grpc 1.35.0 → 1.36.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +60 -57
- data/include/grpc/grpc_security.h +16 -11
- data/src/core/ext/filters/client_channel/client_channel.cc +32 -26
- data/src/core/ext/filters/client_channel/client_channel.h +0 -2
- data/src/core/ext/filters/client_channel/config_selector.h +1 -1
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +2 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +3 -5
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +8 -6
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +289 -170
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h +5 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +1 -3
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +231 -109
- data/src/core/ext/filters/client_channel/resolver.cc +2 -5
- data/src/core/ext/filters/client_channel/resolver.h +1 -12
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +36 -45
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +29 -41
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +16 -14
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +18 -15
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +362 -0
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +22 -74
- data/src/core/ext/filters/client_channel/server_address.cc +6 -0
- data/src/core/ext/filters/client_channel/server_address.h +31 -0
- data/src/core/ext/filters/client_channel/subchannel.cc +2 -2
- data/src/core/ext/filters/max_age/max_age_filter.cc +35 -32
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +1 -1
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +47 -22
- data/src/core/ext/transport/chttp2/server/chttp2_server.h +11 -2
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +11 -1
- data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +62 -18
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +11 -16
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +42 -59
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.c +3 -2
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.h +15 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +25 -1
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +75 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.c +2 -2
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h +9 -9
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c +7 -7
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.h +28 -13
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +11 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.h +41 -7
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -21
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +122 -77
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +13 -9
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +37 -5
- data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +11 -9
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +44 -27
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +42 -16
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +106 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c +29 -0
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h +67 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +13 -16
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +51 -42
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +16 -13
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +50 -18
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.c +4 -7
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.h +0 -17
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.c +30 -23
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.h +85 -73
- data/src/core/ext/upb-generated/envoy/service/endpoint/v3/eds.upb.c +0 -3
- data/src/core/ext/upb-generated/envoy/service/listener/v3/lds.upb.c +0 -3
- data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/service/route/v3/rds.upb.c +0 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.c +0 -1
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.c +21 -4
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h +29 -0
- data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/authority.upb.c +5 -5
- data/src/core/ext/upb-generated/xds/core/v3/authority.upb.h +60 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.c +52 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.h +143 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.c +42 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.h +84 -0
- data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/resource.upb.c +9 -9
- data/src/core/ext/upb-generated/xds/core/v3/resource.upb.h +94 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.c +54 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.h +166 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.c +36 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.h +85 -0
- data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.c +168 -171
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +405 -420
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.h +2 -2
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/outlier_detection.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +177 -171
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +10 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.c +88 -88
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.c +153 -153
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +4 -7
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.c +33 -20
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint.upbdefs.c +56 -59
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +116 -111
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.c +129 -121
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c +21 -24
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c +17 -13
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +747 -724
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/http_tracer.upbdefs.c +22 -25
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c +51 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +369 -376
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c +12 -16
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.c +112 -108
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/secret.upbdefs.c +45 -53
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +177 -180
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.c +92 -102
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/service/endpoint/v3/eds.upbdefs.c +32 -42
- data/src/core/ext/upbdefs-generated/envoy/service/listener/v3/lds.upbdefs.c +30 -40
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +4 -7
- data/src/core/ext/upbdefs-generated/envoy/service/route/v3/rds.upbdefs.c +38 -44
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/string.upbdefs.c +30 -33
- data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.c +14 -11
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.c +42 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.c +62 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.c +45 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.c +49 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.c +67 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.c +50 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.h +35 -0
- data/src/core/ext/xds/xds_api.cc +738 -567
- data/src/core/ext/xds/xds_api.h +46 -84
- data/src/core/ext/xds/xds_bootstrap.cc +59 -40
- data/src/core/ext/xds/xds_bootstrap.h +12 -4
- data/src/core/ext/xds/xds_certificate_provider.cc +180 -74
- data/src/core/ext/xds/xds_certificate_provider.h +83 -44
- data/src/core/ext/xds/xds_client.cc +13 -11
- data/src/core/ext/xds/xds_client.h +3 -0
- data/src/core/ext/xds/xds_client_stats.cc +2 -1
- data/src/core/ext/xds/xds_server_config_fetcher.cc +147 -11
- data/src/core/lib/channel/handshaker.cc +2 -5
- data/src/core/lib/channel/handshaker.h +1 -1
- data/src/core/lib/gpr/log.cc +6 -1
- data/src/core/lib/gprpp/mpscq.cc +2 -2
- data/src/core/lib/gprpp/ref_counted.h +1 -1
- data/src/core/lib/gprpp/sync.h +129 -40
- data/src/core/lib/gprpp/time_util.cc +77 -0
- data/src/core/lib/gprpp/time_util.h +42 -0
- data/src/core/lib/http/httpcli_security_connector.cc +2 -2
- data/src/core/lib/iomgr/ev_apple.cc +10 -7
- data/src/core/lib/iomgr/ev_epollex_linux.cc +4 -4
- data/src/core/lib/iomgr/iomgr_posix.cc +0 -1
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +0 -1
- data/src/core/lib/iomgr/sockaddr_utils.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +1 -0
- data/src/core/lib/iomgr/tcp_client_posix.cc +1 -1
- data/src/core/lib/iomgr/tcp_posix.cc +4 -4
- data/src/core/lib/security/authorization/matchers.cc +339 -0
- data/src/core/lib/security/authorization/matchers.h +158 -0
- data/src/core/lib/security/authorization/mock_cel/activation.h +1 -1
- data/src/core/lib/security/authorization/mock_cel/cel_value.h +9 -7
- data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -1
- data/src/core/lib/security/credentials/alts/alts_credentials.h +1 -1
- data/src/core/lib/security/credentials/credentials.h +2 -1
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +2 -2
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +1 -1
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +7 -6
- data/src/core/lib/security/credentials/insecure/insecure_credentials.cc +2 -2
- data/src/core/lib/security/credentials/jwt/json_token.cc +0 -3
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +0 -3
- data/src/core/lib/security/credentials/local/local_credentials.cc +2 -1
- data/src/core/lib/security/credentials/local/local_credentials.h +1 -1
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +2 -1
- data/src/core/lib/security/credentials/ssl/ssl_credentials.h +1 -1
- data/src/core/lib/security/credentials/tls/tls_credentials.cc +2 -1
- data/src/core/lib/security/credentials/tls/tls_credentials.h +1 -1
- data/src/core/lib/security/credentials/xds/xds_credentials.cc +128 -59
- data/src/core/lib/security/credentials/xds/xds_credentials.h +3 -3
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +5 -5
- data/src/core/lib/security/security_connector/ssl_utils.cc +3 -0
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +26 -14
- data/src/core/lib/security/transport/security_handshaker.cc +1 -3
- data/src/core/lib/slice/slice_intern.cc +1 -1
- data/src/core/lib/surface/init.cc +13 -15
- data/src/core/lib/surface/server.cc +3 -3
- data/src/core/lib/surface/server.h +3 -0
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/metadata.cc +6 -2
- data/src/core/plugin_registry/grpc_plugin_registry.cc +6 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +17 -20
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +16 -21
- data/src/core/tsi/fake_transport_security.cc +1 -1
- data/src/core/tsi/ssl/session_cache/ssl_session.h +0 -3
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +0 -2
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +2 -4
- data/src/core/tsi/ssl_transport_security.cc +0 -3
- data/src/core/tsi/ssl_transport_security.h +0 -3
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +7 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/graphcycles.cc +1 -0
- data/third_party/boringssl-with-bazel/err_data.c +725 -723
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +3 -10
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +15 -14
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_locl.h +30 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +28 -79
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +39 -85
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +5 -16
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +10 -61
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +158 -0
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/bn_asn1.c +3 -10
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +8 -9
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +60 -45
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +6 -81
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +87 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu-aarch64-win.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/dh_asn1.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/params.c +179 -0
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +2 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +3 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +13 -20
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +9 -1
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/check.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/dh.c +136 -213
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +12 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +9 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +28 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +128 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +0 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +51 -32
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +147 -0
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +18 -29
- data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +13 -4
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +10 -7
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +13 -11
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +34 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +7 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +5 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +10 -7
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_r2x.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +29 -23
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +39 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +11 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +25 -25
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +40 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +25 -36
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +6 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +652 -545
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +0 -167
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +10 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +62 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +22 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +15 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +56 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +15 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +12 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +3 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +2 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +42 -24
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +27 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +287 -98
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +139 -36
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +4 -3
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +11 -20
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +10 -5
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +37 -16
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +0 -1
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +7 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +20 -14
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +7 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +5 -7
- data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +329 -31
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +48 -15
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +66 -24
- metadata +77 -65
- data/src/core/ext/upb-generated/udpa/core/v1/authority.upb.h +0 -60
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.c +0 -52
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.h +0 -143
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.c +0 -42
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.h +0 -84
- data/src/core/ext/upb-generated/udpa/core/v1/resource.upb.h +0 -94
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.c +0 -54
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.h +0 -173
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.c +0 -36
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.h +0 -92
- data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.c +0 -42
- data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.h +0 -35
- data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.c +0 -62
- data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.c +0 -45
- data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.c +0 -49
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.h +0 -35
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.c +0 -68
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c +0 -51
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.h +0 -35
- data/src/core/lib/iomgr/iomgr_posix.h +0 -26
@@ -431,9 +431,24 @@ OPENSSL_EXPORT const EVP_CIPHER *EVP_des_ede3_ecb(void);
|
|
431
431
|
// EVP_aes_128_cfb128 is only available in decrepit.
