grpc 1.53.0.pre2 → 1.54.0


Potentially problematic release.


This version of grpc might be problematic.

Files changed (685)
  1. checksums.yaml +4 -4
  2. data/Makefile +80 -66
  3. data/include/grpc/event_engine/event_engine.h +30 -14
  4. data/include/grpc/grpc_security.h +4 -0
  5. data/include/grpc/impl/grpc_types.h +11 -2
  6. data/include/grpc/support/port_platform.h +4 -4
  7. data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +11 -0
  8. data/src/core/ext/filters/client_channel/backend_metric.cc +6 -0
  9. data/src/core/ext/filters/client_channel/backup_poller.cc +2 -11
  10. data/src/core/ext/filters/client_channel/backup_poller.h +0 -3
  11. data/src/core/ext/filters/client_channel/client_channel.cc +848 -813
  12. data/src/core/ext/filters/client_channel/client_channel.h +131 -173
  13. data/src/core/ext/filters/client_channel/client_channel_internal.h +114 -0
  14. data/src/core/ext/filters/client_channel/config_selector.h +4 -3
  15. data/src/core/ext/filters/client_channel/http_proxy.cc +1 -1
  16. data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +6 -1
  17. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +17 -18
  18. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +134 -151
  19. data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +1 -15
  20. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +14 -10
  21. data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +68 -30
  22. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +13 -5
  23. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -1
  24. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +2 -5
  25. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +2 -2
  26. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +30 -38
  27. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +4 -4
  28. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +20 -26
  29. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +31 -179
  30. data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +1 -2
  31. data/src/core/ext/filters/client_channel/resolver/polling_resolver.h +1 -2
  32. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +4 -2
  33. data/src/core/ext/filters/client_channel/retry_filter.cc +95 -102
  34. data/src/core/ext/filters/client_channel/subchannel.cc +2 -4
  35. data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +26 -27
  36. data/src/core/ext/filters/client_channel/subchannel_stream_client.h +8 -5
  37. data/src/core/ext/filters/http/client/http_client_filter.cc +3 -3
  38. data/src/core/ext/filters/http/http_filters_plugin.cc +1 -12
  39. data/src/core/ext/filters/http/message_compress/compression_filter.cc +27 -11
  40. data/src/core/ext/filters/message_size/message_size_filter.cc +141 -224
  41. data/src/core/ext/filters/message_size/message_size_filter.h +48 -3
  42. data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +7 -6
  43. data/src/core/ext/gcp/metadata_query.cc +142 -0
  44. data/src/core/ext/gcp/metadata_query.h +82 -0
  45. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +70 -55
  46. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +149 -60
  47. data/src/core/ext/transport/chttp2/transport/flow_control.cc +5 -2
  48. data/src/core/ext/transport/chttp2/transport/flow_control.h +2 -1
  49. data/src/core/ext/transport/chttp2/transport/frame_settings.cc +4 -1
  50. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +42 -23
  51. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +5 -3
  52. data/src/core/ext/transport/chttp2/transport/internal.h +18 -3
  53. data/src/core/ext/transport/chttp2/transport/parsing.cc +9 -2
  54. data/src/core/ext/transport/chttp2/transport/writing.cc +10 -5
  55. data/src/core/ext/transport/inproc/inproc_transport.cc +20 -14
  56. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +5 -3
  57. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +22 -0
  58. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +5 -3
  59. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +22 -0
  60. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +23 -5
  61. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +94 -3
  62. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -2
  63. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -0
  64. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +6 -3
  65. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +22 -0
  66. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +24 -6
  67. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +111 -12
  68. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +9 -7
  69. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +27 -9
  70. data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.c +0 -1
  71. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +11 -7
  72. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +56 -12
  73. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.c +5 -3
  74. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.h +24 -0
  75. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.c +5 -3
  76. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.h +24 -0
  77. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.c +13 -2
  78. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.h +49 -0
  79. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +24 -9
  80. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +66 -12
  81. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +191 -187
  82. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +139 -136
  83. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +31 -15
  84. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +5 -0
  85. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +12 -9
  86. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +15 -0
  87. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +54 -45
  88. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c +135 -119
  89. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h +5 -0
  90. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +100 -97
  91. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.c +15 -18
  92. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +272 -264
  93. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +117 -117
  94. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +5 -5
  95. data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +5 -5
  96. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +5 -5
  97. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.c +12 -9
  98. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.h +5 -0
  99. data/src/core/ext/xds/xds_channel_stack_modifier.cc +1 -2
  100. data/src/core/ext/xds/xds_client_stats.cc +29 -15
  101. data/src/core/ext/xds/xds_client_stats.h +24 -20
  102. data/src/core/ext/xds/xds_endpoint.cc +5 -2
  103. data/src/core/ext/xds/xds_endpoint.h +9 -1
  104. data/src/core/ext/xds/xds_http_rbac_filter.cc +1 -1
  105. data/src/core/ext/xds/xds_lb_policy_registry.cc +13 -0
  106. data/src/core/ext/xds/xds_transport_grpc.cc +1 -1
  107. data/src/core/{ext/filters/client_channel/resolver/dns/dns_resolver_selection.h → lib/backoff/random_early_detection.cc} +14 -12
  108. data/src/core/lib/backoff/random_early_detection.h +59 -0
  109. data/src/core/lib/channel/call_finalization.h +1 -1
  110. data/src/core/lib/channel/call_tracer.cc +51 -0
  111. data/src/core/lib/channel/call_tracer.h +101 -38
  112. data/src/core/lib/channel/connected_channel.cc +483 -1050
  113. data/src/core/lib/channel/context.h +8 -1
  114. data/src/core/lib/channel/promise_based_filter.cc +106 -42
  115. data/src/core/lib/channel/promise_based_filter.h +27 -13
  116. data/src/core/lib/channel/server_call_tracer_filter.cc +110 -0
  117. data/src/core/lib/config/config_vars.cc +151 -0
  118. data/src/core/lib/config/config_vars.h +127 -0
  119. data/src/core/lib/config/config_vars_non_generated.cc +51 -0
  120. data/src/core/lib/config/load_config.cc +66 -0
  121. data/src/core/lib/config/load_config.h +49 -0
  122. data/src/core/lib/debug/trace.cc +5 -6
  123. data/src/core/lib/debug/trace.h +0 -5
  124. data/src/core/lib/event_engine/event_engine.cc +37 -2
  125. data/src/core/lib/event_engine/handle_containers.h +7 -22
  126. data/src/core/lib/event_engine/memory_allocator_factory.h +47 -0
  127. data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +0 -4
  128. data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +3 -9
  129. data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +48 -15
  130. data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +8 -8
  131. data/src/core/lib/event_engine/posix_engine/posix_engine.cc +6 -5
  132. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +6 -3
  133. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +27 -18
  134. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +0 -3
  135. data/src/core/lib/event_engine/resolved_address.cc +2 -1
  136. data/src/core/lib/event_engine/windows/win_socket.cc +0 -1
  137. data/src/core/lib/event_engine/windows/windows_endpoint.cc +129 -82
  138. data/src/core/lib/event_engine/windows/windows_endpoint.h +21 -5
  139. data/src/core/lib/event_engine/windows/windows_engine.cc +39 -18
  140. data/src/core/lib/event_engine/windows/windows_engine.h +2 -1
  141. data/src/core/lib/event_engine/windows/windows_listener.cc +370 -0
  142. data/src/core/lib/event_engine/windows/windows_listener.h +155 -0
  143. data/src/core/lib/experiments/config.cc +3 -10
  144. data/src/core/lib/experiments/experiments.cc +7 -0
  145. data/src/core/lib/experiments/experiments.h +9 -1
  146. data/src/core/lib/gpr/log.cc +15 -28
  147. data/src/core/lib/gprpp/fork.cc +8 -14
  148. data/src/core/lib/gprpp/orphanable.h +4 -3
  149. data/src/core/lib/gprpp/per_cpu.h +9 -3
  150. data/src/core/lib/gprpp/{thd_posix.cc → posix/thd.cc} +49 -37
  151. data/src/core/lib/gprpp/ref_counted.h +33 -34
  152. data/src/core/lib/gprpp/thd.h +16 -0
  153. data/src/core/lib/gprpp/time.cc +1 -0
  154. data/src/core/lib/gprpp/time.h +4 -4
  155. data/src/core/lib/gprpp/{thd_windows.cc → windows/thd.cc} +2 -2
  156. data/src/core/lib/iomgr/call_combiner.h +2 -2
  157. data/src/core/lib/iomgr/endpoint_cfstream.cc +4 -2
  158. data/src/core/lib/iomgr/endpoint_pair.h +2 -2
  159. data/src/core/lib/iomgr/endpoint_pair_posix.cc +2 -2
  160. data/src/core/lib/iomgr/endpoint_pair_windows.cc +1 -1
  161. data/src/core/lib/iomgr/ev_posix.cc +13 -53
  162. data/src/core/lib/iomgr/ev_posix.h +0 -3
  163. data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +103 -76
  164. data/src/core/lib/iomgr/iomgr.cc +4 -8
  165. data/src/core/lib/iomgr/iomgr_windows.cc +8 -2
  166. data/src/core/lib/iomgr/pollset_set_windows.cc +9 -9
  167. data/src/core/lib/iomgr/pollset_windows.cc +1 -1
  168. data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -3
  169. data/src/core/lib/iomgr/tcp_client_windows.cc +2 -2
  170. data/src/core/lib/iomgr/tcp_posix.cc +0 -1
  171. data/src/core/lib/iomgr/tcp_server_posix.cc +5 -16
  172. data/src/core/lib/iomgr/tcp_server_windows.cc +176 -9
  173. data/src/core/lib/iomgr/tcp_windows.cc +12 -8
  174. data/src/core/lib/load_balancing/lb_policy.cc +9 -13
  175. data/src/core/lib/load_balancing/lb_policy.h +4 -2
  176. data/src/core/lib/promise/activity.cc +22 -6
  177. data/src/core/lib/promise/activity.h +61 -24
  178. data/src/core/lib/promise/cancel_callback.h +77 -0
  179. data/src/core/lib/promise/detail/basic_seq.h +1 -1
  180. data/src/core/lib/promise/detail/promise_factory.h +4 -0
  181. data/src/core/lib/promise/for_each.h +176 -0
  182. data/src/core/lib/promise/if.h +9 -0
  183. data/src/core/lib/promise/interceptor_list.h +23 -2
  184. data/src/core/lib/promise/latch.h +89 -3
  185. data/src/core/lib/promise/loop.h +13 -9
  186. data/src/core/lib/promise/map.h +7 -0
  187. data/src/core/lib/promise/party.cc +286 -0
  188. data/src/core/lib/promise/party.h +499 -0
  189. data/src/core/lib/promise/pipe.h +197 -57
  190. data/src/core/lib/promise/poll.h +48 -0
  191. data/src/core/lib/promise/promise.h +2 -2
  192. data/src/core/lib/resource_quota/arena.cc +19 -3
  193. data/src/core/lib/resource_quota/arena.h +119 -5
  194. data/src/core/lib/resource_quota/memory_quota.cc +1 -1
  195. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +12 -35
  196. data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +1 -0
  197. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +0 -59
  198. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +10 -5
  199. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
  200. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +13 -0
  201. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +2 -0
  202. data/src/core/lib/security/security_connector/load_system_roots_supported.cc +5 -9
  203. data/src/core/lib/security/security_connector/ssl_utils.cc +11 -25
  204. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +12 -0
  205. data/src/core/lib/security/transport/secure_endpoint.cc +4 -2
  206. data/src/core/lib/security/transport/server_auth_filter.cc +20 -2
  207. data/src/core/lib/slice/slice.cc +1 -1
  208. data/src/core/lib/surface/builtins.cc +2 -0
  209. data/src/core/lib/surface/call.cc +926 -1024
  210. data/src/core/lib/surface/call.h +10 -0
  211. data/src/core/lib/surface/lame_client.cc +1 -0
  212. data/src/core/lib/surface/version.cc +2 -2
  213. data/src/core/lib/transport/batch_builder.cc +179 -0
  214. data/src/core/lib/transport/batch_builder.h +468 -0
  215. data/src/core/lib/transport/bdp_estimator.cc +7 -7
  216. data/src/core/lib/transport/bdp_estimator.h +10 -6
  217. data/src/core/lib/transport/custom_metadata.h +30 -0
  218. data/src/core/lib/transport/metadata_batch.cc +9 -6
  219. data/src/core/lib/transport/metadata_batch.h +58 -16
  220. data/src/core/lib/transport/parsed_metadata.h +3 -3
  221. data/src/core/lib/transport/timeout_encoding.cc +6 -1
  222. data/src/core/lib/transport/transport.cc +30 -2
  223. data/src/core/lib/transport/transport.h +70 -14
  224. data/src/core/lib/transport/transport_impl.h +7 -0
  225. data/src/core/lib/transport/transport_op_string.cc +52 -42
  226. data/src/core/plugin_registry/grpc_plugin_registry.cc +2 -2
  227. data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +1 -0
  228. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +21 -4
  229. data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +5 -0
  230. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
  231. data/src/core/tsi/ssl_transport_security.cc +4 -2
  232. data/src/ruby/lib/grpc/version.rb +1 -1
  233. data/third_party/abseil-cpp/absl/base/config.h +1 -1
  234. data/third_party/abseil-cpp/absl/flags/commandlineflag.cc +34 -0
  235. data/third_party/abseil-cpp/absl/flags/commandlineflag.h +200 -0
  236. data/third_party/abseil-cpp/absl/flags/config.h +68 -0
  237. data/third_party/abseil-cpp/absl/flags/declare.h +73 -0
  238. data/third_party/abseil-cpp/absl/flags/flag.cc +38 -0
  239. data/third_party/abseil-cpp/absl/flags/flag.h +310 -0
  240. data/{src/core/lib/gprpp/global_config_custom.h → third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc} +11 -14
  241. data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.h +68 -0
  242. data/third_party/abseil-cpp/absl/flags/internal/flag.cc +615 -0
  243. data/third_party/abseil-cpp/absl/flags/internal/flag.h +800 -0
  244. data/third_party/abseil-cpp/absl/flags/internal/flag_msvc.inc +116 -0
