grpc 1.24.0 → 1.25.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of grpc might be problematic. Click here for more details.

Files changed (505) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +306 -243
  3. data/etc/roots.pem +0 -100
  4. data/include/grpc/grpc_security.h +44 -18
  5. data/include/grpc/impl/codegen/grpc_types.h +15 -0
  6. data/include/grpc/impl/codegen/port_platform.h +27 -11
  7. data/include/grpc/impl/codegen/sync_generic.h +1 -1
  8. data/src/boringssl/err_data.c +695 -650
  9. data/src/core/ext/filters/client_channel/client_channel.cc +257 -179
  10. data/src/core/ext/filters/client_channel/client_channel.h +24 -0
  11. data/src/core/ext/filters/client_channel/client_channel_channelz.cc +2 -3
  12. data/src/core/ext/filters/client_channel/client_channel_factory.h +1 -5
  13. data/src/core/ext/filters/client_channel/health/health_check_client.cc +18 -45
  14. data/src/core/ext/filters/client_channel/health/health_check_client.h +5 -13
  15. data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +1 -1
  16. data/src/core/ext/filters/client_channel/lb_policy.cc +2 -3
  17. data/src/core/ext/filters/client_channel/lb_policy.h +65 -55
  18. data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +14 -14
  19. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +113 -36
  20. data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +14 -19
  21. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +36 -13
  22. data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +3 -10
  23. data/src/core/ext/filters/client_channel/lb_policy/xds/xds.cc +814 -1589
  24. data/src/core/ext/filters/client_channel/lb_policy/xds/xds.h +2 -5
  25. data/src/core/ext/filters/client_channel/lb_policy_factory.h +3 -6
  26. data/src/core/ext/filters/client_channel/resolver.cc +1 -2
  27. data/src/core/ext/filters/client_channel/resolver.h +8 -16
  28. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +25 -8
  29. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +46 -12
  30. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +10 -17
  31. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +7 -8
  32. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +4 -4
  33. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +111 -44
  34. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +22 -14
  35. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +1 -1
  36. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +2 -2
  37. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +29 -10
  38. data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +27 -36
  39. data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +7 -10
  40. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +60 -16
  41. data/src/core/ext/filters/client_channel/resolver_factory.h +4 -8
  42. data/src/core/ext/filters/client_channel/resolver_registry.cc +1 -1
  43. data/src/core/ext/filters/client_channel/resolver_registry.h +1 -1
  44. data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +7 -10
  45. data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +7 -8
  46. data/src/core/ext/filters/client_channel/resolving_lb_policy.h +1 -1
  47. data/src/core/ext/filters/client_channel/retry_throttle.cc +5 -5
  48. data/src/core/ext/filters/client_channel/retry_throttle.h +1 -4
  49. data/src/core/ext/filters/client_channel/service_config.h +8 -8
  50. data/src/core/ext/filters/client_channel/subchannel.cc +53 -86
  51. data/src/core/ext/filters/client_channel/subchannel.h +7 -9
  52. data/src/core/ext/filters/client_channel/subchannel_interface.h +9 -13
  53. data/src/core/ext/filters/client_channel/subchannel_pool_interface.h +3 -6
  54. data/src/core/ext/filters/client_channel/{lb_policy/xds/xds_load_balancer_api.cc → xds/xds_api.cc} +169 -52
  55. data/src/core/ext/filters/client_channel/xds/xds_api.h +171 -0
  56. data/src/core/ext/filters/client_channel/xds/xds_bootstrap.cc +450 -0
  57. data/src/core/ext/filters/client_channel/xds/xds_bootstrap.h +99 -0
  58. data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_channel.h +8 -6
  59. data/src/core/ext/filters/client_channel/xds/xds_channel_args.h +26 -0
  60. data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_channel_secure.cc +28 -11
  61. data/src/core/ext/filters/client_channel/xds/xds_client.cc +1413 -0
  62. data/src/core/ext/filters/client_channel/xds/xds_client.h +221 -0
  63. data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_client_stats.cc +1 -5
  64. data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_client_stats.h +3 -4
  65. data/src/core/ext/filters/deadline/deadline_filter.cc +20 -20
  66. data/src/core/ext/filters/http/client/http_client_filter.cc +15 -15
  67. data/src/core/ext/filters/http/client_authority_filter.cc +14 -14
  68. data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +12 -12
  69. data/src/core/ext/filters/max_age/max_age_filter.cc +59 -50
  70. data/src/core/ext/filters/message_size/message_size_filter.cc +18 -18
  71. data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +15 -14
  72. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +233 -175
  73. data/src/core/ext/transport/chttp2/transport/flow_control.h +21 -24
  74. data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +253 -163
  75. data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +24 -12
  76. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +2 -3
  77. data/src/core/ext/transport/chttp2/transport/internal.h +13 -15
  78. data/src/core/ext/transport/chttp2/transport/writing.cc +3 -0
  79. data/src/core/ext/transport/inproc/inproc_transport.cc +20 -13
  80. data/src/core/lib/channel/channel_args.cc +16 -0
  81. data/src/core/lib/channel/channel_args.h +22 -0
  82. data/src/core/lib/channel/channelz.cc +5 -6
  83. data/src/core/lib/channel/channelz.h +1 -1
  84. data/src/core/lib/channel/connected_channel.cc +20 -20
  85. data/src/core/lib/channel/handshaker.h +3 -4
  86. data/src/core/lib/channel/handshaker_factory.h +1 -3
  87. data/src/core/lib/debug/trace.h +3 -2
  88. data/src/core/lib/gprpp/arena.cc +3 -3
  89. data/src/core/lib/gprpp/arena.h +2 -3
  90. data/src/core/lib/gprpp/inlined_vector.h +9 -0
  91. data/src/core/lib/gprpp/map.h +3 -501
  92. data/src/core/lib/gprpp/memory.h +45 -41
  93. data/src/core/lib/gprpp/mpscq.cc +108 -0
  94. data/src/core/lib/gprpp/mpscq.h +98 -0
  95. data/src/core/lib/gprpp/orphanable.h +6 -11
  96. data/src/core/lib/gprpp/ref_counted.h +25 -19
  97. data/src/core/lib/gprpp/set.h +33 -0
  98. data/src/core/lib/gprpp/thd.h +2 -4
  99. data/src/core/lib/http/httpcli.cc +1 -1
  100. data/src/core/lib/http/httpcli_security_connector.cc +15 -11
  101. data/src/core/lib/http/parser.cc +1 -1
  102. data/src/core/lib/iomgr/buffer_list.cc +4 -5
  103. data/src/core/lib/iomgr/buffer_list.h +5 -6
  104. data/src/core/lib/iomgr/call_combiner.cc +4 -5
  105. data/src/core/lib/iomgr/call_combiner.h +2 -2
  106. data/src/core/lib/iomgr/cfstream_handle.h +3 -5
  107. data/src/core/lib/iomgr/closure.h +8 -3
  108. data/src/core/lib/iomgr/combiner.cc +45 -82
  109. data/src/core/lib/iomgr/combiner.h +32 -8
  110. data/src/core/lib/iomgr/endpoint_cfstream.cc +5 -3
  111. data/src/core/lib/iomgr/ev_epoll1_linux.cc +19 -15
  112. data/src/core/lib/iomgr/ev_poll_posix.cc +3 -1
  113. data/src/core/lib/iomgr/exec_ctx.h +4 -3
  114. data/src/core/lib/iomgr/executor.cc +4 -2
  115. data/src/core/lib/iomgr/executor.h +3 -0
  116. data/src/core/lib/iomgr/executor/mpmcqueue.h +3 -6
  117. data/src/core/lib/iomgr/executor/threadpool.cc +1 -2
  118. data/src/core/lib/iomgr/executor/threadpool.h +7 -11
  119. data/src/core/lib/iomgr/resource_quota.cc +55 -51
  120. data/src/core/lib/iomgr/resource_quota.h +13 -9
  121. data/src/core/lib/iomgr/socket_utils_common_posix.cc +13 -0
  122. data/src/core/lib/iomgr/socket_utils_posix.h +4 -0
  123. data/src/core/lib/iomgr/tcp_client_posix.cc +4 -11
  124. data/src/core/lib/iomgr/tcp_custom.cc +9 -7
  125. data/src/core/lib/iomgr/tcp_posix.cc +20 -16
  126. data/src/core/lib/iomgr/tcp_server.h +1 -4
  127. data/src/core/lib/iomgr/tcp_server_custom.cc +5 -5
  128. data/src/core/lib/iomgr/tcp_server_posix.cc +1 -1
  129. data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +2 -11
  130. data/src/core/lib/iomgr/timer_custom.cc +2 -2
  131. data/src/core/lib/iomgr/udp_server.cc +3 -2
  132. data/src/core/lib/iomgr/udp_server.h +6 -12
  133. data/src/core/lib/json/json.h +1 -1
  134. data/src/core/lib/json/json_string.cc +2 -2
  135. data/src/core/lib/profiling/basic_timers.cc +2 -2
  136. data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -2
  137. data/src/core/lib/security/credentials/alts/grpc_alts_credentials_server_options.cc +1 -1
  138. data/src/core/lib/security/credentials/credentials.h +4 -20
  139. data/src/core/lib/security/credentials/fake/fake_credentials.cc +4 -4
  140. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -3
  141. data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +64 -0
  142. data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +4 -4
  143. data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +9 -7
  144. data/src/core/lib/security/security_connector/load_system_roots_linux.cc +2 -0
  145. data/src/core/lib/security/security_connector/local/local_security_connector.cc +4 -4
  146. data/src/core/lib/security/security_connector/security_connector.cc +1 -0
  147. data/src/core/lib/security/security_connector/security_connector.h +19 -17
  148. data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +8 -5
  149. data/src/core/lib/security/security_connector/ssl_utils.cc +2 -2
  150. data/src/core/lib/security/security_connector/ssl_utils.h +1 -1
  151. data/src/core/lib/security/security_connector/tls/spiffe_security_connector.cc +14 -6
  152. data/src/core/lib/security/security_connector/tls/spiffe_security_connector.h +4 -2
  153. data/src/core/lib/security/transport/client_auth_filter.cc +17 -17
  154. data/src/core/lib/security/transport/security_handshaker.cc +29 -13
  155. data/src/core/lib/security/transport/security_handshaker.h +4 -2
  156. data/src/core/lib/security/transport/server_auth_filter.cc +14 -14
  157. data/src/core/lib/slice/slice.cc +2 -10
  158. data/src/core/lib/slice/slice_hash_table.h +4 -6
  159. data/src/core/lib/slice/slice_intern.cc +42 -39
  160. data/src/core/lib/slice/slice_internal.h +3 -3
  161. data/src/core/lib/slice/slice_utils.h +21 -4
  162. data/src/core/lib/slice/slice_weak_hash_table.h +4 -6
  163. data/src/core/lib/surface/call.cc +3 -3
  164. data/src/core/lib/surface/channel.cc +7 -0
  165. data/src/core/lib/surface/completion_queue.cc +12 -11
  166. data/src/core/lib/surface/completion_queue.h +4 -2
  167. data/src/core/lib/surface/init.cc +1 -0
  168. data/src/core/lib/surface/lame_client.cc +33 -18
  169. data/src/core/lib/surface/server.cc +77 -76
  170. data/src/core/lib/surface/version.cc +1 -1
  171. data/src/core/lib/transport/byte_stream.h +3 -7
