal.h +58 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/digestsign.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +443 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +547 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +484 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +269 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +273 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +286 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +255 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +104 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +221 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +648 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +194 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +110 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +248 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/pbkdf.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/print.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +213 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/sign.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/ex_data.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +108 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +1282 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +238 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +236 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +122 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +263 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/add.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/asm/x86_64-gcc.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +445 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/bytes.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +200 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +236 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +886 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +87 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +1288 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +378 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +325 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/generic.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +704 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/jacobi.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +502 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +186 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +749 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +1068 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +341 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +226 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +104 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +364 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/sqrt.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/cipher/aead.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +620 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +1302 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_des.c +237 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +128 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/delocate.h +89 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/des/des.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/des/internal.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +271 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digests.c +296 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/digest/internal.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/md32_common.h +268 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +1252 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +465 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +524 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/felem.c +100 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +776 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +328 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +1180 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64-table.h +9497 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64.c +633 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64.h +153 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +740 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256_table.h +297 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +175 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +357 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +270 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/util.c +255 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +270 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +122 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +328 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/fips_shared_support.c +32 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/hmac/hmac.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/is_fips.c +29 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +256 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md5/internal.h +37 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md5/md5.c +301 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +167 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +202 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +200 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +729 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +304 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +441 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +96 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/modes/polyval.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +202 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +137 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +49 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +64 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +163 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +378 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +391 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +243 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +127 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +695 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +898 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +1358 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +716 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +53 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/sha/sha1-altivec.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +371 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +343 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +544 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/tls/internal.h +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/tls/kdf.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/hkdf/hkdf.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +456 -0
- data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +192 -0
- data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +2100 -0
- data/third_party/boringssl-with-bazel/src/crypto/hrss/internal.h +61 -0
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +834 -0
- data/third_party/boringssl-with-bazel/src/crypto/lhash/lhash.c +348 -0
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +373 -0
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +549 -0
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +11585 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/obj/obj_xref.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +261 -0
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +360 -0
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +777 -0
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +87 -0
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +257 -0
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +218 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/pem/pem_x509.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/pem/pem_xaux.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/pkcs7/internal.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7.c +159 -0
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +385 -0
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/internal.h +138 -0
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/p5_pbev2.c +316 -0
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +530 -0
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +1336 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/poly1305/internal.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +318 -0
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +305 -0
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +856 -0
- data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +45 -0
- data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +220 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/deterministic.c +52 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/rand_extra/forkunsafe.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/fuchsia.c +30 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/rand_extra/rand_extra.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/windows.c +69 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/rc4/rc4.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/refcount_c11.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +53 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/rsa_extra/rsa_asn1.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_print.c +22 -0
- data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +82 -0
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +431 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/thread.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/thread_none.c +59 -0
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +210 -0
- data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +260 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +249 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +1227 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +682 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/a_digest.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/a_sign.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_strex.c +653 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +114 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +161 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +842 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +458 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +275 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/charmap.h +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/i2d_pr.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/internal.h +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/rsa_pss.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +125 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +244 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +544 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/t_x509a.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/vpm_int.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +90 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509_att.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +483 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509_d2.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +103 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509_ext.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +834 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +198 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_r2x.c +116 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +351 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +226 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +329 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +204 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509_v3.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +2506 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +671 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +235 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +389 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509rset.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509spki.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_algor.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +399 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_attrib.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +563 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_exten.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_info.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_name.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_pkey.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +214 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_req.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +89 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_spki.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_val.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +356 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_x509a.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +141 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +61 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +286 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/pcy_data.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/pcy_int.h +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/pcy_lib.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/pcy_map.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +189 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +842 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +207 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_akeya.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +629 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_bcons.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_bitst.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +463 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +503 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_crld.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +100 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_extku.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +246 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_ia5.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +218 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_int.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +371 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_ncons.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +68 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +288 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_pcia.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_pcons.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_pku.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_pmaps.c +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_prn.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +882 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +155 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_sxnet.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1395 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +459 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/aes.h +207 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +173 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +911 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/asn1_mac.h +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/asn1t.h +0 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +575 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/base64.h +190 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +933 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/blowfish.h +93 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +1057 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/buf.h +137 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/buffer.h +0 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +561 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/cast.h +96 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/chacha.h +0 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +638 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/cmac.h +91 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +180 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +212 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +149 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/curve25519.h +201 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/des.h +0 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +319 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +331 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +457 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/dtls1.h +0 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/e_os2.h +18 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +424 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +372 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdh.h +118 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +205 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/engine.h +109 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +465 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +1119 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/ex_data.h +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/hkdf.h +0 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +186 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/hrss.h +100 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/is_boringssl.h +0 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/lhash.h +282 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/md4.h +108 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/md5.h +109 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +175 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +4259 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/obj.h +236 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/obj_mac.h +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/objects.h +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/opensslconf.h +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/opensslv.h +0 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/ossl_typ.h +0 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +435 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/pkcs12.h +0 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +215 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +269 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/poly1305.h +49 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/pool.h +102 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +111 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/rc4.h +0 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ripemd.h +108 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +818 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/safestack.h +0 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/sha.h +294 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/siphash.h +37 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +199 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/srtp.h +0 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +5247 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +333 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +542 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +191 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +631 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +282 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +90 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1292 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +681 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +831 -0
- data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/bio_ssl.cc +0 -0
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +837 -0
- data/third_party/boringssl-with-bazel/src/ssl/d1_lib.cc +268 -0
- data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +273 -0
- data/third_party/boringssl-with-bazel/src/ssl/d1_srtp.cc +232 -0
- data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +200 -0
- data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +353 -0
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +675 -0
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +710 -0
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +1890 -0
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +1814 -0
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +3579 -0
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +724 -0
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +221 -0
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +458 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +432 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +856 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +306 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +1016 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +1718 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +585 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +397 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +3053 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +835 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +1313 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_stat.cc +230 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +277 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +394 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +1358 -0
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +386 -0
- data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +3895 -0
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +689 -0
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +1027 -0
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +513 -0
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +1104 -0
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +317 -0
- data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +705 -0
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +981 -0
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +619 -0
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3147 -0
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1226 -0
- data/third_party/re2/re2/bitmap256.h +117 -0
- data/third_party/re2/re2/bitstate.cc +385 -0
- data/third_party/re2/re2/compile.cc +1279 -0
- data/third_party/re2/re2/dfa.cc +2130 -0
- data/third_party/re2/re2/filtered_re2.cc +121 -0
- data/third_party/re2/re2/filtered_re2.h +109 -0
- data/third_party/re2/re2/mimics_pcre.cc +197 -0
- data/third_party/re2/re2/nfa.cc +713 -0
- data/third_party/re2/re2/onepass.cc +623 -0
- data/third_party/re2/re2/parse.cc +2464 -0
- data/third_party/re2/re2/perl_groups.cc +119 -0
- data/third_party/re2/re2/pod_array.h +55 -0
- data/third_party/re2/re2/prefilter.cc +710 -0
- data/third_party/re2/re2/prefilter.h +108 -0
- data/third_party/re2/re2/prefilter_tree.cc +407 -0
- data/third_party/re2/re2/prefilter_tree.h +139 -0
- data/third_party/re2/re2/prog.cc +988 -0
- data/third_party/re2/re2/prog.h +436 -0
- data/third_party/re2/re2/re2.cc +1362 -0
- data/third_party/re2/re2/re2.h +1002 -0
- data/third_party/re2/re2/regexp.cc +980 -0
- data/third_party/re2/re2/regexp.h +659 -0
- data/third_party/re2/re2/set.cc +154 -0
- data/third_party/re2/re2/set.h +80 -0
- data/third_party/re2/re2/simplify.cc +657 -0
- data/third_party/re2/re2/sparse_array.h +392 -0
- data/third_party/re2/re2/sparse_set.h +264 -0
- data/third_party/re2/re2/stringpiece.cc +65 -0
- data/third_party/re2/re2/stringpiece.h +210 -0
- data/third_party/re2/re2/tostring.cc +351 -0
- data/third_party/re2/re2/unicode_casefold.cc +582 -0
- data/third_party/re2/re2/unicode_casefold.h +78 -0
- data/third_party/re2/re2/unicode_groups.cc +6269 -0
- data/third_party/re2/re2/unicode_groups.h +67 -0
- data/third_party/re2/re2/walker-inl.h +246 -0
- data/third_party/re2/util/benchmark.h +156 -0
- data/third_party/re2/util/flags.h +26 -0
- data/third_party/re2/util/logging.h +109 -0
- data/third_party/re2/util/malloc_counter.h +19 -0
- data/third_party/re2/util/mix.h +41 -0
- data/third_party/re2/util/mutex.h +148 -0
- data/third_party/re2/util/pcre.cc +1025 -0
- data/third_party/re2/util/pcre.h +681 -0
- data/third_party/re2/util/rune.cc +260 -0
- data/third_party/re2/util/strutil.cc +149 -0
- data/third_party/re2/util/strutil.h +21 -0
- data/third_party/re2/util/test.h +50 -0
- data/third_party/re2/util/utf.h +44 -0
- data/third_party/re2/util/util.h +42 -0
- data/third_party/upb/upb/decode.c +621 -0
- data/third_party/upb/upb/decode.h +21 -0
- data/third_party/upb/upb/encode.c +420 -0