  245. data/third_party/abseil-cpp/absl/flags/internal/path_util.h +62 -0
  246. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc +65 -0
  247. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h +61 -0
  248. data/third_party/abseil-cpp/absl/flags/internal/program_name.cc +60 -0
  249. data/third_party/abseil-cpp/absl/flags/internal/program_name.h +50 -0
  250. data/third_party/abseil-cpp/absl/flags/internal/registry.h +97 -0
  251. data/third_party/abseil-cpp/absl/flags/internal/sequence_lock.h +187 -0
  252. data/third_party/abseil-cpp/absl/flags/marshalling.cc +241 -0
  253. data/third_party/abseil-cpp/absl/flags/marshalling.h +356 -0
  254. data/third_party/abseil-cpp/absl/flags/reflection.cc +354 -0
  255. data/third_party/abseil-cpp/absl/flags/reflection.h +90 -0
  256. data/third_party/abseil-cpp/absl/flags/usage_config.cc +165 -0
  257. data/third_party/abseil-cpp/absl/flags/usage_config.h +135 -0
  258. data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +12 -8
  259. data/third_party/boringssl-with-bazel/err_data.c +728 -712
  260. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +177 -177
  261. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +28 -55
  262. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +21 -23
  263. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +20 -23
  264. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +66 -185
  265. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +18 -21
  266. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +356 -311
  267. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +174 -194
  268. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +146 -210
  269. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +6 -9
  270. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c +346 -526
  271. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +110 -131
  272. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +130 -116
  273. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +93 -60
  274. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +93 -181
  275. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +242 -305
  276. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +41 -18
  277. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +30 -33
  278. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +36 -33
  279. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +29 -26
  280. data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +133 -88
  281. data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.c +230 -0
  282. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +791 -791
  283. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +526 -526
  284. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +114 -135
  285. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +201 -207
  286. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +21 -26
  287. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +55 -68
  288. data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +2 -4
  289. data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +11 -7
  290. data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +4 -4
  291. data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +15 -9
  292. data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +4 -4
  293. data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +17 -10
  294. data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -3
  295. data/third_party/boringssl-with-bazel/src/crypto/bio/printf.c +0 -13
  296. data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -6
  297. data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +2 -0
  298. data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +9 -5
  299. data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +10 -23
  300. data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +2 -6
  301. data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.c +2 -1
  302. data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +29 -28
  303. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +161 -201
  304. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +254 -39
  305. data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +2 -2
  306. data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +0 -2
  307. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +4 -4
  308. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +9 -8
  309. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +37 -75
  310. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +8 -10
  311. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/cipher → cipher_extra}/e_des.c +100 -78
  312. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.c +1 -0
  313. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc2.c +1 -0
  314. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.c +2 -0
  315. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +6 -12
  316. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -11
  317. data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +6 -10
  318. data/third_party/boringssl-with-bazel/src/crypto/conf/conf_def.h +0 -1
  319. data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +12 -0
  320. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.c +74 -0
  321. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_freebsd.c +62 -0
  322. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-fuchsia.c → cpu_aarch64_fuchsia.c} +8 -7
  323. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-linux.c → cpu_aarch64_linux.c} +6 -4
  324. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-win.c → cpu_aarch64_win.c} +4 -4
  325. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm.c → cpu_arm.c} +1 -1
  326. data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.c +55 -0
  327. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.c → cpu_arm_linux.c} +11 -90
  328. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.h → cpu_arm_linux.h} +0 -38
  329. data/third_party/boringssl-with-bazel/src/crypto/{cpu-intel.c → cpu_intel.c} +1 -2
  330. data/third_party/boringssl-with-bazel/src/crypto/crypto.c +25 -20
  331. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +16 -27
  332. data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +17 -32
  333. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/des.c +232 -232
  334. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/internal.h +1 -1
  335. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.c +1 -0
  336. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/params.c +232 -29
  337. data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +0 -3
  338. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +39 -16
  339. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +37 -7
  340. data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +3 -3
  341. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +11 -36
  342. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +214 -99
  343. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +21 -5
  344. data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +2 -4
  345. data/third_party/boringssl-with-bazel/src/crypto/err/err.c +83 -60
  346. data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +46 -12
  347. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +3 -3
  348. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +25 -23
  349. data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +43 -9
  350. data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +75 -44
  351. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +19 -25
  352. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +96 -45
  353. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +7 -8
  354. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +26 -23
  355. data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.c +233 -0
  356. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +5 -5
  357. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +42 -25
  358. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +4 -5
  359. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +35 -47
  360. data/third_party/boringssl-with-bazel/src/crypto/evp/print.c +135 -244
  361. data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +2 -4
  362. data/third_party/boringssl-with-bazel/src/crypto/evp/sign.c +15 -10
  363. data/third_party/boringssl-with-bazel/src/crypto/ex_data.c +29 -15
  364. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +0 -2
  365. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +13 -14
  366. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +3 -13
  367. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +13 -7
  368. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +9 -7
  369. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +35 -27
  370. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +16 -26
  371. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c +88 -60
  372. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +4 -3
  373. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +0 -2
  374. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +1 -1
  375. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +1 -1
  376. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +99 -113
  377. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +0 -1
  378. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +5 -3
  379. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c +112 -168
  380. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +86 -31
  381. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +11 -6
  382. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +4 -5
  383. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +4 -5
  384. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +13 -0
  385. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +13 -5
  386. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +19 -108
  387. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +19 -15
  388. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +15 -16
  389. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +22 -21
  390. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.c +3 -0
  391. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +79 -19
  392. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +102 -99
  393. data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c +52 -46
  394. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +39 -0
  395. data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c +55 -11
  396. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c +2 -3
  397. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +21 -6
  398. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +56 -0
  399. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +5 -3
  400. data/third_party/boringssl-with-bazel/src/crypto/{evp → fipsmodule/digestsign}/digestsign.c +51 -15
  401. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +25 -25
  402. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +91 -17
  403. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +5 -5
  404. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +34 -12
  405. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +54 -23
  406. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +44 -60
  407. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64-table.h → p256-nistz-table.h} +1 -1
  408. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.c → p256-nistz.c} +60 -53
  409. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.h → p256-nistz.h} +5 -13
  410. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +48 -36
  411. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +2 -8
  412. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +2 -7
  413. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +2 -3
  414. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +0 -1
  415. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +8 -0
  416. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +42 -14
  417. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +6 -0
  418. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.c +52 -24
  419. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +9 -15
  420. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +1 -4
  421. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +2 -4
  422. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +71 -43
  423. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +14 -16
  424. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -4
  425. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +31 -13
  426. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +16 -8
  427. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +3 -2
  428. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +2 -2
  429. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +9 -38
  430. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +73 -59
  431. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -45
  432. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +0 -1
  433. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +22 -0
  434. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +63 -52
  435. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +107 -62
  436. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +58 -31
  437. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +41 -0
  438. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +523 -422
  439. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +89 -0
  440. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c +334 -0
  441. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +3 -12
  442. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +2 -0
  443. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +12 -8
  444. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +14 -12
  445. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +19 -6
  446. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +32 -14
  447. data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +65 -29
  448. data/third_party/boringssl-with-bazel/src/crypto/internal.h +373 -18
  449. data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +61 -0
  450. data/third_party/boringssl-with-bazel/src/crypto/kyber/keccak.c +205 -0
  451. data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +13 -1
  452. data/third_party/boringssl-with-bazel/src/crypto/mem.c +220 -13
  453. data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +19 -7
  454. data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +13 -1
  455. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +81 -90
  456. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +150 -245
  457. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +629 -613
  458. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +17 -17
  459. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +142 -149
  460. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +99 -131
  461. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.c +0 -1
  462. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.c +0 -1
  463. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +0 -1
  464. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +0 -3
  465. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -66
  466. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +31 -38
  467. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +2 -1