  172. data/src/core/lib/transport/connectivity_state.cc +112 -98
  173. data/src/core/lib/transport/connectivity_state.h +100 -50
  174. data/src/core/lib/transport/static_metadata.cc +276 -288
  175. data/src/core/lib/transport/static_metadata.h +73 -76
  176. data/src/core/lib/transport/status_conversion.cc +1 -1
  177. data/src/core/lib/transport/status_metadata.cc +1 -1
  178. data/src/core/lib/transport/transport.cc +2 -2
  179. data/src/core/lib/transport/transport.h +12 -4
  180. data/src/core/lib/transport/transport_op_string.cc +14 -11
  181. data/src/core/tsi/alts/frame_protector/alts_unseal_privacy_integrity_crypter.cc +1 -1
  182. data/src/core/tsi/alts/handshaker/alts_shared_resource.cc +1 -1
  183. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +5 -5
  184. data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +12 -2
  185. data/src/core/tsi/fake_transport_security.cc +7 -5
  186. data/src/core/tsi/grpc_shadow_boringssl.h +2918 -2627
  187. data/src/core/tsi/local_transport_security.cc +8 -6
  188. data/src/core/tsi/ssl/session_cache/ssl_session.h +1 -3
  189. data/src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc +1 -2
  190. data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +7 -5
  191. data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +4 -6
  192. data/src/core/tsi/ssl/session_cache/ssl_session_openssl.cc +1 -2
  193. data/src/core/tsi/ssl_transport_security.cc +12 -12
  194. data/src/core/tsi/ssl_transport_security.h +2 -2
  195. data/src/core/tsi/transport_security_grpc.cc +7 -0
  196. data/src/core/tsi/transport_security_grpc.h +6 -0
  197. data/src/ruby/ext/grpc/extconf.rb +1 -0
  198. data/src/ruby/ext/grpc/rb_call.c +1 -1
  199. data/src/ruby/ext/grpc/rb_channel.c +1 -1
  200. data/src/ruby/lib/grpc/generic/bidi_call.rb +1 -1
  201. data/src/ruby/lib/grpc/generic/rpc_server.rb +1 -1
  202. data/src/ruby/lib/grpc/version.rb +1 -1
  203. data/src/ruby/spec/google_rpc_status_utils_spec.rb +2 -2
  204. data/third_party/boringssl/crypto/asn1/a_bool.c +18 -5
  205. data/third_party/boringssl/crypto/asn1/a_d2i_fp.c +17 -221
  206. data/third_party/boringssl/crypto/asn1/a_dup.c +0 -24
  207. data/third_party/boringssl/crypto/asn1/a_enum.c +2 -2
  208. data/third_party/boringssl/crypto/asn1/a_i2d_fp.c +10 -72
  209. data/third_party/boringssl/crypto/asn1/a_int.c +12 -71
  210. data/third_party/boringssl/crypto/asn1/a_mbstr.c +110 -216
  211. data/third_party/boringssl/crypto/asn1/a_object.c +16 -5
  212. data/third_party/boringssl/crypto/asn1/a_strnid.c +1 -0
  213. data/third_party/boringssl/crypto/asn1/asn1_lib.c +5 -1
  214. data/third_party/boringssl/crypto/asn1/tasn_enc.c +3 -1
  215. data/third_party/boringssl/crypto/base64/base64.c +2 -2
  216. data/third_party/boringssl/crypto/bio/bio.c +73 -9
  217. data/third_party/boringssl/crypto/bio/connect.c +4 -0
  218. data/third_party/boringssl/crypto/bio/fd.c +4 -0
  219. data/third_party/boringssl/crypto/bio/file.c +5 -2
  220. data/third_party/boringssl/crypto/bio/socket.c +4 -0
  221. data/third_party/boringssl/crypto/bio/socket_helper.c +4 -0
  222. data/third_party/boringssl/crypto/bn_extra/convert.c +11 -7
  223. data/third_party/boringssl/crypto/bytestring/ber.c +8 -4
  224. data/third_party/boringssl/crypto/bytestring/cbb.c +19 -7
  225. data/third_party/boringssl/crypto/bytestring/cbs.c +28 -15
  226. data/third_party/boringssl/crypto/bytestring/internal.h +28 -7
  227. data/third_party/boringssl/crypto/bytestring/unicode.c +155 -0
  228. data/third_party/boringssl/crypto/chacha/chacha.c +36 -19
  229. data/third_party/boringssl/crypto/chacha/internal.h +45 -0
  230. data/third_party/boringssl/crypto/cipher_extra/cipher_extra.c +29 -0
  231. data/third_party/boringssl/crypto/cipher_extra/e_aesccm.c +269 -25
  232. data/third_party/boringssl/crypto/cipher_extra/e_aesctrhmac.c +16 -14
  233. data/third_party/boringssl/crypto/cipher_extra/e_aesgcmsiv.c +54 -38
  234. data/third_party/boringssl/crypto/cipher_extra/e_chacha20poly1305.c +133 -41
  235. data/third_party/boringssl/crypto/cipher_extra/e_tls.c +23 -15
  236. data/third_party/boringssl/crypto/cipher_extra/tls_cbc.c +24 -15
  237. data/third_party/boringssl/crypto/cmac/cmac.c +62 -25
  238. data/third_party/boringssl/crypto/conf/conf.c +7 -0
  239. data/third_party/boringssl/crypto/cpu-arm-linux.c +4 -148
  240. data/third_party/boringssl/crypto/cpu-arm-linux.h +201 -0
  241. data/third_party/boringssl/crypto/cpu-intel.c +45 -51
  242. data/third_party/boringssl/crypto/crypto.c +39 -22
  243. data/third_party/boringssl/crypto/curve25519/spake25519.c +1 -1
  244. data/third_party/boringssl/crypto/dsa/dsa.c +77 -53
  245. data/third_party/boringssl/crypto/ec_extra/ec_asn1.c +20 -8
  246. data/third_party/boringssl/crypto/ec_extra/ec_derive.c +96 -0
  247. data/third_party/boringssl/crypto/{ecdh/ecdh.c → ecdh_extra/ecdh_extra.c} +20 -58
  248. data/third_party/boringssl/crypto/ecdsa_extra/ecdsa_asn1.c +1 -9
  249. data/third_party/boringssl/crypto/engine/engine.c +2 -1
  250. data/third_party/boringssl/crypto/err/err.c +2 -0
  251. data/third_party/boringssl/crypto/err/internal.h +2 -2
  252. data/third_party/boringssl/crypto/evp/evp.c +89 -8
  253. data/third_party/boringssl/crypto/evp/evp_asn1.c +56 -5
  254. data/third_party/boringssl/crypto/evp/evp_ctx.c +52 -14
  255. data/third_party/boringssl/crypto/evp/internal.h +18 -1
  256. data/third_party/boringssl/crypto/evp/p_dsa_asn1.c +5 -0
  257. data/third_party/boringssl/crypto/evp/p_ec.c +51 -3
  258. data/third_party/boringssl/crypto/evp/p_ec_asn1.c +6 -7
  259. data/third_party/boringssl/crypto/evp/p_ed25519.c +36 -3
  260. data/third_party/boringssl/crypto/evp/p_ed25519_asn1.c +76 -45
  261. data/third_party/boringssl/crypto/evp/p_rsa.c +3 -1
  262. data/third_party/boringssl/crypto/evp/p_rsa_asn1.c +5 -0
  263. data/third_party/boringssl/crypto/evp/p_x25519.c +110 -0
  264. data/third_party/boringssl/crypto/evp/p_x25519_asn1.c +249 -0
  265. data/third_party/boringssl/crypto/evp/scrypt.c +6 -2
  266. data/third_party/boringssl/crypto/fipsmodule/aes/aes.c +34 -274
  267. data/third_party/boringssl/crypto/fipsmodule/aes/internal.h +161 -21
  268. data/third_party/boringssl/crypto/fipsmodule/aes/key_wrap.c +111 -13
  269. data/third_party/boringssl/crypto/fipsmodule/aes/mode_wrappers.c +17 -21
  270. data/third_party/boringssl/crypto/fipsmodule/bcm.c +119 -7
  271. data/third_party/boringssl/crypto/fipsmodule/bn/bn.c +19 -2
  272. data/third_party/boringssl/crypto/fipsmodule/bn/cmp.c +2 -2
  273. data/third_party/boringssl/crypto/fipsmodule/bn/ctx.c +93 -160
  274. data/third_party/boringssl/crypto/fipsmodule/bn/div.c +48 -57
  275. data/third_party/boringssl/crypto/fipsmodule/bn/div_extra.c +87 -0
  276. data/third_party/boringssl/crypto/fipsmodule/bn/exponentiation.c +143 -211
  277. data/third_party/boringssl/crypto/fipsmodule/bn/gcd.c +0 -305
  278. data/third_party/boringssl/crypto/fipsmodule/bn/gcd_extra.c +325 -0
  279. data/third_party/boringssl/crypto/fipsmodule/bn/internal.h +168 -50
  280. data/third_party/boringssl/crypto/fipsmodule/bn/montgomery.c +68 -92
  281. data/third_party/boringssl/crypto/fipsmodule/bn/montgomery_inv.c +7 -6
  282. data/third_party/boringssl/crypto/fipsmodule/bn/mul.c +11 -14
  283. data/third_party/boringssl/crypto/fipsmodule/bn/prime.c +358 -443
  284. data/third_party/boringssl/crypto/fipsmodule/bn/random.c +25 -35
  285. data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.c +20 -25
  286. data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.h +76 -5
  287. data/third_party/boringssl/crypto/fipsmodule/bn/shift.c +14 -14
  288. data/third_party/boringssl/crypto/fipsmodule/cipher/cipher.c +7 -2
  289. data/third_party/boringssl/crypto/fipsmodule/cipher/e_aes.c +383 -516
  290. data/third_party/boringssl/crypto/fipsmodule/cipher/e_des.c +4 -0
  291. data/third_party/boringssl/crypto/fipsmodule/cipher/internal.h +3 -4
  292. data/third_party/boringssl/crypto/fipsmodule/delocate.h +3 -2
  293. data/third_party/boringssl/crypto/fipsmodule/digest/digest.c +32 -17
  294. data/third_party/boringssl/crypto/fipsmodule/digest/md32_common.h +3 -3
  295. data/third_party/boringssl/crypto/fipsmodule/ec/ec.c +228 -122
  296. data/third_party/boringssl/crypto/fipsmodule/ec/ec_key.c +34 -8
  297. data/third_party/boringssl/crypto/fipsmodule/ec/ec_montgomery.c +311 -98
  298. data/third_party/boringssl/crypto/fipsmodule/ec/felem.c +82 -0
  299. data/third_party/boringssl/crypto/fipsmodule/ec/internal.h +263 -97
  300. data/third_party/boringssl/crypto/fipsmodule/ec/oct.c +22 -59
  301. data/third_party/boringssl/crypto/fipsmodule/ec/p224-64.c +317 -234
  302. data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64-table.h +9473 -9475
  303. data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.c +313 -109
  304. data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.h +36 -0
  305. data/third_party/boringssl/crypto/fipsmodule/ec/scalar.c +96 -0
  306. data/third_party/boringssl/crypto/fipsmodule/ec/simple.c +126 -792
  307. data/third_party/boringssl/crypto/fipsmodule/ec/simple_mul.c +84 -0
  308. data/third_party/boringssl/crypto/fipsmodule/ec/util.c +163 -12
  309. data/third_party/boringssl/crypto/fipsmodule/ec/wnaf.c +84 -211
  310. data/third_party/boringssl/crypto/fipsmodule/ecdh/ecdh.c +122 -0
  311. data/third_party/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c +60 -205
  312. data/third_party/boringssl/crypto/fipsmodule/fips_shared_support.c +32 -0
  313. data/third_party/boringssl/crypto/fipsmodule/is_fips.c +2 -0
  314. data/third_party/boringssl/crypto/fipsmodule/md4/md4.c +3 -1
  315. data/third_party/boringssl/crypto/fipsmodule/md5/internal.h +37 -0
  316. data/third_party/boringssl/crypto/fipsmodule/md5/md5.c +11 -8
  317. data/third_party/boringssl/crypto/fipsmodule/modes/cbc.c +35 -79
  318. data/third_party/boringssl/crypto/fipsmodule/modes/cfb.c +7 -39
  319. data/third_party/boringssl/crypto/fipsmodule/modes/ctr.c +7 -27
  320. data/third_party/boringssl/crypto/fipsmodule/modes/gcm.c +123 -309
  321. data/third_party/boringssl/crypto/fipsmodule/modes/internal.h +189 -126
  322. data/third_party/boringssl/crypto/fipsmodule/modes/ofb.c +3 -2
  323. data/third_party/boringssl/crypto/fipsmodule/rand/ctrdrbg.c +2 -2
  324. data/third_party/boringssl/crypto/fipsmodule/rand/internal.h +35 -0
  325. data/third_party/boringssl/crypto/fipsmodule/rand/rand.c +24 -19
  326. data/third_party/boringssl/crypto/fipsmodule/rand/urandom.c +256 -77
  327. data/third_party/boringssl/crypto/fipsmodule/rsa/padding.c +10 -7
  328. data/third_party/boringssl/crypto/fipsmodule/rsa/rsa.c +5 -1
  329. data/third_party/boringssl/crypto/fipsmodule/rsa/rsa_impl.c +131 -14
  330. data/third_party/boringssl/crypto/fipsmodule/self_check/self_check.c +83 -10
  331. data/third_party/boringssl/crypto/fipsmodule/sha/internal.h +53 -0
  332. data/third_party/boringssl/crypto/fipsmodule/sha/sha1.c +9 -13
