grpc 1.28.0 → 1.31.0.pre2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +8314 -11869
- data/include/grpc/grpc.h +2 -2
- data/include/grpc/grpc_security.h +30 -9
- data/include/grpc/grpc_security_constants.h +4 -0
- data/include/grpc/impl/codegen/grpc_types.h +23 -23
- data/include/grpc/impl/codegen/port_platform.h +6 -34
- data/include/grpc/module.modulemap +24 -39
- data/src/core/ext/filters/client_channel/backend_metric.cc +18 -12
- data/src/core/ext/filters/client_channel/client_channel.cc +591 -479
- data/src/core/ext/filters/client_channel/client_channel_plugin.cc +3 -2
- data/src/core/ext/filters/client_channel/config_selector.cc +62 -0
- data/src/core/ext/filters/client_channel/config_selector.h +93 -0
- data/src/core/ext/filters/client_channel/global_subchannel_pool.cc +24 -2
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +9 -22
- data/src/core/ext/filters/client_channel/health/health_check_client.h +3 -3
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +6 -5
- data/src/core/ext/filters/client_channel/http_proxy.cc +23 -14
- data/src/core/ext/filters/client_channel/lb_policy.cc +19 -18
- data/src/core/ext/filters/client_channel/lb_policy.h +44 -33
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.cc +83 -0
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.h +99 -0
- data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.cc +10 -4
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +279 -324
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.cc +89 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.h +40 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +11 -9
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.h +3 -2
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +871 -0
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +9 -17
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +733 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +84 -37
- data/src/core/ext/filters/client_channel/lb_policy/xds/eds.cc +938 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/lrs.cc +528 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.h +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_routing.cc +1143 -0
- data/src/core/ext/filters/client_channel/lb_policy_registry.cc +10 -7
- data/src/core/ext/filters/client_channel/local_subchannel_pool.h +2 -1
- data/src/core/ext/filters/client_channel/parse_address.cc +22 -21
- data/src/core/ext/filters/client_channel/resolver.cc +5 -8
- data/src/core/ext/filters/client_channel/resolver.h +12 -14
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +78 -61
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +41 -40
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +8 -7
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +22 -24
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +12 -10
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +79 -122
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +199 -163
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +5 -3
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +7 -4
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +46 -45
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +93 -102
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +0 -4
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +38 -8
- data/src/core/ext/filters/client_channel/resolver_factory.h +2 -2
- data/src/core/ext/filters/client_channel/resolver_registry.cc +19 -17
- data/src/core/ext/filters/client_channel/resolver_registry.h +8 -8
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +21 -22
- data/src/core/ext/filters/client_channel/resolver_result_parsing.h +19 -16
- data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +49 -55
- data/src/core/ext/filters/client_channel/resolving_lb_policy.h +43 -23
- data/src/core/ext/filters/client_channel/server_address.cc +6 -9
- data/src/core/ext/filters/client_channel/server_address.h +6 -12
- data/src/core/ext/filters/client_channel/service_config.cc +104 -144
- data/src/core/ext/filters/client_channel/service_config.h +28 -98
- data/src/core/ext/filters/client_channel/service_config_call_data.h +68 -0
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +142 -0
- data/src/core/ext/filters/client_channel/service_config_parser.cc +87 -0
- data/src/core/ext/filters/client_channel/service_config_parser.h +89 -0
- data/src/core/ext/filters/client_channel/subchannel.cc +55 -25
- data/src/core/ext/filters/client_channel/subchannel.h +35 -11
- data/src/core/ext/filters/client_channel/xds/xds_api.cc +565 -234
- data/src/core/ext/filters/client_channel/xds/xds_api.h +102 -37
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.cc +55 -71
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.h +4 -3
- data/src/core/ext/filters/client_channel/xds/xds_channel_secure.cc +4 -2
- data/src/core/ext/filters/client_channel/xds/xds_client.cc +619 -347
- data/src/core/ext/filters/client_channel/xds/xds_client.h +57 -22
- data/src/core/ext/filters/client_channel/xds/xds_client_stats.cc +11 -12
- data/src/core/ext/filters/client_channel/xds/xds_client_stats.h +40 -28
- data/src/core/ext/filters/http/client/http_client_filter.cc +28 -33
- data/src/core/ext/filters/http/client_authority_filter.cc +4 -4
- data/src/core/ext/filters/http/http_filters_plugin.cc +28 -12
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +258 -221
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +399 -0
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.h +31 -0
- data/src/core/ext/filters/message_size/message_size_filter.cc +61 -88
- data/src/core/ext/filters/message_size/message_size_filter.h +10 -4
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +386 -350
- data/src/core/ext/transport/chttp2/server/chttp2_server.h +6 -2
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +1 -1
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +7 -13
- data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +7 -8
- data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +4 -6
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +42 -26
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +1 -0
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +25 -30
- data/src/core/ext/transport/chttp2/transport/flow_control.h +14 -16
- data/src/core/ext/transport/chttp2/transport/frame_data.cc +9 -12
- data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +4 -6
- data/src/core/ext/transport/chttp2/transport/frame_goaway.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_ping.cc +5 -6
- data/src/core/ext/transport/chttp2/transport/frame_ping.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +12 -13
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +6 -7
- data/src/core/ext/transport/chttp2/transport/frame_settings.h +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_window_update.cc +9 -12
- data/src/core/ext/transport/chttp2/transport/frame_window_update.h +2 -3
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +29 -16
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +2 -3
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +25 -29
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +2 -3
- data/src/core/ext/transport/chttp2/transport/hpack_table.cc +13 -17
- data/src/core/ext/transport/chttp2/transport/hpack_table.h +2 -2
- data/src/core/ext/transport/chttp2/transport/http2_settings.h +4 -5
- data/src/core/ext/transport/chttp2/transport/huffsyms.h +2 -3
- data/src/core/ext/transport/chttp2/transport/internal.h +27 -21
- data/src/core/ext/transport/chttp2/transport/parsing.cc +33 -43
- data/src/core/ext/transport/chttp2/transport/stream_map.h +2 -3
- data/src/core/ext/transport/chttp2/transport/writing.cc +24 -22
- data/src/core/ext/transport/inproc/inproc_transport.cc +54 -15
- data/src/core/ext/upb-generated/envoy/annotations/deprecation.upb.h +0 -1
- data/src/core/ext/upb-generated/envoy/annotations/resource.upb.h +3 -4
- data/src/core/ext/upb-generated/envoy/api/v2/auth/cert.upb.c +4 -229
- data/src/core/ext/upb-generated/envoy/api/v2/auth/cert.upb.h +5 -876
- data/src/core/ext/upb-generated/envoy/api/v2/auth/common.upb.c +114 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/common.upb.h +429 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/secret.upb.c +72 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/secret.upb.h +198 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/tls.upb.c +105 -0
- data/src/core/ext/upb-generated/envoy/api/v2/auth/tls.upb.h +388 -0
- data/src/core/ext/upb-generated/envoy/api/v2/cds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/cds.upb.h +1 -2
- data/src/core/ext/upb-generated/envoy/api/v2/cluster.upb.c +23 -10
- data/src/core/ext/upb-generated/envoy/api/v2/cluster.upb.h +352 -310
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/circuit_breaker.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/circuit_breaker.upb.h +42 -34
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/filter.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/filter.upb.h +7 -7
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/outlier_detection.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/outlier_detection.upb.h +79 -61
- data/src/core/ext/upb-generated/envoy/api/v2/core/address.upb.c +2 -1
- data/src/core/ext/upb-generated/envoy/api/v2/core/address.upb.h +55 -49
- data/src/core/ext/upb-generated/envoy/api/v2/core/backoff.upb.c +35 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/backoff.upb.h +79 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/base.upb.c +48 -27
- data/src/core/ext/upb-generated/envoy/api/v2/core/base.upb.h +258 -214
- data/src/core/ext/upb-generated/envoy/api/v2/core/config_source.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/config_source.upb.h +51 -45
- data/src/core/ext/upb-generated/envoy/api/v2/core/event_service_config.upb.c +34 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/event_service_config.upb.h +71 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/grpc_service.upb.c +2 -1
- data/src/core/ext/upb-generated/envoy/api/v2/core/grpc_service.upb.h +107 -100
- data/src/core/ext/upb-generated/envoy/api/v2/core/health_check.upb.c +24 -20
- data/src/core/ext/upb-generated/envoy/api/v2/core/health_check.upb.h +157 -122
- data/src/core/ext/upb-generated/envoy/api/v2/core/http_uri.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/http_uri.upb.h +9 -9
- data/src/core/ext/upb-generated/envoy/api/v2/core/protocol.upb.c +38 -18
- data/src/core/ext/upb-generated/envoy/api/v2/core/protocol.upb.h +173 -73
- data/src/core/ext/upb-generated/envoy/api/v2/core/socket_option.upb.c +34 -0
- data/src/core/ext/upb-generated/envoy/api/v2/core/socket_option.upb.h +88 -0
- data/src/core/ext/upb-generated/envoy/api/v2/discovery.upb.c +2 -1
- data/src/core/ext/upb-generated/envoy/api/v2/discovery.upb.h +95 -101
- data/src/core/ext/upb-generated/envoy/api/v2/eds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/eds.upb.h +1 -2
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint.upb.c +2 -1
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint.upb.h +49 -65
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint.upb.h +0 -1
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint_components.upb.c +9 -6
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint_components.upb.h +53 -38
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/load_report.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/load_report.upb.h +70 -62
- data/src/core/ext/upb-generated/envoy/api/v2/lds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/lds.upb.h +1 -2
- data/src/core/ext/upb-generated/envoy/api/v2/listener.upb.c +15 -10
- data/src/core/ext/upb-generated/envoy/api/v2/listener.upb.h +95 -63
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener.upb.h +0 -1
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener_components.upb.c +3 -2
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener_components.upb.h +91 -80
- data/src/core/ext/upb-generated/envoy/api/v2/listener/udp_listener_config.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/listener/udp_listener_config.upb.h +9 -10
- data/src/core/ext/upb-generated/envoy/api/v2/rds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/rds.upb.h +1 -2
- data/src/core/ext/upb-generated/envoy/api/v2/route.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/route.upb.h +36 -31
- data/src/core/ext/upb-generated/envoy/api/v2/route/route.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/route/route.upb.h +0 -1
- data/src/core/ext/upb-generated/envoy/api/v2/route/route_components.upb.c +68 -46
- data/src/core/ext/upb-generated/envoy/api/v2/route/route_components.upb.h +770 -722
- data/src/core/ext/upb-generated/envoy/api/v2/scoped_route.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/scoped_route.upb.h +16 -15
- data/src/core/ext/upb-generated/envoy/api/v2/srds.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/api/v2/srds.upb.h +1 -2
- data/src/core/ext/upb-generated/envoy/config/filter/accesslog/v2/accesslog.upb.c +2 -1
- data/src/core/ext/upb-generated/envoy/config/filter/accesslog/v2/accesslog.upb.h +95 -88
- data/src/core/ext/upb-generated/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.upb.c +48 -28
- data/src/core/ext/upb-generated/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.upb.h +305 -210
- data/src/core/ext/upb-generated/envoy/config/listener/v2/api_listener.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v2/api_listener.upb.h +5 -5
- data/src/core/ext/upb-generated/envoy/config/trace/v2/http_tracer.upb.c +51 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v2/http_tracer.upb.h +125 -0
- data/src/core/ext/upb-generated/envoy/service/discovery/v2/ads.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/service/discovery/v2/ads.upb.h +1 -2
- data/src/core/ext/upb-generated/envoy/service/load_stats/v2/lrs.upb.c +4 -2
- data/src/core/ext/upb-generated/envoy/service/load_stats/v2/lrs.upb.h +22 -16
- data/src/core/ext/upb-generated/envoy/type/http.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/http.upb.h +0 -1
- data/src/core/ext/upb-generated/envoy/type/matcher/regex.upb.c +16 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/regex.upb.h +48 -11
- data/src/core/ext/upb-generated/envoy/type/matcher/string.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/string.upb.h +14 -14
- data/src/core/ext/upb-generated/envoy/type/metadata/v2/metadata.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/metadata/v2/metadata.upb.h +23 -23
- data/src/core/ext/upb-generated/envoy/type/percent.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/percent.upb.h +8 -9