- data/third_party/upb/upb/encode.h +21 -0
- data/third_party/upb/upb/msg.c +177 -0
- data/third_party/upb/upb/msg.h +473 -0
- data/third_party/upb/upb/port.c +26 -0
- data/third_party/upb/upb/port_def.inc +179 -0
- data/third_party/upb/upb/port_undef.inc +28 -0
- data/third_party/upb/upb/table.c +880 -0
- data/third_party/upb/upb/table.int.h +466 -0
- data/third_party/upb/upb/upb.c +287 -0
- data/third_party/upb/upb/upb.h +308 -0
- data/third_party/upb/upb/upb.hpp +88 -0
- metadata +1054 -526
- data/src/boringssl/err_data.c +0 -1362
- data/src/core/ext/filters/client_channel/connector.cc +0 -41
- data/src/core/ext/filters/client_channel/health/health.pb.c +0 -23
- data/src/core/ext/filters/client_channel/health/health.pb.h +0 -73
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/proto/grpc/lb/v1/google/protobuf/duration.pb.c +0 -19
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/proto/grpc/lb/v1/google/protobuf/duration.pb.h +0 -54
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/proto/grpc/lb/v1/google/protobuf/timestamp.pb.c +0 -19
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/proto/grpc/lb/v1/google/protobuf/timestamp.pb.h +0 -54
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/proto/grpc/lb/v1/load_balancer.pb.c +0 -89
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/proto/grpc/lb/v1/load_balancer.pb.h +0 -164
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.cc +0 -2249
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel.h +0 -36
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_secure.cc +0 -61
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_client_stats.cc +0 -85
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_client_stats.h +0 -72
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_load_balancer_api.cc +0 -307
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_load_balancer_api.h +0 -89
- data/src/core/ext/filters/client_channel/parse_address.cc +0 -234
- data/src/core/ext/filters/client_channel/parse_address.h +0 -53
- data/src/core/ext/filters/client_channel/proxy_mapper.cc +0 -48
- data/src/core/lib/gpr/host_port.cc +0 -98
- data/src/core/lib/gpr/host_port.h +0 -43
- data/src/core/lib/gpr/mpscq.cc +0 -117
- data/src/core/lib/gpr/mpscq.h +0 -88
- data/src/core/lib/gprpp/abstract.h +0 -37
- data/src/core/lib/gprpp/inlined_vector.h +0 -200
- data/src/core/lib/gprpp/optional.h +0 -48
- data/src/core/lib/gprpp/pair.h +0 -38
- data/src/core/lib/json/json.cc +0 -94
- data/src/core/lib/json/json_common.h +0 -34
- data/src/core/lib/json/json_reader.h +0 -146
- data/src/core/lib/json/json_string.cc +0 -367
- data/src/core/lib/json/json_writer.h +0 -84
- data/src/core/lib/security/credentials/tls/spiffe_credentials.cc +0 -129
- data/src/core/lib/security/credentials/tls/spiffe_credentials.h +0 -62
- data/src/core/lib/security/security_connector/tls/spiffe_security_connector.cc +0 -426
- data/src/core/lib/security/security_connector/tls/spiffe_security_connector.h +0 -122
- data/src/core/lib/security/transport/target_authority_table.cc +0 -75
- data/src/core/lib/security/transport/target_authority_table.h +0 -40
- data/src/core/lib/slice/slice_hash_table.h +0 -205
- data/src/core/lib/slice/slice_weak_hash_table.h +0 -109
- data/src/core/tsi/alts/handshaker/alts_handshaker_service_api.cc +0 -520
- data/src/core/tsi/alts/handshaker/alts_handshaker_service_api.h +0 -323
- data/src/core/tsi/alts/handshaker/alts_handshaker_service_api_util.cc +0 -145
- data/src/core/tsi/alts/handshaker/alts_handshaker_service_api_util.h +0 -149
- data/src/core/tsi/alts/handshaker/altscontext.pb.c +0 -47
- data/src/core/tsi/alts/handshaker/altscontext.pb.h +0 -63
- data/src/core/tsi/alts/handshaker/handshaker.pb.c +0 -122
- data/src/core/tsi/alts/handshaker/handshaker.pb.h +0 -254
- data/src/core/tsi/alts/handshaker/transport_security_common.pb.c +0 -49
- data/src/core/tsi/alts/handshaker/transport_security_common.pb.h +0 -78
- data/src/core/tsi/grpc_shadow_boringssl.h +0 -3006
- data/third_party/boringssl/crypto/asn1/a_bitstr.c +0 -271
- data/third_party/boringssl/crypto/asn1/a_bool.c +0 -110
- data/third_party/boringssl/crypto/asn1/a_d2i_fp.c +0 -297
- data/third_party/boringssl/crypto/asn1/a_dup.c +0 -111
- data/third_party/boringssl/crypto/asn1/a_enum.c +0 -195
- data/third_party/boringssl/crypto/asn1/a_i2d_fp.c +0 -150
- data/third_party/boringssl/crypto/asn1/a_int.c +0 -479
- data/third_party/boringssl/crypto/asn1/a_mbstr.c +0 -411
- data/third_party/boringssl/crypto/asn1/a_object.c +0 -275
- data/third_party/boringssl/crypto/asn1/a_strnid.c +0 -312
- data/third_party/boringssl/crypto/asn1/a_time.c +0 -213
- data/third_party/boringssl/crypto/asn1/a_type.c +0 -151
- data/third_party/boringssl/crypto/asn1/asn1_lib.c +0 -442
- data/third_party/boringssl/crypto/asn1/asn_pack.c +0 -105
- data/third_party/boringssl/crypto/asn1/f_enum.c +0 -93
- data/third_party/boringssl/crypto/asn1/f_int.c +0 -97
- data/third_party/boringssl/crypto/asn1/f_string.c +0 -91
- data/third_party/boringssl/crypto/asn1/tasn_enc.c +0 -662
- data/third_party/boringssl/crypto/base64/base64.c +0 -466
- data/third_party/boringssl/crypto/bio/bio.c +0 -636
- data/third_party/boringssl/crypto/bio/connect.c +0 -542
- data/third_party/boringssl/crypto/bio/fd.c +0 -276
- data/third_party/boringssl/crypto/bio/file.c +0 -315
- data/third_party/boringssl/crypto/bio/pair.c +0 -489
- data/third_party/boringssl/crypto/bio/socket.c +0 -202
- data/third_party/boringssl/crypto/bio/socket_helper.c +0 -114
- data/third_party/boringssl/crypto/bn_extra/convert.c +0 -466
- data/third_party/boringssl/crypto/buf/buf.c +0 -231
- data/third_party/boringssl/crypto/bytestring/ber.c +0 -261
- data/third_party/boringssl/crypto/bytestring/cbb.c +0 -668
- data/third_party/boringssl/crypto/bytestring/cbs.c +0 -618
- data/third_party/boringssl/crypto/bytestring/internal.h +0 -75
- data/third_party/boringssl/crypto/chacha/chacha.c +0 -167
- data/third_party/boringssl/crypto/cipher_extra/cipher_extra.c +0 -114
- data/third_party/boringssl/crypto/cipher_extra/derive_key.c +0 -152
- data/third_party/boringssl/crypto/cipher_extra/e_aesccm.c +0 -203
- data/third_party/boringssl/crypto/cipher_extra/e_aesctrhmac.c +0 -281
- data/third_party/boringssl/crypto/cipher_extra/e_aesgcmsiv.c +0 -867
- data/third_party/boringssl/crypto/cipher_extra/e_chacha20poly1305.c +0 -326
- data/third_party/boringssl/crypto/cipher_extra/e_ssl3.c +0 -460
- data/third_party/boringssl/crypto/cipher_extra/e_tls.c +0 -680
- data/third_party/boringssl/crypto/cipher_extra/tls_cbc.c +0 -482
- data/third_party/boringssl/crypto/cmac/cmac.c +0 -241
- data/third_party/boringssl/crypto/conf/conf.c +0 -803
- data/third_party/boringssl/crypto/cpu-arm-linux.c +0 -363
- data/third_party/boringssl/crypto/cpu-intel.c +0 -288
- data/third_party/boringssl/crypto/crypto.c +0 -198
- data/third_party/boringssl/crypto/curve25519/spake25519.c +0 -539
- data/third_party/boringssl/crypto/dh/check.c +0 -217
- data/third_party/boringssl/crypto/dh/dh.c +0 -519
- data/third_party/boringssl/crypto/dsa/dsa.c +0 -946
- data/third_party/boringssl/crypto/ec_extra/ec_asn1.c +0 -562
- data/third_party/boringssl/crypto/ecdh/ecdh.c +0 -162
- data/third_party/boringssl/crypto/ecdsa_extra/ecdsa_asn1.c +0 -275
- data/third_party/boringssl/crypto/engine/engine.c +0 -98
- data/third_party/boringssl/crypto/err/err.c +0 -847
- data/third_party/boringssl/crypto/err/internal.h +0 -58
- data/third_party/boringssl/crypto/evp/evp.c +0 -362
- data/third_party/boringssl/crypto/evp/evp_asn1.c +0 -337
- data/third_party/boringssl/crypto/evp/evp_ctx.c +0 -446
- data/third_party/boringssl/crypto/evp/internal.h +0 -252
- data/third_party/boringssl/crypto/evp/p_dsa_asn1.c +0 -268
- data/third_party/boringssl/crypto/evp/p_ec.c +0 -239
- data/third_party/boringssl/crypto/evp/p_ec_asn1.c +0 -256
- data/third_party/boringssl/crypto/evp/p_ed25519.c +0 -71
- data/third_party/boringssl/crypto/evp/p_ed25519_asn1.c +0 -190
- data/third_party/boringssl/crypto/evp/p_rsa.c +0 -634
- data/third_party/boringssl/crypto/evp/p_rsa_asn1.c +0 -189
- data/third_party/boringssl/crypto/evp/scrypt.c +0 -209
- data/third_party/boringssl/crypto/fipsmodule/aes/aes.c +0 -1100
- data/third_party/boringssl/crypto/fipsmodule/aes/internal.h +0 -100
- data/third_party/boringssl/crypto/fipsmodule/aes/key_wrap.c +0 -138
- data/third_party/boringssl/crypto/fipsmodule/aes/mode_wrappers.c +0 -112
- data/third_party/boringssl/crypto/fipsmodule/bcm.c +0 -148
- data/third_party/boringssl/crypto/fipsmodule/bn/bn.c +0 -428
- data/third_party/boringssl/crypto/fipsmodule/bn/cmp.c +0 -200
- data/third_party/boringssl/crypto/fipsmodule/bn/ctx.c +0 -303
- data/third_party/boringssl/crypto/fipsmodule/bn/div.c +0 -895
- data/third_party/boringssl/crypto/fipsmodule/bn/exponentiation.c +0 -1356
- data/third_party/boringssl/crypto/fipsmodule/bn/gcd.c +0 -683
- data/third_party/boringssl/crypto/fipsmodule/bn/internal.h +0 -573
- data/third_party/boringssl/crypto/fipsmodule/bn/montgomery.c +0 -526
- data/third_party/boringssl/crypto/fipsmodule/bn/montgomery_inv.c +0 -185
- data/third_party/boringssl/crypto/fipsmodule/bn/mul.c +0 -876
- data/third_party/boringssl/crypto/fipsmodule/bn/prime.c +0 -1154
- data/third_party/boringssl/crypto/fipsmodule/bn/random.c +0 -351
- data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.c +0 -231
- data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.h +0 -33
- data/third_party/boringssl/crypto/fipsmodule/bn/shift.c +0 -364
- data/third_party/boringssl/crypto/fipsmodule/cipher/cipher.c +0 -615
- data/third_party/boringssl/crypto/fipsmodule/cipher/e_aes.c +0 -1437
- data/third_party/boringssl/crypto/fipsmodule/cipher/e_des.c +0 -233
- data/third_party/boringssl/crypto/fipsmodule/cipher/internal.h +0 -129
- data/third_party/boringssl/crypto/fipsmodule/delocate.h +0 -88
- data/third_party/boringssl/crypto/fipsmodule/digest/digest.c +0 -256
- data/third_party/boringssl/crypto/fipsmodule/digest/digests.c +0 -280
- data/third_party/boringssl/crypto/fipsmodule/digest/md32_common.h +0 -268
- data/third_party/boringssl/crypto/fipsmodule/ec/ec.c +0 -974
- data/third_party/boringssl/crypto/fipsmodule/ec/ec_key.c +0 -453
- data/third_party/boringssl/crypto/fipsmodule/ec/ec_montgomery.c +0 -270
- data/third_party/boringssl/crypto/fipsmodule/ec/internal.h +0 -337
- data/third_party/boringssl/crypto/fipsmodule/ec/oct.c +0 -373
- data/third_party/boringssl/crypto/fipsmodule/ec/p224-64.c +0 -1104
- data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64-table.h +0 -9503
- data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.c +0 -447
- data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.h +0 -117
- data/third_party/boringssl/crypto/fipsmodule/ec/simple.c +0 -1046
- data/third_party/boringssl/crypto/fipsmodule/ec/util.c +0 -104
- data/third_party/boringssl/crypto/fipsmodule/ec/wnaf.c +0 -354
- data/third_party/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c +0 -458
- data/third_party/boringssl/crypto/fipsmodule/is_fips.c +0 -27
- data/third_party/boringssl/crypto/fipsmodule/md4/md4.c +0 -254
- data/third_party/boringssl/crypto/fipsmodule/md5/md5.c +0 -298
- data/third_party/boringssl/crypto/fipsmodule/modes/cbc.c +0 -211
- data/third_party/boringssl/crypto/fipsmodule/modes/ccm.c +0 -256
- data/third_party/boringssl/crypto/fipsmodule/modes/cfb.c +0 -234
- data/third_party/boringssl/crypto/fipsmodule/modes/ctr.c +0 -220
- data/third_party/boringssl/crypto/fipsmodule/modes/gcm.c +0 -1063
- data/third_party/boringssl/crypto/fipsmodule/modes/internal.h +0 -388
- data/third_party/boringssl/crypto/fipsmodule/modes/ofb.c +0 -95
- data/third_party/boringssl/crypto/fipsmodule/rand/ctrdrbg.c +0 -202
- data/third_party/boringssl/crypto/fipsmodule/rand/internal.h +0 -92
- data/third_party/boringssl/crypto/fipsmodule/rand/rand.c +0 -358
- data/third_party/boringssl/crypto/fipsmodule/rand/urandom.c +0 -302
- data/third_party/boringssl/crypto/fipsmodule/rsa/blinding.c +0 -239
- data/third_party/boringssl/crypto/fipsmodule/rsa/internal.h +0 -126
- data/third_party/boringssl/crypto/fipsmodule/rsa/padding.c +0 -692
- data/third_party/boringssl/crypto/fipsmodule/rsa/rsa.c +0 -875
- data/third_party/boringssl/crypto/fipsmodule/rsa/rsa_impl.c +0 -1218
- data/third_party/boringssl/crypto/fipsmodule/self_check/self_check.c +0 -581
- data/third_party/boringssl/crypto/fipsmodule/sha/sha1.c +0 -375
- data/third_party/boringssl/crypto/fipsmodule/sha/sha256.c +0 -337
- data/third_party/boringssl/crypto/fipsmodule/sha/sha512.c +0 -608
- data/third_party/boringssl/crypto/internal.h +0 -739
- data/third_party/boringssl/crypto/lhash/lhash.c +0 -336
- data/third_party/boringssl/crypto/mem.c +0 -235
- data/third_party/boringssl/crypto/obj/obj.c +0 -554
- data/third_party/boringssl/crypto/obj/obj_dat.h +0 -6244
- data/third_party/boringssl/crypto/pem/pem_all.c +0 -262
- data/third_party/boringssl/crypto/pem/pem_info.c +0 -379
- data/third_party/boringssl/crypto/pem/pem_lib.c +0 -776
- data/third_party/boringssl/crypto/pem/pem_oth.c +0 -88
- data/third_party/boringssl/crypto/pem/pem_pk8.c +0 -258
- data/third_party/boringssl/crypto/pem/pem_pkey.c +0 -227
- data/third_party/boringssl/crypto/pkcs7/pkcs7.c +0 -166
- data/third_party/boringssl/crypto/pkcs7/pkcs7_x509.c +0 -233
- data/third_party/boringssl/crypto/pkcs8/internal.h +0 -120
- data/third_party/boringssl/crypto/pkcs8/p5_pbev2.c +0 -307
- data/third_party/boringssl/crypto/pkcs8/pkcs8.c +0 -513
- data/third_party/boringssl/crypto/pkcs8/pkcs8_x509.c +0 -789
- data/third_party/boringssl/crypto/poly1305/poly1305.c +0 -318
- data/third_party/boringssl/crypto/poly1305/poly1305_arm.c +0 -304
- data/third_party/boringssl/crypto/poly1305/poly1305_vec.c +0 -839
- data/third_party/boringssl/crypto/pool/internal.h +0 -45
- data/third_party/boringssl/crypto/pool/pool.c +0 -200
- data/third_party/boringssl/crypto/rand_extra/deterministic.c +0 -48
- data/third_party/boringssl/crypto/rand_extra/fuchsia.c +0 -43
- data/third_party/boringssl/crypto/rand_extra/windows.c +0 -53
- data/third_party/boringssl/crypto/refcount_lock.c +0 -53
- data/third_party/boringssl/crypto/stack/stack.c +0 -380
- data/third_party/boringssl/crypto/thread_none.c +0 -59
- data/third_party/boringssl/crypto/thread_pthread.c +0 -206
- data/third_party/boringssl/crypto/thread_win.c +0 -237
- data/third_party/boringssl/crypto/x509/a_strex.c +0 -633
- data/third_party/boringssl/crypto/x509/a_verify.c +0 -115
- data/third_party/boringssl/crypto/x509/algorithm.c +0 -153
- data/third_party/boringssl/crypto/x509/asn1_gen.c +0 -841
- data/third_party/boringssl/crypto/x509/by_dir.c +0 -451
- data/third_party/boringssl/crypto/x509/by_file.c +0 -274
- data/third_party/boringssl/crypto/x509/t_crl.c +0 -128
- data/third_party/boringssl/crypto/x509/t_req.c +0 -246
- data/third_party/boringssl/crypto/x509/t_x509.c +0 -547
- data/third_party/boringssl/crypto/x509/x509.c +0 -157
- data/third_party/boringssl/crypto/x509/x509_cmp.c +0 -477
- data/third_party/boringssl/crypto/x509/x509_def.c +0 -103
- data/third_party/boringssl/crypto/x509/x509_lu.c +0 -725
- data/third_party/boringssl/crypto/x509/x509_obj.c +0 -198
- data/third_party/boringssl/crypto/x509/x509_r2x.c +0 -117
- data/third_party/boringssl/crypto/x509/x509_req.c +0 -322
- data/third_party/boringssl/crypto/x509/x509_set.c +0 -164
- data/third_party/boringssl/crypto/x509/x509_trs.c +0 -326
- data/third_party/boringssl/crypto/x509/x509_txt.c +0 -205
- data/third_party/boringssl/crypto/x509/x509_vfy.c +0 -2476
- data/third_party/boringssl/crypto/x509/x509_vpm.c +0 -670
- data/third_party/boringssl/crypto/x509/x509cset.c +0 -170
- data/third_party/boringssl/crypto/x509/x509name.c +0 -389
- data/third_party/boringssl/crypto/x509/x_all.c +0 -501
- data/third_party/boringssl/crypto/x509/x_crl.c +0 -541
- data/third_party/boringssl/crypto/x509/x_pubkey.c +0 -368
- data/third_party/boringssl/crypto/x509/x_sig.c +0 -69
- data/third_party/boringssl/crypto/x509/x_x509.c +0 -328
- data/third_party/boringssl/crypto/x509v3/ext_dat.h +0 -143
- data/third_party/boringssl/crypto/x509v3/pcy_cache.c +0 -284
- data/third_party/boringssl/crypto/x509v3/pcy_node.c +0 -188
- data/third_party/boringssl/crypto/x509v3/pcy_tree.c +0 -840
- data/third_party/boringssl/crypto/x509v3/v3_akey.c +0 -204
- data/third_party/boringssl/crypto/x509v3/v3_alt.c +0 -623
- data/third_party/boringssl/crypto/x509v3/v3_conf.c +0 -462
- data/third_party/boringssl/crypto/x509v3/v3_cpols.c +0 -502
- data/third_party/boringssl/crypto/x509v3/v3_enum.c +0 -100
- data/third_party/boringssl/crypto/x509v3/v3_genn.c +0 -251
- data/third_party/boringssl/crypto/x509v3/v3_info.c +0 -219
- data/third_party/boringssl/crypto/x509v3/v3_lib.c +0 -370
- data/third_party/boringssl/crypto/x509v3/v3_pci.c +0 -287
- data/third_party/boringssl/crypto/x509v3/v3_purp.c +0 -866
- data/third_party/boringssl/crypto/x509v3/v3_skey.c +0 -152
- data/third_party/boringssl/crypto/x509v3/v3_utl.c +0 -1352
- data/third_party/boringssl/include/openssl/aead.h +0 -433
- data/third_party/boringssl/include/openssl/aes.h +0 -170
- data/third_party/boringssl/include/openssl/arm_arch.h +0 -121
- data/third_party/boringssl/include/openssl/asn1.h +0 -981
- data/third_party/boringssl/include/openssl/base.h +0 -457
- data/third_party/boringssl/include/openssl/base64.h +0 -187
- data/third_party/boringssl/include/openssl/bio.h +0 -902
- data/third_party/boringssl/include/openssl/blowfish.h +0 -93
- data/third_party/boringssl/include/openssl/bn.h +0 -1019
- data/third_party/boringssl/include/openssl/buf.h +0 -137
- data/third_party/boringssl/include/openssl/bytestring.h +0 -505
- data/third_party/boringssl/include/openssl/cast.h +0 -96
- data/third_party/boringssl/include/openssl/cipher.h +0 -608
- data/third_party/boringssl/include/openssl/cmac.h +0 -87
- data/third_party/boringssl/include/openssl/conf.h +0 -183
- data/third_party/boringssl/include/openssl/cpu.h +0 -196
- data/third_party/boringssl/include/openssl/crypto.h +0 -122
- data/third_party/boringssl/include/openssl/curve25519.h +0 -201
- data/third_party/boringssl/include/openssl/dh.h +0 -298
- data/third_party/boringssl/include/openssl/digest.h +0 -316
- data/third_party/boringssl/include/openssl/dsa.h +0 -435
- data/third_party/boringssl/include/openssl/ec.h +0 -413
- data/third_party/boringssl/include/openssl/ec_key.h +0 -342
- data/third_party/boringssl/include/openssl/ecdh.h +0 -101
- data/third_party/boringssl/include/openssl/ecdsa.h +0 -199
- data/third_party/boringssl/include/openssl/engine.h +0 -109
- data/third_party/boringssl/include/openssl/err.h +0 -458
- data/third_party/boringssl/include/openssl/evp.h +0 -873
- data/third_party/boringssl/include/openssl/hmac.h +0 -186
- data/third_party/boringssl/include/openssl/lhash.h +0 -174
- data/third_party/boringssl/include/openssl/lhash_macros.h +0 -174
- data/third_party/boringssl/include/openssl/md4.h +0 -106
- data/third_party/boringssl/include/openssl/md5.h +0 -107
- data/third_party/boringssl/include/openssl/mem.h +0 -156
- data/third_party/boringssl/include/openssl/nid.h +0 -4242
- data/third_party/boringssl/include/openssl/obj.h +0 -233
- data/third_party/boringssl/include/openssl/pem.h +0 -397
- data/third_party/boringssl/include/openssl/pkcs7.h +0 -82
- data/third_party/boringssl/include/openssl/pkcs8.h +0 -230
- data/third_party/boringssl/include/openssl/poly1305.h +0 -51
- data/third_party/boringssl/include/openssl/pool.h +0 -91
- data/third_party/boringssl/include/openssl/rand.h +0 -125
- data/third_party/boringssl/include/openssl/ripemd.h +0 -107
- data/third_party/boringssl/include/openssl/rsa.h +0 -756
- data/third_party/boringssl/include/openssl/sha.h +0 -256
- data/third_party/boringssl/include/openssl/span.h +0 -191
- data/third_party/boringssl/include/openssl/ssl.h +0 -4740
- data/third_party/boringssl/include/openssl/ssl3.h +0 -332
- data/third_party/boringssl/include/openssl/stack.h +0 -485
- data/third_party/boringssl/include/openssl/thread.h +0 -191
- data/third_party/boringssl/include/openssl/tls1.h +0 -618
- data/third_party/boringssl/include/openssl/type_check.h +0 -91
- data/third_party/boringssl/include/openssl/x509.h +0 -1180
- data/third_party/boringssl/include/openssl/x509_vfy.h +0 -614
- data/third_party/boringssl/include/openssl/x509v3.h +0 -827
- data/third_party/boringssl/ssl/custom_extensions.cc +0 -265
- data/third_party/boringssl/ssl/d1_both.cc +0 -851
- data/third_party/boringssl/ssl/d1_lib.cc +0 -267
- data/third_party/boringssl/ssl/d1_pkt.cc +0 -274
- data/third_party/boringssl/ssl/d1_srtp.cc +0 -232
- data/third_party/boringssl/ssl/dtls_method.cc +0 -193
- data/third_party/boringssl/ssl/dtls_record.cc +0 -353
- data/third_party/boringssl/ssl/handoff.cc +0 -285
- data/third_party/boringssl/ssl/handshake.cc +0 -630
- data/third_party/boringssl/ssl/handshake_client.cc +0 -1842
- data/third_party/boringssl/ssl/handshake_server.cc +0 -1674
- data/third_party/boringssl/ssl/internal.h +0 -3064
- data/third_party/boringssl/ssl/s3_both.cc +0 -585
- data/third_party/boringssl/ssl/s3_lib.cc +0 -226
- data/third_party/boringssl/ssl/s3_pkt.cc +0 -425
- data/third_party/boringssl/ssl/ssl_aead_ctx.cc +0 -412
- data/third_party/boringssl/ssl/ssl_asn1.cc +0 -844
- data/third_party/boringssl/ssl/ssl_buffer.cc +0 -286
- data/third_party/boringssl/ssl/ssl_cert.cc +0 -913
- data/third_party/boringssl/ssl/ssl_cipher.cc +0 -1781
- data/third_party/boringssl/ssl/ssl_file.cc +0 -583
- data/third_party/boringssl/ssl/ssl_key_share.cc +0 -252
- data/third_party/boringssl/ssl/ssl_lib.cc +0 -2719
- data/third_party/boringssl/ssl/ssl_privkey.cc +0 -494
- data/third_party/boringssl/ssl/ssl_session.cc +0 -1221
- data/third_party/boringssl/ssl/ssl_stat.cc +0 -224
- data/third_party/boringssl/ssl/ssl_transcript.cc +0 -398
- data/third_party/boringssl/ssl/ssl_versions.cc +0 -399
- data/third_party/boringssl/ssl/ssl_x509.cc +0 -1297
- data/third_party/boringssl/ssl/t1_enc.cc +0 -452
- data/third_party/boringssl/ssl/t1_lib.cc +0 -3783
- data/third_party/boringssl/ssl/tls13_both.cc +0 -559
- data/third_party/boringssl/ssl/tls13_client.cc +0 -891
- data/third_party/boringssl/ssl/tls13_enc.cc +0 -493
- data/third_party/boringssl/ssl/tls13_server.cc +0 -1022
- data/third_party/boringssl/ssl/tls_method.cc +0 -274
- data/third_party/boringssl/ssl/tls_record.cc +0 -703
- data/third_party/boringssl/third_party/fiat/curve25519.c +0 -3230
- data/third_party/boringssl/third_party/fiat/curve25519_tables.h +0 -7880
- data/third_party/boringssl/third_party/fiat/internal.h +0 -154
- data/third_party/boringssl/third_party/fiat/p256.c +0 -1824
- data/third_party/nanopb/pb.h +0 -579
- data/third_party/nanopb/pb_common.c +0 -97
- data/third_party/nanopb/pb_common.h +0 -42
- data/third_party/nanopb/pb_decode.c +0 -1347
- data/third_party/nanopb/pb_decode.h +0 -149
- data/third_party/nanopb/pb_encode.c +0 -696
- data/third_party/nanopb/pb_encode.h +0 -154
@@ -0,0 +1,204 @@
|
|
1
|
+
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
2
|
+
* All rights reserved.
|
3
|
+
*
|
4
|
+
* This package is an SSL implementation written
|
5
|
+
* by Eric Young (eay@cryptsoft.com).
|
6
|
+
* The implementation was written so as to conform with Netscapes SSL.
|
7
|
+
*
|
8
|
+
* This library is free for commercial and non-commercial use as long as
|
9
|
+
* the following conditions are aheared to. The following conditions
|
10
|
+
* apply to all code found in this distribution, be it the RC4, RSA,
|
11
|
+
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
|
12
|
+
* included with this distribution is covered by the same copyright terms
|
13
|
+
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
|
14
|
+
*
|
15
|
+
* Copyright remains Eric Young's, and as such any Copyright notices in
|
16
|
+
* the code are not to be removed.
|
17
|
+
* If this package is used in a product, Eric Young should be given attribution
|
18
|
+
* as the author of the parts of the library used.
|
19
|
+
* This can be in the form of a textual message at program startup or
|
20
|
+
* in documentation (online or textual) provided with the package.
|
21
|
+
*
|
22
|
+
* Redistribution and use in source and binary forms, with or without
|
23
|
+
* modification, are permitted provided that the following conditions
|
24
|
+
* are met:
|
25
|
+
* 1. Redistributions of source code must retain the copyright
|
26
|
+
* notice, this list of conditions and the following disclaimer.
|
27
|
+
* 2. Redistributions in binary form must reproduce the above copyright
|
28
|
+
* notice, this list of conditions and the following disclaimer in the
|
29
|
+
* documentation and/or other materials provided with the distribution.
|
30
|
+
* 3. All advertising materials mentioning features or use of this software
|
31
|
+
* must display the following acknowledgement:
|
32
|
+
* "This product includes cryptographic software written by
|
33
|
+
* Eric Young (eay@cryptsoft.com)"
|
34
|
+
* The word 'cryptographic' can be left out if the rouines from the library
|
35
|
+
* being used are not cryptographic related :-).