|
432
432
|
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_cfb128(void);
|
433
433
|
|
434
|
+
// EVP_aes_128_cfb is an alias for |EVP_aes_128_cfb128| and is only available in
|
435
|
+
// decrepit.
|
436
|
+
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_cfb(void);
|
437
|
+
|
438
|
+
// EVP_aes_192_cfb128 is only available in decrepit.
|
439
|
+
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_cfb128(void);
|
440
|
+
|
441
|
+
// EVP_aes_192_cfb is an alias for |EVP_aes_192_cfb128| and is only available in
|
442
|
+
// decrepit.
|
443
|
+
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_cfb(void);
|
444
|
+
|
434
445
|
// EVP_aes_256_cfb128 is only available in decrepit.
|
435
446
|
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_cfb128(void);
|
436
447
|
|
448
|
+
// EVP_aes_256_cfb is an alias for |EVP_aes_256_cfb128| and is only available in
|
449
|
+
// decrepit.
|
450
|
+
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_cfb(void);
|
451
|
+
|
437
452
|
// EVP_bf_ecb is Blowfish in ECB mode and is only available in decrepit.
|
438
453
|
OPENSSL_EXPORT const EVP_CIPHER *EVP_bf_ecb(void);
|
439
454
|
|
@@ -59,7 +59,6 @@
|
|
59
59
|
|
60
60
|
#include <openssl/base.h>
|
61
61
|
|
62
|
-
#include <openssl/ex_data.h>
|
63
62
|
#include <openssl/thread.h>
|
64
63
|
|
65
64
|
#if defined(__cplusplus)
|
@@ -140,6 +139,11 @@ OPENSSL_EXPORT int DH_set_length(DH *dh, unsigned priv_length);
|
|
140
139
|
// and returned. It returns NULL on allocation failure.
|
141
140
|
OPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *ret);
|
142
141
|
|
142
|
+
// DH_get_rfc7919_2048 returns the group `ffdhe2048` from
|
143
|
+
// https://tools.ietf.org/html/rfc7919#appendix-A.1. It returns NULL if out
|
144
|
+
// of memory.
|
145
|
+
OPENSSL_EXPORT DH *DH_get_rfc7919_2048(void);
|
146
|
+
|
143
147
|
|
144
148
|
// Parameter generation.
|
145
149
|
|
@@ -164,20 +168,37 @@ OPENSSL_EXPORT int DH_generate_parameters_ex(DH *dh, int prime_bits,
|
|
164
168
|
// |dh|. It returns one on success and zero on error.
|
165
169
|
OPENSSL_EXPORT int DH_generate_key(DH *dh);
|
166
170
|
|
167
|
-
//
|
168
|
-
// writes it as a big-endian integer into |out|,
|
169
|
-
// bytes
|
170
|
-
// on error.
|
171
|
+
// DH_compute_key_padded calculates the shared key between |dh| and |peers_key|
|
172
|
+
// and writes it as a big-endian integer into |out|, padded up to |DH_size|
|
173
|
+
// bytes. It returns the number of bytes written, which is always |DH_size|, or
|
174
|
+
// a negative number on error. |out| must have |DH_size| bytes of space.
|
171
175
|
//
|
172
|
-
//
|
173
|
-
// this function returns a variable-length shared key with leading zeros
|
174
|
-
// removed. This may result in sporadic key mismatch and, if |dh| is reused,
|
175
|
-
// side channel attacks such as https://raccoon-attack.com/.
|
176
|
+
// WARNING: this differs from the usual BoringSSL return-value convention.
|
176
177
|
//
|
177
|
-
//
|
178
|
-
//
|
179
|
-
|
180
|
-
|
178
|
+
// Note this function differs from |DH_compute_key| in that it preserves leading
|
179
|
+
// zeros in the secret. This function is the preferred variant. It matches PKCS
|
180
|
+
// #3 and avoids some side channel attacks. However, the two functions are not
|
181
|
+
// drop-in replacements for each other. Using a different variant than the
|
182
|
+
// application expects will result in sporadic key mismatches.
|
183
|
+
//
|
184
|
+
// Callers that expect a fixed-width secret should use this function over
|
185
|
+
// |DH_compute_key|. Callers that use either function should migrate to a modern
|
186
|
+
// primitive such as X25519 or ECDH with P-256 instead.
|
187
|
+
OPENSSL_EXPORT int DH_compute_key_padded(uint8_t *out, const BIGNUM *peers_key,
|
188
|
+
DH *dh);
|
189
|
+
|
190
|
+
// DH_compute_key_hashed calculates the shared key between |dh| and |peers_key|
|
191
|
+
// and hashes it with the given |digest|. If the hash output is less than
|
192
|
+
// |max_out_len| bytes then it writes the hash output to |out| and sets
|
193
|
+
// |*out_len| to the number of bytes written. Otherwise it signals an error. It
|
194
|
+
// returns one on success or zero on error.
|
195
|
+
//
|
196
|
+
// NOTE: this follows the usual BoringSSL return-value convention, but that's
|
197
|
+
// different from |DH_compute_key| and |DH_compute_key_padded|.
|
198
|
+
OPENSSL_EXPORT int DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len,
|
199
|
+
size_t max_out_len,
|
200
|
+
const BIGNUM *peers_key,
|
201
|
+
const EVP_MD *digest);
|
181
202
|
|
182
203
|
|
183
204
|
// Utility functions.
|
@@ -237,18 +258,6 @@ OPENSSL_EXPORT DH *DH_parse_parameters(CBS *cbs);
|
|
237
258
|
OPENSSL_EXPORT int DH_marshal_parameters(CBB *cbb, const DH *dh);
|
238
259
|
|
239
260
|
|
240
|
-
// ex_data functions.
|
241
|
-
//
|
242
|
-
// See |ex_data.h| for details.
|
243
|
-
|
244
|
-
OPENSSL_EXPORT int DH_get_ex_new_index(long argl, void *argp,
|
245
|
-
CRYPTO_EX_unused *unused,
|
246
|
-
CRYPTO_EX_dup *dup_unused,
|
247
|
-
CRYPTO_EX_free *free_func);
|
248
|
-
OPENSSL_EXPORT int DH_set_ex_data(DH *d, int idx, void *arg);
|
249
|
-
OPENSSL_EXPORT void *DH_get_ex_data(DH *d, int idx);
|
250
|
-
|
251
|
-
|
252
261
|
// Deprecated functions.
|
253
262
|
|
254
263
|
// DH_generate_parameters behaves like |DH_generate_parameters_ex|, which is
|
@@ -278,6 +287,28 @@ OPENSSL_EXPORT DH *d2i_DHparams(DH **ret, const unsigned char **inp, long len);
|
|
278
287
|
// Use |DH_marshal_parameters| instead.
|
279
288
|
OPENSSL_EXPORT int i2d_DHparams(const DH *in, unsigned char **outp);
|
280
289
|
|
290
|
+
// DH_compute_key behaves like |DH_compute_key_padded| but, contrary to PKCS #3,
|
291
|
+
// returns a variable-length shared key with leading zeros. It returns the
|
292
|
+
// number of bytes written, or a negative number on error. |out| must have
|
293
|
+
// |DH_size| bytes of space.
|
294
|
+
//
|
295
|
+
// WARNING: this differs from the usual BoringSSL return-value convention.
|
296
|
+
//
|
297
|
+
// Note this function's running time and memory access pattern leaks information
|
298
|
+
// about the shared secret. Particularly if |dh| is reused, this may result in
|
299
|
+
// side channel attacks such as https://raccoon-attack.com/.
|
300
|
+
//
|
301
|
+
// |DH_compute_key_padded| is the preferred variant and avoids the above
|
302
|
+
// attacks. However, the two functions are not drop-in replacements for each
|
303
|
+
// other. Using a different variant than the application expects will result in
|
304
|
+
// sporadic key mismatches.
|
305
|
+
//
|
306
|
+
// Callers that expect a fixed-width secret should use |DH_compute_key_padded|
|
307
|
+
// instead. Callers that use either function should migrate to a modern
|
308
|
+
// primitive such as X25519 or ECDH with P-256 instead.