- data/src/core/ext/upb-generated/envoy/type/range.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/range.upb.h +15 -16
- data/src/core/ext/upb-generated/envoy/type/semantic_version.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/semantic_version.upb.h +7 -8
- data/src/core/ext/upb-generated/envoy/type/tracing/v2/custom_tag.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/type/tracing/v2/custom_tag.upb.h +36 -35
- data/src/core/ext/upb-generated/gogoproto/gogo.upb.h +0 -1
- data/src/core/ext/upb-generated/google/api/annotations.upb.h +0 -1
- data/src/core/ext/upb-generated/google/api/http.upb.h +29 -28
- data/src/core/ext/upb-generated/google/protobuf/any.upb.h +5 -6
- data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.c +12 -11
- data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.h +421 -389
- data/src/core/ext/upb-generated/google/protobuf/duration.upb.h +5 -6
- data/src/core/ext/upb-generated/google/protobuf/empty.upb.h +1 -2
- data/src/core/ext/upb-generated/google/protobuf/struct.upb.c +1 -1
- data/src/core/ext/upb-generated/google/protobuf/struct.upb.h +33 -54
- data/src/core/ext/upb-generated/google/protobuf/timestamp.upb.h +5 -6
- data/src/core/ext/upb-generated/google/protobuf/wrappers.upb.h +27 -28
- data/src/core/ext/upb-generated/google/rpc/status.upb.h +8 -8
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/altscontext.upb.c +1 -1
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/altscontext.upb.h +32 -45
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.c +4 -4
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.h +157 -178
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/transport_security_common.upb.h +14 -13
- data/src/core/ext/upb-generated/src/proto/grpc/health/v1/health.upb.h +6 -7
- data/src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.h +59 -56
- data/src/core/ext/upb-generated/udpa/annotations/migrate.upb.h +11 -12
- data/src/core/ext/upb-generated/udpa/annotations/sensitive.upb.h +0 -1
- data/src/core/ext/upb-generated/udpa/annotations/status.upb.c +28 -0
- data/src/core/ext/upb-generated/udpa/annotations/status.upb.h +64 -0
- data/src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.c +6 -6
- data/src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.h +41 -68
- data/src/core/ext/upb-generated/validate/validate.upb.c +21 -20
- data/src/core/ext/upb-generated/validate/validate.upb.h +569 -562
- data/src/core/lib/channel/channel_args.cc +15 -14
- data/src/core/lib/channel/channel_args.h +3 -1
- data/src/core/lib/channel/channel_stack.h +20 -13
- data/src/core/lib/channel/channel_trace.cc +2 -6
- data/src/core/lib/channel/channelz.cc +10 -21
- data/src/core/lib/channel/channelz.h +3 -2
- data/src/core/lib/channel/channelz_registry.cc +5 -3
- data/src/core/lib/channel/connected_channel.cc +7 -5
- data/src/core/lib/channel/context.h +1 -1
- data/src/core/lib/channel/handshaker.cc +11 -13
- data/src/core/lib/channel/handshaker.h +4 -2
- data/src/core/lib/channel/handshaker_registry.cc +5 -17
- data/src/core/lib/channel/status_util.cc +2 -3
- data/src/core/lib/compression/message_compress.cc +5 -1
- data/src/core/lib/debug/stats.cc +21 -27
- data/src/core/lib/debug/stats.h +3 -1
- data/src/core/lib/gpr/log_linux.cc +6 -8
- data/src/core/lib/gpr/log_posix.cc +6 -8
- data/src/core/lib/gpr/spinlock.h +2 -3
- data/src/core/lib/gpr/string.cc +10 -33
- data/src/core/lib/gpr/string.h +4 -18
- data/src/core/lib/gpr/sync_abseil.cc +2 -0
- data/src/core/lib/gpr/time.cc +4 -0
- data/src/core/lib/gpr/time_posix.cc +1 -1
- data/src/core/lib/gprpp/atomic.h +6 -6
- data/src/core/lib/gprpp/fork.cc +1 -1
- data/src/core/lib/gprpp/global_config_env.cc +8 -6
- data/src/core/lib/gprpp/host_port.cc +29 -35
- data/src/core/lib/gprpp/host_port.h +14 -17
- data/src/core/lib/gprpp/map.h +5 -11
- data/src/core/lib/gprpp/ref_counted_ptr.h +5 -0
- data/src/core/lib/http/format_request.cc +46 -65
- data/src/core/lib/http/httpcli.cc +15 -13
- data/src/core/lib/http/httpcli.h +2 -3
- data/src/core/lib/http/httpcli_security_connector.cc +10 -10
- data/src/core/lib/http/parser.h +2 -3
- data/src/core/lib/iomgr/buffer_list.h +22 -21
- data/src/core/lib/iomgr/call_combiner.h +3 -2
- data/src/core/lib/iomgr/cfstream_handle.cc +4 -2
- data/src/core/lib/iomgr/closure.h +2 -3
- data/src/core/lib/iomgr/dualstack_socket_posix.cc +47 -0
- data/src/core/lib/iomgr/endpoint_cfstream.cc +2 -3
- data/src/core/lib/iomgr/endpoint_pair.h +2 -3
- data/src/core/lib/iomgr/endpoint_pair_posix.cc +10 -10
- data/src/core/lib/iomgr/error.cc +6 -9
- data/src/core/lib/iomgr/error.h +0 -1
- data/src/core/lib/iomgr/error_cfstream.cc +9 -8
- data/src/core/lib/iomgr/ev_apple.cc +356 -0
- data/src/core/lib/iomgr/ev_apple.h +43 -0
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +25 -29
- data/src/core/lib/iomgr/ev_epollex_linux.cc +17 -24
- data/src/core/lib/iomgr/ev_poll_posix.cc +9 -8
- data/src/core/lib/iomgr/ev_posix.cc +4 -3
- data/src/core/lib/iomgr/exec_ctx.h +14 -2
- data/src/core/lib/iomgr/iomgr.cc +10 -0
- data/src/core/lib/iomgr/iomgr.h +10 -0
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +84 -20
- data/src/core/lib/iomgr/is_epollexclusive_available.cc +14 -0
- data/src/core/lib/iomgr/pollset_set_custom.cc +10 -10
- data/src/core/lib/{gprpp/optional.h → iomgr/pollset_uv.h} +11 -12
- data/src/core/lib/iomgr/port.h +2 -21
- data/src/core/lib/iomgr/python_util.h +46 -0
- data/src/core/lib/iomgr/resolve_address.h +4 -6
- data/src/core/lib/iomgr/resolve_address_custom.cc +42 -57
- data/src/core/lib/iomgr/resolve_address_custom.h +4 -2
- data/src/core/lib/iomgr/resolve_address_posix.cc +10 -11
- data/src/core/lib/iomgr/resolve_address_windows.cc +16 -25
- data/src/core/lib/iomgr/resource_quota.cc +38 -37
- data/src/core/lib/iomgr/sockaddr_utils.cc +29 -33
- data/src/core/lib/iomgr/sockaddr_utils.h +10 -15
- data/src/core/lib/iomgr/socket_factory_posix.h +2 -3
- data/src/core/lib/iomgr/socket_mutator.h +2 -3
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +102 -81
- data/src/core/lib/iomgr/socket_utils_posix.h +3 -0
- data/src/core/lib/iomgr/socket_windows.cc +4 -5
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +14 -18
- data/src/core/lib/iomgr/tcp_client_custom.cc +6 -9
- data/src/core/lib/iomgr/tcp_client_posix.cc +30 -36
- data/src/core/lib/iomgr/tcp_client_windows.cc +10 -11
- data/src/core/lib/iomgr/tcp_custom.cc +3 -4
- data/src/core/lib/iomgr/tcp_custom.h +1 -1
- data/src/core/lib/iomgr/tcp_server.cc +3 -4
- data/src/core/lib/iomgr/tcp_server.h +7 -5
- data/src/core/lib/iomgr/tcp_server_custom.cc +11 -23
- data/src/core/lib/iomgr/tcp_server_posix.cc +38 -44
- data/src/core/lib/iomgr/tcp_server_utils_posix.h +3 -4
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +7 -8
- data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +10 -18
- data/src/core/lib/iomgr/tcp_server_windows.cc +16 -16
- data/src/core/lib/iomgr/tcp_uv.cc +3 -2
- data/src/core/lib/iomgr/time_averaged_stats.h +2 -3
- data/src/core/lib/iomgr/timer_generic.cc +15 -15
- data/src/core/lib/{gprpp/inlined_vector.h → iomgr/timer_generic.h} +19 -17
- data/src/core/lib/iomgr/timer_heap.h +2 -3
- data/src/core/lib/iomgr/udp_server.cc +32 -36
- data/src/core/lib/iomgr/udp_server.h +5 -2
- data/src/core/lib/iomgr/unix_sockets_posix.cc +9 -14
- data/src/core/lib/iomgr/unix_sockets_posix.h +3 -1
- data/src/core/lib/iomgr/unix_sockets_posix_noop.cc +5 -2
- data/src/core/lib/json/json.h +3 -2
- data/src/core/lib/json/json_reader.cc +25 -26
- data/src/core/lib/json/json_writer.cc +13 -12
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +12 -0
- data/src/core/lib/security/credentials/composite/composite_credentials.h +6 -3
- data/src/core/lib/security/credentials/credentials.cc +0 -84
- data/src/core/lib/security/credentials/credentials.h +13 -62
- data/src/core/lib/security/credentials/fake/fake_credentials.h +4 -0
- data/src/core/lib/security/credentials/google_default/credentials_generic.cc +8 -6
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +15 -17
- data/src/core/lib/security/credentials/iam/iam_credentials.cc +8 -6
- data/src/core/lib/security/credentials/iam/iam_credentials.h +4 -0
- data/src/core/lib/security/credentials/jwt/json_token.cc +1 -1
- data/src/core/lib/security/credentials/jwt/json_token.h +2 -5
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +7 -4
- data/src/core/lib/security/credentials/jwt/jwt_credentials.h +12 -0
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +8 -15
- data/src/core/lib/security/credentials/jwt/jwt_verifier.h +2 -3
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +73 -54
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +9 -3
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +19 -6
- data/src/core/lib/security/credentials/plugin/plugin_credentials.h +2 -0
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +20 -0
- data/src/core/lib/security/credentials/ssl/ssl_credentials.h +10 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc +23 -13
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +48 -11
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +21 -6
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +17 -17
- data/src/core/lib/security/security_connector/load_system_roots_linux.cc +3 -2
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +1 -1
- data/src/core/lib/security/security_connector/security_connector.cc +2 -0
- data/src/core/lib/security/security_connector/security_connector.h +2 -2
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +38 -36
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.h +8 -5
- data/src/core/lib/security/security_connector/ssl_utils.cc +89 -21
- data/src/core/lib/security/security_connector/ssl_utils.h +18 -12
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +101 -72
- data/src/core/lib/security/security_connector/tls/tls_security_connector.h +27 -5
- data/src/core/lib/security/transport/auth_filters.h +0 -5
- data/src/core/lib/security/transport/client_auth_filter.cc +11 -11
- data/src/core/lib/security/util/json_util.cc +12 -13
- data/src/core/lib/slice/slice.cc +38 -1
- data/src/core/lib/slice/slice_intern.cc +2 -3
- data/src/core/lib/slice/slice_internal.h +15 -0
- data/src/core/lib/slice/slice_utils.h +9 -0
- data/src/core/lib/surface/byte_buffer_reader.cc +2 -47
- data/src/core/lib/surface/call.cc +42 -44
- data/src/core/lib/surface/call_log_batch.cc +50 -58
- data/src/core/lib/surface/channel.cc +53 -31
- data/src/core/lib/surface/channel.h +35 -4
- data/src/core/lib/surface/channel_ping.cc +2 -3
- data/src/core/lib/surface/completion_queue.cc +304 -47
- data/src/core/lib/surface/completion_queue.h +8 -0
- data/src/core/lib/surface/event_string.cc +18 -25
- data/src/core/lib/surface/event_string.h +3 -1
- data/src/core/lib/surface/init.cc +2 -0
- data/src/core/lib/surface/init_secure.cc +1 -4
- data/src/core/lib/surface/server.cc +971 -837
- data/src/core/lib/surface/server.h +66 -12
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/byte_stream.h +7 -2
- data/src/core/lib/transport/connectivity_state.cc +7 -6
- data/src/core/lib/transport/connectivity_state.h +5 -3
- data/src/core/lib/transport/metadata.cc +3 -3
- data/src/core/lib/transport/metadata_batch.h +2 -3
- data/src/core/lib/transport/static_metadata.h +1 -1
- data/src/core/lib/transport/status_conversion.cc +6 -14
- data/src/core/lib/transport/transport.cc +2 -3
- data/src/core/lib/transport/transport.h +9 -2
- data/src/core/lib/transport/transport_op_string.cc +61 -102
- data/src/core/lib/uri/uri_parser.cc +8 -15
- data/src/core/lib/uri/uri_parser.h +2 -3
- data/src/core/plugin_registry/grpc_plugin_registry.cc +24 -4
- data/src/core/tsi/alts/crypt/aes_gcm.cc +0 -2
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +31 -14
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +8 -4
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +34 -2
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.h +9 -1
- data/src/core/tsi/alts/handshaker/transport_security_common_api.cc +2 -0
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.h +2 -3
- data/src/core/tsi/fake_transport_security.cc +10 -15
- data/src/core/tsi/ssl/session_cache/ssl_session.h +0 -2
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +0 -2
- data/src/core/tsi/ssl_transport_security.cc +154 -50
- data/src/core/tsi/ssl_transport_security.h +22 -10
- data/src/core/tsi/ssl_types.h +0 -2
- data/src/core/tsi/transport_security.h +6 -9
- data/src/core/tsi/transport_security_grpc.h +2 -3
- data/src/core/tsi/transport_security_interface.h +8 -3
- data/src/ruby/ext/grpc/extconf.rb +5 -2
- data/src/ruby/ext/grpc/rb_call.c +12 -3
- data/src/ruby/ext/grpc/rb_call.h +4 -0
- data/src/ruby/ext/grpc/rb_call_credentials.c +57 -12
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +4 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +6 -0
- data/src/ruby/lib/grpc/errors.rb +103 -42
- data/src/ruby/lib/grpc/generic/active_call.rb +2 -3
- data/src/ruby/lib/grpc/generic/interceptors.rb +5 -5
- data/src/ruby/lib/grpc/generic/rpc_server.rb +9 -10
- data/src/ruby/lib/grpc/generic/service.rb +5 -4
- data/src/ruby/lib/grpc/structs.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/generate_proto_ruby.sh +5 -3
- data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +11 -0
- data/src/ruby/pb/src/proto/grpc/testing/test_services_pb.rb +16 -0
- data/src/ruby/spec/debug_message_spec.rb +134 -0
- data/src/ruby/spec/generic/service_spec.rb +2 -0
- data/src/ruby/spec/pb/codegen/grpc/testing/package_options_import2.proto +23 -0
- data/src/ruby/spec/pb/codegen/grpc/testing/package_options_ruby_style.proto +7 -0
- data/src/ruby/spec/pb/codegen/package_option_spec.rb +7 -1
- data/src/ruby/spec/support/services.rb +10 -4
- data/src/ruby/spec/testdata/ca.pem +18 -13
- data/src/ruby/spec/testdata/client.key +26 -14
- data/src/ruby/spec/testdata/client.pem +18 -12
- data/src/ruby/spec/testdata/server1.key +26 -14
- data/src/ruby/spec/testdata/server1.pem +20 -14
- data/third_party/abseil-cpp/absl/time/civil_time.cc +175 -0
- data/third_party/abseil-cpp/absl/time/civil_time.h +538 -0
- data/third_party/abseil-cpp/absl/time/clock.cc +569 -0
- data/third_party/abseil-cpp/absl/time/clock.h +74 -0
- data/third_party/abseil-cpp/absl/time/duration.cc +922 -0
