RubyGems - grpc - Versions diffs - 1.43.1 → 1.44.0.pre2 - Mend

grpc 1.43.1 → 1.44.0.pre2

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (382) hide show

data/third_party/abseil-cpp/absl/random/zipf_distribution.h ADDED Viewed

@@ -0,0 +1,271 @@
+// Copyright 2017 The Abseil Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#ifndef ABSL_RANDOM_ZIPF_DISTRIBUTION_H_
+#define ABSL_RANDOM_ZIPF_DISTRIBUTION_H_
+#include <cassert>
+#include <cmath>
+#include <istream>
+#include <limits>
+#include <ostream>
+#include <type_traits>
+#include "absl/random/internal/iostream_state_saver.h"
+#include "absl/random/uniform_real_distribution.h"
+namespace absl {
+ABSL_NAMESPACE_BEGIN
+// absl::zipf_distribution produces random integer-values in the range [0, k],
+// distributed according to the discrete probability function:
+//
+//  P(x) = (v + x) ^ -q
+//
+// The parameter `v` must be greater than 0 and the parameter `q` must be
+// greater than 1. If either of these parameters take invalid values then the
+// behavior is undefined.
+//
+// IntType is the result_type generated by the generator. It must be of integral
+// type; a static_assert ensures this is the case.
+//
+// The implementation is based on W.Hormann, G.Derflinger:
+//
+// "Rejection-Inversion to Generate Variates from Monotone Discrete
+// Distributions"
+//
+// http://eeyore.wu-wien.ac.at/papers/96-04-04.wh-der.ps.gz
+//
+template <typename IntType = int>
+class zipf_distribution {
+ public:
+  using result_type = IntType;
+  class param_type {
+   public:
+    using distribution_type = zipf_distribution;
+    // Preconditions: k > 0, v > 0, q > 1
+    // The precondidtions are validated when NDEBUG is not defined via
+    // a pair of assert() directives.
+    // If NDEBUG is defined and either or both of these parameters take invalid
+    // values, the behavior of the class is undefined.
+    explicit param_type(result_type k = (std::numeric_limits<IntType>::max)(),
+                        double q = 2.0, double v = 1.0);
+    result_type k() const { return k_; }
+    double q() const { return q_; }
+    double v() const { return v_; }
+    friend bool operator==(const param_type& a, const param_type& b) {
+      return a.k_ == b.k_ && a.q_ == b.q_ && a.v_ == b.v_;
+    }
+    friend bool operator!=(const param_type& a, const param_type& b) {
+      return !(a == b);
+    }
+   private:
+    friend class zipf_distribution;
+    inline double h(double x) const;
+    inline double hinv(double x) const;
+    inline double compute_s() const;
+    inline double pow_negative_q(double x) const;
+    // Parameters here are exactly the same as the parameters of Algorithm ZRI
+    // in the paper.
+    IntType k_;
+    double q_;
+    double v_;
+    double one_minus_q_;  // 1-q
+    double s_;
+    double one_minus_q_inv_;  // 1 / 1-q
+    double hxm_;              // h(k + 0.5)
+    double hx0_minus_hxm_;    // h(x0) - h(k + 0.5)
+    static_assert(std::is_integral<IntType>::value,
+                  "Class-template absl::zipf_distribution<> must be "
+                  "parameterized using an integral type.");
+  };
+  zipf_distribution()
+      : zipf_distribution((std::numeric_limits<IntType>::max)()) {}
+  explicit zipf_distribution(result_type k, double q = 2.0, double v = 1.0)
+      : param_(k, q, v) {}
+  explicit zipf_distribution(const param_type& p) : param_(p) {}
+  void reset() {}
+  template <typename URBG>
+  result_type operator()(URBG& g) {  // NOLINT(runtime/references)
+    return (*this)(g, param_);
+  }
+  template <typename URBG>
+  result_type operator()(URBG& g,  // NOLINT(runtime/references)
+                         const param_type& p);
+  result_type k() const { return param_.k(); }
+  double q() const { return param_.q(); }
+  double v() const { return param_.v(); }
+  param_type param() const { return param_; }
+  void param(const param_type& p) { param_ = p; }
+  result_type(min)() const { return 0; }
+  result_type(max)() const { return k(); }
+  friend bool operator==(const zipf_distribution& a,
+                         const zipf_distribution& b) {
+    return a.param_ == b.param_;
+  }
+  friend bool operator!=(const zipf_distribution& a,
+                         const zipf_distribution& b) {
+    return a.param_ != b.param_;
+  }
+ private:
+  param_type param_;
+};
+// --------------------------------------------------------------------------
+// Implementation details follow