|
36
|
+
* 4. If you include any Windows specific code (or a derivative thereof) from
|
37
|
+
* the apps directory (application code) you must include an acknowledgement:
|
38
|
+
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
|
39
|
+
*
|
40
|
+
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
|
41
|
+
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
42
|
+
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
43
|
+
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
44
|
+
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
45
|
+
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
46
|
+
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
47
|
+
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
48
|
+
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
49
|
+
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
50
|
+
* SUCH DAMAGE.
|
51
|
+
*
|
52
|
+
* The licence and distribution terms for any publically available version or
|
53
|
+
* derivative of this code cannot be changed. i.e. this code cannot simply be
|
54
|
+
* copied and put under another distribution licence
|
55
|
+
* [including the GNU Public Licence.] */
|
56
|
+
|
57
|
+
#include <openssl/x509.h>
|
58
|
+
|
59
|
+
const char *X509_verify_cert_error_string(long n)
|
60
|
+
{
|
61
|
+
switch ((int)n) {
|
62
|
+
case X509_V_OK:
|
63
|
+
return ("ok");
|
64
|
+
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
|
65
|
+
return ("unable to get issuer certificate");
|
66
|
+
case X509_V_ERR_UNABLE_TO_GET_CRL:
|
67
|
+
return ("unable to get certificate CRL");
|
68
|
+
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
|
69
|
+
return ("unable to decrypt certificate's signature");
|
70
|
+
case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
|
71
|
+
return ("unable to decrypt CRL's signature");
|
72
|
+
case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
|
73
|
+
return ("unable to decode issuer public key");
|
74
|
+
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
|
75
|
+
return ("certificate signature failure");
|
76
|
+
case X509_V_ERR_CRL_SIGNATURE_FAILURE:
|
77
|
+
return ("CRL signature failure");
|
78
|
+
case X509_V_ERR_CERT_NOT_YET_VALID:
|
79
|
+
return ("certificate is not yet valid");
|
80
|
+
case X509_V_ERR_CRL_NOT_YET_VALID:
|
81
|
+
return ("CRL is not yet valid");
|
82
|
+
case X509_V_ERR_CERT_HAS_EXPIRED:
|
83
|
+
return ("certificate has expired");
|
84
|
+
case X509_V_ERR_CRL_HAS_EXPIRED:
|
85
|
+
return ("CRL has expired");
|
86
|
+
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
|
87
|
+
return ("format error in certificate's notBefore field");
|
88
|
+
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
|
89
|
+
return ("format error in certificate's notAfter field");
|
90
|
+
case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
|
91
|
+
return ("format error in CRL's lastUpdate field");
|
92
|
+
case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
|
93
|
+
return ("format error in CRL's nextUpdate field");
|
94
|
+
case X509_V_ERR_OUT_OF_MEM:
|
95
|
+
return ("out of memory");
|
96
|
+
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
|
97
|
+
return ("self signed certificate");
|
98
|
+
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
|
99
|
+
return ("self signed certificate in certificate chain");
|
100
|
+
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
|
101
|
+
return ("unable to get local issuer certificate");
|
102
|
+
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
|
103
|
+
return ("unable to verify the first certificate");
|
104
|
+
case X509_V_ERR_CERT_CHAIN_TOO_LONG:
|
105
|
+
return ("certificate chain too long");
|
106
|
+
case X509_V_ERR_CERT_REVOKED:
|
107
|
+
return ("certificate revoked");
|
108
|
+
case X509_V_ERR_INVALID_CA:
|
109
|
+
return ("invalid CA certificate");
|
110
|
+
case X509_V_ERR_INVALID_NON_CA:
|
111
|
+
return ("invalid non-CA certificate (has CA markings)");
|
112
|
+
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
|
113
|
+
return ("path length constraint exceeded");
|
114
|
+
case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
|
115
|
+
return ("proxy path length constraint exceeded");
|
116
|
+
case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
|
117
|
+
return
|
118
|
+
("proxy certificates not allowed, please set the appropriate flag");
|
119
|
+
case X509_V_ERR_INVALID_PURPOSE:
|
120
|
+
return ("unsupported certificate purpose");
|
121
|
+
case X509_V_ERR_CERT_UNTRUSTED:
|
122
|
+
return ("certificate not trusted");
|
123
|
+
case X509_V_ERR_CERT_REJECTED:
|
124
|
+
return ("certificate rejected");
|
125
|
+
case X509_V_ERR_APPLICATION_VERIFICATION:
|
126
|
+
return ("application verification failure");
|
127
|
+
case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
|
128
|
+
return ("subject issuer mismatch");
|
129
|
+
case X509_V_ERR_AKID_SKID_MISMATCH:
|
130
|
+
return ("authority and subject key identifier mismatch");
|
131
|
+
case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
|
132
|
+
return ("authority and issuer serial number mismatch");
|
133
|
+
case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
|
134
|
+
return ("key usage does not include certificate signing");
|
135
|
+
case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
|
136
|
+
return ("unable to get CRL issuer certificate");
|
137
|
+
case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
|
138
|
+
return ("unhandled critical extension");
|
139
|
+
case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
|
140
|
+
return ("key usage does not include CRL signing");
|
141
|
+
case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
|
142
|
+
return ("key usage does not include digital signature");
|
143
|
+
case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
|
144
|
+
return ("unhandled critical CRL extension");
|
145
|
+
case X509_V_ERR_INVALID_EXTENSION:
|
146
|
+
return ("invalid or inconsistent certificate extension");
|
147
|
+
case X509_V_ERR_INVALID_POLICY_EXTENSION:
|
148
|
+
return ("invalid or inconsistent certificate policy extension");
|
149
|
+
case X509_V_ERR_NO_EXPLICIT_POLICY:
|
150
|
+
return ("no explicit policy");
|
151
|
+
case X509_V_ERR_DIFFERENT_CRL_SCOPE:
|
152
|
+
return ("Different CRL scope");
|
153
|
+
case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
|
154
|
+
return ("Unsupported extension feature");
|
155
|
+
case X509_V_ERR_UNNESTED_RESOURCE:
|
156
|
+
return ("RFC 3779 resource not subset of parent's resources");
|
157
|
+
|
158
|
+
case X509_V_ERR_PERMITTED_VIOLATION:
|
159
|
+
return ("permitted subtree violation");
|
160
|
+
case X509_V_ERR_EXCLUDED_VIOLATION:
|
161
|
+
return ("excluded subtree violation");
|
162
|
+
case X509_V_ERR_SUBTREE_MINMAX:
|
163
|
+
return ("name constraints minimum and maximum not supported");
|
164
|
+
case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
|
165
|
+
return ("unsupported name constraint type");
|
166
|
+
case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
|
167
|
+
return ("unsupported or invalid name constraint syntax");
|
168
|
+
case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX:
|
169
|
+
return ("unsupported or invalid name syntax");
|
170
|
+
case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
|
171
|
+
return ("CRL path validation error");
|
172
|
+
|
173
|
+
case X509_V_ERR_SUITE_B_INVALID_VERSION:
|
174
|
+
return ("Suite B: certificate version invalid");
|
175
|
+
case X509_V_ERR_SUITE_B_INVALID_ALGORITHM:
|
176
|
+
return ("Suite B: invalid public key algorithm");
|
177
|
+
case X509_V_ERR_SUITE_B_INVALID_CURVE:
|
178
|
+
return ("Suite B: invalid ECC curve");
|
179
|
+
case X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM:
|
180
|
+
return ("Suite B: invalid signature algorithm");
|
181
|
+
case X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED:
|
182
|
+
return ("Suite B: curve not allowed for this LOS");
|
183
|
+
case X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256:
|
184
|
+
return ("Suite B: cannot sign P-384 with P-256");
|
185
|
+
|
186
|
+
case X509_V_ERR_HOSTNAME_MISMATCH:
|
187
|
+
return ("Hostname mismatch");
|
188
|
+
case X509_V_ERR_EMAIL_MISMATCH:
|
189
|
+
return ("Email address mismatch");
|
190
|
+
case X509_V_ERR_IP_ADDRESS_MISMATCH:
|
191
|
+
return ("IP address mismatch");
|
192
|
+
|
193
|
+
case X509_V_ERR_INVALID_CALL:
|
194
|
+
return ("Invalid certificate verification context");
|
195
|
+
case X509_V_ERR_STORE_LOOKUP:
|
196
|
+
return ("Issuer certificate lookup error");
|
197
|
+
|
198
|
+
case X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS:
|
199
|
+
return "Issuer has name constraints but leaf has no SANs";
|
200
|
+
|
201
|
+
default:
|
202
|
+
return "unknown certificate verification error";
|
203
|
+
}
|
204
|
+
}
|
File without changes
|
@@ -0,0 +1,2506 @@
|
|
1
|
+
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
2
|
+
* All rights reserved.
|
3
|
+
*
|
4
|
+
* This package is an SSL implementation written
|
5
|
+
* by Eric Young (eay@cryptsoft.com).
|
6
|
+
* The implementation was written so as to conform with Netscapes SSL.
|
7
|
+
*
|
8
|
+
* This library is free for commercial and non-commercial use as long as
|
9
|
+
* the following conditions are aheared to. The following conditions
|
10
|
+
* apply to all code found in this distribution, be it the RC4, RSA,
|
11
|
+
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
|
12
|
+
* included with this distribution is covered by the same copyright terms
|
13
|
+
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
|
14
|
+
*
|
15
|
+
* Copyright remains Eric Young's, and as such any Copyright notices in
|
16
|
+
* the code are not to be removed.
|
17
|
+
* If this package is used in a product, Eric Young should be given attribution
|
18
|
+
* as the author of the parts of the library used.
|
19
|
+
* This can be in the form of a textual message at program startup or
|
20
|
+
* in documentation (online or textual) provided with the package.
|
21
|
+
*
|
22
|
+
* Redistribution and use in source and binary forms, with or without
|
23
|
+
* modification, are permitted provided that the following conditions
|
24
|
+
* are met:
|
25
|
+
* 1. Redistributions of source code must retain the copyright
|
26
|
+
* notice, this list of conditions and the following disclaimer.
|
27
|
+
* 2. Redistributions in binary form must reproduce the above copyright
|
28
|
+
* notice, this list of conditions and the following disclaimer in the
|
29
|
+
* documentation and/or other materials provided with the distribution.
|
30
|
+
* 3. All advertising materials mentioning features or use of this software
|
31
|
+
* must display the following acknowledgement:
|
32
|
+
* "This product includes cryptographic software written by
|
33
|
+
* Eric Young (eay@cryptsoft.com)"
|
34
|
+
* The word 'cryptographic' can be left out if the rouines from the library
|
35
|
+
* being used are not cryptographic related :-).
|
36
|
+
* 4. If you include any Windows specific code (or a derivative thereof) from
|
37
|
+
* the apps directory (application code) you must include an acknowledgement:
|
38
|
+
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
|
39
|
+
*
|
40
|
+
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
|
41
|
+
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
42
|
+
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
43
|
+
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
44
|
+
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
45
|
+
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
46
|
+
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
47
|
+
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
48
|
+
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
49
|
+
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
50
|
+
* SUCH DAMAGE.
|
51
|
+
*
|
52
|
+
* The licence and distribution terms for any publically available version or
|
53
|
+
* derivative of this code cannot be changed. i.e. this code cannot simply be
|
54
|
+
* copied and put under another distribution licence
|
55
|
+
* [including the GNU Public Licence.] */
|
56
|
+
|
57
|
+
#include <ctype.h>
|
58
|
+
#include <string.h>
|
59
|
+
#include <time.h>
|
60
|
+
|
61
|
+
#include <openssl/asn1.h>
|
62
|
+
#include <openssl/err.h>
|
63
|
+
#include <openssl/evp.h>
|
64
|
+
#include <openssl/mem.h>
|
65
|
+
#include <openssl/obj.h>
|
66
|
+
#include <openssl/thread.h>
|
67
|
+
#include <openssl/x509.h>
|
68
|
+
#include <openssl/x509v3.h>
|
69
|
+
|
70
|
+
#include "vpm_int.h"
|
71
|
+
#include "../internal.h"
|
72
|
+
#include "../x509v3/internal.h"
|
73
|
+
|
74
|
+
static CRYPTO_EX_DATA_CLASS g_ex_data_class =
|
75
|
+
CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
|
76
|
+
|
77
|
+
/* CRL score values */
|
78
|
+
|
79
|
+
/* No unhandled critical extensions */
|
80
|
+
|
81
|
+
#define CRL_SCORE_NOCRITICAL 0x100
|
82
|
+
|
83
|
+
/* certificate is within CRL scope */
|
84
|
+
|
85
|
+
#define CRL_SCORE_SCOPE 0x080
|
86
|
+
|
87
|
+
/* CRL times valid */
|
88
|
+
|
89
|
+
#define CRL_SCORE_TIME 0x040
|
90
|
+
|
91
|
+
/* Issuer name matches certificate */
|
92
|
+
|
93
|
+
#define CRL_SCORE_ISSUER_NAME 0x020
|
94
|
+
|
95
|
+
/* If this score or above CRL is probably valid */
|
96
|
+
|
97
|
+
#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
|
98
|
+
|
99
|
+
/* CRL issuer is certificate issuer */
|
100
|
+
|
101
|
+
#define CRL_SCORE_ISSUER_CERT 0x018
|
102
|
+
|
103
|
+
/* CRL issuer is on certificate path */
|
104
|
+
|
105
|
+
#define CRL_SCORE_SAME_PATH 0x008
|
106
|
+
|
107
|
+
/* CRL issuer matches CRL AKID */
|
108
|
+
|
109
|
+
#define CRL_SCORE_AKID 0x004
|
110
|
+
|
111
|
+
/* Have a delta CRL with valid times */
|
112
|
+
|
113
|
+
#define CRL_SCORE_TIME_DELTA 0x002
|
114
|
+
|
115
|
+
static int null_callback(int ok, X509_STORE_CTX *e);
|
116
|
+
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
|
117
|
+
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
|
118
|
+
static int check_chain_extensions(X509_STORE_CTX *ctx);
|
119
|
+
static int check_name_constraints(X509_STORE_CTX *ctx);
|
120
|
+
static int check_id(X509_STORE_CTX *ctx);
|
121
|
+
static int check_trust(X509_STORE_CTX *ctx);
|
122
|
+
static int check_revocation(X509_STORE_CTX *ctx);
|
123
|
+
static int check_cert(X509_STORE_CTX *ctx);
|
124
|
+
static int check_policy(X509_STORE_CTX *ctx);
|
125
|
+
|
126
|
+
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
|
127
|
+
unsigned int *preasons, X509_CRL *crl, X509 *x);
|
128
|
+
static int get_crl_delta(X509_STORE_CTX *ctx,
|
129
|
+
X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
|
130
|
+
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl,
|
131
|
+
int *pcrl_score, X509_CRL *base,
|
132
|
+
STACK_OF(X509_CRL) *crls);
|
133
|
+
static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
|
134
|
+
int *pcrl_score);
|
135
|
+
static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
|
136
|
+
unsigned int *preasons);
|
137
|
+
static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
|
138
|
+
static int check_crl_chain(X509_STORE_CTX *ctx,
|
139
|
+
STACK_OF(X509) *cert_path,
|
140
|
+
STACK_OF(X509) *crl_path);
|
141
|
+
|
142
|
+
static int internal_verify(X509_STORE_CTX *ctx);
|
143
|
+
|
144
|
+
static int null_callback(int ok, X509_STORE_CTX *e)
|
145
|
+
{
|
146
|
+
return ok;
|
147
|
+
}
|
148
|
+
|
149
|
+
/* cert_self_signed checks if |x| is self-signed. If |x| is valid, it returns
|
150
|
+
* one and sets |*out_is_self_signed| to the result. If |x| is invalid, it
|
151
|
+
* returns zero. */
|
152
|
+
static int cert_self_signed(X509 *x, int *out_is_self_signed)
|
153
|
+
{
|
154
|
+
if (!x509v3_cache_extensions(x)) {
|
155
|
+
return 0;
|
156
|
+
}
|
157
|
+
*out_is_self_signed = (x->ex_flags & EXFLAG_SS) != 0;
|
158
|
+
return 1;
|
159
|
+
}
|
160
|
+
|
161
|
+
/* Given a certificate try and find an exact match in the store */
|
162
|
+
|
163
|
+
static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
|
164
|
+
{
|
165
|
+
STACK_OF(X509) *certs;
|
166
|
+
X509 *xtmp = NULL;
|
167
|
+
size_t i;
|
168
|
+
/* Lookup all certs with matching subject name */
|
169
|
+
certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
|
170
|
+
if (certs == NULL)
|
171
|
+
return NULL;
|
172
|
+
/* Look for exact match */
|
173
|
+
for (i = 0; i < sk_X509_num(certs); i++) {
|
174
|
+
xtmp = sk_X509_value(certs, i);
|
175
|
+
if (!X509_cmp(xtmp, x))
|
176
|
+
break;
|
177
|
+
}
|
178
|
+
if (i < sk_X509_num(certs))
|
179
|
+
X509_up_ref(xtmp);
|
180
|
+
else
|
181
|
+
xtmp = NULL;
|
182
|
+
sk_X509_pop_free(certs, X509_free);
|
183
|
+
return xtmp;
|
184
|
+
}
|
185
|
+
|
186
|
+
int X509_verify_cert(X509_STORE_CTX *ctx)
|
187
|
+
{
|
188
|
+
X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
|
189
|
+
int bad_chain = 0;
|
190
|
+
X509_VERIFY_PARAM *param = ctx->param;
|
191
|
+
int depth, i, ok = 0;
|
192
|
+
int num, j, retry, trust;
|
193
|
+
int (*cb) (int xok, X509_STORE_CTX *xctx);
|
194
|
+
STACK_OF(X509) *sktmp = NULL;
|
195
|
+
if (ctx->cert == NULL) {
|
196
|
+
OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
|
197
|
+
ctx->error = X509_V_ERR_INVALID_CALL;
|
198
|
+
return -1;
|
199
|
+
}
|
200
|
+
if (ctx->chain != NULL) {
|
201
|
+
/*
|
202
|
+
* This X509_STORE_CTX has already been used to verify a cert. We
|
203
|
+
* cannot do another one.
|
204
|
+
*/
|
205
|
+
OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
206
|
+
ctx->error = X509_V_ERR_INVALID_CALL;
|
207
|
+
return -1;
|
208
|
+
}
|
209
|
+
|
210
|
+
cb = ctx->verify_cb;
|
211
|
+
|
212
|
+
/*
|
213
|
+
* first we make sure the chain we are going to build is present and that
|
214
|
+
* the first entry is in place
|
215
|
+
*/
|
216
|
+
ctx->chain = sk_X509_new_null();
|
217
|
+
if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
|
218
|
+
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
219
|
+
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
220
|
+
goto end;
|
221
|
+
}
|
222
|
+
X509_up_ref(ctx->cert);
|
223
|
+
ctx->last_untrusted = 1;
|
224
|
+
|
225
|
+
/* We use a temporary STACK so we can chop and hack at it.