|
309
|
+
OPENSSL_EXPORT int DH_compute_key(uint8_t *out, const BIGNUM *peers_key,
|
310
|
+
DH *dh);
|
311
|
+
|
281
312
|
|
282
313
|
struct dh_st {
|
283
314
|
BIGNUM *p;
|
@@ -301,7 +332,6 @@ struct dh_st {
|
|
301
332
|
|
302
333
|
int flags;
|
303
334
|
CRYPTO_refcount_t references;
|
304
|
-
CRYPTO_EX_DATA ex_data;
|
305
335
|
};
|
306
336
|
|
307
337
|
|
@@ -84,6 +84,7 @@ OPENSSL_EXPORT const EVP_MD *EVP_sha256(void);
|
|
84
84
|
OPENSSL_EXPORT const EVP_MD *EVP_sha384(void);
|
85
85
|
OPENSSL_EXPORT const EVP_MD *EVP_sha512(void);
|
86
86
|
OPENSSL_EXPORT const EVP_MD *EVP_sha512_256(void);
|
87
|
+
OPENSSL_EXPORT const EVP_MD *EVP_blake2b256(void);
|
87
88
|
|
88
89
|
// EVP_md5_sha1 is a TLS-specific |EVP_MD| which computes the concatenation of
|
89
90
|
// MD5 and SHA-1, as used in TLS 1.1 and below.
|
@@ -221,6 +221,13 @@ OPENSSL_EXPORT int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
|
|
221
221
|
BIGNUM *x, BIGNUM *y,
|
222
222
|
BN_CTX *ctx);
|
223
223
|
|
224
|
+
// EC_POINT_get_affine_coordinates is an alias of
|
225
|
+
// |EC_POINT_get_affine_coordinates_GFp|.
|
226
|
+
OPENSSL_EXPORT int EC_POINT_get_affine_coordinates(const EC_GROUP *group,
|
227
|
+
const EC_POINT *point,
|
228
|
+
BIGNUM *x, BIGNUM *y,
|
229
|
+
BN_CTX *ctx);
|
230
|
+
|
224
231
|
// EC_POINT_set_affine_coordinates_GFp sets the value of |point| to be
|
225
232
|
// (|x|, |y|). The |ctx| argument may be used if not NULL. It returns one
|
226
233
|
// on success or zero on error. It's considered an error if the point is not on
|
@@ -237,6 +244,14 @@ OPENSSL_EXPORT int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group,
|
|
237
244
|
const BIGNUM *y,
|
238
245
|
BN_CTX *ctx);
|
239
246
|
|
247
|
+
// EC_POINT_set_affine_coordinates is an alias of
|
248
|
+
// |EC_POINT_set_affine_coordinates_GFp|.
|
249
|
+
OPENSSL_EXPORT int EC_POINT_set_affine_coordinates(const EC_GROUP *group,
|
250
|
+
EC_POINT *point,
|
251
|
+
const BIGNUM *x,
|
252
|
+
const BIGNUM *y,
|
253
|
+
BN_CTX *ctx);
|
254
|
+
|
240
255
|
// EC_POINT_point2oct serialises |point| into the X9.62 form given by |form|
|
241
256
|
// into, at most, |len| bytes at |buf|. It returns the number of bytes written
|
242
257
|
// or zero on error if |buf| is non-NULL, else the number of bytes needed. The
|
@@ -716,7 +716,8 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx,
|
|
716
716
|
// RSA specific control functions.
|
717
717
|
|
718
718
|
// EVP_PKEY_CTX_set_rsa_padding sets the padding type to use. It should be one
|
719
|
-
// of the |RSA_*_PADDING| values. Returns one on success or zero on error.
|
719
|
+
// of the |RSA_*_PADDING| values. Returns one on success or zero on error. By
|
720
|
+
// default, the padding is |RSA_PKCS1_PADDING|.
|
720
721
|
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding);
|
721
722
|
|
722
723
|
// EVP_PKEY_CTX_get_rsa_padding sets |*out_padding| to the current padding
|
@@ -734,6 +735,8 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx,
|
|
734
735
|
// If unsure, use -1.
|
735
736
|
//
|
736
737
|
// Returns one on success or zero on error.
|
738
|
+
//
|
739
|
+
// TODO(davidben): The default is currently -2. Switch it to -1.
|
737
740
|
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx,
|
738
741
|
int salt_len);
|
739
742
|
|
@@ -758,7 +761,10 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx,
|
|
758
761
|
BIGNUM *e);
|
759
762
|
|
760
763
|
// EVP_PKEY_CTX_set_rsa_oaep_md sets |md| as the digest used in OAEP padding.
|
761
|
-
// Returns one on success or zero on error.
|
764
|
+
// Returns one on success or zero on error. If unset, the default is SHA-1.
|
765
|
+
// Callers are recommended to overwrite this default.
|
766
|
+
//
|
767
|
+
// TODO(davidben): Remove the default and require callers specify this.
|
762
768
|
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx,
|
763
769
|
const EVP_MD *md);
|
764
770
|
|
@@ -769,6 +775,10 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx,
|
|
769
775
|
|
770
776
|
// EVP_PKEY_CTX_set_rsa_mgf1_md sets |md| as the digest used in MGF1. Returns
|
771
777
|
// one on success or zero on error.
|
778
|
+
//
|
779
|
+
// If unset, the default is the signing hash for |RSA_PKCS1_PSS_PADDING| and the
|
780
|
+
// OAEP hash for |RSA_PKCS1_OAEP_PADDING|. Callers are recommended to use this
|
781
|
+
// default and not call this function.
|
772
782
|
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx,
|
773
783
|
const EVP_MD *md);
|
774
784
|
|
@@ -97,6 +97,9 @@ struct rand_meth_st {
|
|
97
97
|
// RAND_SSLeay returns a pointer to a dummy |RAND_METHOD|.
|
98
98
|
OPENSSL_EXPORT RAND_METHOD *RAND_SSLeay(void);
|
99
99
|
|
100
|
+
// RAND_OpenSSL returns a pointer to a dummy |RAND_METHOD|.
|
101
|
+
OPENSSL_EXPORT RAND_METHOD *RAND_OpenSSL(void);
|
102
|
+
|
100
103
|
// RAND_get_rand_method returns |RAND_SSLeay()|.
|
101
104
|
OPENSSL_EXPORT const RAND_METHOD *RAND_get_rand_method(void);
|
102
105
|
|
@@ -267,7 +267,7 @@ OPENSSL_EXPORT int SSL_is_dtls(const SSL *ssl);
|
|
267
267
|
// |SSL_set0_rbio| and |SSL_set0_wbio| instead.
|
268
268
|
OPENSSL_EXPORT void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);
|
269
269
|
|
270
|
-
// SSL_set0_rbio configures |ssl| to
|
270
|
+
// SSL_set0_rbio configures |ssl| to read from |rbio|. It takes ownership of
|
271
271
|
// |rbio|.
|
272
272
|
//
|
273
273
|
// Note that, although this function and |SSL_set0_wbio| may be called on the
|
@@ -1738,9 +1738,9 @@ OPENSSL_EXPORT void SSL_SESSION_get0_ocsp_response(const SSL_SESSION *session,
|
|
1738
1738
|
// SSL_MAX_MASTER_KEY_LENGTH is the maximum length of a master secret.
|
1739
1739
|
#define SSL_MAX_MASTER_KEY_LENGTH 48
|
1740
1740
|
|
1741
|
-
// SSL_SESSION_get_master_key writes up to |max_out| bytes of |session|'s
|
1742
|
-
//
|
1743
|
-
//
|
1741
|
+
// SSL_SESSION_get_master_key writes up to |max_out| bytes of |session|'s secret
|
1742
|
+
// to |out| and returns the number of bytes written. If |max_out| is zero, it
|
1743
|
+
// returns the size of the secret.
|
1744
1744
|
OPENSSL_EXPORT size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
|
1745
1745
|
uint8_t *out, size_t max_out);
|
1746
1746
|
|
@@ -2823,13 +2823,11 @@ OPENSSL_EXPORT int SSL_has_application_settings(const SSL *ssl);
|
|
2823
2823
|
|
2824
2824
|
// Certificate compression.
|
2825
2825
|
//
|
2826
|
-
// Certificates in TLS 1.3 can be compressed
|
2827
|
-
// a client and a server, but does not link against any specific
|
2828
|
-
// libraries in order to keep dependencies to a minimum. Instead,
|
2829
|
-
// compression and decompression can be installed in an |SSL_CTX| to
|
2830
|
-
// support.
|
2831
|
-
//
|
2832
|
-
// [1] https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03.
|
2826
|
+
// Certificates in TLS 1.3 can be compressed (RFC 8879). BoringSSL supports this
|
2827
|
+
// as both a client and a server, but does not link against any specific
|
2828
|
+
// compression libraries in order to keep dependencies to a minimum. Instead,
|
2829
|
+
// hooks for compression and decompression can be installed in an |SSL_CTX| to
|
2830
|
+
// enable support.
