grpc 1.53.0.pre2 → 1.54.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of grpc might be problematic. Click here for more details.

Files changed (685) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +80 -66
  3. data/include/grpc/event_engine/event_engine.h +30 -14
  4. data/include/grpc/grpc_security.h +4 -0
  5. data/include/grpc/impl/grpc_types.h +11 -2
  6. data/include/grpc/support/port_platform.h +4 -4
  7. data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +11 -0
  8. data/src/core/ext/filters/client_channel/backend_metric.cc +6 -0
  9. data/src/core/ext/filters/client_channel/backup_poller.cc +2 -11
  10. data/src/core/ext/filters/client_channel/backup_poller.h +0 -3
  11. data/src/core/ext/filters/client_channel/client_channel.cc +848 -813
  12. data/src/core/ext/filters/client_channel/client_channel.h +131 -173
  13. data/src/core/ext/filters/client_channel/client_channel_internal.h +114 -0
  14. data/src/core/ext/filters/client_channel/config_selector.h +4 -3
  15. data/src/core/ext/filters/client_channel/http_proxy.cc +1 -1
  16. data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +6 -1
  17. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +17 -18
  18. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +134 -151
  19. data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +1 -15
  20. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +14 -10
  21. data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +68 -30
  22. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +13 -5
  23. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -1
  24. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +2 -5
  25. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +2 -2
  26. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +30 -38
  27. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +4 -4
  28. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +20 -26
  29. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +31 -179
  30. data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +1 -2
  31. data/src/core/ext/filters/client_channel/resolver/polling_resolver.h +1 -2
  32. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +4 -2
  33. data/src/core/ext/filters/client_channel/retry_filter.cc +95 -102
  34. data/src/core/ext/filters/client_channel/subchannel.cc +2 -4
  35. data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +26 -27
  36. data/src/core/ext/filters/client_channel/subchannel_stream_client.h +8 -5
  37. data/src/core/ext/filters/http/client/http_client_filter.cc +3 -3
  38. data/src/core/ext/filters/http/http_filters_plugin.cc +1 -12
  39. data/src/core/ext/filters/http/message_compress/compression_filter.cc +27 -11
  40. data/src/core/ext/filters/message_size/message_size_filter.cc +141 -224
  41. data/src/core/ext/filters/message_size/message_size_filter.h +48 -3
  42. data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +7 -6
  43. data/src/core/ext/gcp/metadata_query.cc +142 -0
  44. data/src/core/ext/gcp/metadata_query.h +82 -0
  45. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +70 -55
  46. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +149 -60
  47. data/src/core/ext/transport/chttp2/transport/flow_control.cc +5 -2
  48. data/src/core/ext/transport/chttp2/transport/flow_control.h +2 -1
  49. data/src/core/ext/transport/chttp2/transport/frame_settings.cc +4 -1
  50. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +42 -23
  51. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +5 -3
  52. data/src/core/ext/transport/chttp2/transport/internal.h +18 -3
  53. data/src/core/ext/transport/chttp2/transport/parsing.cc +9 -2
  54. data/src/core/ext/transport/chttp2/transport/writing.cc +10 -5
  55. data/src/core/ext/transport/inproc/inproc_transport.cc +20 -14
  56. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +5 -3
  57. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +22 -0
  58. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +5 -3
  59. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +22 -0
  60. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +23 -5
  61. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +94 -3
  62. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -2
  63. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -0
  64. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +6 -3
  65. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +22 -0
  66. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +24 -6
  67. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +111 -12
  68. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +9 -7
  69. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +27 -9
  70. data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.c +0 -1
  71. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +11 -7
  72. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +56 -12
  73. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.c +5 -3
  74. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.h +24 -0
  75. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.c +5 -3
  76. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.h +24 -0
  77. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.c +13 -2
  78. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.h +49 -0
  79. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +24 -9
  80. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +66 -12
  81. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +191 -187
  82. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +139 -136
  83. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +31 -15
  84. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +5 -0
  85. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +12 -9
  86. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +15 -0
  87. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +54 -45
  88. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c +135 -119