|
226
|
+
* sktmp = ctx->untrusted ++ ctx->ctx->additional_untrusted */
|
227
|
+
if (ctx->untrusted != NULL
|
228
|
+
&& (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
|
229
|
+
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
230
|
+
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
231
|
+
goto end;
|
232
|
+
}
|
233
|
+
|
234
|
+
if (ctx->ctx->additional_untrusted != NULL) {
|
235
|
+
if (sktmp == NULL) {
|
236
|
+
sktmp = sk_X509_new_null();
|
237
|
+
if (sktmp == NULL) {
|
238
|
+
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
239
|
+
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
240
|
+
goto end;
|
241
|
+
}
|
242
|
+
}
|
243
|
+
|
244
|
+
for (size_t k = 0; k < sk_X509_num(ctx->ctx->additional_untrusted);
|
245
|
+
k++) {
|
246
|
+
if (!sk_X509_push(sktmp,
|
247
|
+
sk_X509_value(ctx->ctx->additional_untrusted,
|
248
|
+
k))) {
|
249
|
+
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
250
|
+
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
251
|
+
goto end;
|
252
|
+
}
|
253
|
+
}
|
254
|
+
}
|
255
|
+
|
256
|
+
num = sk_X509_num(ctx->chain);
|
257
|
+
x = sk_X509_value(ctx->chain, num - 1);
|
258
|
+
depth = param->depth;
|
259
|
+
|
260
|
+
for (;;) {
|
261
|
+
/* If we have enough, we break */
|
262
|
+
if (depth < num)
|
263
|
+
break; /* FIXME: If this happens, we should take
|
264
|
+
* note of it and, if appropriate, use the
|
265
|
+
* X509_V_ERR_CERT_CHAIN_TOO_LONG error code
|
266
|
+
* later. */
|
267
|
+
|
268
|
+
int is_self_signed;
|
269
|
+
if (!cert_self_signed(x, &is_self_signed)) {
|
270
|
+
ctx->error = X509_V_ERR_INVALID_EXTENSION;
|
271
|
+
goto end;
|
272
|
+
}
|
273
|
+
|
274
|
+
/* If we are self signed, we break */
|
275
|
+
if (is_self_signed)
|
276
|
+
break;
|
277
|
+
/*
|
278
|
+
* If asked see if we can find issuer in trusted store first
|
279
|
+
*/
|
280
|
+
if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
|
281
|
+
ok = ctx->get_issuer(&xtmp, ctx, x);
|
282
|
+
if (ok < 0) {
|
283
|
+
ctx->error = X509_V_ERR_STORE_LOOKUP;
|
284
|
+
goto end;
|
285
|
+
}
|
286
|
+
/*
|
287
|
+
* If successful for now free up cert so it will be picked up
|
288
|
+
* again later.
|
289
|
+
*/
|
290
|
+
if (ok > 0) {
|
291
|
+
X509_free(xtmp);
|
292
|
+
break;
|
293
|
+
}
|
294
|
+
}
|
295
|
+
|
296
|
+
/* If we were passed a cert chain, use it first */
|
297
|
+
if (sktmp != NULL) {
|
298
|
+
xtmp = find_issuer(ctx, sktmp, x);
|
299
|
+
if (xtmp != NULL) {
|
300
|
+
if (!sk_X509_push(ctx->chain, xtmp)) {
|
301
|
+
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
302
|
+
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
303
|
+
ok = 0;
|
304
|
+
goto end;
|
305
|
+
}
|
306
|
+
X509_up_ref(xtmp);
|
307
|
+
(void)sk_X509_delete_ptr(sktmp, xtmp);
|
308
|
+
ctx->last_untrusted++;
|
309
|
+
x = xtmp;
|
310
|
+
num++;
|
311
|
+
/*
|
312
|
+
* reparse the full chain for the next one
|
313
|
+
*/
|
314
|
+
continue;
|
315
|
+
}
|
316
|
+
}
|
317
|
+
break;
|
318
|
+
}
|
319
|
+
|
320
|
+
/* Remember how many untrusted certs we have */
|
321
|
+
j = num;
|
322
|
+
/*
|
323
|
+
* at this point, chain should contain a list of untrusted certificates.
|
324
|
+
* We now need to add at least one trusted one, if possible, otherwise we
|
325
|
+
* complain.
|
326
|
+
*/
|
327
|
+
|
328
|
+
do {
|
329
|
+
/*
|
330
|
+
* Examine last certificate in chain and see if it is self signed.
|
331
|
+
*/
|
332
|
+
i = sk_X509_num(ctx->chain);
|
333
|
+
x = sk_X509_value(ctx->chain, i - 1);
|
334
|
+
|
335
|
+
int is_self_signed;
|
336
|
+
if (!cert_self_signed(x, &is_self_signed)) {
|
337
|
+
ctx->error = X509_V_ERR_INVALID_EXTENSION;
|
338
|
+
goto end;
|
339
|
+
}
|
340
|
+
|
341
|
+
if (is_self_signed) {
|
342
|
+
/* we have a self signed certificate */
|
343
|
+
if (sk_X509_num(ctx->chain) == 1) {
|
344
|
+
/*
|
345
|
+
* We have a single self signed certificate: see if we can
|
346
|
+
* find it in the store. We must have an exact match to avoid
|
347
|
+
* possible impersonation.
|
348
|
+
*/
|
349
|
+
ok = ctx->get_issuer(&xtmp, ctx, x);
|
350
|
+
if ((ok <= 0) || X509_cmp(x, xtmp)) {
|
351
|
+
ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
|
352
|
+
ctx->current_cert = x;
|
353
|
+
ctx->error_depth = i - 1;
|
354
|
+
if (ok == 1)
|
355
|
+
X509_free(xtmp);
|
356
|
+
bad_chain = 1;
|
357
|
+
ok = cb(0, ctx);
|
358
|
+
if (!ok)
|
359
|
+
goto end;
|
360
|
+
} else {
|
361
|
+
/*
|
362
|
+
* We have a match: replace certificate with store
|
363
|
+
* version so we get any trust settings.
|
364
|
+
*/
|
365
|
+
X509_free(x);
|
366
|
+
x = xtmp;
|
367
|
+
(void)sk_X509_set(ctx->chain, i - 1, x);
|
368
|
+
ctx->last_untrusted = 0;
|
369
|
+
}
|
370
|
+
} else {
|
371
|
+
/*
|
372
|
+
* extract and save self signed certificate for later use
|
373
|
+
*/
|
374
|
+
chain_ss = sk_X509_pop(ctx->chain);
|
375
|
+
ctx->last_untrusted--;
|
376
|
+
num--;
|
377
|
+
j--;
|
378
|
+
x = sk_X509_value(ctx->chain, num - 1);
|
379
|
+
}
|
380
|
+
}
|
381
|
+
/* We now lookup certs from the certificate store */
|
382
|
+
for (;;) {
|
383
|
+
/* If we have enough, we break */
|
384
|
+
if (depth < num)
|
385
|
+
break;
|
386
|
+
if (!cert_self_signed(x, &is_self_signed)) {
|
387
|
+
ctx->error = X509_V_ERR_INVALID_EXTENSION;
|
388
|
+
goto end;
|
389
|
+
}
|
390
|
+
/* If we are self signed, we break */
|
391
|
+
if (is_self_signed)
|
392
|
+
break;
|
393
|
+
ok = ctx->get_issuer(&xtmp, ctx, x);
|
394
|
+
|
395
|
+
if (ok < 0) {
|
396
|
+
ctx->error = X509_V_ERR_STORE_LOOKUP;
|
397
|
+
goto end;
|
398
|
+
}
|
399
|
+
if (ok == 0)
|
400
|
+
break;
|
401
|
+
x = xtmp;
|
402
|
+
if (!sk_X509_push(ctx->chain, x)) {
|
403
|
+
X509_free(xtmp);
|
404
|
+
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
405
|
+
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
406
|
+
ok = 0;
|
407
|
+
goto end;
|
408
|
+
}
|
409
|
+
num++;
|
410
|
+
}
|
411
|
+
|
412
|
+
/* we now have our chain, lets check it... */
|
413
|
+
trust = check_trust(ctx);
|
414
|
+
|
415
|
+
/* If explicitly rejected error */
|
416
|
+
if (trust == X509_TRUST_REJECTED) {
|
417
|
+
ok = 0;
|
418
|
+
goto end;
|
419
|
+
}
|
420
|
+
/*
|
421
|
+
* If it's not explicitly trusted then check if there is an alternative
|
422
|
+
* chain that could be used. We only do this if we haven't already
|
423
|
+
* checked via TRUSTED_FIRST and the user hasn't switched off alternate
|
424
|
+
* chain checking
|
425
|
+
*/
|
426
|
+
retry = 0;
|
427
|
+
if (trust != X509_TRUST_TRUSTED
|
428
|
+
&& !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
|
429
|
+
&& !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
|
430
|
+
while (j-- > 1) {
|
431
|
+
xtmp2 = sk_X509_value(ctx->chain, j - 1);
|
432
|
+
ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
|
433
|
+
if (ok < 0)
|
434
|
+
goto end;
|
435
|
+
/* Check if we found an alternate chain */
|
436
|
+
if (ok > 0) {
|
437
|
+
/*
|
438
|
+
* Free up the found cert we'll add it again later
|
439
|
+
*/
|
440
|
+
X509_free(xtmp);
|
441
|
+
|
442
|
+
/*
|
443
|
+
* Dump all the certs above this point - we've found an
|
444
|
+
* alternate chain
|
445
|
+
*/
|
446
|
+
while (num > j) {
|
447
|
+
xtmp = sk_X509_pop(ctx->chain);
|
448
|
+
X509_free(xtmp);
|
449
|
+
num--;
|
450
|
+
}
|
451
|
+
ctx->last_untrusted = sk_X509_num(ctx->chain);
|
452
|
+
retry = 1;
|
453
|
+
break;
|
454
|
+
}
|
455
|
+
}
|
456
|
+
}
|
457
|
+
} while (retry);
|
458
|
+
|
459
|
+
/*
|
460
|
+
* If not explicitly trusted then indicate error unless it's a single
|
461
|
+
* self signed certificate in which case we've indicated an error already
|
462
|
+
* and set bad_chain == 1
|
463
|
+
*/
|
464
|
+
if (trust != X509_TRUST_TRUSTED && !bad_chain) {
|
465
|
+
if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
|
466
|
+
if (ctx->last_untrusted >= num)
|
467
|
+
ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
|
468
|
+
else
|
469
|
+
ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
|
470
|
+
ctx->current_cert = x;
|
471
|
+
} else {
|
472
|
+
|
473
|
+
sk_X509_push(ctx->chain, chain_ss);
|
474
|
+
num++;
|
475
|
+
ctx->last_untrusted = num;
|
476
|
+
ctx->current_cert = chain_ss;
|
477
|
+
ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
|
478
|
+
chain_ss = NULL;
|
479
|
+
}
|
480
|
+
|
481
|
+
ctx->error_depth = num - 1;
|
482
|
+
bad_chain = 1;
|
483
|
+
ok = cb(0, ctx);
|
484
|
+
if (!ok)
|
485
|
+
goto end;
|
486
|
+
}
|
487
|
+
|
488
|
+
/* We have the chain complete: now we need to check its purpose */
|
489
|
+
ok = check_chain_extensions(ctx);
|
490
|
+
|
491
|
+
if (!ok)
|
492
|
+
goto end;
|
493
|
+
|
494
|
+
ok = check_id(ctx);
|
495
|
+
|
496
|
+
if (!ok)
|
497
|
+
goto end;
|
498
|
+
|
499
|
+
/*
|
500
|
+
* Check revocation status: we do this after copying parameters because
|
501
|
+
* they may be needed for CRL signature verification.
|
502
|
+
*/
|
503
|
+
|
504
|
+
ok = ctx->check_revocation(ctx);
|
505
|
+
if (!ok)
|
506
|
+
goto end;
|
507
|
+
|
508
|
+
int err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
|
509
|
+
ctx->param->flags);
|
510
|
+
if (err != X509_V_OK) {
|
511
|
+
ctx->error = err;
|
512
|
+
ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
|
513
|
+
ok = cb(0, ctx);
|
514
|
+
if (!ok)
|
515
|
+
goto end;
|
516
|
+
}
|
517
|
+
|
518
|
+
/* At this point, we have a chain and need to verify it */
|
519
|
+
if (ctx->verify != NULL)
|
520
|
+
ok = ctx->verify(ctx);
|
521
|
+
else
|
522
|
+
ok = internal_verify(ctx);
|
523
|
+
if (!ok)
|
524
|
+
goto end;
|
525
|
+
|
526
|
+
/* Check name constraints */
|
527
|
+
|
528
|
+
ok = check_name_constraints(ctx);
|
529
|
+
if (!ok)
|
530
|
+
goto end;
|
531
|
+
|
532
|
+
/* If we get this far evaluate policies */
|
533
|
+
if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
|
534
|
+
ok = ctx->check_policy(ctx);
|
535
|
+
|
536
|
+
end:
|
537
|
+
if (sktmp != NULL)
|
538
|
+
sk_X509_free(sktmp);
|
539
|
+
if (chain_ss != NULL)
|
540
|
+
X509_free(chain_ss);
|
541
|
+
|
542
|
+
/* Safety net, error returns must set ctx->error */
|
543
|
+
if (ok <= 0 && ctx->error == X509_V_OK)
|
544
|
+
ctx->error = X509_V_ERR_UNSPECIFIED;
|
545
|
+
return ok;
|
546
|
+
}
|
547
|
+
|
548
|
+
/*
|
549
|
+
* Given a STACK_OF(X509) find the issuer of cert (if any)
|
550
|
+
*/
|
551
|
+
|
552
|
+
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
|
553
|
+
{
|
554
|
+
size_t i;
|
555
|
+
X509 *issuer;
|
556
|
+
for (i = 0; i < sk_X509_num(sk); i++) {
|
557
|
+
issuer = sk_X509_value(sk, i);
|
558
|
+
if (ctx->check_issued(ctx, x, issuer))
|
559
|
+
return issuer;
|
560
|
+
}
|
561
|
+
return NULL;
|
562
|
+
}
|
563
|
+
|
564
|
+
/* Given a possible certificate and issuer check them */
|
565
|
+
|
566
|
+
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
|
567
|
+
{
|
568
|
+
int ret;
|
569
|
+
ret = X509_check_issued(issuer, x);
|
570
|
+
if (ret == X509_V_OK)
|
571
|
+
return 1;
|
572
|
+
/* If we haven't asked for issuer errors don't set ctx */
|
573
|
+
if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
|
574
|
+
return 0;
|
575
|
+
|
576
|
+
ctx->error = ret;
|
577
|
+
ctx->current_cert = x;
|
578
|
+
ctx->current_issuer = issuer;
|
579
|
+
return ctx->verify_cb(0, ctx);
|
580
|
+
}
|
581
|
+
|
582
|
+
/* Alternative lookup method: look from a STACK stored in other_ctx */
|
583
|
+
|
584
|
+
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
|
585
|
+
{
|
586
|
+
*issuer = find_issuer(ctx, ctx->other_ctx, x);
|
587
|
+
if (*issuer) {
|
588
|
+
X509_up_ref(*issuer);
|
589
|
+
return 1;
|
590
|
+
} else
|
591
|
+
return 0;
|
592
|
+
}
|
593
|
+
|
594
|
+
/*
|
595
|
+
* Check a certificate chains extensions for consistency with the supplied
|
596
|
+
* purpose
|
597
|
+
*/
|
598
|
+
|
599
|
+
static int check_chain_extensions(X509_STORE_CTX *ctx)
|
600
|
+
{
|
601
|
+
int i, ok = 0, plen = 0;
|
602
|
+
X509 *x;
|
603
|
+
int (*cb) (int xok, X509_STORE_CTX *xctx);
|
604
|
+
int proxy_path_length = 0;
|
605
|
+
int purpose;
|
606
|
+
int allow_proxy_certs;
|
607
|
+
cb = ctx->verify_cb;
|
608
|
+
|
609
|
+
enum {
|
610
|
+
// ca_or_leaf allows either type of certificate so that direct use of
|
611
|
+
// self-signed certificates works.
|
612
|
+
ca_or_leaf,
|
613
|
+
must_be_ca,
|
614
|
+
must_not_be_ca,
|
615
|
+
} ca_requirement;
|
616
|
+
|
617
|
+
/* CRL path validation */
|
618
|
+
if (ctx->parent) {
|
619
|
+
allow_proxy_certs = 0;
|
620
|
+
purpose = X509_PURPOSE_CRL_SIGN;
|
621
|
+
} else {
|
622
|
+
allow_proxy_certs =
|
623
|
+
! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
|
624
|
+
purpose = ctx->param->purpose;
|
625
|
+
}
|
626
|
+
|
627
|
+
ca_requirement = ca_or_leaf;
|
628
|
+
|
629
|
+
/* Check all untrusted certificates */
|
630
|
+
for (i = 0; i < ctx->last_untrusted; i++) {
|
631
|
+
int ret;
|
632
|
+
x = sk_X509_value(ctx->chain, i);
|
633
|
+
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
|
634
|
+
&& (x->ex_flags & EXFLAG_CRITICAL)) {
|
635
|
+
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
|
636
|
+
ctx->error_depth = i;
|
637
|
+
ctx->current_cert = x;
|
638
|
+
ok = cb(0, ctx);
|
639
|
+
if (!ok)
|
640
|
+
goto end;
|
641
|
+
}
|
642
|
+
if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
|
643
|
+
ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
|
644
|
+
ctx->error_depth = i;
|
645
|
+
ctx->current_cert = x;
|
646
|
+
ok = cb(0, ctx);
|
647
|
+
if (!ok)
|
648
|
+
goto end;
|
649
|
+
}
|
650
|
+
|
651
|
+
switch (ca_requirement) {
|
652
|
+
case ca_or_leaf:
|
653
|
+
ret = 1;
|
654
|
+
break;
|
655
|
+
case must_not_be_ca:
|
656
|
+
if (X509_check_ca(x)) {
|
657
|
+
ret = 0;
|
658
|
+
ctx->error = X509_V_ERR_INVALID_NON_CA;
|
659
|
+
} else
|
660
|
+
ret = 1;
|
661
|
+
break;
|
662
|
+
case must_be_ca:
|
663
|
+
if (!X509_check_ca(x)) {
|
664
|
+
ret = 0;
|
665
|
+
ctx->error = X509_V_ERR_INVALID_CA;
|
666
|
+
} else
|
667
|
+
ret = 1;
|
668
|
+
break;
|
669
|
+
default:
|
670
|
+
// impossible.
|
671
|
+
ret = 0;
|
672
|
+
}
|
673
|
+
|
674
|
+
if (ret == 0) {
|
675
|
+
ctx->error_depth = i;
|
676
|
+
ctx->current_cert = x;
|
677
|
+
ok = cb(0, ctx);
|
678
|
+
if (!ok)
|
679
|
+
goto end;
|
680
|
+
}
|
681
|
+
if (ctx->param->purpose > 0) {
|
682
|
+
ret = X509_check_purpose(x, purpose, ca_requirement == must_be_ca);
|
683
|
+
if (ret != 1) {
|
684
|
+
ret = 0;
|
685
|
+
ctx->error = X509_V_ERR_INVALID_PURPOSE;
|
686
|
+
ctx->error_depth = i;
|
687
|
+
ctx->current_cert = x;
|
688
|
+
ok = cb(0, ctx);
|
689
|
+
if (!ok)
|
690
|
+
goto end;
|
691
|
+
}
|
692
|
+
}
|
693
|
+
/* Check pathlen if not self issued */
|
694
|
+
if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
|
695
|
+
&& (x->ex_pathlen != -1)
|
696
|
+
&& (plen > (x->ex_pathlen + proxy_path_length + 1))) {
|
697
|
+
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
|
698
|
+
ctx->error_depth = i;
|
699
|
+
ctx->current_cert = x;
|
700
|
+
ok = cb(0, ctx);
|
701
|
+
if (!ok)
|
702
|
+
goto end;
|
703
|
+
}
|
704
|
+
/* Increment path length if not self issued */
|
705
|
+
if (!(x->ex_flags & EXFLAG_SI))
|
706
|
+
plen++;
|
707
|
+
/*
|
708
|
+
* If this certificate is a proxy certificate, the next certificate
|
709
|
+
* must be another proxy certificate or a EE certificate. If not,
|
710
|
+
* the next certificate must be a CA certificate.
