grpc 1.26.0 → 1.30.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of grpc might be problematic. Click here for more details.

Files changed (1240) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +7860 -11139
  3. data/etc/roots.pem +44 -0
  4. data/include/grpc/grpc.h +2 -2
  5. data/include/grpc/grpc_security.h +59 -24
  6. data/include/grpc/grpc_security_constants.h +28 -0
  7. data/include/grpc/impl/codegen/grpc_types.h +38 -21
  8. data/include/grpc/impl/codegen/port_platform.h +14 -3
  9. data/include/grpc/impl/codegen/sync.h +5 -3
  10. data/include/grpc/impl/codegen/sync_abseil.h +36 -0
  11. data/include/grpc/module.modulemap +25 -37
  12. data/include/grpc/support/sync_abseil.h +26 -0
  13. data/src/core/ext/filters/client_channel/backend_metric.cc +7 -4
  14. data/src/core/ext/filters/client_channel/client_channel.cc +273 -264
  15. data/src/core/ext/filters/client_channel/client_channel_channelz.cc +31 -47
  16. data/src/core/ext/filters/client_channel/client_channel_channelz.h +1 -3
  17. data/src/core/ext/filters/client_channel/client_channel_plugin.cc +3 -2
  18. data/src/core/ext/filters/client_channel/health/health_check_client.cc +7 -22
  19. data/src/core/ext/filters/client_channel/health/health_check_client.h +3 -3
  20. data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +1 -1
  21. data/src/core/ext/filters/client_channel/http_proxy.cc +25 -15
  22. data/src/core/ext/filters/client_channel/lb_policy.cc +20 -18
  23. data/src/core/ext/filters/client_channel/lb_policy.h +42 -33
  24. data/src/core/ext/filters/client_channel/lb_policy/address_filtering.cc +83 -0
  25. data/src/core/ext/filters/client_channel/lb_policy/address_filtering.h +99 -0
  26. data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.cc +297 -0
  27. data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.h +83 -0
  28. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +423 -627
  29. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.cc +89 -0
  30. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.h +40 -0
  31. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +11 -9
  32. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.h +3 -2
  33. data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.cc +88 -121
  34. data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.h +28 -57
  35. data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +18 -21
  36. data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +871 -0
  37. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +10 -14
  38. data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +5 -11
  39. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +734 -0
  40. data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +150 -101
  41. data/src/core/ext/filters/client_channel/lb_policy/xds/eds.cc +938 -0
  42. data/src/core/ext/filters/client_channel/lb_policy/xds/lrs.cc +528 -0
  43. data/src/core/ext/filters/client_channel/lb_policy/xds/xds.h +1 -2
  44. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_routing.cc +834 -0
  45. data/src/core/ext/filters/client_channel/lb_policy_factory.h +3 -3
  46. data/src/core/ext/filters/client_channel/lb_policy_registry.cc +49 -77
  47. data/src/core/ext/filters/client_channel/lb_policy_registry.h +1 -1
  48. data/src/core/ext/filters/client_channel/local_subchannel_pool.h +2 -1
  49. data/src/core/ext/filters/client_channel/parse_address.cc +22 -21
  50. data/src/core/ext/filters/client_channel/resolver.cc +5 -8
  51. data/src/core/ext/filters/client_channel/resolver.h +12 -14
  52. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +129 -128
  53. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +35 -35
  54. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +8 -7
  55. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +17 -21
  56. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +5 -5
  57. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +72 -117
  58. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +186 -135
  59. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +5 -3
  60. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +7 -4
  61. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +42 -45
  62. data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +94 -103
  63. data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +0 -4
  64. data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +5 -5
  65. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +61 -10
  66. data/src/core/ext/filters/client_channel/resolver_factory.h +2 -2
  67. data/src/core/ext/filters/client_channel/resolver_registry.cc +6 -3
  68. data/src/core/ext/filters/client_channel/resolver_registry.h +8 -8
  69. data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +242 -300
  70. data/src/core/ext/filters/client_channel/resolver_result_parsing.h +21 -18
  71. data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +56 -206
  72. data/src/core/ext/filters/client_channel/resolving_lb_policy.h +11 -14
  73. data/src/core/ext/filters/client_channel/server_address.cc +6 -9
  74. data/src/core/ext/filters/client_channel/server_address.h +6 -12
  75. data/src/core/ext/filters/client_channel/service_config.cc +144 -253
  76. data/src/core/ext/filters/client_channel/service_config.h +32 -109
  77. data/src/core/ext/filters/client_channel/service_config_call_data.h +68 -0
  78. data/src/core/ext/filters/client_channel/service_config_parser.cc +87 -0
  79. data/src/core/ext/filters/client_channel/service_config_parser.h +89 -0
  80. data/src/core/ext/filters/client_channel/subchannel.cc +54 -24
  81. data/src/core/ext/filters/client_channel/subchannel.h +35 -11
  82. data/src/core/ext/filters/client_channel/xds/xds_api.cc +1556 -232
  83. data/src/core/ext/filters/client_channel/xds/xds_api.h +213 -114
  84. data/src/core/ext/filters/client_channel/xds/xds_bootstrap.cc +237 -345
  85. data/src/core/ext/filters/client_channel/xds/xds_bootstrap.h +34 -46
  86. data/src/core/ext/filters/client_channel/xds/xds_channel.h +3 -1
  87. data/src/core/ext/filters/client_channel/xds/xds_channel_secure.cc +18 -11
  88. data/src/core/ext/filters/client_channel/xds/xds_client.cc +1326 -399
  89. data/src/core/ext/filters/client_channel/xds/xds_client.h +124 -41
  90. data/src/core/ext/filters/client_channel/xds/xds_client_stats.cc +59 -138
  91. data/src/core/ext/filters/client_channel/xds/xds_client_stats.h +133 -154
  92. data/src/core/ext/filters/http/client/http_client_filter.cc +23 -28
  93. data/src/core/ext/filters/http/client_authority_filter.cc +4 -4
  94. data/src/core/ext/filters/http/http_filters_plugin.cc +27 -12
  95. data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +258 -221
  96. data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +358 -0
  97. data/src/core/ext/filters/http/message_compress/message_decompress_filter.h +29 -0
  98. data/src/core/ext/filters/message_size/message_size_filter.cc +38 -44
  99. data/src/core/ext/filters/message_size/message_size_filter.h +5 -5
  100. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +7 -10
  101. data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +4 -6
  102. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +28 -29
  103. data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +1 -0
  104. data/src/core/ext/transport/chttp2/transport/flow_control.cc +3 -3
  105. data/src/core/ext/transport/chttp2/transport/frame_goaway.h +2 -3
  106. data/src/core/ext/transport/chttp2/transport/frame_ping.h +2 -3
  107. data/src/core/ext/transport/chttp2/transport/frame_rst_stream.h +2 -3
  108. data/src/core/ext/transport/chttp2/transport/frame_settings.h +2 -3
  109. data/src/core/ext/transport/chttp2/transport/frame_window_update.h +2 -3
  110. data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +29 -16
  111. data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +2 -3
  112. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +2 -3
  113. data/src/core/ext/transport/chttp2/transport/hpack_table.h +2 -2
  114. data/src/core/ext/transport/chttp2/transport/http2_settings.h +4 -5
  115. data/src/core/ext/transport/chttp2/transport/huffsyms.h +2 -3
  116. data/src/core/ext/transport/chttp2/transport/internal.h +14 -21
  117. data/src/core/ext/transport/chttp2/transport/stream_map.h +2 -3
  118. data/src/core/ext/transport/chttp2/transport/writing.cc +16 -9
  119. data/src/core/ext/transport/inproc/inproc_transport.cc +41 -42
  120. data/src/core/ext/upb-generated/envoy/annotations/deprecation.upb.c +17 -0
  121. data/src/core/ext/upb-generated/envoy/annotations/deprecation.upb.h +30 -0
  122. data/src/core/ext/upb-generated/envoy/annotations/resource.upb.c +27 -0
  123. data/src/core/ext/upb-generated/envoy/annotations/resource.upb.h +54 -0
  124. data/src/core/ext/upb-generated/envoy/api/v2/auth/cert.upb.c +5 -205
  125. data/src/core/ext/upb-generated/envoy/api/v2/auth/cert.upb.h +5 -788
  126. data/src/core/ext/upb-generated/envoy/api/v2/auth/common.upb.c +114 -0
  127. data/src/core/ext/upb-generated/envoy/api/v2/auth/common.upb.h +418 -0
  128. data/src/core/ext/upb-generated/envoy/api/v2/auth/secret.upb.c +72 -0
  129. data/src/core/ext/upb-generated/envoy/api/v2/auth/secret.upb.h +197 -0
  130. data/src/core/ext/upb-generated/envoy/api/v2/auth/tls.upb.c +105 -0
  131. data/src/core/ext/upb-generated/envoy/api/v2/auth/tls.upb.h +378 -0
  132. data/src/core/ext/upb-generated/envoy/api/v2/cds.upb.c +5 -362
  133. data/src/core/ext/upb-generated/envoy/api/v2/cds.upb.h +14 -1337
  134. data/src/core/ext/upb-generated/envoy/api/v2/cluster.upb.c +403 -0
  135. data/src/core/ext/upb-generated/envoy/api/v2/cluster.upb.h +1447 -0
  136. data/src/core/ext/upb-generated/envoy/api/v2/cluster/circuit_breaker.upb.c +30 -8
  137. data/src/core/ext/upb-generated/envoy/api/v2/cluster/circuit_breaker.upb.h +60 -0
  138. data/src/core/ext/upb-generated/envoy/api/v2/cluster/filter.upb.c +2 -0
  139. data/src/core/ext/upb-generated/envoy/api/v2/cluster/outlier_detection.upb.c +2 -0
  140. data/src/core/ext/upb-generated/envoy/api/v2/core/address.upb.c +7 -4
  141. data/src/core/ext/upb-generated/envoy/api/v2/core/address.upb.h +6 -2
  142. data/src/core/ext/upb-generated/envoy/api/v2/core/backoff.upb.c +35 -0
  143. data/src/core/ext/upb-generated/envoy/api/v2/core/backoff.upb.h +78 -0
  144. data/src/core/ext/upb-generated/envoy/api/v2/core/base.upb.c +87 -23
  145. data/src/core/ext/upb-generated/envoy/api/v2/core/base.upb.h +262 -62
  146. data/src/core/ext/upb-generated/envoy/api/v2/core/config_source.upb.c +20 -15
  147. data/src/core/ext/upb-generated/envoy/api/v2/core/config_source.upb.h +46 -32
  148. data/src/core/ext/upb-generated/envoy/api/v2/core/event_service_config.upb.c +34 -0
  149. data/src/core/ext/upb-generated/envoy/api/v2/core/event_service_config.upb.h +72 -0
  150. data/src/core/ext/upb-generated/envoy/api/v2/core/grpc_service.upb.c +27 -4
  151. data/src/core/ext/upb-generated/envoy/api/v2/core/grpc_service.upb.h +70 -0
  152. data/src/core/ext/upb-generated/envoy/api/v2/core/health_check.upb.c +46 -25
  153. data/src/core/ext/upb-generated/envoy/api/v2/core/health_check.upb.h +98 -25
  154. data/src/core/ext/upb-generated/envoy/api/v2/core/http_uri.upb.c +2 -0
  155. data/src/core/ext/upb-generated/envoy/api/v2/core/protocol.upb.c +77 -21
  156. data/src/core/ext/upb-generated/envoy/api/v2/core/protocol.upb.h +201 -4
  157. data/src/core/ext/upb-generated/envoy/api/v2/core/socket_option.upb.c +34 -0
  158. data/src/core/ext/upb-generated/envoy/api/v2/core/socket_option.upb.h +89 -0
  159. data/src/core/ext/upb-generated/envoy/api/v2/discovery.upb.c +2 -0
  160. data/src/core/ext/upb-generated/envoy/api/v2/eds.upb.c +8 -68
  161. data/src/core/ext/upb-generated/envoy/api/v2/eds.upb.h +14 -201
  162. data/src/core/ext/upb-generated/envoy/api/v2/endpoint.upb.c +92 -0
  163. data/src/core/ext/upb-generated/envoy/api/v2/endpoint.upb.h +240 -0
  164. data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint.upb.c +2 -71
  165. data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint.upb.h +3 -228
  166. data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint_components.upb.c +91 -0
  167. data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint_components.upb.h +266 -0
  168. data/src/core/ext/upb-generated/envoy/api/v2/endpoint/load_report.upb.c +2 -0
  169. data/src/core/ext/upb-generated/envoy/api/v2/lds.upb.c +31 -0
  170. data/src/core/ext/upb-generated/envoy/api/v2/lds.upb.h +53 -0
  171. data/src/core/ext/upb-generated/envoy/api/v2/listener.upb.c +109 -0
  172. data/src/core/ext/upb-generated/envoy/api/v2/listener.upb.h +399 -0
  173. data/src/core/ext/upb-generated/envoy/api/v2/listener/listener.upb.c +18 -0
  174. data/src/core/ext/upb-generated/envoy/api/v2/listener/listener.upb.h +33 -0
  175. data/src/core/ext/upb-generated/envoy/api/v2/listener/listener_components.upb.c +145 -0
  176. data/src/core/ext/upb-generated/envoy/api/v2/listener/listener_components.upb.h +527 -0
  177. data/src/core/ext/upb-generated/envoy/api/v2/listener/udp_listener_config.upb.c +43 -0
  178. data/src/core/ext/upb-generated/envoy/api/v2/listener/udp_listener_config.upb.h +112 -0
  179. data/src/core/ext/upb-generated/envoy/api/v2/rds.upb.c +30 -0
  180. data/src/core/ext/upb-generated/envoy/api/v2/rds.upb.h +53 -0
  181. data/src/core/ext/upb-generated/envoy/api/v2/route.upb.c +63 -0
  182. data/src/core/ext/upb-generated/envoy/api/v2/route.upb.h +199 -0
  183. data/src/core/ext/upb-generated/envoy/api/v2/route/route.upb.c +18 -0
  184. data/src/core/ext/upb-generated/envoy/api/v2/route/route.upb.h +33 -0
  185. data/src/core/ext/upb-generated/envoy/api/v2/route/route_components.upb.c +815 -0
  186. data/src/core/ext/upb-generated/envoy/api/v2/route/route_components.upb.h +3032 -0
  187. data/src/core/ext/upb-generated/envoy/api/v2/scoped_route.upb.c +59 -0
  188. data/src/core/ext/upb-generated/envoy/api/v2/scoped_route.upb.h +134 -0
  189. data/src/core/ext/upb-generated/envoy/api/v2/srds.upb.c +28 -0
  190. data/src/core/ext/upb-generated/envoy/api/v2/srds.upb.h +53 -0
  191. data/src/core/ext/upb-generated/envoy/config/filter/accesslog/v2/accesslog.upb.c +228 -0
  192. data/src/core/ext/upb-generated/envoy/config/filter/accesslog/v2/accesslog.upb.h +725 -0
  193. data/src/core/ext/upb-generated/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.upb.c +316 -0
  194. data/src/core/ext/upb-generated/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.upb.h +1132 -0
  195. data/src/core/ext/upb-generated/envoy/config/listener/v2/api_listener.upb.c +33 -0
  196. data/src/core/ext/upb-generated/envoy/config/listener/v2/api_listener.upb.h +65 -0
  197. data/src/core/ext/upb-generated/envoy/config/trace/v2/http_tracer.upb.c +51 -0
  198. data/src/core/ext/upb-generated/envoy/config/trace/v2/http_tracer.upb.h +125 -0
  199. data/src/core/ext/upb-generated/envoy/service/discovery/v2/ads.upb.c +1 -0
  200. data/src/core/ext/upb-generated/envoy/service/load_stats/v2/lrs.upb.c +4 -2
  201. data/src/core/ext/upb-generated/envoy/service/load_stats/v2/lrs.upb.h +4 -0
  202. data/src/core/ext/upb-generated/envoy/type/http.upb.c +1 -0
  203. data/src/core/ext/upb-generated/envoy/type/matcher/regex.upb.c +63 -0
  204. data/src/core/ext/upb-generated/envoy/type/matcher/regex.upb.h +144 -0
  205. data/src/core/ext/upb-generated/envoy/type/matcher/string.upb.c +53 -0
  206. data/src/core/ext/upb-generated/envoy/type/matcher/string.upb.h +133 -0
  207. data/src/core/ext/upb-generated/envoy/type/metadata/v2/metadata.upb.c +88 -0
  208. data/src/core/ext/upb-generated/envoy/type/metadata/v2/metadata.upb.h +258 -0
  209. data/src/core/ext/upb-generated/envoy/type/percent.upb.c +1 -0
  210. data/src/core/ext/upb-generated/envoy/type/range.upb.c +12 -0
  211. data/src/core/ext/upb-generated/envoy/type/range.upb.h +27 -0
  212. data/src/core/ext/upb-generated/envoy/type/semantic_version.upb.c +29 -0
  213. data/src/core/ext/upb-generated/envoy/type/semantic_version.upb.h +62 -0
  214. data/src/core/ext/upb-generated/envoy/type/tracing/v2/custom_tag.upb.c +89 -0
  215. data/src/core/ext/upb-generated/envoy/type/tracing/v2/custom_tag.upb.h +249 -0
  216. data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.c +9 -8
  217. data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.h +30 -24
  218. data/src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.c +30 -27
  219. data/src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.h +64 -52
  220. data/src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.c +13 -5
  221. data/src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.h +34 -0
  222. data/src/core/ext/upb-generated/udpa/annotations/migrate.upb.c +48 -0
  223. data/src/core/ext/upb-generated/udpa/annotations/migrate.upb.h +104 -0
  224. data/src/core/ext/upb-generated/udpa/annotations/sensitive.upb.c +17 -0
  225. data/src/core/ext/upb-generated/udpa/annotations/sensitive.upb.h +30 -0
  226. data/src/core/ext/upb-generated/udpa/annotations/status.upb.c +28 -0
  227. data/src/core/ext/upb-generated/udpa/annotations/status.upb.h +65 -0
  228. data/src/core/ext/upb-generated/validate/validate.upb.c +44 -39
  229. data/src/core/ext/upb-generated/validate/validate.upb.h +155 -119
  230. data/src/core/lib/channel/channel_args.cc +15 -14
  231. data/src/core/lib/channel/channel_args.h +3 -1
  232. data/src/core/lib/channel/channel_stack.h +20 -13
  233. data/src/core/lib/channel/channel_trace.cc +32 -41
  234. data/src/core/lib/channel/channel_trace.h +3 -3
  235. data/src/core/lib/channel/channelz.cc +163 -254
  236. data/src/core/lib/channel/channelz.h +20 -12
  237. data/src/core/lib/channel/channelz_registry.cc +52 -77
  238. data/src/core/lib/channel/channelz_registry.h +4 -4
  239. data/src/core/lib/channel/connected_channel.cc +7 -5
  240. data/src/core/lib/channel/context.h +1 -1
  241. data/src/core/lib/channel/handshaker.cc +11 -13
  242. data/src/core/lib/channel/handshaker.h +4 -2
  243. data/src/core/lib/channel/handshaker_registry.cc +5 -17
  244. data/src/core/lib/channel/status_util.cc +2 -3
  245. data/src/core/lib/compression/message_compress.cc +5 -1
  246. data/src/core/lib/debug/stats.cc +21 -27
  247. data/src/core/lib/debug/stats.h +3 -1
  248. data/src/core/lib/gpr/spinlock.h +2 -3
  249. data/src/core/lib/gpr/string.cc +2 -26
  250. data/src/core/lib/gpr/string.h +0 -16
  251. data/src/core/lib/gpr/sync_abseil.cc +116 -0
  252. data/src/core/lib/gpr/sync_posix.cc +8 -5
  253. data/src/core/lib/gpr/sync_windows.cc +4 -2
  254. data/src/core/lib/gpr/time.cc +4 -0
  255. data/src/core/lib/gpr/time_posix.cc +1 -1
  256. data/src/core/lib/gpr/time_precise.cc +1 -1
  257. data/src/core/lib/gprpp/atomic.h +6 -6
  258. data/src/core/lib/gprpp/fork.cc +1 -1
  259. data/src/core/lib/gprpp/host_port.cc +30 -36
  260. data/src/core/lib/gprpp/host_port.h +14 -17
  261. data/src/core/lib/gprpp/map.h +5 -11
  262. data/src/core/lib/gprpp/memory.h +2 -6
  263. data/src/core/lib/gprpp/ref_counted_ptr.h +5 -0
  264. data/src/core/lib/gprpp/sync.h +9 -0
  265. data/src/core/lib/http/format_request.cc +46 -65
  266. data/src/core/lib/http/httpcli.cc +2 -3
  267. data/src/core/lib/http/httpcli.h +2 -3
  268. data/src/core/lib/http/httpcli_security_connector.cc +5 -5
  269. data/src/core/lib/http/parser.h +2 -3
  270. data/src/core/lib/iomgr/buffer_list.cc +36 -35
  271. data/src/core/lib/iomgr/buffer_list.h +22 -21
  272. data/src/core/lib/iomgr/call_combiner.h +3 -2
  273. data/src/core/lib/iomgr/cfstream_handle.cc +3 -2
  274. data/src/core/lib/iomgr/closure.h +2 -3
  275. data/src/core/lib/iomgr/dualstack_socket_posix.cc +47 -0
  276. data/src/core/lib/iomgr/endpoint_cfstream.cc +2 -3
  277. data/src/core/lib/iomgr/endpoint_pair.h +2 -3
  278. data/src/core/lib/iomgr/error.cc +6 -9
  279. data/src/core/lib/iomgr/error.h +4 -5
  280. data/src/core/lib/iomgr/ev_apple.cc +356 -0
  281. data/src/core/lib/iomgr/ev_apple.h +43 -0
  282. data/src/core/lib/iomgr/ev_epoll1_linux.cc +20 -23
  283. data/src/core/lib/iomgr/ev_epollex_linux.cc +14 -7
  284. data/src/core/lib/iomgr/ev_poll_posix.cc +3 -3
  285. data/src/core/lib/iomgr/ev_posix.cc +2 -3
  286. data/src/core/lib/iomgr/exec_ctx.h +14 -2
  287. data/src/core/lib/iomgr/executor.cc +1 -1
  288. data/src/core/lib/iomgr/fork_posix.cc +4 -0
  289. data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +84 -20
  290. data/src/core/lib/iomgr/load_file.cc +1 -0
  291. data/src/core/lib/iomgr/poller/eventmanager_libuv.cc +87 -0
  292. data/src/core/lib/iomgr/poller/eventmanager_libuv.h +88 -0
  293. data/src/core/lib/iomgr/pollset_set_custom.cc +10 -10
  294. data/src/core/lib/iomgr/pollset_uv.h +32 -0
  295. data/src/core/lib/iomgr/port.h +1 -0
  296. data/src/core/lib/iomgr/python_util.h +46 -0
  297. data/src/core/lib/iomgr/resolve_address.h +4 -6
  298. data/src/core/lib/iomgr/resolve_address_custom.cc +29 -39
  299. data/src/core/lib/iomgr/resolve_address_custom.h +4 -2
  300. data/src/core/lib/iomgr/resolve_address_posix.cc +10 -11
  301. data/src/core/lib/iomgr/resolve_address_windows.cc +8 -17
  302. data/src/core/lib/iomgr/resource_quota.cc +4 -6
  303. data/src/core/lib/iomgr/sockaddr_utils.cc +23 -29
  304. data/src/core/lib/iomgr/sockaddr_utils.h +9 -14
  305. data/src/core/lib/iomgr/socket_factory_posix.h +2 -3
  306. data/src/core/lib/iomgr/socket_mutator.h +2 -3
  307. data/src/core/lib/iomgr/socket_utils_common_posix.cc +21 -26
  308. data/src/core/lib/iomgr/socket_utils_posix.h +15 -0
  309. data/src/core/lib/iomgr/tcp_client_cfstream.cc +5 -7
  310. data/src/core/lib/iomgr/tcp_client_posix.cc +25 -22
  311. data/src/core/lib/iomgr/tcp_client_posix.h +6 -6
  312. data/src/core/lib/iomgr/tcp_client_windows.cc +2 -3
  313. data/src/core/lib/iomgr/tcp_custom.cc +2 -3
  314. data/src/core/lib/iomgr/tcp_custom.h +3 -0
  315. data/src/core/lib/iomgr/tcp_posix.cc +608 -56
  316. data/src/core/lib/iomgr/tcp_server_custom.cc +20 -11
  317. data/src/core/lib/iomgr/tcp_server_posix.cc +5 -4
  318. data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +13 -4
  319. data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +8 -11
  320. data/src/core/lib/iomgr/tcp_uv.cc +3 -2
  321. data/src/core/lib/iomgr/time_averaged_stats.h +2 -3
  322. data/src/core/lib/iomgr/timer_generic.cc +2 -3
  323. data/src/core/lib/iomgr/timer_generic.h +39 -0
  324. data/src/core/lib/iomgr/timer_heap.h +2 -3
  325. data/src/core/lib/iomgr/udp_server.cc +9 -14
  326. data/src/core/lib/iomgr/work_serializer.cc +155 -0
  327. data/src/core/lib/iomgr/work_serializer.h +65 -0