- data/third_party/abseil-cpp/absl/time/format.cc +153 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time.h +332 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time_detail.h +622 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/time_zone.h +384 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/zone_info_source.h +102 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/civil_time_detail.cc +94 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_fixed.cc +140 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_fixed.h +52 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_format.cc +922 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_if.cc +45 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_if.h +76 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_impl.cc +121 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_impl.h +93 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_info.cc +958 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_info.h +138 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.cc +308 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.h +55 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_lookup.cc +187 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_posix.cc +159 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_posix.h +132 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/tzfile.h +122 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/zone_info_source.cc +115 -0
- data/third_party/abseil-cpp/absl/time/internal/get_current_time_chrono.inc +31 -0
- data/third_party/abseil-cpp/absl/time/internal/get_current_time_posix.inc +24 -0
- data/third_party/abseil-cpp/absl/time/time.cc +499 -0
- data/third_party/abseil-cpp/absl/time/time.h +1584 -0
- data/third_party/boringssl-with-bazel/err_data.c +335 -297
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_enum.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu-arm-linux.c +7 -5
- data/third_party/boringssl-with-bazel/src/crypto/cpu-intel.c +13 -4
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +11 -0
- data/third_party/boringssl-with-bazel/src/{third_party/fiat → crypto/curve25519}/curve25519.c +18 -26
- data/third_party/boringssl-with-bazel/src/{third_party/fiat → crypto/curve25519}/curve25519_tables.h +13 -21
- data/third_party/boringssl-with-bazel/src/{third_party/fiat → crypto/curve25519}/internal.h +14 -22
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/dh/dh.c +15 -0
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +10 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +385 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +56 -0
- data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/err/err.c +33 -32
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +143 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +17 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +25 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +30 -154
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digests.c +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +289 -117
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +13 -27
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +96 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/felem.c +25 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +434 -161
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +63 -71
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +18 -25
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64-table.h +9481 -9485
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64.c +104 -122
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +740 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256_table.h +297 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +90 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +125 -148
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +189 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/util.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +61 -18
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +20 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +137 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +49 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +64 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +41 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +32 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +24 -114
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +51 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +15 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +44 -35
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +47 -16
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +15 -1
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/internal.h +7 -0
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -5
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/deterministic.c +6 -10
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/windows.c +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +249 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +1227 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +682 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_strex.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +0 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +13 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +10 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +57 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +4 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +33 -9
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +35 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +0 -154
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +28 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +74 -35
- data/third_party/boringssl-with-bazel/src/include/openssl/aes.h +16 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +22 -22
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +6 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +9 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +20 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +16 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +6 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +2 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +69 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +3 -17
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +31 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/sha.h +26 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +191 -79
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +282 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +791 -715
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +1 -0
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +0 -4
- data/third_party/boringssl-with-bazel/src/ssl/d1_lib.cc +3 -3
- data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +13 -4
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +146 -57
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +23 -5
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +30 -22
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +21 -4
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +74 -54
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +10 -10
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +21 -21
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +29 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +4 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +34 -1
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +13 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +44 -5
- data/third_party/boringssl-with-bazel/src/ssl/ssl_stat.cc +6 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +5 -5
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +51 -26
- data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +47 -53
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +129 -48
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +23 -75
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +55 -22
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +63 -25
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +245 -175
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +135 -75
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +1593 -1672
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +512 -503
- data/third_party/re2/re2/bitmap256.h +117 -0
- data/third_party/re2/re2/bitstate.cc +385 -0
- data/third_party/re2/re2/compile.cc +1279 -0
- data/third_party/re2/re2/dfa.cc +2130 -0
- data/third_party/re2/re2/filtered_re2.cc +121 -0
- data/third_party/re2/re2/filtered_re2.h +109 -0
- data/third_party/re2/re2/mimics_pcre.cc +197 -0
- data/third_party/re2/re2/nfa.cc +713 -0
- data/third_party/re2/re2/onepass.cc +623 -0
- data/third_party/re2/re2/parse.cc +2464 -0
- data/third_party/re2/re2/perl_groups.cc +119 -0
- data/third_party/re2/re2/pod_array.h +55 -0
- data/third_party/re2/re2/prefilter.cc +710 -0
- data/third_party/re2/re2/prefilter.h +108 -0
- data/third_party/re2/re2/prefilter_tree.cc +407 -0
- data/third_party/re2/re2/prefilter_tree.h +139 -0
- data/third_party/re2/re2/prog.cc +988 -0
- data/third_party/re2/re2/prog.h +436 -0
- data/third_party/re2/re2/re2.cc +1362 -0
- data/third_party/re2/re2/re2.h +1002 -0
- data/third_party/re2/re2/regexp.cc +980 -0
- data/third_party/re2/re2/regexp.h +659 -0
- data/third_party/re2/re2/set.cc +154 -0
- data/third_party/re2/re2/set.h +80 -0
- data/third_party/re2/re2/simplify.cc +657 -0
- data/third_party/re2/re2/sparse_array.h +392 -0
- data/third_party/re2/re2/sparse_set.h +264 -0
- data/third_party/re2/re2/stringpiece.cc +65 -0
- data/third_party/re2/re2/stringpiece.h +210 -0
- data/third_party/re2/re2/tostring.cc +351 -0
- data/third_party/re2/re2/unicode_casefold.cc +582 -0
- data/third_party/re2/re2/unicode_casefold.h +78 -0
- data/third_party/re2/re2/unicode_groups.cc +6269 -0
- data/third_party/re2/re2/unicode_groups.h +67 -0
- data/third_party/re2/re2/walker-inl.h +246 -0
- data/third_party/re2/util/benchmark.h +156 -0
- data/third_party/re2/util/flags.h +26 -0
- data/third_party/re2/util/logging.h +109 -0
- data/third_party/re2/util/malloc_counter.h +19 -0
- data/third_party/re2/util/mix.h +41 -0
- data/third_party/re2/util/mutex.h +148 -0
- data/third_party/re2/util/pcre.cc +1025 -0
- data/third_party/re2/util/pcre.h +681 -0
- data/third_party/re2/util/rune.cc +260 -0
- data/third_party/re2/util/strutil.cc +149 -0
- data/third_party/re2/util/strutil.h +21 -0
- data/third_party/re2/util/test.h +50 -0
- data/third_party/re2/util/utf.h +44 -0
- data/third_party/re2/util/util.h +42 -0
- data/third_party/upb/upb/decode.c +467 -504
- data/third_party/upb/upb/encode.c +163 -121
- data/third_party/upb/upb/msg.c +130 -64
- data/third_party/upb/upb/msg.h +418 -14
- data/third_party/upb/upb/port_def.inc +35 -6
- data/third_party/upb/upb/port_undef.inc +8 -1
- data/third_party/upb/upb/table.c +53 -75
- data/third_party/upb/upb/table.int.h +11 -43
- data/third_party/upb/upb/upb.c +148 -124
- data/third_party/upb/upb/upb.h +65 -147
- data/third_party/upb/upb/upb.hpp +86 -0
- metadata +175 -47
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.cc +0 -1754
- data/src/core/lib/gprpp/string_view.h +0 -60
- data/src/core/tsi/grpc_shadow_boringssl.h +0 -3311
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256.c +0 -1063
- data/third_party/upb/upb/generated_util.h +0 -105
|
@@ -0,0 +1,1227 @@
|
|
|
1
|
+
/* Copyright (c) 2020, Google Inc.
|
|
2
|
+
*
|
|
3
|
+
* Permission to use, copy, modify, and/or distribute this software for any
|
|
4
|
+
* purpose with or without fee is hereby granted, provided that the above
|
|
5
|
+
* copyright notice and this permission notice appear in all copies.
|
|
6
|
+
*
|
|
7
|
+
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
8
|
+
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
9
|
+
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
|
10
|
+
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
11
|
+
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
|
12
|
+
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
|
13
|
+
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
|
14
|
+
|
|
15
|
+
#include <openssl/trust_token.h>
|
|
16
|
+
|
|
17
|
+
#include <openssl/bn.h>
|
|
18
|
+
#include <openssl/bytestring.h>
|
|
19
|
+
#include <openssl/ec.h>
|
|
20
|
+
#include <openssl/err.h>
|
|
21
|
+
#include <openssl/mem.h>
|
|
22
|
+
#include <openssl/nid.h>
|
|
23
|
+
#include <openssl/rand.h>
|
|
24
|
+
#include <openssl/sha.h>
|
|
25
|
+
|
|
26
|
+
#include "../ec_extra/internal.h"
|
|
27
|
+
#include "../fipsmodule/bn/internal.h"
|
|
28
|
+
#include "../fipsmodule/ec/internal.h"
|
|
29
|
+
|
|
30
|
+
#include "internal.h"
|
|
31
|
+
|
|
32
|
+
|
|
33
|
+
typedef int (*hash_t_func_t)(const EC_GROUP *group, EC_RAW_POINT *out,
|
|
34
|
+
const uint8_t t[PMBTOKEN_NONCE_SIZE]);
|
|
35
|
+
typedef int (*hash_s_func_t)(const EC_GROUP *group, EC_RAW_POINT *out,
|
|
36
|
+
const EC_AFFINE *t,
|
|
37
|
+
const uint8_t s[PMBTOKEN_NONCE_SIZE]);
|
|
38
|
+
typedef int (*hash_c_func_t)(const EC_GROUP *group, EC_SCALAR *out,
|
|
39
|
+
uint8_t *buf, size_t len);
|
|
40
|
+
|
|
41
|
+
typedef struct {
|
|
42
|
+
const EC_GROUP *group;
|
|
43
|
+
EC_PRECOMP g_precomp;
|
|
44
|
+
EC_PRECOMP h_precomp;
|
|
45
|
+
EC_RAW_POINT h;
|
|
46
|
+
// hash_t implements the H_t operation in PMBTokens. It returns one on success
|
|
47
|
+
// and zero on error.
|
|
48
|
+
hash_t_func_t hash_t;
|
|
49
|
+
// hash_s implements the H_s operation in PMBTokens. It returns one on success
|
|
50
|
+
// and zero on error.
|
|
51
|
+
hash_s_func_t hash_s;
|
|
52
|
+
// hash_c implements the H_c operation in PMBTokens. It returns one on success
|
|
53
|
+
// and zero on error.
|
|
54
|
+
hash_c_func_t hash_c;
|
|
55
|
+
} PMBTOKEN_METHOD;
|
|
56
|
+
|
|
57
|
+
static const uint8_t kDefaultAdditionalData[32] = {0};
|
|
58
|
+
|
|
59
|
+
static int pmbtoken_init_method(PMBTOKEN_METHOD *method, int curve_nid,
|
|
60
|
+
const uint8_t *h_bytes, size_t h_len,
|
|
61
|
+
hash_t_func_t hash_t, hash_s_func_t hash_s,
|
|
62
|
+
hash_c_func_t hash_c) {
|
|
63
|
+
method->group = EC_GROUP_new_by_curve_name(curve_nid);
|
|
64
|
+
if (method->group == NULL) {
|
|
65
|
+
return 0;
|
|
66
|
+
}
|
|
67
|
+
|
|
68
|
+
method->hash_t = hash_t;
|
|
69
|
+
method->hash_s = hash_s;
|
|
70
|
+
method->hash_c = hash_c;
|
|
71
|
+
|
|
72
|
+
EC_AFFINE h;
|
|
73
|
+
if (!ec_point_from_uncompressed(method->group, &h, h_bytes, h_len)) {
|
|
74
|
+
return 0;
|
|
75
|
+
}
|
|
76
|
+
ec_affine_to_jacobian(method->group, &method->h, &h);
|
|
77
|
+
|
|
78
|
+
if (!ec_init_precomp(method->group, &method->g_precomp,
|
|
79
|
+
&method->group->generator->raw) ||
|
|
80
|
+
!ec_init_precomp(method->group, &method->h_precomp, &method->h)) {
|
|
81
|
+
return 0;
|
|
82
|
+
}
|
|
83
|
+
return 1;
|
|
84
|
+
}
|
|
85
|
+
|
|
86
|
+
// generate_keypair generates a keypair for the PMBTokens construction.
|
|
87
|
+
// |out_x| and |out_y| are set to the secret half of the keypair, while
|
|
88
|
+
// |*out_pub| is set to the public half of the keypair. It returns one on
|
|
89
|
+
// success and zero on failure.