  468. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +18 -31
  469. data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +1 -0
  470. data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +8 -1
  471. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +129 -5
  472. data/third_party/boringssl-with-bazel/src/crypto/refcount_c11.c +0 -2
  473. data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +3 -4
  474. data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +8 -11
  475. data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +61 -27
  476. data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +10 -13
  477. data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +10 -13
  478. data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +66 -34
  479. data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +190 -77
  480. data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +81 -284
  481. data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +109 -42
  482. data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c +22 -24
  483. data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +54 -55
  484. data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +32 -34
  485. data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +32 -16
  486. data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +465 -704
  487. data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +284 -331
  488. data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +183 -178
  489. data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c +11 -15
  490. data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +67 -50
  491. data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +153 -150
  492. data/third_party/boringssl-with-bazel/src/crypto/x509/policy.c +786 -0
  493. data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +95 -102
  494. data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +72 -57
  495. data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +12 -10
  496. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +227 -252
  497. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +52 -47
  498. data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +3 -4
  499. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +230 -224
  500. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +161 -327
  501. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.c +37 -33
  502. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +14 -31
  503. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +55 -85
  504. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +534 -618
  505. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +129 -122
  506. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +116 -182
  507. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +132 -132
  508. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +181 -202
  509. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +64 -79
  510. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +175 -160
  511. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +1865 -2050
  512. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +433 -462
  513. data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +156 -163
  514. data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +267 -263
  515. data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +40 -15
  516. data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +59 -63
  517. data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +63 -67
  518. data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +114 -144
  519. data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +25 -26
  520. data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +326 -415
  521. data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +8 -7
  522. data/third_party/boringssl-with-bazel/src/crypto/x509/x_info.c +30 -28
  523. data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +354 -370
  524. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +37 -32
  525. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +116 -119
  526. data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +36 -26
  527. data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +3 -4
  528. data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.c +10 -13
  529. data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +3 -4
  530. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +419 -261
  531. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +113 -105
  532. data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +11 -15
  533. data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +78 -170
  534. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +126 -131
  535. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akeya.c +3 -4
  536. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +465 -469
  537. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bcons.c +56 -54
  538. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +46 -49
  539. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +309 -346
  540. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +341 -365
  541. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +429 -393
  542. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +29 -24
  543. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_extku.c +65 -59
  544. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +125 -121
  545. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +43 -42
  546. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +122 -125
  547. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_int.c +50 -20
  548. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +247 -253
  549. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +386 -389
  550. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +45 -32
  551. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c +57 -54
  552. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c +63 -67
  553. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +143 -136
  554. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +664 -707
  555. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +83 -75
  556. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1062 -1146
  557. data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +8 -4
  558. data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +28 -48
  559. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +211 -187
  560. data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +26 -78
  561. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +19 -14
  562. data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +21 -2
  563. data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +49 -17
  564. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +99 -29
  565. data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +49 -60
  566. data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +2 -15
  567. data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +16 -200
  568. data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +34 -0
  569. data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +82 -0
  570. data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +32 -30
  571. data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +7 -0
  572. data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +4 -0
  573. data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +48 -5
  574. data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +37 -8
  575. data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +1 -0
  576. data/third_party/boringssl-with-bazel/src/include/openssl/err.h +33 -5
  577. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +22 -30
  578. data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +1 -1
  579. data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +7 -0
  580. data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +41 -16
  581. data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +91 -0
  582. data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +74 -8
  583. data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +13 -0
  584. data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +1 -0
  585. data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +11 -15
  586. data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +8 -0
  587. data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +12 -1
  588. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +7 -4
  589. data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +96 -0
  590. data/third_party/boringssl-with-bazel/src/include/openssl/span.h +13 -21
  591. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +139 -75
  592. data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +1 -6
  593. data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +384 -286
  594. data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +5 -6
  595. data/third_party/boringssl-with-bazel/src/include/openssl/time.h +41 -0
  596. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +18 -7
  597. data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +49 -23
  598. data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +0 -11
  599. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1592 -1074
  600. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +202 -205
  601. data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +2 -2
  602. data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -13
  603. data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +17 -18
  604. data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +4 -5
  605. data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +25 -33
  606. data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +34 -20
  607. data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +65 -34
  608. data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +198 -54
  609. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +5 -5
  610. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +32 -28
  611. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +76 -44
  612. data/third_party/boringssl-with-bazel/src/ssl/internal.h +130 -98
  613. data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +27 -11
  614. data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
  615. data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +91 -75
  616. data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +8 -10
  617. data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +39 -65
  618. data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +1 -0
  619. data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +5 -9
  620. data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +30 -33
  621. data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +77 -100
  622. data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +120 -107
  623. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +164 -30
  624. data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +150 -60
  625. data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +22 -11
  626. data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +22 -6
  627. data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +15 -13
  628. data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +5 -43
  629. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +7 -4
  630. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +2 -2
  631. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +22 -34
  632. data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +2 -2
  633. data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +16 -98
  634. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +1241 -657
  635. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +751 -398
  636. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3551 -1938
  637. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1272 -487
  638. metadata +107 -72
  639. data/src/core/ext/filters/client_channel/lb_call_state_internal.h +0 -39
  640. data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.cc +0 -30
  641. data/src/core/lib/gprpp/global_config.h +0 -93
  642. data/src/core/lib/gprpp/global_config_env.cc +0 -140
  643. data/src/core/lib/gprpp/global_config_env.h +0 -133
  644. data/src/core/lib/gprpp/global_config_generic.h +0 -40
  645. data/src/core/lib/promise/intra_activity_waiter.h +0 -55
  646. data/src/core/lib/security/security_connector/ssl_utils_config.cc +0 -32
  647. data/src/core/lib/security/security_connector/ssl_utils_config.h +0 -29
  648. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +0 -195
  649. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +0 -83
  650. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +0 -236
  651. data/third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h +0 -15
  652. data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +0 -206
  653. data/third_party/boringssl-with-bazel/src/crypto/cpu-ppc64le.c +0 -38
  654. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1-altivec.c +0 -361
  655. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +0 -287
  656. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +0 -132
  657. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_lib.c +0 -155
  658. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +0 -131
  659. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +0 -189
  660. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +0 -843
  661. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +0 -289
  662. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c +0 -57
  663. /data/src/core/lib/gpr/{log_android.cc → android/log.cc} +0 -0
  664. /data/src/core/lib/gpr/{cpu_iphone.cc → iphone/cpu.cc} +0 -0
  665. /data/src/core/lib/gpr/{cpu_linux.cc → linux/cpu.cc} +0 -0
  666. /data/src/core/lib/gpr/{log_linux.cc → linux/log.cc} +0 -0
  667. /data/src/core/lib/gpr/{tmpfile_msys.cc → msys/tmpfile.cc} +0 -0
  668. /data/src/core/lib/gpr/{cpu_posix.cc → posix/cpu.cc} +0 -0
  669. /data/src/core/lib/gpr/{log_posix.cc → posix/log.cc} +0 -0
  670. /data/src/core/lib/gpr/{string_posix.cc → posix/string.cc} +0 -0
  671. /data/src/core/lib/gpr/{sync_posix.cc → posix/sync.cc} +0 -0
  672. /data/src/core/lib/gpr/{time_posix.cc → posix/time.cc} +0 -0
  673. /data/src/core/lib/gpr/{tmpfile_posix.cc → posix/tmpfile.cc} +0 -0
  674. /data/src/core/lib/gpr/{cpu_windows.cc → windows/cpu.cc} +0 -0
  675. /data/src/core/lib/gpr/{log_windows.cc → windows/log.cc} +0 -0
  676. /data/src/core/lib/gpr/{string_windows.cc → windows/string.cc} +0 -0
  677. /data/src/core/lib/gpr/{string_util_windows.cc → windows/string_util.cc} +0 -0
  678. /data/src/core/lib/gpr/{sync_windows.cc → windows/sync.cc} +0 -0
  679. /data/src/core/lib/gpr/{time_windows.cc → windows/time.cc} +0 -0
  680. /data/src/core/lib/gpr/{tmpfile_windows.cc → windows/tmpfile.cc} +0 -0
  681. /data/src/core/lib/gprpp/{env_linux.cc → linux/env.cc} +0 -0
  682. /data/src/core/lib/gprpp/{env_posix.cc → posix/env.cc} +0 -0
  683. /data/src/core/lib/gprpp/{stat_posix.cc → posix/stat.cc} +0 -0
  684. /data/src/core/lib/gprpp/{env_windows.cc → windows/env.cc} +0 -0
  685. /data/src/core/lib/gprpp/{stat_windows.cc → windows/stat.cc} +0 -0
@@ -1,4 +1,3 @@
1
- /* v3_ncons.c */
2
1
  /*
3
2
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4
3
  * project.
@@ -70,43 +69,50 @@
70
69
 
