grpc 1.24.0 → 1.25.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of grpc might be problematic. Click here for more details.

Files changed (505) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +306 -243
  3. data/etc/roots.pem +0 -100
  4. data/include/grpc/grpc_security.h +44 -18
  5. data/include/grpc/impl/codegen/grpc_types.h +15 -0
  6. data/include/grpc/impl/codegen/port_platform.h +27 -11
  7. data/include/grpc/impl/codegen/sync_generic.h +1 -1
  8. data/src/boringssl/err_data.c +695 -650
  9. data/src/core/ext/filters/client_channel/client_channel.cc +257 -179
  10. data/src/core/ext/filters/client_channel/client_channel.h +24 -0
  11. data/src/core/ext/filters/client_channel/client_channel_channelz.cc +2 -3
  12. data/src/core/ext/filters/client_channel/client_channel_factory.h +1 -5
  13. data/src/core/ext/filters/client_channel/health/health_check_client.cc +18 -45
  14. data/src/core/ext/filters/client_channel/health/health_check_client.h +5 -13
  15. data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +1 -1
  16. data/src/core/ext/filters/client_channel/lb_policy.cc +2 -3
  17. data/src/core/ext/filters/client_channel/lb_policy.h +65 -55
  18. data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +14 -14
  19. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +113 -36
  20. data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +14 -19
  21. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +36 -13
  22. data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +3 -10
  23. data/src/core/ext/filters/client_channel/lb_policy/xds/xds.cc +814 -1589
  24. data/src/core/ext/filters/client_channel/lb_policy/xds/xds.h +2 -5
  25. data/src/core/ext/filters/client_channel/lb_policy_factory.h +3 -6
  26. data/src/core/ext/filters/client_channel/resolver.cc +1 -2
  27. data/src/core/ext/filters/client_channel/resolver.h +8 -16
  28. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +25 -8
  29. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +46 -12
  30. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +10 -17
  31. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +7 -8
  32. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +4 -4
  33. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +111 -44
  34. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +22 -14
  35. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +1 -1
  36. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +2 -2
  37. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +29 -10
  38. data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +27 -36
  39. data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +7 -10
  40. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +60 -16
  41. data/src/core/ext/filters/client_channel/resolver_factory.h +4 -8
  42. data/src/core/ext/filters/client_channel/resolver_registry.cc +1 -1
  43. data/src/core/ext/filters/client_channel/resolver_registry.h +1 -1
  44. data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +7 -10
  45. data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +7 -8
  46. data/src/core/ext/filters/client_channel/resolving_lb_policy.h +1 -1
  47. data/src/core/ext/filters/client_channel/retry_throttle.cc +5 -5
  48. data/src/core/ext/filters/client_channel/retry_throttle.h +1 -4
  49. data/src/core/ext/filters/client_channel/service_config.h +8 -8
  50. data/src/core/ext/filters/client_channel/subchannel.cc +53 -86
  51. data/src/core/ext/filters/client_channel/subchannel.h +7 -9
  52. data/src/core/ext/filters/client_channel/subchannel_interface.h +9 -13
  53. data/src/core/ext/filters/client_channel/subchannel_pool_interface.h +3 -6
  54. data/src/core/ext/filters/client_channel/{lb_policy/xds/xds_load_balancer_api.cc → xds/xds_api.cc} +169 -52
  55. data/src/core/ext/filters/client_channel/xds/xds_api.h +171 -0
  56. data/src/core/ext/filters/client_channel/xds/xds_bootstrap.cc +450 -0
  57. data/src/core/ext/filters/client_channel/xds/xds_bootstrap.h +99 -0
  58. data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_channel.h +8 -6
  59. data/src/core/ext/filters/client_channel/xds/xds_channel_args.h +26 -0
  60. data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_channel_secure.cc +28 -11
  61. data/src/core/ext/filters/client_channel/xds/xds_client.cc +1413 -0
  62. data/src/core/ext/filters/client_channel/xds/xds_client.h +221 -0
  63. data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_client_stats.cc +1 -5
  64. data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_client_stats.h +3 -4
  65. data/src/core/ext/filters/deadline/deadline_filter.cc +20 -20
  66. data/src/core/ext/filters/http/client/http_client_filter.cc +15 -15
  67. data/src/core/ext/filters/http/client_authority_filter.cc +14 -14
  68. data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +12 -12
  69. data/src/core/ext/filters/max_age/max_age_filter.cc +59 -50
  70. data/src/core/ext/filters/message_size/message_size_filter.cc +18 -18
  71. data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +15 -14
  72. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +233 -175
  73. data/src/core/ext/transport/chttp2/transport/flow_control.h +21 -24
  74. data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +253 -163
  75. data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +24 -12
  76. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +2 -3
  77. data/src/core/ext/transport/chttp2/transport/internal.h +13 -15
  78. data/src/core/ext/transport/chttp2/transport/writing.cc +3 -0
  79. data/src/core/ext/transport/inproc/inproc_transport.cc +20 -13
  80. data/src/core/lib/channel/channel_args.cc +16 -0
  81. data/src/core/lib/channel/channel_args.h +22 -0
  82. data/src/core/lib/channel/channelz.cc +5 -6
  83. data/src/core/lib/channel/channelz.h +1 -1
  84. data/src/core/lib/channel/connected_channel.cc +20 -20
  85. data/src/core/lib/channel/handshaker.h +3 -4
  86. data/src/core/lib/channel/handshaker_factory.h +1 -3
  87. data/src/core/lib/debug/trace.h +3 -2
  88. data/src/core/lib/gprpp/arena.cc +3 -3
  89. data/src/core/lib/gprpp/arena.h +2 -3
  90. data/src/core/lib/gprpp/inlined_vector.h +9 -0
  91. data/src/core/lib/gprpp/map.h +3 -501
  92. data/src/core/lib/gprpp/memory.h +45 -41
  93. data/src/core/lib/gprpp/mpscq.cc +108 -0
  94. data/src/core/lib/gprpp/mpscq.h +98 -0
  95. data/src/core/lib/gprpp/orphanable.h +6 -11
  96. data/src/core/lib/gprpp/ref_counted.h +25 -19
  97. data/src/core/lib/gprpp/set.h +33 -0
  98. data/src/core/lib/gprpp/thd.h +2 -4
  99. data/src/core/lib/http/httpcli.cc +1 -1
  100. data/src/core/lib/http/httpcli_security_connector.cc +15 -11
  101. data/src/core/lib/http/parser.cc +1 -1
  102. data/src/core/lib/iomgr/buffer_list.cc +4 -5
  103. data/src/core/lib/iomgr/buffer_list.h +5 -6
  104. data/src/core/lib/iomgr/call_combiner.cc +4 -5
  105. data/src/core/lib/iomgr/call_combiner.h +2 -2
  106. data/src/core/lib/iomgr/cfstream_handle.h +3 -5
  107. data/src/core/lib/iomgr/closure.h +8 -3
  108. data/src/core/lib/iomgr/combiner.cc +45 -82
  109. data/src/core/lib/iomgr/combiner.h +32 -8
  110. data/src/core/lib/iomgr/endpoint_cfstream.cc +5 -3
  111. data/src/core/lib/iomgr/ev_epoll1_linux.cc +19 -15
  112. data/src/core/lib/iomgr/ev_poll_posix.cc +3 -1
  113. data/src/core/lib/iomgr/exec_ctx.h +4 -3
  114. data/src/core/lib/iomgr/executor.cc +4 -2
  115. data/src/core/lib/iomgr/executor.h +3 -0
  116. data/src/core/lib/iomgr/executor/mpmcqueue.h +3 -6
  117. data/src/core/lib/iomgr/executor/threadpool.cc +1 -2
  118. data/src/core/lib/iomgr/executor/threadpool.h +7 -11
  119. data/src/core/lib/iomgr/resource_quota.cc +55 -51
  120. data/src/core/lib/iomgr/resource_quota.h +13 -9
  121. data/src/core/lib/iomgr/socket_utils_common_posix.cc +13 -0
  122. data/src/core/lib/iomgr/socket_utils_posix.h +4 -0
  123. data/src/core/lib/iomgr/tcp_client_posix.cc +4 -11
  124. data/src/core/lib/iomgr/tcp_custom.cc +9 -7
  125. data/src/core/lib/iomgr/tcp_posix.cc +20 -16
  126. data/src/core/lib/iomgr/tcp_server.h +1 -4
  127. data/src/core/lib/iomgr/tcp_server_custom.cc +5 -5
  128. data/src/core/lib/iomgr/tcp_server_posix.cc +1 -1
  129. data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +2 -11