|
|
90
|
+
static int generate_keypair(const PMBTOKEN_METHOD *method, EC_SCALAR *out_x,
|
|
91
|
+
EC_SCALAR *out_y, EC_RAW_POINT *out_pub) {
|
|
92
|
+
if (!ec_random_nonzero_scalar(method->group, out_x, kDefaultAdditionalData) ||
|
|
93
|
+
!ec_random_nonzero_scalar(method->group, out_y, kDefaultAdditionalData) ||
|
|
94
|
+
!ec_point_mul_scalar_precomp(method->group, out_pub, &method->g_precomp,
|
|
95
|
+
out_x, &method->h_precomp, out_y, NULL,
|
|
96
|
+
NULL)) {
|
|
97
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
98
|
+
return 0;
|
|
99
|
+
}
|
|
100
|
+
return 1;
|
|
101
|
+
}
|
|
102
|
+
|
|
103
|
+
static int point_to_cbb(CBB *out, const EC_GROUP *group,
|
|
104
|
+
const EC_AFFINE *point) {
|
|
105
|
+
size_t len =
|
|
106
|
+
ec_point_to_bytes(group, point, POINT_CONVERSION_UNCOMPRESSED, NULL, 0);
|
|
107
|
+
if (len == 0) {
|
|
108
|
+
return 0;
|
|
109
|
+
}
|
|
110
|
+
uint8_t *p;
|
|
111
|
+
return CBB_add_space(out, &p, len) &&
|
|
112
|
+
ec_point_to_bytes(group, point, POINT_CONVERSION_UNCOMPRESSED, p,
|
|
113
|
+
len) == len;
|
|
114
|
+
}
|
|
115
|
+
|
|
116
|
+
static int cbs_get_prefixed_point(CBS *cbs, const EC_GROUP *group,
|
|
117
|
+
EC_AFFINE *out) {
|
|
118
|
+
CBS child;
|
|
119
|
+
if (!CBS_get_u16_length_prefixed(cbs, &child) ||
|
|
120
|
+
!ec_point_from_uncompressed(group, out, CBS_data(&child),
|
|
121
|
+
CBS_len(&child))) {
|
|
122
|
+
return 0;
|
|
123
|
+
}
|
|
124
|
+
return 1;
|
|
125
|
+
}
|
|
126
|
+
|
|
127
|
+
static int mul_public_3(const EC_GROUP *group, EC_RAW_POINT *out,
|
|
128
|
+
const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
|
|
129
|
+
const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
|
|
130
|
+
const EC_RAW_POINT *p2, const EC_SCALAR *scalar2) {
|
|
131
|
+
EC_RAW_POINT points[3] = {*p0, *p1, *p2};
|
|
132
|
+
EC_SCALAR scalars[3] = {*scalar0, *scalar1, *scalar2};
|
|
133
|
+
return ec_point_mul_scalar_public_batch(group, out, /*g_scalar=*/NULL, points,
|
|
134
|
+
scalars, 3);
|
|
135
|
+
}
|
|
136
|
+
|
|
137
|
+
void PMBTOKEN_PRETOKEN_free(PMBTOKEN_PRETOKEN *pretoken) {
|
|
138
|
+
OPENSSL_free(pretoken);
|
|
139
|
+
}
|
|
140
|
+
|
|
141
|
+
static int pmbtoken_generate_key(const PMBTOKEN_METHOD *method,
|
|
142
|
+
CBB *out_private, CBB *out_public) {
|
|
143
|
+
const EC_GROUP *group = method->group;
|
|
144
|
+
EC_RAW_POINT pub[3];
|
|
145
|
+
EC_SCALAR x0, y0, x1, y1, xs, ys;
|
|
146
|
+
if (!generate_keypair(method, &x0, &y0, &pub[0]) ||
|
|
147
|
+
!generate_keypair(method, &x1, &y1, &pub[1]) ||
|
|
148
|
+
!generate_keypair(method, &xs, &ys, &pub[2])) {
|
|
149
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_KEYGEN_FAILURE);
|
|
150
|
+
return 0;
|
|
151
|
+
}
|
|
152
|
+
|
|
153
|
+
const EC_SCALAR *scalars[] = {&x0, &y0, &x1, &y1, &xs, &ys};
|
|
154
|
+
size_t scalar_len = BN_num_bytes(&group->order);
|
|
155
|
+
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(scalars); i++) {
|
|
156
|
+
uint8_t *buf;
|
|
157
|
+
if (!CBB_add_space(out_private, &buf, scalar_len)) {
|
|
158
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BUFFER_TOO_SMALL);
|
|
159
|
+
return 0;
|
|
160
|
+
}
|
|
161
|
+
ec_scalar_to_bytes(group, buf, &scalar_len, scalars[i]);
|
|
162
|
+
}
|
|
163
|
+
|
|
164
|
+
EC_AFFINE pub_affine[3];
|
|
165
|
+
if (!ec_jacobian_to_affine_batch(group, pub_affine, pub, 3)) {
|
|
166
|
+
return 0;
|
|
167
|
+
}
|
|
168
|
+
|
|
169
|
+
// TODO(https://crbug.com/boringssl/331): When updating the key format, remove
|
|
170
|
+
// the redundant length prefixes.
|
|
171
|
+
CBB child;
|
|
172
|
+
if (!CBB_add_u16_length_prefixed(out_public, &child) ||
|
|
173
|
+
!point_to_cbb(&child, group, &pub_affine[0]) ||
|
|
174
|
+
!CBB_add_u16_length_prefixed(out_public, &child) ||
|
|
175
|
+
!point_to_cbb(&child, group, &pub_affine[1]) ||
|
|
176
|
+
!CBB_add_u16_length_prefixed(out_public, &child) ||
|
|
177
|
+
!point_to_cbb(&child, group, &pub_affine[2]) ||
|
|
178
|
+
!CBB_flush(out_public)) {
|
|
179
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BUFFER_TOO_SMALL);
|
|
180
|
+
return 0;
|
|
181
|
+
}
|
|
182
|
+
|
|
183
|
+
return 1;
|
|
184
|
+
}
|
|
185
|
+
|
|
186
|
+
static int pmbtoken_client_key_from_bytes(const PMBTOKEN_METHOD *method,
|
|
187
|
+
PMBTOKEN_CLIENT_KEY *key,
|
|
188
|
+
const uint8_t *in, size_t len) {
|
|
189
|
+
// TODO(https://crbug.com/boringssl/331): When updating the key format, remove
|
|
190
|
+
// the redundant length prefixes.
|
|
191
|
+
CBS cbs;
|
|
192
|
+
CBS_init(&cbs, in, len);
|
|
193
|
+
if (!cbs_get_prefixed_point(&cbs, method->group, &key->pub0) ||
|
|
194
|
+
!cbs_get_prefixed_point(&cbs, method->group, &key->pub1) ||
|
|
195
|
+
!cbs_get_prefixed_point(&cbs, method->group, &key->pubs) ||
|
|
196
|
+
CBS_len(&cbs) != 0) {
|
|
197
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
|
|
198
|
+
return 0;
|
|
199
|
+
}
|
|
200
|
+
|
|
201
|
+
return 1;
|
|
202
|
+
}
|
|
203
|
+
|
|
204
|
+
static int pmbtoken_issuer_key_from_bytes(const PMBTOKEN_METHOD *method,
|
|
205
|
+
PMBTOKEN_ISSUER_KEY *key,
|
|
206
|
+
const uint8_t *in, size_t len) {
|
|
207
|
+
const EC_GROUP *group = method->group;
|
|
208
|
+
CBS cbs, tmp;
|
|
209
|
+
CBS_init(&cbs, in, len);
|
|
210
|
+
size_t scalar_len = BN_num_bytes(&group->order);
|
|
211
|
+
EC_SCALAR *scalars[] = {&key->x0, &key->y0, &key->x1,
|
|
212
|
+
&key->y1, &key->xs, &key->ys};
|
|
213
|
+
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(scalars); i++) {
|
|
214
|
+
if (!CBS_get_bytes(&cbs, &tmp, scalar_len) ||
|
|
215
|
+
!ec_scalar_from_bytes(group, scalars[i], CBS_data(&tmp),
|
|
216
|
+
CBS_len(&tmp))) {
|
|
217
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
|
|
218
|
+
return 0;
|
|
219
|
+
}
|
|
220
|
+
}
|
|
221
|
+
|
|
222
|
+
// Recompute the public key.
|
|
223
|
+
EC_RAW_POINT pub[3];
|
|
224
|
+
EC_AFFINE pub_affine[3];
|
|
225
|
+
if (!ec_point_mul_scalar_precomp(group, &pub[0], &method->g_precomp, &key->x0,
|
|
226
|
+
&method->h_precomp, &key->y0, NULL, NULL) ||
|
|
227
|
+
!ec_init_precomp(group, &key->pub0_precomp, &pub[0]) ||
|
|
228
|
+
!ec_point_mul_scalar_precomp(group, &pub[1], &method->g_precomp, &key->x1,
|
|
229
|
+
&method->h_precomp, &key->y1, NULL, NULL) ||
|
|
230
|
+
!ec_init_precomp(group, &key->pub1_precomp, &pub[1]) ||
|
|
231
|
+
!ec_point_mul_scalar_precomp(group, &pub[2], &method->g_precomp, &key->xs,
|
|
232
|
+
&method->h_precomp, &key->ys, NULL, NULL) ||
|
|
233
|
+
!ec_init_precomp(group, &key->pubs_precomp, &pub[2]) ||
|
|
234
|
+
!ec_jacobian_to_affine_batch(group, pub_affine, pub, 3)) {
|
|
235
|
+
return 0;
|
|
236
|
+
}
|
|
237
|
+
|
|
238
|
+
key->pub0 = pub_affine[0];
|
|
239
|
+
key->pub1 = pub_affine[1];
|
|
240
|
+
key->pubs = pub_affine[2];
|
|
241
|
+
return 1;
|
|
242
|
+
}
|
|
243
|
+
|
|
244
|
+
static STACK_OF(PMBTOKEN_PRETOKEN) *
|
|
245
|
+
pmbtoken_blind(const PMBTOKEN_METHOD *method, CBB *cbb, size_t count) {
|
|
246
|
+
const EC_GROUP *group = method->group;
|
|
247
|
+
STACK_OF(PMBTOKEN_PRETOKEN) *pretokens = sk_PMBTOKEN_PRETOKEN_new_null();
|
|
248
|
+
if (pretokens == NULL) {
|
|
249
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
250
|
+
goto err;
|
|
251
|
+
}
|
|
252
|
+
|
|
253
|
+
for (size_t i = 0; i < count; i++) {
|
|
254
|
+
// Insert |pretoken| into |pretokens| early to simplify error-handling.
|
|
255
|
+
PMBTOKEN_PRETOKEN *pretoken = OPENSSL_malloc(sizeof(PMBTOKEN_PRETOKEN));
|
|
256
|
+
if (pretoken == NULL ||
|
|
257
|
+
!sk_PMBTOKEN_PRETOKEN_push(pretokens, pretoken)) {
|
|
258
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
259
|
+
PMBTOKEN_PRETOKEN_free(pretoken);
|
|
260
|
+
goto err;
|
|
261
|
+
}
|
|
262
|
+
|
|
263
|
+
RAND_bytes(pretoken->t, sizeof(pretoken->t));
|
|
264
|
+
|
|
265
|
+
// We sample |pretoken->r| in Montgomery form to simplify inverting.
|
|
266
|
+
if (!ec_random_nonzero_scalar(group, &pretoken->r,
|
|
267
|
+
kDefaultAdditionalData)) {
|
|
268
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
269
|
+
goto err;
|
|
270
|
+
}
|
|
271
|
+
|
|
272
|
+
EC_SCALAR rinv;
|
|
273
|
+
ec_scalar_inv0_montgomery(group, &rinv, &pretoken->r);
|
|
274
|
+
// Convert both out of Montgomery form.
|
|
275
|
+
ec_scalar_from_montgomery(group, &pretoken->r, &pretoken->r);
|
|
276
|
+
ec_scalar_from_montgomery(group, &rinv, &rinv);
|
|
277
|
+
|
|
278
|
+
EC_RAW_POINT T, Tp;
|
|
279
|
+
if (!method->hash_t(group, &T, pretoken->t) ||
|
|
280
|
+
!ec_point_mul_scalar(group, &Tp, &T, &rinv) ||
|
|
281
|
+
!ec_jacobian_to_affine(group, &pretoken->Tp, &Tp)) {
|
|
282
|
+
goto err;
|
|
283
|
+
}
|
|
284
|
+
|
|
285
|
+
// TODO(https://crbug.com/boringssl/331): When updating the key format,
|
|
286
|
+
// remove the redundant length prefixes.
|
|
287
|
+
CBB child;
|
|
288
|
+
if (!CBB_add_u16_length_prefixed(cbb, &child) ||
|
|
289
|
+
!point_to_cbb(&child, group, &pretoken->Tp) ||
|
|
290
|
+
!CBB_flush(cbb)) {
|
|
291
|
+
goto err;
|
|
292
|
+
}
|
|
293
|
+
}
|
|
294
|
+
|
|
295
|
+
return pretokens;
|
|
296
|
+
|
|
297
|
+
err:
|
|
298
|
+
sk_PMBTOKEN_PRETOKEN_pop_free(pretokens, PMBTOKEN_PRETOKEN_free);
|
|
299
|
+
return NULL;
|
|
300
|
+
}
|
|
301
|
+
|
|
302
|
+
static int scalar_to_cbb(CBB *out, const EC_GROUP *group,
|
|
303
|
+
const EC_SCALAR *scalar) {
|
|
304
|
+
uint8_t *buf;
|
|
305
|
+
size_t scalar_len = BN_num_bytes(&group->order);
|
|
306
|
+
if (!CBB_add_space(out, &buf, scalar_len)) {
|
|
307
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
308
|
+
return 0;
|
|
309
|
+
}
|
|
310
|
+
ec_scalar_to_bytes(group, buf, &scalar_len, scalar);
|
|
311
|
+
return 1;
|
|
312
|
+
}
|
|
313
|
+
|
|
314
|
+
static int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) {
|
|
315
|
+
size_t scalar_len = BN_num_bytes(&group->order);
|
|
316
|
+
CBS tmp;
|
|
317
|
+
if (!CBS_get_bytes(cbs, &tmp, scalar_len)) {
|
|
318
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
|
|
319
|
+
return 0;
|
|
320
|
+
}
|
|
321
|
+
|
|
322
|
+
ec_scalar_from_bytes(group, out, CBS_data(&tmp), CBS_len(&tmp));
|
|
323
|
+
return 1;
|
|
324
|
+
}
|
|
325
|
+
|
|
326
|
+
static int hash_c_dleq(const PMBTOKEN_METHOD *method, EC_SCALAR *out,
|
|
327
|
+
const EC_AFFINE *X, const EC_AFFINE *T,
|
|
328
|
+
const EC_AFFINE *S, const EC_AFFINE *W,
|
|
329
|
+
const EC_AFFINE *K0, const EC_AFFINE *K1) {
|
|
330
|
+
static const uint8_t kDLEQ2Label[] = "DLEQ2";
|
|
331
|
+
|
|
332
|
+
int ok = 0;
|
|
333
|
+
CBB cbb;
|
|
334
|
+
CBB_zero(&cbb);
|
|
335
|
+
uint8_t *buf = NULL;
|
|
336
|
+
size_t len;
|
|
337
|
+
if (!CBB_init(&cbb, 0) ||
|
|
338
|
+
!CBB_add_bytes(&cbb, kDLEQ2Label, sizeof(kDLEQ2Label)) ||
|
|
339
|
+
!point_to_cbb(&cbb, method->group, X) ||
|
|
340
|
+
!point_to_cbb(&cbb, method->group, T) ||
|
|
341
|
+
!point_to_cbb(&cbb, method->group, S) ||
|
|
342
|
+
!point_to_cbb(&cbb, method->group, W) ||
|
|
343
|
+
!point_to_cbb(&cbb, method->group, K0) ||
|
|
344
|
+
!point_to_cbb(&cbb, method->group, K1) ||
|
|
345
|
+
!CBB_finish(&cbb, &buf, &len) ||
|
|
346
|
+
!method->hash_c(method->group, out, buf, len)) {
|
|
347
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
348
|
+
goto err;
|
|
349
|
+
}
|
|
350
|
+
|
|
351
|
+
ok = 1;
|
|
352
|
+
|
|
353
|
+
err:
|
|
354
|
+
CBB_cleanup(&cbb);
|
|
355
|
+
OPENSSL_free(buf);
|
|
356
|
+
return ok;
|
|
357
|
+
}
|
|
358
|
+
|
|
359
|
+
static int hash_c_dleqor(const PMBTOKEN_METHOD *method, EC_SCALAR *out,
|
|
360
|
+
const EC_AFFINE *X0, const EC_AFFINE *X1,
|
|
361
|
+
const EC_AFFINE *T, const EC_AFFINE *S,
|
|
362
|
+
const EC_AFFINE *W, const EC_AFFINE *K00,
|
|
363
|
+
const EC_AFFINE *K01, const EC_AFFINE *K10,
|
|
364
|
+
const EC_AFFINE *K11) {
|
|
365
|
+
static const uint8_t kDLEQOR2Label[] = "DLEQOR2";
|
|
366
|
+
|
|
367
|
+
int ok = 0;
|
|
368
|
+
CBB cbb;
|
|
369
|
+
CBB_zero(&cbb);
|
|
370
|
+
uint8_t *buf = NULL;
|
|
371
|
+
size_t len;
|
|
372
|
+
if (!CBB_init(&cbb, 0) ||
|
|
373
|
+
!CBB_add_bytes(&cbb, kDLEQOR2Label, sizeof(kDLEQOR2Label)) ||
|
|
374
|
+
!point_to_cbb(&cbb, method->group, X0) ||
|
|
375
|
+
!point_to_cbb(&cbb, method->group, X1) ||
|
|
376
|
+
!point_to_cbb(&cbb, method->group, T) ||
|
|
377
|
+
!point_to_cbb(&cbb, method->group, S) ||
|
|
378
|
+
!point_to_cbb(&cbb, method->group, W) ||
|
|
379
|
+
!point_to_cbb(&cbb, method->group, K00) ||
|
|
380
|
+
!point_to_cbb(&cbb, method->group, K01) ||
|
|
381
|
+
!point_to_cbb(&cbb, method->group, K10) ||
|
|
382
|
+
!point_to_cbb(&cbb, method->group, K11) ||
|
|
383
|
+
!CBB_finish(&cbb, &buf, &len) ||
|
|
384
|
+
!method->hash_c(method->group, out, buf, len)) {
|
|
385
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
386
|
+
goto err;
|
|
387
|
+
}
|
|
388
|
+
|
|
389
|
+
ok = 1;
|
|
390
|
+
|
|
391
|
+
err:
|
|
392
|
+
CBB_cleanup(&cbb);
|
|
393
|
+
OPENSSL_free(buf);
|
|
394
|
+
return ok;
|
|
395
|
+
}
|
|
396
|
+
|
|
397
|
+
static int hash_c_batch(const PMBTOKEN_METHOD *method, EC_SCALAR *out,
|
|
398
|
+
const CBB *points, size_t index) {
|
|
399
|
+
static const uint8_t kDLEQBatchLabel[] = "DLEQ BATCH";
|
|
400
|
+
if (index > 0xffff) {
|
|
401
|
+
// The protocol supports only two-byte batches.