|
2833
2831
|
|
2834
2832
|
// ssl_cert_compression_func_t is a pointer to a function that performs
|
2835
2833
|
// compression. It must write the compressed representation of |in| to |out|,
|
@@ -3386,6 +3384,12 @@ OPENSSL_EXPORT int SSL_set_quic_transport_params(SSL *ssl,
|
|
3386
3384
|
OPENSSL_EXPORT void SSL_get_peer_quic_transport_params(
|
3387
3385
|
const SSL *ssl, const uint8_t **out_params, size_t *out_params_len);
|
3388
3386
|
|
3387
|
+
// SSL_set_quic_use_legacy_codepoint configures whether to use the legacy QUIC
|
3388
|
+
// extension codepoint 0xffa5 as opposed to the official value 57. Call with
|
3389
|
+
// |use_legacy| set to 1 to use 0xffa5 and call with 0 to use 57. The default
|
3390
|
+
// value for this is currently 1 but it will change to 0 at a later date.
|
3391
|
+
OPENSSL_EXPORT void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy);
|
3392
|
+
|
3389
3393
|
// SSL_set_quic_early_data_context configures a context string in QUIC servers
|
3390
3394
|
// for accepting early data. If a resumption connection offers early data, the
|
3391
3395
|
// server will check if the value matches that of the connection which minted
|
@@ -3555,6 +3559,21 @@ OPENSSL_EXPORT const char *SSL_early_data_reason_string(
|
|
3555
3559
|
enum ssl_early_data_reason_t reason);
|
3556
3560
|
|
3557
3561
|
|
3562
|
+
// Encrypted Client Hello.
|
3563
|
+
//
|
3564
|
+
// ECH is a mechanism for encrypting the entire ClientHello message in TLS 1.3.
|
3565
|
+
// This can prevent observers from seeing cleartext information about the
|
3566
|
+
// connection, such as the server_name extension.
|
3567
|
+
//
|
3568
|
+
// ECH support in BoringSSL is still experimental and under development.
|
3569
|
+
//
|
3570
|
+
// See https://tools.ietf.org/html/draft-ietf-tls-esni-09.
|
3571
|
+
|
3572
|
+
// SSL_set_enable_ech_grease configures whether the client may send ECH GREASE
|
3573
|
+
// as part of this connection.
|
3574
|
+
OPENSSL_EXPORT void SSL_set_enable_ech_grease(SSL *ssl, int enable);
|
3575
|
+
|
3576
|
+
|
3558
3577
|
// Alerts.
|
3559
3578
|
//
|
3560
3579
|
// TLS uses alerts to signal error conditions. Alerts have a type (warning or
|
@@ -4087,19 +4106,6 @@ OPENSSL_EXPORT size_t SSL_max_seal_overhead(const SSL *ssl);
|
|
4087
4106
|
OPENSSL_EXPORT void SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX *ctx,
|
4088
4107
|
int allowed);
|
4089
4108
|
|
4090
|
-
// SSL_CTX_set_ignore_tls13_downgrade configures whether connections on |ctx|
|
4091
|
-
// ignore the downgrade signal in the server's random value.
|
4092
|
-
OPENSSL_EXPORT void SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX *ctx,
|
4093
|
-
int ignore);
|
4094
|
-
|
4095
|
-
// SSL_set_ignore_tls13_downgrade configures whether |ssl| ignores the downgrade
|
4096
|
-
// signal in the server's random value.
|
4097
|
-
OPENSSL_EXPORT void SSL_set_ignore_tls13_downgrade(SSL *ssl, int ignore);
|
4098
|
-
|
4099
|
-
// SSL_is_tls13_downgrade returns one if the TLS 1.3 anti-downgrade
|
4100
|
-
// mechanism would have aborted |ssl|'s handshake and zero otherwise.
|
4101
|
-
OPENSSL_EXPORT int SSL_is_tls13_downgrade(const SSL *ssl);
|
4102
|
-
|
4103
4109
|
// SSL_used_hello_retry_request returns one if the TLS 1.3 HelloRetryRequest
|
4104
4110
|
// message has been either sent by the server or received by the client. It
|
4105
4111
|
// returns zero otherwise.
|
@@ -4776,6 +4782,18 @@ OPENSSL_EXPORT int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
|
|
4776
4782
|
// name and remove this one.
|
4777
4783
|
OPENSSL_EXPORT uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *cipher);
|
4778
4784
|
|
4785
|
+
// SSL_CTX_set_ignore_tls13_downgrade does nothing.
|
4786
|
+
OPENSSL_EXPORT void SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX *ctx,
|
4787
|
+
int ignore);
|
4788
|
+
|
4789
|
+
// SSL_set_ignore_tls13_downgrade does nothing.
|
4790
|
+
OPENSSL_EXPORT void SSL_set_ignore_tls13_downgrade(SSL *ssl, int ignore);
|
4791
|
+
|
4792
|
+
// SSL_is_tls13_downgrade returns zero. Historically, this function returned
|
4793
|
+
// whether the TLS 1.3 downgrade signal would have been enforced if not
|
4794
|
+
// disabled. The TLS 1.3 downgrade signal is now always enforced.
|
4795
|
+
OPENSSL_EXPORT int SSL_is_tls13_downgrade(const SSL *ssl);
|
4796
|
+
|
4779
4797
|
|
4780
4798
|
// Nodejs compatibility section (hidden).
|
4781
4799
|
//
|
@@ -206,13 +206,27 @@ extern "C" {
|
|
206
206
|
// ExtensionType value from draft-ietf-tokbind-negotiation-10
|
207
207
|
#define TLSEXT_TYPE_token_binding 24
|
208
208
|
|
209
|
-
// ExtensionType value from draft-ietf-quic-tls.
|
210
|
-
//
|
211
|
-
//
|
212
|
-
|
213
|
-
|
214
|
-
|
215
|
-
|
209
|
+
// ExtensionType value from draft-ietf-quic-tls. Drafts 00 through 32 use
|
210
|
+
// 0xffa5 which is part of the Private Use section of the registry, and it
|
211
|
+
// collides with TLS-LTS and, based on scans, something else too (though this
|
212
|
+
// hasn't been a problem in practice since it's QUIC-only). Drafts 33 onward
|
213
|
+
// use the value 57 which was officially registered with IANA.
|
214
|
+
#define TLSEXT_TYPE_quic_transport_parameters_legacy 0xffa5
|
215
|
+
#define TLSEXT_TYPE_quic_transport_parameters_standard 57
|
216
|
+
|
217
|
+
// TLSEXT_TYPE_quic_transport_parameters is an alias for
|
218
|
+
// |TLSEXT_TYPE_quic_transport_parameters_legacy|. It will switch to
|
219
|
+
// |TLSEXT_TYPE_quic_transport_parameters_standard| at a later date.
|
220
|
+
//
|
221
|
+
// Callers using |SSL_set_quic_use_legacy_codepoint| should use
|
222
|
+
// |TLSEXT_TYPE_quic_transport_parameters_legacy| or
|
223
|
+
// |TLSEXT_TYPE_quic_transport_parameters_standard| rather than this constant.
|
224
|
+
// When the default code point is switched to the standard one, this value will
|
225
|
+
// be updated and we will transition callers back to the unsuffixed constant.
|
226
|
+
#define TLSEXT_TYPE_quic_transport_parameters \
|
227
|
+
TLSEXT_TYPE_quic_transport_parameters_legacy
|
228
|
+
|
229
|
+
// ExtensionType value from RFC8879
|
216
230
|
#define TLSEXT_TYPE_cert_compression 27
|
217
231
|
|
218
232
|
// ExtensionType value from RFC4507
|
@@ -239,6 +253,11 @@ extern "C" {
|
|
239
253
|
// extension number.
|
240
254
|
#define TLSEXT_TYPE_application_settings 17513
|
241
255
|
|
256
|
+
// ExtensionType values from draft-ietf-tls-esni-09. This is not an IANA defined
|
257
|
+
// extension number.
|
258
|
+
#define TLSEXT_TYPE_encrypted_client_hello 0xfe09
|
259
|
+
#define TLSEXT_TYPE_ech_is_inner 0xda09
|
260
|
+
|
242
261
|
// ExtensionType value from RFC6962
|
243
262
|
#define TLSEXT_TYPE_certificate_timestamp 18
|
244
263
|
|
@@ -271,7 +290,7 @@ extern "C" {
|
|
271
290
|
#define TLSEXT_hash_sha384 5
|
272
291
|
#define TLSEXT_hash_sha512 6
|
273
292
|
|
274
|
-
// From https://
|
293
|
+
// From https://www.rfc-editor.org/rfc/rfc8879.html#section-3
|
275
294
|
#define TLSEXT_cert_compression_zlib 1
|
276
295
|
#define TLSEXT_cert_compression_brotli 2
|
277
296
|
|
@@ -143,7 +143,7 @@ DECLARE_ASN1_SET_OF(X509_NAME_ENTRY)
|
|
143
143
|
|
144
144
|
// we always keep X509_NAMEs in 2 forms.