  89. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h +5 -0
  90. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +100 -97
  91. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.c +15 -18
  92. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +272 -264
  93. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +117 -117
  94. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +5 -5
  95. data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +5 -5
  96. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +5 -5
  97. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.c +12 -9
  98. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.h +5 -0
  99. data/src/core/ext/xds/xds_channel_stack_modifier.cc +1 -2
  100. data/src/core/ext/xds/xds_client_stats.cc +29 -15
  101. data/src/core/ext/xds/xds_client_stats.h +24 -20
  102. data/src/core/ext/xds/xds_endpoint.cc +5 -2
  103. data/src/core/ext/xds/xds_endpoint.h +9 -1
  104. data/src/core/ext/xds/xds_http_rbac_filter.cc +1 -1
  105. data/src/core/ext/xds/xds_lb_policy_registry.cc +13 -0
  106. data/src/core/ext/xds/xds_transport_grpc.cc +1 -1
  107. data/src/core/{ext/filters/client_channel/resolver/dns/dns_resolver_selection.h → lib/backoff/random_early_detection.cc} +14 -12
  108. data/src/core/lib/backoff/random_early_detection.h +59 -0
  109. data/src/core/lib/channel/call_finalization.h +1 -1
  110. data/src/core/lib/channel/call_tracer.cc +51 -0
  111. data/src/core/lib/channel/call_tracer.h +101 -38
  112. data/src/core/lib/channel/connected_channel.cc +483 -1050
  113. data/src/core/lib/channel/context.h +8 -1
  114. data/src/core/lib/channel/promise_based_filter.cc +106 -42
  115. data/src/core/lib/channel/promise_based_filter.h +27 -13
  116. data/src/core/lib/channel/server_call_tracer_filter.cc +110 -0
  117. data/src/core/lib/config/config_vars.cc +151 -0
  118. data/src/core/lib/config/config_vars.h +127 -0
  119. data/src/core/lib/config/config_vars_non_generated.cc +51 -0
  120. data/src/core/lib/config/load_config.cc +66 -0
  121. data/src/core/lib/config/load_config.h +49 -0
  122. data/src/core/lib/debug/trace.cc +5 -6
  123. data/src/core/lib/debug/trace.h +0 -5
  124. data/src/core/lib/event_engine/event_engine.cc +37 -2
  125. data/src/core/lib/event_engine/handle_containers.h +7 -22
  126. data/src/core/lib/event_engine/memory_allocator_factory.h +47 -0
  127. data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +0 -4
  128. data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +3 -9
  129. data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +48 -15
  130. data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +8 -8
  131. data/src/core/lib/event_engine/posix_engine/posix_engine.cc +6 -5
  132. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +6 -3
  133. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +27 -18
  134. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +0 -3
  135. data/src/core/lib/event_engine/resolved_address.cc +2 -1
  136. data/src/core/lib/event_engine/windows/win_socket.cc +0 -1
  137. data/src/core/lib/event_engine/windows/windows_endpoint.cc +129 -82
  138. data/src/core/lib/event_engine/windows/windows_endpoint.h +21 -5
  139. data/src/core/lib/event_engine/windows/windows_engine.cc +39 -18
  140. data/src/core/lib/event_engine/windows/windows_engine.h +2 -1
  141. data/src/core/lib/event_engine/windows/windows_listener.cc +370 -0
  142. data/src/core/lib/event_engine/windows/windows_listener.h +155 -0
  143. data/src/core/lib/experiments/config.cc +3 -10
  144. data/src/core/lib/experiments/experiments.cc +7 -0
  145. data/src/core/lib/experiments/experiments.h +9 -1
  146. data/src/core/lib/gpr/log.cc +15 -28
  147. data/src/core/lib/gprpp/fork.cc +8 -14
  148. data/src/core/lib/gprpp/orphanable.h +4 -3
  149. data/src/core/lib/gprpp/per_cpu.h +9 -3
  150. data/src/core/lib/gprpp/{thd_posix.cc → posix/thd.cc} +49 -37
  151. data/src/core/lib/gprpp/ref_counted.h +33 -34
  152. data/src/core/lib/gprpp/thd.h +16 -0
  153. data/src/core/lib/gprpp/time.cc +1 -0
  154. data/src/core/lib/gprpp/time.h +4 -4
  155. data/src/core/lib/gprpp/{thd_windows.cc → windows/thd.cc} +2 -2
  156. data/src/core/lib/iomgr/call_combiner.h +2 -2
  157. data/src/core/lib/iomgr/endpoint_cfstream.cc +4 -2
  158. data/src/core/lib/iomgr/endpoint_pair.h +2 -2
  159. data/src/core/lib/iomgr/endpoint_pair_posix.cc +2 -2
  160. data/src/core/lib/iomgr/endpoint_pair_windows.cc +1 -1
  161. data/src/core/lib/iomgr/ev_posix.cc +13 -53
  162. data/src/core/lib/iomgr/ev_posix.h +0 -3
  163. data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +103 -76
  164. data/src/core/lib/iomgr/iomgr.cc +4 -8
  165. data/src/core/lib/iomgr/iomgr_windows.cc +8 -2
  166. data/src/core/lib/iomgr/pollset_set_windows.cc +9 -9
  167. data/src/core/lib/iomgr/pollset_windows.cc +1 -1
  168. data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -3
  169. data/src/core/lib/iomgr/tcp_client_windows.cc +2 -2
  170. data/src/core/lib/iomgr/tcp_posix.cc +0 -1
  171. data/src/core/lib/iomgr/tcp_server_posix.cc +5 -16
  172. data/src/core/lib/iomgr/tcp_server_windows.cc +176 -9
  173. data/src/core/lib/iomgr/tcp_windows.cc +12 -8
  174. data/src/core/lib/load_balancing/lb_policy.cc +9 -13
  175. data/src/core/lib/load_balancing/lb_policy.h +4 -2
  176. data/src/core/lib/promise/activity.cc +22 -6
  177. data/src/core/lib/promise/activity.h +61 -24
  178. data/src/core/lib/promise/cancel_callback.h +77 -0
  179. data/src/core/lib/promise/detail/basic_seq.h +1 -1
  180. data/src/core/lib/promise/detail/promise_factory.h +4 -0
  181. data/src/core/lib/promise/for_each.h +176 -0
  182. data/src/core/lib/promise/if.h +9 -0
  183. data/src/core/lib/promise/interceptor_list.h +23 -2
  184. data/src/core/lib/promise/latch.h +89 -3
  185. data/src/core/lib/promise/loop.h +13 -9
  186. data/src/core/lib/promise/map.h +7 -0