  328. data/src/core/lib/json/json.h +209 -68
  329. data/src/core/lib/json/json_reader.cc +511 -319
  330. data/src/core/lib/json/json_writer.cc +202 -110
  331. data/src/core/lib/security/credentials/alts/check_gcp_environment.cc +1 -1
  332. data/src/core/lib/security/credentials/composite/composite_credentials.cc +19 -0
  333. data/src/core/lib/security/credentials/composite/composite_credentials.h +11 -4
  334. data/src/core/lib/security/credentials/credentials.cc +0 -84
  335. data/src/core/lib/security/credentials/credentials.h +18 -60
  336. data/src/core/lib/security/credentials/fake/fake_credentials.h +6 -1
  337. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +9 -12
  338. data/src/core/lib/security/credentials/iam/iam_credentials.cc +8 -6
  339. data/src/core/lib/security/credentials/iam/iam_credentials.h +4 -0
  340. data/src/core/lib/security/credentials/jwt/json_token.cc +26 -56
  341. data/src/core/lib/security/credentials/jwt/json_token.h +4 -6
  342. data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +8 -18
  343. data/src/core/lib/security/credentials/jwt/jwt_credentials.h +12 -0
  344. data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +151 -168
  345. data/src/core/lib/security/credentials/jwt/jwt_verifier.h +4 -6
  346. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +92 -61
  347. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +10 -4
  348. data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +19 -4
  349. data/src/core/lib/security/credentials/plugin/plugin_credentials.h +4 -1
  350. data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc +43 -13
  351. data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +47 -11
  352. data/src/core/lib/security/credentials/tls/tls_credentials.cc +128 -0
  353. data/src/core/lib/security/credentials/tls/tls_credentials.h +62 -0
  354. data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +34 -6
  355. data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +29 -9
  356. data/src/core/lib/security/security_connector/load_system_roots_fallback.cc +2 -2
  357. data/src/core/lib/security/security_connector/load_system_roots_linux.cc +5 -4
  358. data/src/core/lib/security/security_connector/local/local_security_connector.cc +32 -7
  359. data/src/core/lib/security/security_connector/security_connector.h +1 -1
  360. data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +20 -37
  361. data/src/core/lib/security/security_connector/ssl/ssl_security_connector.h +4 -6
  362. data/src/core/lib/security/security_connector/ssl_utils.cc +107 -16
  363. data/src/core/lib/security/security_connector/ssl_utils.h +24 -11
  364. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +603 -0
  365. data/src/core/lib/security/security_connector/tls/tls_security_connector.h +183 -0
  366. data/src/core/lib/security/transport/client_auth_filter.cc +34 -2
  367. data/src/core/lib/security/transport/security_handshaker.cc +2 -2
  368. data/src/core/lib/security/util/json_util.cc +22 -15
  369. data/src/core/lib/security/util/json_util.h +2 -2
  370. data/src/core/lib/slice/slice_intern.cc +2 -3
  371. data/src/core/lib/slice/slice_internal.h +14 -0
  372. data/src/core/lib/slice/slice_utils.h +9 -0
  373. data/src/core/lib/surface/byte_buffer_reader.cc +2 -47
  374. data/src/core/lib/surface/call.cc +2 -3
  375. data/src/core/lib/surface/call_log_batch.cc +50 -58
  376. data/src/core/lib/surface/channel.cc +53 -31
  377. data/src/core/lib/surface/channel.h +35 -4
  378. data/src/core/lib/surface/channel_ping.cc +2 -3
  379. data/src/core/lib/surface/completion_queue.cc +55 -34
  380. data/src/core/lib/surface/event_string.cc +18 -25
  381. data/src/core/lib/surface/event_string.h +3 -1
  382. data/src/core/lib/surface/init_secure.cc +1 -4
  383. data/src/core/lib/surface/server.cc +570 -369
  384. data/src/core/lib/surface/server.h +32 -0
  385. data/src/core/lib/surface/version.cc +2 -2
  386. data/src/core/lib/transport/byte_stream.h +7 -2
  387. data/src/core/lib/transport/connectivity_state.cc +7 -6
  388. data/src/core/lib/transport/connectivity_state.h +5 -3
  389. data/src/core/lib/transport/metadata.cc +3 -3
  390. data/src/core/lib/transport/metadata_batch.h +2 -3
  391. data/src/core/lib/transport/static_metadata.h +1 -1
  392. data/src/core/lib/transport/status_conversion.cc +6 -14
  393. data/src/core/lib/transport/transport.cc +2 -3
  394. data/src/core/lib/transport/transport.h +3 -2
  395. data/src/core/lib/transport/transport_op_string.cc +61 -102
  396. data/src/core/lib/uri/uri_parser.h +2 -3
  397. data/src/core/plugin_registry/grpc_plugin_registry.cc +20 -4
  398. data/src/core/tsi/alts/crypt/aes_gcm.cc +0 -2
  399. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +9 -2
  400. data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +8 -4
  401. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +44 -4
  402. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.h +10 -2
  403. data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.h +2 -3
  404. data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +3 -3
  405. data/src/core/tsi/fake_transport_security.cc +17 -18
  406. data/src/core/tsi/fake_transport_security.h +2 -0
  407. data/src/core/tsi/ssl/session_cache/ssl_session.h +0 -2
  408. data/src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc +1 -1
  409. data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +0 -2
  410. data/src/core/tsi/ssl/session_cache/ssl_session_openssl.cc +1 -1
  411. data/src/core/tsi/ssl_transport_security.cc +197 -47
  412. data/src/core/tsi/ssl_transport_security.h +23 -9
  413. data/src/core/tsi/ssl_types.h +0 -2
  414. data/src/core/tsi/transport_security.cc +13 -0
  415. data/src/core/tsi/transport_security.h +6 -9
  416. data/src/core/tsi/transport_security_grpc.cc +2 -2
  417. data/src/core/tsi/transport_security_grpc.h +4 -5
  418. data/src/core/tsi/transport_security_interface.h +15 -3
  419. data/src/ruby/bin/math_pb.rb +5 -5
  420. data/src/ruby/ext/grpc/rb_call.c +9 -1
  421. data/src/ruby/ext/grpc/rb_call_credentials.c +4 -1
  422. data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +2 -0
  423. data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +4 -1
  424. data/src/ruby/lib/grpc/errors.rb +103 -42
  425. data/src/ruby/lib/grpc/generic/active_call.rb +2 -3
  426. data/src/ruby/lib/grpc/generic/interceptors.rb +4 -4
  427. data/src/ruby/lib/grpc/generic/rpc_server.rb +9 -10
  428. data/src/ruby/lib/grpc/generic/service.rb +5 -4
  429. data/src/ruby/lib/grpc/structs.rb +1 -1
  430. data/src/ruby/lib/grpc/version.rb +1 -1
  431. data/src/ruby/pb/generate_proto_ruby.sh +5 -3
  432. data/src/ruby/pb/grpc/health/v1/health_pb.rb +3 -3
  433. data/src/ruby/pb/src/proto/grpc/testing/empty_pb.rb +1 -1
  434. data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +34 -13
  435. data/src/ruby/pb/src/proto/grpc/testing/test_services_pb.rb +16 -0
  436. data/src/ruby/spec/debug_message_spec.rb +134 -0
  437. data/src/ruby/spec/generic/service_spec.rb +2 -0
  438. data/src/ruby/spec/pb/codegen/grpc/testing/package_options_ruby_style.proto +5 -0
  439. data/src/ruby/spec/pb/codegen/package_option_spec.rb +2 -0
  440. data/src/ruby/spec/testdata/ca.pem +18 -13
  441. data/src/ruby/spec/testdata/client.key +26 -14
  442. data/src/ruby/spec/testdata/client.pem +18 -12
  443. data/src/ruby/spec/testdata/server1.key +26 -14
  444. data/src/ruby/spec/testdata/server1.pem +20 -14
  445. data/third_party/abseil-cpp/absl/algorithm/algorithm.h +159 -0
  446. data/third_party/abseil-cpp/absl/base/attributes.h +621 -0
  447. data/third_party/abseil-cpp/absl/base/call_once.h +226 -0
  448. data/third_party/abseil-cpp/absl/base/casts.h +184 -0
  449. data/third_party/abseil-cpp/absl/base/config.h +671 -0
  450. data/third_party/abseil-cpp/absl/base/const_init.h +76 -0
  451. data/third_party/abseil-cpp/absl/base/dynamic_annotations.cc +129 -0
  452. data/third_party/abseil-cpp/absl/base/dynamic_annotations.h +389 -0
  453. data/third_party/abseil-cpp/absl/base/internal/atomic_hook.h +200 -0
  454. data/third_party/abseil-cpp/absl/base/internal/bits.h +218 -0
  455. data/third_party/abseil-cpp/absl/base/internal/cycleclock.cc +107 -0
  456. data/third_party/abseil-cpp/absl/base/internal/cycleclock.h +94 -0
  457. data/third_party/abseil-cpp/absl/base/internal/endian.h +266 -0
  458. data/third_party/abseil-cpp/absl/base/internal/errno_saver.h +43 -0
  459. data/third_party/abseil-cpp/absl/base/internal/hide_ptr.h +51 -0
  460. data/third_party/abseil-cpp/absl/base/internal/identity.h +37 -0
  461. data/third_party/abseil-cpp/absl/base/internal/inline_variable.h +107 -0
  462. data/third_party/abseil-cpp/absl/base/internal/invoke.h +187 -0
  463. data/third_party/abseil-cpp/absl/base/internal/low_level_scheduling.h +107 -0
  464. data/third_party/abseil-cpp/absl/base/internal/per_thread_tls.h +52 -0
  465. data/third_party/abseil-cpp/absl/base/internal/raw_logging.cc +240 -0
  466. data/third_party/abseil-cpp/absl/base/internal/raw_logging.h +183 -0
  467. data/third_party/abseil-cpp/absl/base/internal/scheduling_mode.h +58 -0
  468. data/third_party/abseil-cpp/absl/base/internal/spinlock.cc +233 -0
  469. data/third_party/abseil-cpp/absl/base/internal/spinlock.h +243 -0
  470. data/third_party/abseil-cpp/absl/base/internal/spinlock_akaros.inc +35 -0
  471. data/third_party/abseil-cpp/absl/base/internal/spinlock_linux.inc +66 -0
  472. data/third_party/abseil-cpp/absl/base/internal/spinlock_posix.inc +46 -0
  473. data/third_party/abseil-cpp/absl/base/internal/spinlock_wait.cc +81 -0
  474. data/third_party/abseil-cpp/absl/base/internal/spinlock_wait.h +93 -0
  475. data/third_party/abseil-cpp/absl/base/internal/spinlock_win32.inc +37 -0
  476. data/third_party/abseil-cpp/absl/base/internal/sysinfo.cc +416 -0
  477. data/third_party/abseil-cpp/absl/base/internal/sysinfo.h +66 -0
  478. data/third_party/abseil-cpp/absl/base/internal/thread_annotations.h +271 -0
  479. data/third_party/abseil-cpp/absl/base/internal/thread_identity.cc +152 -0
  480. data/third_party/abseil-cpp/absl/base/internal/thread_identity.h +259 -0
  481. data/third_party/abseil-cpp/absl/base/internal/throw_delegate.cc +108 -0
  482. data/third_party/abseil-cpp/absl/base/internal/throw_delegate.h +75 -0
  483. data/third_party/abseil-cpp/absl/base/internal/tsan_mutex_interface.h +66 -0
  484. data/third_party/abseil-cpp/absl/base/internal/unaligned_access.h +158 -0
  485. data/third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc +140 -0
  486. data/third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.h +124 -0
  487. data/third_party/abseil-cpp/absl/base/log_severity.cc +27 -0
  488. data/third_party/abseil-cpp/absl/base/log_severity.h +121 -0
  489. data/third_party/abseil-cpp/absl/base/macros.h +220 -0
  490. data/third_party/abseil-cpp/absl/base/optimization.h +181 -0
  491. data/third_party/abseil-cpp/absl/base/options.h +211 -0
  492. data/third_party/abseil-cpp/absl/base/policy_checks.h +111 -0
  493. data/third_party/abseil-cpp/absl/base/port.h +26 -0
  494. data/third_party/abseil-cpp/absl/base/thread_annotations.h +280 -0
  495. data/third_party/abseil-cpp/absl/container/inlined_vector.h +848 -0
  496. data/third_party/abseil-cpp/absl/container/internal/compressed_tuple.h +265 -0
  497. data/third_party/abseil-cpp/absl/container/internal/inlined_vector.h +892 -0
  498. data/third_party/abseil-cpp/absl/memory/memory.h +695 -0
  499. data/third_party/abseil-cpp/absl/meta/type_traits.h +759 -0
  500. data/third_party/abseil-cpp/absl/numeric/int128.cc +404 -0
  501. data/third_party/abseil-cpp/absl/numeric/int128.h +1091 -0
  502. data/third_party/abseil-cpp/absl/numeric/int128_have_intrinsic.inc +302 -0
  503. data/third_party/abseil-cpp/absl/numeric/int128_no_intrinsic.inc +308 -0
  504. data/third_party/abseil-cpp/absl/strings/ascii.cc +200 -0
  505. data/third_party/abseil-cpp/absl/strings/ascii.h +242 -0
  506. data/third_party/abseil-cpp/absl/strings/charconv.cc +984 -0
  507. data/third_party/abseil-cpp/absl/strings/charconv.h +119 -0
  508. data/third_party/abseil-cpp/absl/strings/escaping.cc +949 -0
  509. data/third_party/abseil-cpp/absl/strings/escaping.h +164 -0
  510. data/third_party/abseil-cpp/absl/strings/internal/char_map.h +156 -0
  511. data/third_party/abseil-cpp/absl/strings/internal/charconv_bigint.cc +359 -0
  512. data/third_party/abseil-cpp/absl/strings/internal/charconv_bigint.h +423 -0
  513. data/third_party/abseil-cpp/absl/strings/internal/charconv_parse.cc +504 -0
  514. data/third_party/abseil-cpp/absl/strings/internal/charconv_parse.h +99 -0
  515. data/third_party/abseil-cpp/absl/strings/internal/escaping.cc +180 -0
  516. data/third_party/abseil-cpp/absl/strings/internal/escaping.h +58 -0
  517. data/third_party/abseil-cpp/absl/strings/internal/memutil.cc +112 -0
  518. data/third_party/abseil-cpp/absl/strings/internal/memutil.h +148 -0
  519. data/third_party/abseil-cpp/absl/strings/internal/ostringstream.cc +36 -0
  520. data/third_party/abseil-cpp/absl/strings/internal/ostringstream.h +89 -0
  521. data/third_party/abseil-cpp/absl/strings/internal/resize_uninitialized.h +73 -0
  522. data/third_party/abseil-cpp/absl/strings/internal/stl_type_traits.h +248 -0
  523. data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.cc +388 -0
  524. data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.h +432 -0
  525. data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.cc +245 -0
  526. data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.h +209 -0
  527. data/third_party/abseil-cpp/absl/strings/internal/str_format/checker.h +326 -0
  528. data/third_party/abseil-cpp/absl/strings/internal/str_format/extension.cc +51 -0
  529. data/third_party/abseil-cpp/absl/strings/internal/str_format/extension.h +415 -0
  530. data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.cc +493 -0
  531. data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.h +23 -0
  532. data/third_party/abseil-cpp/absl/strings/internal/str_format/output.cc +72 -0
  533. data/third_party/abseil-cpp/absl/strings/internal/str_format/output.h +104 -0
  534. data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.cc +334 -0
  535. data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.h +333 -0
  536. data/third_party/abseil-cpp/absl/strings/internal/str_join_internal.h +314 -0
  537. data/third_party/abseil-cpp/absl/strings/internal/str_split_internal.h +455 -0
  538. data/third_party/abseil-cpp/absl/strings/internal/utf8.cc +53 -0
  539. data/third_party/abseil-cpp/absl/strings/internal/utf8.h +50 -0
  540. data/third_party/abseil-cpp/absl/strings/match.cc +40 -0
  541. data/third_party/abseil-cpp/absl/strings/match.h +90 -0
  542. data/third_party/abseil-cpp/absl/strings/numbers.cc +965 -0
  543. data/third_party/abseil-cpp/absl/strings/numbers.h +266 -0
  544. data/third_party/abseil-cpp/absl/strings/str_cat.cc +246 -0
  545. data/third_party/abseil-cpp/absl/strings/str_cat.h +408 -0
  546. data/third_party/abseil-cpp/absl/strings/str_format.h +537 -0
  547. data/third_party/abseil-cpp/absl/strings/str_join.h +293 -0
  548. data/third_party/abseil-cpp/absl/strings/str_replace.cc +82 -0
  549. data/third_party/abseil-cpp/absl/strings/str_replace.h +219 -0
  550. data/third_party/abseil-cpp/absl/strings/str_split.cc +139 -0
  551. data/third_party/abseil-cpp/absl/strings/str_split.h +513 -0
  552. data/third_party/abseil-cpp/absl/strings/string_view.cc +235 -0
  553. data/third_party/abseil-cpp/absl/strings/string_view.h +622 -0
  554. data/third_party/abseil-cpp/absl/strings/strip.h +91 -0
  555. data/third_party/abseil-cpp/absl/strings/substitute.cc +171 -0
  556. data/third_party/abseil-cpp/absl/strings/substitute.h +693 -0
  557. data/third_party/abseil-cpp/absl/time/civil_time.cc +175 -0
  558. data/third_party/abseil-cpp/absl/time/civil_time.h +538 -0
  559. data/third_party/abseil-cpp/absl/time/clock.cc +569 -0
  560. data/third_party/abseil-cpp/absl/time/clock.h +74 -0
  561. data/third_party/abseil-cpp/absl/time/duration.cc +922 -0
  562. data/third_party/abseil-cpp/absl/time/format.cc +153 -0
  563. data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time.h +332 -0
  564. data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time_detail.h +622 -0
  565. data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/time_zone.h +384 -0
  566. data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/zone_info_source.h +102 -0
  567. data/third_party/abseil-cpp/absl/time/internal/cctz/src/civil_time_detail.cc +94 -0
  568. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_fixed.cc +140 -0
  569. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_fixed.h +52 -0
  570. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_format.cc +922 -0
  571. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_if.cc +45 -0
  572. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_if.h +76 -0
  573. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_impl.cc +121 -0
  574. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_impl.h +93 -0
  575. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_info.cc +958 -0
  576. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_info.h +138 -0
  577. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.cc +308 -0
  578. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.h +55 -0
  579. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_lookup.cc +187 -0
  580. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_posix.cc +159 -0
  581. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_posix.h +132 -0
  582. data/third_party/abseil-cpp/absl/time/internal/cctz/src/tzfile.h +122 -0
  583. data/third_party/abseil-cpp/absl/time/internal/cctz/src/zone_info_source.cc +115 -0
  584. data/third_party/abseil-cpp/absl/time/internal/get_current_time_chrono.inc +31 -0
  585. data/third_party/abseil-cpp/absl/time/internal/get_current_time_posix.inc +24 -0
  586. data/third_party/abseil-cpp/absl/time/time.cc +499 -0
  587. data/third_party/abseil-cpp/absl/time/time.h +1584 -0
  588. data/third_party/abseil-cpp/absl/types/bad_optional_access.cc +48 -0
  589. data/third_party/abseil-cpp/absl/types/bad_optional_access.h +78 -0
  590. data/third_party/abseil-cpp/absl/types/internal/optional.h +396 -0
  591. data/third_party/abseil-cpp/absl/types/internal/span.h +128 -0
  592. data/third_party/abseil-cpp/absl/types/optional.h +776 -0
  593. data/third_party/abseil-cpp/absl/types/span.h +713 -0
  594. data/third_party/abseil-cpp/absl/utility/utility.h +350 -0
  595. data/third_party/boringssl-with-bazel/err_data.c +1439 -0
  596. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_bitstr.c +0 -0
  597. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_bool.c +0 -0
  598. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_d2i_fp.c +0 -0
  599. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_dup.c +0 -0
  600. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_enum.c +0 -0
  601. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_gentm.c +0 -0
  602. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_i2d_fp.c +0 -0
  603. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_int.c +0 -0
  604. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_mbstr.c +0 -0
  605. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_object.c +0 -0
  606. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_octet.c +0 -0
  607. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_print.c +0 -0
  608. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_strnid.c +0 -0
  609. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +212 -0
  610. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_type.c +0 -0
  611. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_utctm.c +0 -0
  612. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/a_utf8.c +0 -0
  613. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/asn1_lib.c +0 -0
  614. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/asn1_locl.h +0 -0
  615. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/asn1_par.c +0 -0
  616. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/asn_pack.c +0 -0
  617. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/f_enum.c +0 -0
  618. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/f_int.c +0 -0
  619. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/f_string.c +0 -0
  620. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/tasn_dec.c +0 -0
  621. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/tasn_enc.c +0 -0
  622. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/tasn_fre.c +0 -0
  623. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/tasn_new.c +0 -0
  624. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/tasn_typ.c +0 -0
  625. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/tasn_utl.c +0 -0
  626. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/asn1/time_support.c +0 -0
  627. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/base64/base64.c +0 -0
  628. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bio/bio.c +0 -0
  629. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bio/bio_mem.c +0 -0
  630. data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +545 -0
  631. data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +279 -0
  632. data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +317 -0
  633. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bio/hexdump.c +0 -0
  634. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bio/internal.h +0 -0
  635. data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +488 -0
  636. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bio/printf.c +0 -0
  637. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bio/socket.c +0 -0
  638. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bio/socket_helper.c +0 -0
  639. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bn_extra/bn_asn1.c +0 -0
  640. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bn_extra/convert.c +0 -0
  641. data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +172 -0
  642. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bytestring/asn1_compat.c +0 -0
  643. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bytestring/ber.c +0 -0
  644. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +719 -0
  645. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +688 -0
  646. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bytestring/internal.h +0 -0
  647. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/bytestring/unicode.c +0 -0