71
70
 
72
71
  static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
73
- X509V3_CTX *ctx,
74
- STACK_OF(CONF_VALUE) *nval);
72
+ const X509V3_CTX *ctx,
73
+ const STACK_OF(CONF_VALUE) *nval);
75
74
  static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
76
75
  BIO *bp, int ind);
77
76
  static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
78
77
  STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp,
79
78
  int ind, const char *name);
80
- static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
79
+ static int print_nc_ipadd(BIO *bp, const ASN1_OCTET_STRING *ip);
81
80
 
82
81
  static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
83
82
  static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
84
83
  static int nc_dn(X509_NAME *sub, X509_NAME *nm);
85
- static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
86
- static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
87
- static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
84
+ static int nc_dns(const ASN1_IA5STRING *sub, const ASN1_IA5STRING *dns);
85
+ static int nc_email(const ASN1_IA5STRING *sub, const ASN1_IA5STRING *eml);
86
+ static int nc_uri(const ASN1_IA5STRING *uri, const ASN1_IA5STRING *base);
88
87
 
89
88
  const X509V3_EXT_METHOD v3_name_constraints = {
90
- NID_name_constraints, 0,
89
+ NID_name_constraints,
90
+ 0,
91
91
  ASN1_ITEM_ref(NAME_CONSTRAINTS),
92
- 0, 0, 0, 0,
93
- 0, 0,
94
- 0, v2i_NAME_CONSTRAINTS,
95
- i2r_NAME_CONSTRAINTS, 0,
96
- NULL
92
+ 0,
93
+ 0,
94
+ 0,
95
+ 0,
96
+ 0,
97
+ 0,
98
+ 0,
99
+ v2i_NAME_CONSTRAINTS,
100
+ i2r_NAME_CONSTRAINTS,
101
+ 0,
102
+ NULL,
97
103
  };
98
104
 
99
105
  ASN1_SEQUENCE(GENERAL_SUBTREE) = {
100
- ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
101
- ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),
102
- ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1)
106
+ ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
107
+ ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),
108
+ ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1),
103
109
  } ASN1_SEQUENCE_END(GENERAL_SUBTREE)
104
110
 