+// --------------------------------------------------------------------------
+template <typename IntType>
+zipf_distribution<IntType>::param_type::param_type(
+    typename zipf_distribution<IntType>::result_type k, double q, double v)
+    : k_(k), q_(q), v_(v), one_minus_q_(1 - q) {
+  assert(q > 1);
+  assert(v > 0);
+  assert(k > 0);
+  one_minus_q_inv_ = 1 / one_minus_q_;
+  // Setup for the ZRI algorithm (pg 17 of the paper).
+  // Compute: h(i max) => h(k + 0.5)
+  constexpr double kMax = 18446744073709549568.0;
+  double kd = static_cast<double>(k);
+  // TODO(absl-team): Determine if this check is needed, and if so, add a test
+  // that fails for k > kMax
+  if (kd > kMax) {
+    // Ensure that our maximum value is capped to a value which will
+    // round-trip back through double.
+    kd = kMax;
+  }
+  hxm_ = h(kd + 0.5);
+  // Compute: h(0)
+  const bool use_precomputed = (v == 1.0 && q == 2.0);
+  const double h0x5 = use_precomputed ? (-1.0 / 1.5)  // exp(-log(1.5))
+                                      : h(0.5);
+  const double elogv_q = (v_ == 1.0) ? 1 : pow_negative_q(v_);
+  // h(0) = h(0.5) - exp(log(v) * -q)
+  hx0_minus_hxm_ = (h0x5 - elogv_q) - hxm_;
+  // And s
+  s_ = use_precomputed ? 0.46153846153846123 : compute_s();
+}
+template <typename IntType>
+double zipf_distribution<IntType>::param_type::h(double x) const {
+  // std::exp(one_minus_q_ * std::log(v_ + x)) * one_minus_q_inv_;
+  x += v_;
+  return (one_minus_q_ == -1.0)
+             ? (-1.0 / x)  // -exp(-log(x))
+             : (std::exp(std::log(x) * one_minus_q_) * one_minus_q_inv_);
+}
+template <typename IntType>
+double zipf_distribution<IntType>::param_type::hinv(double x) const {
+  // std::exp(one_minus_q_inv_ * std::log(one_minus_q_ * x)) - v_;
+  return -v_ + ((one_minus_q_ == -1.0)
+                    ? (-1.0 / x)  // exp(-log(-x))
+                    : std::exp(one_minus_q_inv_ * std::log(one_minus_q_ * x)));
+}
+template <typename IntType>
+double zipf_distribution<IntType>::param_type::compute_s() const {
+  // 1 - hinv(h(1.5) - std::exp(std::log(v_ + 1) * -q_));
+  return 1.0 - hinv(h(1.5) - pow_negative_q(v_ + 1.0));
+}
+template <typename IntType>
+double zipf_distribution<IntType>::param_type::pow_negative_q(double x) const {
+  // std::exp(std::log(x) * -q_);
+  return q_ == 2.0 ? (1.0 / (x * x)) : std::exp(std::log(x) * -q_);
+}
+template <typename IntType>
+template <typename URBG>
+typename zipf_distribution<IntType>::result_type
+zipf_distribution<IntType>::operator()(
+    URBG& g, const param_type& p) {  // NOLINT(runtime/references)
+  absl::uniform_real_distribution<double> uniform_double;
+  double k;
+  for (;;) {
+    const double v = uniform_double(g);
+    const double u = p.hxm_ + v * p.hx0_minus_hxm_;
+    const double x = p.hinv(u);
+    k = rint(x);              // std::floor(x + 0.5);
+    if (k > p.k()) continue;  // reject k > max_k
+    if (k - x <= p.s_) break;
+    const double h = p.h(k + 0.5);
+    const double r = p.pow_negative_q(p.v_ + k);
+    if (u >= h - r) break;
+  }
+  IntType ki = static_cast<IntType>(k);
+  assert(ki <= p.k_);
+  return ki;
+}
+template <typename CharT, typename Traits, typename IntType>
+std::basic_ostream<CharT, Traits>& operator<<(
+    std::basic_ostream<CharT, Traits>& os,  // NOLINT(runtime/references)
+    const zipf_distribution<IntType>& x) {
+  using stream_type =
+      typename random_internal::stream_format_type<IntType>::type;
+  auto saver = random_internal::make_ostream_state_saver(os);
+  os.precision(random_internal::stream_precision_helper<double>::kPrecision);
+  os << static_cast<stream_type>(x.k()) << os.fill() << x.q() << os.fill()
+     << x.v();
+  return os;
+}
+template <typename CharT, typename Traits, typename IntType>
+std::basic_istream<CharT, Traits>& operator>>(
+    std::basic_istream<CharT, Traits>& is,  // NOLINT(runtime/references)
+    zipf_distribution<IntType>& x) {        // NOLINT(runtime/references)
+  using result_type = typename zipf_distribution<IntType>::result_type;
+  using param_type = typename zipf_distribution<IntType>::param_type;
+  using stream_type =
+      typename random_internal::stream_format_type<IntType>::type;
+  stream_type k;
+  double q;
+  double v;
+  auto saver = random_internal::make_istream_state_saver(is);
+  is >> k >> q >> v;
+  if (!is.fail()) {
+    x.param(param_type(static_cast<result_type>(k), q, v));
+  }
+  return is;
+}
+ABSL_NAMESPACE_END
+}  // namespace absl
+#endif  // ABSL_RANDOM_ZIPF_DISTRIBUTION_H_