  333. data/third_party/boringssl/crypto/fipsmodule/sha/sha256.c +18 -12
  334. data/third_party/boringssl/crypto/fipsmodule/sha/sha512.c +95 -168
  335. data/third_party/boringssl/crypto/hrss/hrss.c +2201 -0
  336. data/third_party/boringssl/crypto/hrss/internal.h +62 -0
  337. data/third_party/boringssl/crypto/internal.h +95 -20
  338. data/third_party/boringssl/crypto/lhash/lhash.c +45 -33
  339. data/third_party/boringssl/crypto/mem.c +39 -2
  340. data/third_party/boringssl/crypto/obj/obj.c +4 -4
  341. data/third_party/boringssl/crypto/obj/obj_dat.h +6181 -875
  342. data/third_party/boringssl/crypto/pem/pem_all.c +2 -3
  343. data/third_party/boringssl/crypto/pem/pem_info.c +144 -162
  344. data/third_party/boringssl/crypto/pem/pem_lib.c +53 -52
  345. data/third_party/boringssl/crypto/pem/pem_pkey.c +13 -21
  346. data/third_party/boringssl/crypto/pkcs7/pkcs7.c +15 -22
  347. data/third_party/boringssl/crypto/pkcs7/pkcs7_x509.c +168 -16
  348. data/third_party/boringssl/crypto/pkcs8/internal.h +11 -0
  349. data/third_party/boringssl/crypto/pkcs8/p5_pbev2.c +24 -15
  350. data/third_party/boringssl/crypto/pkcs8/pkcs8.c +42 -25
  351. data/third_party/boringssl/crypto/pkcs8/pkcs8_x509.c +559 -43
  352. data/third_party/boringssl/crypto/pool/internal.h +1 -1
  353. data/third_party/boringssl/crypto/pool/pool.c +21 -0
  354. data/third_party/boringssl/crypto/rand_extra/deterministic.c +8 -0
  355. data/third_party/boringssl/crypto/rand_extra/fuchsia.c +1 -14
  356. data/third_party/boringssl/crypto/refcount_lock.c +2 -2
  357. data/third_party/boringssl/crypto/rsa_extra/rsa_print.c +22 -0
  358. data/third_party/boringssl/crypto/siphash/siphash.c +80 -0
  359. data/third_party/boringssl/crypto/stack/stack.c +83 -32
  360. data/third_party/boringssl/crypto/thread_none.c +2 -2
  361. data/third_party/boringssl/crypto/thread_pthread.c +2 -2
  362. data/third_party/boringssl/crypto/thread_win.c +38 -19
  363. data/third_party/boringssl/crypto/x509/a_strex.c +22 -2
  364. data/third_party/boringssl/crypto/x509/asn1_gen.c +2 -1
  365. data/third_party/boringssl/crypto/x509/by_dir.c +7 -0
  366. data/third_party/boringssl/crypto/x509/by_file.c +12 -10
  367. data/third_party/boringssl/crypto/x509/t_crl.c +5 -8
  368. data/third_party/boringssl/crypto/x509/t_req.c +1 -3
  369. data/third_party/boringssl/crypto/x509/t_x509.c +5 -8
  370. data/third_party/boringssl/crypto/x509/x509_cmp.c +1 -1
  371. data/third_party/boringssl/crypto/x509/x509_def.c +1 -1
  372. data/third_party/boringssl/crypto/x509/x509_lu.c +114 -5
  373. data/third_party/boringssl/crypto/x509/x509_req.c +20 -0
  374. data/third_party/boringssl/crypto/x509/x509_set.c +5 -0
  375. data/third_party/boringssl/crypto/x509/x509_trs.c +1 -0
  376. data/third_party/boringssl/crypto/x509/x509_txt.c +4 -5
  377. data/third_party/boringssl/crypto/x509/x509_vfy.c +145 -138
  378. data/third_party/boringssl/crypto/x509/x509_vpm.c +2 -0
  379. data/third_party/boringssl/crypto/x509/x509cset.c +40 -0
  380. data/third_party/boringssl/crypto/x509/x509name.c +2 -3
  381. data/third_party/boringssl/crypto/x509/x_all.c +109 -210
  382. data/third_party/boringssl/crypto/x509/x_x509.c +6 -0
  383. data/third_party/boringssl/crypto/x509v3/ext_dat.h +1 -3
  384. data/third_party/boringssl/crypto/x509v3/internal.h +56 -0
  385. data/third_party/boringssl/crypto/x509v3/pcy_cache.c +2 -0
  386. data/third_party/boringssl/crypto/x509v3/pcy_node.c +1 -0
  387. data/third_party/boringssl/crypto/x509v3/pcy_tree.c +4 -2
  388. data/third_party/boringssl/crypto/x509v3/v3_akey.c +5 -2
  389. data/third_party/boringssl/crypto/x509v3/v3_alt.c +19 -13
  390. data/third_party/boringssl/crypto/x509v3/v3_conf.c +2 -1
  391. data/third_party/boringssl/crypto/x509v3/v3_cpols.c +3 -2
  392. data/third_party/boringssl/crypto/x509v3/v3_genn.c +1 -6
  393. data/third_party/boringssl/crypto/x509v3/v3_lib.c +1 -0
  394. data/third_party/boringssl/crypto/x509v3/v3_ocsp.c +68 -0
  395. data/third_party/boringssl/crypto/x509v3/v3_pci.c +2 -1
  396. data/third_party/boringssl/crypto/x509v3/v3_purp.c +47 -69
  397. data/third_party/boringssl/crypto/x509v3/v3_skey.c +5 -2
  398. data/third_party/boringssl/crypto/x509v3/v3_utl.c +69 -25
  399. data/third_party/boringssl/include/openssl/aead.h +45 -19
  400. data/third_party/boringssl/include/openssl/aes.h +32 -7
  401. data/third_party/boringssl/include/openssl/asn1.h +7 -77
  402. data/third_party/boringssl/include/openssl/base.h +120 -6
  403. data/third_party/boringssl/include/openssl/base64.h +4 -1
  404. data/third_party/boringssl/include/openssl/bio.h +112 -81
  405. data/third_party/boringssl/include/openssl/blowfish.h +3 -3
  406. data/third_party/boringssl/include/openssl/bn.h +55 -29
  407. data/third_party/boringssl/include/openssl/buf.h +2 -2
  408. data/third_party/boringssl/include/openssl/bytestring.h +54 -32
  409. data/third_party/boringssl/include/openssl/cast.h +2 -2
  410. data/third_party/boringssl/include/openssl/cipher.h +46 -16
  411. data/third_party/boringssl/include/openssl/cmac.h +6 -2
  412. data/third_party/boringssl/include/openssl/conf.h +3 -6
  413. data/third_party/boringssl/include/openssl/cpu.h +25 -9
  414. data/third_party/boringssl/include/openssl/crypto.h +32 -10
  415. data/third_party/boringssl/include/openssl/curve25519.h +4 -4
  416. data/third_party/boringssl/include/openssl/dh.h +3 -2
  417. data/third_party/boringssl/include/openssl/digest.h +21 -7
  418. data/third_party/boringssl/include/openssl/dsa.h +8 -2
  419. data/third_party/boringssl/include/openssl/e_os2.h +18 -0
  420. data/third_party/boringssl/include/openssl/ec.h +25 -21
  421. data/third_party/boringssl/include/openssl/ec_key.h +36 -8
  422. data/third_party/boringssl/include/openssl/ecdh.h +17 -0
  423. data/third_party/boringssl/include/openssl/ecdsa.h +3 -3
  424. data/third_party/boringssl/include/openssl/engine.h +4 -4
  425. data/third_party/boringssl/include/openssl/err.h +3 -0
  426. data/third_party/boringssl/include/openssl/evp.h +199 -42
  427. data/third_party/boringssl/include/openssl/hmac.h +4 -4
  428. data/third_party/boringssl/include/openssl/hrss.h +100 -0
  429. data/third_party/boringssl/include/openssl/lhash.h +131 -23
  430. data/third_party/boringssl/include/openssl/md4.h +6 -4
  431. data/third_party/boringssl/include/openssl/md5.h +6 -4
  432. data/third_party/boringssl/include/openssl/mem.h +6 -2
  433. data/third_party/boringssl/include/openssl/nid.h +3 -0
  434. data/third_party/boringssl/include/openssl/obj.h +3 -0
  435. data/third_party/boringssl/include/openssl/pem.h +102 -64
  436. data/third_party/boringssl/include/openssl/pkcs7.h +136 -3
  437. data/third_party/boringssl/include/openssl/pkcs8.h +42 -3
  438. data/third_party/boringssl/include/openssl/pool.h +13 -2
  439. data/third_party/boringssl/include/openssl/ripemd.h +5 -4
  440. data/third_party/boringssl/include/openssl/rsa.h +46 -15
  441. data/third_party/boringssl/include/openssl/sha.h +40 -28
  442. data/third_party/boringssl/include/openssl/siphash.h +37 -0
  443. data/third_party/boringssl/include/openssl/span.h +17 -9
  444. data/third_party/boringssl/include/openssl/ssl.h +766 -393
  445. data/third_party/boringssl/include/openssl/ssl3.h +4 -3
  446. data/third_party/boringssl/include/openssl/stack.h +134 -77
  447. data/third_party/boringssl/include/openssl/thread.h +1 -1
  448. data/third_party/boringssl/include/openssl/tls1.h +25 -9
  449. data/third_party/boringssl/include/openssl/type_check.h +14 -15
  450. data/third_party/boringssl/include/openssl/x509.h +28 -3
  451. data/third_party/boringssl/include/openssl/x509_vfy.h +98 -32
  452. data/third_party/boringssl/include/openssl/x509v3.h +17 -13
  453. data/third_party/boringssl/ssl/d1_both.cc +9 -18
  454. data/third_party/boringssl/ssl/d1_lib.cc +4 -3
  455. data/third_party/boringssl/ssl/d1_pkt.cc +4 -4
  456. data/third_party/boringssl/ssl/d1_srtp.cc +15 -15
  457. data/third_party/boringssl/ssl/dtls_method.cc +0 -1
  458. data/third_party/boringssl/ssl/dtls_record.cc +28 -28
  459. data/third_party/boringssl/ssl/handoff.cc +295 -91
  460. data/third_party/boringssl/ssl/handshake.cc +133 -72
  461. data/third_party/boringssl/ssl/handshake_client.cc +218 -189
  462. data/third_party/boringssl/ssl/handshake_server.cc +399 -272
  463. data/third_party/boringssl/ssl/internal.h +1413 -928
  464. data/third_party/boringssl/ssl/s3_both.cc +175 -36
  465. data/third_party/boringssl/ssl/s3_lib.cc +9 -13
  466. data/third_party/boringssl/ssl/s3_pkt.cc +63 -29
  467. data/third_party/boringssl/ssl/ssl_aead_ctx.cc +55 -35
  468. data/third_party/boringssl/ssl/ssl_asn1.cc +57 -73
  469. data/third_party/boringssl/ssl/ssl_buffer.cc +13 -12
  470. data/third_party/boringssl/ssl/ssl_cert.cc +313 -210
  471. data/third_party/boringssl/ssl/ssl_cipher.cc +159 -221
  472. data/third_party/boringssl/ssl/ssl_file.cc +2 -0
  473. data/third_party/boringssl/ssl/ssl_key_share.cc +164 -19
  474. data/third_party/boringssl/ssl/ssl_lib.cc +847 -555
  475. data/third_party/boringssl/ssl/ssl_privkey.cc +441 -111
  476. data/third_party/boringssl/ssl/ssl_session.cc +230 -178
  477. data/third_party/boringssl/ssl/ssl_transcript.cc +21 -142
  478. data/third_party/boringssl/ssl/ssl_versions.cc +88 -93
  479. data/third_party/boringssl/ssl/ssl_x509.cc +279 -218
  480. data/third_party/boringssl/ssl/t1_enc.cc +5 -96
  481. data/third_party/boringssl/ssl/t1_lib.cc +931 -678
  482. data/third_party/boringssl/ssl/tls13_both.cc +251 -121
  483. data/third_party/boringssl/ssl/tls13_client.cc +129 -73
  484. data/third_party/boringssl/ssl/tls13_enc.cc +350 -282
  485. data/third_party/boringssl/ssl/tls13_server.cc +259 -192
  486. data/third_party/boringssl/ssl/tls_method.cc +26 -21
  487. data/third_party/boringssl/ssl/tls_record.cc +42 -47
  488. data/third_party/boringssl/third_party/fiat/curve25519.c +261 -1324
  489. data/third_party/boringssl/third_party/fiat/curve25519_32.h +911 -0
  490. data/third_party/boringssl/third_party/fiat/curve25519_64.h +559 -0
  491. data/third_party/boringssl/third_party/fiat/p256.c +238 -999
  492. data/third_party/boringssl/third_party/fiat/p256_32.h +3226 -0
  493. data/third_party/boringssl/third_party/fiat/p256_64.h +1217 -0
  494. data/third_party/upb/upb/port_def.inc +1 -1
  495. data/third_party/upb/upb/table.c +2 -1
  496. metadata +72 -44
  497. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_load_balancer_api.h +0 -127
  498. data/src/core/lib/gpr/mpscq.cc +0 -117
  499. data/src/core/lib/gpr/mpscq.h +0 -88
  500. data/src/core/lib/gprpp/abstract.h +0 -47
  501. data/src/core/lib/gprpp/pair.h +0 -38
  502. data/third_party/boringssl/crypto/cipher_extra/e_ssl3.c +0 -460
  503. data/third_party/boringssl/crypto/fipsmodule/modes/ccm.c +0 -256
  504. data/third_party/boringssl/include/openssl/lhash_macros.h +0 -174
  505. data/third_party/boringssl/ssl/custom_extensions.cc +0 -265
@@ -27,7 +27,7 @@
27
27
  #include "internal.h"
28
28
 