  130. data/src/core/lib/iomgr/timer_custom.cc +2 -2
  131. data/src/core/lib/iomgr/udp_server.cc +3 -2
  132. data/src/core/lib/iomgr/udp_server.h +6 -12
  133. data/src/core/lib/json/json.h +1 -1
  134. data/src/core/lib/json/json_string.cc +2 -2
  135. data/src/core/lib/profiling/basic_timers.cc +2 -2
  136. data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -2
  137. data/src/core/lib/security/credentials/alts/grpc_alts_credentials_server_options.cc +1 -1
  138. data/src/core/lib/security/credentials/credentials.h +4 -20
  139. data/src/core/lib/security/credentials/fake/fake_credentials.cc +4 -4
  140. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -3
  141. data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +64 -0
  142. data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +4 -4
  143. data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +9 -7
  144. data/src/core/lib/security/security_connector/load_system_roots_linux.cc +2 -0
  145. data/src/core/lib/security/security_connector/local/local_security_connector.cc +4 -4
  146. data/src/core/lib/security/security_connector/security_connector.cc +1 -0
  147. data/src/core/lib/security/security_connector/security_connector.h +19 -17
  148. data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +8 -5
  149. data/src/core/lib/security/security_connector/ssl_utils.cc +2 -2
  150. data/src/core/lib/security/security_connector/ssl_utils.h +1 -1
  151. data/src/core/lib/security/security_connector/tls/spiffe_security_connector.cc +14 -6
  152. data/src/core/lib/security/security_connector/tls/spiffe_security_connector.h +4 -2
  153. data/src/core/lib/security/transport/client_auth_filter.cc +17 -17
  154. data/src/core/lib/security/transport/security_handshaker.cc +29 -13
  155. data/src/core/lib/security/transport/security_handshaker.h +4 -2
  156. data/src/core/lib/security/transport/server_auth_filter.cc +14 -14
  157. data/src/core/lib/slice/slice.cc +2 -10
  158. data/src/core/lib/slice/slice_hash_table.h +4 -6
  159. data/src/core/lib/slice/slice_intern.cc +42 -39
  160. data/src/core/lib/slice/slice_internal.h +3 -3
  161. data/src/core/lib/slice/slice_utils.h +21 -4
  162. data/src/core/lib/slice/slice_weak_hash_table.h +4 -6
  163. data/src/core/lib/surface/call.cc +3 -3
  164. data/src/core/lib/surface/channel.cc +7 -0
  165. data/src/core/lib/surface/completion_queue.cc +12 -11
  166. data/src/core/lib/surface/completion_queue.h +4 -2
  167. data/src/core/lib/surface/init.cc +1 -0
  168. data/src/core/lib/surface/lame_client.cc +33 -18
  169. data/src/core/lib/surface/server.cc +77 -76
  170. data/src/core/lib/surface/version.cc +1 -1
  171. data/src/core/lib/transport/byte_stream.h +3 -7
  172. data/src/core/lib/transport/connectivity_state.cc +112 -98
  173. data/src/core/lib/transport/connectivity_state.h +100 -50
  174. data/src/core/lib/transport/static_metadata.cc +276 -288
  175. data/src/core/lib/transport/static_metadata.h +73 -76
  176. data/src/core/lib/transport/status_conversion.cc +1 -1
  177. data/src/core/lib/transport/status_metadata.cc +1 -1
  178. data/src/core/lib/transport/transport.cc +2 -2
  179. data/src/core/lib/transport/transport.h +12 -4
  180. data/src/core/lib/transport/transport_op_string.cc +14 -11
  181. data/src/core/tsi/alts/frame_protector/alts_unseal_privacy_integrity_crypter.cc +1 -1
  182. data/src/core/tsi/alts/handshaker/alts_shared_resource.cc +1 -1
  183. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +5 -5
  184. data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +12 -2
  185. data/src/core/tsi/fake_transport_security.cc +7 -5
  186. data/src/core/tsi/grpc_shadow_boringssl.h +2918 -2627
  187. data/src/core/tsi/local_transport_security.cc +8 -6
  188. data/src/core/tsi/ssl/session_cache/ssl_session.h +1 -3
  189. data/src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc +1 -2
  190. data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +7 -5
  191. data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +4 -6
  192. data/src/core/tsi/ssl/session_cache/ssl_session_openssl.cc +1 -2
  193. data/src/core/tsi/ssl_transport_security.cc +12 -12
  194. data/src/core/tsi/ssl_transport_security.h +2 -2
  195. data/src/core/tsi/transport_security_grpc.cc +7 -0
  196. data/src/core/tsi/transport_security_grpc.h +6 -0
  197. data/src/ruby/ext/grpc/extconf.rb +1 -0
  198. data/src/ruby/ext/grpc/rb_call.c +1 -1
  199. data/src/ruby/ext/grpc/rb_channel.c +1 -1
  200. data/src/ruby/lib/grpc/generic/bidi_call.rb +1 -1
  201. data/src/ruby/lib/grpc/generic/rpc_server.rb +1 -1
  202. data/src/ruby/lib/grpc/version.rb +1 -1
  203. data/src/ruby/spec/google_rpc_status_utils_spec.rb +2 -2
  204. data/third_party/boringssl/crypto/asn1/a_bool.c +18 -5
  205. data/third_party/boringssl/crypto/asn1/a_d2i_fp.c +17 -221
  206. data/third_party/boringssl/crypto/asn1/a_dup.c +0 -24
  207. data/third_party/boringssl/crypto/asn1/a_enum.c +2 -2
  208. data/third_party/boringssl/crypto/asn1/a_i2d_fp.c +10 -72
  209. data/third_party/boringssl/crypto/asn1/a_int.c +12 -71
  210. data/third_party/boringssl/crypto/asn1/a_mbstr.c +110 -216
  211. data/third_party/boringssl/crypto/asn1/a_object.c +16 -5
  212. data/third_party/boringssl/crypto/asn1/a_strnid.c +1 -0
  213. data/third_party/boringssl/crypto/asn1/asn1_lib.c +5 -1
  214. data/third_party/boringssl/crypto/asn1/tasn_enc.c +3 -1
  215. data/third_party/boringssl/crypto/base64/base64.c +2 -2
  216. data/third_party/boringssl/crypto/bio/bio.c +73 -9
  217. data/third_party/boringssl/crypto/bio/connect.c +4 -0
  218. data/third_party/boringssl/crypto/bio/fd.c +4 -0
  219. data/third_party/boringssl/crypto/bio/file.c +5 -2
  220. data/third_party/boringssl/crypto/bio/socket.c +4 -0
  221. data/third_party/boringssl/crypto/bio/socket_helper.c +4 -0
  222. data/third_party/boringssl/crypto/bn_extra/convert.c +11 -7
  223. data/third_party/boringssl/crypto/bytestring/ber.c +8 -4
  224. data/third_party/boringssl/crypto/bytestring/cbb.c +19 -7
  225. data/third_party/boringssl/crypto/bytestring/cbs.c +28 -15
  226. data/third_party/boringssl/crypto/bytestring/internal.h +28 -7
  227. data/third_party/boringssl/crypto/bytestring/unicode.c +155 -0
  228. data/third_party/boringssl/crypto/chacha/chacha.c +36 -19
  229. data/third_party/boringssl/crypto/chacha/internal.h +45 -0
  230. data/third_party/boringssl/crypto/cipher_extra/cipher_extra.c +29 -0
  231. data/third_party/boringssl/crypto/cipher_extra/e_aesccm.c +269 -25
  232. data/third_party/boringssl/crypto/cipher_extra/e_aesctrhmac.c +16 -14
  233. data/third_party/boringssl/crypto/cipher_extra/e_aesgcmsiv.c +54 -38
  234. data/third_party/boringssl/crypto/cipher_extra/e_chacha20poly1305.c +133 -41
  235. data/third_party/boringssl/crypto/cipher_extra/e_tls.c +23 -15
  236. data/third_party/boringssl/crypto/cipher_extra/tls_cbc.c +24 -15
  237. data/third_party/boringssl/crypto/cmac/cmac.c +62 -25
  238. data/third_party/boringssl/crypto/conf/conf.c +7 -0
  239. data/third_party/boringssl/crypto/cpu-arm-linux.c +4 -148
  240. data/third_party/boringssl/crypto/cpu-arm-linux.h +201 -0
  241. data/third_party/boringssl/crypto/cpu-intel.c +45 -51
  242. data/third_party/boringssl/crypto/crypto.c +39 -22
  243. data/third_party/boringssl/crypto/curve25519/spake25519.c +1 -1
  244. data/third_party/boringssl/crypto/dsa/dsa.c +77 -53
  245. data/third_party/boringssl/crypto/ec_extra/ec_asn1.c +20 -8
  246. data/third_party/boringssl/crypto/ec_extra/ec_derive.c +96 -0
  247. data/third_party/boringssl/crypto/{ecdh/ecdh.c → ecdh_extra/ecdh_extra.c} +20 -58
  248. data/third_party/boringssl/crypto/ecdsa_extra/ecdsa_asn1.c +1 -9
  249. data/third_party/boringssl/crypto/engine/engine.c +2 -1
  250. data/third_party/boringssl/crypto/err/err.c +2 -0
  251. data/third_party/boringssl/crypto/err/internal.h +2 -2
  252. data/third_party/boringssl/crypto/evp/evp.c +89 -8
  253. data/third_party/boringssl/crypto/evp/evp_asn1.c +56 -5
  254. data/third_party/boringssl/crypto/evp/evp_ctx.c +52 -14
  255. data/third_party/boringssl/crypto/evp/internal.h +18 -1
  256. data/third_party/boringssl/crypto/evp/p_dsa_asn1.c +5 -0
  257. data/third_party/boringssl/crypto/evp/p_ec.c +51 -3