data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c CHANGED Viewed

@@ -56,6 +56,7 @@
 #include <openssl/asn1.h>
+#include <assert.h>
 #include <limits.h>
 #include <string.h>

data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c CHANGED Viewed

@@ -122,6 +122,19 @@ int EVP_EncodedLength(size_t *out_len, size_t len) {
   return 1;
 }
+EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void) {
+  EVP_ENCODE_CTX *ret = OPENSSL_malloc(sizeof(EVP_ENCODE_CTX));
+  if (ret == NULL) {
+    return NULL;
+  }
+  OPENSSL_memset(ret, 0, sizeof(EVP_ENCODE_CTX));
+  return ret;
+}
+void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) {
+  OPENSSL_free(ctx);
+}
 void EVP_EncodeInit(EVP_ENCODE_CTX *ctx) {
   OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX));
 }

data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c CHANGED Viewed

@@ -550,6 +550,27 @@ void DSA_SIG_free(DSA_SIG *sig) {
   OPENSSL_free(sig);
 }
+void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **out_r,
+                  const BIGNUM **out_s) {
+  if (out_r != NULL) {
+    *out_r = sig->r;
+  }
+  if (out_s != NULL) {
+    *out_s = sig->s;
+  }
+}
+int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
+  if (r == NULL || s == NULL) {
+    return 0;
+  }
+  BN_free(sig->r);
+  BN_free(sig->s);
+  sig->r = r;
+  sig->s = s;
+  return 1;
+}
 // mod_mul_consttime sets |r| to |a| * |b| modulo |mont->N|, treating |a| and
 // |b| as secret. This function internally uses Montgomery reduction, but
 // neither inputs nor outputs are in Montgomery form.

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c CHANGED Viewed

@@ -629,6 +629,18 @@ int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
   return EVP_CipherInit(ctx, cipher, key, iv, 0);
 }
+int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) {
+  return EVP_CipherFinal_ex(ctx, out, out_len);
+}
+int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) {
+  return EVP_EncryptFinal_ex(ctx, out, out_len);
+}
+int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) {
+  return EVP_DecryptFinal_ex(ctx, out, out_len);
+}
 int EVP_add_cipher_alias(const char *a, const char *b) {
   return 1;
 }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c CHANGED Viewed