29
29
 
30
- namespace bssl {
30
+ BSSL_NAMESPACE_BEGIN
31
31
 
32
32
  // BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will
33
33
  // not overflow.
@@ -113,9 +113,10 @@ static int dtls_read_buffer_next_packet(SSL *ssl) {
113
113
  }
114
114
 
115
115
  // Read a single packet from |ssl->rbio|. |buf->cap()| must fit in an int.
116
- int ret = BIO_read(ssl->rbio, buf->data(), static_cast<int>(buf->cap()));
116
+ int ret =
117
+ BIO_read(ssl->rbio.get(), buf->data(), static_cast<int>(buf->cap()));
117
118
  if (ret <= 0) {
118
- ssl->s3->rwstate = SSL_READING;
119
+ ssl->s3->rwstate = SSL_ERROR_WANT_READ;
119
120
  return ret;
120
121
  }
121
122
  buf->DidWrite(static_cast<size_t>(ret));
@@ -134,10 +135,10 @@ static int tls_read_buffer_extend_to(SSL *ssl, size_t len) {
134
135
  while (buf->size() < len) {
135
136
  // The amount of data to read is bounded by |buf->cap|, which must fit in an
136
137
  // int.
137
- int ret = BIO_read(ssl->rbio, buf->data() + buf->size(),
138
+ int ret = BIO_read(ssl->rbio.get(), buf->data() + buf->size(),
138
139
  static_cast<int>(len - buf->size()));
139
140
  if (ret <= 0) {
140
- ssl->s3->rwstate = SSL_READING;
141
+ ssl->s3->rwstate = SSL_ERROR_WANT_READ;
141
142
  return ret;
142
143
  }
143
144
  buf->DidWrite(static_cast<size_t>(ret));
@@ -163,7 +164,7 @@ int ssl_read_buffer_extend_to(SSL *ssl, size_t len) {
163
164
  return -1;
164
165
  }
165
166
 