  258. data/third_party/boringssl/crypto/evp/p_ec_asn1.c +6 -7
  259. data/third_party/boringssl/crypto/evp/p_ed25519.c +36 -3
  260. data/third_party/boringssl/crypto/evp/p_ed25519_asn1.c +76 -45
  261. data/third_party/boringssl/crypto/evp/p_rsa.c +3 -1
  262. data/third_party/boringssl/crypto/evp/p_rsa_asn1.c +5 -0
  263. data/third_party/boringssl/crypto/evp/p_x25519.c +110 -0
  264. data/third_party/boringssl/crypto/evp/p_x25519_asn1.c +249 -0
  265. data/third_party/boringssl/crypto/evp/scrypt.c +6 -2
  266. data/third_party/boringssl/crypto/fipsmodule/aes/aes.c +34 -274
  267. data/third_party/boringssl/crypto/fipsmodule/aes/internal.h +161 -21
  268. data/third_party/boringssl/crypto/fipsmodule/aes/key_wrap.c +111 -13
  269. data/third_party/boringssl/crypto/fipsmodule/aes/mode_wrappers.c +17 -21
  270. data/third_party/boringssl/crypto/fipsmodule/bcm.c +119 -7
  271. data/third_party/boringssl/crypto/fipsmodule/bn/bn.c +19 -2
  272. data/third_party/boringssl/crypto/fipsmodule/bn/cmp.c +2 -2
  273. data/third_party/boringssl/crypto/fipsmodule/bn/ctx.c +93 -160
  274. data/third_party/boringssl/crypto/fipsmodule/bn/div.c +48 -57
  275. data/third_party/boringssl/crypto/fipsmodule/bn/div_extra.c +87 -0
  276. data/third_party/boringssl/crypto/fipsmodule/bn/exponentiation.c +143 -211
  277. data/third_party/boringssl/crypto/fipsmodule/bn/gcd.c +0 -305
  278. data/third_party/boringssl/crypto/fipsmodule/bn/gcd_extra.c +325 -0
  279. data/third_party/boringssl/crypto/fipsmodule/bn/internal.h +168 -50
  280. data/third_party/boringssl/crypto/fipsmodule/bn/montgomery.c +68 -92
  281. data/third_party/boringssl/crypto/fipsmodule/bn/montgomery_inv.c +7 -6
  282. data/third_party/boringssl/crypto/fipsmodule/bn/mul.c +11 -14
  283. data/third_party/boringssl/crypto/fipsmodule/bn/prime.c +358 -443
  284. data/third_party/boringssl/crypto/fipsmodule/bn/random.c +25 -35
  285. data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.c +20 -25
  286. data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.h +76 -5
  287. data/third_party/boringssl/crypto/fipsmodule/bn/shift.c +14 -14
  288. data/third_party/boringssl/crypto/fipsmodule/cipher/cipher.c +7 -2
  289. data/third_party/boringssl/crypto/fipsmodule/cipher/e_aes.c +383 -516
  290. data/third_party/boringssl/crypto/fipsmodule/cipher/e_des.c +4 -0
  291. data/third_party/boringssl/crypto/fipsmodule/cipher/internal.h +3 -4
  292. data/third_party/boringssl/crypto/fipsmodule/delocate.h +3 -2
  293. data/third_party/boringssl/crypto/fipsmodule/digest/digest.c +32 -17
  294. data/third_party/boringssl/crypto/fipsmodule/digest/md32_common.h +3 -3
  295. data/third_party/boringssl/crypto/fipsmodule/ec/ec.c +228 -122
  296. data/third_party/boringssl/crypto/fipsmodule/ec/ec_key.c +34 -8
  297. data/third_party/boringssl/crypto/fipsmodule/ec/ec_montgomery.c +311 -98
  298. data/third_party/boringssl/crypto/fipsmodule/ec/felem.c +82 -0
  299. data/third_party/boringssl/crypto/fipsmodule/ec/internal.h +263 -97
  300. data/third_party/boringssl/crypto/fipsmodule/ec/oct.c +22 -59
  301. data/third_party/boringssl/crypto/fipsmodule/ec/p224-64.c +317 -234
  302. data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64-table.h +9473 -9475
  303. data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.c +313 -109
  304. data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.h +36 -0
  305. data/third_party/boringssl/crypto/fipsmodule/ec/scalar.c +96 -0
  306. data/third_party/boringssl/crypto/fipsmodule/ec/simple.c +126 -792
  307. data/third_party/boringssl/crypto/fipsmodule/ec/simple_mul.c +84 -0
  308. data/third_party/boringssl/crypto/fipsmodule/ec/util.c +163 -12
  309. data/third_party/boringssl/crypto/fipsmodule/ec/wnaf.c +84 -211
  310. data/third_party/boringssl/crypto/fipsmodule/ecdh/ecdh.c +122 -0
  311. data/third_party/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c +60 -205
  312. data/third_party/boringssl/crypto/fipsmodule/fips_shared_support.c +32 -0
  313. data/third_party/boringssl/crypto/fipsmodule/is_fips.c +2 -0
  314. data/third_party/boringssl/crypto/fipsmodule/md4/md4.c +3 -1
  315. data/third_party/boringssl/crypto/fipsmodule/md5/internal.h +37 -0
  316. data/third_party/boringssl/crypto/fipsmodule/md5/md5.c +11 -8
  317. data/third_party/boringssl/crypto/fipsmodule/modes/cbc.c +35 -79
  318. data/third_party/boringssl/crypto/fipsmodule/modes/cfb.c +7 -39
  319. data/third_party/boringssl/crypto/fipsmodule/modes/ctr.c +7 -27
  320. data/third_party/boringssl/crypto/fipsmodule/modes/gcm.c +123 -309
  321. data/third_party/boringssl/crypto/fipsmodule/modes/internal.h +189 -126
  322. data/third_party/boringssl/crypto/fipsmodule/modes/ofb.c +3 -2
  323. data/third_party/boringssl/crypto/fipsmodule/rand/ctrdrbg.c +2 -2
  324. data/third_party/boringssl/crypto/fipsmodule/rand/internal.h +35 -0
  325. data/third_party/boringssl/crypto/fipsmodule/rand/rand.c +24 -19
  326. data/third_party/boringssl/crypto/fipsmodule/rand/urandom.c +256 -77
  327. data/third_party/boringssl/crypto/fipsmodule/rsa/padding.c +10 -7
  328. data/third_party/boringssl/crypto/fipsmodule/rsa/rsa.c +5 -1
  329. data/third_party/boringssl/crypto/fipsmodule/rsa/rsa_impl.c +131 -14
  330. data/third_party/boringssl/crypto/fipsmodule/self_check/self_check.c +83 -10
  331. data/third_party/boringssl/crypto/fipsmodule/sha/internal.h +53 -0
  332. data/third_party/boringssl/crypto/fipsmodule/sha/sha1.c +9 -13
  333. data/third_party/boringssl/crypto/fipsmodule/sha/sha256.c +18 -12
  334. data/third_party/boringssl/crypto/fipsmodule/sha/sha512.c +95 -168
  335. data/third_party/boringssl/crypto/hrss/hrss.c +2201 -0
  336. data/third_party/boringssl/crypto/hrss/internal.h +62 -0
  337. data/third_party/boringssl/crypto/internal.h +95 -20
  338. data/third_party/boringssl/crypto/lhash/lhash.c +45 -33
  339. data/third_party/boringssl/crypto/mem.c +39 -2
  340. data/third_party/boringssl/crypto/obj/obj.c +4 -4
  341. data/third_party/boringssl/crypto/obj/obj_dat.h +6181 -875
  342. data/third_party/boringssl/crypto/pem/pem_all.c +2 -3
  343. data/third_party/boringssl/crypto/pem/pem_info.c +144 -162
  344. data/third_party/boringssl/crypto/pem/pem_lib.c +53 -52
  345. data/third_party/boringssl/crypto/pem/pem_pkey.c +13 -21
  346. data/third_party/boringssl/crypto/pkcs7/pkcs7.c +15 -22
  347. data/third_party/boringssl/crypto/pkcs7/pkcs7_x509.c +168 -16
  348. data/third_party/boringssl/crypto/pkcs8/internal.h +11 -0
  349. data/third_party/boringssl/crypto/pkcs8/p5_pbev2.c +24 -15
  350. data/third_party/boringssl/crypto/pkcs8/pkcs8.c +42 -25
  351. data/third_party/boringssl/crypto/pkcs8/pkcs8_x509.c +559 -43
  352. data/third_party/boringssl/crypto/pool/internal.h +1 -1
  353. data/third_party/boringssl/crypto/pool/pool.c +21 -0
  354. data/third_party/boringssl/crypto/rand_extra/deterministic.c +8 -0
  355. data/third_party/boringssl/crypto/rand_extra/fuchsia.c +1 -14
  356. data/third_party/boringssl/crypto/refcount_lock.c +2 -2
  357. data/third_party/boringssl/crypto/rsa_extra/rsa_print.c +22 -0
  358. data/third_party/boringssl/crypto/siphash/siphash.c +80 -0
  359. data/third_party/boringssl/crypto/stack/stack.c +83 -32
  360. data/third_party/boringssl/crypto/thread_none.c +2 -2
  361. data/third_party/boringssl/crypto/thread_pthread.c +2 -2
  362. data/third_party/boringssl/crypto/thread_win.c +38 -19
  363. data/third_party/boringssl/crypto/x509/a_strex.c +22 -2
  364. data/third_party/boringssl/crypto/x509/asn1_gen.c +2 -1
  365. data/third_party/boringssl/crypto/x509/by_dir.c +7 -0
  366. data/third_party/boringssl/crypto/x509/by_file.c +12 -10
  367. data/third_party/boringssl/crypto/x509/t_crl.c +5 -8
  368. data/third_party/boringssl/crypto/x509/t_req.c +1 -3
  369. data/third_party/boringssl/crypto/x509/t_x509.c +5 -8
  370. data/third_party/boringssl/crypto/x509/x509_cmp.c +1 -1
  371. data/third_party/boringssl/crypto/x509/x509_def.c +1 -1
  372. data/third_party/boringssl/crypto/x509/x509_lu.c +114 -5
  373. data/third_party/boringssl/crypto/x509/x509_req.c +20 -0
  374. data/third_party/boringssl/crypto/x509/x509_set.c +5 -0
  375. data/third_party/boringssl/crypto/x509/x509_trs.c +1 -0
  376. data/third_party/boringssl/crypto/x509/x509_txt.c +4 -5