|
|
402
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
|
|
403
|
+
return 0;
|
|
404
|
+
}
|
|
405
|
+
|
|
406
|
+
int ok = 0;
|
|
407
|
+
CBB cbb;
|
|
408
|
+
CBB_zero(&cbb);
|
|
409
|
+
uint8_t *buf = NULL;
|
|
410
|
+
size_t len;
|
|
411
|
+
if (!CBB_init(&cbb, 0) ||
|
|
412
|
+
!CBB_add_bytes(&cbb, kDLEQBatchLabel, sizeof(kDLEQBatchLabel)) ||
|
|
413
|
+
!CBB_add_bytes(&cbb, CBB_data(points), CBB_len(points)) ||
|
|
414
|
+
!CBB_add_u16(&cbb, (uint16_t)index) ||
|
|
415
|
+
!CBB_finish(&cbb, &buf, &len) ||
|
|
416
|
+
!method->hash_c(method->group, out, buf, len)) {
|
|
417
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
418
|
+
goto err;
|
|
419
|
+
}
|
|
420
|
+
|
|
421
|
+
ok = 1;
|
|
422
|
+
|
|
423
|
+
err:
|
|
424
|
+
CBB_cleanup(&cbb);
|
|
425
|
+
OPENSSL_free(buf);
|
|
426
|
+
return ok;
|
|
427
|
+
}
|
|
428
|
+
|
|
429
|
+
// The DLEQ2 and DLEQOR2 constructions are described in appendix B of
|
|
430
|
+
// https://eprint.iacr.org/2020/072/20200324:214215. DLEQ2 is an instance of
|
|
431
|
+
// DLEQOR2 with only one value (n=1).
|
|
432
|
+
|
|
433
|
+
static int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb,
|
|
434
|
+
const PMBTOKEN_ISSUER_KEY *priv, const EC_RAW_POINT *T,
|
|
435
|
+
const EC_RAW_POINT *S, const EC_RAW_POINT *W,
|
|
436
|
+
const EC_RAW_POINT *Ws, uint8_t private_metadata) {
|
|
437
|
+
const EC_GROUP *group = method->group;
|
|
438
|
+
|
|
439
|
+
// We generate a DLEQ proof for the validity token and a DLEQOR2 proof for the
|
|
440
|
+
// private metadata token. To allow amortizing Jacobian-to-affine conversions,
|
|
441
|
+
// we compute Ki for both proofs first.
|
|
442
|
+
enum {
|
|
443
|
+
idx_T,
|
|
444
|
+
idx_S,
|
|
445
|
+
idx_W,
|
|
446
|
+
idx_Ws,
|
|
447
|
+
idx_Ks0,
|
|
448
|
+
idx_Ks1,
|
|
449
|
+
idx_Kb0,
|
|
450
|
+
idx_Kb1,
|
|
451
|
+
idx_Ko0,
|
|
452
|
+
idx_Ko1,
|
|
453
|
+
num_idx,
|
|
454
|
+
};
|
|
455
|
+
EC_RAW_POINT jacobians[num_idx];
|
|
456
|
+
|
|
457
|
+
// Setup the DLEQ proof.
|
|
458
|
+
EC_SCALAR ks0, ks1;
|
|
459
|
+
if (// ks0, ks1 <- Zp
|
|
460
|
+
!ec_random_nonzero_scalar(group, &ks0, kDefaultAdditionalData) ||
|
|
461
|
+
!ec_random_nonzero_scalar(group, &ks1, kDefaultAdditionalData) ||
|
|
462
|
+
// Ks = ks0*(G;T) + ks1*(H;S)
|
|
463
|
+
!ec_point_mul_scalar_precomp(group, &jacobians[idx_Ks0],
|
|
464
|
+
&method->g_precomp, &ks0, &method->h_precomp,
|
|
465
|
+
&ks1, NULL, NULL) ||
|
|
466
|
+
!ec_point_mul_scalar_batch(group, &jacobians[idx_Ks1], T, &ks0, S, &ks1,
|
|
467
|
+
NULL, NULL)) {
|
|
468
|
+
return 0;
|
|
469
|
+
}
|
|
470
|
+
|
|
471
|
+
// Setup the DLEQOR proof. First, select values of xb, yb (keys corresponding
|
|
472
|
+
// to the private metadata value) and pubo (public key corresponding to the
|
|
473
|
+
// other value) in constant time.
|
|
474
|
+
BN_ULONG mask = ((BN_ULONG)0) - (private_metadata & 1);
|
|
475
|
+
EC_PRECOMP pubo_precomp;
|
|
476
|
+
EC_SCALAR xb, yb;
|
|
477
|
+
ec_scalar_select(group, &xb, mask, &priv->x1, &priv->x0);
|
|
478
|
+
ec_scalar_select(group, &yb, mask, &priv->y1, &priv->y0);
|
|
479
|
+
ec_precomp_select(group, &pubo_precomp, mask, &priv->pub0_precomp,
|
|
480
|
+
&priv->pub1_precomp);
|
|
481
|
+
|
|
482
|
+
EC_SCALAR k0, k1, minus_co, uo, vo;
|
|
483
|
+
if (// k0, k1 <- Zp
|
|
484
|
+
!ec_random_nonzero_scalar(group, &k0, kDefaultAdditionalData) ||
|
|
485
|
+
!ec_random_nonzero_scalar(group, &k1, kDefaultAdditionalData) ||
|
|
486
|
+
// Kb = k0*(G;T) + k1*(H;S)
|
|
487
|
+
!ec_point_mul_scalar_precomp(group, &jacobians[idx_Kb0],
|
|
488
|
+
&method->g_precomp, &k0, &method->h_precomp,
|
|
489
|
+
&k1, NULL, NULL) ||
|
|
490
|
+
!ec_point_mul_scalar_batch(group, &jacobians[idx_Kb1], T, &k0, S, &k1,
|
|
491
|
+
NULL, NULL) ||
|
|
492
|
+
// co, uo, vo <- Zp
|
|
493
|
+
!ec_random_nonzero_scalar(group, &minus_co, kDefaultAdditionalData) ||
|
|
494
|
+
!ec_random_nonzero_scalar(group, &uo, kDefaultAdditionalData) ||
|
|
495
|
+
!ec_random_nonzero_scalar(group, &vo, kDefaultAdditionalData) ||
|
|
496
|
+
// Ko = uo*(G;T) + vo*(H;S) - co*(pubo;W)
|
|
497
|
+
!ec_point_mul_scalar_precomp(group, &jacobians[idx_Ko0],
|
|
498
|
+
&method->g_precomp, &uo, &method->h_precomp,
|
|
499
|
+
&vo, &pubo_precomp, &minus_co) ||
|
|
500
|
+
!ec_point_mul_scalar_batch(group, &jacobians[idx_Ko1], T, &uo, S, &vo, W,
|
|
501
|
+
&minus_co)) {
|
|
502
|
+
return 0;
|
|
503
|
+
}
|
|
504
|
+
|
|
505
|
+
EC_AFFINE affines[num_idx];
|
|
506
|
+
jacobians[idx_T] = *T;
|
|
507
|
+
jacobians[idx_S] = *S;
|
|
508
|
+
jacobians[idx_W] = *W;
|
|
509
|
+
jacobians[idx_Ws] = *Ws;
|
|
510
|
+
if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) {
|
|
511
|
+
return 0;
|
|
512
|
+
}
|
|
513
|
+
|
|
514
|
+
// Select the K corresponding to K0 and K1 in constant-time.
|
|
515
|
+
EC_AFFINE K00, K01, K10, K11;
|
|
516
|
+
ec_affine_select(group, &K00, mask, &affines[idx_Ko0], &affines[idx_Kb0]);
|
|
517
|
+
ec_affine_select(group, &K01, mask, &affines[idx_Ko1], &affines[idx_Kb1]);
|
|
518
|
+
ec_affine_select(group, &K10, mask, &affines[idx_Kb0], &affines[idx_Ko0]);
|
|
519
|
+
ec_affine_select(group, &K11, mask, &affines[idx_Kb1], &affines[idx_Ko1]);
|
|
520
|
+
|
|
521
|
+
// Compute c = Hc(...) for the two proofs.
|
|
522
|
+
EC_SCALAR cs, c;
|
|
523
|
+
if (!hash_c_dleq(method, &cs, &priv->pubs, &affines[idx_T], &affines[idx_S],
|
|
524
|
+
&affines[idx_Ws], &affines[idx_Ks0], &affines[idx_Ks1]) ||
|
|
525
|
+
!hash_c_dleqor(method, &c, &priv->pub0, &priv->pub1, &affines[idx_T],
|
|
526
|
+
&affines[idx_S], &affines[idx_W], &K00, &K01, &K10,
|
|
527
|
+
&K11)) {
|
|
528
|
+
return 0;
|
|
529
|
+
}
|
|
530
|
+
|
|
531
|
+
// Compute cb, ub, and ub for the two proofs. In each of these products, only
|
|
532
|
+
// one operand is in Montgomery form, so the product does not need to be
|
|
533
|
+
// converted.
|
|
534
|
+
|
|
535
|
+
EC_SCALAR cs_mont;
|
|
536
|
+
ec_scalar_to_montgomery(group, &cs_mont, &cs);
|
|
537
|
+
|
|
538
|
+
// us = ks0 + cs*xs
|
|
539
|
+
EC_SCALAR us, vs;
|
|
540
|
+
ec_scalar_mul_montgomery(group, &us, &priv->xs, &cs_mont);
|
|
541
|
+
ec_scalar_add(group, &us, &ks0, &us);
|
|
542
|
+
|
|
543
|
+
// vs = ks1 + cs*ys
|
|
544
|
+
ec_scalar_mul_montgomery(group, &vs, &priv->ys, &cs_mont);
|
|
545
|
+
ec_scalar_add(group, &vs, &ks1, &vs);
|
|
546
|
+
|
|
547
|
+
// Store DLEQ2 proof in transcript.
|
|
548
|
+
if (!scalar_to_cbb(cbb, group, &cs) ||
|
|
549
|
+
!scalar_to_cbb(cbb, group, &us) ||
|
|
550
|
+
!scalar_to_cbb(cbb, group, &vs)) {
|
|
551
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
552
|
+
return 0;
|
|
553
|
+
}
|
|
554
|
+
|
|
555
|
+
// cb = c - co
|
|
556
|
+
EC_SCALAR cb, ub, vb;
|
|
557
|
+
ec_scalar_add(group, &cb, &c, &minus_co);
|
|
558
|
+
|
|
559
|
+
EC_SCALAR cb_mont;
|
|
560
|
+
ec_scalar_to_montgomery(group, &cb_mont, &cb);
|
|
561
|
+
|
|
562
|
+
// ub = k0 + cb*xb
|
|
563
|
+
ec_scalar_mul_montgomery(group, &ub, &xb, &cb_mont);
|
|
564
|
+
ec_scalar_add(group, &ub, &k0, &ub);
|
|
565
|
+
|
|
566
|
+
// vb = k1 + cb*yb
|
|
567
|
+
ec_scalar_mul_montgomery(group, &vb, &yb, &cb_mont);
|
|
568
|
+
ec_scalar_add(group, &vb, &k1, &vb);
|
|
569
|
+
|
|
570
|
+
// Select c, u, v in constant-time.