  187. data/src/core/lib/promise/party.cc +286 -0
  188. data/src/core/lib/promise/party.h +499 -0
  189. data/src/core/lib/promise/pipe.h +197 -57
  190. data/src/core/lib/promise/poll.h +48 -0
  191. data/src/core/lib/promise/promise.h +2 -2
  192. data/src/core/lib/resource_quota/arena.cc +19 -3
  193. data/src/core/lib/resource_quota/arena.h +119 -5
  194. data/src/core/lib/resource_quota/memory_quota.cc +1 -1
  195. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +12 -35
  196. data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +1 -0
  197. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +0 -59
  198. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +10 -5
  199. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
  200. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +13 -0
  201. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +2 -0
  202. data/src/core/lib/security/security_connector/load_system_roots_supported.cc +5 -9
  203. data/src/core/lib/security/security_connector/ssl_utils.cc +11 -25
  204. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +12 -0
  205. data/src/core/lib/security/transport/secure_endpoint.cc +4 -2
  206. data/src/core/lib/security/transport/server_auth_filter.cc +20 -2
  207. data/src/core/lib/slice/slice.cc +1 -1
  208. data/src/core/lib/surface/builtins.cc +2 -0
  209. data/src/core/lib/surface/call.cc +926 -1024
  210. data/src/core/lib/surface/call.h +10 -0
  211. data/src/core/lib/surface/lame_client.cc +1 -0
  212. data/src/core/lib/surface/version.cc +2 -2
  213. data/src/core/lib/transport/batch_builder.cc +179 -0
  214. data/src/core/lib/transport/batch_builder.h +468 -0
  215. data/src/core/lib/transport/bdp_estimator.cc +7 -7
  216. data/src/core/lib/transport/bdp_estimator.h +10 -6
  217. data/src/core/lib/transport/custom_metadata.h +30 -0
  218. data/src/core/lib/transport/metadata_batch.cc +9 -6
  219. data/src/core/lib/transport/metadata_batch.h +58 -16
  220. data/src/core/lib/transport/parsed_metadata.h +3 -3
  221. data/src/core/lib/transport/timeout_encoding.cc +6 -1
  222. data/src/core/lib/transport/transport.cc +30 -2
  223. data/src/core/lib/transport/transport.h +70 -14
  224. data/src/core/lib/transport/transport_impl.h +7 -0
  225. data/src/core/lib/transport/transport_op_string.cc +52 -42
  226. data/src/core/plugin_registry/grpc_plugin_registry.cc +2 -2
  227. data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +1 -0
  228. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +21 -4
  229. data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +5 -0
  230. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
  231. data/src/core/tsi/ssl_transport_security.cc +4 -2
  232. data/src/ruby/lib/grpc/version.rb +1 -1
  233. data/third_party/abseil-cpp/absl/base/config.h +1 -1
  234. data/third_party/abseil-cpp/absl/flags/commandlineflag.cc +34 -0
  235. data/third_party/abseil-cpp/absl/flags/commandlineflag.h +200 -0
  236. data/third_party/abseil-cpp/absl/flags/config.h +68 -0
  237. data/third_party/abseil-cpp/absl/flags/declare.h +73 -0
  238. data/third_party/abseil-cpp/absl/flags/flag.cc +38 -0
  239. data/third_party/abseil-cpp/absl/flags/flag.h +310 -0
  240. data/{src/core/lib/gprpp/global_config_custom.h → third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc} +11 -14
  241. data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.h +68 -0
  242. data/third_party/abseil-cpp/absl/flags/internal/flag.cc +615 -0
  243. data/third_party/abseil-cpp/absl/flags/internal/flag.h +800 -0
  244. data/third_party/abseil-cpp/absl/flags/internal/flag_msvc.inc +116 -0
  245. data/third_party/abseil-cpp/absl/flags/internal/path_util.h +62 -0
  246. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc +65 -0
  247. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h +61 -0
  248. data/third_party/abseil-cpp/absl/flags/internal/program_name.cc +60 -0
  249. data/third_party/abseil-cpp/absl/flags/internal/program_name.h +50 -0
  250. data/third_party/abseil-cpp/absl/flags/internal/registry.h +97 -0
  251. data/third_party/abseil-cpp/absl/flags/internal/sequence_lock.h +187 -0
  252. data/third_party/abseil-cpp/absl/flags/marshalling.cc +241 -0
  253. data/third_party/abseil-cpp/absl/flags/marshalling.h +356 -0
  254. data/third_party/abseil-cpp/absl/flags/reflection.cc +354 -0
  255. data/third_party/abseil-cpp/absl/flags/reflection.h +90 -0
  256. data/third_party/abseil-cpp/absl/flags/usage_config.cc +165 -0
  257. data/third_party/abseil-cpp/absl/flags/usage_config.h +135 -0
  258. data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +12 -8
  259. data/third_party/boringssl-with-bazel/err_data.c +728 -712
  260. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +177 -177
  261. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +28 -55
  262. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +21 -23
  263. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +20 -23
  264. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +66 -185
  265. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +18 -21
  266. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +356 -311
  267. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +174 -194
  268. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +146 -210
  269. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +6 -9
  270. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c +346 -526
  271. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +110 -131
  272. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +130 -116
  273. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +93 -60
  274. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +93 -181
  275. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +242 -305
  276. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +41 -18
  277. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +30 -33
  278. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +36 -33