  377. data/third_party/boringssl/crypto/x509/x509_vfy.c +145 -138
  378. data/third_party/boringssl/crypto/x509/x509_vpm.c +2 -0
  379. data/third_party/boringssl/crypto/x509/x509cset.c +40 -0
  380. data/third_party/boringssl/crypto/x509/x509name.c +2 -3
  381. data/third_party/boringssl/crypto/x509/x_all.c +109 -210
  382. data/third_party/boringssl/crypto/x509/x_x509.c +6 -0
  383. data/third_party/boringssl/crypto/x509v3/ext_dat.h +1 -3
  384. data/third_party/boringssl/crypto/x509v3/internal.h +56 -0
  385. data/third_party/boringssl/crypto/x509v3/pcy_cache.c +2 -0
  386. data/third_party/boringssl/crypto/x509v3/pcy_node.c +1 -0
  387. data/third_party/boringssl/crypto/x509v3/pcy_tree.c +4 -2
  388. data/third_party/boringssl/crypto/x509v3/v3_akey.c +5 -2
  389. data/third_party/boringssl/crypto/x509v3/v3_alt.c +19 -13
  390. data/third_party/boringssl/crypto/x509v3/v3_conf.c +2 -1
  391. data/third_party/boringssl/crypto/x509v3/v3_cpols.c +3 -2
  392. data/third_party/boringssl/crypto/x509v3/v3_genn.c +1 -6
  393. data/third_party/boringssl/crypto/x509v3/v3_lib.c +1 -0
  394. data/third_party/boringssl/crypto/x509v3/v3_ocsp.c +68 -0
  395. data/third_party/boringssl/crypto/x509v3/v3_pci.c +2 -1
  396. data/third_party/boringssl/crypto/x509v3/v3_purp.c +47 -69
  397. data/third_party/boringssl/crypto/x509v3/v3_skey.c +5 -2
  398. data/third_party/boringssl/crypto/x509v3/v3_utl.c +69 -25
  399. data/third_party/boringssl/include/openssl/aead.h +45 -19
  400. data/third_party/boringssl/include/openssl/aes.h +32 -7
  401. data/third_party/boringssl/include/openssl/asn1.h +7 -77
  402. data/third_party/boringssl/include/openssl/base.h +120 -6
  403. data/third_party/boringssl/include/openssl/base64.h +4 -1
  404. data/third_party/boringssl/include/openssl/bio.h +112 -81
  405. data/third_party/boringssl/include/openssl/blowfish.h +3 -3
  406. data/third_party/boringssl/include/openssl/bn.h +55 -29
  407. data/third_party/boringssl/include/openssl/buf.h +2 -2
  408. data/third_party/boringssl/include/openssl/bytestring.h +54 -32
  409. data/third_party/boringssl/include/openssl/cast.h +2 -2
  410. data/third_party/boringssl/include/openssl/cipher.h +46 -16
  411. data/third_party/boringssl/include/openssl/cmac.h +6 -2
  412. data/third_party/boringssl/include/openssl/conf.h +3 -6
  413. data/third_party/boringssl/include/openssl/cpu.h +25 -9
  414. data/third_party/boringssl/include/openssl/crypto.h +32 -10
  415. data/third_party/boringssl/include/openssl/curve25519.h +4 -4
  416. data/third_party/boringssl/include/openssl/dh.h +3 -2
  417. data/third_party/boringssl/include/openssl/digest.h +21 -7
  418. data/third_party/boringssl/include/openssl/dsa.h +8 -2
  419. data/third_party/boringssl/include/openssl/e_os2.h +18 -0
  420. data/third_party/boringssl/include/openssl/ec.h +25 -21
  421. data/third_party/boringssl/include/openssl/ec_key.h +36 -8
  422. data/third_party/boringssl/include/openssl/ecdh.h +17 -0
  423. data/third_party/boringssl/include/openssl/ecdsa.h +3 -3
  424. data/third_party/boringssl/include/openssl/engine.h +4 -4
  425. data/third_party/boringssl/include/openssl/err.h +3 -0
  426. data/third_party/boringssl/include/openssl/evp.h +199 -42
  427. data/third_party/boringssl/include/openssl/hmac.h +4 -4
  428. data/third_party/boringssl/include/openssl/hrss.h +100 -0
  429. data/third_party/boringssl/include/openssl/lhash.h +131 -23
  430. data/third_party/boringssl/include/openssl/md4.h +6 -4
  431. data/third_party/boringssl/include/openssl/md5.h +6 -4
  432. data/third_party/boringssl/include/openssl/mem.h +6 -2
  433. data/third_party/boringssl/include/openssl/nid.h +3 -0
  434. data/third_party/boringssl/include/openssl/obj.h +3 -0
  435. data/third_party/boringssl/include/openssl/pem.h +102 -64
  436. data/third_party/boringssl/include/openssl/pkcs7.h +136 -3
  437. data/third_party/boringssl/include/openssl/pkcs8.h +42 -3
  438. data/third_party/boringssl/include/openssl/pool.h +13 -2
  439. data/third_party/boringssl/include/openssl/ripemd.h +5 -4
  440. data/third_party/boringssl/include/openssl/rsa.h +46 -15
  441. data/third_party/boringssl/include/openssl/sha.h +40 -28
  442. data/third_party/boringssl/include/openssl/siphash.h +37 -0
  443. data/third_party/boringssl/include/openssl/span.h +17 -9
  444. data/third_party/boringssl/include/openssl/ssl.h +766 -393
  445. data/third_party/boringssl/include/openssl/ssl3.h +4 -3
  446. data/third_party/boringssl/include/openssl/stack.h +134 -77
  447. data/third_party/boringssl/include/openssl/thread.h +1 -1
  448. data/third_party/boringssl/include/openssl/tls1.h +25 -9
  449. data/third_party/boringssl/include/openssl/type_check.h +14 -15
  450. data/third_party/boringssl/include/openssl/x509.h +28 -3
  451. data/third_party/boringssl/include/openssl/x509_vfy.h +98 -32
  452. data/third_party/boringssl/include/openssl/x509v3.h +17 -13
  453. data/third_party/boringssl/ssl/d1_both.cc +9 -18
  454. data/third_party/boringssl/ssl/d1_lib.cc +4 -3
  455. data/third_party/boringssl/ssl/d1_pkt.cc +4 -4
  456. data/third_party/boringssl/ssl/d1_srtp.cc +15 -15
  457. data/third_party/boringssl/ssl/dtls_method.cc +0 -1
  458. data/third_party/boringssl/ssl/dtls_record.cc +28 -28
  459. data/third_party/boringssl/ssl/handoff.cc +295 -91
  460. data/third_party/boringssl/ssl/handshake.cc +133 -72
  461. data/third_party/boringssl/ssl/handshake_client.cc +218 -189
  462. data/third_party/boringssl/ssl/handshake_server.cc +399 -272
  463. data/third_party/boringssl/ssl/internal.h +1413 -928
  464. data/third_party/boringssl/ssl/s3_both.cc +175 -36
  465. data/third_party/boringssl/ssl/s3_lib.cc +9 -13
  466. data/third_party/boringssl/ssl/s3_pkt.cc +63 -29
  467. data/third_party/boringssl/ssl/ssl_aead_ctx.cc +55 -35
  468. data/third_party/boringssl/ssl/ssl_asn1.cc +57 -73
  469. data/third_party/boringssl/ssl/ssl_buffer.cc +13 -12
  470. data/third_party/boringssl/ssl/ssl_cert.cc +313 -210
  471. data/third_party/boringssl/ssl/ssl_cipher.cc +159 -221
  472. data/third_party/boringssl/ssl/ssl_file.cc +2 -0
  473. data/third_party/boringssl/ssl/ssl_key_share.cc +164 -19
  474. data/third_party/boringssl/ssl/ssl_lib.cc +847 -555
  475. data/third_party/boringssl/ssl/ssl_privkey.cc +441 -111
  476. data/third_party/boringssl/ssl/ssl_session.cc +230 -178
  477. data/third_party/boringssl/ssl/ssl_transcript.cc +21 -142
  478. data/third_party/boringssl/ssl/ssl_versions.cc +88 -93
  479. data/third_party/boringssl/ssl/ssl_x509.cc +279 -218
  480. data/third_party/boringssl/ssl/t1_enc.cc +5 -96
  481. data/third_party/boringssl/ssl/t1_lib.cc +931 -678
  482. data/third_party/boringssl/ssl/tls13_both.cc +251 -121
  483. data/third_party/boringssl/ssl/tls13_client.cc +129 -73
  484. data/third_party/boringssl/ssl/tls13_enc.cc +350 -282
  485. data/third_party/boringssl/ssl/tls13_server.cc +259 -192
  486. data/third_party/boringssl/ssl/tls_method.cc +26 -21
  487. data/third_party/boringssl/ssl/tls_record.cc +42 -47
  488. data/third_party/boringssl/third_party/fiat/curve25519.c +261 -1324
  489. data/third_party/boringssl/third_party/fiat/curve25519_32.h +911 -0
  490. data/third_party/boringssl/third_party/fiat/curve25519_64.h +559 -0
  491. data/third_party/boringssl/third_party/fiat/p256.c +238 -999
  492. data/third_party/boringssl/third_party/fiat/p256_32.h +3226 -0
  493. data/third_party/boringssl/third_party/fiat/p256_64.h +1217 -0
  494. data/third_party/upb/upb/port_def.inc +1 -1
  495. data/third_party/upb/upb/table.c +2 -1
  496. metadata +72 -44
  497. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_load_balancer_api.h +0 -127
  498. data/src/core/lib/gpr/mpscq.cc +0 -117
  499. data/src/core/lib/gpr/mpscq.h +0 -88
  500. data/src/core/lib/gprpp/abstract.h +0 -47
  501. data/src/core/lib/gprpp/pair.h +0 -38
  502. data/third_party/boringssl/crypto/cipher_extra/e_ssl3.c +0 -460
  503. data/third_party/boringssl/crypto/fipsmodule/modes/ccm.c +0 -256
  504. data/third_party/boringssl/include/openssl/lhash_macros.h +0 -174
  505. data/third_party/boringssl/ssl/custom_extensions.cc +0 -265
@@ -63,6 +63,9 @@
63
63
  #include <openssl/obj.h>
64
64
  #include <openssl/x509v3.h>
65
65
 