|
711
|
+
*/
|
712
|
+
if (x->ex_flags & EXFLAG_PROXY) {
|
713
|
+
if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
|
714
|
+
ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
|
715
|
+
ctx->error_depth = i;
|
716
|
+
ctx->current_cert = x;
|
717
|
+
ok = cb(0, ctx);
|
718
|
+
if (!ok)
|
719
|
+
goto end;
|
720
|
+
}
|
721
|
+
proxy_path_length++;
|
722
|
+
ca_requirement = must_not_be_ca;
|
723
|
+
} else {
|
724
|
+
ca_requirement = must_be_ca;
|
725
|
+
}
|
726
|
+
}
|
727
|
+
ok = 1;
|
728
|
+
end:
|
729
|
+
return ok;
|
730
|
+
}
|
731
|
+
|
732
|
+
static int reject_dns_name_in_common_name(X509 *x509)
|
733
|
+
{
|
734
|
+
X509_NAME *name = X509_get_subject_name(x509);
|
735
|
+
int i = -1;
|
736
|
+
for (;;) {
|
737
|
+
i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
|
738
|
+
if (i == -1) {
|
739
|
+
return X509_V_OK;
|
740
|
+
}
|
741
|
+
|
742
|
+
X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);
|
743
|
+
ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(entry);
|
744
|
+
unsigned char *idval;
|
745
|
+
int idlen = ASN1_STRING_to_UTF8(&idval, common_name);
|
746
|
+
if (idlen < 0) {
|
747
|
+
return X509_V_ERR_OUT_OF_MEM;
|
748
|
+
}
|
749
|
+
/* Only process attributes that look like host names. Note it is
|
750
|
+
* important that this check be mirrored in |X509_check_host|. */
|
751
|
+
int looks_like_dns = x509v3_looks_like_dns_name(idval, (size_t)idlen);
|
752
|
+
OPENSSL_free(idval);
|
753
|
+
if (looks_like_dns) {
|
754
|
+
return X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS;
|
755
|
+
}
|
756
|
+
}
|
757
|
+
}
|
758
|
+
|
759
|
+
static int check_name_constraints(X509_STORE_CTX *ctx)
|
760
|
+
{
|
761
|
+
int i, j, rv;
|
762
|
+
int has_name_constraints = 0;
|
763
|
+
/* Check name constraints for all certificates */
|
764
|
+
for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
|
765
|
+
X509 *x = sk_X509_value(ctx->chain, i);
|
766
|
+
/* Ignore self issued certs unless last in chain */
|
767
|
+
if (i && (x->ex_flags & EXFLAG_SI))
|
768
|
+
continue;
|
769
|
+
/*
|
770
|
+
* Check against constraints for all certificates higher in chain
|
771
|
+
* including trust anchor. Trust anchor not strictly speaking needed
|
772
|
+
* but if it includes constraints it is to be assumed it expects them
|
773
|
+
* to be obeyed.
|
774
|
+
*/
|
775
|
+
for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
|
776
|
+
NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
|
777
|
+
if (nc) {
|
778
|
+
has_name_constraints = 1;
|
779
|
+
rv = NAME_CONSTRAINTS_check(x, nc);
|
780
|
+
switch (rv) {
|
781
|
+
case X509_V_OK:
|
782
|
+
continue;
|
783
|
+
case X509_V_ERR_OUT_OF_MEM:
|
784
|
+
ctx->error = rv;
|
785
|
+
return 0;
|
786
|
+
default:
|
787
|
+
ctx->error = rv;
|
788
|
+
ctx->error_depth = i;
|
789
|
+
ctx->current_cert = x;
|
790
|
+
if (!ctx->verify_cb(0, ctx))
|
791
|
+
return 0;
|
792
|
+
break;
|
793
|
+
}
|
794
|
+
}
|
795
|
+
}
|
796
|
+
}
|
797
|
+
|
798
|
+
/* Name constraints do not match against the common name, but
|
799
|
+
* |X509_check_host| still implements the legacy behavior where, on
|
800
|
+
* certificates lacking a SAN list, DNS-like names in the common name are
|
801
|
+
* checked instead.
|
802
|
+
*
|
803
|
+
* While we could apply the name constraints to the common name, name
|
804
|
+
* constraints are rare enough that can hold such certificates to a higher
|
805
|
+
* standard. Note this does not make "DNS-like" heuristic failures any
|
806
|
+
* worse. A decorative common-name misidentified as a DNS name would fail
|
807
|
+
* the name constraint anyway. */
|
808
|
+
X509 *leaf = sk_X509_value(ctx->chain, 0);
|
809
|
+
if (has_name_constraints && leaf->altname == NULL) {
|
810
|
+
rv = reject_dns_name_in_common_name(leaf);
|
811
|
+
switch (rv) {
|
812
|
+
case X509_V_OK:
|
813
|
+
break;
|
814
|
+
case X509_V_ERR_OUT_OF_MEM:
|
815
|
+
ctx->error = rv;
|
816
|
+
return 0;
|
817
|
+
default:
|
818
|
+
ctx->error = rv;
|
819
|
+
ctx->error_depth = i;
|
820
|
+
ctx->current_cert = leaf;
|
821
|
+
if (!ctx->verify_cb(0, ctx))
|
822
|
+
return 0;
|
823
|
+
break;
|
824
|
+
}
|
825
|
+
}
|
826
|
+
|
827
|
+
return 1;
|
828
|
+
}
|
829
|
+
|
830
|
+
static int check_id_error(X509_STORE_CTX *ctx, int errcode)
|
831
|
+
{
|
832
|
+
ctx->error = errcode;
|
833
|
+
ctx->current_cert = ctx->cert;
|
834
|
+
ctx->error_depth = 0;
|
835
|
+
return ctx->verify_cb(0, ctx);
|
836
|
+
}
|
837
|
+
|
838
|
+
static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
|
839
|
+
{
|
840
|
+
size_t i;
|
841
|
+
size_t n = sk_OPENSSL_STRING_num(id->hosts);
|
842
|
+
char *name;
|
843
|
+
|
844
|
+
if (id->peername != NULL) {
|
845
|
+
OPENSSL_free(id->peername);
|
846
|
+
id->peername = NULL;
|
847
|
+
}
|
848
|
+
for (i = 0; i < n; ++i) {
|
849
|
+
name = sk_OPENSSL_STRING_value(id->hosts, i);
|
850
|
+
if (X509_check_host(x, name, strlen(name), id->hostflags,
|
851
|
+
&id->peername) > 0)
|
852
|
+
return 1;
|
853
|
+
}
|
854
|
+
return n == 0;
|
855
|
+
}
|
856
|
+
|
857
|
+
static int check_id(X509_STORE_CTX *ctx)
|
858
|
+
{
|
859
|
+
X509_VERIFY_PARAM *vpm = ctx->param;
|
860
|
+
X509_VERIFY_PARAM_ID *id = vpm->id;
|
861
|
+
X509 *x = ctx->cert;
|
862
|
+
if (id->poison) {
|
863
|
+
if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL))
|
864
|
+
return 0;
|
865
|
+
}
|
866
|
+
if (id->hosts && check_hosts(x, id) <= 0) {
|
867
|
+
if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
|
868
|
+
return 0;
|
869
|
+
}
|
870
|
+
if (id->email && X509_check_email(x, id->email, id->emaillen, 0) <= 0) {
|
871
|
+
if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
|
872
|
+
return 0;
|
873
|
+
}
|
874
|
+
if (id->ip && X509_check_ip(x, id->ip, id->iplen, 0) <= 0) {
|
875
|
+
if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
|
876
|
+
return 0;
|
877
|
+
}
|
878
|
+
return 1;
|
879
|
+
}
|
880
|
+
|
881
|
+
static int check_trust(X509_STORE_CTX *ctx)
|
882
|
+
{
|
883
|
+
size_t i;
|
884
|
+
int ok;
|
885
|
+
X509 *x = NULL;
|
886
|
+
int (*cb) (int xok, X509_STORE_CTX *xctx);
|
887
|
+
cb = ctx->verify_cb;
|
888
|
+
/* Check all trusted certificates in chain */
|
889
|
+
for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
|
890
|
+
x = sk_X509_value(ctx->chain, i);
|
891
|
+
ok = X509_check_trust(x, ctx->param->trust, 0);
|
892
|
+
/* If explicitly trusted return trusted */
|
893
|
+
if (ok == X509_TRUST_TRUSTED)
|
894
|
+
return X509_TRUST_TRUSTED;
|
895
|
+
/*
|
896
|
+
* If explicitly rejected notify callback and reject if not
|
897
|
+
* overridden.
|
898
|
+
*/
|
899
|
+
if (ok == X509_TRUST_REJECTED) {
|
900
|
+
ctx->error_depth = i;
|
901
|
+
ctx->current_cert = x;
|
902
|
+
ctx->error = X509_V_ERR_CERT_REJECTED;
|
903
|
+
ok = cb(0, ctx);
|
904
|
+
if (!ok)
|
905
|
+
return X509_TRUST_REJECTED;
|
906
|
+
}
|
907
|
+
}
|
908
|
+
/*
|
909
|
+
* If we accept partial chains and have at least one trusted certificate
|
910
|
+
* return success.
|
911
|
+
*/
|
912
|
+
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
|
913
|
+
X509 *mx;
|
914
|
+
if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain))
|
915
|
+
return X509_TRUST_TRUSTED;
|
916
|
+
x = sk_X509_value(ctx->chain, 0);
|
917
|
+
mx = lookup_cert_match(ctx, x);
|
918
|
+
if (mx) {
|
919
|
+
(void)sk_X509_set(ctx->chain, 0, mx);
|
920
|
+
X509_free(x);
|
921
|
+
ctx->last_untrusted = 0;
|
922
|
+
return X509_TRUST_TRUSTED;
|
923
|
+
}
|
924
|
+
}
|
925
|
+
|
926
|
+
/*
|
927
|
+
* If no trusted certs in chain at all return untrusted and allow
|
928
|
+
* standard (no issuer cert) etc errors to be indicated.
|
929
|
+
*/
|
930
|
+
return X509_TRUST_UNTRUSTED;
|
931
|
+
}
|
932
|
+
|
933
|
+
static int check_revocation(X509_STORE_CTX *ctx)
|
934
|
+
{
|
935
|
+
int i, last, ok;
|
936
|
+
if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
|
937
|
+
return 1;
|
938
|
+
if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
|
939
|
+
last = sk_X509_num(ctx->chain) - 1;
|
940
|
+
else {
|
941
|
+
/* If checking CRL paths this isn't the EE certificate */
|
942
|
+
if (ctx->parent)
|
943
|
+
return 1;
|
944
|
+
last = 0;
|
945
|
+
}
|
946
|
+
for (i = 0; i <= last; i++) {
|
947
|
+
ctx->error_depth = i;
|
948
|
+
ok = check_cert(ctx);
|
949
|
+
if (!ok)
|
950
|
+
return ok;
|
951
|
+
}
|
952
|
+
return 1;
|
953
|
+
}
|
954
|
+
|
955
|
+
static int check_cert(X509_STORE_CTX *ctx)
|
956
|
+
{
|
957
|
+
X509_CRL *crl = NULL, *dcrl = NULL;
|
958
|
+
X509 *x;
|
959
|
+
int ok = 0, cnum;
|
960
|
+
unsigned int last_reasons;
|
961
|
+
cnum = ctx->error_depth;
|
962
|
+
x = sk_X509_value(ctx->chain, cnum);
|
963
|
+
ctx->current_cert = x;
|
964
|
+
ctx->current_issuer = NULL;
|
965
|
+
ctx->current_crl_score = 0;
|
966
|
+
ctx->current_reasons = 0;
|
967
|
+
while (ctx->current_reasons != CRLDP_ALL_REASONS) {
|
968
|
+
last_reasons = ctx->current_reasons;
|
969
|
+
/* Try to retrieve relevant CRL */
|
970
|
+
if (ctx->get_crl)
|
971
|
+
ok = ctx->get_crl(ctx, &crl, x);
|
972
|
+
else
|
973
|
+
ok = get_crl_delta(ctx, &crl, &dcrl, x);
|
974
|
+
/*
|
975
|
+
* If error looking up CRL, nothing we can do except notify callback
|
976
|
+
*/
|
977
|
+
if (!ok) {
|
978
|
+
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
|
979
|
+
ok = ctx->verify_cb(0, ctx);
|
980
|
+
goto err;
|
981
|
+
}
|
982
|
+
ctx->current_crl = crl;
|
983
|
+
ok = ctx->check_crl(ctx, crl);
|
984
|
+
if (!ok)
|
985
|
+
goto err;
|
986
|
+
|
987
|
+
if (dcrl) {
|
988
|
+
ok = ctx->check_crl(ctx, dcrl);
|
989
|
+
if (!ok)
|
990
|
+
goto err;
|
991
|
+
ok = ctx->cert_crl(ctx, dcrl, x);
|
992
|
+
if (!ok)
|
993
|
+
goto err;
|
994
|
+
} else
|
995
|
+
ok = 1;
|
996
|
+
|
997
|
+
/* Don't look in full CRL if delta reason is removefromCRL */
|
998
|
+
if (ok != 2) {
|
999
|
+
ok = ctx->cert_crl(ctx, crl, x);
|
1000
|
+
if (!ok)
|
1001
|
+
goto err;
|
1002
|
+
}
|
1003
|
+
|
1004
|
+
X509_CRL_free(crl);
|
1005
|
+
X509_CRL_free(dcrl);
|
1006
|
+
crl = NULL;
|
1007
|
+
dcrl = NULL;
|
1008
|
+
/*
|
1009
|
+
* If reasons not updated we wont get anywhere by another iteration,
|
1010
|
+
* so exit loop.
|
1011
|
+
*/
|
1012
|
+
if (last_reasons == ctx->current_reasons) {
|
1013
|
+
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
|
1014
|
+
ok = ctx->verify_cb(0, ctx);
|
1015
|
+
goto err;
|
1016
|
+
}
|
1017
|
+
}
|
1018
|
+
err:
|
1019
|
+
X509_CRL_free(crl);
|
1020
|
+
X509_CRL_free(dcrl);
|
1021
|
+
|
1022
|
+
ctx->current_crl = NULL;
|
1023
|
+
return ok;
|
1024
|
+
|
1025
|
+
}
|
1026
|
+
|
1027
|
+
/* Check CRL times against values in X509_STORE_CTX */
|
1028
|
+
|
1029
|
+
static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
|
1030
|
+
{
|
1031
|
+
time_t *ptime;
|
1032
|
+
int i;
|
1033
|
+
if (notify)
|
1034
|
+
ctx->current_crl = crl;
|
1035
|
+
if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
|
1036
|
+
ptime = &ctx->param->check_time;
|
1037
|
+
else
|
1038
|
+
ptime = NULL;
|
1039
|
+
|
1040
|
+
i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
|
1041
|
+
if (i == 0) {
|
1042
|
+
if (!notify)
|
1043
|
+
return 0;
|
1044
|
+
ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
|
1045
|
+
if (!ctx->verify_cb(0, ctx))
|
1046
|
+
return 0;
|
1047
|
+
}
|
1048
|
+
|
1049
|
+
if (i > 0) {
|
1050
|
+
if (!notify)
|
1051
|
+
return 0;
|
1052
|
+
ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
|
1053
|
+
if (!ctx->verify_cb(0, ctx))
|
1054
|
+
return 0;
|
1055
|
+
}
|
1056
|
+
|
1057
|
+
if (X509_CRL_get_nextUpdate(crl)) {
|
1058
|
+
i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
|
1059
|
+
|
1060
|
+
if (i == 0) {
|
1061
|
+
if (!notify)
|
1062
|
+
return 0;
|
1063
|
+
ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
|
1064
|
+
if (!ctx->verify_cb(0, ctx))
|
1065
|
+
return 0;
|
1066
|
+
}
|
1067
|
+
/* Ignore expiry of base CRL is delta is valid */
|
1068
|
+
if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
|
1069
|
+
if (!notify)
|
1070
|
+
return 0;
|
1071
|
+
ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
|
1072
|
+
if (!ctx->verify_cb(0, ctx))
|
1073
|
+
return 0;
|
1074
|
+
}
|
1075
|
+
}
|
1076
|
+
|
1077
|
+
if (notify)
|
1078
|
+
ctx->current_crl = NULL;
|
1079
|
+
|
1080
|
+
return 1;
|
1081
|
+
}
|
1082
|
+
|
1083
|
+
static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
|
1084
|
+
X509 **pissuer, int *pscore, unsigned int *preasons,
|
1085
|
+
STACK_OF(X509_CRL) *crls)
|
1086
|
+
{
|
1087
|
+
int crl_score, best_score = *pscore;
|
1088
|
+
size_t i;
|
1089
|
+
unsigned int reasons, best_reasons = 0;
|
1090
|
+
X509 *x = ctx->current_cert;
|
1091
|
+
X509_CRL *crl, *best_crl = NULL;
|
1092
|
+
X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
|
1093
|
+
|
1094
|
+
for (i = 0; i < sk_X509_CRL_num(crls); i++) {
|
1095
|
+
crl = sk_X509_CRL_value(crls, i);
|
1096
|
+
reasons = *preasons;
|
1097
|
+
crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
|
1098
|
+
if (crl_score < best_score || crl_score == 0)
|
1099
|
+
continue;
|
1100
|
+
/* If current CRL is equivalent use it if it is newer */
|
1101
|
+
if (crl_score == best_score && best_crl != NULL) {
|
1102
|
+
int day, sec;
|
1103
|
+
if (ASN1_TIME_diff(&day, &sec, X509_CRL_get_lastUpdate(best_crl),
|
1104
|
+
X509_CRL_get_lastUpdate(crl)) == 0)
|
1105
|
+
continue;
|
1106
|
+
/*
|
1107
|
+
* ASN1_TIME_diff never returns inconsistent signs for |day|
|
1108
|
+
* and |sec|.
|
1109
|
+
*/
|
1110
|
+
if (day <= 0 && sec <= 0)
|
1111
|
+
continue;
|
1112
|
+
}
|
1113
|
+
best_crl = crl;
|
1114
|
+
best_crl_issuer = crl_issuer;
|
1115
|
+
best_score = crl_score;
|
1116
|
+
best_reasons = reasons;
|
1117
|
+
}
|
1118
|
+
|
1119
|
+
if (best_crl) {
|
1120
|
+
if (*pcrl)
|
1121
|
+
X509_CRL_free(*pcrl);
|
1122
|
+
*pcrl = best_crl;
|
1123
|
+
*pissuer = best_crl_issuer;
|
1124
|
+
*pscore = best_score;
|
1125
|
+
*preasons = best_reasons;
|
1126
|
+
X509_CRL_up_ref(best_crl);
|
1127
|
+
if (*pdcrl) {
|
1128
|
+
X509_CRL_free(*pdcrl);
|
1129
|
+
*pdcrl = NULL;
|
1130
|
+
}
|
1131
|
+
get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
|
1132
|
+
}
|
1133
|
+
|
1134
|
+
if (best_score >= CRL_SCORE_VALID)
|
1135
|
+
return 1;
|
1136
|
+
|
1137
|
+
return 0;
|
1138
|
+
}
|
1139
|
+
|
1140
|
+
/*
|
1141
|
+
* Compare two CRL extensions for delta checking purposes. They should be
|
1142
|
+
* both present or both absent. If both present all fields must be identical.