  279. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +29 -26
  280. data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +133 -88
  281. data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.c +230 -0
  282. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +791 -791
  283. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +526 -526
  284. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +114 -135
  285. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +201 -207
  286. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +21 -26
  287. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +55 -68
  288. data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +2 -4
  289. data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +11 -7
  290. data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +4 -4
  291. data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +15 -9
  292. data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +4 -4
  293. data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +17 -10
  294. data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -3
  295. data/third_party/boringssl-with-bazel/src/crypto/bio/printf.c +0 -13
  296. data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -6
  297. data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +2 -0
  298. data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +9 -5
  299. data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +10 -23
  300. data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +2 -6
  301. data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.c +2 -1
  302. data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +29 -28
  303. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +161 -201
  304. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +254 -39
  305. data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +2 -2
  306. data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +0 -2
  307. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +4 -4
  308. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +9 -8
  309. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +37 -75
  310. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +8 -10
  311. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/cipher → cipher_extra}/e_des.c +100 -78
  312. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.c +1 -0
  313. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc2.c +1 -0
  314. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.c +2 -0
  315. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +6 -12
  316. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -11
  317. data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +6 -10
  318. data/third_party/boringssl-with-bazel/src/crypto/conf/conf_def.h +0 -1
  319. data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +12 -0
  320. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.c +74 -0
  321. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_freebsd.c +62 -0
  322. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-fuchsia.c → cpu_aarch64_fuchsia.c} +8 -7
  323. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-linux.c → cpu_aarch64_linux.c} +6 -4
  324. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-win.c → cpu_aarch64_win.c} +4 -4
  325. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm.c → cpu_arm.c} +1 -1
  326. data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.c +55 -0
  327. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.c → cpu_arm_linux.c} +11 -90
  328. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.h → cpu_arm_linux.h} +0 -38
  329. data/third_party/boringssl-with-bazel/src/crypto/{cpu-intel.c → cpu_intel.c} +1 -2
  330. data/third_party/boringssl-with-bazel/src/crypto/crypto.c +25 -20
  331. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +16 -27
  332. data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +17 -32
  333. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/des.c +232 -232
  334. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/internal.h +1 -1
  335. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.c +1 -0
  336. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/params.c +232 -29
  337. data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +0 -3
  338. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +39 -16
  339. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +37 -7
  340. data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +3 -3
  341. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +11 -36
  342. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +214 -99
  343. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +21 -5
  344. data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +2 -4
  345. data/third_party/boringssl-with-bazel/src/crypto/err/err.c +83 -60
  346. data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +46 -12
  347. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +3 -3
  348. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +25 -23
  349. data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +43 -9
  350. data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +75 -44
  351. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +19 -25
  352. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +96 -45
  353. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +7 -8
  354. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +26 -23
  355. data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.c +233 -0
  356. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +5 -5
  357. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +42 -25
  358. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +4 -5
  359. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +35 -47
  360. data/third_party/boringssl-with-bazel/src/crypto/evp/print.c +135 -244
  361. data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +2 -4