66
+ #include "internal.h"
67
+
68
+
66
69
  static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
67
70
  X509V3_CTX *ctx, char *str);
68
71
  const X509V3_EXT_METHOD v3_skey_id = {
@@ -76,7 +79,7 @@ const X509V3_EXT_METHOD v3_skey_id = {
76
79
 
77
80
  char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct)
78
81
  {
79
- return hex_to_string(oct->data, oct->length);
82
+ return x509v3_bytes_to_hex(oct->data, oct->length);
80
83
  }
81
84
 
82
85
  ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
@@ -90,7 +93,7 @@ ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
90
93
  return NULL;
91
94
  }
92
95
 
93
- if (!(oct->data = string_to_hex(str, &length))) {
96
+ if (!(oct->data = x509v3_hex_to_bytes(str, &length))) {
94
97
  M_ASN1_OCTET_STRING_free(oct);
95
98
  return NULL;
96
99
  }
@@ -72,6 +72,7 @@
72
72
 
73
73
  #include "../conf/internal.h"
74
74
  #include "../internal.h"
75
+ #include "internal.h"
75
76
 
76
77
 
77
78
  static char *strip_spaces(char *name);
@@ -446,7 +447,7 @@ static char *strip_spaces(char *name)
446
447
  * on EBCDIC machines)
447
448
  */
448
449
 
449
- char *hex_to_string(const unsigned char *buffer, long len)
450
+ char *x509v3_bytes_to_hex(const unsigned char *buffer, long len)
450
451
  {
451
452
  char *tmp, *q;
452
453
  const unsigned char *p;
@@ -469,11 +470,7 @@ char *hex_to_string(const unsigned char *buffer, long len)
469
470
  return tmp;
470
471
  }
471
472
 
472
- /*
473
- * Give a string of hex digits convert to a buffer
474
- */
475
-
476
- unsigned char *string_to_hex(const char *str, long *len)
473
+ unsigned char *x509v3_hex_to_bytes(const char *str, long *len)
477
474
  {
478
475
  unsigned char *hexbuf, *q;
479
476
  unsigned char ch, cl, *p;
@@ -533,11 +530,7 @@ unsigned char *string_to_hex(const char *str, long *len)
533
530
 