166
- if (ssl->rbio == NULL) {
167
+ if (ssl->rbio == nullptr) {
167
168
  OPENSSL_PUT_ERROR(SSL, SSL_R_BIO_NOT_SET);
168
169
  return -1;
169
170
  }
@@ -240,9 +241,9 @@ static int tls_write_buffer_flush(SSL *ssl) {
240
241
  SSLBuffer *buf = &ssl->s3->write_buffer;
241
242
 
242
243
  while (!buf->empty()) {
243
- int ret = BIO_write(ssl->wbio, buf->data(), buf->size());
244
+ int ret = BIO_write(ssl->wbio.get(), buf->data(), buf->size());
244
245
  if (ret <= 0) {
245
- ssl->s3->rwstate = SSL_WRITING;
246
+ ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;
246
247
  return ret;
247
248
  }
248
249
  buf->Consume(static_cast<size_t>(ret));
@@ -257,9 +258,9 @@ static int dtls_write_buffer_flush(SSL *ssl) {
257
258
  return 1;
258
259
  }
259
260
 
260
- int ret = BIO_write(ssl->wbio, buf->data(), buf->size());
261
+ int ret = BIO_write(ssl->wbio.get(), buf->data(), buf->size());
261
262
  if (ret <= 0) {
262
- ssl->s3->rwstate = SSL_WRITING;
263
+ ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;
263
264
  // If the write failed, drop the write buffer anyway. Datagram transports
264
265
  // can't write half a packet, so the caller is expected to retry from the
265
266
  // top.
@@ -271,7 +272,7 @@ static int dtls_write_buffer_flush(SSL *ssl) {
271
272
  }
272
273
 
273
274
  int ssl_write_buffer_flush(SSL *ssl) {
274
- if (ssl->wbio == NULL) {
275
+ if (ssl->wbio == nullptr) {
275
276
  OPENSSL_PUT_ERROR(SSL, SSL_R_BIO_NOT_SET);
276
277
  return -1;
277
278
  }
@@ -283,4 +284,4 @@ int ssl_write_buffer_flush(SSL *ssl) {
283
284
  }
284
285
  }
285
286
 
286
- } // namespace bssl
287
+ BSSL_NAMESPACE_END
@@ -133,18 +133,14 @@
133
133
  #include "internal.h"
134
134
 
135
135
 
136
- namespace bssl {
136
+ BSSL_NAMESPACE_BEGIN
137
137
 
138
- CERT *ssl_cert_new(const SSL_X509_METHOD *x509_method) {
139
- CERT *ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
140
- if (ret == NULL) {
141
- OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
142
- return NULL;
143
- }
144
- OPENSSL_memset(ret, 0, sizeof(CERT));
145
- ret->x509_method = x509_method;
138
+ CERT::CERT(const SSL_X509_METHOD *x509_method_arg)
139
+ : x509_method(x509_method_arg) {}
146
140
 
147
- return ret;
141
+ CERT::~CERT() {
142
+ ssl_cert_clear_certs(this);
143
+ x509_method->cert_free(this);
148
144
  }
149
145
 
150
146
  static CRYPTO_BUFFER *buffer_up_ref(CRYPTO_BUFFER *buffer) {
@@ -152,59 +148,49 @@ static CRYPTO_BUFFER *buffer_up_ref(CRYPTO_BUFFER *buffer) {
152
148
  return buffer;
153
149
  }
154
150
 
155
- CERT *ssl_cert_dup(CERT *cert) {
156
- CERT *ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
157
- if (ret == NULL) {
158
- OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
159
- return NULL;
151
+ UniquePtr<CERT> ssl_cert_dup(CERT *cert) {
152
+ UniquePtr<CERT> ret = MakeUnique<CERT>(cert->x509_method);
153
+ if (!ret) {
154
+ return nullptr;
160
155
  }
161
- OPENSSL_memset(ret, 0, sizeof(CERT));
162
-
163
- ret->chain = sk_CRYPTO_BUFFER_deep_copy(cert->chain, buffer_up_ref,
164
- CRYPTO_BUFFER_free);
165
156
 
166
- if (cert->privatekey != NULL) {
167
- EVP_PKEY_up_ref(cert->privatekey);
168
- ret->privatekey = cert->privatekey;
157
+ if (cert->chain) {
158
+ ret->chain.reset(sk_CRYPTO_BUFFER_deep_copy(
159
+ cert->chain.get(), buffer_up_ref, CRYPTO_BUFFER_free));
160
+ if (!ret->chain) {
161
+ return nullptr;
162
+ }
169
163
  }
170
164
 
165
+ ret->privatekey = UpRef(cert->privatekey);
171
166
  ret->key_method = cert->key_method;
172
- ret->x509_method = cert->x509_method;
173
167
 
174
- if (cert->sigalgs != NULL) {
175
- ret->sigalgs = (uint16_t *)BUF_memdup(
176
- cert->sigalgs, cert->num_sigalgs * sizeof(cert->sigalgs[0]));
177
- if (ret->sigalgs == NULL) {
178
- goto err;
179
- }
168
+ if (!ret->sigalgs.CopyFrom(cert->sigalgs)) {
169
+ return nullptr;
180
170
  }
181
- ret->num_sigalgs = cert->num_sigalgs;
182
171
 
183
172
  ret->cert_cb = cert->cert_cb;
184
173
  ret->cert_cb_arg = cert->cert_cb_arg;
185
174
 
186
- ret->x509_method->cert_dup(ret, cert);
187
-
188
- if (cert->signed_cert_timestamp_list != NULL) {
189
- CRYPTO_BUFFER_up_ref(cert->signed_cert_timestamp_list);
190
- ret->signed_cert_timestamp_list = cert->signed_cert_timestamp_list;
191
- }
175
+ ret->x509_method->cert_dup(ret.get(), cert);
192
176
 
193
- if (cert->ocsp_response != NULL) {
194
- CRYPTO_BUFFER_up_ref(cert->ocsp_response);
195
- ret->ocsp_response = cert->ocsp_response;
196
- }
177
+ ret->signed_cert_timestamp_list = UpRef(cert->signed_cert_timestamp_list);
178
+ ret->ocsp_response = UpRef(cert->ocsp_response);
197
179
 
198
180
  ret->sid_ctx_length = cert->sid_ctx_length;
199
181
  OPENSSL_memcpy(ret->sid_ctx, cert->sid_ctx, sizeof(ret->sid_ctx));
200
182
 
201
- ret->enable_early_data = cert->enable_early_data;
183
+ if (cert->dc) {
184
+ ret->dc = cert->dc->Dup();
185
+ if (!ret->dc) {
186
+ return nullptr;
187
+ }
188
+ }
202
189
 
203
- return ret;
190
+ ret->dc_privatekey = UpRef(cert->dc_privatekey);
191
+ ret->dc_key_method = cert->dc_key_method;
204
192
 
205
- err:
206
- ssl_cert_free(ret);
207
- return NULL;
193
+ return ret;
208
194
  }
209
195
 
210
196
  // Free up and clear all certificates and chains
@@ -215,25 +201,13 @@ void ssl_cert_clear_certs(CERT *cert) {
215
201
 
216
202
  cert->x509_method->cert_clear(cert);
217
203
 
218
- sk_CRYPTO_BUFFER_pop_free(cert->chain, CRYPTO_BUFFER_free);
219
- cert->chain = NULL;
220
- EVP_PKEY_free(cert->privatekey);
221
- cert->privatekey = NULL;
222
- cert->key_method = NULL;
223
- }
224
-
225
- void ssl_cert_free(CERT *cert) {
226
- if (cert == NULL) {
227
- return;
228
- }
229
-
230
- ssl_cert_clear_certs(cert);
231
- cert->x509_method->cert_free(cert);
232
- OPENSSL_free(cert->sigalgs);
233
- CRYPTO_BUFFER_free(cert->signed_cert_timestamp_list);
234
- CRYPTO_BUFFER_free(cert->ocsp_response);
204
+ cert->chain.reset();
205
+ cert->privatekey.reset();
206
+ cert->key_method = nullptr;
235
207
 
236
- OPENSSL_free(cert);
208
+ cert->dc.reset();
209
+ cert->dc_privatekey.reset();
210
+ cert->dc_key_method = nullptr;
237
211
  }
238
212
 
239
213
  static void ssl_cert_set_cert_cb(CERT *cert, int (*cb)(SSL *ssl, void *arg),
@@ -272,7 +246,7 @@ static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey(
272
246
  // An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA
273
247
  // certificates, so sanity-check the key usage extension.
274
248
  if (pubkey->type == EVP_PKEY_EC &&
275
- !ssl_cert_check_digital_signature_key_usage(&cert_cbs)) {
249
+ !ssl_cert_check_key_usage(&cert_cbs, key_usage_digital_signature)) {
276
250
  OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
277
251
  return leaf_cert_and_privkey_error;
278
252
  }
@@ -311,42 +285,33 @@ static int cert_set_chain_and_key(
311
285
  break;
312
286
  }
313
287
 
314
- STACK_OF(CRYPTO_BUFFER) *certs_sk = sk_CRYPTO_BUFFER_new_null();
315
- if (certs_sk == NULL) {
288
+ UniquePtr<STACK_OF(CRYPTO_BUFFER)> certs_sk(sk_CRYPTO_BUFFER_new_null());
289
+ if (!certs_sk) {
316
290
  return 0;
317
291
  }
318
292
 
319
293
  for (size_t i = 0; i < num_certs; i++) {
320
- if (!sk_CRYPTO_BUFFER_push(certs_sk, certs[i])) {
321
- sk_CRYPTO_BUFFER_pop_free(certs_sk, CRYPTO_BUFFER_free);
294
+ if (!PushToStack(certs_sk.get(), UpRef(certs[i]))) {
322
295
  return 0;
323
296
  }
324
- CRYPTO_BUFFER_up_ref(certs[i]);
325
297
  }
326
298
 
327
- EVP_PKEY_free(cert->privatekey);
328
- cert->privatekey = privkey;
329
- if (privkey != NULL) {
330
- EVP_PKEY_up_ref(privkey);
331
- }
299
+ cert->privatekey = UpRef(privkey);
332
300
  cert->key_method = privkey_method;
333
301
 