|
|
571
|
+
EC_SCALAR co, c0, c1, u0, u1, v0, v1;
|
|
572
|
+
ec_scalar_neg(group, &co, &minus_co);
|
|
573
|
+
ec_scalar_select(group, &c0, mask, &co, &cb);
|
|
574
|
+
ec_scalar_select(group, &u0, mask, &uo, &ub);
|
|
575
|
+
ec_scalar_select(group, &v0, mask, &vo, &vb);
|
|
576
|
+
ec_scalar_select(group, &c1, mask, &cb, &co);
|
|
577
|
+
ec_scalar_select(group, &u1, mask, &ub, &uo);
|
|
578
|
+
ec_scalar_select(group, &v1, mask, &vb, &vo);
|
|
579
|
+
|
|
580
|
+
// Store DLEQOR2 proof in transcript.
|
|
581
|
+
if (!scalar_to_cbb(cbb, group, &c0) ||
|
|
582
|
+
!scalar_to_cbb(cbb, group, &c1) ||
|
|
583
|
+
!scalar_to_cbb(cbb, group, &u0) ||
|
|
584
|
+
!scalar_to_cbb(cbb, group, &u1) ||
|
|
585
|
+
!scalar_to_cbb(cbb, group, &v0) ||
|
|
586
|
+
!scalar_to_cbb(cbb, group, &v1)) {
|
|
587
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
588
|
+
return 0;
|
|
589
|
+
}
|
|
590
|
+
|
|
591
|
+
return 1;
|
|
592
|
+
}
|
|
593
|
+
|
|
594
|
+
static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs,
|
|
595
|
+
const PMBTOKEN_CLIENT_KEY *pub, const EC_RAW_POINT *T,
|
|
596
|
+
const EC_RAW_POINT *S, const EC_RAW_POINT *W,
|
|
597
|
+
const EC_RAW_POINT *Ws) {
|
|
598
|
+
const EC_GROUP *group = method->group;
|
|
599
|
+
const EC_RAW_POINT *g = &group->generator->raw;
|
|
600
|
+
|
|
601
|
+
// We verify a DLEQ proof for the validity token and a DLEQOR2 proof for the
|
|
602
|
+
// private metadata token. To allow amortizing Jacobian-to-affine conversions,
|
|
603
|
+
// we compute Ki for both proofs first. Additionally, all inputs to this
|
|
604
|
+
// function are public, so we can use the faster variable-time
|
|
605
|
+
// multiplications.
|
|
606
|
+
enum {
|
|
607
|
+
idx_T,
|
|
608
|
+
idx_S,
|
|
609
|
+
idx_W,
|
|
610
|
+
idx_Ws,
|
|
611
|
+
idx_Ks0,
|
|
612
|
+
idx_Ks1,
|
|
613
|
+
idx_K00,
|
|
614
|
+
idx_K01,
|
|
615
|
+
idx_K10,
|
|
616
|
+
idx_K11,
|
|
617
|
+
num_idx,
|
|
618
|
+
};
|
|
619
|
+
EC_RAW_POINT jacobians[num_idx];
|
|
620
|
+
|
|
621
|
+
// Decode the DLEQ proof.
|
|
622
|
+
EC_SCALAR cs, us, vs;
|
|
623
|
+
if (!scalar_from_cbs(cbs, group, &cs) ||
|
|
624
|
+
!scalar_from_cbs(cbs, group, &us) ||
|
|
625
|
+
!scalar_from_cbs(cbs, group, &vs)) {
|
|
626
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
|
|
627
|
+
return 0;
|
|
628
|
+
}
|
|
629
|
+
|
|
630
|
+
// Ks = us*(G;T) + vs*(H;S) - cs*(pubs;Ws)
|
|
631
|
+
EC_RAW_POINT pubs;
|
|
632
|
+
ec_affine_to_jacobian(group, &pubs, &pub->pubs);
|
|
633
|
+
EC_SCALAR minus_cs;
|
|
634
|
+
ec_scalar_neg(group, &minus_cs, &cs);
|
|
635
|
+
if (!mul_public_3(group, &jacobians[idx_Ks0], g, &us, &method->h, &vs, &pubs,
|
|
636
|
+
&minus_cs) ||
|
|
637
|
+
!mul_public_3(group, &jacobians[idx_Ks1], T, &us, S, &vs, Ws,
|
|
638
|
+
&minus_cs)) {
|
|
639
|
+
return 0;
|
|
640
|
+
}
|
|
641
|
+
|
|
642
|
+
// Decode the DLEQOR proof.
|
|
643
|
+
EC_SCALAR c0, c1, u0, u1, v0, v1;
|
|
644
|
+
if (!scalar_from_cbs(cbs, group, &c0) ||
|
|
645
|
+
!scalar_from_cbs(cbs, group, &c1) ||
|
|
646
|
+
!scalar_from_cbs(cbs, group, &u0) ||
|
|
647
|
+
!scalar_from_cbs(cbs, group, &u1) ||
|
|
648
|
+
!scalar_from_cbs(cbs, group, &v0) ||
|
|
649
|
+
!scalar_from_cbs(cbs, group, &v1)) {
|
|
650
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
|
|
651
|
+
return 0;
|
|
652
|
+
}
|
|
653
|
+
|
|
654
|
+
EC_RAW_POINT pub0, pub1;
|
|
655
|
+
ec_affine_to_jacobian(group, &pub0, &pub->pub0);
|
|
656
|
+
ec_affine_to_jacobian(group, &pub1, &pub->pub1);
|
|
657
|
+
EC_SCALAR minus_c0, minus_c1;
|
|
658
|
+
ec_scalar_neg(group, &minus_c0, &c0);
|
|
659
|
+
ec_scalar_neg(group, &minus_c1, &c1);
|
|
660
|
+
if (// K0 = u0*(G;T) + v0*(H;S) - c0*(pub0;W)
|
|
661
|
+
!mul_public_3(group, &jacobians[idx_K00], g, &u0, &method->h, &v0, &pub0,
|
|
662
|
+
&minus_c0) ||
|
|
663
|
+
!mul_public_3(group, &jacobians[idx_K01], T, &u0, S, &v0, W, &minus_c0) ||
|
|
664
|
+
// K1 = u1*(G;T) + v1*(H;S) - c1*(pub1;W)
|
|
665
|
+
!mul_public_3(group, &jacobians[idx_K10], g, &u1, &method->h, &v1, &pub1,
|
|
666
|
+
&minus_c1) ||
|
|
667
|
+
!mul_public_3(group, &jacobians[idx_K11], T, &u1, S, &v1, W, &minus_c1)) {
|
|
668
|
+
return 0;
|
|
669
|
+
}
|
|
670
|
+
|
|
671
|
+
EC_AFFINE affines[num_idx];
|
|
672
|
+
jacobians[idx_T] = *T;
|
|
673
|
+
jacobians[idx_S] = *S;
|
|
674
|
+
jacobians[idx_W] = *W;
|
|
675
|
+
jacobians[idx_Ws] = *Ws;
|
|
676
|
+
if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) {
|
|
677
|
+
return 0;
|
|
678
|
+
}
|
|
679
|
+
|
|
680
|
+
// Check the DLEQ proof.
|
|
681
|
+
EC_SCALAR calculated;
|
|
682
|
+
if (!hash_c_dleq(method, &calculated, &pub->pubs, &affines[idx_T],
|
|
683
|
+
&affines[idx_S], &affines[idx_Ws], &affines[idx_Ks0],
|
|
684
|
+
&affines[idx_Ks1])) {
|
|
685
|
+
return 0;
|
|
686
|
+
}
|
|
687
|
+
|
|
688
|
+
// cs == calculated
|
|
689
|
+
if (!ec_scalar_equal_vartime(group, &cs, &calculated)) {
|
|
690
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_PROOF);
|
|
691
|
+
return 0;
|
|
692
|
+
}
|
|
693
|
+
|
|
694
|
+
// Check the DLEQOR proof.
|
|
695
|
+
if (!hash_c_dleqor(method, &calculated, &pub->pub0, &pub->pub1,
|
|
696
|
+
&affines[idx_T], &affines[idx_S], &affines[idx_W],
|
|
697
|
+
&affines[idx_K00], &affines[idx_K01], &affines[idx_K10],
|
|
698
|
+
&affines[idx_K11])) {
|
|
699
|
+
return 0;
|
|
700
|
+
}
|
|
701
|
+
|
|
702
|
+
// c0 + c1 == calculated
|
|
703
|
+
EC_SCALAR c;
|
|
704
|
+
ec_scalar_add(group, &c, &c0, &c1);
|
|
705
|
+
if (!ec_scalar_equal_vartime(group, &c, &calculated)) {
|
|
706
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_PROOF);
|
|
707
|
+
return 0;
|
|
708
|
+
}
|
|
709
|
+
|
|
710
|
+
return 1;
|
|
711
|
+
}
|
|
712
|
+
|
|
713
|
+
static int pmbtoken_sign(const PMBTOKEN_METHOD *method,
|
|
714
|
+
const PMBTOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
|
|
715
|
+
size_t num_requested, size_t num_to_issue,
|
|
716
|
+
uint8_t private_metadata) {
|
|
717
|
+
const EC_GROUP *group = method->group;
|
|
718
|
+
if (num_requested < num_to_issue) {
|
|
719
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);
|
|
720
|
+
return 0;
|
|
721
|
+
}
|
|
722
|
+
|
|
723
|
+
if (num_to_issue > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
|
|
724
|
+
num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) {
|
|
725
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
|
|
726
|
+
return 0;
|
|
727
|
+
}
|
|
728
|
+
|
|
729
|
+
int ret = 0;
|
|
730
|
+
EC_RAW_POINT *Tps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
|
|
731
|
+
EC_RAW_POINT *Sps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
|
|
732
|
+
EC_RAW_POINT *Wps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
|
|
733
|
+
EC_RAW_POINT *Wsps = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT));
|
|
734
|
+
EC_SCALAR *es = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR));
|
|
735
|
+
CBB batch_cbb;
|
|
736
|
+
CBB_zero(&batch_cbb);
|
|
737
|
+
if (!Tps ||
|
|
738
|
+
!Sps ||
|
|
739
|
+
!Wps ||
|
|
740
|
+
!Wsps ||
|
|
741
|
+
!es ||
|
|
742
|
+
!CBB_init(&batch_cbb, 0) ||
|
|
743
|
+
!point_to_cbb(&batch_cbb, method->group, &key->pubs) ||
|
|
744
|
+
!point_to_cbb(&batch_cbb, method->group, &key->pub0) ||
|
|
745
|
+
!point_to_cbb(&batch_cbb, method->group, &key->pub1)) {
|
|
746
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
747
|
+
goto err;
|
|
748
|
+
}
|
|
749
|
+
|
|
750
|
+
for (size_t i = 0; i < num_to_issue; i++) {
|
|
751
|
+
EC_AFFINE Tp_affine;
|
|
752
|
+
EC_RAW_POINT Tp;
|
|
753
|
+
if (!cbs_get_prefixed_point(cbs, group, &Tp_affine)) {
|
|
754
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
|
|
755
|
+
goto err;
|
|
756
|
+
}
|
|
757
|
+
ec_affine_to_jacobian(group, &Tp, &Tp_affine);
|
|
758
|
+
|
|
759
|
+
EC_SCALAR xb, yb;
|
|
760
|
+
BN_ULONG mask = ((BN_ULONG)0) - (private_metadata & 1);
|
|
761
|
+
ec_scalar_select(group, &xb, mask, &key->x1, &key->x0);
|
|
762
|
+
ec_scalar_select(group, &yb, mask, &key->y1, &key->y0);
|
|
763
|
+
|
|
764
|
+
uint8_t s[PMBTOKEN_NONCE_SIZE];
|
|
765
|
+
RAND_bytes(s, PMBTOKEN_NONCE_SIZE);
|
|
766
|
+
// The |jacobians| and |affines| contain Sp, Wp, and Wsp.
|
|
767
|
+
EC_RAW_POINT jacobians[3];
|
|
768
|
+
EC_AFFINE affines[3];
|
|
769
|
+
CBB child;
|
|
770
|
+
if (!method->hash_s(group, &jacobians[0], &Tp_affine, s) ||
|
|
771
|
+
!ec_point_mul_scalar_batch(group, &jacobians[1], &Tp, &xb,
|
|
772
|
+
&jacobians[0], &yb, NULL, NULL) ||
|
|
773
|
+
!ec_point_mul_scalar_batch(group, &jacobians[2], &Tp, &key->xs,
|
|
774
|
+
&jacobians[0], &key->ys, NULL, NULL) ||
|
|
775
|
+
!ec_jacobian_to_affine_batch(group, affines, jacobians, 3) ||
|
|
776
|
+
!CBB_add_bytes(cbb, s, PMBTOKEN_NONCE_SIZE) ||
|
|
777
|
+
// TODO(https://crbug.com/boringssl/331): When updating the key format,
|
|
778
|
+
// remove the redundant length prefixes.
|
|
779
|
+
!CBB_add_u16_length_prefixed(cbb, &child) ||
|
|
780
|
+
!point_to_cbb(&child, group, &affines[1]) ||
|
|
781
|
+
!CBB_add_u16_length_prefixed(cbb, &child) ||
|
|
782
|
+
!point_to_cbb(&child, group, &affines[2])) {
|
|
783
|
+
goto err;
|
|
784
|
+
}
|
|
785
|
+
|
|
786
|
+
if (!point_to_cbb(&batch_cbb, group, &Tp_affine) ||
|
|
787
|
+
!point_to_cbb(&batch_cbb, group, &affines[0]) ||
|
|
788
|
+
!point_to_cbb(&batch_cbb, group, &affines[1]) ||
|
|
789
|
+
!point_to_cbb(&batch_cbb, group, &affines[2])) {
|
|
790
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
791
|
+
goto err;
|
|
792
|
+
}
|
|
793
|
+
Tps[i] = Tp;
|
|
794
|
+
Sps[i] = jacobians[0];
|
|
795
|
+
Wps[i] = jacobians[1];
|
|
796
|
+
Wsps[i] = jacobians[2];
|
|
797
|
+
|
|
798
|
+
if (!CBB_flush(cbb)) {
|
|
799
|
+
goto err;
|
|
800
|
+
}
|
|
801
|
+
}
|
|
802
|
+
|
|
803
|
+
// The DLEQ batching construction is described in appendix B of
|
|
804
|
+
// https://eprint.iacr.org/2020/072/20200324:214215. Note the additional
|
|
805
|
+
// computations all act on public inputs.