534
531
  }
535
532
 
536
- /*
537
- * V2I name comparison function: returns zero if 'name' matches cmp or cmp.*
538
- */
539
-
540
- int name_cmp(const char *name, const char *cmp)
533
+ int x509v3_name_cmp(const char *name, const char *cmp)
541
534
  {
542
535
  int len, ret;
543
536
  char c;
@@ -650,6 +643,7 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
650
643
  if (!*sk)
651
644
  return 0;
652
645
  /* Don't add duplicates */
646
+ sk_OPENSSL_STRING_sort(*sk);
653
647
  if (sk_OPENSSL_STRING_find(*sk, NULL, (char *)email->data))
654
648
  return 1;
655
649
  emtmp = BUF_strdup((char *)email->data);
@@ -915,6 +909,53 @@ static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
915
909
  subject, subject_len, flags);
916
910
  }
917
911
 
912
+ int x509v3_looks_like_dns_name(const unsigned char *in, size_t len) {
913
+ /* This function is used as a heuristic for whether a common name is a
914
+ * hostname to be matched, or merely a decorative name to describe the
915
+ * subject. This heuristic must be applied to both name constraints and the
916
+ * common name fallback, so it must be loose enough to accept hostname
917
+ * common names, and tight enough to reject decorative common names. */
918
+
919
+ if (len > 0 && in[len - 1] == '.') {
920
+ len--;
921
+ }
922
+
923
+ /* Wildcards are allowed in front. */
924
+ if (len >= 2 && in[0] == '*' && in[1] == '.') {
925
+ in += 2;
926
+ len -= 2;
927
+ }
928
+
929
+ if (len == 0) {
930
+ return 0;
931
+ }
932
+
933
+ size_t label_start = 0;
934
+ for (size_t i = 0; i < len; i++) {
935
+ unsigned char c = in[i];
936
+ if ((c >= 'a' && c <= 'z') ||
937
+ (c >= '0' && c <= '9') ||
938
+ (c >= 'A' && c <= 'Z') ||
939
+ (c == '-' && i > label_start) ||
940
+ /* These are not valid characters in hostnames, but commonly found
941
+ * in deployments outside the Web PKI. */
942
+ c == '_' ||
943
+ c == ':') {
944
+ continue;
945
+ }
946
+
947
+ /* Labels must not be empty. */
948
+ if (c == '.' && i > label_start && i < len - 1) {
949
+ label_start = i + 1;
950
+ continue;
951
+ }
952
+
953
+ return 0;
954
+ }
955
+
956
+ return 1;
957
+ }
958
+
918
959
  /*
919
960
  * Compare an ASN1_STRING to a supplied string. If they match return 1. If
920
961
  * cmp_type > 0 only compare if string matches the type, otherwise convert it
@@ -922,8 +963,8 @@ static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
922
963
  */
923
964
 
924
965
  static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
925
- unsigned int flags, const char *b, size_t blen,
926
- char **peername)
966
+ unsigned int flags, int check_type, const char *b,
967
+ size_t blen, char **peername)
927
968
  {
928
969
  int rv = 0;
929
970
 
@@ -944,7 +985,17 @@ static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
944
985
  astrlen = ASN1_STRING_to_UTF8(&astr, a);
945
986
  if (astrlen < 0)
946
987
  return -1;
947
- rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
988
+ /*
989
+ * We check the common name against DNS name constraints if it passes
990
+ * |x509v3_looks_like_dns_name|. Thus we must not consider common names
991
+ * for DNS fallbacks if they fail this check.
992
+ */
993
+ if (check_type == GEN_DNS &&
994
+ !x509v3_looks_like_dns_name(astr, astrlen)) {
995
+ rv = 0;
996
+ } else {
997
+ rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
998
+ }
948
999
  if (rv > 0 && peername)
949
1000
  *peername = BUF_strndup((char *)astr, astrlen);
950
1001
  OPENSSL_free(astr);
@@ -961,7 +1012,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
961
1012
  int j;
962
1013
  int cnid = NID_undef;
963
1014
  int alt_type;
964
- int san_present = 0;
965
1015
  int rv = 0;
966
1016
  equal_fn equal;
967
1017
 
@@ -994,7 +1044,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
994
1044
  gen = sk_GENERAL_NAME_value(gens, i);
995
1045
  if (gen->type != check_type)
996
1046
  continue;
997
- san_present = 1;
998
1047
  if (check_type == GEN_EMAIL)
999
1048
  cstr = gen->d.rfc822Name;
1000
1049
  else if (check_type == GEN_DNS)
@@ -1002,21 +1051,16 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
1002
1051
  else
1003
1052
  cstr = gen->d.iPAddress;
1004
1053
  /* Positive on success, negative on error! */
1005
- if ((rv = do_check_string(cstr, alt_type, equal, flags,
1054
+ if ((rv = do_check_string(cstr, alt_type, equal, flags, check_type,
1006
1055
  chk, chklen, peername)) != 0)
1007
1056
  break;
1008
1057
  }
1009
1058
  GENERAL_NAMES_free(gens);
1010
- if (rv != 0)
1011
- return rv;
1012
- if (cnid == NID_undef
1013
- || (san_present
1014
- && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
1015
- return 0;
1059
+ return rv;
1016
1060
  }
1017
1061
 
1018
1062
  /* We're done if CN-ID is not pertinent */
1019
- if (cnid == NID_undef)
1063
+ if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
1020
1064
  return 0;
1021
1065
 
1022
1066
  j = -1;
@@ -1027,7 +1071,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
1027
1071
  ne = X509_NAME_get_entry(name, j);
1028
1072
  str = X509_NAME_ENTRY_get_data(ne);
1029
1073
  /* Positive on success, negative on error! */
1030
- if ((rv = do_check_string(str, -1, equal, flags,
1074
+ if ((rv = do_check_string(str, -1, equal, flags, check_type,
1031
1075
  chk, chklen, peername)) != 0)
1032
1076
  return rv;
1033
1077
  }
@@ -91,15 +91,44 @@ extern "C" {
91
91
  // AEAD algorithms.
92
92
 
93
93
  // EVP_aead_aes_128_gcm is AES-128 in Galois Counter Mode.
94
+ //
95
+ // Note: AES-GCM should only be used with 12-byte (96-bit) nonces. Although it
96
+ // is specified to take a variable-length nonce, nonces with other lengths are
97
+ // effectively randomized, which means one must consider collisions. Unless
98
+ // implementing an existing protocol which has already specified incorrect
99
+ // parameters, only use 12-byte nonces.
94
100
  OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm(void);
95
101
 
102
+ // EVP_aead_aes_192_gcm is AES-192 in Galois Counter Mode.
103
+ //
104
+ // WARNING: AES-192 is superfluous and shouldn't exist. NIST should never have
105
+ // defined it. Use only when interop with another system requires it, never
106
+ // de novo.
107
+ //
108
+ // Note: AES-GCM should only be used with 12-byte (96-bit) nonces. Although it
109
+ // is specified to take a variable-length nonce, nonces with other lengths are
110
+ // effectively randomized, which means one must consider collisions. Unless
111
+ // implementing an existing protocol which has already specified incorrect
112
+ // parameters, only use 12-byte nonces.
113
+ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_192_gcm(void);
114
+
96
115
  // EVP_aead_aes_256_gcm is AES-256 in Galois Counter Mode.
116
+ //
117
+ // Note: AES-GCM should only be used with 12-byte (96-bit) nonces. Although it
118
+ // is specified to take a variable-length nonce, nonces with other lengths are
119
+ // effectively randomized, which means one must consider collisions. Unless
120
+ // implementing an existing protocol which has already specified incorrect
121
+ // parameters, only use 12-byte nonces.
97
122
  OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm(void);
98
123
 
99
124
  // EVP_aead_chacha20_poly1305 is the AEAD built from ChaCha20 and
100
125
  // Poly1305 as described in RFC 7539.
101
126
  OPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305(void);
102
127
 
128
+ // EVP_aead_xchacha20_poly1305 is ChaCha20-Poly1305 with an extended nonce that
129
+ // makes random generation of nonces safe.
130
+ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_xchacha20_poly1305(void);
131
+
103
132
  // EVP_aead_aes_128_ctr_hmac_sha256 is AES-128 in CTR mode with HMAC-SHA256 for
104
133
  // authentication. The nonce is 12 bytes; the bottom 32-bits are used as the
105
134
  // block counter, thus the maximum plaintext size is 64GB.
@@ -154,13 +183,16 @@ OPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead);
154
183
 
