grpc 1.36.0 → 1.37.0.pre1
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +65 -37
- data/include/grpc/grpc.h +15 -1
- data/include/grpc/impl/codegen/port_platform.h +2 -0
- data/src/core/ext/filters/client_channel/client_channel.cc +327 -305
- data/src/core/ext/filters/client_channel/client_channel_factory.h +2 -1
- data/src/core/ext/filters/client_channel/config_selector.h +8 -0
- data/src/core/ext/filters/client_channel/dynamic_filters.cc +9 -4
- data/src/core/ext/filters/client_channel/global_subchannel_pool.cc +24 -142
- data/src/core/ext/filters/client_channel/global_subchannel_pool.h +15 -10
- data/src/core/ext/filters/client_channel/lb_policy.cc +3 -0
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +23 -0
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +27 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +7 -22
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +2 -2
- data/src/core/ext/filters/client_channel/local_subchannel_pool.cc +27 -67
- data/src/core/ext/filters/client_channel/local_subchannel_pool.h +10 -9
- data/src/core/ext/filters/client_channel/resolver.cc +3 -0
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +3 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +5 -9
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +18 -3
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +295 -91
- data/src/core/ext/filters/client_channel/server_address.cc +3 -0
- data/src/core/ext/filters/client_channel/subchannel.cc +69 -146
- data/src/core/ext/filters/client_channel/subchannel.h +63 -95
- data/src/core/ext/filters/client_channel/subchannel_pool_interface.cc +16 -2
- data/src/core/ext/filters/client_channel/subchannel_pool_interface.h +10 -8
- data/src/core/ext/filters/client_idle/client_idle_filter.cc +1 -1
- data/src/core/ext/filters/fault_injection/fault_injection_filter.cc +495 -0
- data/src/core/ext/filters/fault_injection/fault_injection_filter.h +39 -0
- data/src/core/ext/filters/fault_injection/service_config_parser.cc +189 -0
- data/src/core/ext/filters/fault_injection/service_config_parser.h +85 -0
- data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +1 -1
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +1 -1
- data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +3 -2
- data/src/core/ext/transport/chttp2/client/insecure/channel_create_posix.cc +1 -1
- data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +3 -2
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +457 -170
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +1 -1
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +39 -7
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +12 -1
- data/src/core/ext/transport/chttp2/transport/frame_data.cc +5 -1
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +1 -1
- data/src/core/ext/transport/chttp2/transport/internal.h +1 -0
- data/src/core/ext/upb-generated/envoy/admin/v3/config_dump.upb.c +406 -0
- data/src/core/ext/upb-generated/envoy/admin/v3/config_dump.upb.h +1459 -0
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +350 -0
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +1348 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +6 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +25 -0
- data/src/core/ext/upb-generated/envoy/config/metrics/v3/stats.upb.c +144 -0
- data/src/core/ext/upb-generated/envoy/config/metrics/v3/stats.upb.h +488 -0
- data/src/core/ext/upb-generated/envoy/config/overload/v3/overload.upb.c +141 -0
- data/src/core/ext/upb-generated/envoy/config/overload/v3/overload.upb.h +452 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +15 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +44 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c +79 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h +268 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c +78 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h +281 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c +41 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h +113 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +6 -5
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +13 -9
- data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.c +93 -0
- data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.h +323 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/node.upb.c +36 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/node.upb.h +90 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/struct.upb.c +46 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/struct.upb.h +124 -0
- data/src/core/ext/upb-generated/udpa/type/v1/typed_struct.upb.c +33 -0
- data/src/core/ext/upb-generated/udpa/type/v1/typed_struct.upb.h +77 -0
- data/src/core/ext/upbdefs-generated/envoy/admin/v3/config_dump.upbdefs.c +354 -0
- data/src/core/ext/upbdefs-generated/envoy/admin/v3/config_dump.upbdefs.h +140 -0
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +383 -0
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.h +115 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +10 -7
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c +141 -0
- data/src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h +70 -0
- data/src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c +141 -0
- data/src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h +70 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +13 -7
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.c +102 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h +55 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c +120 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h +45 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c +76 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +21 -20
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +130 -0
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.h +50 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/node.upbdefs.c +56 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/node.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/struct.upbdefs.c +63 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/struct.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/udpa/type/v1/typed_struct.upbdefs.c +44 -0
- data/src/core/ext/upbdefs-generated/udpa/type/v1/typed_struct.upbdefs.h +35 -0
- data/src/core/ext/xds/xds_api.cc +1591 -279
- data/src/core/ext/xds/xds_api.h +279 -39
- data/src/core/ext/xds/xds_bootstrap.cc +21 -5
- data/src/core/ext/xds/xds_bootstrap.h +5 -1
- data/src/core/ext/xds/xds_client.cc +168 -23
- data/src/core/ext/xds/xds_client.h +26 -0
- data/src/core/ext/xds/xds_client_stats.h +2 -2
- data/src/core/ext/xds/xds_http_fault_filter.cc +226 -0
- data/src/core/ext/xds/xds_http_fault_filter.h +63 -0
- data/src/core/ext/xds/xds_http_filters.cc +114 -0
- data/src/core/ext/xds/xds_http_filters.h +130 -0
- data/src/core/ext/xds/xds_server_config_fetcher.cc +391 -126
- data/src/core/lib/channel/channel_stack.cc +12 -0
- data/src/core/lib/channel/channel_stack.h +7 -0
- data/src/core/lib/channel/channelz.cc +92 -4
- data/src/core/lib/channel/channelz.h +30 -1
- data/src/core/lib/channel/channelz_registry.cc +14 -0
- data/src/core/lib/channel/handshaker.cc +0 -39
- data/src/core/lib/channel/handshaker.h +0 -17
- data/src/core/lib/channel/status_util.cc +12 -2
- data/src/core/lib/channel/status_util.h +5 -0
- data/src/core/lib/gpr/sync_abseil.cc +3 -6
- data/src/core/lib/gpr/sync_windows.cc +2 -2
- data/src/core/lib/gprpp/atomic.h +3 -3
- data/src/core/lib/gprpp/dual_ref_counted.h +3 -3
- data/src/core/lib/gprpp/ref_counted_ptr.h +2 -0
- data/src/core/lib/gprpp/thd.h +1 -1
- data/src/core/lib/iomgr/buffer_list.h +1 -1
- data/src/core/lib/iomgr/cfstream_handle.cc +2 -2
- data/src/core/lib/iomgr/error.h +1 -1
- data/src/core/lib/iomgr/ev_apple.cc +1 -1
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +3 -3
- data/src/core/lib/iomgr/ev_posix.cc +3 -3
- data/src/core/lib/iomgr/exec_ctx.cc +6 -2
- data/src/core/lib/iomgr/resource_quota.cc +1 -1
- data/src/core/lib/iomgr/sockaddr_utils.cc +120 -0
- data/src/core/lib/iomgr/sockaddr_utils.h +25 -0
- data/src/core/lib/iomgr/tcp_posix.cc +1 -4
- data/src/core/lib/iomgr/tcp_uv.cc +2 -2
- data/src/core/lib/iomgr/timer_generic.cc +2 -2
- data/src/core/lib/iomgr/timer_manager.cc +1 -1
- data/src/core/lib/iomgr/wakeup_fd_nospecial.cc +1 -1
- data/src/core/lib/{security/authorization → matchers}/matchers.cc +8 -8
- data/src/core/lib/{security/authorization → matchers}/matchers.h +14 -12
- data/src/core/lib/security/security_connector/ssl_utils.cc +6 -4
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +6 -0
- data/src/core/lib/security/transport/security_handshaker.cc +32 -2
- data/src/core/lib/slice/slice_intern.cc +6 -7
- data/src/core/lib/surface/channel.h +3 -3
- data/src/core/lib/surface/completion_queue.cc +1 -1
- data/src/core/lib/surface/lame_client.cc +38 -19
- data/src/core/lib/surface/lame_client.h +4 -3
- data/src/core/lib/surface/server.cc +40 -33
- data/src/core/lib/surface/server.h +74 -15
- data/src/core/lib/surface/version.cc +1 -1
- data/src/core/lib/transport/metadata_batch.cc +27 -0
- data/src/core/lib/transport/metadata_batch.h +14 -0
- data/src/core/plugin_registry/grpc_plugin_registry.cc +6 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +1 -4
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.h +1 -1
- data/src/core/tsi/alts/handshaker/transport_security_common_api.cc +1 -3
- data/src/core/tsi/fake_transport_security.cc +10 -1
- data/src/ruby/ext/grpc/extconf.rb +9 -1
- data/src/ruby/ext/grpc/rb_channel.c +10 -1
- data/src/ruby/ext/grpc/rb_channel_credentials.c +11 -1
- data/src/ruby/ext/grpc/rb_channel_credentials.h +4 -0
- data/src/ruby/ext/grpc/rb_compression_options.c +1 -1
- data/src/ruby/ext/grpc/rb_enable_cpp.cc +1 -1
- data/src/ruby/ext/grpc/rb_grpc.c +4 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +2 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +4 -1
- data/src/ruby/ext/grpc/rb_server.c +13 -1
- data/src/ruby/ext/grpc/rb_server_credentials.c +19 -3
- data/src/ruby/ext/grpc/rb_server_credentials.h +4 -0
- data/src/ruby/ext/grpc/rb_xds_channel_credentials.c +215 -0
- data/src/ruby/ext/grpc/rb_xds_channel_credentials.h +35 -0
- data/src/ruby/ext/grpc/rb_xds_server_credentials.c +169 -0
- data/src/ruby/ext/grpc/rb_xds_server_credentials.h +35 -0
- data/src/ruby/lib/grpc/generic/client_stub.rb +4 -2
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/spec/call_spec.rb +1 -1
- data/src/ruby/spec/channel_credentials_spec.rb +32 -0
- data/src/ruby/spec/channel_spec.rb +17 -6
- data/src/ruby/spec/client_auth_spec.rb +27 -1
- data/src/ruby/spec/errors_spec.rb +1 -1
- data/src/ruby/spec/generic/active_call_spec.rb +2 -2
- data/src/ruby/spec/generic/client_stub_spec.rb +4 -4
- data/src/ruby/spec/generic/rpc_server_spec.rb +1 -1
- data/src/ruby/spec/server_credentials_spec.rb +25 -0
- data/src/ruby/spec/server_spec.rb +22 -0
- data/third_party/boringssl-with-bazel/err_data.c +255 -255
- data/third_party/boringssl-with-bazel/src/crypto/cpu-arm-linux.c +11 -2
- data/third_party/boringssl-with-bazel/src/crypto/cpu-arm.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +21 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +7 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +0 -28
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +22 -17
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +3 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +22 -32
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +25 -9
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +0 -1
- data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +33 -19
- data/third_party/xxhash/xxhash.h +5443 -0
- metadata +93 -49
- data/src/core/lib/security/authorization/authorization_engine.cc +0 -177
- data/src/core/lib/security/authorization/authorization_engine.h +0 -84
- data/src/core/lib/security/authorization/evaluate_args.cc +0 -148
- data/src/core/lib/security/authorization/evaluate_args.h +0 -59
- data/src/core/lib/security/authorization/mock_cel/activation.h +0 -57
- data/src/core/lib/security/authorization/mock_cel/cel_expr_builder_factory.h +0 -44
- data/src/core/lib/security/authorization/mock_cel/cel_expression.h +0 -69
- data/src/core/lib/security/authorization/mock_cel/cel_value.h +0 -99
- data/src/core/lib/security/authorization/mock_cel/evaluator_core.h +0 -67
- data/src/core/lib/security/authorization/mock_cel/flat_expr_builder.h +0 -57
- data/third_party/abseil-cpp/absl/container/flat_hash_set.h +0 -504
- data/third_party/upb/upb/json_decode.c +0 -1443
- data/third_party/upb/upb/json_decode.h +0 -23
- data/third_party/upb/upb/json_encode.c +0 -713
- data/third_party/upb/upb/json_encode.h +0 -36
@@ -175,7 +175,13 @@ void OPENSSL_cpuid_setup(void) {
|
|
175
175
|
hwcap = crypto_get_arm_hwcap_from_cpuinfo(&cpuinfo);
|
176
176
|
}
|
177
177
|
|
178
|
-
// Clear NEON support if known broken.
|
178
|
+
// Clear NEON support if known broken. Note, if NEON is available statically,
|
179
|
+
// the non-NEON code is dropped and this workaround is a no-op.
|
180
|
+
//
|
181
|
+
// TODO(davidben): The Android NDK now builds with NEON statically available
|
182
|
+
// by default. Cronet still has some consumers that support NEON-less devices
|
183
|
+
// (b/150371744). Get metrics on whether they still see this CPU and, if not,
|
184
|
+
// remove this check entirely.
|
179
185
|
g_has_broken_neon = crypto_cpuinfo_has_broken_neon(&cpuinfo);
|
180
186
|
if (g_has_broken_neon) {
|
181
187
|
hwcap &= ~HWCAP_NEON;
|
@@ -186,7 +192,10 @@ void OPENSSL_cpuid_setup(void) {
|
|
186
192
|
OPENSSL_armcap_P |= ARMV7_NEON;
|
187
193
|
|
188
194
|
// Some ARMv8 Android devices don't expose AT_HWCAP2. Fall back to
|
189
|
-
// /proc/cpuinfo. See https://crbug.com/
|
195
|
+
// /proc/cpuinfo. See https://crbug.com/boringssl/46. As of February 2021,
|
196
|
+
// this is now rare (see Chrome's Net.NeedsHWCAP2Workaround metric), but AES
|
197
|
+
// and PMULL extensions are very useful, so we still carry the workaround
|
198
|
+
// for now.
|
190
199
|
unsigned long hwcap2 = 0;
|
191
200
|
if (getauxval != NULL) {
|
192
201
|
hwcap2 = getauxval(AT_HWCAP2);
|
@@ -22,15 +22,15 @@
|
|
22
22
|
|
23
23
|
extern uint32_t OPENSSL_armcap_P;
|
24
24
|
|
25
|
-
|
25
|
+
int CRYPTO_is_NEON_capable_at_runtime(void) {
|
26
26
|
return (OPENSSL_armcap_P & ARMV7_NEON) != 0;
|
27
27
|
}
|
28
28
|
|
29
|
-
int
|
29
|
+
int CRYPTO_is_ARMv8_AES_capable_at_runtime(void) {
|
30
30
|
return (OPENSSL_armcap_P & ARMV8_AES) != 0;
|
31
31
|
}
|
32
32
|
|
33
|
-
int
|
33
|
+
int CRYPTO_is_ARMv8_PMULL_capable_at_runtime(void) {
|
34
34
|
return (OPENSSL_armcap_P & ARMV8_PMULL) != 0;
|
35
35
|
}
|
36
36
|
|
@@ -57,6 +57,7 @@
|
|
57
57
|
#include <openssl/cipher.h>
|
58
58
|
|
59
59
|
#include <assert.h>
|
60
|
+
#include <limits.h>
|
60
61
|
#include <string.h>
|
61
62
|
|
62
63
|
#include <openssl/err.h>
|
@@ -240,14 +241,20 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
|
|
240
241
|
|
241
242
|
int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,
|
242
243
|
const uint8_t *in, int in_len) {
|
243
|
-
|
244
|
+
// Ciphers that use blocks may write up to |bl| extra bytes. Ensure the output
|
245
|
+
// does not overflow |*out_len|.
|
246
|
+
int bl = ctx->cipher->block_size;
|
247
|
+
if (bl > 1 && in_len > INT_MAX - bl) {
|
248
|
+
OPENSSL_PUT_ERROR(CIPHER, ERR_R_OVERFLOW);
|
249
|
+
return 0;
|
250
|
+
}
|
244
251
|
|
245
252
|
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
|
246
|
-
|
247
|
-
if (
|
253
|
+
int ret = ctx->cipher->cipher(ctx, out, in, in_len);
|
254
|
+
if (ret < 0) {
|
248
255
|
return 0;
|
249
256
|
} else {
|
250
|
-
*out_len =
|
257
|
+
*out_len = ret;
|
251
258
|
}
|
252
259
|
return 1;
|
253
260
|
}
|
@@ -267,8 +274,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,
|
|
267
274
|
}
|
268
275
|
}
|
269
276
|
|
270
|
-
i = ctx->buf_len;
|
271
|
-
bl = ctx->cipher->block_size;
|
277
|
+
int i = ctx->buf_len;
|
272
278
|
assert(bl <= (int)sizeof(ctx->buf));
|
273
279
|
if (i != 0) {
|
274
280
|
if (bl - i > in_len) {
|
@@ -277,7 +283,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,
|
|
277
283
|
*out_len = 0;
|
278
284
|
return 1;
|
279
285
|
} else {
|
280
|
-
j = bl - i;
|
286
|
+
int j = bl - i;
|
281
287
|
OPENSSL_memcpy(&ctx->buf[i], in, j);
|
282
288
|
if (!ctx->cipher->cipher(ctx, out, ctx->buf, bl)) {
|
283
289
|
return 0;
|
@@ -353,8 +359,13 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) {
|
|
353
359
|
|
354
360
|
int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,
|
355
361
|
const uint8_t *in, int in_len) {
|
356
|
-
|
357
|
-
|
362
|
+
// Ciphers that use blocks may write up to |bl| extra bytes. Ensure the output
|
363
|
+
// does not overflow |*out_len|.
|
364
|
+
unsigned int b = ctx->cipher->block_size;
|
365
|
+
if (b > 1 && in_len > INT_MAX - (int)b) {
|
366
|
+
OPENSSL_PUT_ERROR(CIPHER, ERR_R_OVERFLOW);
|
367
|
+
return 0;
|
368
|
+
}
|
358
369
|
|
359
370
|
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
|
360
371
|
int r = ctx->cipher->cipher(ctx, out, in, in_len);
|
@@ -376,15 +387,12 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,
|
|
376
387
|
return EVP_EncryptUpdate(ctx, out, out_len, in, in_len);
|
377
388
|
}
|
378
389
|
|
379
|
-
b = ctx->cipher->block_size;
|
380
390
|
assert(b <= sizeof(ctx->final));
|
381
|
-
|
391
|
+
int fix_len = 0;
|
382
392
|
if (ctx->final_used) {
|
383
393
|
OPENSSL_memcpy(out, ctx->final, b);
|
384
394
|
out += b;
|
385
395
|
fix_len = 1;
|
386
|
-
} else {
|
387
|
-
fix_len = 0;
|
388
396
|
}
|
389
397
|
|
390
398
|
if (!EVP_EncryptUpdate(ctx, out, out_len, in, in_len)) {
|
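Review bot: The new overflow guard at the top of `EVP_EncryptUpdate` and `EVP_DecryptUpdate` bounds `in_len` only from above, so a negative `in_len` still passes it and, in the `EVP_CIPH_FLAG_CUSTOM_CIPHER` branch that follows, is handed unchanged to `ctx->cipher->cipher(ctx, out, in, in_len)`. Rejecting it in the same guard would close that path, e.g. `if (in_len < 0 || (bl > 1 && in_len > INT_MAX - bl)) {`, provided no caller depends on the current treatment of negative lengths, which the hunks do not show. The two guards also differ in type (`int bl` versus `unsigned int b` with an `(int)b` cast); one form in both functions would be easier to audit. Both function bodies continue outside the visible hunks.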
@@ -83,16 +83,18 @@ struct rand_thread_state {
|
|
83
83
|
// called when the whole process is exiting.
|
84
84
|
DEFINE_BSS_GET(struct rand_thread_state *, thread_states_list);
|
85
85
|
DEFINE_STATIC_MUTEX(thread_states_list_lock);
|
86
|
+
DEFINE_STATIC_MUTEX(state_clear_all_lock);
|
86
87
|
|
87
88
|
static void rand_thread_state_clear_all(void) __attribute__((destructor));
|
88
89
|
static void rand_thread_state_clear_all(void) {
|
89
90
|
CRYPTO_STATIC_MUTEX_lock_write(thread_states_list_lock_bss_get());
|
91
|
+
CRYPTO_STATIC_MUTEX_lock_write(state_clear_all_lock_bss_get());
|
90
92
|
for (struct rand_thread_state *cur = *thread_states_list_bss_get();
|
91
93
|
cur != NULL; cur = cur->next) {
|
92
94
|
CTR_DRBG_clear(&cur->drbg);
|
93
95
|
}
|
94
|
-
//
|
95
|
-
//
|
96
|
+
// The locks are deliberately left locked so that any threads that are still
|
97
|
+
// running will hang if they try to call |RAND_bytes|.
|
96
98
|
}
|
97
99
|
#endif
|
98
100
|
|
@@ -415,7 +417,7 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
|
|
415
417
|
// bug on ppc64le. glibc may implement pthread locks by wrapping user code
|
416
418
|
// in a hardware transaction, but, on some older versions of glibc and the
|
417
419
|
// kernel, syscalls made with |syscall| did not abort the transaction.
|
418
|
-
CRYPTO_STATIC_MUTEX_lock_read(
|
420
|
+
CRYPTO_STATIC_MUTEX_lock_read(state_clear_all_lock_bss_get());
|
419
421
|
#endif
|
420
422
|
if (!CTR_DRBG_reseed(&state->drbg, seed, NULL, 0)) {
|
421
423
|
abort();
|
@@ -424,7 +426,7 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
|
|
424
426
|
state->fork_generation = fork_generation;
|
425
427
|
} else {
|
426
428
|
#if defined(BORINGSSL_FIPS)
|
427
|
-
CRYPTO_STATIC_MUTEX_lock_read(
|
429
|
+
CRYPTO_STATIC_MUTEX_lock_read(state_clear_all_lock_bss_get());
|
428
430
|
#endif
|
429
431
|
}
|
430
432
|
|
@@ -453,7 +455,7 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
|
|
453
455
|
}
|
454
456
|
|
455
457
|
#if defined(BORINGSSL_FIPS)
|
456
|
-
CRYPTO_STATIC_MUTEX_unlock_read(
|
458
|
+
CRYPTO_STATIC_MUTEX_unlock_read(state_clear_all_lock_bss_get());
|
457
459
|
#endif
|
458
460
|
}
|
459
461
|
|
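Review bot: `DEFINE_STATIC_MUTEX(state_clear_all_lock);` is added without a comment saying what it guards or how it orders against `thread_states_list_lock`, which the destructor takes first and likewise never releases. A short comment would pin that down, for example `// Read-locked in |RAND_bytes_with_additional_data|; write-locked and left held by |rand_thread_state_clear_all|, after |thread_states_list_lock|.` The read lock is taken in two separate branches and released once near the end of `RAND_bytes_with_additional_data`, whose body is only partly visible, so it is worth confirming that every non-aborting path between them reaches the unlock.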
@@ -83,34 +83,6 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
|
|
83
83
|
return (X509_NAME_cmp(ai->issuer, bi->issuer));
|
84
84
|
}
|
85
85
|
|
86
|
-
unsigned long X509_issuer_and_serial_hash(X509 *a)
|
87
|
-
{
|
88
|
-
unsigned long ret = 0;
|
89
|
-
EVP_MD_CTX ctx;
|
90
|
-
unsigned char md[16];
|
91
|
-
char *f;
|
92
|
-
|
93
|
-
EVP_MD_CTX_init(&ctx);
|
94
|
-
f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0);
|
95
|
-
if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
|
96
|
-
goto err;
|
97
|
-
if (!EVP_DigestUpdate(&ctx, (unsigned char *)f, strlen(f)))
|
98
|
-
goto err;
|
99
|
-
OPENSSL_free(f);
|
100
|
-
if (!EVP_DigestUpdate
|
101
|
-
(&ctx, (unsigned char *)a->cert_info->serialNumber->data,
|
102
|
-
(unsigned long)a->cert_info->serialNumber->length))
|
103
|
-
goto err;
|
104
|
-
if (!EVP_DigestFinal_ex(&ctx, &(md[0]), NULL))
|
105
|
-
goto err;
|
106
|
-
ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |
|
107
|
-
((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
|
108
|
-
) & 0xffffffffL;
|
109
|
-
err:
|
110
|
-
EVP_MD_CTX_cleanup(&ctx);
|
111
|
-
return (ret);
|
112
|
-
}
|
113
|
-
|
114
86
|
int X509_issuer_name_cmp(const X509 *a, const X509 *b)
|
115
87
|
{
|
116
88
|
return (X509_NAME_cmp(a->cert_info->issuer, b->cert_info->issuer));
|
@@ -85,27 +85,32 @@ IMPLEMENT_ASN1_DUP_FUNCTION(X509_ATTRIBUTE)
|
|
85
85
|
|
86
86
|
X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value)
|
87
87
|
{
|
88
|
-
|
89
|
-
|
88
|
+
const ASN1_OBJECT *obj = OBJ_nid2obj(nid);
|
89
|
+
if (obj == NULL) {
|
90
|
+
return NULL;
|
91
|
+
}
|
90
92
|
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
ret->object = (ASN1_OBJECT *)OBJ_nid2obj(nid);
|
95
|
-
ret->single = 0;
|
96
|
-
if ((ret->value.set = sk_ASN1_TYPE_new_null()) == NULL)
|
97
|
-
goto err;
|
98
|
-
if ((val = ASN1_TYPE_new()) == NULL)
|
93
|
+
X509_ATTRIBUTE *ret = X509_ATTRIBUTE_new();
|
94
|
+
ASN1_TYPE *val = ASN1_TYPE_new();
|
95
|
+
if (ret == NULL || val == NULL) {
|
99
96
|
goto err;
|
100
|
-
|
97
|
+
}
|
98
|
+
|
99
|
+
/* TODO(fork): const correctness. |ASN1_OBJECT| is messy because static
|
100
|
+
* objects are const but freeable with a no-op |ASN1_OBJECT_free|. */
|
101
|
+
ret->object = (ASN1_OBJECT *)obj;
|
102
|
+
ret->single = 0;
|
103
|
+
ret->value.set = sk_ASN1_TYPE_new_null();
|
104
|
+
if (ret->value.set == NULL ||
|
105
|
+
!sk_ASN1_TYPE_push(ret->value.set, val)) {
|
101
106
|
goto err;
|
107
|
+
}
|
102
108
|
|
103
109
|
ASN1_TYPE_set(val, atrtype, value);
|
104
|
-
return
|
110
|
+
return ret;
|
111
|
+
|
105
112
|
err:
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
ASN1_TYPE_free(val);
|
110
|
-
return (NULL);
|
113
|
+
X509_ATTRIBUTE_free(ret);
|
114
|
+
ASN1_TYPE_free(val);
|
115
|
+
return NULL;
|
111
116
|
}
|
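Review bot: The rewritten `X509_ATTRIBUTE_create` does not document who owns `value` on each path: on success it is handed to `ASN1_TYPE_set(val, atrtype, value)`, while every `goto err` path returns NULL before that call and leaves `value` untouched. A caller that assumes the function always consumes `value` would leak it on failure, and one that frees it after success would presumably free memory the attribute still references, depending on how `ASN1_TYPE_set` stores the pointer (not shown here). A comment above the function would settle it, e.g. `/* On success |value| is passed to |ASN1_TYPE_set|; on failure the caller retains ownership. */`.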
@@ -136,10 +136,12 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
|
|
136
136
|
}
|
137
137
|
|
138
138
|
/* Per RFC5280, section 4.1.2.9, extensions require v3. */
|
139
|
+
/* Check disabled. TODO re-enable in April 2021.
|
140
|
+
https://crbug.com/boringssl/375
|
139
141
|
if (version != 2 && ret->cert_info->extensions != NULL) {
|
140
142
|
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
|
141
143
|
return 0;
|
142
|
-
}
|
144
|
+
}*/
|
143
145
|
|
144
146
|
break;
|
145
147
|
}
|
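Review bot: The RFC 5280 section 4.1.2.9 check is disabled by wrapping it in a block comment, so the visible part of `x509_cb` no longer returns 0 for a certificate with `version != 2` that carries extensions, and the only record of that is a dated TODO. The comment should state the effect for anyone who relies on this parser to reject such certificates, e.g. `/* Check temporarily disabled (https://crbug.com/boringssl/375): non-v3 certificates with extensions are accepted here until it is re-enabled. */`. A named preprocessor macro guarding the block would also make the switch explicit and greppable, where commented-out code is easy to overlook. `x509_cb` starts and ends outside the hunk.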
@@ -558,6 +558,10 @@ struct evp_cipher_ctx_st {
|
|
558
558
|
|
559
559
|
// block_mask contains |cipher->block_size| minus one. (The block size
|
560
560
|
// assumed to be a power of two.)
|
561
|
+
//
|
562
|
+
// TODO(davidben): This is redundant with |cipher->block_size| and constant
|
563
|
+
// for the whole |EVP_CIPHER|. Move it there, or possibly even remove it and
|
564
|
+
// do the subtraction on demand.
|
561
565
|
int block_mask;
|
562
566
|
|
563
567
|
uint8_t final[EVP_MAX_BLOCK_LENGTH]; // possible final block
|
@@ -111,26 +111,18 @@ OPENSSL_INLINE const uint32_t *OPENSSL_ia32cap_get(void) {
|
|
111
111
|
#endif
|
112
112
|
|
113
113
|
#if !defined(OPENSSL_STATIC_ARMCAP)
|
114
|
-
|
115
114
|
// CRYPTO_is_NEON_capable_at_runtime returns true if the current CPU has a NEON
|
116
115
|
// unit. Note that |OPENSSL_armcap_P| also exists and contains the same
|
117
116
|
// information in a form that's easier for assembly to use.
|
118
|
-
OPENSSL_EXPORT
|
117
|
+
OPENSSL_EXPORT int CRYPTO_is_NEON_capable_at_runtime(void);
|
119
118
|
|
120
|
-
//
|
121
|
-
//
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
// https://crbug.com/341598 and https://crbug.com/606629.
|
128
|
-
#if (defined(__ARM_NEON__) || defined(__ARM_NEON)) && !defined(OPENSSL_ARM)
|
129
|
-
return 1;
|
130
|
-
#else
|
131
|
-
return CRYPTO_is_NEON_capable_at_runtime();
|
132
|
-
#endif
|
133
|
-
}
|
119
|
+
// CRYPTO_is_ARMv8_AES_capable_at_runtime returns true if the current CPU
|
120
|
+
// supports the ARMv8 AES instruction.
|
121
|
+
int CRYPTO_is_ARMv8_AES_capable_at_runtime(void);
|
122
|
+
|
123
|
+
// CRYPTO_is_ARMv8_PMULL_capable_at_runtime returns true if the current CPU
|
124
|
+
// supports the ARMv8 PMULL instruction.
|
125
|
+
int CRYPTO_is_ARMv8_PMULL_capable_at_runtime(void);
|
134
126
|
|
135
127
|
#if defined(OPENSSL_ARM)
|
136
128
|
// CRYPTO_has_broken_NEON returns one if the current CPU is known to have a
|
@@ -141,43 +133,41 @@ OPENSSL_EXPORT int CRYPTO_has_broken_NEON(void);
|
|
141
133
|
// workaround was needed. See https://crbug.com/boringssl/46.
|
142
134
|
OPENSSL_EXPORT int CRYPTO_needs_hwcap2_workaround(void);
|
143
135
|
#endif
|
136
|
+
#endif // !OPENSSL_STATIC_ARMCAP
|
144
137
|
|
145
|
-
//
|
146
|
-
//
|
147
|
-
int CRYPTO_is_ARMv8_AES_capable(void);
|
148
|
-
|
149
|
-
// CRYPTO_is_ARMv8_PMULL_capable returns true if the current CPU supports the
|
150
|
-
// ARMv8 PMULL instruction.
|
151
|
-
int CRYPTO_is_ARMv8_PMULL_capable(void);
|
152
|
-
|
153
|
-
#else
|
154
|
-
|
138
|
+
// CRYPTO_is_NEON_capable returns true if the current CPU has a NEON unit. If
|
139
|
+
// this is known statically, it is a constant inline function.
|
155
140
|
OPENSSL_INLINE int CRYPTO_is_NEON_capable(void) {
|
156
|
-
#if defined(
|
157
|
-
|
141
|
+
#if defined(__ARM_NEON__) || defined(__ARM_NEON) || \
|
142
|
+
defined(OPENSSL_STATIC_ARMCAP_NEON)
|
158
143
|
return 1;
|
159
|
-
#
|
144
|
+
#elif defined(OPENSSL_STATIC_ARMCAP)
|
160
145
|
return 0;
|
146
|
+
#else
|
147
|
+
return CRYPTO_is_NEON_capable_at_runtime();
|
161
148
|
#endif
|
162
149
|
}
|
163
150
|
|
164
151
|
OPENSSL_INLINE int CRYPTO_is_ARMv8_AES_capable(void) {
|
165
152
|
#if defined(OPENSSL_STATIC_ARMCAP_AES) || defined(__ARM_FEATURE_CRYPTO)
|
166
153
|
return 1;
|
167
|
-
#
|
154
|
+
#elif defined(OPENSSL_STATIC_ARMCAP)
|
168
155
|
return 0;
|
156
|
+
#else
|
157
|
+
return CRYPTO_is_ARMv8_AES_capable_at_runtime();
|
169
158
|
#endif
|
170
159
|
}
|
171
160
|
|
172
161
|
OPENSSL_INLINE int CRYPTO_is_ARMv8_PMULL_capable(void) {
|
173
162
|
#if defined(OPENSSL_STATIC_ARMCAP_PMULL) || defined(__ARM_FEATURE_CRYPTO)
|
174
163
|
return 1;
|
175
|
-
#
|
164
|
+
#elif defined(OPENSSL_STATIC_ARMCAP)
|
176
165
|
return 0;
|
166
|
+
#else
|
167
|
+
return CRYPTO_is_ARMv8_PMULL_capable_at_runtime();
|
177
168
|
#endif
|
178
169
|
}
|
179
170
|
|
180
|
-
#endif // OPENSSL_STATIC_ARMCAP
|
181
171
|
#endif // OPENSSL_ARM || OPENSSL_AARCH64
|
182
172
|
|
183
173
|
#if defined(OPENSSL_PPC64LE)
|
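Review bot: The new comment on `CRYPTO_is_NEON_capable` does not mention that, when `__ARM_NEON__`, `__ARM_NEON` or `OPENSSL_STATIC_ARMCAP_NEON` is defined, the function now returns 1 on every target without calling `CRYPTO_is_NEON_capable_at_runtime()`; the removed lines kept the runtime call when `OPENSSL_ARM` was defined. The runtime broken-NEON handling therefore has no effect in such builds, which the updated comment in `OPENSSL_cpuid_setup` acknowledges but this header does not. I would add a line such as `// When NEON is enabled at compile time no runtime check is made, so |CRYPTO_has_broken_NEON| does not affect the result.` Separately, the new `..._at_runtime` declarations for AES and PMULL omit `OPENSSL_EXPORT` while the NEON one has it; if that is intentional a brief note would help.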
@@ -2743,18 +2743,34 @@ OPENSSL_EXPORT int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos,
|
|
2743
2743
|
|
2744
2744
|
// SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is called
|
2745
2745
|
// during ClientHello processing in order to select an ALPN protocol from the
|
2746
|
-
// client's list of offered protocols.
|
2747
|
-
// a server.
|
2746
|
+
// client's list of offered protocols.
|
2748
2747
|
//
|
2749
2748
|
// The callback is passed a wire-format (i.e. a series of non-empty, 8-bit
|
2750
|
-
// length-prefixed strings) ALPN protocol list in |in|.
|
2751
|
-
// |*out_len| to the selected protocol and
|
2752
|
-
// success. It does not pass ownership of the
|
2753
|
-
//
|
2754
|
-
//
|
2749
|
+
// length-prefixed strings) ALPN protocol list in |in|. To select a protocol,
|
2750
|
+
// the callback should set |*out| and |*out_len| to the selected protocol and
|
2751
|
+
// return |SSL_TLSEXT_ERR_OK| on success. It does not pass ownership of the
|
2752
|
+
// buffer, so |*out| should point to a static string, a buffer that outlives the
|
2753
|
+
// callback call, or the corresponding entry in |in|.
|
2754
|
+
//
|
2755
|
+
// If the server supports ALPN, but there are no protocols in common, the
|
2756
|
+
// callback should return |SSL_TLSEXT_ERR_ALERT_FATAL| to abort the connection
|
2757
|
+
// with a no_application_protocol alert.
|
2758
|
+
//
|
2759
|
+
// If the server does not support ALPN, it can return |SSL_TLSEXT_ERR_NOACK| to
|
2760
|
+
// continue the handshake without negotiating a protocol. This may be useful if
|
2761
|
+
// multiple server configurations share an |SSL_CTX|, only some of which have
|
2762
|
+
// ALPN protocols configured.
|
2763
|
+
//
|
2764
|
+
// |SSL_TLSEXT_ERR_ALERT_WARNING| is ignored and will be treated as
|
2765
|
+
// |SSL_TLSEXT_ERR_NOACK|.
|
2766
|
+
//
|
2767
|
+
// The callback will only be called if the client supports ALPN. Callers that
|
2768
|
+
// wish to require ALPN for all clients must check |SSL_get0_alpn_selected|
|
2769
|
+
// after the handshake. In QUIC connections, this is done automatically.
|
2755
2770
|
//
|
2756
2771
|
// The cipher suite is selected before negotiating ALPN. The callback may use
|
2757
|
-
// |SSL_get_pending_cipher| to query the cipher suite.
|
2772
|
+
// |SSL_get_pending_cipher| to query the cipher suite. This may be used to
|
2773
|
+
// implement HTTP/2's cipher suite constraints.
|
2758
2774
|
OPENSSL_EXPORT void SSL_CTX_set_alpn_select_cb(
|
2759
2775
|
SSL_CTX *ctx, int (*cb)(SSL *ssl, const uint8_t **out, uint8_t *out_len,
|
2760
2776
|
const uint8_t *in, unsigned in_len, void *arg),
|
@@ -5286,7 +5302,7 @@ BSSL_NAMESPACE_END
|
|
5286
5302
|
#define SSL_R_CIPHER_MISMATCH_ON_EARLY_DATA 304
|
5287
5303
|
#define SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED 305
|
5288
5304
|
#define SSL_R_UNEXPECTED_COMPATIBILITY_MODE 306
|
5289
|
-
#define
|
5305
|
+
#define SSL_R_NO_APPLICATION_PROTOCOL 307
|
5290
5306
|
#define SSL_R_NEGOTIATED_ALPS_WITHOUT_ALPN 308
|
5291
5307
|
#define SSL_R_ALPS_MISMATCH_ON_EARLY_DATA 309
|
5292
5308
|
#define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
|
@@ -1201,7 +1201,6 @@ OPENSSL_EXPORT int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk,
|
|
1201
1201
|
OPENSSL_EXPORT STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain);
|
1202
1202
|
|
1203
1203
|
OPENSSL_EXPORT int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
|
1204
|
-
OPENSSL_EXPORT unsigned long X509_issuer_and_serial_hash(X509 *a);
|
1205
1204
|
|
1206
1205
|
OPENSSL_EXPORT int X509_issuer_name_cmp(const X509 *a, const X509 *b);
|
1207
1206
|
OPENSSL_EXPORT unsigned long X509_issuer_name_hash(X509 *a);
|
@@ -1428,7 +1428,7 @@ static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1428
1428
|
SSL *const ssl = hs->ssl;
|
1429
1429
|
if (hs->config->alpn_client_proto_list.empty() && ssl->quic_method) {
|
1430
1430
|
// ALPN MUST be used with QUIC.
|
1431
|
-
OPENSSL_PUT_ERROR(SSL,
|
1431
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
1432
1432
|
return false;
|
1433
1433
|
}
|
1434
1434
|
|
@@ -1456,7 +1456,7 @@ static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1456
1456
|
if (contents == NULL) {
|
1457
1457
|
if (ssl->quic_method) {
|
1458
1458
|
// ALPN is required when QUIC is used.
|
1459
|
-
OPENSSL_PUT_ERROR(SSL,
|
1459
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
1460
1460
|
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
1461
1461
|
return false;
|
1462
1462
|
}
|
@@ -1537,7 +1537,7 @@ bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1537
1537
|
TLSEXT_TYPE_application_layer_protocol_negotiation)) {
|
1538
1538
|
if (ssl->quic_method) {
|
1539
1539
|
// ALPN is required when QUIC is used.
|
1540
|
-
OPENSSL_PUT_ERROR(SSL,
|
1540
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
1541
1541
|
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
1542
1542
|
return false;
|
1543
1543
|
}
|
@@ -1572,25 +1572,39 @@ bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1572
1572
|
|
1573
1573
|
const uint8_t *selected;
|
1574
1574
|
uint8_t selected_len;
|
1575
|
-
|
1576
|
-
|
1577
|
-
|
1578
|
-
|
1579
|
-
|
1580
|
-
|
1581
|
-
|
1575
|
+
int ret = ssl->ctx->alpn_select_cb(
|
1576
|
+
ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
|
1577
|
+
CBS_len(&protocol_name_list), ssl->ctx->alpn_select_cb_arg);
|
1578
|
+
// ALPN is required when QUIC is used.
|
1579
|
+
if (ssl->quic_method &&
|
1580
|
+
(ret == SSL_TLSEXT_ERR_NOACK || ret == SSL_TLSEXT_ERR_ALERT_WARNING)) {
|
1581
|
+
ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
1582
|
+
}
|
1583
|
+
switch (ret) {
|
1584
|
+
case SSL_TLSEXT_ERR_OK:
|
1585
|
+
if (selected_len == 0) {
|
1586
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
|
1587
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
1588
|
+
return false;
|
1589
|
+
}
|
1590
|
+
if (!ssl->s3->alpn_selected.CopyFrom(
|
1591
|
+
MakeConstSpan(selected, selected_len))) {
|
1592
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
1593
|
+
return false;
|
1594
|
+
}
|
1595
|
+
break;
|
1596
|
+
case SSL_TLSEXT_ERR_NOACK:
|
1597
|
+
case SSL_TLSEXT_ERR_ALERT_WARNING:
|
1598
|
+
break;
|
1599
|
+
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
1600
|
+
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
1601
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
1582
1602
|
return false;
|
1583
|
-
|
1584
|
-
|
1585
|
-
MakeConstSpan(selected, selected_len))) {
|
1603
|
+
default:
|
1604
|
+
// Invalid return value.
|
1586
1605
|
*out_alert = SSL_AD_INTERNAL_ERROR;
|
1606
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
1587
1607
|
return false;
|
1588
|
-
}
|
1589
|
-
} else if (ssl->quic_method) {
|
1590
|
-
// ALPN is required when QUIC is used.
|
1591
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_ALPN);
|
1592
|
-
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
1593
|
-
return false;
|
1594
1608
|
}
|
1595
1609
|
|
1596
1610
|
return true;
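Review bot: `selected` and `selected_len` are still declared without initializers directly above the new `alpn_select_cb` call, and the `SSL_TLSEXT_ERR_OK` arm reads both, so a callback that returns OK without writing its out-parameters causes an uninitialized read instead of reaching the `SSL_R_INVALID_ALPN_PROTOCOL` path. Initializing them as `const uint8_t *selected = nullptr;` and `uint8_t selected_len = 0;` would make that case land deterministically on the new `selected_len == 0` check. Separately, the `default:` arm now aborts the handshake with `SSL_AD_INTERNAL_ERROR` for any unlisted return value, and `SSL_TLSEXT_ERR_ALERT_FATAL` now sends no_application_protocol. The removed lines suggest a non-OK return was previously fatal only under `quic_method`, so callbacks registered through `SSL_CTX_set_alpn_select_cb` should be audited for what they return when no protocol matches. The body of `ssl_negotiate_alpn` starts outside this hunk, so the callback's null check and the parsing of `protocol_name_list` are not visible here.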
|