  648. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/chacha/chacha.c +0 -0
  649. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/chacha/internal.h +0 -0
  650. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cipher_extra/cipher_extra.c +0 -0
  651. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +152 -0
  652. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cipher_extra/e_aesccm.c +0 -0
  653. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cipher_extra/e_aesctrhmac.c +0 -0
  654. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +891 -0
  655. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cipher_extra/e_chacha20poly1305.c +0 -0
  656. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cipher_extra/e_null.c +0 -0
  657. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cipher_extra/e_rc2.c +0 -0
  658. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cipher_extra/e_rc4.c +0 -0
  659. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cipher_extra/e_tls.c +0 -0
  660. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cipher_extra/internal.h +0 -0
  661. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cipher_extra/tls_cbc.c +0 -0
  662. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cmac/cmac.c +0 -0
  663. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/conf/conf.c +0 -0
  664. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/conf/conf_def.h +0 -0
  665. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/conf/internal.h +0 -0
  666. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cpu-aarch64-fuchsia.c +0 -0
  667. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cpu-aarch64-linux.c +0 -0
  668. data/third_party/boringssl-with-bazel/src/crypto/cpu-arm-linux.c +220 -0
  669. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cpu-arm-linux.h +0 -0
  670. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cpu-arm.c +0 -0
  671. data/third_party/boringssl-with-bazel/src/crypto/cpu-intel.c +291 -0
  672. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/cpu-ppc64le.c +0 -0
  673. data/third_party/boringssl-with-bazel/src/crypto/crypto.c +226 -0
  674. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +2159 -0
  675. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519_tables.h +7872 -0
  676. data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +146 -0
  677. data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +539 -0
  678. data/third_party/boringssl-with-bazel/src/crypto/dh/check.c +217 -0
  679. data/third_party/boringssl-with-bazel/src/crypto/dh/dh.c +533 -0
  680. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/dh/dh_asn1.c +0 -0
  681. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/dh/params.c +0 -0
  682. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/digest_extra/digest_extra.c +0 -0
  683. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +980 -0
  684. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/dsa/dsa_asn1.c +0 -0
  685. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/ec_extra/ec_asn1.c +0 -0
  686. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_derive.c +95 -0
  687. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +425 -0
  688. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +78 -0
  689. data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.c +124 -0
  690. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/ecdsa_extra/ecdsa_asn1.c +0 -0
  691. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/engine/engine.c +0 -0
  692. data/third_party/boringssl-with-bazel/src/crypto/err/err.c +850 -0
  693. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/err/internal.h +0 -0
  694. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/digestsign.c +0 -0
  695. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/evp.c +0 -0
  696. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/evp_asn1.c +0 -0
  697. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/evp_ctx.c +0 -0
  698. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/internal.h +0 -0
  699. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/p_dsa_asn1.c +0 -0
  700. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +286 -0
  701. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/p_ec_asn1.c +0 -0
  702. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/p_ed25519.c +0 -0
  703. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/p_ed25519_asn1.c +0 -0
  704. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +648 -0
  705. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/p_rsa_asn1.c +0 -0
  706. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/p_x25519.c +0 -0
  707. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +248 -0
  708. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/pbkdf.c +0 -0
  709. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/print.c +0 -0
  710. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/scrypt.c +0 -0
  711. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/evp/sign.c +0 -0
  712. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/ex_data.c +0 -0
  713. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +108 -0
  714. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +1282 -0
  715. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +238 -0
  716. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/aes/key_wrap.c +0 -0
  717. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +106 -0
  718. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +263 -0
  719. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/add.c +0 -0
  720. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/asm/x86_64-gcc.c +0 -0
  721. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/bn.c +0 -0
  722. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/bytes.c +0 -0
  723. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/cmp.c +0 -0
  724. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/ctx.c +0 -0
  725. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/div.c +0 -0
  726. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/div_extra.c +0 -0
  727. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +1288 -0
  728. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/gcd.c +0 -0
  729. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/gcd_extra.c +0 -0
  730. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/generic.c +0 -0
  731. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +694 -0
  732. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/jacobi.c +0 -0
  733. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +502 -0
  734. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/montgomery_inv.c +0 -0
  735. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +749 -0
  736. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +1068 -0
  737. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/random.c +0 -0
  738. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/rsaz_exp.c +0 -0
  739. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/rsaz_exp.h +0 -0
  740. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/shift.c +0 -0
  741. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/bn/sqrt.c +0 -0
  742. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/cipher/aead.c +0 -0
  743. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/cipher/cipher.c +0 -0
  744. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +1302 -0
  745. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/cipher/e_des.c +0 -0
  746. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/cipher/internal.h +0 -0
  747. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/delocate.h +0 -0
  748. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/des/des.c +0 -0
  749. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/des/internal.h +0 -0
  750. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/digest/digest.c +0 -0
  751. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digests.c +296 -0
  752. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/digest/internal.h +0 -0
  753. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/digest/md32_common.h +0 -0
  754. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +1252 -0
  755. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +465 -0
  756. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +524 -0
  757. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/felem.c +100 -0
  758. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +775 -0
  759. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +328 -0
  760. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +1178 -0
  761. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64-table.h +9497 -0
  762. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64.c +632 -0
  763. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/ec/p256-x86_64.h +0 -0
  764. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +736 -0
  765. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256_table.h +297 -0
  766. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +175 -0
  767. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +357 -0
  768. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +270 -0
  769. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/ec/util.c +0 -0
  770. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +270 -0
  771. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +122 -0
  772. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +328 -0
  773. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/fips_shared_support.c +0 -0
  774. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/hmac/hmac.c +0 -0
  775. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/is_fips.c +0 -0
  776. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/md4/md4.c +0 -0
  777. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/md5/internal.h +0 -0
  778. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/md5/md5.c +0 -0
  779. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/modes/cbc.c +0 -0
  780. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/modes/cfb.c +0 -0
  781. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/modes/ctr.c +0 -0
  782. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +729 -0
  783. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +304 -0
  784. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +441 -0
  785. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/modes/ofb.c +0 -0
  786. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/modes/polyval.c +0 -0
  787. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/rand/ctrdrbg.c +0 -0
  788. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +137 -0
  789. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +49 -0
  790. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +64 -0
  791. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +163 -0
  792. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +378 -0
  793. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +391 -0
  794. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +243 -0
  795. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +127 -0
  796. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/rsa/padding.c +0 -0
  797. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +898 -0
  798. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +1358 -0
  799. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/self_check/self_check.c +0 -0
  800. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/sha/internal.h +0 -0
  801. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/sha/sha1-altivec.c +0 -0
  802. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/sha/sha1.c +0 -0
  803. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/sha/sha256.c +0 -0
  804. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +544 -0
  805. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/tls/internal.h +0 -0
  806. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/fipsmodule/tls/kdf.c +0 -0
  807. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/hkdf/hkdf.c +0 -0
  808. data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +2100 -0
  809. data/third_party/boringssl-with-bazel/src/crypto/hrss/internal.h +61 -0
  810. data/third_party/boringssl-with-bazel/src/crypto/internal.h +834 -0
  811. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/lhash/lhash.c +0 -0
  812. data/third_party/boringssl-with-bazel/src/crypto/mem.c +359 -0
  813. data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +549 -0
  814. data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +11585 -0
  815. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/obj/obj_xref.c +0 -0
  816. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/pem/pem_all.c +0 -0
  817. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +360 -0
  818. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +777 -0
  819. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +87 -0
  820. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +257 -0
  821. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +218 -0
  822. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/pem/pem_x509.c +0 -0
  823. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/pem/pem_xaux.c +0 -0
  824. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/pkcs7/internal.h +0 -0
  825. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/pkcs7/pkcs7.c +0 -0
  826. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +385 -0
  827. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/pkcs8/internal.h +0 -0
  828. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/pkcs8/p5_pbev2.c +0 -0
  829. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/pkcs8/pkcs8.c +0 -0
  830. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/pkcs8/pkcs8_x509.c +0 -0
  831. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/poly1305/internal.h +0 -0
  832. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +318 -0
  833. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +305 -0
  834. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +856 -0
  835. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/pool/internal.h +0 -0
  836. data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +220 -0
  837. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/deterministic.c +52 -0
  838. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/rand_extra/forkunsafe.c +0 -0
  839. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/rand_extra/fuchsia.c +0 -0
  840. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/rand_extra/rand_extra.c +0 -0
  841. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/windows.c +69 -0
  842. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/rc4/rc4.c +0 -0
  843. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/refcount_c11.c +0 -0
  844. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/refcount_lock.c +0 -0
  845. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/rsa_extra/rsa_asn1.c +0 -0
  846. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/rsa_extra/rsa_print.c +0 -0
  847. data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +82 -0
  848. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/stack/stack.c +0 -0
  849. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/thread.c +0 -0
  850. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/thread_none.c +0 -0
  851. data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +210 -0
  852. data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +260 -0
  853. data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +278 -0
  854. data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +1474 -0
  855. data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +720 -0
  856. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/a_digest.c +0 -0
  857. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/a_sign.c +0 -0
  858. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/a_strex.c +0 -0
  859. data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +114 -0
  860. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/algorithm.c +0 -0
  861. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/asn1_gen.c +0 -0
  862. data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +458 -0
  863. data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +275 -0
  864. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/charmap.h +0 -0
  865. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/i2d_pr.c +0 -0
  866. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/internal.h +0 -0
  867. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/rsa_pss.c +0 -0
  868. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/t_crl.c +0 -0
  869. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/t_req.c +0 -0
  870. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/t_x509.c +0 -0
  871. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/t_x509a.c +0 -0
  872. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/vpm_int.h +0 -0
  873. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509.c +0 -0
  874. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509_att.c +0 -0
  875. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +476 -0
  876. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509_d2.c +0 -0
  877. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509_def.c +0 -0
  878. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509_ext.c +0 -0
  879. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509_lu.c +0 -0
  880. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +198 -0
  881. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_r2x.c +116 -0
  882. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +341 -0
  883. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +185 -0
  884. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +326 -0
  885. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509_txt.c +0 -0
  886. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509_v3.c +0 -0
  887. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +2487 -0
  888. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +671 -0
  889. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509cset.c +0 -0
  890. data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +389 -0
  891. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509rset.c +0 -0
  892. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x509spki.c +0 -0
  893. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_algor.c +0 -0
  894. data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +399 -0
  895. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_attrib.c +0 -0
  896. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_crl.c +0 -0
  897. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_exten.c +0 -0
  898. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_info.c +0 -0
  899. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_name.c +0 -0
  900. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_pkey.c +0 -0
  901. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_pubkey.c +0 -0
  902. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_req.c +0 -0
  903. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_sig.c +0 -0
  904. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_spki.c +0 -0
  905. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_val.c +0 -0
  906. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_x509.c +0 -0
  907. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509/x_x509a.c +0 -0
  908. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/ext_dat.h +0 -0
  909. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/internal.h +0 -0
  910. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/pcy_cache.c +0 -0
  911. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/pcy_data.c +0 -0
  912. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/pcy_int.h +0 -0
  913. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/pcy_lib.c +0 -0
  914. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/pcy_map.c +0 -0
  915. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/pcy_node.c +0 -0
  916. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/pcy_tree.c +0 -0
  917. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_akey.c +0 -0
  918. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_akeya.c +0 -0
  919. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +629 -0
  920. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_bcons.c +0 -0
  921. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_bitst.c +0 -0
  922. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_conf.c +0 -0
  923. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_cpols.c +0 -0
  924. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_crld.c +0 -0
  925. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +100 -0
  926. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_extku.c +0 -0
  927. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_genn.c +0 -0
  928. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_ia5.c +0 -0
  929. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +218 -0
  930. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_int.c +0 -0
  931. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_lib.c +0 -0
  932. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_ncons.c +0 -0
  933. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_ocsp.c +0 -0
  934. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_pci.c +0 -0
  935. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_pcia.c +0 -0
  936. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_pcons.c +0 -0
  937. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_pku.c +0 -0
  938. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_pmaps.c +0 -0
  939. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_prn.c +0 -0
  940. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +843 -0
  941. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_skey.c +0 -0
  942. data/third_party/{boringssl → boringssl-with-bazel/src}/crypto/x509v3/v3_sxnet.c +0 -0
  943. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1395 -0
  944. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/aead.h +0 -0
  945. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/aes.h +0 -0
  946. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/arm_arch.h +0 -0
  947. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/asn1.h +0 -0
