grpc 1.41.0 → 1.41.1
- checksums.yaml +4 -4
- data/Makefile +4 -3
- data/etc/roots.pem +335 -326
- data/src/ruby/ext/grpc/extconf.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/err_data.c +278 -272
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +15 -22
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +13 -7
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +19 -29
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/a_strex.c +268 -271
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +6 -43
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +0 -39
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/charmap.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +289 -198
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +9 -13
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -17
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +9 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +45 -65
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +21 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +5 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +10 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +24 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +12 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +0 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +0 -8
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/internal.h +16 -7
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7.c +9 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +151 -12
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +181 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +246 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +11 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +0 -179
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +0 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +11 -50
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +0 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +22 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_int.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +24 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +17 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +112 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +71 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +304 -192
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +2 -9
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +5 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +3 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +9 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +8 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/hkdf.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +9 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -20
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +12 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +37 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +26 -12
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +31 -32
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +50 -76
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +0 -131
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +48 -8
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +266 -357
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +90 -152
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +15 -13
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +75 -79
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +96 -97
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +63 -43
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +6 -12
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +14 -16
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +14 -27
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +203 -203
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +30 -41
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +47 -33
- metadata +39 -38
@@ -102,8 +102,10 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
|
|
102
102
|
BIO_puts(out, "\n");
|
103
103
|
} else
|
104
104
|
BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
|
105
|
-
if (aux->alias)
|
106
|
-
BIO_printf(out, "%*sAlias:
|
105
|
+
if (aux->alias) {
|
106
|
+
BIO_printf(out, "%*sAlias: %.*s\n", indent, "", aux->alias->length,
|
107
|
+
aux->alias->data);
|
108
|
+
}
|
107
109
|
if (aux->keyid) {
|
108
110
|
BIO_printf(out, "%*sKey Id: ", indent, "");
|
109
111
|
for (j = 0; j < aux->keyid->length; j++)
|
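Review bot: `%.*s` with `aux->alias->length` stops reading at `length` bytes, which fixes the unterminated-string read, but it also stops at the first NUL byte inside the ASN1_STRING, so an alias carrying an embedded NUL prints shorter than its stored length with no indication. If the printout is meant to reflect the stored bytes, emit the prefix with `BIO_printf(out, "%*sAlias: ", indent, "")` and then `BIO_write(out, aux->alias->data, aux->alias->length)`; the same caveat applies to the `%.*s` conversions added in print_qualifiers and print_notice (v3_cpols.c), where the values come from certificate extensions. X509_CERT_AUX_print continues past this hunk.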
@@ -404,11 +404,6 @@ int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
|
|
404
404
|
return ret;
|
405
405
|
}
|
406
406
|
|
407
|
-
void X509_STORE_set0_additional_untrusted(X509_STORE *ctx,
|
408
|
-
STACK_OF(X509) *untrusted) {
|
409
|
-
ctx->additional_untrusted = untrusted;
|
410
|
-
}
|
411
|
-
|
412
407
|
int X509_OBJECT_up_ref_count(X509_OBJECT *a)
|
413
408
|
{
|
414
409
|
switch (a->type) {
|
@@ -222,8 +222,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
|
|
222
222
|
X509_up_ref(ctx->cert);
|
223
223
|
ctx->last_untrusted = 1;
|
224
224
|
|
225
|
-
/* We use a temporary STACK so we can chop and hack at it.
|
226
|
-
* sktmp = ctx->untrusted ++ ctx->ctx->additional_untrusted */
|
225
|
+
/* We use a temporary STACK so we can chop and hack at it. */
|
227
226
|
if (ctx->untrusted != NULL
|
228
227
|
&& (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
|
229
228
|
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
@@ -231,28 +230,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
|
|
231
230
|
goto end;
|
232
231
|
}
|
233
232
|
|
234
|
-
if (ctx->ctx->additional_untrusted != NULL) {
|
235
|
-
if (sktmp == NULL) {
|
236
|
-
sktmp = sk_X509_new_null();
|
237
|
-
if (sktmp == NULL) {
|
238
|
-
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
239
|
-
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
240
|
-
goto end;
|
241
|
-
}
|
242
|
-
}
|
243
|
-
|
244
|
-
for (size_t k = 0; k < sk_X509_num(ctx->ctx->additional_untrusted);
|
245
|
-
k++) {
|
246
|
-
if (!sk_X509_push(sktmp,
|
247
|
-
sk_X509_value(ctx->ctx->additional_untrusted,
|
248
|
-
k))) {
|
249
|
-
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
250
|
-
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
251
|
-
goto end;
|
252
|
-
}
|
253
|
-
}
|
254
|
-
}
|
255
|
-
|
256
233
|
num = sk_X509_num(ctx->chain);
|
257
234
|
x = sk_X509_value(ctx->chain, num - 1);
|
258
235
|
depth = param->depth;
|
@@ -1351,17 +1328,6 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
|
|
1351
1328
|
return;
|
1352
1329
|
}
|
1353
1330
|
}
|
1354
|
-
|
1355
|
-
for (i = 0; i < sk_X509_num(ctx->ctx->additional_untrusted); i++) {
|
1356
|
-
crl_issuer = sk_X509_value(ctx->ctx->additional_untrusted, i);
|
1357
|
-
if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
|
1358
|
-
continue;
|
1359
|
-
if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
|
1360
|
-
*pissuer = crl_issuer;
|
1361
|
-
*pcrl_score |= CRL_SCORE_AKID;
|
1362
|
-
return;
|
1363
|
-
}
|
1364
|
-
}
|
1365
1331
|
}
|
1366
1332
|
|
1367
1333
|
/*
|
@@ -1403,12 +1369,12 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
|
|
1403
1369
|
}
|
1404
1370
|
|
1405
1371
|
/*
|
1406
|
-
*
|
1372
|
+
* RFC 3280 says nothing about the relationship between CRL path and
|
1407
1373
|
* certificate path, which could lead to situations where a certificate could
|
1408
|
-
* be revoked or validated by a CA not authorised to do so.
|
1374
|
+
* be revoked or validated by a CA not authorised to do so. RFC 5280 is more
|
1409
1375
|
* strict and states that the two paths must end in the same trust anchor,
|
1410
1376
|
* though some discussions remain... until this is resolved we use the
|
1411
|
-
*
|
1377
|
+
* RFC 5280 version
|
1412
1378
|
*/
|
1413
1379
|
|
1414
1380
|
static int check_crl_chain(X509_STORE_CTX *ctx,
|
@@ -1919,8 +1885,8 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
|
|
1919
1885
|
int i, day, sec, ret = 0;
|
1920
1886
|
|
1921
1887
|
/*
|
1922
|
-
* Note that ASN.1 allows much more slack in the time format than
|
1923
|
-
* In
|
1888
|
+
* Note that ASN.1 allows much more slack in the time format than RFC 5280.
|
1889
|
+
* In RFC 5280, the representation is fixed:
|
1924
1890
|
* UTCTime: YYMMDDHHMMSSZ
|
1925
1891
|
* GeneralizedTime: YYYYMMDDHHMMSSZ
|
1926
1892
|
*
|
@@ -1976,9 +1942,9 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
|
|
1976
1942
|
return ret;
|
1977
1943
|
}
|
1978
1944
|
|
1979
|
-
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long
|
1945
|
+
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec)
|
1980
1946
|
{
|
1981
|
-
return X509_time_adj(s,
|
1947
|
+
return X509_time_adj(s, offset_sec, NULL);
|
1982
1948
|
}
|
1983
1949
|
|
1984
1950
|
ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
|
@@ -1991,17 +1957,12 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
|
|
1991
1957
|
{
|
1992
1958
|
time_t t = 0;
|
1993
1959
|
|
1994
|
-
if (in_tm)
|
1960
|
+
if (in_tm) {
|
1995
1961
|
t = *in_tm;
|
1996
|
-
else
|
1962
|
+
} else {
|
1997
1963
|
time(&t);
|
1998
|
-
|
1999
|
-
if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
|
2000
|
-
if (s->type == V_ASN1_UTCTIME)
|
2001
|
-
return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec);
|
2002
|
-
if (s->type == V_ASN1_GENERALIZEDTIME)
|
2003
|
-
return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec);
|
2004
1964
|
}
|
1965
|
+
|
2005
1966
|
return ASN1_TIME_adj(s, t, offset_day, offset_sec);
|
2006
1967
|
}
|
2007
1968
|
|
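Review bot: X509_time_adj_ex now always delegates to `ASN1_TIME_adj(s, t, offset_day, offset_sec)`, dropping the branch that kept an existing UTCTime or GeneralizedTime `s` in its own type. If ASN1_TIME_adj chooses the encoding by year as it does in OpenSSL, a GeneralizedTime `s` for a year in the UTCTime range is now rewritten as UTCTime; that is presumably intended, but the x509.h documentation for X509_time_adj_ex and X509_gmtime_adj should state that the type of `s` is not preserved. The unchecked `time(&t);` on the `else` path is pre-existing; if it is ever worth handling, `if (time(&t) == (time_t)-1) return NULL;` is the minimal guard. X509_time_adj_ex's signature starts before this hunk.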
@@ -528,7 +528,7 @@ static const X509_VERIFY_PARAM default_table[] = {
|
|
528
528
|
(char *)"default", /* X509 default parameters */
|
529
529
|
0, /* Check time */
|
530
530
|
0, /* internal flags */
|
531
|
-
|
531
|
+
X509_V_FLAG_TRUSTED_FIRST, /* flags */
|
532
532
|
0, /* purpose */
|
533
533
|
0, /* trust */
|
534
534
|
100, /* depth */
|
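Review bot: Placing `X509_V_FLAG_TRUSTED_FIRST` in the `flags` slot of the "default" table changes path building for every verification that inherits from that entry: an issuer found in the trust store is preferred over one with the same subject supplied in the untrusted list. That is a deliberate behaviour change rather than a defect, but nothing in the positional initializer says so; a comment on the line, `X509_V_FLAG_TRUSTED_FIRST, /* flags: prefer trust-store issuers when building the chain */`, plus a sentence in the x509_vfy.h documentation would make it visible to readers and to callers who build their own X509_VERIFY_PARAM. With the table initialized positionally, the trailing `/* flags */` comment is the only thing tying the value to its field; a designated initializer (`.flags = X509_V_FLAG_TRUSTED_FIRST`) would turn a mis-ordered edit into a compile error.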
@@ -64,6 +64,7 @@
|
|
64
64
|
#include <openssl/x509.h>
|
65
65
|
|
66
66
|
#include "../internal.h"
|
67
|
+
#include "internal.h"
|
67
68
|
|
68
69
|
|
69
70
|
int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid, char *buf,
|
@@ -367,10 +368,7 @@ int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
|
|
367
368
|
if (!i)
|
368
369
|
return (0);
|
369
370
|
if (type != V_ASN1_UNDEF) {
|
370
|
-
|
371
|
-
ne->value->type = ASN1_PRINTABLE_type(bytes, len);
|
372
|
-
else
|
373
|
-
ne->value->type = type;
|
371
|
+
ne->value->type = type;
|
374
372
|
}
|
375
373
|
return (1);
|
376
374
|
}
|
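Review bot: `ne->value->type = type;` now stores the caller's `type` verbatim for every value other than V_ASN1_UNDEF, whereas the removed branch derived the type from `bytes` for one sentinel value (its condition line is cut off in the rendered hunk; presumably V_ASN1_APP_CHOOSE, as in OpenSSL). If that sentinel is no longer supported, a caller still passing it gets an ASN1_STRING whose type tag is the sentinel itself instead of an error; an explicit check that returns 0 for it would fail loudly, and the x509.h comment on X509_NAME_ENTRY_set_data should say that `type` must be a concrete ASN.1 string type. X509_NAME_ENTRY_set_data starts before this hunk.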
@@ -140,7 +140,6 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey)
|
|
140
140
|
spki->signature, spki->spkac, pkey));
|
141
141
|
}
|
142
142
|
|
143
|
-
#ifndef OPENSSL_NO_FP_API
|
144
143
|
X509 *d2i_X509_fp(FILE *fp, X509 **x509)
|
145
144
|
{
|
146
145
|
return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509), fp, x509);
|
@@ -150,7 +149,6 @@ int i2d_X509_fp(FILE *fp, X509 *x509)
|
|
150
149
|
{
|
151
150
|
return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509), fp, x509);
|
152
151
|
}
|
153
|
-
#endif
|
154
152
|
|
155
153
|
X509 *d2i_X509_bio(BIO *bp, X509 **x509)
|
156
154
|
{
|
@@ -162,7 +160,6 @@ int i2d_X509_bio(BIO *bp, X509 *x509)
|
|
162
160
|
return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509), bp, x509);
|
163
161
|
}
|
164
162
|
|
165
|
-
#ifndef OPENSSL_NO_FP_API
|
166
163
|
X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl)
|
167
164
|
{
|
168
165
|
return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
|
@@ -172,7 +169,6 @@ int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl)
|
|
172
169
|
{
|
173
170
|
return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
|
174
171
|
}
|
175
|
-
#endif
|
176
172
|
|
177
173
|
X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl)
|
178
174
|
{
|
@@ -184,7 +180,6 @@ int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl)
|
|
184
180
|
return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
|
185
181
|
}
|
186
182
|
|
187
|
-
#ifndef OPENSSL_NO_FP_API
|
188
183
|
X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req)
|
189
184
|
{
|
190
185
|
return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
|
@@ -194,7 +189,6 @@ int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req)
|
|
194
189
|
{
|
195
190
|
return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
|
196
191
|
}
|
197
|
-
#endif
|
198
192
|
|
199
193
|
X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req)
|
200
194
|
{
|
@@ -206,7 +200,6 @@ int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req)
|
|
206
200
|
return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
|
207
201
|
}
|
208
202
|
|
209
|
-
#ifndef OPENSSL_NO_FP_API
|
210
203
|
|
211
204
|
#define IMPLEMENT_D2I_FP(type, name, bio_func) \
|
212
205
|
type *name(FILE *fp, type **obj) { \
|
@@ -238,7 +231,6 @@ IMPLEMENT_I2D_FP(RSA, i2d_RSAPublicKey_fp, i2d_RSAPublicKey_bio)
|
|
238
231
|
|
239
232
|
IMPLEMENT_D2I_FP(RSA, d2i_RSA_PUBKEY_fp, d2i_RSA_PUBKEY_bio)
|
240
233
|
IMPLEMENT_I2D_FP(RSA, i2d_RSA_PUBKEY_fp, i2d_RSA_PUBKEY_bio)
|
241
|
-
#endif
|
242
234
|
|
243
235
|
#define IMPLEMENT_D2I_BIO(type, name, d2i_func) \
|
244
236
|
type *name(BIO *bio, type **obj) { \
|
@@ -275,13 +267,11 @@ IMPLEMENT_D2I_BIO(RSA, d2i_RSA_PUBKEY_bio, d2i_RSA_PUBKEY)
|
|
275
267
|
IMPLEMENT_I2D_BIO(RSA, i2d_RSA_PUBKEY_bio, i2d_RSA_PUBKEY)
|
276
268
|
|
277
269
|
#ifndef OPENSSL_NO_DSA
|
278
|
-
# ifndef OPENSSL_NO_FP_API
|
279
270
|
IMPLEMENT_D2I_FP(DSA, d2i_DSAPrivateKey_fp, d2i_DSAPrivateKey_bio)
|
280
271
|
IMPLEMENT_I2D_FP(DSA, i2d_DSAPrivateKey_fp, i2d_DSAPrivateKey_bio)
|
281
272
|
|
282
273
|
IMPLEMENT_D2I_FP(DSA, d2i_DSA_PUBKEY_fp, d2i_DSA_PUBKEY_bio)
|
283
274
|
IMPLEMENT_I2D_FP(DSA, i2d_DSA_PUBKEY_fp, i2d_DSA_PUBKEY_bio)
|
284
|
-
# endif
|
285
275
|
|
286
276
|
IMPLEMENT_D2I_BIO(DSA, d2i_DSAPrivateKey_bio, d2i_DSAPrivateKey)
|
287
277
|
IMPLEMENT_I2D_BIO(DSA, i2d_DSAPrivateKey_bio, i2d_DSAPrivateKey)
|
@@ -290,13 +280,11 @@ IMPLEMENT_D2I_BIO(DSA, d2i_DSA_PUBKEY_bio, d2i_DSA_PUBKEY)
|
|
290
280
|
IMPLEMENT_I2D_BIO(DSA, i2d_DSA_PUBKEY_bio, i2d_DSA_PUBKEY)
|
291
281
|
#endif
|
292
282
|
|
293
|
-
#ifndef OPENSSL_NO_FP_API
|
294
283
|
IMPLEMENT_D2I_FP(EC_KEY, d2i_ECPrivateKey_fp, d2i_ECPrivateKey_bio)
|
295
284
|
IMPLEMENT_I2D_FP(EC_KEY, i2d_ECPrivateKey_fp, i2d_ECPrivateKey_bio)
|
296
285
|
|
297
286
|
IMPLEMENT_D2I_FP(EC_KEY, d2i_EC_PUBKEY_fp, d2i_EC_PUBKEY_bio)
|
298
287
|
IMPLEMENT_I2D_FP(EC_KEY, i2d_EC_PUBKEY_fp, i2d_EC_PUBKEY_bio)
|
299
|
-
#endif
|
300
288
|
|
301
289
|
IMPLEMENT_D2I_BIO(EC_KEY, d2i_ECPrivateKey_bio, d2i_ECPrivateKey)
|
302
290
|
IMPLEMENT_I2D_BIO(EC_KEY, i2d_ECPrivateKey_bio, i2d_ECPrivateKey)
|
@@ -342,15 +330,12 @@ int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type,
|
|
342
330
|
(ASN1_ITEM_rptr(X509_NAME), type, (char *)data, md, len));
|
343
331
|
}
|
344
332
|
|
345
|
-
#ifndef OPENSSL_NO_FP_API
|
346
333
|
IMPLEMENT_D2I_FP(X509_SIG, d2i_PKCS8_fp, d2i_PKCS8_bio)
|
347
334
|
IMPLEMENT_I2D_FP(X509_SIG, i2d_PKCS8_fp, i2d_PKCS8_bio)
|
348
|
-
#endif
|
349
335
|
|
350
336
|
IMPLEMENT_D2I_BIO(X509_SIG, d2i_PKCS8_bio, d2i_X509_SIG)
|
351
337
|
IMPLEMENT_I2D_BIO(X509_SIG, i2d_PKCS8_bio, i2d_X509_SIG)
|
352
338
|
|
353
|
-
#ifndef OPENSSL_NO_FP_API
|
354
339
|
IMPLEMENT_D2I_FP(PKCS8_PRIV_KEY_INFO, d2i_PKCS8_PRIV_KEY_INFO_fp,
|
355
340
|
d2i_PKCS8_PRIV_KEY_INFO_bio)
|
356
341
|
IMPLEMENT_I2D_FP(PKCS8_PRIV_KEY_INFO, i2d_PKCS8_PRIV_KEY_INFO_fp,
|
@@ -390,7 +375,6 @@ int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key)
|
|
390
375
|
PKCS8_PRIV_KEY_INFO_free(p8inf);
|
391
376
|
return ret;
|
392
377
|
}
|
393
|
-
#endif
|
394
378
|
|
395
379
|
IMPLEMENT_D2I_BIO(EVP_PKEY, d2i_PrivateKey_bio, d2i_AutoPrivateKey)
|
396
380
|
IMPLEMENT_I2D_BIO(EVP_PKEY, i2d_PrivateKey_bio, i2d_PrivateKey)
|
@@ -68,6 +68,7 @@
|
|
68
68
|
|
69
69
|
#include "../asn1/internal.h"
|
70
70
|
#include "../internal.h"
|
71
|
+
#include "internal.h"
|
71
72
|
|
72
73
|
|
73
74
|
typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
|
@@ -260,17 +261,13 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
|
|
260
261
|
static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out,
|
261
262
|
const ASN1_ITEM *it, int tag, int aclass)
|
262
263
|
{
|
263
|
-
int ret;
|
264
264
|
X509_NAME *a = (X509_NAME *)*val;
|
265
|
-
if (a->modified
|
266
|
-
|
267
|
-
|
268
|
-
|
269
|
-
ret = x509_name_canon(a);
|
270
|
-
if (ret < 0)
|
271
|
-
return ret;
|
265
|
+
if (a->modified &&
|
266
|
+
(!x509_name_encode(a) ||
|
267
|
+
!x509_name_canon(a))) {
|
268
|
+
return -1;
|
272
269
|
}
|
273
|
-
ret = a->bytes->length;
|
270
|
+
int ret = a->bytes->length;
|
274
271
|
if (out != NULL) {
|
275
272
|
OPENSSL_memcpy(*out, a->bytes->data, ret);
|
276
273
|
*out += ret;
|
@@ -306,22 +303,29 @@ static int x509_name_encode(X509_NAME *a)
|
|
306
303
|
goto memerr;
|
307
304
|
}
|
308
305
|
ASN1_VALUE *intname_val = (ASN1_VALUE *)intname;
|
309
|
-
len =
|
310
|
-
|
306
|
+
len =
|
307
|
+
ASN1_item_ex_i2d(&intname_val, NULL, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
|
308
|
+
/*tag=*/-1, /*aclass=*/0);
|
309
|
+
if (len <= 0) {
|
310
|
+
goto err;
|
311
|
+
}
|
311
312
|
if (!BUF_MEM_grow(a->bytes, len))
|
312
313
|
goto memerr;
|
313
314
|
p = (unsigned char *)a->bytes->data;
|
314
|
-
ASN1_item_ex_i2d(&intname_val,
|
315
|
-
|
315
|
+
if (ASN1_item_ex_i2d(&intname_val, &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
|
316
|
+
/*tag=*/-1, /*aclass=*/0) <= 0) {
|
317
|
+
goto err;
|
318
|
+
}
|
316
319
|
sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname,
|
317
320
|
local_sk_X509_NAME_ENTRY_free);
|
318
321
|
a->modified = 0;
|
319
|
-
return
|
322
|
+
return 1;
|
320
323
|
memerr:
|
324
|
+
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
325
|
+
err:
|
321
326
|
sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname,
|
322
327
|
local_sk_X509_NAME_ENTRY_free);
|
323
|
-
|
324
|
-
return -1;
|
328
|
+
return 0;
|
325
329
|
}
|
326
330
|
|
327
331
|
/*
|
@@ -503,8 +507,8 @@ static int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) * _intname,
|
|
503
507
|
len = 0;
|
504
508
|
for (i = 0; i < sk_ASN1_VALUE_num(intname); i++) {
|
505
509
|
v = sk_ASN1_VALUE_value(intname, i);
|
506
|
-
ltmp = ASN1_item_ex_i2d(&v, in,
|
507
|
-
|
510
|
+
ltmp = ASN1_item_ex_i2d(&v, in, ASN1_ITEM_rptr(X509_NAME_ENTRIES),
|
511
|
+
/*tag=*/-1, /*aclass=*/0);
|
508
512
|
if (ltmp < 0)
|
509
513
|
return ltmp;
|
510
514
|
len += ltmp;
|
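Review bot: The second `ASN1_item_ex_i2d(&intname_val, &p, ...)` call in x509_name_encode is only checked for `<= 0`; its result is never compared with the `len` returned by the sizing pass, yet the length that x509_name_ex_i2d later copies out is `a->bytes->length`, which BUF_MEM_grow set to `len`. The two passes should agree, but if they ever differed the stored length would not match the bytes actually written; the comparison is free, `if (ASN1_item_ex_i2d(&intname_val, &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), /*tag=*/-1, /*aclass=*/0) != len) { goto err; }`. x509_name_encode starts before this hunk.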
@@ -69,6 +69,7 @@
|
|
69
69
|
#include <openssl/x509v3.h>
|
70
70
|
|
71
71
|
#include "../internal.h"
|
72
|
+
#include "internal.h"
|
72
73
|
|
73
74
|
static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
|
74
75
|
|
@@ -128,14 +129,14 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
|
|
128
129
|
}
|
129
130
|
}
|
130
131
|
|
131
|
-
/* Per
|
132
|
+
/* Per RFC 5280, section 4.1.2.8, these fields require v2 or v3. */
|
132
133
|
if (version == 0 && (ret->cert_info->issuerUID != NULL ||
|
133
134
|
ret->cert_info->subjectUID != NULL)) {
|
134
135
|
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
|
135
136
|
return 0;
|
136
137
|
}
|
137
138
|
|
138
|
-
/* Per
|
139
|
+
/* Per RFC 5280, section 4.1.2.9, extensions require v3. */
|
139
140
|
if (version != 2 && ret->cert_info->extensions != NULL) {
|
140
141
|
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
|
141
142
|
return 0;
|
@@ -288,13 +289,15 @@ static int i2d_x509_aux_internal(X509 *a, unsigned char **pp)
|
|
288
289
|
return length;
|
289
290
|
}
|
290
291
|
|
291
|
-
|
292
|
-
|
293
|
-
if (
|
294
|
-
|
295
|
-
|
292
|
+
if (a->aux != NULL) {
|
293
|
+
tmplen = i2d_X509_CERT_AUX(a->aux, pp);
|
294
|
+
if (tmplen < 0) {
|
295
|
+
if (start != NULL)
|
296
|
+
*pp = start;
|
297
|
+
return tmplen;
|
298
|
+
}
|
299
|
+
length += tmplen;
|
296
300
|
}
|
297
|
-
length += tmplen;
|
298
301
|
|
299
302
|
return length;
|
300
303
|
}
|
@@ -17,6 +17,8 @@
|
|
17
17
|
|
18
18
|
#include <openssl/base.h>
|
19
19
|
|
20
|
+
#include <openssl/conf.h>
|
21
|
+
|
20
22
|
#if defined(__cplusplus)
|
21
23
|
extern "C" {
|
22
24
|
#endif
|
@@ -60,6 +62,20 @@ int x509v3_cache_extensions(X509 *x);
|
|
60
62
|
// to all 16 bytes of |ipout| and returns 16. Otherwise, it returns zero.
|
61
63
|
int x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc);
|
62
64
|
|
65
|
+
// A |BIT_STRING_BITNAME| is used to contain a list of bit names.
|
66
|
+
typedef struct {
|
67
|
+
int bitnum;
|
68
|
+
const char *lname;
|
69
|
+
const char *sname;
|
70
|
+
} BIT_STRING_BITNAME;
|
71
|
+
|
72
|
+
// x509V3_add_value_asn1_string appends a |CONF_VALUE| with the specified name
|
73
|
+
// and value to |*extlist|. if |*extlist| is NULL, it sets |*extlist| to a
|
74
|
+
// newly-allocated |STACK_OF(CONF_VALUE)| first. It returns one on success and
|
75
|
+
// zero on error.
|
76
|
+
int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value,
|
77
|
+
STACK_OF(CONF_VALUE) **extlist);
|
78
|
+
|
63
79
|
|
64
80
|
#if defined(__cplusplus)
|
65
81
|
} /* extern C */
|
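Review bot: The new `BIT_STRING_BITNAME` fields are undocumented; `bitnum`, `lname` and `sname` only hint at their roles, and the struct comment says what the type is for but not what each field holds. Per-field comments along the lines of `int bitnum; // bit position within the BIT STRING`, `const char *lname; // long name of the bit`, `const char *sname; // short name of the bit` would let a reader use the table without finding its consumers (presumably the v3_bitst.c printing code, which is not in this chunk). In the `x509V3_add_value_asn1_string` comment, `if |*extlist| is NULL` should start with a capital `If`.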
@@ -79,7 +79,7 @@ void policy_data_free(X509_POLICY_DATA *data)
|
|
79
79
|
/*
|
80
80
|
* Create a data based on an existing policy. If 'id' is NULL use the oid in
|
81
81
|
* the policy, otherwise use 'id'. This behaviour covers the two types of
|
82
|
-
* data in
|
82
|
+
* data in RFC 3280: data with from a CertificatePolcies extension and
|
83
83
|
* additional data with just the qualifiers of anyPolicy and ID from another
|
84
84
|
* source.
|
85
85
|
*/
|
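Review bot: The rewritten comment line carries two typos on the new side: `data in RFC 3280: data with from a CertificatePolcies extension and` should read `data in RFC 3280: data from a CertificatePolicies extension and`.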
@@ -65,7 +65,7 @@ DEFINE_STACK_OF(X509_POLICY_DATA)
|
|
65
65
|
|
66
66
|
/*
|
67
67
|
* This structure and the field names correspond to the Policy 'node' of
|
68
|
-
*
|
68
|
+
* RFC 3280. NB this structure contains no pointers to parent or child data:
|
69
69
|
* X509_POLICY_NODE contains that. This means that the main policy data can
|
70
70
|
* be kept static and cached with the certificate.
|
71
71
|
*/
|
@@ -67,6 +67,7 @@
|
|
67
67
|
|
68
68
|
#include "pcy_int.h"
|
69
69
|
#include "../internal.h"
|
70
|
+
#include "../x509/internal.h"
|
70
71
|
|
71
72
|
/*
|
72
73
|
* Enable this to print out the complete policy tree at various point during
|
@@ -332,7 +333,7 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
|
|
332
333
|
}
|
333
334
|
|
334
335
|
/*
|
335
|
-
* This corresponds to
|
336
|
+
* This corresponds to RFC 3280 6.1.3(d)(1): link any data from
|
336
337
|
* CertificatePolicies onto matching parent or anyPolicy if no match.
|
337
338
|
*/
|
338
339
|
|
@@ -365,7 +366,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
|
|
365
366
|
}
|
366
367
|
|
367
368
|
/*
|
368
|
-
* This corresponds to
|
369
|
+
* This corresponds to RFC 3280 6.1.3(d)(2): Create new data for any unmatched
|
369
370
|
* policies in the parent and link to anyPolicy.
|
370
371
|
*/
|
371
372
|
|
@@ -500,7 +501,7 @@ static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
|
|
500
501
|
if (curr->flags & X509_V_FLAG_INHIBIT_MAP) {
|
501
502
|
for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
|
502
503
|
node = sk_X509_POLICY_NODE_value(nodes, i);
|
503
|
-
/* Delete any mapped data: see
|
504
|
+
/* Delete any mapped data: see RFC 3280 XXXX */
|
504
505
|
if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) {
|
505
506
|
node->parent->nchild--;
|
506
507
|
OPENSSL_free(node);
|
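Review bot: The rewritten comment `/* Delete any mapped data: see RFC 3280 XXXX */` keeps an `XXXX` placeholder where a section reference belongs, so the pointer it offers is a dead end for anyone checking this step against the RFC. Either name the section (presumably the policy-mapping processing in section 6.1.4 of RFC 3280, to be confirmed) or drop the reference, e.g. `/* Delete any mapped data: policy mapping is inhibited at this level. */`. tree_prune continues past this hunk.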
@@ -93,20 +93,39 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
|
|
93
93
|
STACK_OF(CONF_VALUE)
|
94
94
|
*extlist)
|
95
95
|
{
|
96
|
-
char *tmp;
|
96
|
+
char *tmp = NULL;
|
97
|
+
int extlist_was_null = extlist == NULL;
|
97
98
|
if (akeyid->keyid) {
|
98
99
|
tmp = x509v3_bytes_to_hex(akeyid->keyid->data, akeyid->keyid->length);
|
99
|
-
X509V3_add_value("keyid", tmp, &extlist);
|
100
|
+
int ok = tmp != NULL && X509V3_add_value("keyid", tmp, &extlist);
|
100
101
|
OPENSSL_free(tmp);
|
102
|
+
if (!ok) {
|
103
|
+
goto err;
|
104
|
+
}
|
105
|
+
}
|
106
|
+
if (akeyid->issuer) {
|
107
|
+
STACK_OF(CONF_VALUE) *tmpextlist =
|
108
|
+
i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
|
109
|
+
if (tmpextlist == NULL) {
|
110
|
+
goto err;
|
111
|
+
}
|
112
|
+
extlist = tmpextlist;
|
101
113
|
}
|
102
|
-
if (akeyid->issuer)
|
103
|
-
extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
|
104
114
|
if (akeyid->serial) {
|
105
115
|
tmp = x509v3_bytes_to_hex(akeyid->serial->data, akeyid->serial->length);
|
106
|
-
X509V3_add_value("serial", tmp, &extlist);
|
116
|
+
int ok = tmp != NULL && X509V3_add_value("serial", tmp, &extlist);
|
107
117
|
OPENSSL_free(tmp);
|
118
|
+
if (!ok) {
|
119
|
+
goto err;
|
120
|
+
}
|
108
121
|
}
|
109
122
|
return extlist;
|
123
|
+
|
124
|
+
err:
|
125
|
+
if (extlist_was_null) {
|
126
|
+
sk_CONF_VALUE_pop_free(extlist, X509V3_conf_free);
|
127
|
+
}
|
128
|
+
return NULL;
|
110
129
|
}
|
111
130
|
|
112
131
|
/*
|
@@ -104,11 +104,17 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
|
|
104
104
|
GENERAL_NAMES *gens,
|
105
105
|
STACK_OF(CONF_VALUE) *ret)
|
106
106
|
{
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
107
|
+
int ret_was_null = ret == NULL;
|
108
|
+
for (size_t i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
|
109
|
+
GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);
|
110
|
+
STACK_OF(CONF_VALUE) *tmp = i2v_GENERAL_NAME(method, gen, ret);
|
111
|
+
if (tmp == NULL) {
|
112
|
+
if (ret_was_null) {
|
113
|
+
sk_CONF_VALUE_pop_free(ret, X509V3_conf_free);
|
114
|
+
}
|
115
|
+
return NULL;
|
116
|
+
}
|
117
|
+
ret = tmp;
|
112
118
|
}
|
113
119
|
if (!ret)
|
114
120
|
return sk_CONF_VALUE_new_null();
|
@@ -119,6 +125,9 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
|
|
119
125
|
GENERAL_NAME *gen,
|
120
126
|
STACK_OF(CONF_VALUE) *ret)
|
121
127
|
{
|
128
|
+
/* Note the error-handling for this function relies on there being at most
|
129
|
+
* one |X509V3_add_value| call. If there were two and the second failed, we
|
130
|
+
* would need to sometimes free the first call's result. */
|
122
131
|
unsigned char *p;
|
123
132
|
char oline[256], htmp[5];
|
124
133
|
int i;
|
@@ -139,17 +148,17 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
|
|
139
148
|
break;
|
140
149
|
|
141
150
|
case GEN_EMAIL:
|
142
|
-
if (!
|
151
|
+
if (!x509V3_add_value_asn1_string("email", gen->d.ia5, &ret))
|
143
152
|
return NULL;
|
144
153
|
break;
|
145
154
|
|
146
155
|
case GEN_DNS:
|
147
|
-
if (!
|
156
|
+
if (!x509V3_add_value_asn1_string("DNS", gen->d.ia5, &ret))
|
148
157
|
return NULL;
|
149
158
|
break;
|
150
159
|
|
151
160
|
case GEN_URI:
|
152
|
-
if (!
|
161
|
+
if (!x509V3_add_value_asn1_string("URI", gen->d.ia5, &ret))
|
153
162
|
return NULL;
|
154
163
|
break;
|
155
164
|
|
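Review bot: In i2v_GENERAL_NAMES the recovery on `tmp == NULL` frees `ret` only when it was NULL on entry, which is right for the list this function owns, but it relies on i2v_GENERAL_NAME not having allocated anything that the caller cannot see. The comment added to i2v_GENERAL_NAME explains why a single add call keeps that true, yet if `X509V3_add_value` allocates `*extlist` itself when `ret` is NULL and then fails to push, that fresh stack is unreachable once `return NULL` runs; worth confirming that `X509V3_add_value` frees what it allocated on that path, or stating it in its documentation. The new comment would also read better as a contract line, `/* On failure, the list passed in |ret| is left as the caller supplied it. */`. i2v_GENERAL_NAME continues past this hunk.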
@@ -432,8 +432,8 @@ static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
|
|
432
432
|
qualinfo = sk_POLICYQUALINFO_value(quals, i);
|
433
433
|
switch (OBJ_obj2nid(qualinfo->pqualid)) {
|
434
434
|
case NID_id_qt_cps:
|
435
|
-
BIO_printf(out, "%*sCPS:
|
436
|
-
qualinfo->d.cpsuri->data);
|
435
|
+
BIO_printf(out, "%*sCPS: %.*s\n", indent, "",
|
436
|
+
qualinfo->d.cpsuri->length, qualinfo->d.cpsuri->data);
|
437
437
|
break;
|
438
438
|
|
439
439
|
case NID_id_qt_unotice:
|
@@ -457,8 +457,8 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)
|
|
457
457
|
if (notice->noticeref) {
|
458
458
|
NOTICEREF *ref;
|
459
459
|
ref = notice->noticeref;
|
460
|
-
BIO_printf(out, "%*sOrganization:
|
461
|
-
ref->organization->data);
|
460
|
+
BIO_printf(out, "%*sOrganization: %.*s\n", indent, "",
|
461
|
+
ref->organization->length, ref->organization->data);
|
462
462
|
BIO_printf(out, "%*sNumber%s: ", indent, "",
|
463
463
|
sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
|
464
464
|
for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
|
@@ -480,8 +480,8 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)
|
|
480
480
|
BIO_puts(out, "\n");
|
481
481
|
}
|
482
482
|
if (notice->exptext)
|
483
|
-
BIO_printf(out, "%*sExplicit Text:
|
484
|
-
notice->exptext->data);
|
483
|
+
BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",
|
484
|
+
notice->exptext->length, notice->exptext->data);
|
485
485
|
}
|
486
486
|
|
487
487
|
void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
|