@@ -68,8 +68,7 @@
 // digest_to_scalar interprets |digest_len| bytes from |digest| as a scalar for
-// ECDSA. Note this value is not fully reduced modulo the order, only the
-// correct number of bits.
+// ECDSA.
 static void digest_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
                              const uint8_t *digest, size_t digest_len) {
   const BIGNUM *order = &group->order;

data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c CHANGED Viewed

@@ -30,7 +30,7 @@
 #include "../internal.h"
-// This file implements draft-irtf-cfrg-hpke-08.
+// This file implements draft-irtf-cfrg-hpke-12.
 #define MAX_SEED_LEN X25519_PRIVATE_KEY_LEN
 #define MAX_SHARED_SECRET_LEN SHA256_DIGEST_LENGTH
@@ -115,7 +115,7 @@ static int hpke_labeled_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
 // KEM implementations.
 // dhkem_extract_and_expand implements the ExtractAndExpand operation in the
-// DHKEM construction. See section 4.1 of draft-irtf-cfrg-hpke-08.
+// DHKEM construction. See section 4.1 of draft-irtf-cfrg-hpke-12.
 static int dhkem_extract_and_expand(uint16_t kem_id, const EVP_MD *hkdf_md,
                                     uint8_t *out_key, size_t out_len,
                                     const uint8_t *dh, size_t dh_len,

data/third_party/boringssl-with-bazel/src/crypto/mem.c CHANGED Viewed

@@ -132,7 +132,7 @@ static const uint8_t kBoringSSLBinaryTag[18] = {
     0x8c, 0x62, 0x20, 0x0b, 0xd2, 0xa0, 0x72, 0x58,
     0x44, 0xa8, 0x96, 0x69, 0xad, 0x55, 0x7e, 0xec,
     // Current source iteration. Incremented ~monthly.
-    1, 0,
+    2, 0,
 };
 void *OPENSSL_malloc(size_t size) {

data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7.c CHANGED Viewed

@@ -131,6 +131,35 @@ err:
   return ret;
 }
+static int pkcs7_bundle_raw_certificates_cb(CBB *out, const void *arg) {
+  const STACK_OF(CRYPTO_BUFFER) *certs = arg;
+  CBB certificates;
+  // See https://tools.ietf.org/html/rfc2315#section-9.1
+  if (!CBB_add_asn1(out, &certificates,
+                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
+    return 0;
+  }
+  for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(certs); i++) {
+    CRYPTO_BUFFER *cert = sk_CRYPTO_BUFFER_value(certs, i);
+    if (!CBB_add_bytes(&certificates, CRYPTO_BUFFER_data(cert),
+                       CRYPTO_BUFFER_len(cert))) {
+      return 0;
+    }
+  }
+  // |certificates| is a implicitly-tagged SET OF.
+  return CBB_flush_asn1_set_of(&certificates) && CBB_flush(out);
+}
+int PKCS7_bundle_raw_certificates(CBB *out,
+                                  const STACK_OF(CRYPTO_BUFFER) *certs) {
+  return pkcs7_add_signed_data(out, /*digest_algos_cb=*/NULL,
+                               pkcs7_bundle_raw_certificates_cb,
+                               /*signer_infos_cb=*/NULL, certs);
+}
 int pkcs7_add_signed_data(CBB *out,
                           int (*digest_algos_cb)(CBB *out, const void *arg),
                           int (*cert_crl_cb)(CBB *out, const void *arg),

data/third_party/boringssl-with-bazel/src/crypto/pkcs8/internal.h CHANGED Viewed

@@ -112,7 +112,6 @@ struct pbe_suite {
                       const char *pass, size_t pass_len, CBS *param);
 };
-#define PKCS5_DEFAULT_ITERATIONS 2048
 #define PKCS5_SALT_LEN 8
 int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,

data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c CHANGED Viewed

@@ -469,7 +469,7 @@ int PKCS8_marshal_encrypted_private_key(CBB *out, int pbe_nid,
   }
   if (iterations <= 0) {
-    iterations = PKCS5_DEFAULT_ITERATIONS;
+    iterations = PKCS12_DEFAULT_ITER;
   }
   // Serialize the input key.

data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c CHANGED Viewed

@@ -1161,7 +1161,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name,
     cert_nid = NID_pbe_WithSHA1And40BitRC2_CBC;
   }
   if (iterations == 0) {
-    iterations = PKCS5_DEFAULT_ITERATIONS;
+    iterations = PKCS12_DEFAULT_ITER;
   }
   if (mac_iterations == 0) {
     mac_iterations = 1;

data/third_party/boringssl-with-bazel/src/include/openssl/base64.h CHANGED Viewed