155
184
  // AEAD operations.
156
185
 
186
+ union evp_aead_ctx_st_state {
187
+ uint8_t opaque[580];
188
+ uint64_t alignment;
189
+ };
190
+
157
191
  // An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key
158
192
  // and message-independent IV.
159
193
  typedef struct evp_aead_ctx_st {
160
194
  const EVP_AEAD *aead;
161
- // aead_state is an opaque pointer to whatever state the AEAD needs to
162
- // maintain.
163
- void *aead_state;
195
+ union evp_aead_ctx_st_state state;
164
196
  // tag_len may contain the actual length of the authentication tag if it is
165
197
  // known at initialization time.
166
198
  uint8_t tag_len;
@@ -172,7 +204,7 @@ typedef struct evp_aead_ctx_st {
172
204
 
173
205
  // EVP_AEAD_MAX_NONCE_LENGTH contains the maximum nonce length used by
174
206
  // any AEAD defined in this header.
175
- #define EVP_AEAD_MAX_NONCE_LENGTH 16
207
+ #define EVP_AEAD_MAX_NONCE_LENGTH 24
176
208
 
177
209
  // EVP_AEAD_MAX_OVERHEAD contains the maximum overhead used by any AEAD
178
210
  // defined in this header.
@@ -361,19 +393,13 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls12(void);
361
393
  // 1.2 nonce construction.
362
394
  OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_tls12(void);
363
395
 
396
+ // EVP_aead_aes_128_gcm_tls13 is AES-128 in Galois Counter Mode using the TLS
397
+ // 1.3 nonce construction.
398
+ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls13(void);
364
399
 
365
- // SSLv3-specific AEAD algorithms.
366
- //
367
- // These AEAD primitives do not meet the definition of generic AEADs. They are
368
- // all specific to SSLv3 and should not be used outside of that context. They
369
- // must be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful,
370
- // and may not be used concurrently. They only accept an |ad| parameter of
371
- // length 9 (the standard TLS one with length and version omitted).
372
-
373
- OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void);
374
- OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void);
375
- OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void);
376
- OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_ssl3(void);
400
+ // EVP_aead_aes_256_gcm_tls13 is AES-256 in Galois Counter Mode using the TLS
401
+ // 1.3 nonce construction.
402
+ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_tls13(void);
377
403
 
378
404
 
379
405
  // Obscure functions.
@@ -393,7 +419,7 @@ OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction(
393
419
 
394
420
  // EVP_AEAD_CTX_get_iv sets |*out_len| to the length of the IV for |ctx| and
395
421
  // sets |*out_iv| to point to that many bytes of the current IV. This is only
396
- // meaningful for AEADs with implicit IVs (i.e. CBC mode in SSLv3 and TLS 1.0).
422
+ // meaningful for AEADs with implicit IVs (i.e. CBC mode in TLS 1.0).
397
423
  //
398
424
  // It returns one on success or zero on error.
399
425
  OPENSSL_EXPORT int EVP_AEAD_CTX_get_iv(const EVP_AEAD_CTX *ctx,
@@ -415,7 +441,7 @@ OPENSSL_EXPORT int EVP_AEAD_CTX_tag_len(const EVP_AEAD_CTX *ctx,
415
441
  #if !defined(BORINGSSL_NO_CXX)
416
442
  extern "C++" {
417
443
 
418
- namespace bssl {
444
+ BSSL_NAMESPACE_BEGIN
419
445
 
420
446
  using ScopedEVP_AEAD_CTX =
421
447
  internal::StackAllocated<EVP_AEAD_CTX, void, EVP_AEAD_CTX_zero,
@@ -423,7 +449,7 @@ using ScopedEVP_AEAD_CTX =
423
449
 
424
450
  BORINGSSL_MAKE_DELETER(EVP_AEAD_CTX, EVP_AEAD_CTX_free)
425
451
 
426
- } // namespace bssl
452
+ BSSL_NAMESPACE_END
427
453
 
428
454
  } // extern C++
429
455
  #endif
@@ -6,7 +6,7 @@
6
6
  * are met:
7
7
  *
8
8
  * 1. Redistributions of source code must retain the above copyright
9
- * notice, this list of conditions and the following disclaimer.
9
+ * notice, this list of conditions and the following disclaimer.
10
10
  *
11
11
  * 2. Redistributions in binary form must reproduce the above copyright
12
12
  * notice, this list of conditions and the following disclaimer in
@@ -76,18 +76,18 @@ struct aes_key_st {
76
76
  typedef struct aes_key_st AES_KEY;
77
77
 
78
78
  // AES_set_encrypt_key configures |aeskey| to encrypt with the |bits|-bit key,
79
- // |key|.
79
+ // |key|. |key| must point to |bits|/8 bytes. It returns zero on success and a
80
+ // negative number if |bits| is an invalid AES key size.
80
81
  //
81
- // WARNING: unlike other OpenSSL functions, this returns zero on success and a
82
- // negative number on error.
82
+ // WARNING: this function breaks the usual return value convention.
83
83
  OPENSSL_EXPORT int AES_set_encrypt_key(const uint8_t *key, unsigned bits,
84
84
  AES_KEY *aeskey);
85
85
 
86
86
  // AES_set_decrypt_key configures |aeskey| to decrypt with the |bits|-bit key,
87
- // |key|.
87
+ // |key|. |key| must point to |bits|/8 bytes. It returns zero on success and a
88
+ // negative number if |bits| is an invalid AES key size.
88
89
  //
89
- // WARNING: unlike other OpenSSL functions, this returns zero on success and a
90
- // negative number on error.
90
+ // WARNING: this function breaks the usual return value convention.
91
91
  OPENSSL_EXPORT int AES_set_decrypt_key(const uint8_t *key, unsigned bits,
92
92
  AES_KEY *aeskey);
93
93
 
@@ -163,6 +163,31 @@ OPENSSL_EXPORT int AES_unwrap_key(const AES_KEY *key, const uint8_t *iv,
163
163
  size_t in_len);
164
164
 
165
165
 
166
+ // AES key wrap with padding.
167
+ //
168
+ // These functions implement AES Key Wrap with Padding mode, as defined in RFC
169
+ // 5649. They should never be used except to interoperate with existing systems
170
+ // that use this mode.
171
+
172
+ // AES_wrap_key_padded performs a padded AES key wrap on |in| which must be
173
+ // between 1 and 2^32-1 bytes. |key| must have been configured for encryption.
174
+ // On success it writes at most |max_out| bytes of ciphertext to |out|, sets
175
+ // |*out_len| to the number of bytes written, and returns one. On failure it
176
+ // returns zero. To ensure success, set |max_out| to at least |in_len| + 15.
177
+ OPENSSL_EXPORT int AES_wrap_key_padded(const AES_KEY *key, uint8_t *out,
178
+ size_t *out_len, size_t max_out,
179
+ const uint8_t *in, size_t in_len);
180
+
181
+ // AES_unwrap_key_padded performs a padded AES key unwrap on |in| which must be
182
+ // a multiple of 8 bytes. |key| must have been configured for decryption. On
183
+ // success it writes at most |max_out| bytes to |out|, sets |*out_len| to the
184
+ // number of bytes written, and returns one. On failure it returns zero. Setting
185
+ // |max_out| to |in_len| is a sensible estimate.
186
+ OPENSSL_EXPORT int AES_unwrap_key_padded(const AES_KEY *key, uint8_t *out,
187
+ size_t *out_len, size_t max_out,
188
+ const uint8_t *in, size_t in_len);
189
+
190
+
166
191
  #if defined(__cplusplus)
167
192
  } // extern C
168
193
  #endif
@@ -152,6 +152,9 @@ extern "C" {
152
152
  /* For use with ASN1_mbstring_copy() */
153
153
  #define MBSTRING_FLAG 0x1000
154
154
  #define MBSTRING_UTF8 (MBSTRING_FLAG)
155
+ /* |MBSTRING_ASC| refers to Latin-1, not ASCII. It is used with TeletexString
156
+ * which, in turn, is treated as Latin-1 rather than T.61 by OpenSSL and most
157
+ * other software. */
155
158
  #define MBSTRING_ASC (MBSTRING_FLAG|1)
156
159
  #define MBSTRING_BMP (MBSTRING_FLAG|2)
157
160
  #define MBSTRING_UNIV (MBSTRING_FLAG|4)
@@ -295,19 +298,6 @@ typedef struct ASN1_VALUE_st ASN1_VALUE;
295
298
  OPENSSL_EXPORT int fname##_print_ctx(BIO *out, stname *x, int indent, \
296
299
  const ASN1_PCTX *pctx);
297
300
 
