grpc 1.32.0 → 1.33.0.pre1
- checksums.yaml +4 -4
- data/Makefile +175 -376
- data/include/grpc/grpc.h +0 -5
- data/include/grpc/grpc_security.h +16 -0
- data/include/grpc/impl/codegen/grpc_types.h +0 -5
- data/src/core/ext/filters/client_channel/client_channel.cc +204 -170
- data/src/core/ext/filters/client_channel/config_selector.cc +0 -4
- data/src/core/ext/filters/client_channel/config_selector.h +34 -5
- data/src/core/ext/filters/client_channel/lb_policy.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.cc +48 -35
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.h +7 -5
- data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.cc +3 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +106 -106
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +2 -2
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +3 -3
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +3 -3
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +9 -32
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +3 -3
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +198 -126
- data/src/core/ext/filters/client_channel/lb_policy/xds/eds.cc +439 -249
- data/src/core/ext/filters/client_channel/lb_policy/xds/eds_drop.cc +571 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +727 -0
- data/src/core/ext/filters/client_channel/lb_policy_registry.cc +8 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +553 -358
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.h +28 -0
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +8 -39
- data/src/core/ext/filters/client_channel/resolver_result_parsing.h +4 -2
- data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +44 -43
- data/src/core/ext/filters/client_channel/resolving_lb_policy.h +5 -9
- data/src/core/ext/filters/client_channel/server_address.cc +80 -0
- data/src/core/ext/filters/client_channel/server_address.h +25 -36
- data/src/core/ext/filters/client_channel/service_config.cc +16 -13
- data/src/core/ext/filters/client_channel/service_config.h +7 -4
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +2 -2
- data/src/core/ext/filters/client_channel/service_config_parser.cc +8 -6
- data/src/core/ext/filters/client_channel/service_config_parser.h +8 -5
- data/src/core/ext/filters/client_channel/subchannel_interface.h +44 -0
- data/src/core/ext/filters/message_size/message_size_filter.cc +2 -1
- data/src/core/ext/filters/message_size/message_size_filter.h +2 -1
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +17 -10
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +10 -2
- data/src/core/ext/transport/chttp2/transport/flow_control.h +10 -0
- data/src/core/ext/transport/chttp2/transport/internal.h +5 -0
- data/src/core/ext/transport/chttp2/transport/parsing.cc +16 -2
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.c +29 -9
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.h +66 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +123 -45
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +310 -53
- data/src/core/ext/upb-generated/envoy/config/core/v3/address.upb.c +17 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/address.upb.h +45 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.c +16 -9
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h +38 -15
- data/src/core/ext/upb-generated/envoy/config/core/v3/extension.upb.c +53 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/extension.upb.h +133 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/grpc_service.upb.c +54 -8
- data/src/core/ext/upb-generated/envoy/config/core/v3/grpc_service.upb.h +123 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +40 -16
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +114 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +36 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.h +85 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +36 -16
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +86 -20
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +23 -6
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +54 -5
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +10 -6
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +28 -11
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +184 -57
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +504 -69
- data/src/core/ext/upb-generated/envoy/config/route/v3/scoped_route.upb.c +6 -5
- data/src/core/ext/upb-generated/envoy/config/route/v3/scoped_route.upb.h +11 -7
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +78 -26
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +236 -25
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +8 -9
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +19 -33
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.c +7 -3
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.h +16 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.c +65 -23
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.h +229 -47
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.c +20 -10
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.h +67 -4
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.c +3 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.h +6 -0
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/checked.upb.c +242 -0
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/checked.upb.h +753 -0
- data/src/core/ext/upb-generated/udpa/annotations/security.upb.c +31 -0
- data/src/core/ext/upb-generated/udpa/annotations/security.upb.h +57 -0
- data/src/core/ext/upb-generated/udpa/core/v1/authority.upb.c +28 -0
- data/src/core/ext/upb-generated/udpa/core/v1/authority.upb.h +53 -0
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.c +52 -0
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.h +129 -0
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.c +42 -0
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.h +77 -0
- data/src/core/ext/upb-generated/udpa/core/v1/resource.upb.c +36 -0
- data/src/core/ext/upb-generated/udpa/core/v1/resource.upb.h +85 -0
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.c +54 -0
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.h +160 -0
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.c +36 -0
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.h +84 -0
- data/src/core/ext/xds/certificate_provider_factory.h +59 -0
- data/src/core/ext/xds/certificate_provider_registry.cc +103 -0
- data/src/core/ext/xds/certificate_provider_registry.h +57 -0
- data/src/core/ext/xds/certificate_provider_store.h +50 -0
- data/src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc +377 -0
- data/src/core/ext/xds/google_mesh_ca_certificate_provider_factory.h +102 -0
- data/src/core/ext/xds/xds_api.cc +301 -93
- data/src/core/ext/xds/xds_api.h +129 -92
- data/src/core/ext/xds/xds_channel_args.h +6 -3
- data/src/core/ext/xds/xds_client.cc +498 -410
- data/src/core/ext/xds/xds_client.h +105 -51
- data/src/core/ext/xds/xds_client_stats.cc +18 -12
- data/src/core/ext/xds/xds_client_stats.h +33 -5
- data/src/core/lib/channel/channel_args.h +0 -1
- data/src/core/lib/channel/channelz.cc +10 -45
- data/src/core/lib/channel/channelz.h +11 -19
- data/src/core/lib/channel/channelz_registry.cc +12 -11
- data/src/core/lib/channel/channelz_registry.h +3 -0
- data/src/core/lib/gpr/time_precise.cc +2 -0
- data/src/core/lib/gpr/time_precise.h +6 -2
- data/src/core/lib/gprpp/dual_ref_counted.h +336 -0
- data/src/core/lib/gprpp/ref_counted.h +51 -22
- data/src/core/lib/gprpp/ref_counted_ptr.h +153 -0
- data/src/core/lib/iomgr/endpoint_cfstream.cc +9 -5
- data/src/core/lib/iomgr/exec_ctx.h +10 -8
- data/src/core/lib/json/json_util.cc +58 -0
- data/src/core/lib/json/json_util.h +37 -0
- data/src/core/lib/security/certificate_provider.h +60 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc +321 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h +214 -0
- data/src/core/lib/security/credentials/xds/xds_credentials.cc +45 -0
- data/src/core/lib/security/credentials/xds/xds_credentials.h +51 -0
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +6 -10
- data/src/core/lib/security/security_connector/ssl_utils.h +5 -0
- data/src/core/lib/surface/channel.cc +9 -31
- data/src/core/lib/surface/channel.h +6 -1
- data/src/core/lib/surface/init.cc +26 -9
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/bdp_estimator.h +2 -1
- data/src/core/lib/transport/connectivity_state.h +2 -2
- data/src/core/lib/transport/metadata.cc +11 -1
- data/src/core/plugin_registry/grpc_plugin_registry.cc +35 -20
- data/src/core/tsi/ssl_transport_security.cc +2 -2
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +2 -2
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +3 -3
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/err_data.c +465 -463
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +0 -6
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +9 -43
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +55 -4
- data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +34 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +6 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +30 -10
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +10 -15
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +98 -11
- data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +51 -6
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +44 -2
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +221 -49
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +64 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_strex.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +0 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +7 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +21 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +24 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +67 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +29 -35
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +13 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +10 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +28 -40
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +3 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +7 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +55 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +0 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +6 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +12 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +9 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +4 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +9 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +26 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +188 -78
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +52 -43
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +18 -18
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +2 -3
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +9 -9
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +8 -9
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +1 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +4 -8
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +2 -2
- metadata +72 -42
- data/src/core/ext/filters/client_channel/lb_policy/xds/lrs.cc +0 -537
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_routing.cc +0 -1141
- data/src/core/ext/upb-generated/gogoproto/gogo.upb.c +0 -17
- data/src/core/ext/upb-generated/gogoproto/gogo.upb.h +0 -29
- data/src/core/ext/xds/xds_channel.h +0 -46
- data/src/core/ext/xds/xds_channel_secure.cc +0 -103
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pku.c +0 -110
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_sxnet.c +0 -274
@@ -66,20 +66,20 @@
|
|
66
66
|
#include <openssl/rsa.h>
|
67
67
|
#include <openssl/stack.h>
|
68
68
|
|
69
|
-
int X509_verify(X509 *
|
69
|
+
int X509_verify(X509 *x509, EVP_PKEY *pkey)
|
70
70
|
{
|
71
|
-
if (X509_ALGOR_cmp(
|
71
|
+
if (X509_ALGOR_cmp(x509->sig_alg, x509->cert_info->signature)) {
|
72
72
|
OPENSSL_PUT_ERROR(X509, X509_R_SIGNATURE_ALGORITHM_MISMATCH);
|
73
73
|
return 0;
|
74
74
|
}
|
75
|
-
return
|
76
|
-
|
75
|
+
return ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), x509->sig_alg,
|
76
|
+
x509->signature, x509->cert_info, pkey);
|
77
77
|
}
|
78
78
|
|
79
|
-
int X509_REQ_verify(X509_REQ *
|
79
|
+
int X509_REQ_verify(X509_REQ *req, EVP_PKEY *pkey)
|
80
80
|
{
|
81
|
-
return
|
82
|
-
|
81
|
+
return ASN1_item_verify(ASN1_ITEM_rptr(X509_REQ_INFO),
|
82
|
+
req->sig_alg, req->signature, req->req_info, pkey);
|
83
83
|
}
|
84
84
|
|
85
85
|
int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
|
@@ -131,10 +131,10 @@ int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
|
|
131
131
|
x->signature, x->spkac, pkey, md));
|
132
132
|
}
|
133
133
|
|
134
|
-
int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *
|
134
|
+
int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey)
|
135
135
|
{
|
136
|
-
return (ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
|
137
|
-
|
136
|
+
return (ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC), spki->sig_algor,
|
137
|
+
spki->signature, spki->spkac, pkey));
|
138
138
|
}
|
139
139
|
|
140
140
|
#ifndef OPENSSL_NO_FP_API
|
@@ -411,10 +411,10 @@ int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
|
|
411
411
|
return 1;
|
412
412
|
}
|
413
413
|
|
414
|
-
int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *
|
414
|
+
int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey)
|
415
415
|
{
|
416
416
|
if (crl->meth->crl_verify)
|
417
|
-
return crl->meth->crl_verify(crl,
|
417
|
+
return crl->meth->crl_verify(crl, pkey);
|
418
418
|
return 0;
|
419
419
|
}
|
420
420
|
|
@@ -197,18 +197,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
|
|
197
197
|
char opt, ASN1_TLC *ctx)
|
198
198
|
{
|
199
199
|
const unsigned char *p = *in, *q;
|
200
|
-
|
201
|
-
|
202
|
-
ASN1_VALUE *a;
|
203
|
-
} intname = {
|
204
|
-
NULL
|
205
|
-
};
|
206
|
-
union {
|
207
|
-
X509_NAME *x;
|
208
|
-
ASN1_VALUE *a;
|
209
|
-
} nm = {
|
210
|
-
NULL
|
211
|
-
};
|
200
|
+
STACK_OF(STACK_OF_X509_NAME_ENTRY) *intname = NULL;
|
201
|
+
X509_NAME *nm = NULL;
|
212
202
|
size_t i, j;
|
213
203
|
int ret;
|
214
204
|
STACK_OF(X509_NAME_ENTRY) *entries;
|
@@ -220,46 +210,48 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
|
|
220
210
|
q = p;
|
221
211
|
|
222
212
|
/* Get internal representation of Name */
|
223
|
-
|
213
|
+
ASN1_VALUE *intname_val = NULL;
|
214
|
+
ret = ASN1_item_ex_d2i(&intname_val,
|
224
215
|
&p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
|
225
216
|
tag, aclass, opt, ctx);
|
226
|
-
|
227
217
|
if (ret <= 0)
|
228
218
|
return ret;
|
219
|
+
intname = (STACK_OF(STACK_OF_X509_NAME_ENTRY) *)intname_val;
|
229
220
|
|
230
221
|
if (*val)
|
231
222
|
x509_name_ex_free(val, NULL);
|
232
|
-
|
223
|
+
ASN1_VALUE *nm_val = NULL;
|
224
|
+
if (!x509_name_ex_new(&nm_val, NULL))
|
233
225
|
goto err;
|
226
|
+
nm = (X509_NAME *)nm_val;
|
234
227
|
/* We've decoded it: now cache encoding */
|
235
|
-
if (!BUF_MEM_grow(nm
|
228
|
+
if (!BUF_MEM_grow(nm->bytes, p - q))
|
236
229
|
goto err;
|
237
|
-
OPENSSL_memcpy(nm
|
230
|
+
OPENSSL_memcpy(nm->bytes->data, q, p - q);
|
238
231
|
|
239
232
|
/* Convert internal representation to X509_NAME structure */
|
240
|
-
for (i = 0; i < sk_STACK_OF_X509_NAME_ENTRY_num(intname
|
241
|
-
entries = sk_STACK_OF_X509_NAME_ENTRY_value(intname
|
233
|
+
for (i = 0; i < sk_STACK_OF_X509_NAME_ENTRY_num(intname); i++) {
|
234
|
+
entries = sk_STACK_OF_X509_NAME_ENTRY_value(intname, i);
|
242
235
|
for (j = 0; j < sk_X509_NAME_ENTRY_num(entries); j++) {
|
243
236
|
entry = sk_X509_NAME_ENTRY_value(entries, j);
|
244
237
|
entry->set = i;
|
245
|
-
if (!sk_X509_NAME_ENTRY_push(nm
|
238
|
+
if (!sk_X509_NAME_ENTRY_push(nm->entries, entry))
|
246
239
|
goto err;
|
247
240
|
(void)sk_X509_NAME_ENTRY_set(entries, j, NULL);
|
248
241
|
}
|
249
242
|
}
|
250
|
-
ret = x509_name_canon(nm
|
243
|
+
ret = x509_name_canon(nm);
|
251
244
|
if (!ret)
|
252
245
|
goto err;
|
253
|
-
sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname
|
246
|
+
sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname,
|
254
247
|
local_sk_X509_NAME_ENTRY_free);
|
255
|
-
nm
|
256
|
-
*val = nm
|
248
|
+
nm->modified = 0;
|
249
|
+
*val = (ASN1_VALUE *)nm;
|
257
250
|
*in = p;
|
258
251
|
return ret;
|
259
252
|
err:
|
260
|
-
|
261
|
-
|
262
|
-
sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s,
|
253
|
+
X509_NAME_free(nm);
|
254
|
+
sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname,
|
263
255
|
local_sk_X509_NAME_ENTRY_pop_free);
|
264
256
|
OPENSSL_PUT_ERROR(X509, ERR_R_ASN1_LIB);
|
265
257
|
return 0;
|
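Review bot: The casts `intname = (STACK_OF(STACK_OF_X509_NAME_ENTRY) *)intname_val;` and `nm = (X509_NAME *)nm_val;` replace the old union punning but carry no explanation, so a reader has to already know that `ASN1_item_ex_d2i` with `X509_NAME_INTERNAL` yields that stack type and that `x509_name_ex_new` yields an X509_NAME. A comment on the first cast, `/* X509_NAME_INTERNAL decodes to a STACK_OF(STACK_OF_X509_NAME_ENTRY); ASN1_VALUE* is only the generic handle. */`, would record the relationship the casts depend on. The early `return ret;` on decode failure runs before `intname` is assigned, which is fine because nothing has been allocated at that point. The function's signature and declarations are in the previous hunk; its error label and tail are within this one.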
@@ -288,20 +280,15 @@ static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out,
|
|
288
280
|
|
289
281
|
static int x509_name_encode(X509_NAME *a)
|
290
282
|
{
|
291
|
-
union {
|
292
|
-
STACK_OF(STACK_OF_X509_NAME_ENTRY) *s;
|
293
|
-
ASN1_VALUE *a;
|
294
|
-
} intname = {
|
295
|
-
NULL
|
296
|
-
};
|
297
283
|
int len;
|
298
284
|
unsigned char *p;
|
299
285
|
STACK_OF(X509_NAME_ENTRY) *entries = NULL;
|
300
286
|
X509_NAME_ENTRY *entry;
|
301
287
|
int set = -1;
|
302
288
|
size_t i;
|
303
|
-
intname
|
304
|
-
|
289
|
+
STACK_OF(STACK_OF_X509_NAME_ENTRY) *intname =
|
290
|
+
sk_STACK_OF_X509_NAME_ENTRY_new_null();
|
291
|
+
if (!intname)
|
305
292
|
goto memerr;
|
306
293
|
for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {
|
307
294
|
entry = sk_X509_NAME_ENTRY_value(a->entries, i);
|
@@ -309,7 +296,7 @@ static int x509_name_encode(X509_NAME *a)
|
|
309
296
|
entries = sk_X509_NAME_ENTRY_new_null();
|
310
297
|
if (!entries)
|
311
298
|
goto memerr;
|
312
|
-
if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname
|
299
|
+
if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries)) {
|
313
300
|
sk_X509_NAME_ENTRY_free(entries);
|
314
301
|
goto memerr;
|
315
302
|
}
|
@@ -318,19 +305,20 @@ static int x509_name_encode(X509_NAME *a)
|
|
318
305
|
if (!sk_X509_NAME_ENTRY_push(entries, entry))
|
319
306
|
goto memerr;
|
320
307
|
}
|
321
|
-
|
308
|
+
ASN1_VALUE *intname_val = (ASN1_VALUE *)intname;
|
309
|
+
len = ASN1_item_ex_i2d(&intname_val, NULL,
|
322
310
|
ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
|
323
311
|
if (!BUF_MEM_grow(a->bytes, len))
|
324
312
|
goto memerr;
|
325
313
|
p = (unsigned char *)a->bytes->data;
|
326
|
-
ASN1_item_ex_i2d(&
|
314
|
+
ASN1_item_ex_i2d(&intname_val,
|
327
315
|
&p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
|
328
|
-
sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname
|
316
|
+
sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname,
|
329
317
|
local_sk_X509_NAME_ENTRY_free);
|
330
318
|
a->modified = 0;
|
331
319
|
return len;
|
332
320
|
memerr:
|
333
|
-
sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname
|
321
|
+
sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname,
|
334
322
|
local_sk_X509_NAME_ENTRY_free);
|
335
323
|
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
336
324
|
return -1;
|
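Review bot: The new `len = ASN1_item_ex_i2d(&intname_val, NULL, ...)` in x509_name_encode is passed straight to `BUF_MEM_grow(a->bytes, len)` without an error check; if the encoder can fail (OpenSSL's i2d functions report errors with a negative value), a negative `len` is only caught by accident when it converts to a huge size_t and the grow fails, and the second `ASN1_item_ex_i2d(&intname_val, &p, ...)` has its result discarded entirely. Adding `if (len < 0) goto memerr;` after the first call makes the failure explicit, though `memerr` reports `ERR_R_MALLOC_FAILURE`, so a separate label with `ERR_R_ASN1_LIB` may be more accurate. x509_name_encode begins in the earlier hunk and its closing brace is outside this one.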
@@ -136,10 +136,12 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
|
|
136
136
|
}
|
137
137
|
|
138
138
|
/* Per RFC5280, section 4.1.2.9, extensions require v3. */
|
139
|
+
/* Check disabled. TODO re-enable in Jan 2021.
|
140
|
+
https://crbug.com/boringssl/375
|
139
141
|
if (version != 2 && ret->cert_info->extensions != NULL) {
|
140
142
|
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
|
141
143
|
return 0;
|
142
|
-
}
|
144
|
+
}*/
|
143
145
|
|
144
146
|
break;
|
145
147
|
}
|
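Review bot: Commenting out the `version != 2 && ret->cert_info->extensions != NULL` check in x509_cb switches off the RFC 5280 section 4.1.2.9 rule that extensions require a v3 certificate, so v1/v2 certificates carrying extensions now parse successfully and, presumably, have those extensions cached and consulted like any other certificate's (the consumers are not in this hunk). The comment records a date and a bug link but not what the relaxation is for or what becomes accepted. Wrapping the block in `#if 0` / `#endif` with the same TODO, instead of a block comment that swallows the braces (`}*/`), keeps the check visible to tooling and trivially re-enabled, and a sentence such as `/* Disabled: v1/v2 certificates with extensions are accepted; see https://crbug.com/boringssl/375 */` would help anyone auditing parser leniency. The enclosing switch in x509_cb starts and ends outside the hunk.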
@@ -61,8 +61,7 @@ extern "C" {
|
|
61
61
|
#endif
|
62
62
|
|
63
63
|
extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
|
64
|
-
extern const X509V3_EXT_METHOD
|
65
|
-
v3_sinfo;
|
64
|
+
extern const X509V3_EXT_METHOD v3_info, v3_sinfo;
|
66
65
|
extern const X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id,
|
67
66
|
v3_akey_id;
|
68
67
|
extern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
|
@@ -96,7 +95,6 @@ static const X509V3_EXT_METHOD *const standard_exts[] = {
|
|
96
95
|
&v3_ns_ia5_list[6],
|
97
96
|
&v3_skey_id,
|
98
97
|
&v3_key_usage,
|
99
|
-
&v3_pkey_usage_period,
|
100
98
|
&v3_alt[0],
|
101
99
|
&v3_alt[1],
|
102
100
|
&v3_bcons,
|
@@ -108,7 +106,6 @@ static const X509V3_EXT_METHOD *const standard_exts[] = {
|
|
108
106
|
&v3_delta_crl,
|
109
107
|
&v3_crl_reason,
|
110
108
|
&v3_crl_invdate,
|
111
|
-
&v3_sxnet,
|
112
109
|
&v3_info,
|
113
110
|
#ifndef OPENSSL_NO_OCSP
|
114
111
|
&v3_ocsp_nonce,
|
@@ -428,13 +428,17 @@ void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
|
|
428
428
|
ctx->db_meth->free_section(ctx->db, section);
|
429
429
|
}
|
430
430
|
|
431
|
-
static char *nconf_get_string(void *db, char *section, char *value)
|
431
|
+
static char *nconf_get_string(void *db, const char *section, const char *value)
|
432
432
|
{
|
433
|
-
/* TODO(fork):
|
433
|
+
/* TODO(fork): This returns a non-const pointer because |X509V3_CONF_METHOD|
|
434
|
+
* allows |get_string| to return caller-owned pointers, provided they're
|
435
|
+
* freed by |free_string|. |nconf_method| leaves |free_string| NULL, and
|
436
|
+
* there are no other implementations of |X509V3_CONF_METHOD|, so this can
|
437
|
+
* be simplified if we make it private. */
|
434
438
|
return (char *)NCONF_get_string(db, section, value);
|
435
439
|
}
|
436
440
|
|
437
|
-
static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section)
|
441
|
+
static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, const char *section)
|
438
442
|
{
|
439
443
|
return NCONF_get_section(db, section);
|
440
444
|
}
|
@@ -188,7 +188,7 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
|
|
188
188
|
a->type = type;
|
189
189
|
}
|
190
190
|
|
191
|
-
void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype)
|
191
|
+
void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype)
|
192
192
|
{
|
193
193
|
if (ptype)
|
194
194
|
*ptype = a->type;
|
@@ -233,7 +233,7 @@ int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
|
|
233
233
|
return 1;
|
234
234
|
}
|
235
235
|
|
236
|
-
int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
|
236
|
+
int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen,
|
237
237
|
ASN1_OBJECT **poid, ASN1_TYPE **pvalue)
|
238
238
|
{
|
239
239
|
if (gen->type != GEN_OTHERNAME)
|
@@ -208,7 +208,7 @@ static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD
|
|
208
208
|
return NULL;
|
209
209
|
}
|
210
210
|
|
211
|
-
int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION *a)
|
211
|
+
int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a)
|
212
212
|
{
|
213
213
|
i2a_ASN1_OBJECT(bp, a->method);
|
214
214
|
#ifdef UNDEF
|
@@ -307,22 +307,22 @@ void X509_PURPOSE_cleanup(void)
|
|
307
307
|
xptable = NULL;
|
308
308
|
}
|
309
309
|
|
310
|
-
int X509_PURPOSE_get_id(X509_PURPOSE *xp)
|
310
|
+
int X509_PURPOSE_get_id(const X509_PURPOSE *xp)
|
311
311
|
{
|
312
312
|
return xp->purpose;
|
313
313
|
}
|
314
314
|
|
315
|
-
char *X509_PURPOSE_get0_name(X509_PURPOSE *xp)
|
315
|
+
char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp)
|
316
316
|
{
|
317
317
|
return xp->name;
|
318
318
|
}
|
319
319
|
|
320
|
-
char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
|
320
|
+
char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp)
|
321
321
|
{
|
322
322
|
return xp->sname;
|
323
323
|
}
|
324
324
|
|
325
|
-
int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
|
325
|
+
int X509_PURPOSE_get_trust(const X509_PURPOSE *xp)
|
326
326
|
{
|
327
327
|
return xp->trust;
|
328
328
|
}
|
@@ -451,8 +451,14 @@ int x509v3_cache_extensions(X509 *x)
|
|
451
451
|
|| !bs->ca) {
|
452
452
|
x->ex_flags |= EXFLAG_INVALID;
|
453
453
|
x->ex_pathlen = 0;
|
454
|
-
} else
|
454
|
+
} else {
|
455
|
+
/* TODO(davidben): |ASN1_INTEGER_get| returns -1 on overflow,
|
456
|
+
* which currently acts as if the constraint isn't present. This
|
457
|
+
* works (an overflowing path length constraint may as well be
|
458
|
+
* infinity), but Chromium's verifier simply treats values above
|
459
|
+
* 255 as an error. */
|
455
460
|
x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
|
461
|
+
}
|
456
462
|
} else
|
457
463
|
x->ex_pathlen = -1;
|
458
464
|
BASIC_CONSTRAINTS_free(bs);
|
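Review bot: The added comment covers `ASN1_INTEGER_get` returning -1 on overflow, but a negative pathLenConstraint on the wire, which RFC 5280 rules out by defining it as INTEGER (0..MAX), takes the same branch: `ASN1_INTEGER_get` would yield a negative value, where -1 collides with the "no constraint" sentinel assigned in the `else` arm below and any other negative leaves `ex_pathlen` neither the sentinel nor a valid bound. If the intent is to be strict, `if (bs->pathlen->type == V_ASN1_NEG_INTEGER) { x->ex_flags |= EXFLAG_INVALID; }` before the assignment rejects the malformed case; otherwise the comment should say that negatives are tolerated as well. x509v3_cache_extensions starts and ends outside the hunk, and whether `bs->pathlen` is guaranteed non-NULL here is inferred from the `else` arm rather than visible.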
@@ -855,9 +861,9 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
|
|
855
861
|
|
856
862
|
uint32_t X509_get_extension_flags(X509 *x)
|
857
863
|
{
|
858
|
-
|
859
|
-
|
860
|
-
|
864
|
+
/* Ignore the return value. On failure, |x->ex_flags| will include
|
865
|
+
* |EXFLAG_INVALID|. */
|
866
|
+
x509v3_cache_extensions(x);
|
861
867
|
return x->ex_flags;
|
862
868
|
}
|
863
869
|
|
@@ -880,3 +886,44 @@ uint32_t X509_get_extended_key_usage(X509 *x)
|
|
880
886
|
return x->ex_xkusage;
|
881
887
|
return UINT32_MAX;
|
882
888
|
}
|
889
|
+
|
890
|
+
const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509)
|
891
|
+
{
|
892
|
+
if (!x509v3_cache_extensions(x509)) {
|
893
|
+
return NULL;
|
894
|
+
}
|
895
|
+
return x509->skid;
|
896
|
+
}
|
897
|
+
|
898
|
+
const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509)
|
899
|
+
{
|
900
|
+
if (!x509v3_cache_extensions(x509)) {
|
901
|
+
return NULL;
|
902
|
+
}
|
903
|
+
return x509->akid != NULL ? x509->akid->keyid : NULL;
|
904
|
+
}
|
905
|
+
|
906
|
+
const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509)
|
907
|
+
{
|
908
|
+
if (!x509v3_cache_extensions(x509)) {
|
909
|
+
return NULL;
|
910
|
+
}
|
911
|
+
return x509->akid != NULL ? x509->akid->issuer : NULL;
|
912
|
+
}
|
913
|
+
|
914
|
+
const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509)
|
915
|
+
{
|
916
|
+
if (!x509v3_cache_extensions(x509)) {
|
917
|
+
return NULL;
|
918
|
+
}
|
919
|
+
return x509->akid != NULL ? x509->akid->serial : NULL;
|
920
|
+
}
|
921
|
+
|
922
|
+
long X509_get_pathlen(X509 *x509)
|
923
|
+
{
|
924
|
+
if (!x509v3_cache_extensions(x509) ||
|
925
|
+
(x509->ex_flags & EXFLAG_BCONS) == 0) {
|
926
|
+
return -1;
|
927
|
+
}
|
928
|
+
return x509->ex_pathlen;
|
929
|
+
}
|
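Review bot: The new accessors X509_get0_subject_key_id, X509_get0_authority_key_id, X509_get0_authority_issuer and X509_get0_authority_serial return NULL both when `x509v3_cache_extensions` fails and when the extension is simply absent, and `X509_get_pathlen` folds the failure into the same -1 that means "no constraint", so a caller cannot tell a malformed certificate from one that lacks the extension. The earlier hunk documents `EXFLAG_INVALID` in `x->ex_flags` as the failure signal, so the contract should point there: a comment above each getter such as `/* Returns NULL if the extension is absent or the extensions could not be parsed; check X509_get_extension_flags() for EXFLAG_INVALID to distinguish. */`, and the same wording in the x509.h declarations, which this release changes but this view does not show. Each new function is complete within the hunk.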
@@ -77,7 +77,7 @@ const X509V3_EXT_METHOD v3_skey_id = {
|
|
77
77
|
NULL
|
78
78
|
};
|
79
79
|
|
80
|
-
char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct)
|
80
|
+
char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, const ASN1_OCTET_STRING *oct)
|
81
81
|
{
|
82
82
|
return x509v3_bytes_to_hex(oct->data, oct->length);
|
83
83
|
}
|
@@ -487,7 +487,6 @@ typedef struct BIT_STRING_BITNAME_st {
|
|
487
487
|
|
488
488
|
|
489
489
|
#define M_ASN1_STRING_length(x) ((x)->length)
|
490
|
-
#define M_ASN1_STRING_length_set(x, n) ((x)->length = (n))
|
491
490
|
#define M_ASN1_STRING_type(x) ((x)->type)
|
492
491
|
#define M_ASN1_STRING_data(x) ((x)->data)
|
493
492
|
|
@@ -173,7 +173,7 @@ extern "C" {
|
|
173
173
|
#endif
|
174
174
|
|
175
175
|
#define OPENSSL_IS_BORINGSSL
|
176
|
-
#define OPENSSL_VERSION_NUMBER
|
176
|
+
#define OPENSSL_VERSION_NUMBER 0x1010107f
|
177
177
|
#define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
|
178
178
|
|
179
179
|
// BORINGSSL_API_VERSION is a positive integer that increments as BoringSSL
|
@@ -380,6 +380,12 @@ OPENSSL_EXPORT int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
|
|
380
380
|
// processing.
|
381
381
|
#define EVP_CIPH_CUSTOM_COPY 0x1000
|
382
382
|
|
383
|
+
// EVP_CIPH_FLAG_NON_FIPS_ALLOW is meaningless. In OpenSSL it permits non-FIPS
|
384
|
+
// algorithms in FIPS mode. But BoringSSL FIPS mode doesn't prohibit algorithms
|
385
|
+
// (it's up the the caller to use the FIPS module in a fashion compliant with
|
386
|
+
// their needs). Thus this exists only to allow code to compile.
|
387
|
+
#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0
|
388
|
+
|
383
389
|
|
384
390
|
// Deprecated functions
|
385
391
|
|
@@ -76,7 +76,7 @@ OPENSSL_EXPORT void CRYPTO_pre_sandbox_init(void);
|
|
76
76
|
|
77
77
|
// OPENSSL_VERSION_TEXT contains a string the identifies the version of
|
78
78
|
// “OpenSSL”. node.js requires a version number in this text.
|
79
|
-
#define OPENSSL_VERSION_TEXT "OpenSSL 1.1.
|
79
|
+
#define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1 (compatible; BoringSSL)"
|
80
80
|
|
81
81
|
#define OPENSSL_VERSION 0
|
82
82
|
#define OPENSSL_CFLAGS 1
|
@@ -69,6 +69,10 @@ extern "C" {
|
|
69
69
|
|
70
70
|
// DH contains functions for performing Diffie-Hellman key agreement in
|
71
71
|
// multiplicative groups.
|
72
|
+
//
|
73
|
+
// This module is deprecated and retained for legacy reasons only. It is not
|
74
|
+
// considered a priority for performance or hardening work. Do not use it in
|
75
|
+
// new code. Use X25519 or ECDH with P-256 instead.
|
72
76
|
|
73
77
|
|
74
78
|
// Allocation and destruction.
|
@@ -164,6 +168,14 @@ OPENSSL_EXPORT int DH_generate_key(DH *dh);
|
|
164
168
|
// writes it as a big-endian integer into |out|, which must have |DH_size|
|
165
169
|
// bytes of space. It returns the number of bytes written, or a negative number
|
166
170
|
// on error.
|
171
|
+
//
|
172
|
+
// Note the output may be shorter than |DH_size| bytes. Contrary to PKCS #3,
|
173
|
+
// this function returns a variable-length shared key with leading zeros
|
174
|
+
// removed. This may result in sporadic key mismatch and, if |dh| is reused,
|
175
|
+
// side channel attacks such as https://raccoon-attack.com/.
|
176
|
+
//
|
177
|
+
// This is a legacy algorithm, so we do not provide a fixed-width variant. Use
|
178
|
+
// X25519 or ECDH with P-256 instead.
|
167
179
|
OPENSSL_EXPORT int DH_compute_key(uint8_t *out, const BIGNUM *peers_key,
|
168
180
|
DH *dh);
|
169
181
|
|