105
111
  ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
106
- ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
107
- GENERAL_SUBTREE, 0),
108
- ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
109
- GENERAL_SUBTREE, 1),
112
+ ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
113
+ GENERAL_SUBTREE, 0),
114
+ ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
115
+ GENERAL_SUBTREE, 1),
110
116
  } ASN1_SEQUENCE_END(NAME_CONSTRAINTS)
111
117
 
112
118
 
@@ -114,445 +120,436 @@ IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
114
120
  IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
115
121
 
116
122
  static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
117
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
118
- {
119
- size_t i;
120
- CONF_VALUE tval, *val;
121
- STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
122
- NAME_CONSTRAINTS *ncons = NULL;
123
- GENERAL_SUBTREE *sub = NULL;
124
- ncons = NAME_CONSTRAINTS_new();
125
- if (!ncons)
126
- goto memerr;
127
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
128
- val = sk_CONF_VALUE_value(nval, i);
129
- if (!strncmp(val->name, "permitted", 9) && val->name[9]) {
130
- ptree = &ncons->permittedSubtrees;
131
- tval.name = val->name + 10;
132
- } else if (!strncmp(val->name, "excluded", 8) && val->name[8]) {
133
- ptree = &ncons->excludedSubtrees;
134
- tval.name = val->name + 9;
135
- } else {
136
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SYNTAX);
137
- goto err;
138
- }
139
- tval.value = val->value;
140
- sub = GENERAL_SUBTREE_new();
141
- if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
142
- goto err;
143
- if (!*ptree)
144
- *ptree = sk_GENERAL_SUBTREE_new_null();
145
- if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
146
- goto memerr;
147
- sub = NULL;
123
+ const X509V3_CTX *ctx,
124
+ const STACK_OF(CONF_VALUE) *nval) {
125
+ STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
126
+ NAME_CONSTRAINTS *ncons = NULL;
127
+ GENERAL_SUBTREE *sub = NULL;
128
+ ncons = NAME_CONSTRAINTS_new();
129
+ if (!ncons) {
130
+ goto err;
131
+ }
132
+ for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
133
+ const CONF_VALUE *val = sk_CONF_VALUE_value(nval, i);
134
+ CONF_VALUE tval;
135
+ if (!strncmp(val->name, "permitted", 9) && val->name[9]) {
136
+ ptree = &ncons->permittedSubtrees;
137
+ tval.name = val->name + 10;
138
+ } else if (!strncmp(val->name, "excluded", 8) && val->name[8]) {
139
+ ptree = &ncons->excludedSubtrees;
140
+ tval.name = val->name + 9;
141
+ } else {
142
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SYNTAX);
143
+ goto err;
148
144
  }
145
+ tval.value = val->value;
146
+ sub = GENERAL_SUBTREE_new();
147
+ if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1)) {
148
+ goto err;
149
+ }
150
+ if (!*ptree) {
151
+ *ptree = sk_GENERAL_SUBTREE_new_null();
152
+ }
153
+ if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub)) {
154
+ goto err;
155
+ }
156
+ sub = NULL;
157
+ }
149
158
 
150
- return ncons;
151
-
152
- memerr:
153
- OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
154
- err:
155
- if (ncons)
156
- NAME_CONSTRAINTS_free(ncons);
157
- if (sub)
158
- GENERAL_SUBTREE_free(sub);
159
+ return ncons;
159
160
 
160
- return NULL;
161
+ err:
162
+ NAME_CONSTRAINTS_free(ncons);
163
+ GENERAL_SUBTREE_free(sub);
164
+ return NULL;
161
165
  }
162
166
 
163
167
  static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
164
- BIO *bp, int ind)
165
- {
166
- NAME_CONSTRAINTS *ncons = a;
167
- do_i2r_name_constraints(method, ncons->permittedSubtrees,
168
- bp, ind, "Permitted");
169
- do_i2r_name_constraints(method, ncons->excludedSubtrees,
170
- bp, ind, "Excluded");
171
- return 1;
168
+ BIO *bp, int ind) {
169
+ NAME_CONSTRAINTS *ncons = a;
170
+ do_i2r_name_constraints(method, ncons->permittedSubtrees, bp, ind,
171
+ "Permitted");
172
+ do_i2r_name_constraints(method, ncons->excludedSubtrees, bp, ind, "Excluded");
173
+ return 1;
172
174
  }
173
175
 
174
176
  static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
175
- STACK_OF(GENERAL_SUBTREE) *trees,
176
- BIO *bp, int ind, const char *name)
177
- {
178
- GENERAL_SUBTREE *tree;
179
- size_t i;
180
- if (sk_GENERAL_SUBTREE_num(trees) > 0)
181
- BIO_printf(bp, "%*s%s:\n", ind, "", name);
182
- for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) {
183
- tree = sk_GENERAL_SUBTREE_value(trees, i);
184
- BIO_printf(bp, "%*s", ind + 2, "");
185
- if (tree->base->type == GEN_IPADD)
186
- print_nc_ipadd(bp, tree->base->d.ip);
187
- else
188
- GENERAL_NAME_print(bp, tree->base);
189
- BIO_puts(bp, "\n");
177
+ STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp,
178
+ int ind, const char *name) {
179
+ GENERAL_SUBTREE *tree;
180
+ size_t i;
181
+ if (sk_GENERAL_SUBTREE_num(trees) > 0) {
182
+ BIO_printf(bp, "%*s%s:\n", ind, "", name);
183
+ }
184
+ for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) {
185
+ tree = sk_GENERAL_SUBTREE_value(trees, i);
186
+ BIO_printf(bp, "%*s", ind + 2, "");
187
+ if (tree->base->type == GEN_IPADD) {
188
+ print_nc_ipadd(bp, tree->base->d.ip);
189
+ } else {
190
+ GENERAL_NAME_print(bp, tree->base);
190
191
  }
191
- return 1;
192
+ BIO_puts(bp, "\n");
193
+ }
194
+ return 1;
192
195
  }
193
196
 
194
- static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
195
- {
196
- int i, len;
197
- unsigned char *p;
198
- p = ip->data;
199
- len = ip->length;
200
- BIO_puts(bp, "IP:");
201
- if (len == 8) {
202
- BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
203
- p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
204
- } else if (len == 32) {
205
- for (i = 0; i < 16; i++) {
206
- BIO_printf(bp, "%X", p[0] << 8 | p[1]);
207
- p += 2;
208
- if (i == 7)
209
- BIO_puts(bp, "/");
210
- else if (i != 15)
211
- BIO_puts(bp, ":");
212
- }
213
- } else
214
- BIO_printf(bp, "IP Address:<invalid>");
215
- return 1;
197
+ static int print_nc_ipadd(BIO *bp, const ASN1_OCTET_STRING *ip) {
198
+ int i, len;
199
+ unsigned char *p;
200
+ p = ip->data;
201
+ len = ip->length;
202
+ BIO_puts(bp, "IP:");
203
+ if (len == 8) {
204
+ BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d", p[0], p[1], p[2], p[3], p[4],
205
+ p[5], p[6], p[7]);
206
+ } else if (len == 32) {
207
+ for (i = 0; i < 16; i++) {
208
+ uint16_t v = ((uint16_t)p[0] << 8) | p[1];
209
+ BIO_printf(bp, "%X", v);
210
+ p += 2;
211
+ if (i == 7) {
212
+ BIO_puts(bp, "/");
213
+ } else if (i != 15) {
214
+ BIO_puts(bp, ":");
215
+ }
216
+ }
217
+ } else {
218
+ BIO_printf(bp, "IP Address:<invalid>");
219
+ }
220
+ return 1;
216
221
  }
217
222
 