|
145
145
|
struct X509_name_st {
|
146
|
-
STACK_OF(X509_NAME_ENTRY) *
|
146
|
+
STACK_OF(X509_NAME_ENTRY) *entries;
|
147
147
|
int modified; // true if 'bytes' needs to be built
|
148
148
|
BUF_MEM *bytes;
|
149
149
|
// unsigned long hash; Keep the hash around for lookups
|
@@ -170,7 +170,7 @@ struct x509_attributes_st {
|
|
170
170
|
int single; // 0 for a set, 1 for a single item (which is wrong)
|
171
171
|
union {
|
172
172
|
char *ptr;
|
173
|
-
/* 0 */ STACK_OF(ASN1_TYPE) *
|
173
|
+
/* 0 */ STACK_OF(ASN1_TYPE) *set;
|
174
174
|
/* 1 */ ASN1_TYPE *single;
|
175
175
|
} value;
|
176
176
|
} /* X509_ATTRIBUTE */;
|
@@ -185,7 +185,7 @@ struct X509_req_info_st {
|
|
185
185
|
X509_NAME *subject;
|
186
186
|
X509_PUBKEY *pubkey;
|
187
187
|
// d=2 hl=2 l= 0 cons: cont: 00
|
188
|
-
STACK_OF(X509_ATTRIBUTE) *
|
188
|
+
STACK_OF(X509_ATTRIBUTE) *attributes; // [ 0 ]
|
189
189
|
} /* X509_REQ_INFO */;
|
190
190
|
|
191
191
|
struct X509_req_st {
|
@@ -203,9 +203,9 @@ struct x509_cinf_st {
|
|
203
203
|
X509_VAL *validity;
|
204
204
|
X509_NAME *subject;
|
205
205
|
X509_PUBKEY *key;
|
206
|
-
ASN1_BIT_STRING *issuerUID;
|
207
|
-
ASN1_BIT_STRING *subjectUID;
|
208
|
-
STACK_OF(X509_EXTENSION) *
|
206
|
+
ASN1_BIT_STRING *issuerUID; // [ 1 ] optional in v2
|
207
|
+
ASN1_BIT_STRING *subjectUID; // [ 2 ] optional in v2
|
208
|
+
STACK_OF(X509_EXTENSION) *extensions; // [ 3 ] optional in v3
|
209
209
|
ASN1_ENCODING enc;
|
210
210
|
} /* X509_CINF */;
|
211
211
|
|
@@ -215,11 +215,11 @@ struct x509_cinf_st {
|
|
215
215
|
// the end of the certificate itself
|
216
216
|
|
217
217
|
struct x509_cert_aux_st {
|
218
|
-
STACK_OF(ASN1_OBJECT) *
|
219
|
-
STACK_OF(ASN1_OBJECT) *
|
220
|
-
ASN1_UTF8STRING *alias;
|
221
|
-
ASN1_OCTET_STRING *keyid;
|
222
|
-
STACK_OF(X509_ALGOR) *
|
218
|
+
STACK_OF(ASN1_OBJECT) *trust; // trusted uses
|
219
|
+
STACK_OF(ASN1_OBJECT) *reject; // rejected uses
|
220
|
+
ASN1_UTF8STRING *alias; // "friendly name"
|
221
|
+
ASN1_OCTET_STRING *keyid; // key id of private key
|
222
|
+
STACK_OF(X509_ALGOR) *other; // other unspecified info
|
223
223
|
} /* X509_CERT_AUX */;
|
224
224
|
|
225
225
|
DECLARE_STACK_OF(DIST_POINT)
|
@@ -241,8 +241,8 @@ struct x509_st {
|
|
241
241
|
ASN1_OCTET_STRING *skid;
|
242
242
|
AUTHORITY_KEYID *akid;
|
243
243
|
X509_POLICY_CACHE *policy_cache;
|
244
|
-
STACK_OF(DIST_POINT) *
|
245
|
-
STACK_OF(GENERAL_NAME) *
|
244
|
+
STACK_OF(DIST_POINT) *crldp;
|
245
|
+
STACK_OF(GENERAL_NAME) *altname;
|
246
246
|
NAME_CONSTRAINTS *nc;
|
247
247
|
unsigned char sha1_hash[SHA_DIGEST_LENGTH];
|
248
248
|
X509_CERT_AUX *aux;
|
@@ -364,9 +364,9 @@ DEFINE_STACK_OF(X509_TRUST)
|
|
364
364
|
struct x509_revoked_st {
|
365
365
|
ASN1_INTEGER *serialNumber;
|
366
366
|
ASN1_TIME *revocationDate;
|
367
|
-
STACK_OF(X509_EXTENSION) /* optional */ *
|
367
|
+
STACK_OF(X509_EXTENSION) /* optional */ *extensions;
|
368
368
|
// Set up if indirect CRL
|
369
|
-
STACK_OF(GENERAL_NAME) *
|
369
|
+
STACK_OF(GENERAL_NAME) *issuer;
|
370
370
|
// Revocation reason
|
371
371
|
int reason;
|
372
372
|
int sequence; // load sequence
|
@@ -381,8 +381,8 @@ struct X509_crl_info_st {
|
|
381
381
|
X509_NAME *issuer;
|
382
382
|
ASN1_TIME *lastUpdate;
|
383
383
|
ASN1_TIME *nextUpdate;
|
384
|
-
STACK_OF(X509_REVOKED) *
|
385
|
-
STACK_OF(X509_EXTENSION) /* [0] */ *
|
384
|
+
STACK_OF(X509_REVOKED) *revoked;
|
385
|
+
STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
|
386
386
|
ASN1_ENCODING enc;
|
387
387
|
} /* X509_CRL_INFO */;
|
388
388
|
|
@@ -405,7 +405,7 @@ struct X509_crl_st {
|
|
405
405
|
ASN1_INTEGER *crl_number;
|
406
406
|
ASN1_INTEGER *base_crl_number;
|
407
407
|
unsigned char sha1_hash[SHA_DIGEST_LENGTH];
|
408
|
-
STACK_OF(GENERAL_NAMES) *
|
408
|
+
STACK_OF(GENERAL_NAMES) *issuers;
|
409
409
|
const X509_CRL_METHOD *meth;
|
410
410
|
void *meth_data;
|
411
411
|
} /* X509_CRL */;
|
@@ -610,8 +610,8 @@ OPENSSL_EXPORT X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
|
|
610
610
|
OPENSSL_EXPORT STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
|
611
611
|
|
612
612
|
// X509_CRL_get0_extensions returns |crl|'s extension list.
|
613
|
-
OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *
|
614
|
-
|
613
|
+
OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(
|
614
|
+
const X509_CRL *crl);
|
615
615
|
|
616
616
|
// X509_CINF_set_modified marks |cinf| as modified so that changes will be
|
617
617
|
// reflected in serializing the structure.
|
@@ -697,9 +697,8 @@ OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str,
|
|
697
697
|
OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki);
|
698
698
|
|
699
699
|
// NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an
|
700
|
-
// |EVP_PKEY|, or NULL on error. The
|
701
|
-
//
|
702
|
-
// |EVP_PKEY_up_ref| to extend the lifetime.
|
700
|
+
// |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting
|
701
|
+
// pointer and must call |EVP_PKEY_free| when done.
|
703
702
|
OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *spki);
|
704
703
|
|
705
704
|
// NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one
|
@@ -718,25 +717,95 @@ OPENSSL_EXPORT int X509_signature_dump(BIO *bio, const ASN1_STRING *sig,
|
|
718
717
|
OPENSSL_EXPORT int X509_signature_print(BIO *bio, const X509_ALGOR *alg,
|
719
718
|
const ASN1_STRING *sig);
|
720
719
|
|
721
|
-
|
722
|
-
|
723
|
-
|
724
|
-
|
725
|
-
OPENSSL_EXPORT int
|
726
|
-
|
727
|
-
|
720
|
+
// X509_sign signs |x509| with |pkey| and replaces the signature algorithm and
|
721
|
+
// signature fields. It returns one on success and zero on error. This function
|
722
|
+
// uses digest algorithm |md|, or |pkey|'s default if NULL. Other signing
|
723
|
+
// parameters use |pkey|'s defaults. To customize them, use |X509_sign_ctx|.
|
724
|
+
OPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md);
|
725
|
+
|
726
|
+
// X509_sign_ctx signs |x509| with |ctx| and replaces the signature algorithm
|
727
|
+
// and signature fields. It returns one on success and zero on error. The
|
728
|
+
// signature algorithm and parameters come from |ctx|, which must have been
|
729
|
+
// initialized with |EVP_DigestSignInit|. The caller should configure the
|
730
|
+
// corresponding |EVP_PKEY_CTX| before calling this function.
|
731
|
+
OPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx);
|
732
|
+
|
733
|
+
// X509_REQ_sign signs |req| with |pkey| and replaces the signature algorithm
|
734
|
+
// and signature fields. It returns one on success and zero on error. This
|
735
|
+
// function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
|
736
|
+
// signing parameters use |pkey|'s defaults. To customize them, use
|
737
|
+
// |X509_REQ_sign_ctx|.