  948. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/asn1_mac.h +0 -0
  949. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/asn1t.h +0 -0
  950. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +575 -0
  951. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/base64.h +0 -0
  952. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/bio.h +0 -0
  953. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/blowfish.h +0 -0
  954. data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +1057 -0
  955. data/third_party/boringssl-with-bazel/src/include/openssl/buf.h +137 -0
  956. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/buffer.h +0 -0
  957. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +561 -0
  958. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/cast.h +0 -0
  959. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/chacha.h +0 -0
  960. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/cipher.h +0 -0
  961. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/cmac.h +0 -0
  962. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/conf.h +0 -0
  963. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/cpu.h +0 -0
  964. data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +149 -0
  965. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/curve25519.h +0 -0
  966. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/des.h +0 -0
  967. data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +319 -0
  968. data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +331 -0
  969. data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +457 -0
  970. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/dtls1.h +0 -0
  971. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/e_os2.h +0 -0
  972. data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +424 -0
  973. data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +372 -0
  974. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/ecdh.h +0 -0
  975. data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +205 -0
  976. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/engine.h +0 -0
  977. data/third_party/boringssl-with-bazel/src/include/openssl/err.h +465 -0
  978. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +1050 -0
  979. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/ex_data.h +0 -0
  980. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/hkdf.h +0 -0
  981. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/hmac.h +0 -0
  982. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/hrss.h +0 -0
  983. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/is_boringssl.h +0 -0
  984. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/lhash.h +0 -0
  985. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/md4.h +0 -0
  986. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/md5.h +0 -0
  987. data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +175 -0
  988. data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +4259 -0
  989. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/obj.h +0 -0
  990. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/obj_mac.h +0 -0
  991. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/objects.h +0 -0
  992. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/opensslconf.h +0 -0
  993. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/opensslv.h +0 -0
  994. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/ossl_typ.h +0 -0
  995. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/pem.h +0 -0
  996. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/pkcs12.h +0 -0
  997. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/pkcs7.h +0 -0
  998. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/pkcs8.h +0 -0
  999. data/third_party/boringssl-with-bazel/src/include/openssl/poly1305.h +49 -0
  1000. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/pool.h +0 -0
  1001. data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +111 -0
  1002. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/rc4.h +0 -0
  1003. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/ripemd.h +0 -0
  1004. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +818 -0
  1005. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/safestack.h +0 -0
  1006. data/third_party/boringssl-with-bazel/src/include/openssl/sha.h +294 -0
  1007. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/siphash.h +0 -0
  1008. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/span.h +0 -0
  1009. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/srtp.h +0 -0
  1010. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +5198 -0
  1011. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/ssl3.h +0 -0
  1012. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/stack.h +0 -0
  1013. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/thread.h +0 -0
  1014. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +632 -0
  1015. data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +291 -0
  1016. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/type_check.h +0 -0
  1017. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1207 -0
  1018. data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +681 -0
  1019. data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/x509v3.h +0 -0
  1020. data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/bio_ssl.cc +0 -0
  1021. data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +837 -0
  1022. data/third_party/boringssl-with-bazel/src/ssl/d1_lib.cc +268 -0
  1023. data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +273 -0
  1024. data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/d1_srtp.cc +0 -0
  1025. data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +200 -0
  1026. data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/dtls_record.cc +0 -0
  1027. data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +675 -0
  1028. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +703 -0
  1029. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +1890 -0
  1030. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +1805 -0
  1031. data/third_party/boringssl-with-bazel/src/ssl/internal.h +3572 -0
  1032. data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +724 -0
  1033. data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +221 -0
  1034. data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +458 -0
  1035. data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_aead_ctx.cc +0 -0
  1036. data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +856 -0
  1037. data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +306 -0
  1038. data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +1019 -0
  1039. data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +1718 -0
  1040. data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_file.cc +0 -0
  1041. data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_key_share.cc +0 -0
  1042. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +3015 -0
  1043. data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +835 -0
  1044. data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +1333 -0
  1045. data/third_party/boringssl-with-bazel/src/ssl/ssl_stat.cc +230 -0
  1046. data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_transcript.cc +0 -0
  1047. data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +394 -0
  1048. data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/ssl_x509.cc +0 -0
  1049. data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +365 -0
  1050. data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +3870 -0
  1051. data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +689 -0
  1052. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +1017 -0
  1053. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +513 -0
  1054. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +1096 -0
  1055. data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +317 -0
  1056. data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +703 -0
  1057. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +981 -0
  1058. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +619 -0
  1059. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3147 -0
  1060. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1226 -0
  1061. data/third_party/upb/upb/decode.c +4 -0
  1062. data/third_party/upb/upb/port.c +0 -1
  1063. data/third_party/upb/upb/port_def.inc +1 -3
  1064. data/third_party/upb/upb/table.c +2 -1
  1065. metadata +758 -509
  1066. data/src/boringssl/err_data.c +0 -1407
  1067. data/src/core/ext/filters/client_channel/lb_policy/xds/xds.cc +0 -1898
  1068. data/src/core/lib/gprpp/inlined_vector.h +0 -246
  1069. data/src/core/lib/gprpp/optional.h +0 -48
  1070. data/src/core/lib/gprpp/string_view.h +0 -165
  1071. data/src/core/lib/iomgr/logical_thread.cc +0 -103
  1072. data/src/core/lib/iomgr/logical_thread.h +0 -52
  1073. data/src/core/lib/json/json.cc +0 -94
  1074. data/src/core/lib/json/json_common.h +0 -34
  1075. data/src/core/lib/json/json_reader.h +0 -146
  1076. data/src/core/lib/json/json_string.cc +0 -367
  1077. data/src/core/lib/json/json_writer.h +0 -84
  1078. data/src/core/lib/security/credentials/tls/spiffe_credentials.cc +0 -129
  1079. data/src/core/lib/security/credentials/tls/spiffe_credentials.h +0 -62
  1080. data/src/core/lib/security/security_connector/tls/spiffe_security_connector.cc +0 -541
  1081. data/src/core/lib/security/security_connector/tls/spiffe_security_connector.h +0 -158
  1082. data/src/core/tsi/grpc_shadow_boringssl.h +0 -3297
  1083. data/third_party/boringssl/crypto/asn1/a_time.c +0 -213
  1084. data/third_party/boringssl/crypto/bio/connect.c +0 -546
  1085. data/third_party/boringssl/crypto/bio/fd.c +0 -280
  1086. data/third_party/boringssl/crypto/bio/file.c +0 -318
  1087. data/third_party/boringssl/crypto/bio/pair.c +0 -489
  1088. data/third_party/boringssl/crypto/buf/buf.c +0 -231
  1089. data/third_party/boringssl/crypto/bytestring/cbb.c +0 -680
  1090. data/third_party/boringssl/crypto/bytestring/cbs.c +0 -631
  1091. data/third_party/boringssl/crypto/cipher_extra/derive_key.c +0 -152
  1092. data/third_party/boringssl/crypto/cipher_extra/e_aesgcmsiv.c +0 -883
  1093. data/third_party/boringssl/crypto/cpu-arm-linux.c +0 -219
  1094. data/third_party/boringssl/crypto/cpu-intel.c +0 -282
  1095. data/third_party/boringssl/crypto/crypto.c +0 -215
  1096. data/third_party/boringssl/crypto/curve25519/spake25519.c +0 -539
  1097. data/third_party/boringssl/crypto/dh/check.c +0 -217
  1098. data/third_party/boringssl/crypto/dh/dh.c +0 -519
  1099. data/third_party/boringssl/crypto/dsa/dsa.c +0 -970
  1100. data/third_party/boringssl/crypto/ec_extra/ec_derive.c +0 -96
  1101. data/third_party/boringssl/crypto/ecdh_extra/ecdh_extra.c +0 -124
  1102. data/third_party/boringssl/crypto/err/err.c +0 -849
  1103. data/third_party/boringssl/crypto/evp/p_ec.c +0 -287
  1104. data/third_party/boringssl/crypto/evp/p_rsa.c +0 -636
  1105. data/third_party/boringssl/crypto/evp/p_x25519_asn1.c +0 -249
  1106. data/third_party/boringssl/crypto/fipsmodule/aes/aes.c +0 -860
  1107. data/third_party/boringssl/crypto/fipsmodule/aes/internal.h +0 -240
  1108. data/third_party/boringssl/crypto/fipsmodule/aes/mode_wrappers.c +0 -108
  1109. data/third_party/boringssl/crypto/fipsmodule/bcm.c +0 -260
  1110. data/third_party/boringssl/crypto/fipsmodule/bn/exponentiation.c +0 -1288
  1111. data/third_party/boringssl/crypto/fipsmodule/bn/internal.h +0 -691
  1112. data/third_party/boringssl/crypto/fipsmodule/bn/montgomery.c +0 -502
  1113. data/third_party/boringssl/crypto/fipsmodule/bn/mul.c +0 -873
  1114. data/third_party/boringssl/crypto/fipsmodule/bn/prime.c +0 -1069
  1115. data/third_party/boringssl/crypto/fipsmodule/cipher/e_aes.c +0 -1304
  1116. data/third_party/boringssl/crypto/fipsmodule/digest/digests.c +0 -280
  1117. data/third_party/boringssl/crypto/fipsmodule/ec/ec.c +0 -1080
  1118. data/third_party/boringssl/crypto/fipsmodule/ec/ec_key.c +0 -479
  1119. data/third_party/boringssl/crypto/fipsmodule/ec/ec_montgomery.c +0 -483
  1120. data/third_party/boringssl/crypto/fipsmodule/ec/felem.c +0 -82
  1121. data/third_party/boringssl/crypto/fipsmodule/ec/internal.h +0 -503
  1122. data/third_party/boringssl/crypto/fipsmodule/ec/oct.c +0 -336
  1123. data/third_party/boringssl/crypto/fipsmodule/ec/p224-64.c +0 -1187
  1124. data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64-table.h +0 -9501
  1125. data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.c +0 -651
  1126. data/third_party/boringssl/crypto/fipsmodule/ec/scalar.c +0 -96
  1127. data/third_party/boringssl/crypto/fipsmodule/ec/simple.c +0 -380
  1128. data/third_party/boringssl/crypto/fipsmodule/ec/simple_mul.c +0 -84
  1129. data/third_party/boringssl/crypto/fipsmodule/ec/wnaf.c +0 -227
  1130. data/third_party/boringssl/crypto/fipsmodule/ecdh/ecdh.c +0 -122
  1131. data/third_party/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c +0 -313
  1132. data/third_party/boringssl/crypto/fipsmodule/modes/gcm.c +0 -877
  1133. data/third_party/boringssl/crypto/fipsmodule/modes/internal.h +0 -451
  1134. data/third_party/boringssl/crypto/fipsmodule/rand/internal.h +0 -127
  1135. data/third_party/boringssl/crypto/fipsmodule/rand/rand.c +0 -363
  1136. data/third_party/boringssl/crypto/fipsmodule/rand/urandom.c +0 -481
  1137. data/third_party/boringssl/crypto/fipsmodule/rsa/blinding.c +0 -239
  1138. data/third_party/boringssl/crypto/fipsmodule/rsa/internal.h +0 -126
  1139. data/third_party/boringssl/crypto/fipsmodule/rsa/rsa.c +0 -879
  1140. data/third_party/boringssl/crypto/fipsmodule/rsa/rsa_impl.c +0 -1335
  1141. data/third_party/boringssl/crypto/fipsmodule/sha/sha512.c +0 -535
  1142. data/third_party/boringssl/crypto/hrss/hrss.c +0 -2201
  1143. data/third_party/boringssl/crypto/hrss/internal.h +0 -62
  1144. data/third_party/boringssl/crypto/internal.h +0 -814
  1145. data/third_party/boringssl/crypto/mem.c +0 -272
  1146. data/third_party/boringssl/crypto/obj/obj.c +0 -554
  1147. data/third_party/boringssl/crypto/obj/obj_dat.h +0 -11550
  1148. data/third_party/boringssl/crypto/pem/pem_info.c +0 -361
  1149. data/third_party/boringssl/crypto/pem/pem_lib.c +0 -777
  1150. data/third_party/boringssl/crypto/pem/pem_oth.c +0 -88
  1151. data/third_party/boringssl/crypto/pem/pem_pk8.c +0 -258
  1152. data/third_party/boringssl/crypto/pem/pem_pkey.c +0 -219
  1153. data/third_party/boringssl/crypto/pkcs7/pkcs7_x509.c +0 -385
  1154. data/third_party/boringssl/crypto/poly1305/poly1305.c +0 -318
  1155. data/third_party/boringssl/crypto/poly1305/poly1305_arm.c +0 -304
  1156. data/third_party/boringssl/crypto/poly1305/poly1305_vec.c +0 -839
  1157. data/third_party/boringssl/crypto/pool/pool.c +0 -221
  1158. data/third_party/boringssl/crypto/rand_extra/deterministic.c +0 -56
  1159. data/third_party/boringssl/crypto/rand_extra/windows.c +0 -53
  1160. data/third_party/boringssl/crypto/siphash/siphash.c +0 -80
  1161. data/third_party/boringssl/crypto/thread_pthread.c +0 -206
  1162. data/third_party/boringssl/crypto/thread_win.c +0 -256
  1163. data/third_party/boringssl/crypto/x509/a_verify.c +0 -115
  1164. data/third_party/boringssl/crypto/x509/by_dir.c +0 -458
  1165. data/third_party/boringssl/crypto/x509/by_file.c +0 -276
  1166. data/third_party/boringssl/crypto/x509/x509_cmp.c +0 -477
  1167. data/third_party/boringssl/crypto/x509/x509_obj.c +0 -198
  1168. data/third_party/boringssl/crypto/x509/x509_r2x.c +0 -117
  1169. data/third_party/boringssl/crypto/x509/x509_req.c +0 -342
  1170. data/third_party/boringssl/crypto/x509/x509_set.c +0 -169
  1171. data/third_party/boringssl/crypto/x509/x509_trs.c +0 -327
  1172. data/third_party/boringssl/crypto/x509/x509_vfy.c +0 -2483
  1173. data/third_party/boringssl/crypto/x509/x509_vpm.c +0 -672
  1174. data/third_party/boringssl/crypto/x509/x509name.c +0 -388
  1175. data/third_party/boringssl/crypto/x509/x_all.c +0 -400
  1176. data/third_party/boringssl/crypto/x509v3/v3_alt.c +0 -629
  1177. data/third_party/boringssl/crypto/x509v3/v3_enum.c +0 -100
  1178. data/third_party/boringssl/crypto/x509v3/v3_info.c +0 -219
  1179. data/third_party/boringssl/crypto/x509v3/v3_purp.c +0 -844
  1180. data/third_party/boringssl/crypto/x509v3/v3_utl.c +0 -1396
  1181. data/third_party/boringssl/include/openssl/base.h +0 -571
  1182. data/third_party/boringssl/include/openssl/bn.h +0 -1045
  1183. data/third_party/boringssl/include/openssl/buf.h +0 -137
  1184. data/third_party/boringssl/include/openssl/bytestring.h +0 -527
  1185. data/third_party/boringssl/include/openssl/crypto.h +0 -144
  1186. data/third_party/boringssl/include/openssl/dh.h +0 -299
  1187. data/third_party/boringssl/include/openssl/digest.h +0 -330
  1188. data/third_party/boringssl/include/openssl/dsa.h +0 -441
  1189. data/third_party/boringssl/include/openssl/ec.h +0 -417
  1190. data/third_party/boringssl/include/openssl/ec_key.h +0 -370
  1191. data/third_party/boringssl/include/openssl/ecdsa.h +0 -199
  1192. data/third_party/boringssl/include/openssl/err.h +0 -461
  1193. data/third_party/boringssl/include/openssl/evp.h +0 -1030
  1194. data/third_party/boringssl/include/openssl/mem.h +0 -160
  1195. data/third_party/boringssl/include/openssl/nid.h +0 -4245
  1196. data/third_party/boringssl/include/openssl/poly1305.h +0 -51
  1197. data/third_party/boringssl/include/openssl/rand.h +0 -125
  1198. data/third_party/boringssl/include/openssl/rsa.h +0 -787
  1199. data/third_party/boringssl/include/openssl/sha.h +0 -268
  1200. data/third_party/boringssl/include/openssl/ssl.h +0 -5113
  1201. data/third_party/boringssl/include/openssl/tls1.h +0 -634
  1202. data/third_party/boringssl/include/openssl/x509.h +0 -1205
  1203. data/third_party/boringssl/include/openssl/x509_vfy.h +0 -680
  1204. data/third_party/boringssl/ssl/d1_both.cc +0 -842
  1205. data/third_party/boringssl/ssl/d1_lib.cc +0 -268
  1206. data/third_party/boringssl/ssl/d1_pkt.cc +0 -274
  1207. data/third_party/boringssl/ssl/dtls_method.cc +0 -192
  1208. data/third_party/boringssl/ssl/handoff.cc +0 -489
  1209. data/third_party/boringssl/ssl/handshake.cc +0 -691
  1210. data/third_party/boringssl/ssl/handshake_client.cc +0 -1871
  1211. data/third_party/boringssl/ssl/handshake_server.cc +0 -1801
  1212. data/third_party/boringssl/ssl/internal.h +0 -3549
  1213. data/third_party/boringssl/ssl/s3_both.cc +0 -724
  1214. data/third_party/boringssl/ssl/s3_lib.cc +0 -222
  1215. data/third_party/boringssl/ssl/s3_pkt.cc +0 -459
  1216. data/third_party/boringssl/ssl/ssl_asn1.cc +0 -828
  1217. data/third_party/boringssl/ssl/ssl_buffer.cc +0 -287
  1218. data/third_party/boringssl/ssl/ssl_cert.cc +0 -1016
  1219. data/third_party/boringssl/ssl/ssl_cipher.cc +0 -1719
  1220. data/third_party/boringssl/ssl/ssl_lib.cc +0 -3011
  1221. data/third_party/boringssl/ssl/ssl_privkey.cc +0 -824
  1222. data/third_party/boringssl/ssl/ssl_session.cc +0 -1273
  1223. data/third_party/boringssl/ssl/ssl_stat.cc +0 -224
  1224. data/third_party/boringssl/ssl/ssl_versions.cc +0 -394
  1225. data/third_party/boringssl/ssl/t1_enc.cc +0 -361
  1226. data/third_party/boringssl/ssl/t1_lib.cc +0 -4036
  1227. data/third_party/boringssl/ssl/tls13_both.cc +0 -689
  1228. data/third_party/boringssl/ssl/tls13_client.cc +0 -947
  1229. data/third_party/boringssl/ssl/tls13_enc.cc +0 -561
  1230. data/third_party/boringssl/ssl/tls13_server.cc +0 -1089
  1231. data/third_party/boringssl/ssl/tls_method.cc +0 -279
  1232. data/third_party/boringssl/ssl/tls_record.cc +0 -698
  1233. data/third_party/boringssl/third_party/fiat/curve25519.c +0 -2167
  1234. data/third_party/boringssl/third_party/fiat/curve25519_32.h +0 -911
  1235. data/third_party/boringssl/third_party/fiat/curve25519_64.h +0 -559
  1236. data/third_party/boringssl/third_party/fiat/curve25519_tables.h +0 -7880
  1237. data/third_party/boringssl/third_party/fiat/internal.h +0 -154
  1238. data/third_party/boringssl/third_party/fiat/p256.c +0 -1063
  1239. data/third_party/boringssl/third_party/fiat/p256_32.h +0 -3226
  1240. data/third_party/boringssl/third_party/fiat/p256_64.h +0 -1217
@@ -0,0 +1,2487 @@
1
+ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2
+ * All rights reserved.
3
+ *
4
+ * This package is an SSL implementation written
5
+ * by Eric Young (eay@cryptsoft.com).
6
+ * The implementation was written so as to conform with Netscapes SSL.
7
+ *
8
+ * This library is free for commercial and non-commercial use as long as
9
+ * the following conditions are aheared to. The following conditions
10
+ * apply to all code found in this distribution, be it the RC4, RSA,
11
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12
+ * included with this distribution is covered by the same copyright terms
13
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14
+ *
15
+ * Copyright remains Eric Young's, and as such any Copyright notices in
16
+ * the code are not to be removed.
17
+ * If this package is used in a product, Eric Young should be given attribution
18
+ * as the author of the parts of the library used.
19
+ * This can be in the form of a textual message at program startup or
20
+ * in documentation (online or textual) provided with the package.
21
+ *
22
+ * Redistribution and use in source and binary forms, with or without
23
+ * modification, are permitted provided that the following conditions
24
+ * are met:
25
+ * 1. Redistributions of source code must retain the copyright
26
+ * notice, this list of conditions and the following disclaimer.
27
+ * 2. Redistributions in binary form must reproduce the above copyright
28
+ * notice, this list of conditions and the following disclaimer in the
29
+ * documentation and/or other materials provided with the distribution.
30
+ * 3. All advertising materials mentioning features or use of this software
31
+ * must display the following acknowledgement:
32
+ * "This product includes cryptographic software written by
33
+ * Eric Young (eay@cryptsoft.com)"
34
+ * The word 'cryptographic' can be left out if the rouines from the library
35
+ * being used are not cryptographic related :-).
36
+ * 4. If you include any Windows specific code (or a derivative thereof) from
37
+ * the apps directory (application code) you must include an acknowledgement:
38
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39
+ *
40
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50
+ * SUCH DAMAGE.