218
- /*-
219
- * Check a certificate conforms to a specified set of constraints.
220
- * Return values:
221
- * X509_V_OK: All constraints obeyed.
222
- * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
223
- * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
224
- * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
225
- * X509_V_ERR_UNSPECIFIED: Unspecified error.
226
- * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
227
- * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: Bad or unsupported constraint
228
- * syntax.
229
- * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: Bad or unsupported syntax of name.
230
- */
231
-
232
- int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
233
- {
234
- int r, i;
235
- size_t j;
236
- X509_NAME *nm;
237
-
238
- nm = X509_get_subject_name(x);
239
-
240
- /* Guard against certificates with an excessive number of names or
241
- * constraints causing a computationally expensive name constraints
242
- * check. */
243
- size_t name_count =
244
- X509_NAME_entry_count(nm) + sk_GENERAL_NAME_num(x->altname);
245
- size_t constraint_count = sk_GENERAL_SUBTREE_num(nc->permittedSubtrees) +
246
- sk_GENERAL_SUBTREE_num(nc->excludedSubtrees);
247
- size_t check_count = constraint_count * name_count;
248
- if (name_count < (size_t)X509_NAME_entry_count(nm) ||
249
- constraint_count < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees) ||
250
- (constraint_count && check_count / constraint_count != name_count) ||
251
- check_count > 1 << 20) {
252
- return X509_V_ERR_UNSPECIFIED;
223
+ //-
224
+ // Check a certificate conforms to a specified set of constraints.
225
+ // Return values:
226
+ // X509_V_OK: All constraints obeyed.
227
+ // X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
228
+ // X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
229
+ // X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
230
+ // X509_V_ERR_UNSPECIFIED: Unspecified error.
231
+ // X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
232
+ // X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: Bad or unsupported constraint
233
+ // syntax.
234
+ // X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: Bad or unsupported syntax of name.
235
+
236
+ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) {
237
+ int r, i;
238
+ size_t j;
239
+ X509_NAME *nm;
240
+
241
+ nm = X509_get_subject_name(x);
242
+
243
+ // Guard against certificates with an excessive number of names or
244
+ // constraints causing a computationally expensive name constraints
245
+ // check.
246
+ size_t name_count =
247
+ X509_NAME_entry_count(nm) + sk_GENERAL_NAME_num(x->altname);
248
+ size_t constraint_count = sk_GENERAL_SUBTREE_num(nc->permittedSubtrees) +
249
+ sk_GENERAL_SUBTREE_num(nc->excludedSubtrees);
250
+ size_t check_count = constraint_count * name_count;
251
+ if (name_count < (size_t)X509_NAME_entry_count(nm) ||
252
+ constraint_count < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees) ||
253
+ (constraint_count && check_count / constraint_count != name_count) ||
254
+ check_count > 1 << 20) {
255
+ return X509_V_ERR_UNSPECIFIED;
256
+ }
257
+
258
+ if (X509_NAME_entry_count(nm) > 0) {
259
+ GENERAL_NAME gntmp;
260
+ gntmp.type = GEN_DIRNAME;
261
+ gntmp.d.directoryName = nm;
262
+
263
+ r = nc_match(&gntmp, nc);
264
+
265
+ if (r != X509_V_OK) {
266
+ return r;
253
267
  }
254
268
 
255
- if (X509_NAME_entry_count(nm) > 0) {
256
- GENERAL_NAME gntmp;
257
- gntmp.type = GEN_DIRNAME;
258
- gntmp.d.directoryName = nm;
259
-
260
- r = nc_match(&gntmp, nc);
269
+ gntmp.type = GEN_EMAIL;
261
270
 
262
- if (r != X509_V_OK)
263
- return r;
271
+ // Process any email address attributes in subject name
264
272
 
265
- gntmp.type = GEN_EMAIL;
266
-
267
- /* Process any email address attributes in subject name */
268
-
269
- for (i = -1;;) {
270
- X509_NAME_ENTRY *ne;
271
- i = X509_NAME_get_index_by_NID(nm, NID_pkcs9_emailAddress, i);
272
- if (i == -1)
273
- break;
274
- ne = X509_NAME_get_entry(nm, i);
275
- gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
276
- if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
277
- return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
278
-
279
- r = nc_match(&gntmp, nc);
273
+ for (i = -1;;) {
274
+ i = X509_NAME_get_index_by_NID(nm, NID_pkcs9_emailAddress, i);
275
+ if (i == -1) {
276
+ break;
277
+ }
278
+ const X509_NAME_ENTRY *ne = X509_NAME_get_entry(nm, i);
279
+ gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
280
+ if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING) {
281
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
282
+ }
280
283
 
281
- if (r != X509_V_OK)
282
- return r;
283
- }
284
+ r = nc_match(&gntmp, nc);
284
285
 
286
+ if (r != X509_V_OK) {
287
+ return r;
288
+ }
285
289
  }
290
+ }
286
291
 
287
- for (j = 0; j < sk_GENERAL_NAME_num(x->altname); j++) {
288
- GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, j);
289
- r = nc_match(gen, nc);
290
- if (r != X509_V_OK)
291
- return r;
292
+ for (j = 0; j < sk_GENERAL_NAME_num(x->altname); j++) {
293
+ GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, j);
294
+ r = nc_match(gen, nc);
295
+ if (r != X509_V_OK) {
296
+ return r;
292
297
  }
298
+ }
293
299
 
294
- return X509_V_OK;
295
-
300
+ return X509_V_OK;
296
301
  }
297
302
 
298
- static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
299
- {
300
- GENERAL_SUBTREE *sub;
301
- int r, match = 0;
302
- size_t i;
303
-
304
- /*
305
- * Permitted subtrees: if any subtrees exist of matching the type at
306
- * least one subtree must match.
307
- */
308
-
309
- for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
310
- sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
311
- if (gen->type != sub->base->type)
312
- continue;
313
- if (sub->minimum || sub->maximum)
314
- return X509_V_ERR_SUBTREE_MINMAX;
315
- /* If we already have a match don't bother trying any more */
316
- if (match == 2)
317
- continue;
318
- if (match == 0)
319
- match = 1;
320
- r = nc_match_single(gen, sub->base);
321
- if (r == X509_V_OK)
322
- match = 2;
323
- else if (r != X509_V_ERR_PERMITTED_VIOLATION)
324
- return r;
325
- }
303
+ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) {
304
+ GENERAL_SUBTREE *sub;
305
+ int r, match = 0;
306
+ size_t i;
326
307
 
327
- if (match == 1)
328
- return X509_V_ERR_PERMITTED_VIOLATION;
308
+ // Permitted subtrees: if any subtrees exist of matching the type at
309
+ // least one subtree must match.
329
310
 
330
- /* Excluded subtrees: must not match any of these */
311
+ for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
312
+ sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
313
+ if (gen->type != sub->base->type) {
314
+ continue;
315
+ }
316
+ if (sub->minimum || sub->maximum) {
317
+ return X509_V_ERR_SUBTREE_MINMAX;
318
+ }
319
+ // If we already have a match don't bother trying any more
320
+ if (match == 2) {
321
+ continue;
322
+ }
323
+ if (match == 0) {
324
+ match = 1;
325
+ }
326
+ r = nc_match_single(gen, sub->base);
327
+ if (r == X509_V_OK) {
328
+ match = 2;
329
+ } else if (r != X509_V_ERR_PERMITTED_VIOLATION) {
330
+ return r;
331
+ }
332
+ }
331
333
 
332
- for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
333
- sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
334
- if (gen->type != sub->base->type)
335
- continue;
336
- if (sub->minimum || sub->maximum)
337
- return X509_V_ERR_SUBTREE_MINMAX;
334
+ if (match == 1) {
335
+ return X509_V_ERR_PERMITTED_VIOLATION;
336
+ }
338
337
 
339
- r = nc_match_single(gen, sub->base);
340
- if (r == X509_V_OK)
341
- return X509_V_ERR_EXCLUDED_VIOLATION;
342
- else if (r != X509_V_ERR_PERMITTED_VIOLATION)
343
- return r;
338
+ // Excluded subtrees: must not match any of these
344
339
 
340
+ for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
341
+ sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
342
+ if (gen->type != sub->base->type) {
343
+ continue;
344
+ }
345
+ if (sub->minimum || sub->maximum) {
346
+ return X509_V_ERR_SUBTREE_MINMAX;
345
347
  }
346
348
 
347
- return X509_V_OK;
349
+ r = nc_match_single(gen, sub->base);
350
+ if (r == X509_V_OK) {
351
+ return X509_V_ERR_EXCLUDED_VIOLATION;
352
+ } else if (r != X509_V_ERR_PERMITTED_VIOLATION) {
353
+ return r;
354
+ }
355
+ }
348
356
 