334
- sk_CRYPTO_BUFFER_pop_free(cert->chain, CRYPTO_BUFFER_free);
335
- cert->chain = certs_sk;
336
-
302
+ cert->chain = std::move(certs_sk);
337
303
  return 1;
338
304
  }
339
305
 
340
- int ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer) {
341
- switch (check_leaf_cert_and_privkey(buffer.get(), cert->privatekey)) {
306
+ bool ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer) {
307
+ switch (check_leaf_cert_and_privkey(buffer.get(), cert->privatekey.get())) {
342
308
  case leaf_cert_and_privkey_error:
343
- return 0;
309
+ return false;
344
310
  case leaf_cert_and_privkey_mismatch:
345
311
  // don't fail for a cert/key mismatch, just free current private key
346
312
  // (when switching to a different cert & key, first this function should
347
313
  // be used, then |ssl_set_pkey|.
348
- EVP_PKEY_free(cert->privatekey);
349
- cert->privatekey = NULL;
314
+ cert->privatekey.reset();
350
315
  break;
351
316
  case leaf_cert_and_privkey_ok:
352
317
  break;
@@ -354,30 +319,29 @@ int ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer) {
354
319
 
355
320
  cert->x509_method->cert_flush_cached_leaf(cert);
356
321
 
357
- if (cert->chain != NULL) {
358
- CRYPTO_BUFFER_free(sk_CRYPTO_BUFFER_value(cert->chain, 0));
359
- sk_CRYPTO_BUFFER_set(cert->chain, 0, buffer.release());
360
- return 1;
322
+ if (cert->chain != nullptr) {
323
+ CRYPTO_BUFFER_free(sk_CRYPTO_BUFFER_value(cert->chain.get(), 0));
324
+ sk_CRYPTO_BUFFER_set(cert->chain.get(), 0, buffer.release());
325
+ return true;
361
326
  }
362
327
 
363
- cert->chain = sk_CRYPTO_BUFFER_new_null();
364
- if (cert->chain == NULL) {
365
- return 0;
328
+ cert->chain.reset(sk_CRYPTO_BUFFER_new_null());
329
+ if (cert->chain == nullptr) {
330
+ return false;
366
331
  }
367
332
 
368
- if (!PushToStack(cert->chain, std::move(buffer))) {
369
- sk_CRYPTO_BUFFER_free(cert->chain);
370
- cert->chain = NULL;
371
- return 0;
333
+ if (!PushToStack(cert->chain.get(), std::move(buffer))) {
334
+ cert->chain.reset();
335
+ return false;
372
336
  }
373
337
 
374
- return 1;
338
+ return true;
375
339
  }
376
340
 
377
- int ssl_has_certificate(const SSL *ssl) {
378
- return ssl->cert->chain != NULL &&
379
- sk_CRYPTO_BUFFER_value(ssl->cert->chain, 0) != NULL &&
380
- ssl_has_private_key(ssl);
341
+ bool ssl_has_certificate(const SSL_HANDSHAKE *hs) {
342
+ return hs->config->cert->chain != nullptr &&
343
+ sk_CRYPTO_BUFFER_value(hs->config->cert->chain.get(), 0) != nullptr &&
344
+ ssl_has_private_key(hs);
381
345
  }
382
346
 
383
347
  bool ssl_parse_cert_chain(uint8_t *out_alert,
@@ -444,18 +408,18 @@ bool ssl_parse_cert_chain(uint8_t *out_alert,
444
408
  return true;
445
409
  }
446
410
 
447
- int ssl_add_cert_chain(SSL *ssl, CBB *cbb) {
448
- if (!ssl_has_certificate(ssl)) {
411
+ bool ssl_add_cert_chain(SSL_HANDSHAKE *hs, CBB *cbb) {
412
+ if (!ssl_has_certificate(hs)) {
449
413
  return CBB_add_u24(cbb, 0);
450
414
  }
451
415
 
452
416
  CBB certs;
453
417
  if (!CBB_add_u24_length_prefixed(cbb, &certs)) {
454
418
  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
455
- return 0;
419
+ return false;
456
420
  }
457
421
 
458
- STACK_OF(CRYPTO_BUFFER) *chain = ssl->cert->chain;
422
+ STACK_OF(CRYPTO_BUFFER) *chain = hs->config->cert->chain.get();
459
423
  for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(chain); i++) {
460
424
  CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(chain, i);
461
425
  CBB child;
@@ -464,7 +428,7 @@ int ssl_add_cert_chain(SSL *ssl, CBB *cbb) {
464
428
  CRYPTO_BUFFER_len(buffer)) ||
465
429
  !CBB_flush(&certs)) {
466
430
  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
467
- return 0;
431
+ return false;
468
432
  }
469
433
  }
470
434
 
@@ -474,7 +438,7 @@ int ssl_add_cert_chain(SSL *ssl, CBB *cbb) {
474
438
  // ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and
475
439
  // positions |*out_tbs_cert| to cover the TBSCertificate, starting at the
476
440
  // subjectPublicKeyInfo.
477
- static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {
441
+ static bool ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {
478
442
  /* From RFC 5280, section 4.1
479
443
  * Certificate ::= SEQUENCE {
480
444
  * tbsCertificate TBSCertificate,
@@ -510,10 +474,10 @@ static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {
510
474
  !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
511
475
  // subject
512
476
  !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE)) {
513
- return 0;
477
+ return false;
514
478
  }
515
479
 
516
- return 1;
480
+ return true;
517
481
  }
518
482
 
519
483
  UniquePtr<EVP_PKEY> ssl_cert_parse_pubkey(const CBS *in) {
@@ -526,61 +490,57 @@ UniquePtr<EVP_PKEY> ssl_cert_parse_pubkey(const CBS *in) {
526
490
  return UniquePtr<EVP_PKEY>(EVP_parse_public_key(&tbs_cert));
527
491
  }
528
492
 
529
- int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
530
- const EVP_PKEY *privkey) {
493
+ bool ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
494
+ const EVP_PKEY *privkey) {
531
495
  if (EVP_PKEY_is_opaque(privkey)) {
532
496
  // We cannot check an opaque private key and have to trust that it
533
497
  // matches.
534
- return 1;
498
+ return true;
535
499
  }
536
500
 
537
- int ret = 0;
538
-
539
501
  switch (EVP_PKEY_cmp(pubkey, privkey)) {
540
502
  case 1:
541
- ret = 1;
542
- break;
503
+ return true;
543
504
  case 0:
544
505
  OPENSSL_PUT_ERROR(X509, X509_R_KEY_VALUES_MISMATCH);
545
- break;
506
+ return false;
546
507
  case -1:
547
508
  OPENSSL_PUT_ERROR(X509, X509_R_KEY_TYPE_MISMATCH);
548
- break;
509
+ return false;
549
510
  case -2:
550
511
  OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);
551
- break;
552
- default:
553
- assert(0);
554
- break;
512
+ return false;
555
513
  }
556
514
 
557
- return ret;
515
+ assert(0);
516
+ return false;
558
517
  }
559
518
 
560
- int ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey) {
561
- if (privkey == NULL) {
519
+ bool ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey) {
520
+ if (privkey == nullptr) {
562
521
  OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
563
- return 0;
522
+ return false;
564
523
  }
565
524
 
566
- if (cert->chain == NULL ||
567
- sk_CRYPTO_BUFFER_value(cert->chain, 0) == NULL) {
525
+ if (cert->chain == nullptr ||
526
+ sk_CRYPTO_BUFFER_value(cert->chain.get(), 0) == nullptr) {
568
527
  OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
569
- return 0;
528
+ return false;
570
529
  }
571
530
 
572
531
  CBS cert_cbs;
573
- CRYPTO_BUFFER_init_CBS(sk_CRYPTO_BUFFER_value(cert->chain, 0), &cert_cbs);
532
+ CRYPTO_BUFFER_init_CBS(sk_CRYPTO_BUFFER_value(cert->chain.get(), 0),
533
+ &cert_cbs);
574
534
  UniquePtr<EVP_PKEY> pubkey = ssl_cert_parse_pubkey(&cert_cbs);
575
535
  if (!pubkey) {
576
536
  OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);
577
- return 0;
537
+ return false;
578
538
  }
579
539
 
580
540
  return ssl_compare_public_and_private_key(pubkey.get(), privkey);
581
541
  }
582
542
 
583
- int ssl_cert_check_digital_signature_key_usage(const CBS *in) {
543
+ bool ssl_cert_check_key_usage(const CBS *in, enum ssl_key_usage_t bit) {
584
544
  CBS buf = *in;
585
545
 
586
546
  CBS tbs_cert, outer_extensions;
@@ -600,17 +560,17 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) {
600
560
  &tbs_cert, &outer_extensions, &has_extensions,
601
561
  CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3)) {
602
562
  OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
603
- return 0;
563
+ return false;
604
564
  }
605
565
 
606
566
  if (!has_extensions) {
607
- return 1;
567
+ return true;
608
568
  }
609
569
 
610
570
  CBS extensions;
611
571
  if (!CBS_get_asn1(&outer_extensions, &extensions, CBS_ASN1_SEQUENCE)) {
612
572
  OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
613
- return 0;
573
+ return false;
614
574
  }
615
575
 
616
576
  while (CBS_len(&extensions) > 0) {
@@ -622,7 +582,7 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) {
622
582
  !CBS_get_asn1(&extension, &contents, CBS_ASN1_OCTETSTRING) ||
623
583
  CBS_len(&extension) != 0) {
624
584
  OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
625
- return 0;
585
+ return false;
626
586
  }
627
587
 
628
588
  static const uint8_t kKeyUsageOID[3] = {0x55, 0x1d, 0x0f};
@@ -636,26 +596,26 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) {
636
596
  if (!CBS_get_asn1(&contents, &bit_string, CBS_ASN1_BITSTRING) ||
637
597
  CBS_len(&contents) != 0) {
638
598
  OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
639
- return 0;
599
+ return false;
640
600
  }
641
601
 
642
602
  // This is the KeyUsage extension. See
643
603
  // https://tools.ietf.org/html/rfc5280#section-4.2.1.3
644
604
  if (!CBS_is_valid_asn1_bitstring(&bit_string)) {
645
605
  OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
646
- return 0;
606
+ return false;
647
607
  }
648
608
 