51
+ *
52
+ * The licence and distribution terms for any publically available version or
53
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
54
+ * copied and put under another distribution licence
55
+ * [including the GNU Public Licence.] */
56
+
57
+ #include <ctype.h>
58
+ #include <string.h>
59
+ #include <time.h>
60
+
61
+ #include <openssl/asn1.h>
62
+ #include <openssl/err.h>
63
+ #include <openssl/evp.h>
64
+ #include <openssl/mem.h>
65
+ #include <openssl/obj.h>
66
+ #include <openssl/thread.h>
67
+ #include <openssl/x509.h>
68
+ #include <openssl/x509v3.h>
69
+
70
+ #include "vpm_int.h"
71
+ #include "../internal.h"
72
+ #include "../x509v3/internal.h"
73
+
74
+ static CRYPTO_EX_DATA_CLASS g_ex_data_class =
75
+ CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
76
+
77
+ /* CRL score values */
78
+
79
+ /* No unhandled critical extensions */
80
+
81
+ #define CRL_SCORE_NOCRITICAL 0x100
82
+
83
+ /* certificate is within CRL scope */
84
+
85
+ #define CRL_SCORE_SCOPE 0x080
86
+
87
+ /* CRL times valid */
88
+
89
+ #define CRL_SCORE_TIME 0x040
90
+
91
+ /* Issuer name matches certificate */
92
+
93
+ #define CRL_SCORE_ISSUER_NAME 0x020
94
+
95
+ /* If this score or above CRL is probably valid */
96
+
97
+ #define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
98
+
99
+ /* CRL issuer is certificate issuer */
100
+
101
+ #define CRL_SCORE_ISSUER_CERT 0x018
102
+
103
+ /* CRL issuer is on certificate path */
104
+
105
+ #define CRL_SCORE_SAME_PATH 0x008
106
+
107
+ /* CRL issuer matches CRL AKID */
108
+
109
+ #define CRL_SCORE_AKID 0x004
110
+
111
+ /* Have a delta CRL with valid times */
112
+
113
+ #define CRL_SCORE_TIME_DELTA 0x002
114
+
115
+ static int null_callback(int ok, X509_STORE_CTX *e);
116
+ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
117
+ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
118
+ static int check_chain_extensions(X509_STORE_CTX *ctx);
119
+ static int check_name_constraints(X509_STORE_CTX *ctx);
120
+ static int check_id(X509_STORE_CTX *ctx);
121
+ static int check_trust(X509_STORE_CTX *ctx);
122
+ static int check_revocation(X509_STORE_CTX *ctx);
123
+ static int check_cert(X509_STORE_CTX *ctx);
124
+ static int check_policy(X509_STORE_CTX *ctx);
125
+
126
+ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
127
+ unsigned int *preasons, X509_CRL *crl, X509 *x);
128
+ static int get_crl_delta(X509_STORE_CTX *ctx,
129
+ X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
130
+ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl,
131
+ int *pcrl_score, X509_CRL *base,
132
+ STACK_OF(X509_CRL) *crls);
133
+ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
134
+ int *pcrl_score);
135
+ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
136
+ unsigned int *preasons);
137
+ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
138
+ static int check_crl_chain(X509_STORE_CTX *ctx,
139
+ STACK_OF(X509) *cert_path,
140
+ STACK_OF(X509) *crl_path);
141
+
142
+ static int internal_verify(X509_STORE_CTX *ctx);
143
+
144
+ static int null_callback(int ok, X509_STORE_CTX *e)
145
+ {
146
+ return ok;
147
+ }
148
+
149
+ /* Return 1 is a certificate is self signed */
150
+ static int cert_self_signed(X509 *x)
151
+ {
152
+ X509_check_purpose(x, -1, 0);
153
+ if (x->ex_flags & EXFLAG_SS)
154
+ return 1;
155
+ else
156
+ return 0;
157
+ }
158
+
159
+ /* Given a certificate try and find an exact match in the store */
160
+
161
+ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
162
+ {
163
+ STACK_OF(X509) *certs;
164
+ X509 *xtmp = NULL;
165
+ size_t i;
166
+ /* Lookup all certs with matching subject name */
167
+ certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
168
+ if (certs == NULL)
169
+ return NULL;
170
+ /* Look for exact match */
171
+ for (i = 0; i < sk_X509_num(certs); i++) {
172
+ xtmp = sk_X509_value(certs, i);
173
+ if (!X509_cmp(xtmp, x))
174
+ break;
175
+ }
176
+ if (i < sk_X509_num(certs))
177
+ X509_up_ref(xtmp);
178
+ else
179
+ xtmp = NULL;
180
+ sk_X509_pop_free(certs, X509_free);
181
+ return xtmp;
182
+ }
183
+
184
+ int X509_verify_cert(X509_STORE_CTX *ctx)
185
+ {
186
+ X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
187
+ int bad_chain = 0;
188
+ X509_VERIFY_PARAM *param = ctx->param;
189
+ int depth, i, ok = 0;
190
+ int num, j, retry, trust;
191
+ int (*cb) (int xok, X509_STORE_CTX *xctx);
192
+ STACK_OF(X509) *sktmp = NULL;
193
+ if (ctx->cert == NULL) {
194
+ OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
195
+ ctx->error = X509_V_ERR_INVALID_CALL;
196
+ return -1;
197
+ }
198
+ if (ctx->chain != NULL) {
199
+ /*
200
+ * This X509_STORE_CTX has already been used to verify a cert. We
201
+ * cannot do another one.
202
+ */
203
+ OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
204
+ ctx->error = X509_V_ERR_INVALID_CALL;
205
+ return -1;
206
+ }
207
+
208
+ cb = ctx->verify_cb;
209
+
210
+ /*
211
+ * first we make sure the chain we are going to build is present and that
212
+ * the first entry is in place
213
+ */
214
+ ctx->chain = sk_X509_new_null();
215
+ if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
216
+ OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
217
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
218
+ goto end;
219
+ }
220
+ X509_up_ref(ctx->cert);
221
+ ctx->last_untrusted = 1;
222
+
223
+ /* We use a temporary STACK so we can chop and hack at it.
224
+ * sktmp = ctx->untrusted ++ ctx->ctx->additional_untrusted */
225
+ if (ctx->untrusted != NULL
226
+ && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
227
+ OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
228
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
229
+ goto end;
230
+ }
231
+
232
+ if (ctx->ctx->additional_untrusted != NULL) {
233
+ if (sktmp == NULL) {
234
+ sktmp = sk_X509_new_null();
235
+ if (sktmp == NULL) {
236
+ OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
237
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
238
+ goto end;
239
+ }
240
+ }
241
+
242
+ for (size_t k = 0; k < sk_X509_num(ctx->ctx->additional_untrusted);
243
+ k++) {
244
+ if (!sk_X509_push(sktmp,
245
+ sk_X509_value(ctx->ctx->additional_untrusted,
246
+ k))) {
247
+ OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
248
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
249
+ goto end;
250
+ }
251
+ }
252
+ }
253
+
254
+ num = sk_X509_num(ctx->chain);
255
+ x = sk_X509_value(ctx->chain, num - 1);
256
+ depth = param->depth;
257
+
258
+ for (;;) {
259
+ /* If we have enough, we break */
260
+ if (depth < num)
261
+ break; /* FIXME: If this happens, we should take
262
+ * note of it and, if appropriate, use the
263
+ * X509_V_ERR_CERT_CHAIN_TOO_LONG error code
264
+ * later. */
265
+
266
+ /* If we are self signed, we break */
267
+ if (cert_self_signed(x))
268
+ break;
269
+ /*
270
+ * If asked see if we can find issuer in trusted store first
271
+ */
272
+ if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
273
+ ok = ctx->get_issuer(&xtmp, ctx, x);
274
+ if (ok < 0) {
275
+ ctx->error = X509_V_ERR_STORE_LOOKUP;
276
+ goto end;
277
+ }
278
+ /*
279
+ * If successful for now free up cert so it will be picked up
280
+ * again later.
281
+ */
282
+ if (ok > 0) {
283
+ X509_free(xtmp);
284
+ break;
285
+ }
286
+ }
287
+
288
+ /* If we were passed a cert chain, use it first */
289
+ if (sktmp != NULL) {
290
+ xtmp = find_issuer(ctx, sktmp, x);
291
+ if (xtmp != NULL) {
292
+ if (!sk_X509_push(ctx->chain, xtmp)) {
293
+ OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
294
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
295
+ ok = 0;
296
+ goto end;
297
+ }
298
+ X509_up_ref(xtmp);
299
+ (void)sk_X509_delete_ptr(sktmp, xtmp);
300
+ ctx->last_untrusted++;
301
+ x = xtmp;
302
+ num++;
303
+ /*
304
+ * reparse the full chain for the next one
305
+ */
306
+ continue;
307
+ }
308
+ }
309
+ break;
310
+ }
311
+
312
+ /* Remember how many untrusted certs we have */
313
+ j = num;
314
+ /*
315
+ * at this point, chain should contain a list of untrusted certificates.
316
+ * We now need to add at least one trusted one, if possible, otherwise we
317
+ * complain.
318
+ */
319
+
320
+ do {
321
+ /*
322
+ * Examine last certificate in chain and see if it is self signed.
323
+ */
324
+ i = sk_X509_num(ctx->chain);
325
+ x = sk_X509_value(ctx->chain, i - 1);
326
+ if (cert_self_signed(x)) {
327
+ /* we have a self signed certificate */
328
+ if (sk_X509_num(ctx->chain) == 1) {
329
+ /*
330
+ * We have a single self signed certificate: see if we can
331
+ * find it in the store. We must have an exact match to avoid
332
+ * possible impersonation.
333
+ */
334
+ ok = ctx->get_issuer(&xtmp, ctx, x);
335
+ if ((ok <= 0) || X509_cmp(x, xtmp)) {
336
+ ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
337
+ ctx->current_cert = x;
338
+ ctx->error_depth = i - 1;
339
+ if (ok == 1)
340
+ X509_free(xtmp);
341
+ bad_chain = 1;
342
+ ok = cb(0, ctx);
343
+ if (!ok)
344
+ goto end;
345
+ } else {
346
+ /*
347
+ * We have a match: replace certificate with store
348
+ * version so we get any trust settings.
349
+ */
350
+ X509_free(x);
351
+ x = xtmp;
352
+ (void)sk_X509_set(ctx->chain, i - 1, x);
353
+ ctx->last_untrusted = 0;
354
+ }
355
+ } else {
356
+ /*
357
+ * extract and save self signed certificate for later use
358
+ */
359
+ chain_ss = sk_X509_pop(ctx->chain);
360
+ ctx->last_untrusted--;
361
+ num--;
362
+ j--;
363
+ x = sk_X509_value(ctx->chain, num - 1);
364
+ }
365
+ }
366
+ /* We now lookup certs from the certificate store */
367
+ for (;;) {
368
+ /* If we have enough, we break */
369
+ if (depth < num)
370
+ break;
371
+ /* If we are self signed, we break */
372
+ if (cert_self_signed(x))
373
+ break;
374
+ ok = ctx->get_issuer(&xtmp, ctx, x);
375
+
376
+ if (ok < 0) {
377
+ ctx->error = X509_V_ERR_STORE_LOOKUP;
378
+ goto end;
379
+ }
380
+ if (ok == 0)
381
+ break;
382
+ x = xtmp;
383
+ if (!sk_X509_push(ctx->chain, x)) {
384
+ X509_free(xtmp);
385
+ OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
386
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
387
+ ok = 0;
388
+ goto end;
389
+ }
390
+ num++;
391
+ }
392
+
393
+ /* we now have our chain, lets check it... */
394
+ trust = check_trust(ctx);
395
+
396
+ /* If explicitly rejected error */
397
+ if (trust == X509_TRUST_REJECTED) {
398
+ ok = 0;
399
+ goto end;
400
+ }
401
+ /*
402
+ * If it's not explicitly trusted then check if there is an alternative
403
+ * chain that could be used. We only do this if we haven't already
404
+ * checked via TRUSTED_FIRST and the user hasn't switched off alternate
405
+ * chain checking
406
+ */
407
+ retry = 0;
408
+ if (trust != X509_TRUST_TRUSTED
409
+ && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
410
+ && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
411
+ while (j-- > 1) {
412
+ xtmp2 = sk_X509_value(ctx->chain, j - 1);
413
+ ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
414
+ if (ok < 0)
415
+ goto end;
416
+ /* Check if we found an alternate chain */
417
+ if (ok > 0) {
418
+ /*
419
+ * Free up the found cert we'll add it again later
420
+ */
421
+ X509_free(xtmp);
422
+
423
+ /*
424
+ * Dump all the certs above this point - we've found an
425
+ * alternate chain
426
+ */
427
+ while (num > j) {
428
+ xtmp = sk_X509_pop(ctx->chain);
429
+ X509_free(xtmp);
430
+ num--;
431
+ }
432
+ ctx->last_untrusted = sk_X509_num(ctx->chain);
433
+ retry = 1;
434
+ break;
435
+ }
436
+ }
437
+ }
438
+ } while (retry);
439
+
440
+ /*
441
+ * If not explicitly trusted then indicate error unless it's a single
442
+ * self signed certificate in which case we've indicated an error already
443
+ * and set bad_chain == 1
444
+ */
445
+ if (trust != X509_TRUST_TRUSTED && !bad_chain) {
446
+ if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
447
+ if (ctx->last_untrusted >= num)
448
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
449
+ else
450
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
451
+ ctx->current_cert = x;
452
+ } else {
453
+
454
+ sk_X509_push(ctx->chain, chain_ss);
455
+ num++;
456
+ ctx->last_untrusted = num;
457
+ ctx->current_cert = chain_ss;
458
+ ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
459
+ chain_ss = NULL;
460
+ }
461
+
462
+ ctx->error_depth = num - 1;
463
+ bad_chain = 1;
464
+ ok = cb(0, ctx);
465
+ if (!ok)
466
+ goto end;
467
+ }
468
+
469
+ /* We have the chain complete: now we need to check its purpose */
470
+ ok = check_chain_extensions(ctx);
471
+
472
+ if (!ok)
473
+ goto end;
474
+
475
+ ok = check_id(ctx);
476
+
477
+ if (!ok)
478
+ goto end;
479
+
480
+ /*
481
+ * Check revocation status: we do this after copying parameters because
482
+ * they may be needed for CRL signature verification.
483
+ */
484
+
485
+ ok = ctx->check_revocation(ctx);
486
+ if (!ok)
487
+ goto end;
488
+
489
+ int err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
490
+ ctx->param->flags);
491
+ if (err != X509_V_OK) {
492
+ ctx->error = err;
493
+ ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
494
+ ok = cb(0, ctx);
495
+ if (!ok)
496
+ goto end;
497
+ }
498
+
499
+ /* At this point, we have a chain and need to verify it */
500
+ if (ctx->verify != NULL)
501
+ ok = ctx->verify(ctx);
502
+ else
503
+ ok = internal_verify(ctx);
504
+ if (!ok)
505
+ goto end;
506
+
507
+ /* Check name constraints */
508
+
509
+ ok = check_name_constraints(ctx);
510
+ if (!ok)
511
+ goto end;
512
+
513
+ /* If we get this far evaluate policies */
514
+ if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
515
+ ok = ctx->check_policy(ctx);
516
+
517
+ end:
518
+ if (sktmp != NULL)
519
+ sk_X509_free(sktmp);
520
+ if (chain_ss != NULL)
521
+ X509_free(chain_ss);
522
+
523
+ /* Safety net, error returns must set ctx->error */
524
+ if (ok <= 0 && ctx->error == X509_V_OK)
525
+ ctx->error = X509_V_ERR_UNSPECIFIED;
526
+ return ok;
527
+ }
528
+
529
+ /*
530
+ * Given a STACK_OF(X509) find the issuer of cert (if any)
531
+ */
532
+
533
+ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
534
+ {
535
+ size_t i;
536
+ X509 *issuer;
537
+ for (i = 0; i < sk_X509_num(sk); i++) {
538
+ issuer = sk_X509_value(sk, i);
539
+ if (ctx->check_issued(ctx, x, issuer))
540
+ return issuer;
541
+ }
542
+ return NULL;
543
+ }
544
+
545
+ /* Given a possible certificate and issuer check them */
546
+
547
+ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
548
+ {
549
+ int ret;
550
+ ret = X509_check_issued(issuer, x);
551
+ if (ret == X509_V_OK)
552
+ return 1;
553
+ /* If we haven't asked for issuer errors don't set ctx */
554
+ if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
555
+ return 0;
556
+
557
+ ctx->error = ret;
558
+ ctx->current_cert = x;
559
+ ctx->current_issuer = issuer;
560
+ return ctx->verify_cb(0, ctx);
561
+ }
562
+
563
+ /* Alternative lookup method: look from a STACK stored in other_ctx */
564
+
565
+ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
566
+ {
567
+ *issuer = find_issuer(ctx, ctx->other_ctx, x);
568
+ if (*issuer) {
569
+ X509_up_ref(*issuer);
570
+ return 1;
571
+ } else
572
+ return 0;
573
+ }
574
+
575
+ /*
576
+ * Check a certificate chains extensions for consistency with the supplied
577
+ * purpose
578
+ */
579
+
580
+ static int check_chain_extensions(X509_STORE_CTX *ctx)
581
+ {
582
+ int i, ok = 0, plen = 0;
583
+ X509 *x;
584
+ int (*cb) (int xok, X509_STORE_CTX *xctx);
585
+ int proxy_path_length = 0;
586
+ int purpose;
587
+ int allow_proxy_certs;
588
+ cb = ctx->verify_cb;
589
+
590
+ enum {
591
+ // ca_or_leaf allows either type of certificate so that direct use of
592
+ // self-signed certificates works.
593
+ ca_or_leaf,
594
+ must_be_ca,
595
+ must_not_be_ca,
596
+ } ca_requirement;
597
+
598
+ /* CRL path validation */
599
+ if (ctx->parent) {
600
+ allow_proxy_certs = 0;
601
+ purpose = X509_PURPOSE_CRL_SIGN;
602
+ } else {
603
+ allow_proxy_certs =
604
+ ! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
605
+ purpose = ctx->param->purpose;
606
+ }
607
+
608
+ ca_requirement = ca_or_leaf;
609
+
610
+ /* Check all untrusted certificates */
611
+ for (i = 0; i < ctx->last_untrusted; i++) {
612
+ int ret;
613
+ x = sk_X509_value(ctx->chain, i);
614
+ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
615
+ && (x->ex_flags & EXFLAG_CRITICAL)) {
616
+ ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
617
+ ctx->error_depth = i;
618
+ ctx->current_cert = x;
619
+ ok = cb(0, ctx);
620
+ if (!ok)
621
+ goto end;
622
+ }
623
+ if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
624
+ ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
625
+ ctx->error_depth = i;
626
+ ctx->current_cert = x;
627
+ ok = cb(0, ctx);
628
+ if (!ok)
629
+ goto end;
630
+ }
631
+
632
+ switch (ca_requirement) {
633
+ case ca_or_leaf:
634
+ ret = 1;
635
+ break;
636
+ case must_not_be_ca:
637
+ if (X509_check_ca(x)) {
638
+ ret = 0;
639
+ ctx->error = X509_V_ERR_INVALID_NON_CA;
640
+ } else
641
+ ret = 1;
642
+ break;
643
+ case must_be_ca:
644
+ if (!X509_check_ca(x)) {
645
+ ret = 0;
646
+ ctx->error = X509_V_ERR_INVALID_CA;
647
+ } else
648
+ ret = 1;
649
+ break;
650
+ default:
651
+ // impossible.
652
+ ret = 0;
653
+ }
654
+
655
+ if (ret == 0) {
656
+ ctx->error_depth = i;
657
+ ctx->current_cert = x;
658
+ ok = cb(0, ctx);
659
+ if (!ok)
660
+ goto end;
661
+ }
662
+ if (ctx->param->purpose > 0) {
663
+ ret = X509_check_purpose(x, purpose, ca_requirement == must_be_ca);
664
+ if (ret != 1) {
665
+ ret = 0;
666
+ ctx->error = X509_V_ERR_INVALID_PURPOSE;
667
+ ctx->error_depth = i;
668
+ ctx->current_cert = x;
669
+ ok = cb(0, ctx);
670
+ if (!ok)
671
+ goto end;
672
+ }
673
+ }
674
+ /* Check pathlen if not self issued */
675
+ if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
676
+ && (x->ex_pathlen != -1)
677
+ && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
678
+ ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
679
+ ctx->error_depth = i;
680
+ ctx->current_cert = x;
681
+ ok = cb(0, ctx);
682
+ if (!ok)
683
+ goto end;
684
+ }
685
+ /* Increment path length if not self issued */
686
+ if (!(x->ex_flags & EXFLAG_SI))
687
+ plen++;
688
+ /*
689
+ * If this certificate is a proxy certificate, the next certificate
690
+ * must be another proxy certificate or a EE certificate. If not,
691
+ * the next certificate must be a CA certificate.