357
+ return X509_V_OK;
349
358
  }
350
359
 
351
- static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
352
- {
353
- switch (base->type) {
360
+ static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base) {
361
+ switch (base->type) {
354
362
  case GEN_DIRNAME:
355
- return nc_dn(gen->d.directoryName, base->d.directoryName);
363
+ return nc_dn(gen->d.directoryName, base->d.directoryName);
356
364
 
357
365
  case GEN_DNS:
358
- return nc_dns(gen->d.dNSName, base->d.dNSName);
366
+ return nc_dns(gen->d.dNSName, base->d.dNSName);
359
367
 
360
368
  case GEN_EMAIL:
361
- return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
369
+ return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
362
370
 
363
371
  case GEN_URI:
364
- return nc_uri(gen->d.uniformResourceIdentifier,
365
- base->d.uniformResourceIdentifier);
372
+ return nc_uri(gen->d.uniformResourceIdentifier,
373
+ base->d.uniformResourceIdentifier);
366
374
 
367
375
  default:
368
- return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
369
- }
370
-
376
+ return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
377
+ }
371
378
  }
372
379
 
373
- /*
374
- * directoryName name constraint matching. The canonical encoding of
375
- * X509_NAME makes this comparison easy. It is matched if the subtree is a
376
- * subset of the name.
377
- */
378
-
379
- static int nc_dn(X509_NAME *nm, X509_NAME *base)
380
- {
381
- /* Ensure canonical encodings are up to date. */
382
- if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
383
- return X509_V_ERR_OUT_OF_MEM;
384
- if (base->modified && i2d_X509_NAME(base, NULL) < 0)
385
- return X509_V_ERR_OUT_OF_MEM;
386
- if (base->canon_enclen > nm->canon_enclen)
387
- return X509_V_ERR_PERMITTED_VIOLATION;
388
- if (OPENSSL_memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
389
- return X509_V_ERR_PERMITTED_VIOLATION;
390
- return X509_V_OK;
380
+ // directoryName name constraint matching. The canonical encoding of
381
+ // X509_NAME makes this comparison easy. It is matched if the subtree is a
382
+ // subset of the name.
383
+
384
+ static int nc_dn(X509_NAME *nm, X509_NAME *base) {
385
+ // Ensure canonical encodings are up to date.
386
+ if (nm->modified && i2d_X509_NAME(nm, NULL) < 0) {
387
+ return X509_V_ERR_OUT_OF_MEM;
388
+ }
389
+ if (base->modified && i2d_X509_NAME(base, NULL) < 0) {
390
+ return X509_V_ERR_OUT_OF_MEM;
391
+ }
392
+ if (base->canon_enclen > nm->canon_enclen) {
393
+ return X509_V_ERR_PERMITTED_VIOLATION;
394
+ }
395
+ if (OPENSSL_memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen)) {
396
+ return X509_V_ERR_PERMITTED_VIOLATION;
397
+ }
398
+ return X509_V_OK;
391
399
  }
392
400
 
393
- static int starts_with(const CBS *cbs, uint8_t c)
394
- {
395
- return CBS_len(cbs) > 0 && CBS_data(cbs)[0] == c;
401
+ static int starts_with(const CBS *cbs, uint8_t c) {
402
+ return CBS_len(cbs) > 0 && CBS_data(cbs)[0] == c;
396
403
  }
397
404
 
398
- static int equal_case(const CBS *a, const CBS *b)
399
- {
400
- if (CBS_len(a) != CBS_len(b)) {
401
- return 0;
405
+ static int equal_case(const CBS *a, const CBS *b) {
406
+ if (CBS_len(a) != CBS_len(b)) {
407
+ return 0;
408
+ }
409
+ // Note we cannot use |OPENSSL_strncasecmp| because that would stop
410
+ // iterating at NUL.
411
+ const uint8_t *a_data = CBS_data(a), *b_data = CBS_data(b);
412
+ for (size_t i = 0; i < CBS_len(a); i++) {
413
+ if (OPENSSL_tolower(a_data[i]) != OPENSSL_tolower(b_data[i])) {
414
+ return 0;
402
415
  }
403
- /* Note we cannot use |OPENSSL_strncasecmp| because that would stop
404
- * iterating at NUL. */
405
- const uint8_t *a_data = CBS_data(a), *b_data = CBS_data(b);
406
- for (size_t i = 0; i < CBS_len(a); i++) {
407
- if (OPENSSL_tolower(a_data[i]) != OPENSSL_tolower(b_data[i])) {
408
- return 0;
409
- }
410
- }
411
- return 1;
416
+ }
417
+ return 1;
412
418
  }
413
419
 
414
- static int has_suffix_case(const CBS *a, const CBS *b)
415
- {
416
- if (CBS_len(a) < CBS_len(b)) {
417
- return 0;
418
- }
419
- CBS copy = *a;
420
- CBS_skip(&copy, CBS_len(a) - CBS_len(b));
421
- return equal_case(&copy, b);
420
+ static int has_suffix_case(const CBS *a, const CBS *b) {
421
+ if (CBS_len(a) < CBS_len(b)) {
422
+ return 0;
423
+ }
424
+ CBS copy = *a;
425
+ CBS_skip(&copy, CBS_len(a) - CBS_len(b));
426
+ return equal_case(&copy, b);
422
427
  }
423
428
 
424
- static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
425
- {
426
- CBS dns_cbs, base_cbs;
427
- CBS_init(&dns_cbs, dns->data, dns->length);
428
- CBS_init(&base_cbs, base->data, base->length);
429
-
430
- /* Empty matches everything */
431
- if (CBS_len(&base_cbs) == 0) {
432
- return X509_V_OK;
433
- }
434
-
435
- /* If |base_cbs| begins with a '.', do a simple suffix comparison. This is
436
- * not part of RFC5280, but is part of OpenSSL's original behavior. */
437
- if (starts_with(&base_cbs, '.')) {
438
- if (has_suffix_case(&dns_cbs, &base_cbs)) {
439
- return X509_V_OK;
440
- }
441
- return X509_V_ERR_PERMITTED_VIOLATION;
442
- }
443
-
444
- /*
445
- * Otherwise can add zero or more components on the left so compare RHS
446
- * and if dns is longer and expect '.' as preceding character.
447
- */
448
- if (CBS_len(&dns_cbs) > CBS_len(&base_cbs)) {
449
- uint8_t dot;
450
- if (!CBS_skip(&dns_cbs, CBS_len(&dns_cbs) - CBS_len(&base_cbs) - 1) ||
451
- !CBS_get_u8(&dns_cbs, &dot) ||
452
- dot != '.') {
453
- return X509_V_ERR_PERMITTED_VIOLATION;
454
- }
455
- }
456
-
457
- if (!equal_case(&dns_cbs, &base_cbs)) {
458
- return X509_V_ERR_PERMITTED_VIOLATION;
459
- }
429
+ static int nc_dns(const ASN1_IA5STRING *dns, const ASN1_IA5STRING *base) {
430
+ CBS dns_cbs, base_cbs;
431
+ CBS_init(&dns_cbs, dns->data, dns->length);
432
+ CBS_init(&base_cbs, base->data, base->length);
460
433
 
434
+ // Empty matches everything
435
+ if (CBS_len(&base_cbs) == 0) {
461
436
  return X509_V_OK;
437
+ }
462
438
 