649
- if (!CBS_asn1_bitstring_has_bit(&bit_string, 0)) {
650
- OPENSSL_PUT_ERROR(SSL, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
651
- return 0;
609
+ if (!CBS_asn1_bitstring_has_bit(&bit_string, bit)) {
610
+ OPENSSL_PUT_ERROR(SSL, SSL_R_KEY_USAGE_BIT_INCORRECT);
611
+ return false;
652
612
  }
653
613
 
654
- return 1;
614
+ return true;
655
615
  }
656
616
 
657
617
  // No KeyUsage extension found.
658
- return 1;
618
+ return true;
659
619
  }
660
620
 
661
621
  UniquePtr<STACK_OF(CRYPTO_BUFFER)> ssl_parse_client_CA_list(SSL *ssl,
@@ -696,7 +656,7 @@ UniquePtr<STACK_OF(CRYPTO_BUFFER)> ssl_parse_client_CA_list(SSL *ssl,
696
656
  }
697
657
 
698
658
  if (!ssl->ctx->x509_method->check_client_CA_list(ret.get())) {
699
- *out_alert = SSL_AD_INTERNAL_ERROR;
659
+ *out_alert = SSL_AD_DECODE_ERROR;
700
660
  OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
701
661
  return nullptr;
702
662
  }
@@ -704,26 +664,26 @@ UniquePtr<STACK_OF(CRYPTO_BUFFER)> ssl_parse_client_CA_list(SSL *ssl,
704
664
  return ret;
705
665
  }
706
666
 
707
- bool ssl_has_client_CAs(SSL *ssl) {
708
- STACK_OF(CRYPTO_BUFFER) *names = ssl->client_CA;
709
- if (names == NULL) {
710
- names = ssl->ctx->client_CA;
667
+ bool ssl_has_client_CAs(const SSL_CONFIG *cfg) {
668
+ const STACK_OF(CRYPTO_BUFFER) *names = cfg->client_CA.get();
669
+ if (names == nullptr) {
670
+ names = cfg->ssl->ctx->client_CA.get();
711
671
  }
712
- if (names == NULL) {
672
+ if (names == nullptr) {
713
673
  return false;
714
674
  }
715
675
  return sk_CRYPTO_BUFFER_num(names) > 0;
716
676
  }
717
677
 
718
- int ssl_add_client_CA_list(SSL *ssl, CBB *cbb) {
678
+ bool ssl_add_client_CA_list(SSL_HANDSHAKE *hs, CBB *cbb) {
719
679
  CBB child, name_cbb;
720
680
  if (!CBB_add_u16_length_prefixed(cbb, &child)) {
721
- return 0;
681
+ return false;
722
682
  }
723
683
 
724
- STACK_OF(CRYPTO_BUFFER) *names = ssl->client_CA;
684
+ const STACK_OF(CRYPTO_BUFFER) *names = hs->config->client_CA.get();
725
685
  if (names == NULL) {
726
- names = ssl->ctx->client_CA;
686
+ names = hs->ssl->ctx->client_CA.get();
727
687
  }
728
688
  if (names == NULL) {
729
689
  return CBB_flush(cbb);
@@ -733,36 +693,21 @@ int ssl_add_client_CA_list(SSL *ssl, CBB *cbb) {
733
693
  if (!CBB_add_u16_length_prefixed(&child, &name_cbb) ||
734
694
  !CBB_add_bytes(&name_cbb, CRYPTO_BUFFER_data(name),
735
695
  CRYPTO_BUFFER_len(name))) {
736
- return 0;
696
+ return false;
737
697
  }
738
698
  }
739
699
 
740
700
  return CBB_flush(cbb);
741
701
  }
742
702
 
743
- int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
744
- const CRYPTO_BUFFER *leaf) {
745
- SSL *const ssl = hs->ssl;
746
- assert(ssl_protocol_version(ssl) < TLS1_3_VERSION);
703
+ bool ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
704
+ const CRYPTO_BUFFER *leaf) {
705
+ assert(ssl_protocol_version(hs->ssl) < TLS1_3_VERSION);
747
706
 
748
707
  // Check the certificate's type matches the cipher.
749
708
  if (!(hs->new_cipher->algorithm_auth & ssl_cipher_auth_mask_for_key(pkey))) {
750
709
  OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CERTIFICATE_TYPE);
751
- return 0;
752
- }
753
-
754
- // Check key usages for all key types but RSA. This is needed to distinguish
755
- // ECDH certificates, which we do not support, from ECDSA certificates. In
756
- // principle, we should check RSA key usages based on cipher, but this breaks
757
- // buggy antivirus deployments. Other key types are always used for signing.
758
- //
759
- // TODO(davidben): Get more recent data on RSA key usages.
760
- if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA) {
761
- CBS leaf_cbs;
762
- CBS_init(&leaf_cbs, CRYPTO_BUFFER_data(leaf), CRYPTO_BUFFER_len(leaf));
763
- if (!ssl_cert_check_digital_signature_key_usage(&leaf_cbs)) {
764
- return 0;
765
- }
710
+ return false;
766
711
  }
767
712
 
768
713
  if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
@@ -771,49 +716,184 @@ int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
771
716
  uint16_t group_id;
772
717
  if (!ssl_nid_to_group_id(
773
718
  &group_id, EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key))) ||
774
- !tls1_check_group_id(ssl, group_id) ||
719
+ !tls1_check_group_id(hs, group_id) ||
775
720
  EC_KEY_get_conv_form(ec_key) != POINT_CONVERSION_UNCOMPRESSED) {
776
721
  OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECC_CERT);
777
- return 0;
722
+ return false;
778
723
  }
779
724
  }
780
725
 
781
- return 1;
726
+ return true;
782
727
  }
783
728
 
784
- int ssl_on_certificate_selected(SSL_HANDSHAKE *hs) {
729
+ bool ssl_on_certificate_selected(SSL_HANDSHAKE *hs) {
785
730
  SSL *const ssl = hs->ssl;
786
- if (!ssl_has_certificate(ssl)) {
731
+ if (!ssl_has_certificate(hs)) {
787
732
  // Nothing to do.
788
- return 1;
733
+ return true;
789
734
  }
790
735
 
791
- if (!ssl->ctx->x509_method->ssl_auto_chain_if_needed(ssl)) {
792
- return 0;
736
+ if (!ssl->ctx->x509_method->ssl_auto_chain_if_needed(hs)) {
737
+ return false;
793
738
  }
794
739
 
795
740
  CBS leaf;
796
- CRYPTO_BUFFER_init_CBS(sk_CRYPTO_BUFFER_value(ssl->cert->chain, 0), &leaf);
741
+ CRYPTO_BUFFER_init_CBS(
742
+ sk_CRYPTO_BUFFER_value(hs->config->cert->chain.get(), 0), &leaf);
797
743
 
798
- hs->local_pubkey = ssl_cert_parse_pubkey(&leaf);
744
+ if (ssl_signing_with_dc(hs)) {
745
+ hs->local_pubkey = UpRef(hs->config->cert->dc->pkey);
746
+ } else {
747
+ hs->local_pubkey = ssl_cert_parse_pubkey(&leaf);
748
+ }
799
749
  return hs->local_pubkey != NULL;
800
750
  }
801
751
 
802
- } // namespace bssl
752
+
753
+ // Delegated credentials.
754
+
755
+ DC::DC() = default;
756
+ DC::~DC() = default;
757
+
758
+ UniquePtr<DC> DC::Dup() {
759
+ bssl::UniquePtr<DC> ret = MakeUnique<DC>();
760
+ if (!ret) {
761
+ return nullptr;
762
+ }
763
+
764
+ ret->raw = UpRef(raw);
765
+ ret->expected_cert_verify_algorithm = expected_cert_verify_algorithm;
766
+ ret->pkey = UpRef(pkey);
767
+ return ret;
768
+ }
769
+
770
+ // static
771
+ UniquePtr<DC> DC::Parse(CRYPTO_BUFFER *in, uint8_t *out_alert) {
772
+ UniquePtr<DC> dc = MakeUnique<DC>();
773
+ if (!dc) {
774
+ *out_alert = SSL_AD_INTERNAL_ERROR;
775
+ return nullptr;
776
+ }
777
+
778
+ dc->raw = UpRef(in);
779
+
780
+ CBS pubkey, deleg, sig;
781
+ uint32_t valid_time;
782
+ uint16_t algorithm;
783
+ CRYPTO_BUFFER_init_CBS(dc->raw.get(), &deleg);
784
+ if (!CBS_get_u32(&deleg, &valid_time) ||
785
+ !CBS_get_u16(&deleg, &dc->expected_cert_verify_algorithm) ||
786
+ !CBS_get_u24_length_prefixed(&deleg, &pubkey) ||
787
+ !CBS_get_u16(&deleg, &algorithm) ||
788
+ !CBS_get_u16_length_prefixed(&deleg, &sig) ||
789
+ CBS_len(&deleg) != 0) {
790
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
791
+ *out_alert = SSL_AD_DECODE_ERROR;
792
+ return nullptr;
793
+ }
794
+
795
+ dc->pkey.reset(EVP_parse_public_key(&pubkey));
796
+ if (dc->pkey == nullptr) {
797
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
798
+ *out_alert = SSL_AD_DECODE_ERROR;
799
+ return nullptr;
800
+ }
801
+
802
+ return dc;
803
+ }
804
+
805
+ // ssl_can_serve_dc returns true if the host has configured a DC that it can
806
+ // serve in the handshake. Specifically, it checks that a DC has been
807
+ // configured and that the DC signature algorithm is supported by the peer.
808
+ static bool ssl_can_serve_dc(const SSL_HANDSHAKE *hs) {
809
+ // Check that a DC has been configured.
810
+ const CERT *cert = hs->config->cert.get();
811
+ if (cert->dc == nullptr ||
812
+ cert->dc->raw == nullptr ||
813
+ (cert->dc_privatekey == nullptr && cert->dc_key_method == nullptr)) {
814
+ return false;
815
+ }
816
+
817
+ // Check that 1.3 or higher has been negotiated.
818
+ const DC *dc = cert->dc.get();
819
+ assert(hs->ssl->s3->have_version);
820
+ if (ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
821
+ return false;
822
+ }
823
+
824
+ // Check that the DC signature algorithm is supported by the peer.
825
+ Span<const uint16_t> peer_sigalgs = tls1_get_peer_verify_algorithms(hs);
826
+ bool sigalg_found = false;
827
+ for (uint16_t peer_sigalg : peer_sigalgs) {
828
+ if (dc->expected_cert_verify_algorithm == peer_sigalg) {
829
+ sigalg_found = true;
830
+ break;
831
+ }
832
+ }
833
+
834
+ return sigalg_found;
835
+ }
836
+
837
+ bool ssl_signing_with_dc(const SSL_HANDSHAKE *hs) {
838
+ // As of draft-ietf-tls-subcert-03, only the server may use delegated
839
+ // credentials to authenticate itself.
840
+ return hs->ssl->server &&
841
+ hs->delegated_credential_requested &&
842
+ ssl_can_serve_dc(hs);
843
+ }
844
+
845
+ static int cert_set_dc(CERT *cert, CRYPTO_BUFFER *const raw, EVP_PKEY *privkey,
846
+ const SSL_PRIVATE_KEY_METHOD *key_method) {
847
+ if (privkey == nullptr && key_method == nullptr) {
848
+ OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
849
+ return 0;
850
+ }
851
+
852
+ if (privkey != nullptr && key_method != nullptr) {
853
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_HAVE_BOTH_PRIVKEY_AND_METHOD);
854
+ return 0;
855
+ }
856
+
857
+ uint8_t alert;
858
+ UniquePtr<DC> dc = DC::Parse(raw, &alert);
859
+ if (dc == nullptr) {
860
+ OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_DELEGATED_CREDENTIAL);
861
+ return 0;
862
+ }
863
+
864
+ if (privkey) {
865
+ // Check that the public and private keys match.
866
+ if (!ssl_compare_public_and_private_key(dc->pkey.get(), privkey)) {
867
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_AND_PRIVATE_KEY_MISMATCH);
868
+ return 0;
869
+ }
870
+ }
871
+
872
+ cert->dc = std::move(dc);
873
+ cert->dc_privatekey = UpRef(privkey);
874
+ cert->dc_key_method = key_method;
875
+
876
+ return 1;
877
+ }
878
+
879
+ BSSL_NAMESPACE_END
803
880
 