692
+ */
693
+ if (x->ex_flags & EXFLAG_PROXY) {
694
+ if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
695
+ ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
696
+ ctx->error_depth = i;
697
+ ctx->current_cert = x;
698
+ ok = cb(0, ctx);
699
+ if (!ok)
700
+ goto end;
701
+ }
702
+ proxy_path_length++;
703
+ ca_requirement = must_not_be_ca;
704
+ } else {
705
+ ca_requirement = must_be_ca;
706
+ }
707
+ }
708
+ ok = 1;
709
+ end:
710
+ return ok;
711
+ }
712
+
713
+ static int reject_dns_name_in_common_name(X509 *x509)
714
+ {
715
+ X509_NAME *name = X509_get_subject_name(x509);
716
+ int i = -1;
717
+ for (;;) {
718
+ i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
719
+ if (i == -1) {
720
+ return X509_V_OK;
721
+ }
722
+
723
+ X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);
724
+ ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(entry);
725
+ unsigned char *idval;
726
+ int idlen = ASN1_STRING_to_UTF8(&idval, common_name);
727
+ if (idlen < 0) {
728
+ return X509_V_ERR_OUT_OF_MEM;
729
+ }
730
+ /* Only process attributes that look like host names. Note it is
731
+ * important that this check be mirrored in |X509_check_host|. */
732
+ int looks_like_dns = x509v3_looks_like_dns_name(idval, (size_t)idlen);
733
+ OPENSSL_free(idval);
734
+ if (looks_like_dns) {
735
+ return X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS;
736
+ }
737
+ }
738
+ }
739
+
740
+ static int check_name_constraints(X509_STORE_CTX *ctx)
741
+ {
742
+ int i, j, rv;
743
+ int has_name_constraints = 0;
744
+ /* Check name constraints for all certificates */
745
+ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
746
+ X509 *x = sk_X509_value(ctx->chain, i);
747
+ /* Ignore self issued certs unless last in chain */
748
+ if (i && (x->ex_flags & EXFLAG_SI))
749
+ continue;
750
+ /*
751
+ * Check against constraints for all certificates higher in chain
752
+ * including trust anchor. Trust anchor not strictly speaking needed
753
+ * but if it includes constraints it is to be assumed it expects them
754
+ * to be obeyed.
755
+ */
756
+ for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
757
+ NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
758
+ if (nc) {
759
+ has_name_constraints = 1;
760
+ rv = NAME_CONSTRAINTS_check(x, nc);
761
+ switch (rv) {
762
+ case X509_V_OK:
763
+ continue;
764
+ case X509_V_ERR_OUT_OF_MEM:
765
+ ctx->error = rv;
766
+ return 0;
767
+ default:
768
+ ctx->error = rv;
769
+ ctx->error_depth = i;
770
+ ctx->current_cert = x;
771
+ if (!ctx->verify_cb(0, ctx))
772
+ return 0;
773
+ break;
774
+ }
775
+ }
776
+ }
777
+ }
778
+
779
+ /* Name constraints do not match against the common name, but
780
+ * |X509_check_host| still implements the legacy behavior where, on
781
+ * certificates lacking a SAN list, DNS-like names in the common name are
782
+ * checked instead.
783
+ *
784
+ * While we could apply the name constraints to the common name, name
785
+ * constraints are rare enough that can hold such certificates to a higher
786
+ * standard. Note this does not make "DNS-like" heuristic failures any
787
+ * worse. A decorative common-name misidentified as a DNS name would fail
788
+ * the name constraint anyway. */
789
+ X509 *leaf = sk_X509_value(ctx->chain, 0);
790
+ if (has_name_constraints && leaf->altname == NULL) {
791
+ rv = reject_dns_name_in_common_name(leaf);
792
+ switch (rv) {
793
+ case X509_V_OK:
794
+ break;
795
+ case X509_V_ERR_OUT_OF_MEM:
796
+ ctx->error = rv;
797
+ return 0;
798
+ default:
799
+ ctx->error = rv;
800
+ ctx->error_depth = i;
801
+ ctx->current_cert = leaf;
802
+ if (!ctx->verify_cb(0, ctx))
803
+ return 0;
804
+ break;
805
+ }
806
+ }
807
+
808
+ return 1;
809
+ }
810
+
811
+ static int check_id_error(X509_STORE_CTX *ctx, int errcode)
812
+ {
813
+ ctx->error = errcode;
814
+ ctx->current_cert = ctx->cert;
815
+ ctx->error_depth = 0;
816
+ return ctx->verify_cb(0, ctx);
817
+ }
818
+
819
+ static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
820
+ {
821
+ size_t i;
822
+ size_t n = sk_OPENSSL_STRING_num(id->hosts);
823
+ char *name;
824
+
825
+ if (id->peername != NULL) {
826
+ OPENSSL_free(id->peername);
827
+ id->peername = NULL;
828
+ }
829
+ for (i = 0; i < n; ++i) {
830
+ name = sk_OPENSSL_STRING_value(id->hosts, i);
831
+ if (X509_check_host(x, name, strlen(name), id->hostflags,
832
+ &id->peername) > 0)
833
+ return 1;
834
+ }
835
+ return n == 0;
836
+ }
837
+
838
+ static int check_id(X509_STORE_CTX *ctx)
839
+ {
840
+ X509_VERIFY_PARAM *vpm = ctx->param;
841
+ X509_VERIFY_PARAM_ID *id = vpm->id;
842
+ X509 *x = ctx->cert;
843
+ if (id->poison) {
844
+ if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL))
845
+ return 0;
846
+ }
847
+ if (id->hosts && check_hosts(x, id) <= 0) {
848
+ if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
849
+ return 0;
850
+ }
851
+ if (id->email && X509_check_email(x, id->email, id->emaillen, 0) <= 0) {
852
+ if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
853
+ return 0;
854
+ }
855
+ if (id->ip && X509_check_ip(x, id->ip, id->iplen, 0) <= 0) {
856
+ if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
857
+ return 0;
858
+ }
859
+ return 1;
860
+ }
861
+
862
+ static int check_trust(X509_STORE_CTX *ctx)
863
+ {
864
+ size_t i;
865
+ int ok;
866
+ X509 *x = NULL;
867
+ int (*cb) (int xok, X509_STORE_CTX *xctx);
868
+ cb = ctx->verify_cb;
869
+ /* Check all trusted certificates in chain */
870
+ for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
871
+ x = sk_X509_value(ctx->chain, i);
872
+ ok = X509_check_trust(x, ctx->param->trust, 0);
873
+ /* If explicitly trusted return trusted */
874
+ if (ok == X509_TRUST_TRUSTED)
875
+ return X509_TRUST_TRUSTED;
876
+ /*
877
+ * If explicitly rejected notify callback and reject if not
878
+ * overridden.
879
+ */
880
+ if (ok == X509_TRUST_REJECTED) {
881
+ ctx->error_depth = i;
882
+ ctx->current_cert = x;
883
+ ctx->error = X509_V_ERR_CERT_REJECTED;
884
+ ok = cb(0, ctx);
885
+ if (!ok)
886
+ return X509_TRUST_REJECTED;
887
+ }
888
+ }
889
+ /*
890
+ * If we accept partial chains and have at least one trusted certificate
891
+ * return success.
892
+ */
893
+ if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
894
+ X509 *mx;
895
+ if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain))
896
+ return X509_TRUST_TRUSTED;
897
+ x = sk_X509_value(ctx->chain, 0);
898
+ mx = lookup_cert_match(ctx, x);
899
+ if (mx) {
900
+ (void)sk_X509_set(ctx->chain, 0, mx);
901
+ X509_free(x);
902
+ ctx->last_untrusted = 0;
903
+ return X509_TRUST_TRUSTED;
904
+ }
905
+ }
906
+
907
+ /*
908
+ * If no trusted certs in chain at all return untrusted and allow
909
+ * standard (no issuer cert) etc errors to be indicated.
910
+ */
911
+ return X509_TRUST_UNTRUSTED;
912
+ }
913
+
914
+ static int check_revocation(X509_STORE_CTX *ctx)
915
+ {
916
+ int i, last, ok;
917
+ if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
918
+ return 1;
919
+ if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
920
+ last = sk_X509_num(ctx->chain) - 1;
921
+ else {
922
+ /* If checking CRL paths this isn't the EE certificate */
923
+ if (ctx->parent)
924
+ return 1;
925
+ last = 0;
926
+ }
927
+ for (i = 0; i <= last; i++) {
928
+ ctx->error_depth = i;
929
+ ok = check_cert(ctx);
930
+ if (!ok)
931
+ return ok;
932
+ }
933
+ return 1;
934
+ }
935
+
936
+ static int check_cert(X509_STORE_CTX *ctx)
937
+ {
938
+ X509_CRL *crl = NULL, *dcrl = NULL;
939
+ X509 *x;
940
+ int ok = 0, cnum;
941
+ unsigned int last_reasons;
942
+ cnum = ctx->error_depth;
943
+ x = sk_X509_value(ctx->chain, cnum);
944
+ ctx->current_cert = x;
945
+ ctx->current_issuer = NULL;
946
+ ctx->current_crl_score = 0;
947
+ ctx->current_reasons = 0;
948
+ while (ctx->current_reasons != CRLDP_ALL_REASONS) {
949
+ last_reasons = ctx->current_reasons;
950
+ /* Try to retrieve relevant CRL */
951
+ if (ctx->get_crl)
952
+ ok = ctx->get_crl(ctx, &crl, x);
953
+ else
954
+ ok = get_crl_delta(ctx, &crl, &dcrl, x);
955
+ /*
956
+ * If error looking up CRL, nothing we can do except notify callback
957
+ */
958
+ if (!ok) {
959
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
960
+ ok = ctx->verify_cb(0, ctx);
961
+ goto err;
962
+ }
963
+ ctx->current_crl = crl;
964
+ ok = ctx->check_crl(ctx, crl);
965
+ if (!ok)
966
+ goto err;
967
+
968
+ if (dcrl) {
969
+ ok = ctx->check_crl(ctx, dcrl);
970
+ if (!ok)
971
+ goto err;
972
+ ok = ctx->cert_crl(ctx, dcrl, x);
973
+ if (!ok)
974
+ goto err;
975
+ } else
976
+ ok = 1;
977
+
978
+ /* Don't look in full CRL if delta reason is removefromCRL */
979
+ if (ok != 2) {
980
+ ok = ctx->cert_crl(ctx, crl, x);
981
+ if (!ok)
982
+ goto err;
983
+ }
984
+
985
+ X509_CRL_free(crl);
986
+ X509_CRL_free(dcrl);
987
+ crl = NULL;
988
+ dcrl = NULL;
989
+ /*
990
+ * If reasons not updated we wont get anywhere by another iteration,
991
+ * so exit loop.
992
+ */
993
+ if (last_reasons == ctx->current_reasons) {
994
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
995
+ ok = ctx->verify_cb(0, ctx);
996
+ goto err;
997
+ }
998
+ }
999
+ err:
1000
+ X509_CRL_free(crl);
1001
+ X509_CRL_free(dcrl);
1002
+
1003
+ ctx->current_crl = NULL;
1004
+ return ok;
1005
+
1006
+ }
1007
+
1008
+ /* Check CRL times against values in X509_STORE_CTX */
1009
+
1010
+ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
1011
+ {
1012
+ time_t *ptime;
1013
+ int i;
1014
+ if (notify)
1015
+ ctx->current_crl = crl;
1016
+ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1017
+ ptime = &ctx->param->check_time;
1018
+ else
1019
+ ptime = NULL;
1020
+
1021
+ i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
1022
+ if (i == 0) {
1023
+ if (!notify)
1024
+ return 0;
1025
+ ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
1026
+ if (!ctx->verify_cb(0, ctx))
1027
+ return 0;
1028
+ }
1029
+
1030
+ if (i > 0) {
1031
+ if (!notify)
1032
+ return 0;
1033
+ ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
1034
+ if (!ctx->verify_cb(0, ctx))
1035
+ return 0;
1036
+ }
1037
+
1038
+ if (X509_CRL_get_nextUpdate(crl)) {
1039
+ i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
1040
+
1041
+ if (i == 0) {
1042
+ if (!notify)
1043
+ return 0;
1044
+ ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
1045
+ if (!ctx->verify_cb(0, ctx))
1046
+ return 0;
1047
+ }
1048
+ /* Ignore expiry of base CRL is delta is valid */
1049
+ if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
1050
+ if (!notify)
1051
+ return 0;
1052
+ ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
1053
+ if (!ctx->verify_cb(0, ctx))
1054
+ return 0;
1055
+ }
1056
+ }
1057
+
1058
+ if (notify)
1059
+ ctx->current_crl = NULL;
1060
+
1061
+ return 1;
1062
+ }
1063
+
1064
+ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
1065
+ X509 **pissuer, int *pscore, unsigned int *preasons,
1066
+ STACK_OF(X509_CRL) *crls)
1067
+ {
1068
+ int crl_score, best_score = *pscore;
1069
+ size_t i;
1070
+ unsigned int reasons, best_reasons = 0;
1071
+ X509 *x = ctx->current_cert;
1072
+ X509_CRL *crl, *best_crl = NULL;
1073
+ X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
1074
+
1075
+ for (i = 0; i < sk_X509_CRL_num(crls); i++) {
1076
+ crl = sk_X509_CRL_value(crls, i);
1077
+ reasons = *preasons;
1078
+ crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
1079
+ if (crl_score < best_score || crl_score == 0)
1080
+ continue;
1081
+ /* If current CRL is equivalent use it if it is newer */
1082
+ if (crl_score == best_score && best_crl != NULL) {
1083
+ int day, sec;
1084
+ if (ASN1_TIME_diff(&day, &sec, X509_CRL_get_lastUpdate(best_crl),
1085
+ X509_CRL_get_lastUpdate(crl)) == 0)
1086
+ continue;
1087
+ /*
1088
+ * ASN1_TIME_diff never returns inconsistent signs for |day|
1089
+ * and |sec|.
1090
+ */
1091
+ if (day <= 0 && sec <= 0)
1092
+ continue;
1093
+ }
1094
+ best_crl = crl;
1095
+ best_crl_issuer = crl_issuer;
1096
+ best_score = crl_score;
1097
+ best_reasons = reasons;
1098
+ }
1099
+
1100
+ if (best_crl) {
1101
+ if (*pcrl)
1102
+ X509_CRL_free(*pcrl);
1103
+ *pcrl = best_crl;
1104
+ *pissuer = best_crl_issuer;
1105
+ *pscore = best_score;
1106
+ *preasons = best_reasons;
1107
+ X509_CRL_up_ref(best_crl);
1108
+ if (*pdcrl) {
1109
+ X509_CRL_free(*pdcrl);
1110
+ *pdcrl = NULL;
1111
+ }
1112
+ get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
1113
+ }
1114
+
1115
+ if (best_score >= CRL_SCORE_VALID)
1116
+ return 1;
1117
+
1118
+ return 0;
1119
+ }
1120
+
1121
+ /*
1122
+ * Compare two CRL extensions for delta checking purposes. They should be
1123
+ * both present or both absent. If both present all fields must be identical.
1124
+ */
1125
+
1126
+ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
1127
+ {
1128
+ ASN1_OCTET_STRING *exta, *extb;
1129
+ int i;
1130
+ i = X509_CRL_get_ext_by_NID(a, nid, -1);
1131
+ if (i >= 0) {
1132
+ /* Can't have multiple occurrences */
1133
+ if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
1134
+ return 0;
1135
+ exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
1136
+ } else
1137
+ exta = NULL;
1138
+
1139
+ i = X509_CRL_get_ext_by_NID(b, nid, -1);
1140
+
1141
+ if (i >= 0) {
1142
+
1143
+ if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
1144
+ return 0;
1145
+ extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
1146
+ } else
1147
+ extb = NULL;
1148
+
1149
+ if (!exta && !extb)
1150
+ return 1;
1151
+
1152
+ if (!exta || !extb)
1153
+ return 0;
1154
+
1155
+ if (ASN1_OCTET_STRING_cmp(exta, extb))
1156
+ return 0;
1157
+
1158
+ return 1;
1159
+ }
1160
+
1161
+ /* See if a base and delta are compatible */
1162
+
1163
+ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
1164
+ {
1165
+ /* Delta CRL must be a delta */
1166
+ if (!delta->base_crl_number)
1167
+ return 0;
1168
+ /* Base must have a CRL number */
1169
+ if (!base->crl_number)
1170
+ return 0;
1171
+ /* Issuer names must match */
1172
+ if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta)))
1173
+ return 0;
1174
+ /* AKID and IDP must match */
1175
+ if (!crl_extension_match(delta, base, NID_authority_key_identifier))
1176
+ return 0;
1177
+ if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
1178
+ return 0;
1179
+ /* Delta CRL base number must not exceed Full CRL number. */
1180
+ if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
1181
+ return 0;
1182
+ /* Delta CRL number must exceed full CRL number */
1183
+ if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
1184
+ return 1;
1185
+ return 0;
1186
+ }
1187
+
1188
+ /*
1189
+ * For a given base CRL find a delta... maybe extend to delta scoring or
1190
+ * retrieve a chain of deltas...
1191
+ */
1192
+
1193
+ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
1194
+ X509_CRL *base, STACK_OF(X509_CRL) *crls)
1195
+ {
1196
+ X509_CRL *delta;
1197
+ size_t i;
1198
+ if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
1199
+ return;
1200
+ if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
1201
+ return;
1202
+ for (i = 0; i < sk_X509_CRL_num(crls); i++) {
1203
+ delta = sk_X509_CRL_value(crls, i);
1204
+ if (check_delta_base(delta, base)) {
1205
+ if (check_crl_time(ctx, delta, 0))
1206
+ *pscore |= CRL_SCORE_TIME_DELTA;
1207
+ X509_CRL_up_ref(delta);
1208
+ *dcrl = delta;
1209
+ return;
1210
+ }
1211
+ }
1212
+ *dcrl = NULL;
1213
+ }
1214
+
1215
+ /*
1216
+ * For a given CRL return how suitable it is for the supplied certificate
1217
+ * 'x'. The return value is a mask of several criteria. If the issuer is not
1218
+ * the certificate issuer this is returned in *pissuer. The reasons mask is
1219
+ * also used to determine if the CRL is suitable: if no new reasons the CRL
1220
+ * is rejected, otherwise reasons is updated.