|
1143
|
+
*/
|
1144
|
+
|
1145
|
+
static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
|
1146
|
+
{
|
1147
|
+
ASN1_OCTET_STRING *exta, *extb;
|
1148
|
+
int i;
|
1149
|
+
i = X509_CRL_get_ext_by_NID(a, nid, -1);
|
1150
|
+
if (i >= 0) {
|
1151
|
+
/* Can't have multiple occurrences */
|
1152
|
+
if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
|
1153
|
+
return 0;
|
1154
|
+
exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
|
1155
|
+
} else
|
1156
|
+
exta = NULL;
|
1157
|
+
|
1158
|
+
i = X509_CRL_get_ext_by_NID(b, nid, -1);
|
1159
|
+
|
1160
|
+
if (i >= 0) {
|
1161
|
+
|
1162
|
+
if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
|
1163
|
+
return 0;
|
1164
|
+
extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
|
1165
|
+
} else
|
1166
|
+
extb = NULL;
|
1167
|
+
|
1168
|
+
if (!exta && !extb)
|
1169
|
+
return 1;
|
1170
|
+
|
1171
|
+
if (!exta || !extb)
|
1172
|
+
return 0;
|
1173
|
+
|
1174
|
+
if (ASN1_OCTET_STRING_cmp(exta, extb))
|
1175
|
+
return 0;
|
1176
|
+
|
1177
|
+
return 1;
|
1178
|
+
}
|
1179
|
+
|
1180
|
+
/* See if a base and delta are compatible */
|
1181
|
+
|
1182
|
+
static int check_delta_base(X509_CRL *delta, X509_CRL *base)
|
1183
|
+
{
|
1184
|
+
/* Delta CRL must be a delta */
|
1185
|
+
if (!delta->base_crl_number)
|
1186
|
+
return 0;
|
1187
|
+
/* Base must have a CRL number */
|
1188
|
+
if (!base->crl_number)
|
1189
|
+
return 0;
|
1190
|
+
/* Issuer names must match */
|
1191
|
+
if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta)))
|
1192
|
+
return 0;
|
1193
|
+
/* AKID and IDP must match */
|
1194
|
+
if (!crl_extension_match(delta, base, NID_authority_key_identifier))
|
1195
|
+
return 0;
|
1196
|
+
if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
|
1197
|
+
return 0;
|
1198
|
+
/* Delta CRL base number must not exceed Full CRL number. */
|
1199
|
+
if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
|
1200
|
+
return 0;
|
1201
|
+
/* Delta CRL number must exceed full CRL number */
|
1202
|
+
if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
|
1203
|
+
return 1;
|
1204
|
+
return 0;
|
1205
|
+
}
|
1206
|
+
|
1207
|
+
/*
|
1208
|
+
* For a given base CRL find a delta... maybe extend to delta scoring or
|
1209
|
+
* retrieve a chain of deltas...
|
1210
|
+
*/
|
1211
|
+
|
1212
|
+
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
|
1213
|
+
X509_CRL *base, STACK_OF(X509_CRL) *crls)
|
1214
|
+
{
|
1215
|
+
X509_CRL *delta;
|
1216
|
+
size_t i;
|
1217
|
+
if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
|
1218
|
+
return;
|
1219
|
+
if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
|
1220
|
+
return;
|
1221
|
+
for (i = 0; i < sk_X509_CRL_num(crls); i++) {
|
1222
|
+
delta = sk_X509_CRL_value(crls, i);
|
1223
|
+
if (check_delta_base(delta, base)) {
|
1224
|
+
if (check_crl_time(ctx, delta, 0))
|
1225
|
+
*pscore |= CRL_SCORE_TIME_DELTA;
|
1226
|
+
X509_CRL_up_ref(delta);
|
1227
|
+
*dcrl = delta;
|
1228
|
+
return;
|
1229
|
+
}
|
1230
|
+
}
|
1231
|
+
*dcrl = NULL;
|
1232
|
+
}
|
1233
|
+
|
1234
|
+
/*
|
1235
|
+
* For a given CRL return how suitable it is for the supplied certificate
|
1236
|
+
* 'x'. The return value is a mask of several criteria. If the issuer is not
|
1237
|
+
* the certificate issuer this is returned in *pissuer. The reasons mask is
|
1238
|
+
* also used to determine if the CRL is suitable: if no new reasons the CRL
|
1239
|
+
* is rejected, otherwise reasons is updated.
|
1240
|
+
*/
|
1241
|
+
|
1242
|
+
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
|
1243
|
+
unsigned int *preasons, X509_CRL *crl, X509 *x)
|
1244
|
+
{
|
1245
|
+
|
1246
|
+
int crl_score = 0;
|
1247
|
+
unsigned int tmp_reasons = *preasons, crl_reasons;
|
1248
|
+
|
1249
|
+
/* First see if we can reject CRL straight away */
|
1250
|
+
|
1251
|
+
/* Invalid IDP cannot be processed */
|
1252
|
+
if (crl->idp_flags & IDP_INVALID)
|
1253
|
+
return 0;
|
1254
|
+
/* Reason codes or indirect CRLs need extended CRL support */
|
1255
|
+
if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
|
1256
|
+
if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
|
1257
|
+
return 0;
|
1258
|
+
} else if (crl->idp_flags & IDP_REASONS) {
|
1259
|
+
/* If no new reasons reject */
|
1260
|
+
if (!(crl->idp_reasons & ~tmp_reasons))
|
1261
|
+
return 0;
|
1262
|
+
}
|
1263
|
+
/* Don't process deltas at this stage */
|
1264
|
+
else if (crl->base_crl_number)
|
1265
|
+
return 0;
|
1266
|
+
/* If issuer name doesn't match certificate need indirect CRL */
|
1267
|
+
if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
|
1268
|
+
if (!(crl->idp_flags & IDP_INDIRECT))
|
1269
|
+
return 0;
|
1270
|
+
} else
|
1271
|
+
crl_score |= CRL_SCORE_ISSUER_NAME;
|
1272
|
+
|
1273
|
+
if (!(crl->flags & EXFLAG_CRITICAL))
|
1274
|
+
crl_score |= CRL_SCORE_NOCRITICAL;
|
1275
|
+
|
1276
|
+
/* Check expiry */
|
1277
|
+
if (check_crl_time(ctx, crl, 0))
|
1278
|
+
crl_score |= CRL_SCORE_TIME;
|
1279
|
+
|
1280
|
+
/* Check authority key ID and locate certificate issuer */
|
1281
|
+
crl_akid_check(ctx, crl, pissuer, &crl_score);
|
1282
|
+
|
1283
|
+
/* If we can't locate certificate issuer at this point forget it */
|
1284
|
+
|
1285
|
+
if (!(crl_score & CRL_SCORE_AKID))
|
1286
|
+
return 0;
|
1287
|
+
|
1288
|
+
/* Check cert for matching CRL distribution points */
|
1289
|
+
|
1290
|
+
if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
|
1291
|
+
/* If no new reasons reject */
|
1292
|
+
if (!(crl_reasons & ~tmp_reasons))
|
1293
|
+
return 0;
|
1294
|
+
tmp_reasons |= crl_reasons;
|
1295
|
+
crl_score |= CRL_SCORE_SCOPE;
|
1296
|
+
}
|
1297
|
+
|
1298
|
+
*preasons = tmp_reasons;
|
1299
|
+
|
1300
|
+
return crl_score;
|
1301
|
+
|
1302
|
+
}
|
1303
|
+
|
1304
|
+
static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
|
1305
|
+
X509 **pissuer, int *pcrl_score)
|
1306
|
+
{
|
1307
|
+
X509 *crl_issuer = NULL;
|
1308
|
+
X509_NAME *cnm = X509_CRL_get_issuer(crl);
|
1309
|
+
int cidx = ctx->error_depth;
|
1310
|
+
size_t i;
|
1311
|
+
|
1312
|
+
if ((size_t)cidx != sk_X509_num(ctx->chain) - 1)
|
1313
|
+
cidx++;
|
1314
|
+
|
1315
|
+
crl_issuer = sk_X509_value(ctx->chain, cidx);
|
1316
|
+
|
1317
|
+
if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
|
1318
|
+
if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
|
1319
|
+
*pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT;
|
1320
|
+
*pissuer = crl_issuer;
|
1321
|
+
return;
|
1322
|
+
}
|
1323
|
+
}
|
1324
|
+
|
1325
|
+
for (cidx++; cidx < (int)sk_X509_num(ctx->chain); cidx++) {
|
1326
|
+
crl_issuer = sk_X509_value(ctx->chain, cidx);
|
1327
|
+
if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
|
1328
|
+
continue;
|
1329
|
+
if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
|
1330
|
+
*pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH;
|
1331
|
+
*pissuer = crl_issuer;
|
1332
|
+
return;
|
1333
|
+
}
|
1334
|
+
}
|
1335
|
+
|
1336
|
+
/* Anything else needs extended CRL support */
|
1337
|
+
|
1338
|
+
if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
|
1339
|
+
return;
|
1340
|
+
|
1341
|
+
/*
|
1342
|
+
* Otherwise the CRL issuer is not on the path. Look for it in the set of
|
1343
|
+
* untrusted certificates.
|
1344
|
+
*/
|
1345
|
+
for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
|
1346
|
+
crl_issuer = sk_X509_value(ctx->untrusted, i);
|
1347
|
+
if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
|
1348
|
+
continue;
|
1349
|
+
if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
|
1350
|
+
*pissuer = crl_issuer;
|
1351
|
+
*pcrl_score |= CRL_SCORE_AKID;
|
1352
|
+
return;
|
1353
|
+
}
|
1354
|
+
}
|
1355
|
+
|
1356
|
+
for (i = 0; i < sk_X509_num(ctx->ctx->additional_untrusted); i++) {
|
1357
|
+
crl_issuer = sk_X509_value(ctx->ctx->additional_untrusted, i);
|
1358
|
+
if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
|
1359
|
+
continue;
|
1360
|
+
if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
|
1361
|
+
*pissuer = crl_issuer;
|
1362
|
+
*pcrl_score |= CRL_SCORE_AKID;
|
1363
|
+
return;
|
1364
|
+
}
|
1365
|
+
}
|
1366
|
+
}
|
1367
|
+
|
1368
|
+
/*
|
1369
|
+
* Check the path of a CRL issuer certificate. This creates a new
|
1370
|
+
* X509_STORE_CTX and populates it with most of the parameters from the
|
1371
|
+
* parent. This could be optimised somewhat since a lot of path checking will
|
1372
|
+
* be duplicated by the parent, but this will rarely be used in practice.
|
1373
|
+
*/
|
1374
|
+
|
1375
|
+
static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
|
1376
|
+
{
|
1377
|
+
X509_STORE_CTX crl_ctx;
|
1378
|
+
int ret;
|
1379
|
+
/* Don't allow recursive CRL path validation */
|
1380
|
+
if (ctx->parent)
|
1381
|
+
return 0;
|
1382
|
+
if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
|
1383
|
+
return -1;
|
1384
|
+
|
1385
|
+
crl_ctx.crls = ctx->crls;
|
1386
|
+
/* Copy verify params across */
|
1387
|
+
X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
|
1388
|
+
|
1389
|
+
crl_ctx.parent = ctx;
|
1390
|
+
crl_ctx.verify_cb = ctx->verify_cb;
|
1391
|
+
|
1392
|
+
/* Verify CRL issuer */
|
1393
|
+
ret = X509_verify_cert(&crl_ctx);
|
1394
|
+
|
1395
|
+
if (ret <= 0)
|
1396
|
+
goto err;
|
1397
|
+
|
1398
|
+
/* Check chain is acceptable */
|
1399
|
+
|
1400
|
+
ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
|
1401
|
+
err:
|
1402
|
+
X509_STORE_CTX_cleanup(&crl_ctx);
|
1403
|
+
return ret;
|
1404
|
+
}
|
1405
|
+
|
1406
|
+
/*
|
1407
|
+
* RFC3280 says nothing about the relationship between CRL path and
|
1408
|
+
* certificate path, which could lead to situations where a certificate could
|
1409
|
+
* be revoked or validated by a CA not authorised to do so. RFC5280 is more
|
1410
|
+
* strict and states that the two paths must end in the same trust anchor,
|
1411
|
+
* though some discussions remain... until this is resolved we use the
|
1412
|
+
* RFC5280 version
|
1413
|
+
*/
|
1414
|
+
|
1415
|
+
static int check_crl_chain(X509_STORE_CTX *ctx,
|
1416
|
+
STACK_OF(X509) *cert_path,
|
1417
|
+
STACK_OF(X509) *crl_path)
|
1418
|
+
{
|
1419
|
+
X509 *cert_ta, *crl_ta;
|
1420
|
+
cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
|
1421
|
+
crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
|
1422
|
+
if (!X509_cmp(cert_ta, crl_ta))
|
1423
|
+
return 1;
|
1424
|
+
return 0;
|
1425
|
+
}
|
1426
|
+
|
1427
|
+
/*
|
1428
|
+
* Check for match between two dist point names: three separate cases. 1.
|
1429
|
+
* Both are relative names and compare X509_NAME types. 2. One full, one
|
1430
|
+
* relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and
|
1431
|
+
* compare two GENERAL_NAMES. 4. One is NULL: automatic match.
|
1432
|
+
*/
|
1433
|
+
|
1434
|
+
static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
|
1435
|
+
{
|
1436
|
+
X509_NAME *nm = NULL;
|
1437
|
+
GENERAL_NAMES *gens = NULL;
|
1438
|
+
GENERAL_NAME *gena, *genb;
|
1439
|
+
size_t i, j;
|
1440
|
+
if (!a || !b)
|
1441
|
+
return 1;
|
1442
|
+
if (a->type == 1) {
|
1443
|
+
if (!a->dpname)
|
1444
|
+
return 0;
|
1445
|
+
/* Case 1: two X509_NAME */
|
1446
|
+
if (b->type == 1) {
|
1447
|
+
if (!b->dpname)
|
1448
|
+
return 0;
|
1449
|
+
if (!X509_NAME_cmp(a->dpname, b->dpname))
|
1450
|
+
return 1;
|
1451
|
+
else
|
1452
|
+
return 0;
|
1453
|
+
}
|
1454
|
+
/* Case 2: set name and GENERAL_NAMES appropriately */
|
1455
|
+
nm = a->dpname;
|
1456
|
+
gens = b->name.fullname;
|
1457
|
+
} else if (b->type == 1) {
|
1458
|
+
if (!b->dpname)
|
1459
|
+
return 0;
|
1460
|
+
/* Case 2: set name and GENERAL_NAMES appropriately */
|
1461
|
+
gens = a->name.fullname;
|
1462
|
+
nm = b->dpname;
|
1463
|
+
}
|
1464
|
+
|
1465
|
+
/* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
|
1466
|
+
if (nm) {
|
1467
|
+
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
|
1468
|
+
gena = sk_GENERAL_NAME_value(gens, i);
|
1469
|
+
if (gena->type != GEN_DIRNAME)
|
1470
|
+
continue;
|
1471
|
+
if (!X509_NAME_cmp(nm, gena->d.directoryName))
|
1472
|
+
return 1;
|
1473
|
+
}
|
1474
|
+
return 0;
|
1475
|
+
}
|
1476
|
+
|
1477
|
+
/* Else case 3: two GENERAL_NAMES */
|
1478
|
+
|
1479
|
+
for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
|
1480
|
+
gena = sk_GENERAL_NAME_value(a->name.fullname, i);
|
1481
|
+
for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
|
1482
|
+
genb = sk_GENERAL_NAME_value(b->name.fullname, j);
|
1483
|
+
if (!GENERAL_NAME_cmp(gena, genb))
|
1484
|
+
return 1;
|
1485
|
+
}
|
1486
|
+
}
|
1487
|
+
|
1488
|
+
return 0;
|
1489
|
+
|
1490
|
+
}
|
1491
|
+
|
1492
|
+
static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
|
1493
|
+
{
|
1494
|
+
size_t i;
|
1495
|
+
X509_NAME *nm = X509_CRL_get_issuer(crl);
|
1496
|
+
/* If no CRLissuer return is successful iff don't need a match */
|
1497
|
+
if (!dp->CRLissuer)
|
1498
|
+
return ! !(crl_score & CRL_SCORE_ISSUER_NAME);
|
1499
|
+
for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
|
1500
|
+
GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
|
1501
|
+
if (gen->type != GEN_DIRNAME)
|
1502
|
+
continue;
|
1503
|
+
if (!X509_NAME_cmp(gen->d.directoryName, nm))
|
1504
|
+
return 1;
|
1505
|
+
}
|
1506
|
+
return 0;
|
1507
|
+
}
|
1508
|
+
|
1509
|
+
/* Check CRLDP and IDP */
|
1510
|
+
|
1511
|
+
static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
|
1512
|
+
unsigned int *preasons)
|
1513
|
+
{
|
1514
|
+
size_t i;
|
1515
|
+
if (crl->idp_flags & IDP_ONLYATTR)
|
1516
|
+
return 0;
|
1517
|
+
if (x->ex_flags & EXFLAG_CA) {
|
1518
|
+
if (crl->idp_flags & IDP_ONLYUSER)
|
1519
|
+
return 0;
|
1520
|
+
} else {
|
1521
|
+
if (crl->idp_flags & IDP_ONLYCA)
|
1522
|
+
return 0;
|
1523
|
+
}
|
1524
|
+
*preasons = crl->idp_reasons;
|
1525
|
+
for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
|
1526
|
+
DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
|
1527
|
+
if (crldp_check_crlissuer(dp, crl, crl_score)) {
|
1528
|
+
if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
|
1529
|
+
*preasons &= dp->dp_reasons;
|
1530
|
+
return 1;
|
1531
|
+
}
|
1532
|
+
}
|
1533
|
+
}
|
1534
|
+
if ((!crl->idp || !crl->idp->distpoint)
|
1535
|
+
&& (crl_score & CRL_SCORE_ISSUER_NAME))
|
1536
|
+
return 1;
|
1537
|
+
return 0;
|
1538
|
+
}
|
1539
|
+
|
1540
|
+
/*
|
1541
|
+
* Retrieve CRL corresponding to current certificate. If deltas enabled try
|
1542
|
+
* to find a delta CRL too
|
1543
|
+
*/
|
1544
|
+
|
1545
|
+
static int get_crl_delta(X509_STORE_CTX *ctx,
|
1546
|
+
X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
|
1547
|
+
{
|
1548
|
+
int ok;
|
1549
|
+
X509 *issuer = NULL;
|
1550
|
+
int crl_score = 0;
|
1551
|
+
unsigned int reasons;
|
1552
|
+
X509_CRL *crl = NULL, *dcrl = NULL;
|
1553
|
+
STACK_OF(X509_CRL) *skcrl;
|
1554
|
+
X509_NAME *nm = X509_get_issuer_name(x);
|
1555
|
+
reasons = ctx->current_reasons;
|
1556
|
+
ok = get_crl_sk(ctx, &crl, &dcrl,
|
1557
|
+
&issuer, &crl_score, &reasons, ctx->crls);
|
1558
|
+
|
1559
|
+
if (ok)
|
1560
|
+
goto done;
|
1561
|
+
|
1562
|
+
/* Lookup CRLs from store */
|
1563
|
+
|
1564
|
+
skcrl = ctx->lookup_crls(ctx, nm);
|
1565
|
+
|
1566
|
+
/* If no CRLs found and a near match from get_crl_sk use that */
|
1567
|
+
if (!skcrl && crl)
|
1568
|
+
goto done;
|
1569
|
+
|
1570
|
+
get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
|
1571
|
+
|
1572
|
+
sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
|
1573
|
+
|
1574
|
+
done:
|
1575
|
+
|
1576
|
+
/* If we got any kind of CRL use it and return success */
|
1577
|
+
if (crl) {
|
1578
|
+
ctx->current_issuer = issuer;
|
1579
|
+
ctx->current_crl_score = crl_score;
|
1580
|
+
ctx->current_reasons = reasons;
|
1581
|
+
*pcrl = crl;
|
1582
|
+
*pdcrl = dcrl;
|
1583
|
+
return 1;
|
1584
|
+
}
|
1585
|
+
|
1586
|
+
return 0;
|
1587
|
+
}
|
1588
|
+
|
1589
|
+
/* Check CRL validity */
|
1590
|
+
static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
|
1591
|
+
{
|
1592
|
+
X509 *issuer = NULL;
|
1593
|
+
EVP_PKEY *ikey = NULL;
|
1594
|
+
int ok = 0, chnum, cnum;
|
1595
|
+
cnum = ctx->error_depth;
|
1596
|
+
chnum = sk_X509_num(ctx->chain) - 1;
|
1597
|
+
/* if we have an alternative CRL issuer cert use that */
|
1598
|
+
if (ctx->current_issuer)
|
1599
|
+
issuer = ctx->current_issuer;
|
1600
|
+
|
1601
|
+
/*
|
1602
|
+
* Else find CRL issuer: if not last certificate then issuer is next
|
1603
|
+
* certificate in chain.