|
738
|
+
OPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey,
|
739
|
+
const EVP_MD *md);
|
740
|
+
|
741
|
+
// X509_REQ_sign_ctx signs |req| with |ctx| and replaces the signature algorithm
|
742
|
+
// and signature fields. It returns one on success and zero on error. The
|
743
|
+
// signature algorithm and parameters come from |ctx|, which must have been
|
744
|
+
// initialized with |EVP_DigestSignInit|. The caller should configure the
|
745
|
+
// corresponding |EVP_PKEY_CTX| before calling this function.
|
746
|
+
OPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx);
|
747
|
+
|
748
|
+
// X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm
|
749
|
+
// and signature fields. It returns one on success and zero on error. This
|
750
|
+
// function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
|
751
|
+
// signing parameters use |pkey|'s defaults. To customize them, use
|
752
|
+
// |X509_CRL_sign_ctx|.
|
753
|
+
OPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey,
|
754
|
+
const EVP_MD *md);
|
755
|
+
|
756
|
+
// X509_CRL_sign_ctx signs |crl| with |ctx| and replaces the signature algorithm
|
757
|
+
// and signature fields. It returns one on success and zero on error. The
|
758
|
+
// signature algorithm and parameters come from |ctx|, which must have been
|
759
|
+
// initialized with |EVP_DigestSignInit|. The caller should configure the
|
760
|
+
// corresponding |EVP_PKEY_CTX| before calling this function.
|
761
|
+
OPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx);
|
762
|
+
|
763
|
+
// NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature
|
764
|
+
// algorithm and signature fields. It returns one on success and zero on error.
|
765
|
+
// This function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
|
766
|
+
// signing parameters use |pkey|'s defaults.
|
767
|
+
OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey,
|
728
768
|
const EVP_MD *md);
|
729
769
|
|
730
|
-
|
731
|
-
|
732
|
-
|
733
|
-
|
734
|
-
|
735
|
-
|
736
|
-
|
737
|
-
|
738
|
-
|
739
|
-
|
770
|
+
// X509_pubkey_digest hashes the DER encoding of |x509|'s subjectPublicKeyInfo
|
771
|
+
// field with |md| and writes the result to |out|. |EVP_MD_CTX_size| bytes are
|
772
|
+
// written, which is at most |EVP_MAX_MD_SIZE|. If |out_len| is not NULL,
|
773
|
+
// |*out_len| is set to the number of bytes written. This function returns one
|
774
|
+
// on success and zero on error.
|
775
|
+
OPENSSL_EXPORT int X509_pubkey_digest(const X509 *x509, const EVP_MD *md,
|
776
|
+
uint8_t *out, unsigned *out_len);
|
777
|
+
|
778
|
+
// X509_digest hashes |x509|'s DER encoding with |md| and writes the result to
|
779
|
+
// |out|. |EVP_MD_CTX_size| bytes are written, which is at most
|
780
|
+
// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
|
781
|
+
// of bytes written. This function returns one on success and zero on error.
|
782
|
+
// Note this digest covers the entire certificate, not just the signed portion.
|
783
|
+
OPENSSL_EXPORT int X509_digest(const X509 *x509, const EVP_MD *md, uint8_t *out,
|
784
|
+
unsigned *out_len);
|
785
|
+
|
786
|
+
// X509_CRL_digest hashes |crl|'s DER encoding with |md| and writes the result
|
787
|
+
// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
|
788
|
+
// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
|
789
|
+
// of bytes written. This function returns one on success and zero on error.
|
790
|
+
// Note this digest covers the entire CRL, not just the signed portion.
|
791
|
+
OPENSSL_EXPORT int X509_CRL_digest(const X509_CRL *crl, const EVP_MD *md,
|
792
|
+
uint8_t *out, unsigned *out_len);
|
793
|
+
|
794
|
+
// X509_REQ_digest hashes |req|'s DER encoding with |md| and writes the result
|
795
|
+
// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
|
796
|
+
// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
|
797
|
+
// of bytes written. This function returns one on success and zero on error.
|
798
|
+
// Note this digest covers the entire certificate request, not just the signed
|
799
|
+
// portion.
|
800
|
+
OPENSSL_EXPORT int X509_REQ_digest(const X509_REQ *req, const EVP_MD *md,
|
801
|
+
uint8_t *out, unsigned *out_len);
|
802
|
+
|
803
|
+
// X509_NAME_digest hashes |name|'s DER encoding with |md| and writes the result
|
804
|
+
// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
|
805
|
+
// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
|
806
|
+
// of bytes written. This function returns one on success and zero on error.
|
807
|
+
OPENSSL_EXPORT int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md,
|
808
|
+
uint8_t *out, unsigned *out_len);
|
740
809
|
|
741
810
|
// X509_parse_from_buffer parses an X.509 structure from |buf| and returns a
|
742
811
|
// fresh X509 or NULL on error. There must not be any trailing data in |buf|.
|
@@ -899,14 +968,58 @@ OPENSSL_EXPORT int i2d_X509_AUX(X509 *a, unsigned char **pp);
|
|
899
968
|
OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp,
|
900
969
|
long length);
|
901
970
|
|
902
|
-
|
971
|
+
// i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|. If |outp| is
|
972
|
+
// NULL, nothing is written. Otherwise, if |*outp| is not NULL, the result is
|
973
|
+
// written to |*outp|, which must have enough space available, and |*outp| is
|
974
|
+
// advanced just past the output. If |outp| is non-NULL and |*outp| is NULL, it
|
975
|
+
// sets |*outp| to a newly-allocated buffer containing the result. The caller is
|
976
|
+
// responsible for releasing the buffer with |OPENSSL_free|. In all cases, this
|
977
|
+
// function returns the number of bytes in the result, whether written or not,
|
978
|
+
// or a negative value on error.
|
979
|
+
//
|
980
|
+
// This function re-encodes the TBSCertificate and may not reflect |x509|'s
|
981
|
+
// original encoding. It may be used to manually generate a signature for a new
|
982
|
+
// certificate. To verify certificates, use |i2d_X509_tbs| instead.
|
983
|
+
OPENSSL_EXPORT int i2d_re_X509_tbs(X509 *x509, unsigned char **outp);
|
984
|
+
|
985
|
+
// i2d_X509_tbs serializes the TBSCertificate portion of |x509|. If |outp| is
|
986
|
+
// NULL, nothing is written. Otherwise, if |*outp| is not NULL, the result is
|
987
|
+
// written to |*outp|, which must have enough space available, and |*outp| is
|
988
|
+
// advanced just past the output. If |outp| is non-NULL and |*outp| is NULL, it
|
989
|
+
// sets |*outp| to a newly-allocated buffer containing the result. The caller is
|
990
|
+
// responsible for releasing the buffer with |OPENSSL_free|. In all cases, this
|
991
|
+
// function returns the number of bytes in the result, whether written or not,
|
992
|
+
// or a negative value on error.
|
993
|
+
//
|
994
|
+
// This function preserves the original encoding of the TBSCertificate and may
|
995
|
+
// not reflect modifications made to |x509|. It may be used to manually verify
|
996
|
+
// the signature of an existing certificate. To generate certificates, use
|
997
|
+
// |i2d_re_X509_tbs| instead.
|
998
|
+
OPENSSL_EXPORT int i2d_X509_tbs(X509 *x509, unsigned char **outp);
|
999
|
+
|
1000
|
+
// X509_set1_signature_algo sets |x509|'s signature algorithm to |algo| and
|
1001
|
+
// returns one on success or zero on error. It updates both the signature field
|
1002
|
+
// of the TBSCertificate structure, and the signatureAlgorithm field of the
|
1003
|
+
// Certificate.
|
1004
|
+
OPENSSL_EXPORT int X509_set1_signature_algo(X509 *x509, const X509_ALGOR *algo);
|
1005
|
+
|
1006
|
+
// X509_set1_signature_value sets |x509|'s signature to a copy of the |sig_len|
|
1007
|
+
// bytes pointed by |sig|. It returns one on success and zero on error.
|
1008
|
+
//
|
1009
|
+
// Due to a specification error, X.509 certificates store signatures in ASN.1
|
1010
|
+
// BIT STRINGs, but signature algorithms return byte strings rather than bit
|
1011
|
+
// strings. This function creates a BIT STRING containing a whole number of
|
1012
|
+
// bytes, with the bit order matching the DER encoding. This matches the
|
1013
|
+
// encoding used by all X.509 signature algorithms.