1221
+ */
1222
+
1223
+ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
1224
+ unsigned int *preasons, X509_CRL *crl, X509 *x)
1225
+ {
1226
+
1227
+ int crl_score = 0;
1228
+ unsigned int tmp_reasons = *preasons, crl_reasons;
1229
+
1230
+ /* First see if we can reject CRL straight away */
1231
+
1232
+ /* Invalid IDP cannot be processed */
1233
+ if (crl->idp_flags & IDP_INVALID)
1234
+ return 0;
1235
+ /* Reason codes or indirect CRLs need extended CRL support */
1236
+ if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
1237
+ if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
1238
+ return 0;
1239
+ } else if (crl->idp_flags & IDP_REASONS) {
1240
+ /* If no new reasons reject */
1241
+ if (!(crl->idp_reasons & ~tmp_reasons))
1242
+ return 0;
1243
+ }
1244
+ /* Don't process deltas at this stage */
1245
+ else if (crl->base_crl_number)
1246
+ return 0;
1247
+ /* If issuer name doesn't match certificate need indirect CRL */
1248
+ if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
1249
+ if (!(crl->idp_flags & IDP_INDIRECT))
1250
+ return 0;
1251
+ } else
1252
+ crl_score |= CRL_SCORE_ISSUER_NAME;
1253
+
1254
+ if (!(crl->flags & EXFLAG_CRITICAL))
1255
+ crl_score |= CRL_SCORE_NOCRITICAL;
1256
+
1257
+ /* Check expiry */
1258
+ if (check_crl_time(ctx, crl, 0))
1259
+ crl_score |= CRL_SCORE_TIME;
1260
+
1261
+ /* Check authority key ID and locate certificate issuer */
1262
+ crl_akid_check(ctx, crl, pissuer, &crl_score);
1263
+
1264
+ /* If we can't locate certificate issuer at this point forget it */
1265
+
1266
+ if (!(crl_score & CRL_SCORE_AKID))
1267
+ return 0;
1268
+
1269
+ /* Check cert for matching CRL distribution points */
1270
+
1271
+ if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
1272
+ /* If no new reasons reject */
1273
+ if (!(crl_reasons & ~tmp_reasons))
1274
+ return 0;
1275
+ tmp_reasons |= crl_reasons;
1276
+ crl_score |= CRL_SCORE_SCOPE;
1277
+ }
1278
+
1279
+ *preasons = tmp_reasons;
1280
+
1281
+ return crl_score;
1282
+
1283
+ }
1284
+
1285
+ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1286
+ X509 **pissuer, int *pcrl_score)
1287
+ {
1288
+ X509 *crl_issuer = NULL;
1289
+ X509_NAME *cnm = X509_CRL_get_issuer(crl);
1290
+ int cidx = ctx->error_depth;
1291
+ size_t i;
1292
+
1293
+ if ((size_t)cidx != sk_X509_num(ctx->chain) - 1)
1294
+ cidx++;
1295
+
1296
+ crl_issuer = sk_X509_value(ctx->chain, cidx);
1297
+
1298
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1299
+ if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
1300
+ *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT;
1301
+ *pissuer = crl_issuer;
1302
+ return;
1303
+ }
1304
+ }
1305
+
1306
+ for (cidx++; cidx < (int)sk_X509_num(ctx->chain); cidx++) {
1307
+ crl_issuer = sk_X509_value(ctx->chain, cidx);
1308
+ if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1309
+ continue;
1310
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1311
+ *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH;
1312
+ *pissuer = crl_issuer;
1313
+ return;
1314
+ }
1315
+ }
1316
+
1317
+ /* Anything else needs extended CRL support */
1318
+
1319
+ if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
1320
+ return;
1321
+
1322
+ /*
1323
+ * Otherwise the CRL issuer is not on the path. Look for it in the set of
1324
+ * untrusted certificates.
1325
+ */
1326
+ for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
1327
+ crl_issuer = sk_X509_value(ctx->untrusted, i);
1328
+ if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1329
+ continue;
1330
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1331
+ *pissuer = crl_issuer;
1332
+ *pcrl_score |= CRL_SCORE_AKID;
1333
+ return;
1334
+ }
1335
+ }
1336
+
1337
+ for (i = 0; i < sk_X509_num(ctx->ctx->additional_untrusted); i++) {
1338
+ crl_issuer = sk_X509_value(ctx->ctx->additional_untrusted, i);
1339
+ if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1340
+ continue;
1341
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1342
+ *pissuer = crl_issuer;
1343
+ *pcrl_score |= CRL_SCORE_AKID;
1344
+ return;
1345
+ }
1346
+ }
1347
+ }
1348
+
1349
+ /*
1350
+ * Check the path of a CRL issuer certificate. This creates a new
1351
+ * X509_STORE_CTX and populates it with most of the parameters from the
1352
+ * parent. This could be optimised somewhat since a lot of path checking will
1353
+ * be duplicated by the parent, but this will rarely be used in practice.
1354
+ */
1355
+
1356
+ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1357
+ {
1358
+ X509_STORE_CTX crl_ctx;
1359
+ int ret;
1360
+ /* Don't allow recursive CRL path validation */
1361
+ if (ctx->parent)
1362
+ return 0;
1363
+ if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
1364
+ return -1;
1365
+
1366
+ crl_ctx.crls = ctx->crls;
1367
+ /* Copy verify params across */
1368
+ X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
1369
+
1370
+ crl_ctx.parent = ctx;
1371
+ crl_ctx.verify_cb = ctx->verify_cb;
1372
+
1373
+ /* Verify CRL issuer */
1374
+ ret = X509_verify_cert(&crl_ctx);
1375
+
1376
+ if (ret <= 0)
1377
+ goto err;
1378
+
1379
+ /* Check chain is acceptable */
1380
+
1381
+ ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1382
+ err:
1383
+ X509_STORE_CTX_cleanup(&crl_ctx);
1384
+ return ret;
1385
+ }
1386
+
1387
+ /*
1388
+ * RFC3280 says nothing about the relationship between CRL path and
1389
+ * certificate path, which could lead to situations where a certificate could
1390
+ * be revoked or validated by a CA not authorised to do so. RFC5280 is more
1391
+ * strict and states that the two paths must end in the same trust anchor,
1392
+ * though some discussions remain... until this is resolved we use the
1393
+ * RFC5280 version
1394
+ */
1395
+
1396
+ static int check_crl_chain(X509_STORE_CTX *ctx,
1397
+ STACK_OF(X509) *cert_path,
1398
+ STACK_OF(X509) *crl_path)
1399
+ {
1400
+ X509 *cert_ta, *crl_ta;
1401
+ cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1402
+ crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1403
+ if (!X509_cmp(cert_ta, crl_ta))
1404
+ return 1;
1405
+ return 0;
1406
+ }
1407
+
1408
+ /*
1409
+ * Check for match between two dist point names: three separate cases. 1.
1410
+ * Both are relative names and compare X509_NAME types. 2. One full, one
1411
+ * relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and
1412
+ * compare two GENERAL_NAMES. 4. One is NULL: automatic match.
1413
+ */
1414
+
1415
+ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1416
+ {
1417
+ X509_NAME *nm = NULL;
1418
+ GENERAL_NAMES *gens = NULL;
1419
+ GENERAL_NAME *gena, *genb;
1420
+ size_t i, j;
1421
+ if (!a || !b)
1422
+ return 1;
1423
+ if (a->type == 1) {
1424
+ if (!a->dpname)
1425
+ return 0;
1426
+ /* Case 1: two X509_NAME */
1427
+ if (b->type == 1) {
1428
+ if (!b->dpname)
1429
+ return 0;
1430
+ if (!X509_NAME_cmp(a->dpname, b->dpname))
1431
+ return 1;
1432
+ else
1433
+ return 0;
1434
+ }
1435
+ /* Case 2: set name and GENERAL_NAMES appropriately */
1436
+ nm = a->dpname;
1437
+ gens = b->name.fullname;
1438
+ } else if (b->type == 1) {
1439
+ if (!b->dpname)
1440
+ return 0;
1441
+ /* Case 2: set name and GENERAL_NAMES appropriately */
1442
+ gens = a->name.fullname;
1443
+ nm = b->dpname;
1444
+ }
1445
+
1446
+ /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1447
+ if (nm) {
1448
+ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1449
+ gena = sk_GENERAL_NAME_value(gens, i);
1450
+ if (gena->type != GEN_DIRNAME)
1451
+ continue;
1452
+ if (!X509_NAME_cmp(nm, gena->d.directoryName))
1453
+ return 1;
1454
+ }
1455
+ return 0;
1456
+ }
1457
+
1458
+ /* Else case 3: two GENERAL_NAMES */
1459
+
1460
+ for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
1461
+ gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1462
+ for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
1463
+ genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1464
+ if (!GENERAL_NAME_cmp(gena, genb))
1465
+ return 1;
1466
+ }
1467
+ }
1468
+
1469
+ return 0;
1470
+
1471
+ }
1472
+
1473
+ static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1474
+ {
1475
+ size_t i;
1476
+ X509_NAME *nm = X509_CRL_get_issuer(crl);
1477
+ /* If no CRLissuer return is successful iff don't need a match */
1478
+ if (!dp->CRLissuer)
1479
+ return ! !(crl_score & CRL_SCORE_ISSUER_NAME);
1480
+ for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
1481
+ GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1482
+ if (gen->type != GEN_DIRNAME)
1483
+ continue;
1484
+ if (!X509_NAME_cmp(gen->d.directoryName, nm))
1485
+ return 1;
1486
+ }
1487
+ return 0;
1488
+ }
1489
+
1490
+ /* Check CRLDP and IDP */
1491
+
1492
+ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1493
+ unsigned int *preasons)
1494
+ {
1495
+ size_t i;
1496
+ if (crl->idp_flags & IDP_ONLYATTR)
1497
+ return 0;
1498
+ if (x->ex_flags & EXFLAG_CA) {
1499
+ if (crl->idp_flags & IDP_ONLYUSER)
1500
+ return 0;
1501
+ } else {
1502
+ if (crl->idp_flags & IDP_ONLYCA)
1503
+ return 0;
1504
+ }
1505
+ *preasons = crl->idp_reasons;
1506
+ for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
1507
+ DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1508
+ if (crldp_check_crlissuer(dp, crl, crl_score)) {
1509
+ if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
1510
+ *preasons &= dp->dp_reasons;
1511
+ return 1;
1512
+ }
1513
+ }
1514
+ }
1515
+ if ((!crl->idp || !crl->idp->distpoint)
1516
+ && (crl_score & CRL_SCORE_ISSUER_NAME))
1517
+ return 1;
1518
+ return 0;
1519
+ }
1520
+
1521
+ /*
1522
+ * Retrieve CRL corresponding to current certificate. If deltas enabled try
1523
+ * to find a delta CRL too
1524
+ */
1525
+
1526
+ static int get_crl_delta(X509_STORE_CTX *ctx,
1527
+ X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1528
+ {
1529
+ int ok;
1530
+ X509 *issuer = NULL;
1531
+ int crl_score = 0;
1532
+ unsigned int reasons;
1533
+ X509_CRL *crl = NULL, *dcrl = NULL;
1534
+ STACK_OF(X509_CRL) *skcrl;
1535
+ X509_NAME *nm = X509_get_issuer_name(x);
1536
+ reasons = ctx->current_reasons;
1537
+ ok = get_crl_sk(ctx, &crl, &dcrl,
1538
+ &issuer, &crl_score, &reasons, ctx->crls);
1539
+
1540
+ if (ok)
1541
+ goto done;
1542
+
1543
+ /* Lookup CRLs from store */
1544
+
1545
+ skcrl = ctx->lookup_crls(ctx, nm);
1546
+
1547
+ /* If no CRLs found and a near match from get_crl_sk use that */
1548
+ if (!skcrl && crl)
1549
+ goto done;
1550
+
1551
+ get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1552
+
1553
+ sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1554
+
1555
+ done:
1556
+
1557
+ /* If we got any kind of CRL use it and return success */
1558
+ if (crl) {
1559
+ ctx->current_issuer = issuer;
1560
+ ctx->current_crl_score = crl_score;
1561
+ ctx->current_reasons = reasons;
1562
+ *pcrl = crl;
1563
+ *pdcrl = dcrl;
1564
+ return 1;
1565
+ }
1566
+
1567
+ return 0;
1568
+ }
1569
+
1570
+ /* Check CRL validity */
1571
+ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1572
+ {
1573
+ X509 *issuer = NULL;
1574
+ EVP_PKEY *ikey = NULL;
1575
+ int ok = 0, chnum, cnum;
1576
+ cnum = ctx->error_depth;
1577
+ chnum = sk_X509_num(ctx->chain) - 1;
1578
+ /* if we have an alternative CRL issuer cert use that */
1579
+ if (ctx->current_issuer)
1580
+ issuer = ctx->current_issuer;
1581
+
1582
+ /*
1583
+ * Else find CRL issuer: if not last certificate then issuer is next
1584
+ * certificate in chain.
1585
+ */
1586
+ else if (cnum < chnum)
1587
+ issuer = sk_X509_value(ctx->chain, cnum + 1);
1588
+ else {
1589
+ issuer = sk_X509_value(ctx->chain, chnum);
1590
+ /* If not self signed, can't check signature */
1591
+ if (!ctx->check_issued(ctx, issuer, issuer)) {
1592
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1593
+ ok = ctx->verify_cb(0, ctx);
1594
+ if (!ok)
1595
+ goto err;
1596
+ }
1597
+ }
1598
+
1599
+ if (issuer) {
1600
+ /*
1601
+ * Skip most tests for deltas because they have already been done
1602
+ */
1603
+ if (!crl->base_crl_number) {
1604
+ /* Check for cRLSign bit if keyUsage present */
1605
+ if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1606
+ !(issuer->ex_kusage & KU_CRL_SIGN)) {
1607
+ ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1608
+ ok = ctx->verify_cb(0, ctx);
1609
+ if (!ok)
1610
+ goto err;
1611
+ }
1612
+
1613
+ if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1614
+ ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1615
+ ok = ctx->verify_cb(0, ctx);
1616
+ if (!ok)
1617
+ goto err;
1618
+ }
1619
+
1620
+ if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
1621
+ if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
1622
+ ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1623
+ ok = ctx->verify_cb(0, ctx);
1624
+ if (!ok)
1625
+ goto err;
1626
+ }
1627
+ }
1628
+
1629
+ if (crl->idp_flags & IDP_INVALID) {
1630
+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
1631
+ ok = ctx->verify_cb(0, ctx);
1632
+ if (!ok)
1633
+ goto err;
1634
+ }
1635
+
1636
+ }
1637
+
1638
+ if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
1639
+ ok = check_crl_time(ctx, crl, 1);
1640
+ if (!ok)
1641
+ goto err;
1642
+ }
1643
+
1644
+ /* Attempt to get issuer certificate public key */
1645
+ ikey = X509_get_pubkey(issuer);
1646
+
1647
+ if (!ikey) {
1648
+ ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1649
+ ok = ctx->verify_cb(0, ctx);
1650
+ if (!ok)
1651
+ goto err;
1652
+ } else {
1653
+ int rv;
1654
+ rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
1655
+ if (rv != X509_V_OK) {
1656
+ ctx->error = rv;
1657
+ ok = ctx->verify_cb(0, ctx);
1658
+ if (!ok)
1659
+ goto err;
1660
+ }
1661
+ /* Verify CRL signature */
1662
+ if (X509_CRL_verify(crl, ikey) <= 0) {
1663
+ ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
1664
+ ok = ctx->verify_cb(0, ctx);
1665
+ if (!ok)
1666
+ goto err;
1667
+ }
1668
+ }
1669
+ }
1670
+
1671
+ ok = 1;
1672
+
1673
+ err:
1674
+ EVP_PKEY_free(ikey);
1675
+ return ok;
1676
+ }
1677
+
1678
+ /* Check certificate against CRL */
1679
+ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1680
+ {
1681
+ int ok;
1682
+ X509_REVOKED *rev;
1683
+ /*
1684
+ * The rules changed for this... previously if a CRL contained unhandled
1685
+ * critical extensions it could still be used to indicate a certificate
1686
+ * was revoked. This has since been changed since critical extension can
1687
+ * change the meaning of CRL entries.
1688
+ */
1689
+ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1690
+ && (crl->flags & EXFLAG_CRITICAL)) {
1691
+ ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1692
+ ok = ctx->verify_cb(0, ctx);
1693
+ if (!ok)
1694
+ return 0;
1695
+ }
1696
+ /*
1697
+ * Look for serial number of certificate in CRL If found make sure reason
1698
+ * is not removeFromCRL.
1699
+ */
1700
+ if (X509_CRL_get0_by_cert(crl, &rev, x)) {
1701
+ if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1702
+ return 2;
1703
+ ctx->error = X509_V_ERR_CERT_REVOKED;
1704
+ ok = ctx->verify_cb(0, ctx);
1705
+ if (!ok)
1706
+ return 0;
1707
+ }
1708
+
1709
+ return 1;
1710
+ }
1711
+
1712
+ static int check_policy(X509_STORE_CTX *ctx)
1713
+ {
1714
+ int ret;
1715
+ if (ctx->parent)
1716
+ return 1;
1717
+ ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1718
+ ctx->param->policies, ctx->param->flags);
1719
+ if (ret == 0) {
1720
+ OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
1721
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
1722
+ return 0;
1723
+ }
1724
+ /* Invalid or inconsistent extensions */
1725
+ if (ret == -1) {
1726
+ /*
1727
+ * Locate certificates with bad extensions and notify callback.
1728
+ */
1729
+ X509 *x;
1730
+ size_t i;
1731
+ for (i = 1; i < sk_X509_num(ctx->chain); i++) {
1732
+ x = sk_X509_value(ctx->chain, i);
1733
+ if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1734
+ continue;
1735
+ ctx->current_cert = x;
1736
+ ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1737
+ if (!ctx->verify_cb(0, ctx))
1738
+ return 0;
1739
+ }
1740
+ return 1;
1741
+ }
1742
+ if (ret == -2) {
1743
+ ctx->current_cert = NULL;
1744
+ ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1745
+ return ctx->verify_cb(0, ctx);
1746
+ }
1747
+
1748
+ if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
1749
+ ctx->current_cert = NULL;
1750
+ /*
1751
+ * Verification errors need to be "sticky", a callback may have allowed
1752
+ * an SSL handshake to continue despite an error, and we must then
1753
+ * remain in an error state. Therefore, we MUST NOT clear earlier
1754
+ * verification errors by setting the error to X509_V_OK.
1755
+ */
1756
+ if (!ctx->verify_cb(2, ctx))
1757
+ return 0;
1758
+ }
1759
+
1760
+ return 1;
1761
+ }
1762
+
1763
+ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1764
+ {
1765
+ time_t *ptime;
1766
+ int i;
1767
+
1768
+ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1769
+ ptime = &ctx->param->check_time;
1770
+ else
1771
+ ptime = NULL;
1772
+
1773
+ i = X509_cmp_time(X509_get_notBefore(x), ptime);
1774
+ if (i == 0) {
1775
+ ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1776
+ ctx->current_cert = x;
1777
+ if (!ctx->verify_cb(0, ctx))
1778
+ return 0;
1779
+ }
1780
+
1781
+ if (i > 0) {
1782
+ ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
1783
+ ctx->current_cert = x;
1784
+ if (!ctx->verify_cb(0, ctx))
1785
+ return 0;
1786
+ }
1787
+
1788
+ i = X509_cmp_time(X509_get_notAfter(x), ptime);
1789
+ if (i == 0) {
1790
+ ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1791
+ ctx->current_cert = x;
1792
+ if (!ctx->verify_cb(0, ctx))
1793
+ return 0;
1794
+ }
1795
+
1796
+ if (i < 0) {
1797
+ ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
1798
+ ctx->current_cert = x;
1799
+ if (!ctx->verify_cb(0, ctx))
1800
+ return 0;
1801
+ }
1802
+
1803
+ return 1;
1804
+ }
1805
+
1806
+ static int internal_verify(X509_STORE_CTX *ctx)
1807
+ {
1808
+ int ok = 0, n;
1809
+ X509 *xs, *xi;
1810
+ EVP_PKEY *pkey = NULL;
1811
+ int (*cb) (int xok, X509_STORE_CTX *xctx);
1812
+
1813
+ cb = ctx->verify_cb;
1814
+
1815
+ n = sk_X509_num(ctx->chain);
1816
+ ctx->error_depth = n - 1;
1817
+ n--;
1818
+ xi = sk_X509_value(ctx->chain, n);
1819
+
1820
+ if (ctx->check_issued(ctx, xi, xi))
1821
+ xs = xi;
1822
+ else {
1823
+ if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
1824
+ xs = xi;
1825
+ goto check_cert;
1826
+ }
1827
+ if (n <= 0) {
1828
+ ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1829
+ ctx->current_cert = xi;
1830
+ ok = cb(0, ctx);
1831
+ goto end;
1832
+ } else {
1833
+ n--;
1834
+ ctx->error_depth = n;
1835
+ xs = sk_X509_value(ctx->chain, n);
1836
+ }
1837
+ }
1838
+
1839
+ /* ctx->error=0; not needed */
1840
+ while (n >= 0) {
1841
+ ctx->error_depth = n;
1842
+
1843
+ /*
1844
+ * Skip signature check for self signed certificates unless
1845
+ * explicitly asked for. It doesn't add any security and just wastes
1846
+ * time.