@@ -111,6 +111,14 @@ OPENSSL_EXPORT int EVP_DecodeBase64(uint8_t *out, size_t *out_len,
 // very specific to PEM. It is also very lenient of invalid input. Use of any of
 // these functions is thus deprecated.
+// EVP_ENCODE_CTX_new returns a newly-allocated |EVP_ENCODE_CTX| or NULL on
+// error. The caller must release the result with |EVP_ENCODE_CTX_free|  when
+// done.
+OPENSSL_EXPORT EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void);
+// EVP_ENCODE_CTX_free releases memory associated with |ctx|.
+OPENSSL_EXPORT void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx);
 // EVP_EncodeInit initialises |*ctx|, which is typically stack
 // allocated, for an encoding operation.
 //

data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h CHANGED Viewed

@@ -201,7 +201,7 @@ OPENSSL_EXPORT int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out,
 //
 // WARNING: it is unsafe to call this function with unauthenticated
 // ciphertext if padding is enabled.
-OPENSSL_EXPORT int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out,
+OPENSSL_EXPORT int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out,
                                        int *out_len);
 // EVP_Cipher performs a one-shot encryption/decryption operation. No partial
@@ -408,6 +408,18 @@ OPENSSL_EXPORT int EVP_DecryptInit(EVP_CIPHER_CTX *ctx,
                                    const EVP_CIPHER *cipher, const uint8_t *key,
                                    const uint8_t *iv);
+// EVP_CipherFinal calls |EVP_CipherFinal_ex|.
+OPENSSL_EXPORT int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, uint8_t *out,
+                                   int *out_len);
+// EVP_EncryptFinal calls |EVP_EncryptFinal_ex|.
+OPENSSL_EXPORT int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out,
+                                    int *out_len);
+// EVP_DecryptFinal calls |EVP_DecryptFinal_ex|.
+OPENSSL_EXPORT int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out,
+                                    int *out_len);
 // EVP_add_cipher_alias does nothing and returns one.
 OPENSSL_EXPORT int EVP_add_cipher_alias(const char *a, const char *b);

data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h CHANGED Viewed

@@ -189,6 +189,16 @@ OPENSSL_EXPORT DSA_SIG *DSA_SIG_new(void);
 // DSA_SIG_free frees the contents of |sig| and then frees |sig| itself.
 OPENSSL_EXPORT void DSA_SIG_free(DSA_SIG *sig);
+// DSA_SIG_get0 sets |*out_r| and |*out_s|, if non-NULL, to the two components
+// of |sig|.
+OPENSSL_EXPORT void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **out_r,
+                                 const BIGNUM **out_s);
+// DSA_SIG_set0 sets |sig|'s components to |r| and |s|, neither of which may be
+// NULL. On success, it takes ownership of each argument and returns one.
+// Otherwise, it returns zero.
+OPENSSL_EXPORT int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
 // DSA_do_sign returns a signature of the hash in |digest| by the key in |dsa|
 // and returns an allocated, DSA_SIG structure, or NULL on error.
 OPENSSL_EXPORT DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len,

data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h CHANGED Viewed

@@ -30,7 +30,7 @@ extern "C" {
 // Hybrid Public Key Encryption (HPKE) enables a sender to encrypt messages to a
 // receiver with a public key.
 //
-// See https://tools.ietf.org/html/draft-irtf-cfrg-hpke-08.
+// See https://tools.ietf.org/html/draft-irtf-cfrg-hpke-12.
 // Parameters.

data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h CHANGED Viewed

@@ -49,10 +49,15 @@ OPENSSL_EXPORT int PKCS7_get_raw_certificates(
 // them into |X509| objects.
 OPENSSL_EXPORT int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs);
-// PKCS7_bundle_certificates appends a PKCS#7, SignedData structure containing
-// |certs| to |out|. It returns one on success and zero on error. Note that
-// certificates in SignedData structures are unordered. The order in |certs|
-// will not be preserved.
+// PKCS7_bundle_raw_certificates appends a PKCS#7, SignedData structure
+// containing |certs| to |out|. It returns one on success and zero on error.
+// Note that certificates in SignedData structures are unordered. The order in
+// |certs| will not be preserved.
+OPENSSL_EXPORT int PKCS7_bundle_raw_certificates(
+    CBB *out, const STACK_OF(CRYPTO_BUFFER) *certs);
+// PKCS7_bundle_certificates behaves like |PKCS7_bundle_raw_certificates| but
+// takes |X509| objects as input.
 OPENSSL_EXPORT int PKCS7_bundle_certificates(
     CBB *out, const STACK_OF(X509) *certs);