|
1014
|
+
OPENSSL_EXPORT int X509_set1_signature_value(X509 *x509, const uint8_t *sig,
|
1015
|
+
size_t sig_len);
|
903
1016
|
|
904
1017
|
OPENSSL_EXPORT void X509_get0_signature(const ASN1_BIT_STRING **psig,
|
905
1018
|
const X509_ALGOR **palg, const X509 *x);
|
906
1019
|
OPENSSL_EXPORT int X509_get_signature_nid(const X509 *x);
|
907
1020
|
|
908
|
-
OPENSSL_EXPORT int X509_alias_set1(X509 *x, unsigned char *name, int len);
|
909
|
-
OPENSSL_EXPORT int X509_keyid_set1(X509 *x, unsigned char *id, int len);
|
1021
|
+
OPENSSL_EXPORT int X509_alias_set1(X509 *x, const unsigned char *name, int len);
|
1022
|
+
OPENSSL_EXPORT int X509_keyid_set1(X509 *x, const unsigned char *id, int len);
|
910
1023
|
OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x, int *len);
|
911
1024
|
OPENSSL_EXPORT unsigned char *X509_keyid_get0(X509 *x, int *len);
|
912
1025
|
OPENSSL_EXPORT int (*X509_TRUST_set_default(int (*trust)(int, X509 *,
|
@@ -968,8 +1081,8 @@ OPENSSL_EXPORT X509_NAME *X509_get_subject_name(const X509 *a);
|
|
968
1081
|
OPENSSL_EXPORT int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
|
969
1082
|
OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(X509 *x);
|
970
1083
|
OPENSSL_EXPORT ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x);
|
971
|
-
OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *
|
972
|
-
|
1084
|
+
OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_get0_extensions(
|
1085
|
+
const X509 *x);
|
973
1086
|
OPENSSL_EXPORT const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x);
|
974
1087
|
|
975
1088
|
OPENSSL_EXPORT int X509_REQ_set_version(X509_REQ *x, long version);
|
@@ -984,13 +1097,12 @@ OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
|
|
984
1097
|
OPENSSL_EXPORT int X509_REQ_extension_nid(int nid);
|
985
1098
|
OPENSSL_EXPORT const int *X509_REQ_get_extension_nids(void);
|
986
1099
|
OPENSSL_EXPORT void X509_REQ_set_extension_nids(const int *nids);
|
987
|
-
OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *
|
988
|
-
X509_REQ_get_extensions(X509_REQ *req);
|
1100
|
+
OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req);
|
989
1101
|
OPENSSL_EXPORT int X509_REQ_add_extensions_nid(X509_REQ *req,
|
990
|
-
STACK_OF(X509_EXTENSION) *
|
1102
|
+
STACK_OF(X509_EXTENSION) *exts,
|
991
1103
|
int nid);
|
992
1104
|
OPENSSL_EXPORT int X509_REQ_add_extensions(X509_REQ *req,
|
993
|
-
STACK_OF(X509_EXTENSION) *
|
1105
|
+
STACK_OF(X509_EXTENSION) *exts);
|
994
1106
|
OPENSSL_EXPORT int X509_REQ_get_attr_count(const X509_REQ *req);
|
995
1107
|
OPENSSL_EXPORT int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
|
996
1108
|
int lastpos);
|
@@ -1020,20 +1132,59 @@ OPENSSL_EXPORT void X509_CRL_get0_signature(const X509_CRL *crl,
|
|
1020
1132
|
const ASN1_BIT_STRING **psig,
|
1021
1133
|
const X509_ALGOR **palg);
|
1022
1134
|
OPENSSL_EXPORT int X509_CRL_get_signature_nid(const X509_CRL *crl);
|
1023
|
-
OPENSSL_EXPORT int i2d_re_X509_CRL_tbs(X509_CRL *req, unsigned char **pp);
|
1024
1135
|
|
1136
|
+
// i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|. If |outp| is
|
1137
|
+
// NULL, nothing is written. Otherwise, if |*outp| is not NULL, the result is
|
1138
|
+
// written to |*outp|, which must have enough space available, and |*outp| is
|
1139
|
+
// advanced just past the output. If |outp| is non-NULL and |*outp| is NULL, it
|
1140
|
+
// sets |*outp| to a newly-allocated buffer containing the result. The caller is
|
1141
|
+
// responsible for releasing the buffer with |OPENSSL_free|. In all cases, this
|
1142
|
+
// function returns the number of bytes in the result, whether written or not,
|
1143
|
+
// or a negative value on error.
|
1144
|
+
//
|
1145
|
+
// This function re-encodes the TBSCertList and may not reflect |crl|'s original
|
1146
|
+
// encoding. It may be used to manually generate a signature for a new CRL. To
|
1147
|
+
// verify CRLs, use |i2d_X509_CRL_tbs| instead.
|
1148
|
+
OPENSSL_EXPORT int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp);
|
1149
|
+
|
1150
|
+
// i2d_X509_CRL_tbs serializes the TBSCertList portion of |crl|. If |outp| is
|
1151
|
+
// NULL, nothing is written. Otherwise, if |*outp| is not NULL, the result is
|
1152
|
+
// written to |*outp|, which must have enough space available, and |*outp| is
|
1153
|
+
// advanced just past the output. If |outp| is non-NULL and |*outp| is NULL, it
|
1154
|
+
// sets |*outp| to a newly-allocated buffer containing the result. The caller is
|
1155
|
+
// responsible for releasing the buffer with |OPENSSL_free|. In all cases, this
|
1156
|
+
// function returns the number of bytes in the result, whether written or not,
|
1157
|
+
// or a negative value on error.
|
1158
|
+
//
|
1159
|
+
// This function preserves the original encoding of the TBSCertList and may not
|
1160
|
+
// reflect modifications made to |crl|. It may be used to manually verify the
|
1161
|
+
// signature of an existing CRL. To generate CRLs, use |i2d_re_X509_CRL_tbs|
|
1162
|
+
// instead.
|
1163
|
+
OPENSSL_EXPORT int i2d_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp);
|
1164
|
+
|
1165
|
+
// X509_REVOKED_get0_serialNumber returns the serial number of the certificate
|
1166
|
+
// revoked by |revoked|.
|
1025
1167
|
OPENSSL_EXPORT const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(
|
1026
|
-
const X509_REVOKED *
|
1027
|
-
|
1028
|
-
|
1168
|
+
const X509_REVOKED *revoked);
|
1169
|
+
|
1170
|
+
// X509_REVOKED_set_serialNumber sets |revoked|'s serial number to |serial|. It
|
1171
|
+
// returns one on success or zero on error.
|
1172
|
+
OPENSSL_EXPORT int X509_REVOKED_set_serialNumber(X509_REVOKED *revoked,
|
1173
|
+
const ASN1_INTEGER *serial);
|
1174
|
+
|
1175
|
+
// X509_REVOKED_get0_revocationDate returns the revocation time of the
|
1176
|
+
// certificate revoked by |revoked|.
|
1029
1177
|
OPENSSL_EXPORT const ASN1_TIME *X509_REVOKED_get0_revocationDate(
|
1030
|
-
const X509_REVOKED *
|
1031
|
-
|
1032
|
-
|
1178
|
+
const X509_REVOKED *revoked);
|
1179
|
+
|
1180
|
+
// X509_REVOKED_set_revocationDate sets |revoked|'s revocation time to |tm|. It
|
1181
|
+
// returns one on success or zero on error.
|
1182
|
+
OPENSSL_EXPORT int X509_REVOKED_set_revocationDate(X509_REVOKED *revoked,
|
1183
|
+
const ASN1_TIME *tm);
|
1033
1184
|
|
1034
1185
|
// X509_REVOKED_get0_extensions returns |r|'s extensions.
|
1035
|
-
OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *
|
1036
|
-
|
1186
|
+
OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(
|
1187
|
+
const X509_REVOKED *r);
|
1037
1188
|
|
1038
1189
|
OPENSSL_EXPORT X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
|
1039
1190
|
EVP_PKEY *skey, const EVP_MD *md,
|
@@ -1043,11 +1194,11 @@ OPENSSL_EXPORT int X509_REQ_check_private_key(X509_REQ *x509, EVP_PKEY *pkey);
|
|
1043
1194
|
|
1044
1195
|
OPENSSL_EXPORT int X509_check_private_key(X509 *x509, const EVP_PKEY *pkey);
|
1045
1196
|
OPENSSL_EXPORT int X509_chain_check_suiteb(int *perror_depth, X509 *x,
|
1046
|
-
STACK_OF(X509) *
|
1197
|
+
STACK_OF(X509) *chain,
|
1047
1198
|
unsigned long flags);
|
1048
1199
|
OPENSSL_EXPORT int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk,
|
1049
1200
|
unsigned long flags);
|
1050
|
-
OPENSSL_EXPORT STACK_OF(X509) *
|
1201
|
+
OPENSSL_EXPORT STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain);
|
1051
1202
|
|
1052
1203
|
OPENSSL_EXPORT int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
|
1053
1204
|
OPENSSL_EXPORT unsigned long X509_issuer_and_serial_hash(X509 *a);
|
@@ -1141,21 +1292,19 @@ OPENSSL_EXPORT ASN1_OBJECT *X509_NAME_ENTRY_get_object(
|
|
1141
1292
|
const X509_NAME_ENTRY *ne);
|
1142
1293
|
OPENSSL_EXPORT ASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne);
|
1143
1294
|
|
1144
|
-
OPENSSL_EXPORT int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *
|
1145
|
-
OPENSSL_EXPORT int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *
|
1295
|
+
OPENSSL_EXPORT int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
|
1296
|
+
OPENSSL_EXPORT int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,
|
1146
1297
|
int nid, int lastpos);
|
1147
|
-
OPENSSL_EXPORT int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *
|
1298
|
+
OPENSSL_EXPORT int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x,
|
1148
1299
|
const ASN1_OBJECT *obj, int lastpos);
|
1149
|
-
OPENSSL_EXPORT int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *
|
1150
|
-
x,
|
1300
|
+
OPENSSL_EXPORT int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x,
|
1151
1301
|
int crit, int lastpos);
|
1152
|
-
OPENSSL_EXPORT X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *
|
1153
|
-
x,
|
1302
|
+
OPENSSL_EXPORT X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x,
|
1154
1303
|
int loc);
|
1155
|
-
OPENSSL_EXPORT X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *
|
1304
|
+
OPENSSL_EXPORT X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x,
|
1156
1305
|
int loc);
|
1157
|
-
OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *
|
1158
|
-
|
1306
|
+
OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509v3_add_ext(
|
1307
|
+
STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc);
|
1159
1308
|
|
1160
1309
|
OPENSSL_EXPORT int X509_get_ext_count(const X509 *x);
|
1161
1310
|
OPENSSL_EXPORT int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos);
|
@@ -1166,12 +1315,27 @@ OPENSSL_EXPORT int X509_get_ext_by_critical(const X509 *x, int crit,
|
|
1166
1315
|
OPENSSL_EXPORT X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
|
1167
1316
|
OPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
|
1168
1317
|
OPENSSL_EXPORT int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
|
1169
|
-
|
1318
|
+
|
1319
|
+
// X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in
|
1320
|
+
// |x509|'s extension list.