|
|
806
|
+
for (size_t i = 0; i < num_to_issue; i++) {
|
|
807
|
+
if (!hash_c_batch(method, &es[i], &batch_cbb, i)) {
|
|
808
|
+
goto err;
|
|
809
|
+
}
|
|
810
|
+
}
|
|
811
|
+
|
|
812
|
+
EC_RAW_POINT Tp_batch, Sp_batch, Wp_batch, Wsp_batch;
|
|
813
|
+
if (!ec_point_mul_scalar_public_batch(group, &Tp_batch,
|
|
814
|
+
/*g_scalar=*/NULL, Tps, es,
|
|
815
|
+
num_to_issue) ||
|
|
816
|
+
!ec_point_mul_scalar_public_batch(group, &Sp_batch,
|
|
817
|
+
/*g_scalar=*/NULL, Sps, es,
|
|
818
|
+
num_to_issue) ||
|
|
819
|
+
!ec_point_mul_scalar_public_batch(group, &Wp_batch,
|
|
820
|
+
/*g_scalar=*/NULL, Wps, es,
|
|
821
|
+
num_to_issue) ||
|
|
822
|
+
!ec_point_mul_scalar_public_batch(group, &Wsp_batch,
|
|
823
|
+
/*g_scalar=*/NULL, Wsps, es,
|
|
824
|
+
num_to_issue)) {
|
|
825
|
+
goto err;
|
|
826
|
+
}
|
|
827
|
+
|
|
828
|
+
CBB proof;
|
|
829
|
+
if (!CBB_add_u16_length_prefixed(cbb, &proof) ||
|
|
830
|
+
!dleq_generate(method, &proof, key, &Tp_batch, &Sp_batch, &Wp_batch,
|
|
831
|
+
&Wsp_batch, private_metadata) ||
|
|
832
|
+
!CBB_flush(cbb)) {
|
|
833
|
+
goto err;
|
|
834
|
+
}
|
|
835
|
+
|
|
836
|
+
// Skip over any unused requests.
|
|
837
|
+
size_t point_len = 1 + 2 * BN_num_bytes(&group->field);
|
|
838
|
+
if (!CBS_skip(cbs, (2 + point_len) * (num_requested - num_to_issue))) {
|
|
839
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
|
|
840
|
+
goto err;
|
|
841
|
+
}
|
|
842
|
+
|
|
843
|
+
ret = 1;
|
|
844
|
+
|
|
845
|
+
err:
|
|
846
|
+
OPENSSL_free(Tps);
|
|
847
|
+
OPENSSL_free(Sps);
|
|
848
|
+
OPENSSL_free(Wps);
|
|
849
|
+
OPENSSL_free(Wsps);
|
|
850
|
+
OPENSSL_free(es);
|
|
851
|
+
CBB_cleanup(&batch_cbb);
|
|
852
|
+
return ret;
|
|
853
|
+
}
|
|
854
|
+
|
|
855
|
+
static STACK_OF(TRUST_TOKEN) *
|
|
856
|
+
pmbtoken_unblind(const PMBTOKEN_METHOD *method,
|
|
857
|
+
const PMBTOKEN_CLIENT_KEY *key,
|
|
858
|
+
const STACK_OF(PMBTOKEN_PRETOKEN) * pretokens, CBS *cbs,
|
|
859
|
+
size_t count, uint32_t key_id) {
|
|
860
|
+
const EC_GROUP *group = method->group;
|
|
861
|
+
if (count > sk_PMBTOKEN_PRETOKEN_num(pretokens)) {
|
|
862
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
|
|
863
|
+
return NULL;
|
|
864
|
+
}
|
|
865
|
+
|
|
866
|
+
int ok = 0;
|
|
867
|
+
STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null();
|
|
868
|
+
if (ret == NULL) {
|
|
869
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
870
|
+
return NULL;
|
|
871
|
+
}
|
|
872
|
+
|
|
873
|
+
if (count > ((size_t)-1) / sizeof(EC_RAW_POINT) ||
|
|
874
|
+
count > ((size_t)-1) / sizeof(EC_SCALAR)) {
|
|
875
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
|
|
876
|
+
return 0;
|
|
877
|
+
}
|
|
878
|
+
EC_RAW_POINT *Tps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
|
|
879
|
+
EC_RAW_POINT *Sps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
|
|
880
|
+
EC_RAW_POINT *Wps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
|
|
881
|
+
EC_RAW_POINT *Wsps = OPENSSL_malloc(count * sizeof(EC_RAW_POINT));
|
|
882
|
+
EC_SCALAR *es = OPENSSL_malloc(count * sizeof(EC_SCALAR));
|
|
883
|
+
CBB batch_cbb;
|
|
884
|
+
CBB_zero(&batch_cbb);
|
|
885
|
+
if (!Tps ||
|
|
886
|
+
!Sps ||
|
|
887
|
+
!Wps ||
|
|
888
|
+
!Wsps ||
|
|
889
|
+
!es ||
|
|
890
|
+
!CBB_init(&batch_cbb, 0) ||
|
|
891
|
+
!point_to_cbb(&batch_cbb, method->group, &key->pubs) ||
|
|
892
|
+
!point_to_cbb(&batch_cbb, method->group, &key->pub0) ||
|
|
893
|
+
!point_to_cbb(&batch_cbb, method->group, &key->pub1)) {
|
|
894
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
895
|
+
goto err;
|
|
896
|
+
}
|
|
897
|
+
|
|
898
|
+
for (size_t i = 0; i < count; i++) {
|
|
899
|
+
const PMBTOKEN_PRETOKEN *pretoken =
|
|
900
|
+
sk_PMBTOKEN_PRETOKEN_value(pretokens, i);
|
|
901
|
+
|
|
902
|
+
uint8_t s[PMBTOKEN_NONCE_SIZE];
|
|
903
|
+
EC_AFFINE Wp_affine, Wsp_affine;
|
|
904
|
+
if (!CBS_copy_bytes(cbs, s, PMBTOKEN_NONCE_SIZE) ||
|
|
905
|
+
!cbs_get_prefixed_point(cbs, group, &Wp_affine) ||
|
|
906
|
+
!cbs_get_prefixed_point(cbs, group, &Wsp_affine)) {
|
|
907
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);
|
|
908
|
+
goto err;
|
|
909
|
+
}
|
|
910
|
+
|
|
911
|
+
ec_affine_to_jacobian(group, &Tps[i], &pretoken->Tp);
|
|
912
|
+
ec_affine_to_jacobian(group, &Wps[i], &Wp_affine);
|
|
913
|
+
ec_affine_to_jacobian(group, &Wsps[i], &Wsp_affine);
|
|
914
|
+
if (!method->hash_s(group, &Sps[i], &pretoken->Tp, s)) {
|
|
915
|
+
goto err;
|
|
916
|
+
}
|
|
917
|
+
|
|
918
|
+
EC_AFFINE Sp_affine;
|
|
919
|
+
if (!point_to_cbb(&batch_cbb, group, &pretoken->Tp) ||
|
|
920
|
+
!ec_jacobian_to_affine(group, &Sp_affine, &Sps[i]) ||
|
|
921
|
+
!point_to_cbb(&batch_cbb, group, &Sp_affine) ||
|
|
922
|
+
!point_to_cbb(&batch_cbb, group, &Wp_affine) ||
|
|
923
|
+
!point_to_cbb(&batch_cbb, group, &Wsp_affine)) {
|
|
924
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
925
|
+
goto err;
|
|
926
|
+
}
|
|
927
|
+
|
|
928
|
+
// Unblind the token.
|
|
929
|
+
EC_RAW_POINT jacobians[3];
|
|
930
|
+
EC_AFFINE affines[3];
|
|
931
|
+
if (!ec_point_mul_scalar(group, &jacobians[0], &Sps[i], &pretoken->r) ||
|
|
932
|
+
!ec_point_mul_scalar(group, &jacobians[1], &Wps[i], &pretoken->r) ||
|
|
933
|
+
!ec_point_mul_scalar(group, &jacobians[2], &Wsps[i], &pretoken->r) ||
|
|
934
|
+
!ec_jacobian_to_affine_batch(group, affines, jacobians, 3)) {
|
|
935
|
+
goto err;
|
|
936
|
+
}
|
|
937
|
+
|
|
938
|
+
// Serialize the token. Include |key_id| to avoid an extra copy in the layer
|
|
939
|
+
// above.
|
|
940
|
+
CBB token_cbb, child;
|
|
941
|
+
size_t point_len = 1 + 2 * BN_num_bytes(&group->field);
|
|
942
|
+
if (!CBB_init(&token_cbb, 4 + PMBTOKEN_NONCE_SIZE + 3 * (2 + point_len)) ||
|
|
943
|
+
!CBB_add_u32(&token_cbb, key_id) ||
|
|
944
|
+
!CBB_add_bytes(&token_cbb, pretoken->t, PMBTOKEN_NONCE_SIZE) ||
|
|
945
|
+
// TODO(https://crbug.com/boringssl/331): When updating the key format,
|
|
946
|
+
// remove the redundant length prefixes.
|
|
947
|
+
!CBB_add_u16_length_prefixed(&token_cbb, &child) ||
|
|
948
|
+
!point_to_cbb(&child, group, &affines[0]) ||
|
|
949
|
+
!CBB_add_u16_length_prefixed(&token_cbb, &child) ||
|
|
950
|
+
!point_to_cbb(&child, group, &affines[1]) ||
|
|
951
|
+
!CBB_add_u16_length_prefixed(&token_cbb, &child) ||
|
|
952
|
+
!point_to_cbb(&child, group, &affines[2]) ||
|
|
953
|
+
!CBB_flush(&token_cbb)) {
|
|
954
|
+
CBB_cleanup(&token_cbb);
|
|
955
|
+
goto err;
|
|
956
|
+
}
|
|
957
|
+
|
|
958
|
+
TRUST_TOKEN *token =
|
|
959
|
+
TRUST_TOKEN_new(CBB_data(&token_cbb), CBB_len(&token_cbb));
|
|
960
|
+
CBB_cleanup(&token_cbb);
|
|
961
|
+
if (token == NULL ||
|
|
962
|
+
!sk_TRUST_TOKEN_push(ret, token)) {
|
|
963
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
964
|
+
TRUST_TOKEN_free(token);
|
|
965
|
+
goto err;
|
|
966
|
+
}
|
|
967
|
+
}
|
|
968
|
+
|
|
969
|
+
// The DLEQ batching construction is described in appendix B of
|
|
970
|
+
// https://eprint.iacr.org/2020/072/20200324:214215. Note the additional
|
|
971
|
+
// computations all act on public inputs.
|
|
972
|
+
for (size_t i = 0; i < count; i++) {
|
|
973
|
+
if (!hash_c_batch(method, &es[i], &batch_cbb, i)) {
|
|
974
|
+
goto err;
|
|
975
|
+
}
|
|
976
|
+
}
|
|
977
|
+
|
|
978
|
+
EC_RAW_POINT Tp_batch, Sp_batch, Wp_batch, Wsp_batch;
|
|
979
|
+
if (!ec_point_mul_scalar_public_batch(group, &Tp_batch,
|
|
980
|
+
/*g_scalar=*/NULL, Tps, es, count) ||
|
|
981
|
+
!ec_point_mul_scalar_public_batch(group, &Sp_batch,
|
|
982
|
+
/*g_scalar=*/NULL, Sps, es, count) ||
|
|
983
|
+
!ec_point_mul_scalar_public_batch(group, &Wp_batch,
|
|
984
|
+
/*g_scalar=*/NULL, Wps, es, count) ||
|
|
985
|
+
!ec_point_mul_scalar_public_batch(group, &Wsp_batch,
|
|
986
|
+
/*g_scalar=*/NULL, Wsps, es, count)) {
|
|
987
|
+
goto err;
|
|
988
|
+
}
|
|
989
|
+
|
|
990
|
+
CBS proof;
|
|
991
|
+
if (!CBS_get_u16_length_prefixed(cbs, &proof) ||
|
|
992
|
+
!dleq_verify(method, &proof, key, &Tp_batch, &Sp_batch, &Wp_batch,
|
|
993
|
+
&Wsp_batch) ||
|
|
994
|
+
CBS_len(&proof) != 0) {
|
|
995
|
+
goto err;
|
|
996
|
+
}
|
|
997
|
+
|
|
998
|
+
ok = 1;
|
|
999
|
+
|
|
1000
|
+
err:
|
|
1001
|
+
OPENSSL_free(Tps);
|
|
1002
|
+
OPENSSL_free(Sps);
|
|
1003
|
+
OPENSSL_free(Wps);
|
|
1004
|
+
OPENSSL_free(Wsps);
|
|
1005
|
+
OPENSSL_free(es);
|
|
1006
|
+
CBB_cleanup(&batch_cbb);
|
|
1007
|
+
if (!ok) {
|
|
1008
|
+
sk_TRUST_TOKEN_pop_free(ret, TRUST_TOKEN_free);
|
|
1009
|
+
ret = NULL;
|
|
1010
|
+
}
|
|
1011
|
+
return ret;
|
|
1012
|
+
}
|
|
1013
|
+
|
|
1014
|
+
static int pmbtoken_read(const PMBTOKEN_METHOD *method,
|
|
1015
|
+
const PMBTOKEN_ISSUER_KEY *key,
|
|
1016
|
+
uint8_t out_nonce[PMBTOKEN_NONCE_SIZE],
|
|
1017
|
+
uint8_t *out_private_metadata, const uint8_t *token,
|
|
1018
|
+
size_t token_len) {
|
|
1019
|
+
const EC_GROUP *group = method->group;
|
|
1020
|
+
CBS cbs;
|
|
1021
|
+
CBS_init(&cbs, token, token_len);
|
|
1022
|
+
EC_AFFINE S, W, Ws;
|
|
1023
|
+
if (!CBS_copy_bytes(&cbs, out_nonce, PMBTOKEN_NONCE_SIZE) ||
|
|
1024
|
+
!cbs_get_prefixed_point(&cbs, group, &S) ||
|
|
1025
|
+
!cbs_get_prefixed_point(&cbs, group, &W) ||
|
|
1026
|
+
!cbs_get_prefixed_point(&cbs, group, &Ws) ||
|
|
1027
|
+
CBS_len(&cbs) != 0) {
|
|
1028
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_TOKEN);
|
|
1029
|
+
return 0;
|
|
1030
|
+
}
|
|
1031
|
+
|
|
1032
|
+
|
|
1033
|
+
EC_RAW_POINT T;
|
|
1034
|
+
if (!method->hash_t(group, &T, out_nonce)) {
|
|
1035
|
+
return 0;
|
|
1036
|
+
}
|
|
1037
|
+
|
|
1038
|
+
// We perform three multiplications with S and T. This is enough that it is
|
|
1039
|
+
// worth using |ec_point_mul_scalar_precomp|.