|
1604
|
+
*/
|
1605
|
+
else if (cnum < chnum)
|
1606
|
+
issuer = sk_X509_value(ctx->chain, cnum + 1);
|
1607
|
+
else {
|
1608
|
+
issuer = sk_X509_value(ctx->chain, chnum);
|
1609
|
+
/* If not self signed, can't check signature */
|
1610
|
+
if (!ctx->check_issued(ctx, issuer, issuer)) {
|
1611
|
+
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
|
1612
|
+
ok = ctx->verify_cb(0, ctx);
|
1613
|
+
if (!ok)
|
1614
|
+
goto err;
|
1615
|
+
}
|
1616
|
+
}
|
1617
|
+
|
1618
|
+
if (issuer) {
|
1619
|
+
/*
|
1620
|
+
* Skip most tests for deltas because they have already been done
|
1621
|
+
*/
|
1622
|
+
if (!crl->base_crl_number) {
|
1623
|
+
/* Check for cRLSign bit if keyUsage present */
|
1624
|
+
if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
|
1625
|
+
!(issuer->ex_kusage & KU_CRL_SIGN)) {
|
1626
|
+
ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
|
1627
|
+
ok = ctx->verify_cb(0, ctx);
|
1628
|
+
if (!ok)
|
1629
|
+
goto err;
|
1630
|
+
}
|
1631
|
+
|
1632
|
+
if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
|
1633
|
+
ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
|
1634
|
+
ok = ctx->verify_cb(0, ctx);
|
1635
|
+
if (!ok)
|
1636
|
+
goto err;
|
1637
|
+
}
|
1638
|
+
|
1639
|
+
if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
|
1640
|
+
if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
|
1641
|
+
ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
|
1642
|
+
ok = ctx->verify_cb(0, ctx);
|
1643
|
+
if (!ok)
|
1644
|
+
goto err;
|
1645
|
+
}
|
1646
|
+
}
|
1647
|
+
|
1648
|
+
if (crl->idp_flags & IDP_INVALID) {
|
1649
|
+
ctx->error = X509_V_ERR_INVALID_EXTENSION;
|
1650
|
+
ok = ctx->verify_cb(0, ctx);
|
1651
|
+
if (!ok)
|
1652
|
+
goto err;
|
1653
|
+
}
|
1654
|
+
|
1655
|
+
}
|
1656
|
+
|
1657
|
+
if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
|
1658
|
+
ok = check_crl_time(ctx, crl, 1);
|
1659
|
+
if (!ok)
|
1660
|
+
goto err;
|
1661
|
+
}
|
1662
|
+
|
1663
|
+
/* Attempt to get issuer certificate public key */
|
1664
|
+
ikey = X509_get_pubkey(issuer);
|
1665
|
+
|
1666
|
+
if (!ikey) {
|
1667
|
+
ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
|
1668
|
+
ok = ctx->verify_cb(0, ctx);
|
1669
|
+
if (!ok)
|
1670
|
+
goto err;
|
1671
|
+
} else {
|
1672
|
+
int rv;
|
1673
|
+
rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
|
1674
|
+
if (rv != X509_V_OK) {
|
1675
|
+
ctx->error = rv;
|
1676
|
+
ok = ctx->verify_cb(0, ctx);
|
1677
|
+
if (!ok)
|
1678
|
+
goto err;
|
1679
|
+
}
|
1680
|
+
/* Verify CRL signature */
|
1681
|
+
if (X509_CRL_verify(crl, ikey) <= 0) {
|
1682
|
+
ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
|
1683
|
+
ok = ctx->verify_cb(0, ctx);
|
1684
|
+
if (!ok)
|
1685
|
+
goto err;
|
1686
|
+
}
|
1687
|
+
}
|
1688
|
+
}
|
1689
|
+
|
1690
|
+
ok = 1;
|
1691
|
+
|
1692
|
+
err:
|
1693
|
+
EVP_PKEY_free(ikey);
|
1694
|
+
return ok;
|
1695
|
+
}
|
1696
|
+
|
1697
|
+
/* Check certificate against CRL */
|
1698
|
+
static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
|
1699
|
+
{
|
1700
|
+
int ok;
|
1701
|
+
X509_REVOKED *rev;
|
1702
|
+
/*
|
1703
|
+
* The rules changed for this... previously if a CRL contained unhandled
|
1704
|
+
* critical extensions it could still be used to indicate a certificate
|
1705
|
+
* was revoked. This has since been changed since critical extension can
|
1706
|
+
* change the meaning of CRL entries.
|
1707
|
+
*/
|
1708
|
+
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
|
1709
|
+
&& (crl->flags & EXFLAG_CRITICAL)) {
|
1710
|
+
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
|
1711
|
+
ok = ctx->verify_cb(0, ctx);
|
1712
|
+
if (!ok)
|
1713
|
+
return 0;
|
1714
|
+
}
|
1715
|
+
/*
|
1716
|
+
* Look for serial number of certificate in CRL If found make sure reason
|
1717
|
+
* is not removeFromCRL.
|
1718
|
+
*/
|
1719
|
+
if (X509_CRL_get0_by_cert(crl, &rev, x)) {
|
1720
|
+
if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
|
1721
|
+
return 2;
|
1722
|
+
ctx->error = X509_V_ERR_CERT_REVOKED;
|
1723
|
+
ok = ctx->verify_cb(0, ctx);
|
1724
|
+
if (!ok)
|
1725
|
+
return 0;
|
1726
|
+
}
|
1727
|
+
|
1728
|
+
return 1;
|
1729
|
+
}
|
1730
|
+
|
1731
|
+
static int check_policy(X509_STORE_CTX *ctx)
|
1732
|
+
{
|
1733
|
+
int ret;
|
1734
|
+
if (ctx->parent)
|
1735
|
+
return 1;
|
1736
|
+
ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
|
1737
|
+
ctx->param->policies, ctx->param->flags);
|
1738
|
+
if (ret == 0) {
|
1739
|
+
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
1740
|
+
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
1741
|
+
return 0;
|
1742
|
+
}
|
1743
|
+
/* Invalid or inconsistent extensions */
|
1744
|
+
if (ret == -1) {
|
1745
|
+
/*
|
1746
|
+
* Locate certificates with bad extensions and notify callback.
|
1747
|
+
*/
|
1748
|
+
X509 *x;
|
1749
|
+
size_t i;
|
1750
|
+
for (i = 1; i < sk_X509_num(ctx->chain); i++) {
|
1751
|
+
x = sk_X509_value(ctx->chain, i);
|
1752
|
+
if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
|
1753
|
+
continue;
|
1754
|
+
ctx->current_cert = x;
|
1755
|
+
ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
|
1756
|
+
if (!ctx->verify_cb(0, ctx))
|
1757
|
+
return 0;
|
1758
|
+
}
|
1759
|
+
return 1;
|
1760
|
+
}
|
1761
|
+
if (ret == -2) {
|
1762
|
+
ctx->current_cert = NULL;
|
1763
|
+
ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
|
1764
|
+
return ctx->verify_cb(0, ctx);
|
1765
|
+
}
|
1766
|
+
|
1767
|
+
if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
|
1768
|
+
ctx->current_cert = NULL;
|
1769
|
+
/*
|
1770
|
+
* Verification errors need to be "sticky", a callback may have allowed
|
1771
|
+
* an SSL handshake to continue despite an error, and we must then
|
1772
|
+
* remain in an error state. Therefore, we MUST NOT clear earlier
|
1773
|
+
* verification errors by setting the error to X509_V_OK.
|
1774
|
+
*/
|
1775
|
+
if (!ctx->verify_cb(2, ctx))
|
1776
|
+
return 0;
|
1777
|
+
}
|
1778
|
+
|
1779
|
+
return 1;
|
1780
|
+
}
|
1781
|
+
|
1782
|
+
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
|
1783
|
+
{
|
1784
|
+
time_t *ptime;
|
1785
|
+
int i;
|
1786
|
+
|
1787
|
+
if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
|
1788
|
+
ptime = &ctx->param->check_time;
|
1789
|
+
else
|
1790
|
+
ptime = NULL;
|
1791
|
+
|
1792
|
+
i = X509_cmp_time(X509_get_notBefore(x), ptime);
|
1793
|
+
if (i == 0) {
|
1794
|
+
ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
|
1795
|
+
ctx->current_cert = x;
|
1796
|
+
if (!ctx->verify_cb(0, ctx))
|
1797
|
+
return 0;
|
1798
|
+
}
|
1799
|
+
|
1800
|
+
if (i > 0) {
|
1801
|
+
ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
|
1802
|
+
ctx->current_cert = x;
|
1803
|
+
if (!ctx->verify_cb(0, ctx))
|
1804
|
+
return 0;
|
1805
|
+
}
|
1806
|
+
|
1807
|
+
i = X509_cmp_time(X509_get_notAfter(x), ptime);
|
1808
|
+
if (i == 0) {
|
1809
|
+
ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
|
1810
|
+
ctx->current_cert = x;
|
1811
|
+
if (!ctx->verify_cb(0, ctx))
|
1812
|
+
return 0;
|
1813
|
+
}
|
1814
|
+
|
1815
|
+
if (i < 0) {
|
1816
|
+
ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
|
1817
|
+
ctx->current_cert = x;
|
1818
|
+
if (!ctx->verify_cb(0, ctx))
|
1819
|
+
return 0;
|
1820
|
+
}
|
1821
|
+
|
1822
|
+
return 1;
|
1823
|
+
}
|
1824
|
+
|
1825
|
+
static int internal_verify(X509_STORE_CTX *ctx)
|
1826
|
+
{
|
1827
|
+
int ok = 0, n;
|
1828
|
+
X509 *xs, *xi;
|
1829
|
+
EVP_PKEY *pkey = NULL;
|
1830
|
+
int (*cb) (int xok, X509_STORE_CTX *xctx);
|
1831
|
+
|
1832
|
+
cb = ctx->verify_cb;
|
1833
|
+
|
1834
|
+
n = sk_X509_num(ctx->chain);
|
1835
|
+
ctx->error_depth = n - 1;
|
1836
|
+
n--;
|
1837
|
+
xi = sk_X509_value(ctx->chain, n);
|
1838
|
+
|
1839
|
+
if (ctx->check_issued(ctx, xi, xi))
|
1840
|
+
xs = xi;
|
1841
|
+
else {
|
1842
|
+
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
|
1843
|
+
xs = xi;
|
1844
|
+
goto check_cert;
|
1845
|
+
}
|
1846
|
+
if (n <= 0) {
|
1847
|
+
ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
|
1848
|
+
ctx->current_cert = xi;
|
1849
|
+
ok = cb(0, ctx);
|
1850
|
+
goto end;
|
1851
|
+
} else {
|
1852
|
+
n--;
|
1853
|
+
ctx->error_depth = n;
|
1854
|
+
xs = sk_X509_value(ctx->chain, n);
|
1855
|
+
}
|
1856
|
+
}
|
1857
|
+
|
1858
|
+
/* ctx->error=0; not needed */
|
1859
|
+
while (n >= 0) {
|
1860
|
+
ctx->error_depth = n;
|
1861
|
+
|
1862
|
+
/*
|
1863
|
+
* Skip signature check for self signed certificates unless
|
1864
|
+
* explicitly asked for. It doesn't add any security and just wastes
|
1865
|
+
* time.
|
1866
|
+
*/
|
1867
|
+
if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
|
1868
|
+
if ((pkey = X509_get_pubkey(xi)) == NULL) {
|
1869
|
+
ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
|
1870
|
+
ctx->current_cert = xi;
|
1871
|
+
ok = (*cb) (0, ctx);
|
1872
|
+
if (!ok)
|
1873
|
+
goto end;
|
1874
|
+
} else if (X509_verify(xs, pkey) <= 0) {
|
1875
|
+
ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
|
1876
|
+
ctx->current_cert = xs;
|
1877
|
+
ok = (*cb) (0, ctx);
|
1878
|
+
if (!ok) {
|
1879
|
+
EVP_PKEY_free(pkey);
|
1880
|
+
goto end;
|
1881
|
+
}
|
1882
|
+
}
|
1883
|
+
EVP_PKEY_free(pkey);
|
1884
|
+
pkey = NULL;
|
1885
|
+
}
|
1886
|
+
|
1887
|
+
check_cert:
|
1888
|
+
ok = check_cert_time(ctx, xs);
|
1889
|
+
if (!ok)
|
1890
|
+
goto end;
|
1891
|
+
|
1892
|
+
/* The last error (if any) is still in the error value */
|
1893
|
+
ctx->current_issuer = xi;
|
1894
|
+
ctx->current_cert = xs;
|
1895
|
+
ok = (*cb) (1, ctx);
|
1896
|
+
if (!ok)
|
1897
|
+
goto end;
|
1898
|
+
|
1899
|
+
n--;
|
1900
|
+
if (n >= 0) {
|
1901
|
+
xi = xs;
|
1902
|
+
xs = sk_X509_value(ctx->chain, n);
|
1903
|
+
}
|
1904
|
+
}
|
1905
|
+
ok = 1;
|
1906
|
+
end:
|
1907
|
+
return ok;
|
1908
|
+
}
|
1909
|
+
|
1910
|
+
int X509_cmp_current_time(const ASN1_TIME *ctm)
|
1911
|
+
{
|
1912
|
+
return X509_cmp_time(ctm, NULL);
|
1913
|
+
}
|
1914
|
+
|
1915
|
+
int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
|
1916
|
+
{
|
1917
|
+
static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1;
|
1918
|
+
static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1;
|
1919
|
+
ASN1_TIME *asn1_cmp_time = NULL;
|
1920
|
+
int i, day, sec, ret = 0;
|
1921
|
+
|
1922
|
+
/*
|
1923
|
+
* Note that ASN.1 allows much more slack in the time format than RFC5280.
|
1924
|
+
* In RFC5280, the representation is fixed:
|
1925
|
+
* UTCTime: YYMMDDHHMMSSZ
|
1926
|
+
* GeneralizedTime: YYYYMMDDHHMMSSZ
|
1927
|
+
*
|
1928
|
+
* We do NOT currently enforce the following RFC 5280 requirement:
|
1929
|
+
* "CAs conforming to this profile MUST always encode certificate
|
1930
|
+
* validity dates through the year 2049 as UTCTime; certificate validity
|
1931
|
+
* dates in 2050 or later MUST be encoded as GeneralizedTime."
|
1932
|
+
*/
|
1933
|
+
switch (ctm->type) {
|
1934
|
+
case V_ASN1_UTCTIME:
|
1935
|
+
if (ctm->length != (int)(utctime_length))
|
1936
|
+
return 0;
|
1937
|
+
break;
|
1938
|
+
case V_ASN1_GENERALIZEDTIME:
|
1939
|
+
if (ctm->length != (int)(generalizedtime_length))
|
1940
|
+
return 0;
|
1941
|
+
break;
|
1942
|
+
default:
|
1943
|
+
return 0;
|
1944
|
+
}
|
1945
|
+
|
1946
|
+
/**
|
1947
|
+
* Verify the format: the ASN.1 functions we use below allow a more
|
1948
|
+
* flexible format than what's mandated by RFC 5280.
|
1949
|
+
* Digit and date ranges will be verified in the conversion methods.
|
1950
|
+
*/
|
1951
|
+
for (i = 0; i < ctm->length - 1; i++) {
|
1952
|
+
if (!isdigit(ctm->data[i]))
|
1953
|
+
return 0;
|
1954
|
+
}
|
1955
|
+
if (ctm->data[ctm->length - 1] != 'Z')
|
1956
|
+
return 0;
|
1957
|
+
|
1958
|
+
/*
|
1959
|
+
* There is ASN1_UTCTIME_cmp_time_t but no
|
1960
|
+
* ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t,
|
1961
|
+
* so we go through ASN.1
|
1962
|
+
*/
|
1963
|
+
asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time);
|
1964
|
+
if (asn1_cmp_time == NULL)
|
1965
|
+
goto err;
|
1966
|
+
if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time))
|
1967
|
+
goto err;
|
1968
|
+
|
1969
|
+
/*
|
1970
|
+
* X509_cmp_time comparison is <=.
|
1971
|
+
* The return value 0 is reserved for errors.
|
1972
|
+
*/
|
1973
|
+
ret = (day >= 0 && sec >= 0) ? -1 : 1;
|
1974
|
+
|
1975
|
+
err:
|
1976
|
+
ASN1_TIME_free(asn1_cmp_time);
|
1977
|
+
return ret;
|
1978
|
+
}
|
1979
|
+
|
1980
|
+
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
|
1981
|
+
{
|
1982
|
+
return X509_time_adj(s, adj, NULL);
|
1983
|
+
}
|
1984
|
+
|
1985
|
+
ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
|
1986
|
+
{
|
1987
|
+
return X509_time_adj_ex(s, 0, offset_sec, in_tm);
|
1988
|
+
}
|
1989
|
+
|
1990
|
+
ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
|
1991
|
+
int offset_day, long offset_sec, time_t *in_tm)
|
1992
|
+
{
|
1993
|
+
time_t t = 0;
|
1994
|
+
|
1995
|
+
if (in_tm)
|
1996
|
+
t = *in_tm;
|
1997
|
+
else
|
1998
|
+
time(&t);
|
1999
|
+
|
2000
|
+
if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
|
2001
|
+
if (s->type == V_ASN1_UTCTIME)
|
2002
|
+
return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec);
|
2003
|
+
if (s->type == V_ASN1_GENERALIZEDTIME)
|
2004
|
+
return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec);
|
2005
|
+
}
|
2006
|
+
return ASN1_TIME_adj(s, t, offset_day, offset_sec);
|
2007
|
+
}
|
2008
|
+
|
2009
|
+
/* Make a delta CRL as the diff between two full CRLs */
|
2010
|
+
|
2011
|
+
X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
|
2012
|
+
EVP_PKEY *skey, const EVP_MD *md, unsigned int flags)
|
2013
|
+
{
|
2014
|
+
X509_CRL *crl = NULL;
|
2015
|
+
int i;
|
2016
|
+
size_t j;
|
2017
|
+
STACK_OF(X509_REVOKED) *revs = NULL;
|
2018
|
+
/* CRLs can't be delta already */
|
2019
|
+
if (base->base_crl_number || newer->base_crl_number) {
|
2020
|
+
OPENSSL_PUT_ERROR(X509, X509_R_CRL_ALREADY_DELTA);
|
2021
|
+
return NULL;
|
2022
|
+
}
|
2023
|
+
/* Base and new CRL must have a CRL number */
|
2024
|
+
if (!base->crl_number || !newer->crl_number) {
|
2025
|
+
OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_NUMBER);
|
2026
|
+
return NULL;
|
2027
|
+
}
|
2028
|
+
/* Issuer names must match */
|
2029
|
+
if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {
|
2030
|
+
OPENSSL_PUT_ERROR(X509, X509_R_ISSUER_MISMATCH);
|
2031
|
+
return NULL;
|
2032
|
+
}
|
2033
|
+
/* AKID and IDP must match */
|
2034
|
+
if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {
|
2035
|
+
OPENSSL_PUT_ERROR(X509, X509_R_AKID_MISMATCH);
|
2036
|
+
return NULL;
|
2037
|
+
}
|
2038
|
+
if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) {
|
2039
|
+
OPENSSL_PUT_ERROR(X509, X509_R_IDP_MISMATCH);
|
2040
|
+
return NULL;
|
2041
|
+
}
|
2042
|
+
/* Newer CRL number must exceed full CRL number */
|
2043
|
+
if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {
|
2044
|
+
OPENSSL_PUT_ERROR(X509, X509_R_NEWER_CRL_NOT_NEWER);
|
2045
|
+
return NULL;
|
2046
|
+
}
|
2047
|
+
/* CRLs must verify */
|
2048
|
+
if (skey && (X509_CRL_verify(base, skey) <= 0 ||
|
2049
|
+
X509_CRL_verify(newer, skey) <= 0)) {
|
2050
|
+
OPENSSL_PUT_ERROR(X509, X509_R_CRL_VERIFY_FAILURE);
|
2051
|
+
return NULL;
|
2052
|
+
}
|
2053
|
+
/* Create new CRL */
|
2054
|
+
crl = X509_CRL_new();
|
2055
|
+
if (!crl || !X509_CRL_set_version(crl, 1))
|
2056
|
+
goto memerr;
|
2057
|
+
/* Set issuer name */
|
2058
|
+
if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
|
2059
|
+
goto memerr;
|
2060
|
+
|
2061
|
+
if (!X509_CRL_set_lastUpdate(crl, X509_CRL_get_lastUpdate(newer)))
|
2062
|
+
goto memerr;
|
2063
|
+
if (!X509_CRL_set_nextUpdate(crl, X509_CRL_get_nextUpdate(newer)))
|
2064
|
+
goto memerr;
|
2065
|
+
|
2066
|
+
/* Set base CRL number: must be critical */
|
2067
|
+
|
2068
|
+
if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0))
|
2069
|
+
goto memerr;
|
2070
|
+
|
2071
|
+
/*
|
2072
|
+
* Copy extensions across from newest CRL to delta: this will set CRL
|
2073
|
+
* number to correct value too.