298
- #define D2I_OF(type) type *(*)(type **,const unsigned char **,long)
299
- #define I2D_OF(type) int (*)(type *,unsigned char **)
300
- #define I2D_OF_const(type) int (*)(const type *,unsigned char **)
301
-
302
- #define CHECKED_D2I_OF(type, d2i) \
303
- ((d2i_of_void*) (1 ? d2i : ((D2I_OF(type))0)))
304
- #define CHECKED_I2D_OF(type, i2d) \
305
- ((i2d_of_void*) (1 ? i2d : ((I2D_OF(type))0)))
306
- #define CHECKED_NEW_OF(type, xnew) \
307
- ((void *(*)(void)) (1 ? xnew : ((type *(*)(void))0)))
308
- #define CHECKED_PPTR_OF(type, p) \
309
- ((void**) (1 ? p : (type**)0))
310
-
311
301
  typedef void *d2i_of_void(void **, const unsigned char **, long);
312
302
  typedef int i2d_of_void(const void *, unsigned char **);
313
303
 
@@ -676,7 +666,6 @@ OPENSSL_EXPORT int d2i_ASN1_BOOLEAN(int *a,const unsigned char **pp,long lengt
676
666
  DECLARE_ASN1_FUNCTIONS(ASN1_INTEGER)
677
667
  OPENSSL_EXPORT int i2c_ASN1_INTEGER(ASN1_INTEGER *a,unsigned char **pp);
678
668
  OPENSSL_EXPORT ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a,const unsigned char **pp, long length);
679
- OPENSSL_EXPORT ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a,const unsigned char **pp, long length);
680
669
  OPENSSL_EXPORT ASN1_INTEGER * ASN1_INTEGER_dup(const ASN1_INTEGER *x);
681
670
  OPENSSL_EXPORT int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y);
682
671
 
@@ -759,76 +748,17 @@ OPENSSL_EXPORT void ASN1_put_object(unsigned char **pp, int constructed, int len
759
748
  OPENSSL_EXPORT int ASN1_put_eoc(unsigned char **pp);
760
749
  OPENSSL_EXPORT int ASN1_object_size(int constructed, int length, int tag);
761
750
 
762
- /* Used to implement other functions */
763
- OPENSSL_EXPORT void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, void *x);
764
-
765
- #define ASN1_dup_of(type,i2d,d2i,x) \
766
- ((type*)ASN1_dup(CHECKED_I2D_OF(type, i2d), \
767
- CHECKED_D2I_OF(type, d2i), \
768
- CHECKED_PTR_OF(type, x)))
769
-
770
- #define ASN1_dup_of_const(type,i2d,d2i,x) \
771
- ((type*)ASN1_dup(CHECKED_I2D_OF(const type, i2d), \
772
- CHECKED_D2I_OF(type, d2i), \
773
- CHECKED_PTR_OF(const type, x)))
774
-
775
751
  OPENSSL_EXPORT void *ASN1_item_dup(const ASN1_ITEM *it, void *x);
776
752
 
777
- /* ASN1 alloc/free macros for when a type is only used internally */
778
-
779
- #define M_ASN1_new_of(type) (type *)ASN1_item_new(ASN1_ITEM_rptr(type))
780
- #define M_ASN1_free_of(x, type) \
781
- ASN1_item_free(CHECKED_PTR_OF(type, x), ASN1_ITEM_rptr(type))
782
-
783
753
  #ifndef OPENSSL_NO_FP_API
784
- OPENSSL_EXPORT void *ASN1_d2i_fp(void *(*xnew)(void), d2i_of_void *d2i, FILE *in, void **x);
785
-
786
- #define ASN1_d2i_fp_of(type,xnew,d2i,in,x) \
787
- ((type*)ASN1_d2i_fp(CHECKED_NEW_OF(type, xnew), \
788
- CHECKED_D2I_OF(type, d2i), \
789
- in, \
790
- CHECKED_PPTR_OF(type, x)))
791
-
792
754
  OPENSSL_EXPORT void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x);
793
- OPENSSL_EXPORT int ASN1_i2d_fp(i2d_of_void *i2d,FILE *out,void *x);
794
-
795
- #define ASN1_i2d_fp_of(type,i2d,out,x) \
796
- (ASN1_i2d_fp(CHECKED_I2D_OF(type, i2d), \
797
- out, \
798
- CHECKED_PTR_OF(type, x)))
799
-
800
- #define ASN1_i2d_fp_of_const(type,i2d,out,x) \
801
- (ASN1_i2d_fp(CHECKED_I2D_OF(const type, i2d), \
802
- out, \
803
- CHECKED_PTR_OF(const type, x)))
804
-
805
755
  OPENSSL_EXPORT int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x);
806
756
  OPENSSL_EXPORT int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags);
807
757
  #endif
808
758
 
809
759
  OPENSSL_EXPORT int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in);
810
760
 
811
- OPENSSL_EXPORT void *ASN1_d2i_bio(void *(*xnew)(void), d2i_of_void *d2i, BIO *in, void **x);
812
-
813
- #define ASN1_d2i_bio_of(type,xnew,d2i,in,x) \
814
- ((type*)ASN1_d2i_bio( CHECKED_NEW_OF(type, xnew), \
815
- CHECKED_D2I_OF(type, d2i), \
816
- in, \
817
- CHECKED_PPTR_OF(type, x)))
818
-
819
761
  OPENSSL_EXPORT void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x);
820
- OPENSSL_EXPORT int ASN1_i2d_bio(i2d_of_void *i2d,BIO *out, void *x);
821
-
822
- #define ASN1_i2d_bio_of(type,i2d,out,x) \
823
- (ASN1_i2d_bio(CHECKED_I2D_OF(type, i2d), \
824
- out, \
825
- CHECKED_PTR_OF(type, x)))
826
-
827
- #define ASN1_i2d_bio_of_const(type,i2d,out,x) \
828
- (ASN1_i2d_bio(CHECKED_I2D_OF(const type, i2d), \
829
- out, \
830
- CHECKED_PTR_OF(const type, x)))
831
-
832
762
  OPENSSL_EXPORT int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x);
833
763
  OPENSSL_EXPORT int ASN1_UTCTIME_print(BIO *fp, const ASN1_UTCTIME *a);
834
764
  OPENSSL_EXPORT int ASN1_GENERALIZEDTIME_print(BIO *fp, const ASN1_GENERALIZEDTIME *a);
@@ -872,13 +802,13 @@ OPENSSL_EXPORT ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf);
872
802
 
873
803
  extern "C++" {
874
804
 
875
- namespace bssl {
805
+ BSSL_NAMESPACE_BEGIN
876
806
 
877
807
  BORINGSSL_MAKE_DELETER(ASN1_OBJECT, ASN1_OBJECT_free)
878
808
  BORINGSSL_MAKE_DELETER(ASN1_STRING, ASN1_STRING_free)
879
809
  BORINGSSL_MAKE_DELETER(ASN1_TYPE, ASN1_TYPE_free)
880
810
 
881
- } // namespace bssl
811
+ BSSL_NAMESPACE_END
882
812
 
883
813
  } /* extern C++ */
884
814
 
@@ -926,14 +856,14 @@ BORINGSSL_MAKE_DELETER(ASN1_TYPE, ASN1_TYPE_free)
926
856
  #define ASN1_R_INTEGER_NOT_ASCII_FORMAT 139
927
857
  #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 140
928
858
  #define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 141
929
- #define ASN1_R_INVALID_BMPSTRING_LENGTH 142
859
+ #define ASN1_R_INVALID_BMPSTRING 142
930
860
  #define ASN1_R_INVALID_DIGIT 143
931
861
  #define ASN1_R_INVALID_MODIFIER 144
932
862
  #define ASN1_R_INVALID_NUMBER 145
933
863
  #define ASN1_R_INVALID_OBJECT_ENCODING 146
934
864
  #define ASN1_R_INVALID_SEPARATOR 147
935
865
  #define ASN1_R_INVALID_TIME_FORMAT 148
936
- #define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH 149
866
+ #define ASN1_R_INVALID_UNIVERSALSTRING 149
937
867
  #define ASN1_R_INVALID_UTF8STRING 150
938
868
  #define ASN1_R_LIST_ERROR 151
939
869
  #define ASN1_R_MISSING_ASN1_EOS 152