|
|
1040
|
+
EC_RAW_POINT S_jacobian;
|
|
1041
|
+
EC_PRECOMP S_precomp, T_precomp;
|
|
1042
|
+
ec_affine_to_jacobian(group, &S_jacobian, &S);
|
|
1043
|
+
if (!ec_init_precomp(group, &S_precomp, &S_jacobian) ||
|
|
1044
|
+
!ec_init_precomp(group, &T_precomp, &T)) {
|
|
1045
|
+
return 0;
|
|
1046
|
+
}
|
|
1047
|
+
|
|
1048
|
+
EC_RAW_POINT Ws_calculated;
|
|
1049
|
+
// Check the validity of the token.
|
|
1050
|
+
if (!ec_point_mul_scalar_precomp(group, &Ws_calculated, &T_precomp, &key->xs,
|
|
1051
|
+
&S_precomp, &key->ys, NULL, NULL) ||
|
|
1052
|
+
!ec_affine_jacobian_equal(group, &Ws, &Ws_calculated)) {
|
|
1053
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BAD_VALIDITY_CHECK);
|
|
1054
|
+
return 0;
|
|
1055
|
+
}
|
|
1056
|
+
|
|
1057
|
+
EC_RAW_POINT W0, W1;
|
|
1058
|
+
if (!ec_point_mul_scalar_precomp(group, &W0, &T_precomp, &key->x0, &S_precomp,
|
|
1059
|
+
&key->y0, NULL, NULL) ||
|
|
1060
|
+
!ec_point_mul_scalar_precomp(group, &W1, &T_precomp, &key->x1, &S_precomp,
|
|
1061
|
+
&key->y1, NULL, NULL)) {
|
|
1062
|
+
return 0;
|
|
1063
|
+
}
|
|
1064
|
+
|
|
1065
|
+
const int is_W0 = ec_affine_jacobian_equal(group, &W, &W0);
|
|
1066
|
+
const int is_W1 = ec_affine_jacobian_equal(group, &W, &W1);
|
|
1067
|
+
const int is_valid = is_W0 ^ is_W1;
|
|
1068
|
+
if (!is_valid) {
|
|
1069
|
+
// Invalid tokens will fail the validity check above.
|
|
1070
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);
|
|
1071
|
+
return 0;
|
|
1072
|
+
}
|
|
1073
|
+
|
|
1074
|
+
*out_private_metadata = is_W1;
|
|
1075
|
+
return 1;
|
|
1076
|
+
}
|
|
1077
|
+
|
|
1078
|
+
|
|
1079
|
+
// PMBTokens experiment v1.
|
|
1080
|
+
|
|
1081
|
+
static int pmbtoken_exp1_hash_t(const EC_GROUP *group, EC_RAW_POINT *out,
|
|
1082
|
+
const uint8_t t[PMBTOKEN_NONCE_SIZE]) {
|
|
1083
|
+
const uint8_t kHashTLabel[] = "PMBTokens Experiment V1 HashT";
|
|
1084
|
+
return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
|
|
1085
|
+
group, out, kHashTLabel, sizeof(kHashTLabel), t, PMBTOKEN_NONCE_SIZE);
|
|
1086
|
+
}
|
|
1087
|
+
|
|
1088
|
+
static int pmbtoken_exp1_hash_s(const EC_GROUP *group, EC_RAW_POINT *out,
|
|
1089
|
+
const EC_AFFINE *t,
|
|
1090
|
+
const uint8_t s[PMBTOKEN_NONCE_SIZE]) {
|
|
1091
|
+
const uint8_t kHashSLabel[] = "PMBTokens Experiment V1 HashS";
|
|
1092
|
+
int ret = 0;
|
|
1093
|
+
CBB cbb;
|
|
1094
|
+
uint8_t *buf = NULL;
|
|
1095
|
+
size_t len;
|
|
1096
|
+
if (!CBB_init(&cbb, 0) ||
|
|
1097
|
+
!point_to_cbb(&cbb, group, t) ||
|
|
1098
|
+
!CBB_add_bytes(&cbb, s, PMBTOKEN_NONCE_SIZE) ||
|
|
1099
|
+
!CBB_finish(&cbb, &buf, &len) ||
|
|
1100
|
+
!ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(
|
|
1101
|
+
group, out, kHashSLabel, sizeof(kHashSLabel), buf, len)) {
|
|
1102
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
|
|
1103
|
+
goto err;
|
|
1104
|
+
}
|
|
1105
|
+
|
|
1106
|
+
ret = 1;
|
|
1107
|
+
|
|
1108
|
+
err:
|
|
1109
|
+
OPENSSL_free(buf);
|
|
1110
|
+
CBB_cleanup(&cbb);
|
|
1111
|
+
return ret;
|
|
1112
|
+
}
|
|
1113
|
+
|
|
1114
|
+
static int pmbtoken_exp1_hash_c(const EC_GROUP *group, EC_SCALAR *out,
|
|
1115
|
+
uint8_t *buf, size_t len) {
|
|
1116
|
+
const uint8_t kHashCLabel[] = "PMBTokens Experiment V1 HashC";
|
|
1117
|
+
return ec_hash_to_scalar_p384_xmd_sha512_draft07(
|
|
1118
|
+
group, out, kHashCLabel, sizeof(kHashCLabel), buf, len);
|
|
1119
|
+
}
|
|
1120
|
+
|
|
1121
|
+
static int pmbtoken_exp1_ok = 0;
|
|
1122
|
+
static PMBTOKEN_METHOD pmbtoken_exp1_method;
|
|
1123
|
+
static CRYPTO_once_t pmbtoken_exp1_method_once = CRYPTO_ONCE_INIT;
|
|
1124
|
+
|
|
1125
|
+
static void pmbtoken_exp1_init_method_impl(void) {
|
|
1126
|
+
// This is the output of |ec_hash_to_scalar_p384_xmd_sha512_draft07| with DST
|
|
1127
|
+
// "PMBTokens Experiment V1 HashH" and message "generator".
|
|
1128
|
+
static const uint8_t kH[] = {
|
|
1129
|
+
0x04, 0x82, 0xd5, 0x68, 0xf5, 0x39, 0xf6, 0x08, 0x19, 0xa1, 0x75,
|
|
1130
|
+
0x9f, 0x98, 0xb5, 0x10, 0xf5, 0x0b, 0x9d, 0x2b, 0xe1, 0x64, 0x4d,
|
|
1131
|
+
0x02, 0x76, 0x18, 0x11, 0xf8, 0x2f, 0xd3, 0x33, 0x25, 0x1f, 0x2c,
|
|
1132
|
+
0xb8, 0xf6, 0xf1, 0x9e, 0x93, 0x85, 0x79, 0xb3, 0xb7, 0x81, 0xa3,
|
|
1133
|
+
0xe6, 0x23, 0xc3, 0x1c, 0xff, 0x03, 0xd9, 0x40, 0x6c, 0xec, 0xe0,
|
|
1134
|
+
0x4d, 0xea, 0xdf, 0x9d, 0x94, 0xd1, 0x87, 0xab, 0x27, 0xf7, 0x4f,
|
|
1135
|
+
0x53, 0xea, 0xa3, 0x18, 0x72, 0xb9, 0xd1, 0x56, 0xa0, 0x4e, 0x81,
|
|
1136
|
+
0xaa, 0xeb, 0x1c, 0x22, 0x6d, 0x39, 0x1c, 0x5e, 0xb1, 0x27, 0xfc,
|
|
1137
|
+
0x87, 0xc3, 0x95, 0xd0, 0x13, 0xb7, 0x0b, 0x5c, 0xc7,
|
|
1138
|
+
};
|
|
1139
|
+
|
|
1140
|
+
pmbtoken_exp1_ok =
|
|
1141
|
+
pmbtoken_init_method(&pmbtoken_exp1_method, NID_secp384r1, kH, sizeof(kH),
|
|
1142
|
+
pmbtoken_exp1_hash_t, pmbtoken_exp1_hash_s,
|
|
1143
|
+
pmbtoken_exp1_hash_c);
|
|
1144
|
+
}
|
|
1145
|
+
|
|
1146
|
+
static int pmbtoken_exp1_init_method(void) {
|
|
1147
|
+
CRYPTO_once(&pmbtoken_exp1_method_once, pmbtoken_exp1_init_method_impl);
|
|
1148
|
+
if (!pmbtoken_exp1_ok) {
|
|
1149
|
+
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);
|
|
1150
|
+
return 0;
|
|
1151
|
+
}
|
|
1152
|
+
return 1;
|
|
1153
|
+
}
|
|
1154
|
+
|
|
1155
|
+
int pmbtoken_exp1_generate_key(CBB *out_private, CBB *out_public) {
|
|
1156
|
+
if (!pmbtoken_exp1_init_method()) {
|
|
1157
|
+
return 0;
|
|
1158
|
+
}
|
|
1159
|
+
|
|
1160
|
+
return pmbtoken_generate_key(&pmbtoken_exp1_method, out_private, out_public);
|
|
1161
|
+
}
|
|
1162
|
+
|
|
1163
|
+
int pmbtoken_exp1_client_key_from_bytes(PMBTOKEN_CLIENT_KEY *key,
|
|
1164
|
+
const uint8_t *in, size_t len) {
|
|
1165
|
+
if (!pmbtoken_exp1_init_method()) {
|
|
1166
|
+
return 0;
|
|
1167
|
+
}
|
|
1168
|
+
return pmbtoken_client_key_from_bytes(&pmbtoken_exp1_method, key, in, len);
|
|
1169
|
+
}
|
|
1170
|
+
|
|
1171
|
+
int pmbtoken_exp1_issuer_key_from_bytes(PMBTOKEN_ISSUER_KEY *key,
|
|
1172
|
+
const uint8_t *in, size_t len) {
|
|
1173
|
+
if (!pmbtoken_exp1_init_method()) {
|
|
1174
|
+
return 0;
|
|
1175
|
+
}
|
|
1176
|
+
return pmbtoken_issuer_key_from_bytes(&pmbtoken_exp1_method, key, in, len);
|
|
1177
|
+
}
|
|
1178
|
+
|
|
1179
|
+
STACK_OF(PMBTOKEN_PRETOKEN) * pmbtoken_exp1_blind(CBB *cbb, size_t count) {
|
|
1180
|
+
if (!pmbtoken_exp1_init_method()) {
|
|
1181
|
+
return NULL;
|
|
1182
|
+
}
|
|
1183
|
+
return pmbtoken_blind(&pmbtoken_exp1_method, cbb, count);
|
|
1184
|
+
}
|
|
1185
|
+
|
|
1186
|
+
int pmbtoken_exp1_sign(const PMBTOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
|
|
1187
|
+
size_t num_requested, size_t num_to_issue,
|
|
1188
|
+
uint8_t private_metadata) {
|
|
1189
|
+
if (!pmbtoken_exp1_init_method()) {
|
|
1190
|
+
return 0;
|
|
1191
|
+
}
|
|
1192
|
+
return pmbtoken_sign(&pmbtoken_exp1_method, key, cbb, cbs, num_requested,
|
|
1193
|
+
num_to_issue, private_metadata);
|
|
1194
|
+
}
|
|
1195
|
+
|
|
1196
|
+
STACK_OF(TRUST_TOKEN) *
|
|
1197
|
+
pmbtoken_exp1_unblind(const PMBTOKEN_CLIENT_KEY *key,
|
|
1198
|
+
const STACK_OF(PMBTOKEN_PRETOKEN) * pretokens,
|
|
1199
|
+
CBS *cbs, size_t count, uint32_t key_id) {
|
|
1200
|
+
if (!pmbtoken_exp1_init_method()) {
|
|
1201
|
+
return NULL;
|
|
1202
|
+
}
|
|
1203
|
+
return pmbtoken_unblind(&pmbtoken_exp1_method, key, pretokens, cbs, count,
|
|
1204
|
+
key_id);
|
|
1205
|
+
}
|
|
1206
|
+
|
|
1207
|
+
int pmbtoken_exp1_read(const PMBTOKEN_ISSUER_KEY *key,
|
|
1208
|
+
uint8_t out_nonce[PMBTOKEN_NONCE_SIZE],
|
|
1209
|
+
uint8_t *out_private_metadata, const uint8_t *token,
|
|
1210
|
+
size_t token_len) {
|
|
1211
|
+
if (!pmbtoken_exp1_init_method()) {
|
|
1212
|
+
return 0;
|
|
1213
|
+
}
|
|
1214
|
+
return pmbtoken_read(&pmbtoken_exp1_method, key, out_nonce,
|
|
1215
|
+
out_private_metadata, token, token_len);
|
|
1216
|
+
}
|
|
1217
|
+
|
|
1218
|
+
int pmbtoken_exp1_get_h_for_testing(uint8_t out[97]) {
|
|
1219
|
+
if (!pmbtoken_exp1_init_method()) {
|
|
1220
|
+
return 0;
|
|
1221
|
+
}
|
|
1222
|
+
EC_AFFINE h;
|
|
1223
|
+
return ec_jacobian_to_affine(pmbtoken_exp1_method.group, &h,
|
|
1224
|
+
&pmbtoken_exp1_method.h) &&
|
|
1225
|
+
ec_point_to_bytes(pmbtoken_exp1_method.group, &h,
|
|
1226
|
+
POINT_CONVERSION_UNCOMPRESSED, out, 97) == 97;
|
|
1227
|
+
}
|