data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h CHANGED Viewed

@@ -197,6 +197,10 @@ OPENSSL_EXPORT int PKCS12_parse(const PKCS12 *p12, const char *password,
 OPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
                                      int password_len);
+// PKCS12_DEFAULT_ITER is the default number of KDF iterations used when
+// creating a |PKCS12| object.
+#define PKCS12_DEFAULT_ITER 2048
 // PKCS12_create returns a newly-allocated |PKCS12| object containing |pkey|,
 // |cert|, and |chain|, encrypted with the specified password. |name|, if not
 // NULL, specifies a user-friendly name to encode with the key and
@@ -207,7 +211,8 @@ OPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
 //
 // Each of |key_nid|, |cert_nid|, |iterations|, and |mac_iterations| may be zero
 // to use defaults, which are |NID_pbe_WithSHA1And3_Key_TripleDES_CBC|,
-// |NID_pbe_WithSHA1And40BitRC2_CBC|, 2048, and one, respectively.
+// |NID_pbe_WithSHA1And40BitRC2_CBC|, |PKCS12_DEFAULT_ITER|, and one,
+// respectively.
 //
 // |key_nid| or |cert_nid| may also be -1 to disable encryption of the key or
 // certificate, respectively. This option is not recommended and is only

data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h CHANGED Viewed

@@ -362,10 +362,31 @@ OPENSSL_EXPORT int SSL_read(SSL *ssl, void *buf, int num);
 // SSL_peek behaves like |SSL_read| but does not consume any bytes returned.
 OPENSSL_EXPORT int SSL_peek(SSL *ssl, void *buf, int num);
-// SSL_pending returns the number of bytes available in |ssl|. It does not read
-// from the transport.
+// SSL_pending returns the number of buffered, decrypted bytes available for
+// read in |ssl|. It does not read from the transport.
+//
+// In DTLS, it is possible for this function to return zero while there is
+// buffered, undecrypted data from the transport in |ssl|. For example,
+// |SSL_read| may read a datagram with two records, decrypt the first, and leave
+// the second buffered for a subsequent call to |SSL_read|. Callers that wish to
+// detect this case can use |SSL_has_pending|.
 OPENSSL_EXPORT int SSL_pending(const SSL *ssl);
+// SSL_has_pending returns one if |ssl| has buffered, decrypted bytes available
+// for read, or if |ssl| has buffered data from the transport that has not yet
+// been decrypted. If |ssl| has neither, this function returns zero.
+//
+// In TLS, BoringSSL does not implement read-ahead, so this function returns one
+// if and only if |SSL_pending| would return a non-zero value. In DTLS, it is
+// possible for this function to return one while |SSL_pending| returns zero.
+// For example, |SSL_read| may read a datagram with two records, decrypt the
+// first, and leave the second buffered for a subsequent call to |SSL_read|.
+//
+// As a result, if this function returns one, the next call to |SSL_read| may
+// still fail, read from the transport, or both. The buffered, undecrypted data
+// may be invalid or incomplete.
+OPENSSL_EXPORT int SSL_has_pending(const SSL *ssl);
 // SSL_write writes up to |num| bytes from |buf| into |ssl|. It implicitly runs
 // any pending handshakes, including renegotiations when enabled. On success, it
 // returns the number of bytes written. Otherwise, it returns <= 0. The caller

data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc CHANGED Viewed

@@ -1697,6 +1697,10 @@ int SSL_pending(const SSL *ssl) {
   return static_cast<int>(ssl->s3->pending_app_data.size());
 }
+int SSL_has_pending(const SSL *ssl) {
+  return SSL_pending(ssl) != 0 || !ssl->s3->read_buffer.empty();
+}
 int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
   return ssl_cert_check_private_key(ctx->cert.get(),
                                     ctx->cert->privatekey.get());