|
1321
|
+
//
|
1322
|
+
// WARNING: This function is difficult to use correctly. See the documentation
|
1323
|
+
// for |X509V3_get_d2i| for details.
|
1324
|
+
OPENSSL_EXPORT void *X509_get_ext_d2i(const X509 *x509, int nid,
|
1325
|
+
int *out_critical, int *out_idx);
|
1326
|
+
|
1327
|
+
// X509_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension to
|
1328
|
+
// |x|'s extension list.
|
1329
|
+
//
|
1330
|
+
// WARNING: This function may return zero or -1 on error. The caller must also
|
1331
|
+
// ensure |value|'s type matches |nid|. See the documentation for
|
1332
|
+
// |X509V3_add1_i2d| for details.
|
1170
1333
|
OPENSSL_EXPORT int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
|
1171
1334
|
unsigned long flags);
|
1172
1335
|
|
1173
1336
|
OPENSSL_EXPORT int X509_CRL_get_ext_count(const X509_CRL *x);
|
1174
|
-
OPENSSL_EXPORT int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid,
|
1337
|
+
OPENSSL_EXPORT int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid,
|
1338
|
+
int lastpos);
|
1175
1339
|
OPENSSL_EXPORT int X509_CRL_get_ext_by_OBJ(const X509_CRL *x,
|
1176
1340
|
const ASN1_OBJECT *obj, int lastpos);
|
1177
1341
|
OPENSSL_EXPORT int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit,
|
@@ -1179,8 +1343,21 @@ OPENSSL_EXPORT int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit,
|
|
1179
1343
|
OPENSSL_EXPORT X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
|
1180
1344
|
OPENSSL_EXPORT X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
|
1181
1345
|
OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
|
1182
|
-
|
1183
|
-
|
1346
|
+
|
1347
|
+
// X509_CRL_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the
|
1348
|
+
// extension in |crl|'s extension list.
|
1349
|
+
//
|
1350
|
+
// WARNING: This function is difficult to use correctly. See the documentation
|
1351
|
+
// for |X509V3_get_d2i| for details.
|
1352
|
+
OPENSSL_EXPORT void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid,
|
1353
|
+
int *out_critical, int *out_idx);
|
1354
|
+
|
1355
|
+
// X509_CRL_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension
|
1356
|
+
// to |x|'s extension list.
|
1357
|
+
//
|
1358
|
+
// WARNING: This function may return zero or -1 on error. The caller must also
|
1359
|
+
// ensure |value|'s type matches |nid|. See the documentation for
|
1360
|
+
// |X509V3_add1_i2d| for details.
|
1184
1361
|
OPENSSL_EXPORT int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value,
|
1185
1362
|
int crit, unsigned long flags);
|
1186
1363
|
|
@@ -1198,8 +1375,22 @@ OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x,
|
|
1198
1375
|
int loc);
|
1199
1376
|
OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex,
|
1200
1377
|
int loc);
|
1201
|
-
|
1202
|
-
|
1378
|
+
|
1379
|
+
// X509_REVOKED_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the
|
1380
|
+
// extension in |revoked|'s extension list.
|
1381
|
+
//
|
1382
|
+
// WARNING: This function is difficult to use correctly. See the documentation
|
1383
|
+
// for |X509V3_get_d2i| for details.
|
1384
|
+
OPENSSL_EXPORT void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *revoked,
|
1385
|
+
int nid, int *out_critical,
|
1386
|
+
int *out_idx);
|
1387
|
+
|
1388
|
+
// X509_REVOKED_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the
|
1389
|
+
// extension to |x|'s extension list.
|
1390
|
+
//
|
1391
|
+
// WARNING: This function may return zero or -1 on error. The caller must also
|
1392
|
+
// ensure |value|'s type matches |nid|. See the documentation for
|
1393
|
+
// |X509V3_add1_i2d| for details.
|
1203
1394
|
OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid,
|
1204
1395
|
void *value, int crit,
|
1205
1396
|
unsigned long flags);
|
@@ -1218,29 +1409,27 @@ OPENSSL_EXPORT ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex);
|
|
1218
1409
|
OPENSSL_EXPORT ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
|
1219
1410
|
OPENSSL_EXPORT int X509_EXTENSION_get_critical(X509_EXTENSION *ex);
|
1220
1411
|
|
1221
|
-
OPENSSL_EXPORT int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *
|
1222
|
-
OPENSSL_EXPORT int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *
|
1412
|
+
OPENSSL_EXPORT int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x);
|
1413
|
+
OPENSSL_EXPORT int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x,
|
1223
1414
|
int nid, int lastpos);
|
1224
|
-
OPENSSL_EXPORT int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *
|
1415
|
+
OPENSSL_EXPORT int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk,
|
1225
1416
|
const ASN1_OBJECT *obj, int lastpos);
|
1226
|
-
OPENSSL_EXPORT X509_ATTRIBUTE *X509at_get_attr(
|
1227
|
-
|
1228
|
-
|
1229
|
-
OPENSSL_EXPORT X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) * x,
|
1417
|
+
OPENSSL_EXPORT X509_ATTRIBUTE *X509at_get_attr(
|
1418
|
+
const STACK_OF(X509_ATTRIBUTE) *x, int loc);
|
1419
|
+
OPENSSL_EXPORT X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x,
|
1230
1420
|
int loc);
|
1231
|
-
OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *
|
1232
|
-
|
1233
|
-
OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *
|
1234
|
-
|
1235
|
-
|
1236
|
-
|
1237
|
-
|
1238
|
-
|
1239
|
-
|
1240
|
-
|
1241
|
-
|
1242
|
-
|
1243
|
-
OPENSSL_EXPORT void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) * x,
|
1421
|
+
OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(
|
1422
|
+
STACK_OF(X509_ATTRIBUTE) **x, X509_ATTRIBUTE *attr);
|
1423
|
+
OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(
|
1424
|
+
STACK_OF(X509_ATTRIBUTE) **x, const ASN1_OBJECT *obj, int type,
|
1425
|
+
const unsigned char *bytes, int len);
|
1426
|
+
OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(
|
1427
|
+
STACK_OF(X509_ATTRIBUTE) **x, int nid, int type, const unsigned char *bytes,
|
1428
|
+
int len);
|
1429
|
+
OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(
|
1430
|
+
STACK_OF(X509_ATTRIBUTE) **x, const char *attrname, int type,
|
1431
|
+
const unsigned char *bytes, int len);
|
1432
|
+
OPENSSL_EXPORT void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x,
|
1244
1433
|
ASN1_OBJECT *obj, int lastpos,
|
1245
1434
|
int type);
|
1246
1435
|
OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(
|
@@ -1265,10 +1454,10 @@ OPENSSL_EXPORT ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr,
|
|
1265
1454
|
OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx);
|
1266
1455
|
|
1267
1456
|
// lookup a cert from a X509 STACK
|
1268
|
-
OPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *
|
1457
|
+
OPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk,
|
1269
1458
|
X509_NAME *name,
|
1270
1459
|
ASN1_INTEGER *serial);
|
1271
|
-
OPENSSL_EXPORT X509 *X509_find_by_subject(STACK_OF(X509) *
|
1460
|
+
OPENSSL_EXPORT X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name);
|
1272
1461
|
|
1273
1462
|
// PKCS#8 utilities
|
1274
1463
|
|