463
- }
464
-
465
- static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
466
- {
467
- CBS eml_cbs, base_cbs;
468
- CBS_init(&eml_cbs, eml->data, eml->length);
469
- CBS_init(&base_cbs, base->data, base->length);
470
-
471
- /* TODO(davidben): In OpenSSL 1.1.1, this switched from the first '@' to the
472
- * last one. Match them here, or perhaps do an actual parse. Looks like
473
- * multiple '@'s may be allowed in quoted strings. */
474
- CBS eml_local, base_local;
475
- if (!CBS_get_until_first(&eml_cbs, &eml_local, '@')) {
476
- return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
477
- }
478
- int base_has_at = CBS_get_until_first(&base_cbs, &base_local, '@');
479
-
480
- /* Special case: inital '.' is RHS match */
481
- if (!base_has_at && starts_with(&base_cbs, '.')) {
482
- if (has_suffix_case(&eml_cbs, &base_cbs)) {
483
- return X509_V_OK;
484
- }
485
- return X509_V_ERR_PERMITTED_VIOLATION;
439
+ // If |base_cbs| begins with a '.', do a simple suffix comparison. This is
440
+ // not part of RFC5280, but is part of OpenSSL's original behavior.
441
+ if (starts_with(&base_cbs, '.')) {
442
+ if (has_suffix_case(&dns_cbs, &base_cbs)) {
443
+ return X509_V_OK;
486
444
  }
487
-
488
- /* If we have anything before '@' match local part */
489
- if (base_has_at) {
490
- /* TODO(davidben): This interprets a constraint of "@example.com" as
491
- * "example.com", which is not part of RFC5280. */
492
- if (CBS_len(&base_local) > 0) {
493
- /* Case sensitive match of local part */
494
- if (!CBS_mem_equal(&base_local, CBS_data(&eml_local),
495
- CBS_len(&eml_local))) {
496
- return X509_V_ERR_PERMITTED_VIOLATION;
497
- }
498
- }
499
- /* Position base after '@' */
500
- assert(starts_with(&base_cbs, '@'));
501
- CBS_skip(&base_cbs, 1);
445
+ return X509_V_ERR_PERMITTED_VIOLATION;
446
+ }
447
+
448
+ // Otherwise can add zero or more components on the left so compare RHS
449
+ // and if dns is longer and expect '.' as preceding character.
450
+ if (CBS_len(&dns_cbs) > CBS_len(&base_cbs)) {
451
+ uint8_t dot;
452
+ if (!CBS_skip(&dns_cbs, CBS_len(&dns_cbs) - CBS_len(&base_cbs) - 1) ||
453
+ !CBS_get_u8(&dns_cbs, &dot) || dot != '.') {
454
+ return X509_V_ERR_PERMITTED_VIOLATION;
502
455
  }
456
+ }
503
457
 
504
- /* Just have hostname left to match: case insensitive */
505
- assert(starts_with(&eml_cbs, '@'));
506
- CBS_skip(&eml_cbs, 1);
507
- if (!equal_case(&base_cbs, &eml_cbs)) {
508
- return X509_V_ERR_PERMITTED_VIOLATION;
509
- }
458
+ if (!equal_case(&dns_cbs, &base_cbs)) {
459
+ return X509_V_ERR_PERMITTED_VIOLATION;
460
+ }
510
461
 
511
- return X509_V_OK;
462
+ return X509_V_OK;
512
463
  }
513
464
 
514
- static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
515
- {
516
- CBS uri_cbs, base_cbs;
517
- CBS_init(&uri_cbs, uri->data, uri->length);
518
- CBS_init(&base_cbs, base->data, base->length);
519
-
520
- /* Check for foo:// and skip past it */
521
- CBS scheme;
522
- uint8_t byte;
523
- if (!CBS_get_until_first(&uri_cbs, &scheme, ':') ||
524
- !CBS_skip(&uri_cbs, 1) || // Skip the colon
525
- !CBS_get_u8(&uri_cbs, &byte) || byte != '/' ||
526
- !CBS_get_u8(&uri_cbs, &byte) || byte != '/') {
527
- return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
528
- }
529
-
530
- /* Look for a port indicator as end of hostname first. Otherwise look for
531
- * trailing slash, or the end of the string.
532
- * TODO(davidben): This is not a correct URI parser and mishandles IPv6
533
- * literals. */
534
- CBS host;
535
- if (!CBS_get_until_first(&uri_cbs, &host, ':') &&
536
- !CBS_get_until_first(&uri_cbs, &host, '/')) {
537
- host = uri_cbs;
538
- }
539
-
540
- if (CBS_len(&host) == 0) {
541
- return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
465
+ static int nc_email(const ASN1_IA5STRING *eml, const ASN1_IA5STRING *base) {
466
+ CBS eml_cbs, base_cbs;
467
+ CBS_init(&eml_cbs, eml->data, eml->length);
468
+ CBS_init(&base_cbs, base->data, base->length);
469
+
470
+ // TODO(davidben): In OpenSSL 1.1.1, this switched from the first '@' to the
471
+ // last one. Match them here, or perhaps do an actual parse. Looks like
472
+ // multiple '@'s may be allowed in quoted strings.
473
+ CBS eml_local, base_local;
474
+ if (!CBS_get_until_first(&eml_cbs, &eml_local, '@')) {
475
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
476
+ }
477
+ int base_has_at = CBS_get_until_first(&base_cbs, &base_local, '@');
478
+
479
+ // Special case: initial '.' is RHS match
480
+ if (!base_has_at && starts_with(&base_cbs, '.')) {
481
+ if (has_suffix_case(&eml_cbs, &base_cbs)) {
482
+ return X509_V_OK;
542
483
  }
543
-
544
- /* Special case: inital '.' is RHS match */
545
- if (starts_with(&base_cbs, '.')) {
546
- if (has_suffix_case(&host, &base_cbs)) {
547
- return X509_V_OK;
548
- }
484
+ return X509_V_ERR_PERMITTED_VIOLATION;
485
+ }
486
+
487
+ // If we have anything before '@' match local part
488
+ if (base_has_at) {
489
+ // TODO(davidben): This interprets a constraint of "@example.com" as
490
+ // "example.com", which is not part of RFC5280.
491
+ if (CBS_len(&base_local) > 0) {
492
+ // Case sensitive match of local part
493
+ if (!CBS_mem_equal(&base_local, CBS_data(&eml_local),
494
+ CBS_len(&eml_local))) {
549
495
  return X509_V_ERR_PERMITTED_VIOLATION;
496
+ }
550
497
  }
498
+ // Position base after '@'
499
+ assert(starts_with(&base_cbs, '@'));
500
+ CBS_skip(&base_cbs, 1);
501
+ }
502
+
503
+ // Just have hostname left to match: case insensitive
504
+ assert(starts_with(&eml_cbs, '@'));
505
+ CBS_skip(&eml_cbs, 1);
506
+ if (!equal_case(&base_cbs, &eml_cbs)) {
507
+ return X509_V_ERR_PERMITTED_VIOLATION;
508
+ }
509
+
510
+ return X509_V_OK;
511
+ }
551
512
 
552
- if (!equal_case(&base_cbs, &host)) {
553
- return X509_V_ERR_PERMITTED_VIOLATION;
513
+ static int nc_uri(const ASN1_IA5STRING *uri, const ASN1_IA5STRING *base) {
514
+ CBS uri_cbs, base_cbs;
515
+ CBS_init(&uri_cbs, uri->data, uri->length);
516
+ CBS_init(&base_cbs, base->data, base->length);
517
+
518
+ // Check for foo:// and skip past it
519
+ CBS scheme;
520
+ uint8_t byte;
521
+ if (!CBS_get_until_first(&uri_cbs, &scheme, ':') ||
522
+ !CBS_skip(&uri_cbs, 1) || // Skip the colon
523
+ !CBS_get_u8(&uri_cbs, &byte) || byte != '/' ||
524
+ !CBS_get_u8(&uri_cbs, &byte) || byte != '/') {
525
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
526
+ }
527
+
528
+ // Look for a port indicator as end of hostname first. Otherwise look for
529
+ // trailing slash, or the end of the string.
530
+ // TODO(davidben): This is not a correct URI parser and mishandles IPv6
531
+ // literals.
532
+ CBS host;
533
+ if (!CBS_get_until_first(&uri_cbs, &host, ':') &&
534
+ !CBS_get_until_first(&uri_cbs, &host, '/')) {
535
+ host = uri_cbs;
536
+ }
537
+
538
+ if (CBS_len(&host) == 0) {
539
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
540
+ }
541
+
542
+ // Special case: initial '.' is RHS match
543
+ if (starts_with(&base_cbs, '.')) {
544
+ if (has_suffix_case(&host, &base_cbs)) {
545
+ return X509_V_OK;
554
546
  }
547
+ return X509_V_ERR_PERMITTED_VIOLATION;
548
+ }
555
549
 
556
- return X509_V_OK;
550
+ if (!equal_case(&base_cbs, &host)) {
551
+ return X509_V_ERR_PERMITTED_VIOLATION;
552
+ }
557
553
 
554
+ return X509_V_OK;
558
555
  }