1847
+ */
1848
+ if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
1849
+ if ((pkey = X509_get_pubkey(xi)) == NULL) {
1850
+ ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1851
+ ctx->current_cert = xi;
1852
+ ok = (*cb) (0, ctx);
1853
+ if (!ok)
1854
+ goto end;
1855
+ } else if (X509_verify(xs, pkey) <= 0) {
1856
+ ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
1857
+ ctx->current_cert = xs;
1858
+ ok = (*cb) (0, ctx);
1859
+ if (!ok) {
1860
+ EVP_PKEY_free(pkey);
1861
+ goto end;
1862
+ }
1863
+ }
1864
+ EVP_PKEY_free(pkey);
1865
+ pkey = NULL;
1866
+ }
1867
+
1868
+ check_cert:
1869
+ ok = check_cert_time(ctx, xs);
1870
+ if (!ok)
1871
+ goto end;
1872
+
1873
+ /* The last error (if any) is still in the error value */
1874
+ ctx->current_issuer = xi;
1875
+ ctx->current_cert = xs;
1876
+ ok = (*cb) (1, ctx);
1877
+ if (!ok)
1878
+ goto end;
1879
+
1880
+ n--;
1881
+ if (n >= 0) {
1882
+ xi = xs;
1883
+ xs = sk_X509_value(ctx->chain, n);
1884
+ }
1885
+ }
1886
+ ok = 1;
1887
+ end:
1888
+ return ok;
1889
+ }
1890
+
1891
+ int X509_cmp_current_time(const ASN1_TIME *ctm)
1892
+ {
1893
+ return X509_cmp_time(ctm, NULL);
1894
+ }
1895
+
1896
+ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1897
+ {
1898
+ static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1;
1899
+ static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1;
1900
+ ASN1_TIME *asn1_cmp_time = NULL;
1901
+ int i, day, sec, ret = 0;
1902
+
1903
+ /*
1904
+ * Note that ASN.1 allows much more slack in the time format than RFC5280.
1905
+ * In RFC5280, the representation is fixed:
1906
+ * UTCTime: YYMMDDHHMMSSZ
1907
+ * GeneralizedTime: YYYYMMDDHHMMSSZ
1908
+ *
1909
+ * We do NOT currently enforce the following RFC 5280 requirement:
1910
+ * "CAs conforming to this profile MUST always encode certificate
1911
+ * validity dates through the year 2049 as UTCTime; certificate validity
1912
+ * dates in 2050 or later MUST be encoded as GeneralizedTime."
1913
+ */
1914
+ switch (ctm->type) {
1915
+ case V_ASN1_UTCTIME:
1916
+ if (ctm->length != (int)(utctime_length))
1917
+ return 0;
1918
+ break;
1919
+ case V_ASN1_GENERALIZEDTIME:
1920
+ if (ctm->length != (int)(generalizedtime_length))
1921
+ return 0;
1922
+ break;
1923
+ default:
1924
+ return 0;
1925
+ }
1926
+
1927
+ /**
1928
+ * Verify the format: the ASN.1 functions we use below allow a more
1929
+ * flexible format than what's mandated by RFC 5280.
1930
+ * Digit and date ranges will be verified in the conversion methods.
1931
+ */
1932
+ for (i = 0; i < ctm->length - 1; i++) {
1933
+ if (!isdigit(ctm->data[i]))
1934
+ return 0;
1935
+ }
1936
+ if (ctm->data[ctm->length - 1] != 'Z')
1937
+ return 0;
1938
+
1939
+ /*
1940
+ * There is ASN1_UTCTIME_cmp_time_t but no
1941
+ * ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t,
1942
+ * so we go through ASN.1
1943
+ */
1944
+ asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time);
1945
+ if (asn1_cmp_time == NULL)
1946
+ goto err;
1947
+ if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time))
1948
+ goto err;
1949
+
1950
+ /*
1951
+ * X509_cmp_time comparison is <=.
1952
+ * The return value 0 is reserved for errors.
1953
+ */
1954
+ ret = (day >= 0 && sec >= 0) ? -1 : 1;
1955
+
1956
+ err:
1957
+ ASN1_TIME_free(asn1_cmp_time);
1958
+ return ret;
1959
+ }
1960
+
1961
+ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
1962
+ {
1963
+ return X509_time_adj(s, adj, NULL);
1964
+ }
1965
+
1966
+ ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1967
+ {
1968
+ return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1969
+ }
1970
+
1971
+ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
1972
+ int offset_day, long offset_sec, time_t *in_tm)
1973
+ {
1974
+ time_t t = 0;
1975
+
1976
+ if (in_tm)
1977
+ t = *in_tm;
1978
+ else
1979
+ time(&t);
1980
+
1981
+ if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
1982
+ if (s->type == V_ASN1_UTCTIME)
1983
+ return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec);
1984
+ if (s->type == V_ASN1_GENERALIZEDTIME)
1985
+ return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec);
1986
+ }
1987
+ return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1988
+ }
1989
+
1990
+ /* Make a delta CRL as the diff between two full CRLs */
1991
+
1992
+ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
1993
+ EVP_PKEY *skey, const EVP_MD *md, unsigned int flags)
1994
+ {
1995
+ X509_CRL *crl = NULL;
1996
+ int i;
1997
+ size_t j;
1998
+ STACK_OF(X509_REVOKED) *revs = NULL;
1999
+ /* CRLs can't be delta already */
2000
+ if (base->base_crl_number || newer->base_crl_number) {
2001
+ OPENSSL_PUT_ERROR(X509, X509_R_CRL_ALREADY_DELTA);
2002
+ return NULL;
2003
+ }
2004
+ /* Base and new CRL must have a CRL number */
2005
+ if (!base->crl_number || !newer->crl_number) {
2006
+ OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_NUMBER);
2007
+ return NULL;
2008
+ }
2009
+ /* Issuer names must match */
2010
+ if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {
2011
+ OPENSSL_PUT_ERROR(X509, X509_R_ISSUER_MISMATCH);
2012
+ return NULL;
2013
+ }
2014
+ /* AKID and IDP must match */
2015
+ if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {
2016
+ OPENSSL_PUT_ERROR(X509, X509_R_AKID_MISMATCH);
2017
+ return NULL;
2018
+ }
2019
+ if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) {
2020
+ OPENSSL_PUT_ERROR(X509, X509_R_IDP_MISMATCH);
2021
+ return NULL;
2022
+ }
2023
+ /* Newer CRL number must exceed full CRL number */
2024
+ if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {
2025
+ OPENSSL_PUT_ERROR(X509, X509_R_NEWER_CRL_NOT_NEWER);
2026
+ return NULL;
2027
+ }
2028
+ /* CRLs must verify */
2029
+ if (skey && (X509_CRL_verify(base, skey) <= 0 ||
2030
+ X509_CRL_verify(newer, skey) <= 0)) {
2031
+ OPENSSL_PUT_ERROR(X509, X509_R_CRL_VERIFY_FAILURE);
2032
+ return NULL;
2033
+ }
2034
+ /* Create new CRL */
2035
+ crl = X509_CRL_new();
2036
+ if (!crl || !X509_CRL_set_version(crl, 1))
2037
+ goto memerr;
2038
+ /* Set issuer name */
2039
+ if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
2040
+ goto memerr;
2041
+
2042
+ if (!X509_CRL_set_lastUpdate(crl, X509_CRL_get_lastUpdate(newer)))
2043
+ goto memerr;
2044
+ if (!X509_CRL_set_nextUpdate(crl, X509_CRL_get_nextUpdate(newer)))
2045
+ goto memerr;
2046
+
2047
+ /* Set base CRL number: must be critical */
2048
+
2049
+ if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0))
2050
+ goto memerr;
2051
+
2052
+ /*
2053
+ * Copy extensions across from newest CRL to delta: this will set CRL
2054
+ * number to correct value too.
2055
+ */
2056
+
2057
+ for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
2058
+ X509_EXTENSION *ext;
2059
+ ext = X509_CRL_get_ext(newer, i);
2060
+ if (!X509_CRL_add_ext(crl, ext, -1))
2061
+ goto memerr;
2062
+ }
2063
+
2064
+ /* Go through revoked entries, copying as needed */
2065
+
2066
+ revs = X509_CRL_get_REVOKED(newer);
2067
+
2068
+ for (j = 0; j < sk_X509_REVOKED_num(revs); j++) {
2069
+ X509_REVOKED *rvn, *rvtmp;
2070
+ rvn = sk_X509_REVOKED_value(revs, j);
2071
+ /*
2072
+ * Add only if not also in base. TODO: need something cleverer here
2073
+ * for some more complex CRLs covering multiple CAs.
2074
+ */
2075
+ if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
2076
+ rvtmp = X509_REVOKED_dup(rvn);
2077
+ if (!rvtmp)
2078
+ goto memerr;
2079
+ if (!X509_CRL_add0_revoked(crl, rvtmp)) {
2080
+ X509_REVOKED_free(rvtmp);
2081
+ goto memerr;
2082
+ }
2083
+ }
2084
+ }
2085
+ /* TODO: optionally prune deleted entries */
2086
+
2087
+ if (skey && md && !X509_CRL_sign(crl, skey, md))
2088
+ goto memerr;
2089
+
2090
+ return crl;
2091
+
2092
+ memerr:
2093
+ OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
2094
+ if (crl)
2095
+ X509_CRL_free(crl);
2096
+ return NULL;
2097
+ }
2098
+
2099
+ int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
2100
+ CRYPTO_EX_unused * unused,
2101
+ CRYPTO_EX_dup *dup_unused,
2102
+ CRYPTO_EX_free *free_func)
2103
+ {
2104
+ /*
2105
+ * This function is (usually) called only once, by
2106
+ * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c).
2107
+ */
2108
+ int index;
2109
+ if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
2110
+ free_func)) {
2111
+ return -1;
2112
+ }
2113
+ return index;
2114
+ }
2115
+
2116
+ int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
2117
+ {
2118
+ return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
2119
+ }
2120
+
2121
+ void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
2122
+ {
2123
+ return CRYPTO_get_ex_data(&ctx->ex_data, idx);
2124
+ }
2125
+
2126
+ int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
2127
+ {
2128
+ return ctx->error;
2129
+ }
2130
+
2131
+ void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
2132
+ {
2133
+ ctx->error = err;
2134
+ }
2135
+
2136
+ int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
2137
+ {
2138
+ return ctx->error_depth;
2139
+ }
2140
+
2141
+ X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
2142
+ {
2143
+ return ctx->current_cert;
2144
+ }
2145
+
2146
+ STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
2147
+ {
2148
+ return ctx->chain;
2149
+ }
2150
+
2151
+ STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
2152
+ {
2153
+ return ctx->chain;
2154
+ }
2155
+
2156
+ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
2157
+ {
2158
+ if (!ctx->chain)
2159
+ return NULL;
2160
+ return X509_chain_up_ref(ctx->chain);
2161
+ }
2162
+
2163
+ X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
2164
+ {
2165
+ return ctx->current_issuer;
2166
+ }
2167
+
2168
+ X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
2169
+ {
2170
+ return ctx->current_crl;
2171
+ }
2172
+
2173
+ X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
2174
+ {
2175
+ return ctx->parent;
2176
+ }
2177
+
2178
+ void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
2179
+ {
2180
+ ctx->cert = x;
2181
+ }
2182
+
2183
+ void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2184
+ {
2185
+ ctx->untrusted = sk;
2186
+ }
2187
+
2188
+ STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
2189
+ {
2190
+ return ctx->untrusted;
2191
+ }
2192
+
2193
+ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
2194
+ {
2195
+ ctx->crls = sk;
2196
+ }
2197
+
2198
+ int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
2199
+ {
2200
+ return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
2201
+ }
2202
+
2203
+ int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
2204
+ {
2205
+ return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
2206
+ }
2207
+
2208
+ /*
2209
+ * This function is used to set the X509_STORE_CTX purpose and trust values.
2210
+ * This is intended to be used when another structure has its own trust and
2211
+ * purpose values which (if set) will be inherited by the ctx. If they aren't
2212
+ * set then we will usually have a default purpose in mind which should then
2213
+ * be used to set the trust value. An example of this is SSL use: an SSL
2214
+ * structure will have its own purpose and trust settings which the
2215
+ * application can set: if they aren't set then we use the default of SSL
2216
+ * client/server.
2217
+ */
2218
+
2219
+ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
2220
+ int purpose, int trust)
2221
+ {
2222
+ int idx;
2223
+ /* If purpose not set use default */
2224
+ if (!purpose)
2225
+ purpose = def_purpose;
2226
+ /* If we have a purpose then check it is valid */
2227
+ if (purpose) {
2228
+ X509_PURPOSE *ptmp;
2229
+ idx = X509_PURPOSE_get_by_id(purpose);
2230
+ if (idx == -1) {
2231
+ OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
2232
+ return 0;
2233
+ }
2234
+ ptmp = X509_PURPOSE_get0(idx);
2235
+ if (ptmp->trust == X509_TRUST_DEFAULT) {
2236
+ idx = X509_PURPOSE_get_by_id(def_purpose);
2237
+ if (idx == -1) {
2238
+ OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
2239
+ return 0;
2240
+ }
2241
+ ptmp = X509_PURPOSE_get0(idx);
2242
+ }
2243
+ /* If trust not set then get from purpose default */
2244
+ if (!trust)
2245
+ trust = ptmp->trust;
2246
+ }
2247
+ if (trust) {
2248
+ idx = X509_TRUST_get_by_id(trust);
2249
+ if (idx == -1) {
2250
+ OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID);
2251
+ return 0;
2252
+ }
2253
+ }
2254
+
2255
+ if (purpose && !ctx->param->purpose)
2256
+ ctx->param->purpose = purpose;
2257
+ if (trust && !ctx->param->trust)
2258
+ ctx->param->trust = trust;
2259
+ return 1;
2260
+ }
2261
+
2262
+ X509_STORE_CTX *X509_STORE_CTX_new(void)
2263
+ {
2264
+ X509_STORE_CTX *ctx;
2265
+ ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
2266
+ if (!ctx) {
2267
+ OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
2268
+ return NULL;
2269
+ }
2270
+ X509_STORE_CTX_zero(ctx);
2271
+ return ctx;
2272
+ }
2273
+
2274
+ void X509_STORE_CTX_zero(X509_STORE_CTX *ctx)
2275
+ {
2276
+ OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
2277
+ }
2278
+
2279
+ void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
2280
+ {
2281
+ if (ctx == NULL) {
2282
+ return;
2283
+ }
2284
+ X509_STORE_CTX_cleanup(ctx);
2285
+ OPENSSL_free(ctx);
2286
+ }
2287
+
2288
+ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2289
+ STACK_OF(X509) *chain)
2290
+ {
2291
+ int ret = 1;
2292
+
2293
+ X509_STORE_CTX_zero(ctx);
2294
+ ctx->ctx = store;
2295
+ ctx->cert = x509;
2296
+ ctx->untrusted = chain;
2297
+
2298
+ CRYPTO_new_ex_data(&ctx->ex_data);
2299
+
2300
+ ctx->param = X509_VERIFY_PARAM_new();
2301
+ if (!ctx->param)
2302
+ goto err;
2303
+
2304
+ /*
2305
+ * Inherit callbacks and flags from X509_STORE if not set use defaults.
2306
+ */
2307
+
2308
+ if (store)
2309
+ ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
2310
+ else
2311
+ ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE;
2312
+
2313
+ if (store) {
2314
+ ctx->verify_cb = store->verify_cb;
2315
+ ctx->cleanup = store->cleanup;
2316
+ } else
2317
+ ctx->cleanup = 0;
2318
+
2319
+ if (ret)
2320
+ ret = X509_VERIFY_PARAM_inherit(ctx->param,
2321
+ X509_VERIFY_PARAM_lookup("default"));
2322
+
2323
+ if (ret == 0)
2324
+ goto err;
2325
+
2326
+ if (store && store->check_issued)
2327
+ ctx->check_issued = store->check_issued;
2328
+ else
2329
+ ctx->check_issued = check_issued;
2330
+
2331
+ if (store && store->get_issuer)
2332
+ ctx->get_issuer = store->get_issuer;
2333
+ else
2334
+ ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2335
+
2336
+ if (store && store->verify_cb)
2337
+ ctx->verify_cb = store->verify_cb;
2338
+ else
2339
+ ctx->verify_cb = null_callback;
2340
+
2341
+ if (store && store->verify)
2342
+ ctx->verify = store->verify;
2343
+ else
2344
+ ctx->verify = internal_verify;
2345
+
2346
+ if (store && store->check_revocation)
2347
+ ctx->check_revocation = store->check_revocation;
2348
+ else
2349
+ ctx->check_revocation = check_revocation;
2350
+
2351
+ if (store && store->get_crl)
2352
+ ctx->get_crl = store->get_crl;
2353
+ else
2354
+ ctx->get_crl = NULL;
2355
+
2356
+ if (store && store->check_crl)
2357
+ ctx->check_crl = store->check_crl;
2358
+ else
2359
+ ctx->check_crl = check_crl;
2360
+
2361
+ if (store && store->cert_crl)
2362
+ ctx->cert_crl = store->cert_crl;
2363
+ else
2364
+ ctx->cert_crl = cert_crl;
2365
+
2366
+ if (store && store->lookup_certs)
2367
+ ctx->lookup_certs = store->lookup_certs;
2368
+ else
2369
+ ctx->lookup_certs = X509_STORE_get1_certs;
2370
+
2371
+ if (store && store->lookup_crls)
2372
+ ctx->lookup_crls = store->lookup_crls;
2373
+ else
2374
+ ctx->lookup_crls = X509_STORE_get1_crls;
2375
+
2376
+ ctx->check_policy = check_policy;
2377
+
2378
+ return 1;
2379
+
2380
+ err:
2381
+ CRYPTO_free_ex_data(&g_ex_data_class, ctx, &ctx->ex_data);
2382
+ if (ctx->param != NULL) {
2383
+ X509_VERIFY_PARAM_free(ctx->param);
2384
+ }
2385
+
2386
+ OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
2387
+ OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
2388
+ return 0;
2389
+ }
2390
+
2391
+ /*
2392
+ * Set alternative lookup method: just a STACK of trusted certificates. This
2393
+ * avoids X509_STORE nastiness where it isn't needed.
2394
+ */
2395
+
2396
+ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2397
+ {
2398
+ ctx->other_ctx = sk;
2399
+ ctx->get_issuer = get_issuer_sk;
2400
+ }
2401
+
2402
+ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2403
+ {
2404
+ /* We need to be idempotent because, unfortunately, |X509_STORE_CTX_free|
2405
+ * also calls this function. */
2406
+ if (ctx->cleanup != NULL) {
2407
+ ctx->cleanup(ctx);
2408
+ ctx->cleanup = NULL;
2409
+ }
2410
+ if (ctx->param != NULL) {
2411
+ if (ctx->parent == NULL)
2412
+ X509_VERIFY_PARAM_free(ctx->param);
2413
+ ctx->param = NULL;
2414
+ }
2415
+ if (ctx->tree != NULL) {
2416
+ X509_policy_tree_free(ctx->tree);
2417
+ ctx->tree = NULL;
2418
+ }
2419
+ if (ctx->chain != NULL) {
2420
+ sk_X509_pop_free(ctx->chain, X509_free);
2421
+ ctx->chain = NULL;
2422
+ }
2423
+ CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data));
2424
+ OPENSSL_memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
2425
+ }
2426
+
2427
+ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2428
+ {
2429
+ X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2430
+ }
2431
+
2432
+ void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2433
+ {
2434
+ X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2435
+ }
2436
+
2437
+ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
2438
+ time_t t)
2439
+ {
2440
+ X509_VERIFY_PARAM_set_time(ctx->param, t);
2441
+ }
2442
+
2443
+ X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
2444
+ {
2445
+ return ctx->cert;
2446
+ }
2447
+
2448
+ void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2449
+ int (*verify_cb) (int, X509_STORE_CTX *))
2450
+ {
2451
+ ctx->verify_cb = verify_cb;
2452
+ }
2453
+
2454
+ X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2455
+ {
2456
+ return ctx->tree;
2457
+ }
2458
+
2459
+ int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2460
+ {
2461
+ return ctx->explicit_policy;
2462
+ }
2463
+
2464
+ int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2465
+ {
2466
+ const X509_VERIFY_PARAM *param;
2467
+ param = X509_VERIFY_PARAM_lookup(name);
2468
+ if (!param)
2469
+ return 0;
2470
+ return X509_VERIFY_PARAM_inherit(ctx->param, param);
2471
+ }
2472
+
2473
+ X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2474
+ {
2475
+ return ctx->param;
2476
+ }
2477
+
2478
+ void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2479
+ {
2480
+ if (ctx->param)
2481
+ X509_VERIFY_PARAM_free(ctx->param);
2482
+ ctx->param = param;
2483
+ }
2484
+
2485
+ IMPLEMENT_ASN1_SET_OF(X509)
2486
+
2487
+ IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)