|
2074
|
+
*/
|
2075
|
+
|
2076
|
+
for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
|
2077
|
+
X509_EXTENSION *ext;
|
2078
|
+
ext = X509_CRL_get_ext(newer, i);
|
2079
|
+
if (!X509_CRL_add_ext(crl, ext, -1))
|
2080
|
+
goto memerr;
|
2081
|
+
}
|
2082
|
+
|
2083
|
+
/* Go through revoked entries, copying as needed */
|
2084
|
+
|
2085
|
+
revs = X509_CRL_get_REVOKED(newer);
|
2086
|
+
|
2087
|
+
for (j = 0; j < sk_X509_REVOKED_num(revs); j++) {
|
2088
|
+
X509_REVOKED *rvn, *rvtmp;
|
2089
|
+
rvn = sk_X509_REVOKED_value(revs, j);
|
2090
|
+
/*
|
2091
|
+
* Add only if not also in base. TODO: need something cleverer here
|
2092
|
+
* for some more complex CRLs covering multiple CAs.
|
2093
|
+
*/
|
2094
|
+
if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
|
2095
|
+
rvtmp = X509_REVOKED_dup(rvn);
|
2096
|
+
if (!rvtmp)
|
2097
|
+
goto memerr;
|
2098
|
+
if (!X509_CRL_add0_revoked(crl, rvtmp)) {
|
2099
|
+
X509_REVOKED_free(rvtmp);
|
2100
|
+
goto memerr;
|
2101
|
+
}
|
2102
|
+
}
|
2103
|
+
}
|
2104
|
+
/* TODO: optionally prune deleted entries */
|
2105
|
+
|
2106
|
+
if (skey && md && !X509_CRL_sign(crl, skey, md))
|
2107
|
+
goto memerr;
|
2108
|
+
|
2109
|
+
return crl;
|
2110
|
+
|
2111
|
+
memerr:
|
2112
|
+
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
2113
|
+
if (crl)
|
2114
|
+
X509_CRL_free(crl);
|
2115
|
+
return NULL;
|
2116
|
+
}
|
2117
|
+
|
2118
|
+
int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
|
2119
|
+
CRYPTO_EX_unused * unused,
|
2120
|
+
CRYPTO_EX_dup *dup_unused,
|
2121
|
+
CRYPTO_EX_free *free_func)
|
2122
|
+
{
|
2123
|
+
/*
|
2124
|
+
* This function is (usually) called only once, by
|
2125
|
+
* SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c).
|
2126
|
+
*/
|
2127
|
+
int index;
|
2128
|
+
if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
|
2129
|
+
free_func)) {
|
2130
|
+
return -1;
|
2131
|
+
}
|
2132
|
+
return index;
|
2133
|
+
}
|
2134
|
+
|
2135
|
+
int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
|
2136
|
+
{
|
2137
|
+
return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
|
2138
|
+
}
|
2139
|
+
|
2140
|
+
void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
|
2141
|
+
{
|
2142
|
+
return CRYPTO_get_ex_data(&ctx->ex_data, idx);
|
2143
|
+
}
|
2144
|
+
|
2145
|
+
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
|
2146
|
+
{
|
2147
|
+
return ctx->error;
|
2148
|
+
}
|
2149
|
+
|
2150
|
+
void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
|
2151
|
+
{
|
2152
|
+
ctx->error = err;
|
2153
|
+
}
|
2154
|
+
|
2155
|
+
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
|
2156
|
+
{
|
2157
|
+
return ctx->error_depth;
|
2158
|
+
}
|
2159
|
+
|
2160
|
+
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
|
2161
|
+
{
|
2162
|
+
return ctx->current_cert;
|
2163
|
+
}
|
2164
|
+
|
2165
|
+
STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
|
2166
|
+
{
|
2167
|
+
return ctx->chain;
|
2168
|
+
}
|
2169
|
+
|
2170
|
+
STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
|
2171
|
+
{
|
2172
|
+
return ctx->chain;
|
2173
|
+
}
|
2174
|
+
|
2175
|
+
STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
|
2176
|
+
{
|
2177
|
+
if (!ctx->chain)
|
2178
|
+
return NULL;
|
2179
|
+
return X509_chain_up_ref(ctx->chain);
|
2180
|
+
}
|
2181
|
+
|
2182
|
+
X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
|
2183
|
+
{
|
2184
|
+
return ctx->current_issuer;
|
2185
|
+
}
|
2186
|
+
|
2187
|
+
X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
|
2188
|
+
{
|
2189
|
+
return ctx->current_crl;
|
2190
|
+
}
|
2191
|
+
|
2192
|
+
X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
|
2193
|
+
{
|
2194
|
+
return ctx->parent;
|
2195
|
+
}
|
2196
|
+
|
2197
|
+
void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
|
2198
|
+
{
|
2199
|
+
ctx->cert = x;
|
2200
|
+
}
|
2201
|
+
|
2202
|
+
void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
|
2203
|
+
{
|
2204
|
+
ctx->untrusted = sk;
|
2205
|
+
}
|
2206
|
+
|
2207
|
+
STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
|
2208
|
+
{
|
2209
|
+
return ctx->untrusted;
|
2210
|
+
}
|
2211
|
+
|
2212
|
+
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
|
2213
|
+
{
|
2214
|
+
ctx->crls = sk;
|
2215
|
+
}
|
2216
|
+
|
2217
|
+
int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
|
2218
|
+
{
|
2219
|
+
return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
|
2220
|
+
}
|
2221
|
+
|
2222
|
+
int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
|
2223
|
+
{
|
2224
|
+
return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
|
2225
|
+
}
|
2226
|
+
|
2227
|
+
/*
|
2228
|
+
* This function is used to set the X509_STORE_CTX purpose and trust values.
|
2229
|
+
* This is intended to be used when another structure has its own trust and
|
2230
|
+
* purpose values which (if set) will be inherited by the ctx. If they aren't
|
2231
|
+
* set then we will usually have a default purpose in mind which should then
|
2232
|
+
* be used to set the trust value. An example of this is SSL use: an SSL
|
2233
|
+
* structure will have its own purpose and trust settings which the
|
2234
|
+
* application can set: if they aren't set then we use the default of SSL
|
2235
|
+
* client/server.
|
2236
|
+
*/
|
2237
|
+
|
2238
|
+
int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
|
2239
|
+
int purpose, int trust)
|
2240
|
+
{
|
2241
|
+
int idx;
|
2242
|
+
/* If purpose not set use default */
|
2243
|
+
if (!purpose)
|
2244
|
+
purpose = def_purpose;
|
2245
|
+
/* If we have a purpose then check it is valid */
|
2246
|
+
if (purpose) {
|
2247
|
+
X509_PURPOSE *ptmp;
|
2248
|
+
idx = X509_PURPOSE_get_by_id(purpose);
|
2249
|
+
if (idx == -1) {
|
2250
|
+
OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
|
2251
|
+
return 0;
|
2252
|
+
}
|
2253
|
+
ptmp = X509_PURPOSE_get0(idx);
|
2254
|
+
if (ptmp->trust == X509_TRUST_DEFAULT) {
|
2255
|
+
idx = X509_PURPOSE_get_by_id(def_purpose);
|
2256
|
+
if (idx == -1) {
|
2257
|
+
OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
|
2258
|
+
return 0;
|
2259
|
+
}
|
2260
|
+
ptmp = X509_PURPOSE_get0(idx);
|
2261
|
+
}
|
2262
|
+
/* If trust not set then get from purpose default */
|
2263
|
+
if (!trust)
|
2264
|
+
trust = ptmp->trust;
|
2265
|
+
}
|
2266
|
+
if (trust) {
|
2267
|
+
idx = X509_TRUST_get_by_id(trust);
|
2268
|
+
if (idx == -1) {
|
2269
|
+
OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID);
|
2270
|
+
return 0;
|
2271
|
+
}
|
2272
|
+
}
|
2273
|
+
|
2274
|
+
if (purpose && !ctx->param->purpose)
|
2275
|
+
ctx->param->purpose = purpose;
|
2276
|
+
if (trust && !ctx->param->trust)
|
2277
|
+
ctx->param->trust = trust;
|
2278
|
+
return 1;
|
2279
|
+
}
|
2280
|
+
|
2281
|
+
X509_STORE_CTX *X509_STORE_CTX_new(void)
|
2282
|
+
{
|
2283
|
+
X509_STORE_CTX *ctx;
|
2284
|
+
ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
|
2285
|
+
if (!ctx) {
|
2286
|
+
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
2287
|
+
return NULL;
|
2288
|
+
}
|
2289
|
+
X509_STORE_CTX_zero(ctx);
|
2290
|
+
return ctx;
|
2291
|
+
}
|
2292
|
+
|
2293
|
+
void X509_STORE_CTX_zero(X509_STORE_CTX *ctx)
|
2294
|
+
{
|
2295
|
+
OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
|
2296
|
+
}
|
2297
|
+
|
2298
|
+
void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
|
2299
|
+
{
|
2300
|
+
if (ctx == NULL) {
|
2301
|
+
return;
|
2302
|
+
}
|
2303
|
+
X509_STORE_CTX_cleanup(ctx);
|
2304
|
+
OPENSSL_free(ctx);
|
2305
|
+
}
|
2306
|
+
|
2307
|
+
int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
|
2308
|
+
STACK_OF(X509) *chain)
|
2309
|
+
{
|
2310
|
+
int ret = 1;
|
2311
|
+
|
2312
|
+
X509_STORE_CTX_zero(ctx);
|
2313
|
+
ctx->ctx = store;
|
2314
|
+
ctx->cert = x509;
|
2315
|
+
ctx->untrusted = chain;
|
2316
|
+
|
2317
|
+
CRYPTO_new_ex_data(&ctx->ex_data);
|
2318
|
+
|
2319
|
+
ctx->param = X509_VERIFY_PARAM_new();
|
2320
|
+
if (!ctx->param)
|
2321
|
+
goto err;
|
2322
|
+
|
2323
|
+
/*
|
2324
|
+
* Inherit callbacks and flags from X509_STORE if not set use defaults.
|
2325
|
+
*/
|
2326
|
+
|
2327
|
+
if (store)
|
2328
|
+
ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
|
2329
|
+
else
|
2330
|
+
ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE;
|
2331
|
+
|
2332
|
+
if (store) {
|
2333
|
+
ctx->verify_cb = store->verify_cb;
|
2334
|
+
ctx->cleanup = store->cleanup;
|
2335
|
+
} else
|
2336
|
+
ctx->cleanup = 0;
|
2337
|
+
|
2338
|
+
if (ret)
|
2339
|
+
ret = X509_VERIFY_PARAM_inherit(ctx->param,
|
2340
|
+
X509_VERIFY_PARAM_lookup("default"));
|
2341
|
+
|
2342
|
+
if (ret == 0)
|
2343
|
+
goto err;
|
2344
|
+
|
2345
|
+
if (store && store->check_issued)
|
2346
|
+
ctx->check_issued = store->check_issued;
|
2347
|
+
else
|
2348
|
+
ctx->check_issued = check_issued;
|
2349
|
+
|
2350
|
+
if (store && store->get_issuer)
|
2351
|
+
ctx->get_issuer = store->get_issuer;
|
2352
|
+
else
|
2353
|
+
ctx->get_issuer = X509_STORE_CTX_get1_issuer;
|
2354
|
+
|
2355
|
+
if (store && store->verify_cb)
|
2356
|
+
ctx->verify_cb = store->verify_cb;
|
2357
|
+
else
|
2358
|
+
ctx->verify_cb = null_callback;
|
2359
|
+
|
2360
|
+
if (store && store->verify)
|
2361
|
+
ctx->verify = store->verify;
|
2362
|
+
else
|
2363
|
+
ctx->verify = internal_verify;
|
2364
|
+
|
2365
|
+
if (store && store->check_revocation)
|
2366
|
+
ctx->check_revocation = store->check_revocation;
|
2367
|
+
else
|
2368
|
+
ctx->check_revocation = check_revocation;
|
2369
|
+
|
2370
|
+
if (store && store->get_crl)
|
2371
|
+
ctx->get_crl = store->get_crl;
|
2372
|
+
else
|
2373
|
+
ctx->get_crl = NULL;
|
2374
|
+
|
2375
|
+
if (store && store->check_crl)
|
2376
|
+
ctx->check_crl = store->check_crl;
|
2377
|
+
else
|
2378
|
+
ctx->check_crl = check_crl;
|
2379
|
+
|
2380
|
+
if (store && store->cert_crl)
|
2381
|
+
ctx->cert_crl = store->cert_crl;
|
2382
|
+
else
|
2383
|
+
ctx->cert_crl = cert_crl;
|
2384
|
+
|
2385
|
+
if (store && store->lookup_certs)
|
2386
|
+
ctx->lookup_certs = store->lookup_certs;
|
2387
|
+
else
|
2388
|
+
ctx->lookup_certs = X509_STORE_get1_certs;
|
2389
|
+
|
2390
|
+
if (store && store->lookup_crls)
|
2391
|
+
ctx->lookup_crls = store->lookup_crls;
|
2392
|
+
else
|
2393
|
+
ctx->lookup_crls = X509_STORE_get1_crls;
|
2394
|
+
|
2395
|
+
ctx->check_policy = check_policy;
|
2396
|
+
|
2397
|
+
return 1;
|
2398
|
+
|
2399
|
+
err:
|
2400
|
+
CRYPTO_free_ex_data(&g_ex_data_class, ctx, &ctx->ex_data);
|
2401
|
+
if (ctx->param != NULL) {
|
2402
|
+
X509_VERIFY_PARAM_free(ctx->param);
|
2403
|
+
}
|
2404
|
+
|
2405
|
+
OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
|
2406
|
+
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
2407
|
+
return 0;
|
2408
|
+
}
|
2409
|
+
|
2410
|
+
/*
|
2411
|
+
* Set alternative lookup method: just a STACK of trusted certificates. This
|
2412
|
+
* avoids X509_STORE nastiness where it isn't needed.
|
2413
|
+
*/
|
2414
|
+
|
2415
|
+
void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
|
2416
|
+
{
|
2417
|
+
ctx->other_ctx = sk;
|
2418
|
+
ctx->get_issuer = get_issuer_sk;
|
2419
|
+
}
|
2420
|
+
|
2421
|
+
void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
|
2422
|
+
{
|
2423
|
+
/* We need to be idempotent because, unfortunately, |X509_STORE_CTX_free|
|
2424
|
+
* also calls this function. */
|
2425
|
+
if (ctx->cleanup != NULL) {
|
2426
|
+
ctx->cleanup(ctx);
|
2427
|
+
ctx->cleanup = NULL;
|
2428
|
+
}
|
2429
|
+
if (ctx->param != NULL) {
|
2430
|
+
if (ctx->parent == NULL)
|
2431
|
+
X509_VERIFY_PARAM_free(ctx->param);
|
2432
|
+
ctx->param = NULL;
|
2433
|
+
}
|
2434
|
+
if (ctx->tree != NULL) {
|
2435
|
+
X509_policy_tree_free(ctx->tree);
|
2436
|
+
ctx->tree = NULL;
|
2437
|
+
}
|
2438
|
+
if (ctx->chain != NULL) {
|
2439
|
+
sk_X509_pop_free(ctx->chain, X509_free);
|
2440
|
+
ctx->chain = NULL;
|
2441
|
+
}
|
2442
|
+
CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data));
|
2443
|
+
OPENSSL_memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
|
2444
|
+
}
|
2445
|
+
|
2446
|
+
void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
|
2447
|
+
{
|
2448
|
+
X509_VERIFY_PARAM_set_depth(ctx->param, depth);
|
2449
|
+
}
|
2450
|
+
|
2451
|
+
void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
|
2452
|
+
{
|
2453
|
+
X509_VERIFY_PARAM_set_flags(ctx->param, flags);
|
2454
|
+
}
|
2455
|
+
|
2456
|
+
void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
|
2457
|
+
time_t t)
|
2458
|
+
{
|
2459
|
+
X509_VERIFY_PARAM_set_time(ctx->param, t);
|
2460
|
+
}
|
2461
|
+
|
2462
|
+
X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
|
2463
|
+
{
|
2464
|
+
return ctx->cert;
|
2465
|
+
}
|
2466
|
+
|
2467
|
+
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
|
2468
|
+
int (*verify_cb) (int, X509_STORE_CTX *))
|
2469
|
+
{
|
2470
|
+
ctx->verify_cb = verify_cb;
|
2471
|
+
}
|
2472
|
+
|
2473
|
+
X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
|
2474
|
+
{
|
2475
|
+
return ctx->tree;
|
2476
|
+
}
|
2477
|
+
|
2478
|
+
int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
|
2479
|
+
{
|
2480
|
+
return ctx->explicit_policy;
|
2481
|
+
}
|
2482
|
+
|
2483
|
+
int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
|
2484
|
+
{
|
2485
|
+
const X509_VERIFY_PARAM *param;
|
2486
|
+
param = X509_VERIFY_PARAM_lookup(name);
|
2487
|
+
if (!param)
|
2488
|
+
return 0;
|
2489
|
+
return X509_VERIFY_PARAM_inherit(ctx->param, param);
|
2490
|
+
}
|
2491
|
+
|
2492
|
+
X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
|
2493
|
+
{
|
2494
|
+
return ctx->param;
|
2495
|
+
}
|
2496
|
+
|
2497
|
+
void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
|
2498
|
+
{
|
2499
|
+
if (ctx->param)
|
2500
|
+
X509_VERIFY_PARAM_free(ctx->param);
|
2501
|
+
ctx->param = param;
|
2502
|
+
}
|
2503
|
+
|
2504
|
+
IMPLEMENT_ASN1_SET_OF(X509)
|
2505
|
+
|
2506
|
+
IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)
|