804
881
  using namespace bssl;
805
882
 
806
883
  int SSL_set_chain_and_key(SSL *ssl, CRYPTO_BUFFER *const *certs,
807
884
  size_t num_certs, EVP_PKEY *privkey,
808
885
  const SSL_PRIVATE_KEY_METHOD *privkey_method) {
809
- return cert_set_chain_and_key(ssl->cert, certs, num_certs, privkey,
810
- privkey_method);
886
+ if (!ssl->config) {
887
+ return 0;
888
+ }
889
+ return cert_set_chain_and_key(ssl->config->cert.get(), certs, num_certs,
890
+ privkey, privkey_method);
811
891
  }
812
892
 
813
893
  int SSL_CTX_set_chain_and_key(SSL_CTX *ctx, CRYPTO_BUFFER *const *certs,
814
894
  size_t num_certs, EVP_PKEY *privkey,
815
895
  const SSL_PRIVATE_KEY_METHOD *privkey_method) {
816
- return cert_set_chain_and_key(ctx->cert, certs, num_certs, privkey,
896
+ return cert_set_chain_and_key(ctx->cert.get(), certs, num_certs, privkey,
817
897
  privkey_method);
818
898
  }
819
899
 
@@ -824,37 +904,40 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len,
824
904
  return 0;
825
905
  }
826
906
 
827
- return ssl_set_cert(ctx->cert, std::move(buffer));
907
+ return ssl_set_cert(ctx->cert.get(), std::move(buffer));
828
908
  }
829
909
 
830
910
  int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {
831
911
  UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(der, der_len, NULL));
832
- if (!buffer) {
912
+ if (!buffer || !ssl->config) {
833
913
  return 0;
834
914
  }
835
915
 
836
- return ssl_set_cert(ssl->cert, std::move(buffer));
916
+ return ssl_set_cert(ssl->config->cert.get(), std::move(buffer));
837
917
  }
838
918
 
839
919
  void SSL_CTX_set_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, void *arg),
840
920
  void *arg) {
841
- ssl_cert_set_cert_cb(ctx->cert, cb, arg);
921
+ ssl_cert_set_cert_cb(ctx->cert.get(), cb, arg);
842
922
  }
843
923
 
844
924
  void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), void *arg) {
845
- ssl_cert_set_cert_cb(ssl->cert, cb, arg);
925
+ if (!ssl->config) {
926
+ return;
927
+ }
928
+ ssl_cert_set_cert_cb(ssl->config->cert.get(), cb, arg);
846
929
  }
847
930
 
848
- STACK_OF(CRYPTO_BUFFER) *SSL_get0_peer_certificates(const SSL *ssl) {
931
+ const STACK_OF(CRYPTO_BUFFER) *SSL_get0_peer_certificates(const SSL *ssl) {
849
932
  SSL_SESSION *session = SSL_get_session(ssl);
850
933
  if (session == NULL) {
851
934
  return NULL;
852
935
  }
853
936
 
854
- return session->certs;
937
+ return session->certs.get();
855
938
  }
856
939
 
857
- STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(const SSL *ssl) {
940
+ const STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(const SSL *ssl) {
858
941
  if (ssl->s3->hs == NULL) {
859
942
  return NULL;
860
943
  }
@@ -862,7 +945,7 @@ STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(const SSL *ssl) {
862
945
  }
863
946
 
864
947
  static int set_signed_cert_timestamp_list(CERT *cert, const uint8_t *list,
865
- size_t list_len) {
948
+ size_t list_len) {
866
949
  CBS sct_list;
867
950
  CBS_init(&sct_list, list, list_len);
868
951
  if (!ssl_is_sct_list_valid(&sct_list)) {
@@ -870,44 +953,64 @@ static int set_signed_cert_timestamp_list(CERT *cert, const uint8_t *list,
870
953
  return 0;
871
954
  }
872
955
 
873
- CRYPTO_BUFFER_free(cert->signed_cert_timestamp_list);
874
- cert->signed_cert_timestamp_list =
875
- CRYPTO_BUFFER_new(CBS_data(&sct_list), CBS_len(&sct_list), NULL);
876
- return cert->signed_cert_timestamp_list != NULL;
956
+ cert->signed_cert_timestamp_list.reset(
957
+ CRYPTO_BUFFER_new(CBS_data(&sct_list), CBS_len(&sct_list), nullptr));
958
+ return cert->signed_cert_timestamp_list != nullptr;
877
959
  }
878
960
 
879
961
  int SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx, const uint8_t *list,
880
962
  size_t list_len) {
881
- return set_signed_cert_timestamp_list(ctx->cert, list, list_len);
963
+ return set_signed_cert_timestamp_list(ctx->cert.get(), list, list_len);
882
964
  }
883
965
 
884
966
  int SSL_set_signed_cert_timestamp_list(SSL *ssl, const uint8_t *list,
885
967
  size_t list_len) {
886
- return set_signed_cert_timestamp_list(ssl->cert, list, list_len);
968
+ if (!ssl->config) {
969
+ return 0;
970
+ }
971
+ return set_signed_cert_timestamp_list(ssl->config->cert.get(), list,
972
+ list_len);
887
973
  }
888
974
 
889
975
  int SSL_CTX_set_ocsp_response(SSL_CTX *ctx, const uint8_t *response,
890
976
  size_t response_len) {
891
- CRYPTO_BUFFER_free(ctx->cert->ocsp_response);
892
- ctx->cert->ocsp_response = CRYPTO_BUFFER_new(response, response_len, NULL);
893
- return ctx->cert->ocsp_response != NULL;
977
+ ctx->cert->ocsp_response.reset(
978
+ CRYPTO_BUFFER_new(response, response_len, nullptr));
979
+ return ctx->cert->ocsp_response != nullptr;
894
980
  }
895
981
 
896
982
  int SSL_set_ocsp_response(SSL *ssl, const uint8_t *response,
897
983
  size_t response_len) {
898
- CRYPTO_BUFFER_free(ssl->cert->ocsp_response);
899
- ssl->cert->ocsp_response = CRYPTO_BUFFER_new(response, response_len, NULL);
900
- return ssl->cert->ocsp_response != NULL;
984
+ if (!ssl->config) {
985
+ return 0;
986
+ }
987
+ ssl->config->cert->ocsp_response.reset(
988
+ CRYPTO_BUFFER_new(response, response_len, nullptr));
989
+ return ssl->config->cert->ocsp_response != nullptr;
901
990
  }
902
991
 
903
992
  void SSL_CTX_set0_client_CAs(SSL_CTX *ctx, STACK_OF(CRYPTO_BUFFER) *name_list) {
904
993
  ctx->x509_method->ssl_ctx_flush_cached_client_CA(ctx);
905
- sk_CRYPTO_BUFFER_pop_free(ctx->client_CA, CRYPTO_BUFFER_free);
906
- ctx->client_CA = name_list;
994
+ ctx->client_CA.reset(name_list);
907
995
  }
908
996
 
909
997
  void SSL_set0_client_CAs(SSL *ssl, STACK_OF(CRYPTO_BUFFER) *name_list) {
910
- ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl);
911
- sk_CRYPTO_BUFFER_pop_free(ssl->client_CA, CRYPTO_BUFFER_free);
912
- ssl->client_CA = name_list;
998
+ if (!ssl->config) {
999
+ return;
1000
+ }
1001
+ ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config.get());
1002
+ ssl->config->client_CA.reset(name_list);
1003
+ }
1004
+
1005
+ int SSL_set1_delegated_credential(SSL *ssl, CRYPTO_BUFFER *dc, EVP_PKEY *pkey,
1006
+ const SSL_PRIVATE_KEY_METHOD *key_method) {
1007
+ if (!ssl->config) {
1008
+ return 0;
1009
+ }
1010
+
1011
+ return cert_set_dc(ssl->config->cert.get(), dc, pkey, key_method);
1012
+ }
1013
+
1014
+ int SSL_delegated_credential_used(const SSL *ssl) {
1015
+ return ssl->s3->delegated_credential_used;
913
1016
  }