grpc 1.41.0 → 1.41.1
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +4 -3
- data/etc/roots.pem +335 -326
- data/src/ruby/ext/grpc/extconf.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/err_data.c +278 -272
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +15 -22
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +13 -7
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +19 -29
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/a_strex.c +268 -271
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +6 -43
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +0 -39
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/charmap.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +289 -198
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +9 -13
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -17
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +9 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +45 -65
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +21 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +5 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +10 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +24 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +12 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +0 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +0 -8
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/internal.h +16 -7
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7.c +9 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +151 -12
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +181 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +246 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +11 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +0 -179
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +0 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +11 -50
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +0 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +22 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_int.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +24 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +17 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +112 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +71 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +304 -192
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +2 -9
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +5 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +3 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +9 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +8 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/hkdf.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +9 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -20
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +12 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +37 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +26 -12
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +31 -32
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +50 -76
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +0 -131
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +48 -8
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +266 -357
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +90 -152
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +15 -13
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +75 -79
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +96 -97
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +63 -43
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +6 -12
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +14 -16
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +14 -27
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +203 -203
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +30 -41
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +47 -33
- metadata +39 -38
@@ -1262,12 +1262,14 @@ static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value,
|
|
1262
1262
|
// values for d.
|
1263
1263
|
} while (BN_cmp(rsa->d, pow2_prime_bits) <= 0);
|
1264
1264
|
|
1265
|
+
assert(BN_num_bits(pm1) == (unsigned)prime_bits);
|
1266
|
+
assert(BN_num_bits(qm1) == (unsigned)prime_bits);
|
1265
1267
|
if (// Calculate n.
|
1266
1268
|
!bn_mul_consttime(rsa->n, rsa->p, rsa->q, ctx) ||
|
1267
1269
|
// Calculate d mod (p-1).
|
1268
|
-
!bn_div_consttime(NULL, rsa->dmp1, rsa->d, pm1, ctx) ||
|
1270
|
+
!bn_div_consttime(NULL, rsa->dmp1, rsa->d, pm1, prime_bits, ctx) ||
|
1269
1271
|
// Calculate d mod (q-1)
|
1270
|
-
!bn_div_consttime(NULL, rsa->dmq1, rsa->d, qm1, ctx)) {
|
1272
|
+
!bn_div_consttime(NULL, rsa->dmq1, rsa->d, qm1, prime_bits, ctx)) {
|
1271
1273
|
goto bn_err;
|
1272
1274
|
}
|
1273
1275
|
bn_set_minimal_width(rsa->n);
|
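Review bot: The two asserts added at new lines 1265–1266 are the only justification for the new `prime_bits` argument to both `bn_div_consttime` calls, and they compile out under NDEBUG, so release builds pass that value unchecked. Assuming the extra parameter is a bound on the divisor's bit length (its declaration is not in this hunk), the precondition deserves a comment next to the asserts, e.g. `// |pm1| and |qm1| have exactly |prime_bits| bits; that width is public, so it is safe to pass as the divisor bound.` `rsa_generate_key_impl` starts and ends outside the hunk, so how the primes are constrained to that width is not visible here.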
@@ -324,22 +324,15 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) {
|
|
324
324
|
}
|
325
325
|
|
326
326
|
char *OPENSSL_strndup(const char *str, size_t size) {
|
327
|
-
char *ret;
|
328
|
-
size_t alloc_size;
|
329
|
-
|
330
|
-
if (str == NULL) {
|
331
|
-
return NULL;
|
332
|
-
}
|
333
|
-
|
334
327
|
size = OPENSSL_strnlen(str, size);
|
335
328
|
|
336
|
-
alloc_size = size + 1;
|
329
|
+
size_t alloc_size = size + 1;
|
337
330
|
if (alloc_size < size) {
|
338
331
|
// overflow
|
339
332
|
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_MALLOC_FAILURE);
|
340
333
|
return NULL;
|
341
334
|
}
|
342
|
-
ret = OPENSSL_malloc(alloc_size);
|
335
|
+
char *ret = OPENSSL_malloc(alloc_size);
|
343
336
|
if (ret == NULL) {
|
344
337
|
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_MALLOC_FAILURE);
|
345
338
|
return NULL;
|
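Review bot: `OPENSSL_strndup` no longer returns NULL for a NULL `str`: the guard at old lines 330–332 is removed and the new body begins with `OPENSSL_strnlen(str, size)`. A NULL argument with a non-zero `size` would then be dereferenced, assuming `OPENSSL_strnlen` does not check for NULL itself (it is not shown in this hunk). Any caller that relied on the old behaviour turns from a clean failure into a crash, so either keep `if (str == NULL) { return NULL; }` ahead of the length computation or document in the header that `str` must be non-NULL. The end of the function lies outside the hunk.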
@@ -387,3 +380,13 @@ void *OPENSSL_memdup(const void *data, size_t size) {
|
|
387
380
|
OPENSSL_memcpy(ret, data, size);
|
388
381
|
return ret;
|
389
382
|
}
|
383
|
+
|
384
|
+
void *CRYPTO_malloc(size_t size, const char *file, int line) {
|
385
|
+
return OPENSSL_malloc(size);
|
386
|
+
}
|
387
|
+
|
388
|
+
void *CRYPTO_realloc(void *ptr, size_t new_size, const char *file, int line) {
|
389
|
+
return OPENSSL_realloc(ptr, new_size);
|
390
|
+
}
|
391
|
+
|
392
|
+
void CRYPTO_free(void *ptr, const char *file, int line) { OPENSSL_free(ptr); }
|
@@ -157,8 +157,6 @@ RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **rsa, pem_password_cb *cb,
|
|
157
157
|
return pkey_get_rsa(pktmp, rsa);
|
158
158
|
}
|
159
159
|
|
160
|
-
#ifndef OPENSSL_NO_FP_API
|
161
|
-
|
162
160
|
RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb, void *u)
|
163
161
|
{
|
164
162
|
EVP_PKEY *pktmp;
|
@@ -166,8 +164,6 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb, void *u)
|
|
166
164
|
return pkey_get_rsa(pktmp, rsa);
|
167
165
|
}
|
168
166
|
|
169
|
-
#endif
|
170
|
-
|
171
167
|
IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA,
|
172
168
|
RSAPrivateKey)
|
173
169
|
|
@@ -205,7 +201,6 @@ IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA,
|
|
205
201
|
DSAPrivateKey)
|
206
202
|
|
207
203
|
IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
|
208
|
-
# ifndef OPENSSL_NO_FP_API
|
209
204
|
DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **dsa, pem_password_cb *cb, void *u)
|
210
205
|
{
|
211
206
|
EVP_PKEY *pktmp;
|
@@ -213,8 +208,6 @@ DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **dsa, pem_password_cb *cb, void *u)
|
|
213
208
|
return pkey_get_dsa(pktmp, dsa); /* will free pktmp */
|
214
209
|
}
|
215
210
|
|
216
|
-
# endif
|
217
|
-
|
218
211
|
IMPLEMENT_PEM_rw_const(DSAparams, DSA, PEM_STRING_DSAPARAMS, DSAparams)
|
219
212
|
#endif
|
220
213
|
static EC_KEY *pkey_get_eckey(EVP_PKEY *key, EC_KEY **eckey)
|
@@ -245,7 +238,6 @@ IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY,
|
|
245
238
|
ECPrivateKey)
|
246
239
|
|
247
240
|
IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
|
248
|
-
#ifndef OPENSSL_NO_FP_API
|
249
241
|
EC_KEY *PEM_read_ECPrivateKey(FILE *fp, EC_KEY **eckey, pem_password_cb *cb,
|
250
242
|
void *u)
|
251
243
|
{
|
@@ -254,7 +246,6 @@ EC_KEY *PEM_read_ECPrivateKey(FILE *fp, EC_KEY **eckey, pem_password_cb *cb,
|
|
254
246
|
return pkey_get_eckey(pktmp, eckey); /* will free pktmp */
|
255
247
|
}
|
256
248
|
|
257
|
-
#endif
|
258
249
|
|
259
250
|
IMPLEMENT_PEM_write_const(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)
|
260
251
|
|
@@ -70,7 +70,6 @@
|
|
70
70
|
#include <openssl/rsa.h>
|
71
71
|
#include <openssl/x509.h>
|
72
72
|
|
73
|
-
#ifndef OPENSSL_NO_FP_API
|
74
73
|
STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
|
75
74
|
pem_password_cb *cb, void *u)
|
76
75
|
{
|
@@ -83,7 +82,6 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
|
|
83
82
|
BIO_free(b);
|
84
83
|
return ret;
|
85
84
|
}
|
86
|
-
#endif
|
87
85
|
|
88
86
|
enum parse_result_t {
|
89
87
|
parse_ok,
|
@@ -117,7 +117,6 @@ void PEM_dek_info(char *buf, const char *type, int len, char *str)
|
|
117
117
|
buf[j + i * 2 + 1] = '\0';
|
118
118
|
}
|
119
119
|
|
120
|
-
#ifndef OPENSSL_NO_FP_API
|
121
120
|
void *PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x,
|
122
121
|
pem_password_cb *cb, void *u)
|
123
122
|
{
|
@@ -130,7 +129,6 @@ void *PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x,
|
|
130
129
|
BIO_free(b);
|
131
130
|
return ret;
|
132
131
|
}
|
133
|
-
#endif
|
134
132
|
|
135
133
|
static int check_pem(const char *nm, const char *name)
|
136
134
|
{
|
@@ -252,7 +250,6 @@ int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm,
|
|
252
250
|
return ret;
|
253
251
|
}
|
254
252
|
|
255
|
-
#ifndef OPENSSL_NO_FP_API
|
256
253
|
int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp,
|
257
254
|
void *x, const EVP_CIPHER *enc, unsigned char *kstr,
|
258
255
|
int klen, pem_password_cb *callback, void *u)
|
@@ -266,7 +263,6 @@ int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp,
|
|
266
263
|
BIO_free(b);
|
267
264
|
return ret;
|
268
265
|
}
|
269
|
-
#endif
|
270
266
|
|
271
267
|
int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
|
272
268
|
void *x, const EVP_CIPHER *enc, unsigned char *kstr,
|
@@ -507,7 +503,6 @@ static int load_iv(char **fromp, unsigned char *to, int num)
|
|
507
503
|
return (1);
|
508
504
|
}
|
509
505
|
|
510
|
-
#ifndef OPENSSL_NO_FP_API
|
511
506
|
int PEM_write(FILE *fp, const char *name, const char *header,
|
512
507
|
const unsigned char *data, long len)
|
513
508
|
{
|
@@ -520,7 +515,6 @@ int PEM_write(FILE *fp, const char *name, const char *header,
|
|
520
515
|
BIO_free(b);
|
521
516
|
return (ret);
|
522
517
|
}
|
523
|
-
#endif
|
524
518
|
|
525
519
|
int PEM_write_bio(BIO *bp, const char *name, const char *header,
|
526
520
|
const unsigned char *data, long len)
|
@@ -578,7 +572,6 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header,
|
|
578
572
|
return (0);
|
579
573
|
}
|
580
574
|
|
581
|
-
#ifndef OPENSSL_NO_FP_API
|
582
575
|
int PEM_read(FILE *fp, char **name, char **header, unsigned char **data,
|
583
576
|
long *len)
|
584
577
|
{
|
@@ -591,7 +584,6 @@ int PEM_read(FILE *fp, char **name, char **header, unsigned char **data,
|
|
591
584
|
BIO_free(b);
|
592
585
|
return (ret);
|
593
586
|
}
|
594
|
-
#endif
|
595
587
|
|
596
588
|
int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,
|
597
589
|
long *len)
|
@@ -190,7 +190,6 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
|
|
190
190
|
return ret;
|
191
191
|
}
|
192
192
|
|
193
|
-
#ifndef OPENSSL_NO_FP_API
|
194
193
|
|
195
194
|
int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
|
196
195
|
char *kstr, int klen, pem_password_cb *cb, void *u)
|
@@ -248,7 +247,6 @@ EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb,
|
|
248
247
|
return ret;
|
249
248
|
}
|
250
249
|
|
251
|
-
#endif
|
252
250
|
|
253
251
|
IMPLEMENT_PEM_rw(PKCS8, X509_SIG, PEM_STRING_PKCS8, X509_SIG)
|
254
252
|
|
@@ -150,7 +150,6 @@ int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
|
|
150
150
|
return PEM_write_bio_PKCS8PrivateKey(bp, x, enc, (char *)kstr, klen, cb, u);
|
151
151
|
}
|
152
152
|
|
153
|
-
#ifndef OPENSSL_NO_FP_API
|
154
153
|
EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, pem_password_cb *cb,
|
155
154
|
void *u)
|
156
155
|
{
|
@@ -178,7 +177,6 @@ int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
|
|
178
177
|
return ret;
|
179
178
|
}
|
180
179
|
|
181
|
-
#endif
|
182
180
|
|
183
181
|
/* Transparently read in PKCS#3 or X9.42 DH parameters */
|
184
182
|
|
@@ -203,7 +201,6 @@ DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u)
|
|
203
201
|
return ret;
|
204
202
|
}
|
205
203
|
|
206
|
-
#ifndef OPENSSL_NO_FP_API
|
207
204
|
DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u)
|
208
205
|
{
|
209
206
|
BIO *b = BIO_new_fp(fp, BIO_NOCLOSE);
|
@@ -215,4 +212,3 @@ DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u)
|
|
215
212
|
BIO_free(b);
|
216
213
|
return ret;
|
217
214
|
}
|
218
|
-
#endif
|
@@ -32,14 +32,23 @@ extern "C" {
|
|
32
32
|
// NULL.
|
33
33
|
int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs);
|
34
34
|
|
35
|
-
//
|
36
|
-
//
|
37
|
-
//
|
38
|
-
// error.
|
35
|
+
// pkcs7_add_signed_data writes a PKCS#7, SignedData structure to |out|. While
|
36
|
+
// doing so it makes callbacks to let the caller fill in parts of the structure.
|
37
|
+
// All callbacks are ignored if NULL and return one on success or zero on error.
|
39
38
|
//
|
40
|
-
//
|
41
|
-
|
42
|
-
|
39
|
+
// digest_algos_cb: may write AlgorithmIdentifiers into the given CBB, which
|
40
|
+
// is a SET of digest algorithms.
|
41
|
+
// cert_crl_cb: may write the |certificates| or |crls| fields.
|
42
|
+
// (See https://datatracker.ietf.org/doc/html/rfc2315#section-9.1)
|
43
|
+
// signer_infos_cb: may write the contents of the |signerInfos| field.
|
44
|
+
// (See https://datatracker.ietf.org/doc/html/rfc2315#section-9.1)
|
45
|
+
//
|
46
|
+
// pkcs7_add_signed_data returns one on success or zero on error.
|
47
|
+
int pkcs7_add_signed_data(CBB *out,
|
48
|
+
int (*digest_algos_cb)(CBB *out, const void *arg),
|
49
|
+
int (*cert_crl_cb)(CBB *out, const void *arg),
|
50
|
+
int (*signer_infos_cb)(CBB *out, const void *arg),
|
51
|
+
const void *arg);
|
43
52
|
|
44
53
|
|
45
54
|
#if defined(__cplusplus)
|
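Review bot: The new comment on `pkcs7_add_signed_data` describes the three callbacks as if they were symmetric, but the implementation hunk calls them with different containers: `digest_algos_cb(&digest_algos_set, arg)` and `signer_infos_cb(&signer_infos, arg)` receive a SET that is already open, while `cert_crl_cb(&seq, arg)` receives the enclosing SEQUENCE. A callback written from this documentation alone could emit bare certificates into the wrong level of the structure. Suggest adding a line such as `// Unlike the other callbacks, |cert_crl_cb| is passed the enclosing SignedData SEQUENCE and must add the tagged |certificates| or |crls| element itself.` It would also help to state that the same `arg` is passed to all three callbacks.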
@@ -131,8 +131,11 @@ err:
|
|
131
131
|
return ret;
|
132
132
|
}
|
133
133
|
|
134
|
-
int
|
135
|
-
|
134
|
+
int pkcs7_add_signed_data(CBB *out,
|
135
|
+
int (*digest_algos_cb)(CBB *out, const void *arg),
|
136
|
+
int (*cert_crl_cb)(CBB *out, const void *arg),
|
137
|
+
int (*signer_infos_cb)(CBB *out, const void *arg),
|
138
|
+
const void *arg) {
|
136
139
|
CBB outer_seq, oid, wrapped_seq, seq, version_bytes, digest_algos_set,
|
137
140
|
content_info, signer_infos;
|
138
141
|
|
@@ -147,11 +150,13 @@ int pkcs7_bundle(CBB *out, int (*cb)(CBB *out, const void *arg),
|
|
147
150
|
!CBB_add_asn1(&seq, &version_bytes, CBS_ASN1_INTEGER) ||
|
148
151
|
!CBB_add_u8(&version_bytes, 1) ||
|
149
152
|
!CBB_add_asn1(&seq, &digest_algos_set, CBS_ASN1_SET) ||
|
153
|
+
(digest_algos_cb != NULL && !digest_algos_cb(&digest_algos_set, arg)) ||
|
150
154
|
!CBB_add_asn1(&seq, &content_info, CBS_ASN1_SEQUENCE) ||
|
151
155
|
!CBB_add_asn1(&content_info, &oid, CBS_ASN1_OBJECT) ||
|
152
156
|
!CBB_add_bytes(&oid, kPKCS7Data, sizeof(kPKCS7Data)) ||
|
153
|
-
!
|
154
|
-
!CBB_add_asn1(&seq, &signer_infos, CBS_ASN1_SET)
|
157
|
+
(cert_crl_cb != NULL && !cert_crl_cb(&seq, arg)) ||
|
158
|
+
!CBB_add_asn1(&seq, &signer_infos, CBS_ASN1_SET) ||
|
159
|
+
(signer_infos_cb != NULL && !signer_infos_cb(&signer_infos, arg))) {
|
155
160
|
return 0;
|
156
161
|
}
|
157
162
|
|
@@ -20,6 +20,7 @@
|
|
20
20
|
#include <openssl/bytestring.h>
|
21
21
|
#include <openssl/err.h>
|
22
22
|
#include <openssl/mem.h>
|
23
|
+
#include <openssl/obj.h>
|
23
24
|
#include <openssl/pem.h>
|
24
25
|
#include <openssl/pool.h>
|
25
26
|
#include <openssl/stack.h>
|
@@ -197,7 +198,9 @@ static int pkcs7_bundle_certificates_cb(CBB *out, const void *arg) {
|
|
197
198
|
}
|
198
199
|
|
199
200
|
int PKCS7_bundle_certificates(CBB *out, const STACK_OF(X509) *certs) {
|
200
|
-
return
|
201
|
+
return pkcs7_add_signed_data(out, /*digest_algos_cb=*/NULL,
|
202
|
+
pkcs7_bundle_certificates_cb,
|
203
|
+
/*signer_infos_cb=*/NULL, certs);
|
201
204
|
}
|
202
205
|
|
203
206
|
static int pkcs7_bundle_crls_cb(CBB *out, const void *arg) {
|
@@ -228,7 +231,9 @@ static int pkcs7_bundle_crls_cb(CBB *out, const void *arg) {
|
|
228
231
|
}
|
229
232
|
|
230
233
|
int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls) {
|
231
|
-
return
|
234
|
+
return pkcs7_add_signed_data(out, /*digest_algos_cb=*/NULL,
|
235
|
+
pkcs7_bundle_crls_cb,
|
236
|
+
/*signer_infos_cb=*/NULL, crls);
|
232
237
|
}
|
233
238
|
|
234
239
|
static PKCS7 *pkcs7_new(CBS *cbs) {
|
@@ -362,26 +367,160 @@ int PKCS7_type_is_enveloped(const PKCS7 *p7) { return 0; }
|
|
362
367
|
int PKCS7_type_is_signed(const PKCS7 *p7) { return 1; }
|
363
368
|
int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7) { return 0; }
|
364
369
|
|
370
|
+
// write_sha256_ai writes an AlgorithmIdentifier for SHA-256 to
|
371
|
+
// |digest_algos_set|.
|
372
|
+
static int write_sha256_ai(CBB *digest_algos_set, const void *arg) {
|
373
|
+
CBB seq;
|
374
|
+
return CBB_add_asn1(digest_algos_set, &seq, CBS_ASN1_SEQUENCE) &&
|
375
|
+
OBJ_nid2cbb(&seq, NID_sha256) && //
|
376
|
+
// https://datatracker.ietf.org/doc/html/rfc5754#section-2
|
377
|
+
// "Implementations MUST generate SHA2 AlgorithmIdentifiers with absent
|
378
|
+
// parameters."
|
379
|
+
CBB_flush(digest_algos_set);
|
380
|
+
}
|
381
|
+
|
382
|
+
// sign_sha256 writes at most |max_out_sig| bytes of the signature of |data| by
|
383
|
+
// |pkey| to |out_sig| and sets |*out_sig_len| to the number of bytes written.
|
384
|
+
// It returns one on success or zero on error.
|
385
|
+
static int sign_sha256(uint8_t *out_sig, size_t *out_sig_len,
|
386
|
+
size_t max_out_sig, EVP_PKEY *pkey, BIO *data) {
|
387
|
+
static const size_t kBufSize = 4096;
|
388
|
+
uint8_t *buffer = OPENSSL_malloc(kBufSize);
|
389
|
+
if (!buffer) {
|
390
|
+
return 0;
|
391
|
+
}
|
392
|
+
|
393
|
+
EVP_MD_CTX ctx;
|
394
|
+
EVP_MD_CTX_init(&ctx);
|
395
|
+
|
396
|
+
int ret = 0;
|
397
|
+
if (!EVP_DigestSignInit(&ctx, NULL, EVP_sha256(), NULL, pkey)) {
|
398
|
+
goto out;
|
399
|
+
}
|
400
|
+
|
401
|
+
for (;;) {
|
402
|
+
const int n = BIO_read(data, buffer, kBufSize);
|
403
|
+
if (n == 0) {
|
404
|
+
break;
|
405
|
+
} else if (n < 0 || !EVP_DigestSignUpdate(&ctx, buffer, n)) {
|
406
|
+
goto out;
|
407
|
+
}
|
408
|
+
}
|
409
|
+
|
410
|
+
*out_sig_len = max_out_sig;
|
411
|
+
if (!EVP_DigestSignFinal(&ctx, out_sig, out_sig_len)) {
|
412
|
+
goto out;
|
413
|
+
}
|
414
|
+
|
415
|
+
ret = 1;
|
416
|
+
|
417
|
+
out:
|
418
|
+
EVP_MD_CTX_cleanup(&ctx);
|
419
|
+
OPENSSL_free(buffer);
|
420
|
+
return ret;
|
421
|
+
}
|
422
|
+
|
423
|
+
struct signer_info_data {
|
424
|
+
const X509 *sign_cert;
|
425
|
+
uint8_t *signature;
|
426
|
+
size_t signature_len;
|
427
|
+
};
|
428
|
+
|
429
|
+
// write_signer_info writes the SignerInfo structure from
|
430
|
+
// https://datatracker.ietf.org/doc/html/rfc2315#section-9.2 to |out|. It
|
431
|
+
// returns one on success or zero on error.
|
432
|
+
static int write_signer_info(CBB *out, const void *arg) {
|
433
|
+
const struct signer_info_data *const si_data = arg;
|
434
|
+
|
435
|
+
int ret = 0;
|
436
|
+
uint8_t *subject_bytes = NULL;
|
437
|
+
uint8_t *serial_bytes = NULL;
|
438
|
+
|
439
|
+
const int subject_len =
|
440
|
+
i2d_X509_NAME(X509_get_subject_name(si_data->sign_cert), &subject_bytes);
|
441
|
+
const int serial_len = i2d_ASN1_INTEGER(
|
442
|
+
(ASN1_INTEGER *)X509_get0_serialNumber(si_data->sign_cert),
|
443
|
+
&serial_bytes);
|
444
|
+
|
445
|
+
CBB seq, issuer_and_serial, signing_algo, null, signature;
|
446
|
+
if (subject_len < 0 ||
|
447
|
+
serial_len < 0 ||
|
448
|
+
!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
|
449
|
+
// version
|
450
|
+
!CBB_add_asn1_uint64(&seq, 1) ||
|
451
|
+
!CBB_add_asn1(&seq, &issuer_and_serial, CBS_ASN1_SEQUENCE) ||
|
452
|
+
!CBB_add_bytes(&issuer_and_serial, subject_bytes, subject_len) ||
|
453
|
+
!CBB_add_bytes(&issuer_and_serial, serial_bytes, serial_len) ||
|
454
|
+
!write_sha256_ai(&seq, NULL) ||
|
455
|
+
!CBB_add_asn1(&seq, &signing_algo, CBS_ASN1_SEQUENCE) ||
|
456
|
+
!OBJ_nid2cbb(&signing_algo, NID_rsaEncryption) ||
|
457
|
+
!CBB_add_asn1(&signing_algo, &null, CBS_ASN1_NULL) ||
|
458
|
+
!CBB_add_asn1(&seq, &signature, CBS_ASN1_OCTETSTRING) ||
|
459
|
+
!CBB_add_bytes(&signature, si_data->signature, si_data->signature_len) ||
|
460
|
+
!CBB_flush(out)) {
|
461
|
+
goto out;
|
462
|
+
}
|
463
|
+
|
464
|
+
ret = 1;
|
465
|
+
|
466
|
+
out:
|
467
|
+
OPENSSL_free(subject_bytes);
|
468
|
+
OPENSSL_free(serial_bytes);
|
469
|
+
return ret;
|
470
|
+
}
|
471
|
+
|
365
472
|
PKCS7 *PKCS7_sign(X509 *sign_cert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
|
366
473
|
BIO *data, int flags) {
|
367
|
-
|
368
|
-
|
474
|
+
CBB cbb;
|
475
|
+
if (!CBB_init(&cbb, 2048)) {
|
369
476
|
return NULL;
|
370
477
|
}
|
371
478
|
|
372
|
-
uint8_t *der;
|
479
|
+
uint8_t *der = NULL;
|
373
480
|
size_t len;
|
374
|
-
|
375
|
-
|
376
|
-
|
377
|
-
|
378
|
-
|
379
|
-
|
481
|
+
PKCS7 *ret = NULL;
|
482
|
+
|
483
|
+
if (sign_cert == NULL && pkey == NULL && flags == PKCS7_DETACHED) {
|
484
|
+
// Caller just wants to bundle certificates.
|
485
|
+
if (!PKCS7_bundle_certificates(&cbb, certs)) {
|
486
|
+
goto out;
|
487
|
+
}
|
488
|
+
} else if (sign_cert != NULL && pkey != NULL && certs == NULL &&
|
489
|
+
data != NULL &&
|
490
|
+
flags == (PKCS7_NOATTR | PKCS7_BINARY | PKCS7_NOCERTS |
|
491
|
+
PKCS7_DETACHED) &&
|
492
|
+
EVP_PKEY_id(pkey) == NID_rsaEncryption) {
|
493
|
+
// sign-file.c from the Linux kernel.
|
494
|
+
const size_t signature_max_len = EVP_PKEY_size(pkey);
|
495
|
+
struct signer_info_data si_data = {
|
496
|
+
.sign_cert = sign_cert,
|
497
|
+
.signature = OPENSSL_malloc(signature_max_len),
|
498
|
+
};
|
499
|
+
|
500
|
+
if (!si_data.signature ||
|
501
|
+
!sign_sha256(si_data.signature, &si_data.signature_len,
|
502
|
+
signature_max_len, pkey, data) ||
|
503
|
+
!pkcs7_add_signed_data(&cbb, write_sha256_ai, /*cert_crl_cb=*/NULL,
|
504
|
+
write_signer_info, &si_data)) {
|
505
|
+
OPENSSL_free(si_data.signature);
|
506
|
+
goto out;
|
507
|
+
}
|
508
|
+
OPENSSL_free(si_data.signature);
|
509
|
+
} else {
|
510
|
+
OPENSSL_PUT_ERROR(PKCS7, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
511
|
+
goto out;
|
512
|
+
}
|
513
|
+
|
514
|
+
if (!CBB_finish(&cbb, &der, &len)) {
|
515
|
+
goto out;
|
380
516
|
}
|
381
517
|
|
382
518
|
CBS cbs;
|
383
519
|
CBS_init(&cbs, der, len);
|
384
|
-
|
520
|
+
ret = pkcs7_new(&cbs);
|
521
|
+
|
522
|
+
out:
|
523
|
+
CBB_cleanup(&cbb);
|
385
524
|
OPENSSL_free(der);
|
386
525
|
return ret;
|
387
526
|
}
|
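Review bot: `write_signer_info` fills the `issuer_and_serial` SEQUENCE from `X509_get_subject_name(si_data->sign_cert)`, whereas the SignerInfo structure it cites (RFC 2315 section 9.2) identifies the signing certificate by issuer name and serial number. The output is therefore only correct when the signing certificate is self-signed. That may hold for the kernel sign-file case named in the `PKCS7_sign` comment, but nothing in the hunk checks it, and a verifier that looks the certificate up by issuer and serial would fail to match otherwise. Use `i2d_X509_NAME(X509_get_issuer_name(si_data->sign_cert), &subject_bytes);` (renaming the locals to `issuer_bytes`/`issuer_len`), or have `PKCS7_sign` reject certificates whose subject and issuer differ.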
@@ -1180,7 +1180,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name,
|
|
1180
1180
|
}
|
1181
1181
|
|
1182
1182
|
// PKCS#12 is a very confusing recursive data format, built out of another
|
1183
|
-
// recursive data format. Section 5.1 of
|
1183
|
+
// recursive data format. Section 5.1 of RFC 7292 describes the encoding
|
1184
1184
|
// algorithm, but there is no clear overview. A quick summary:
|
1185
1185
|
//
|
1186
1186
|
// PKCS#7 defines a ContentInfo structure, which is a overgeneralized typed
|