  362. data/third_party/boringssl-with-bazel/src/crypto/evp/sign.c +15 -10
  363. data/third_party/boringssl-with-bazel/src/crypto/ex_data.c +29 -15
  364. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +0 -2
  365. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +13 -14
  366. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +3 -13
  367. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +13 -7
  368. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +9 -7
  369. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +35 -27
  370. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +16 -26
  371. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c +88 -60
  372. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +4 -3
  373. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +0 -2
  374. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +1 -1
  375. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +1 -1
  376. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +99 -113
  377. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +0 -1
  378. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +5 -3
  379. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c +112 -168
  380. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +86 -31
  381. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +11 -6
  382. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +4 -5
  383. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +4 -5
  384. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +13 -0
  385. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +13 -5
  386. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +19 -108
  387. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +19 -15
  388. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +15 -16
  389. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +22 -21
  390. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.c +3 -0
  391. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +79 -19
  392. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +102 -99
  393. data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c +52 -46
  394. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +39 -0
  395. data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c +55 -11
  396. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c +2 -3
  397. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +21 -6
  398. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +56 -0
  399. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +5 -3
  400. data/third_party/boringssl-with-bazel/src/crypto/{evp → fipsmodule/digestsign}/digestsign.c +51 -15
  401. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +25 -25
  402. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +91 -17
  403. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +5 -5
  404. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +34 -12
  405. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +54 -23
  406. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +44 -60
  407. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64-table.h → p256-nistz-table.h} +1 -1
  408. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.c → p256-nistz.c} +60 -53
  409. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.h → p256-nistz.h} +5 -13
  410. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +48 -36
  411. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +2 -8
  412. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +2 -7
  413. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +2 -3
  414. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +0 -1
  415. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +8 -0
  416. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +42 -14
  417. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +6 -0
  418. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.c +52 -24
  419. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +9 -15
  420. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +1 -4
  421. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +2 -4
  422. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +71 -43
  423. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +14 -16
  424. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -4
  425. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +31 -13
  426. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +16 -8
  427. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +3 -2
  428. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +2 -2
  429. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +9 -38
  430. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +73 -59
  431. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -45
  432. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +0 -1
  433. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +22 -0
  434. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +63 -52
  435. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +107 -62
  436. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +58 -31
  437. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +41 -0
  438. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +523 -422
  439. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +89 -0
  440. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c +334 -0
  441. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +3 -12
  442. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +2 -0
  443. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +12 -8
  444. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +14 -12
  445. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +19 -6
  446. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +32 -14
  447. data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +65 -29
  448. data/third_party/boringssl-with-bazel/src/crypto/internal.h +373 -18
  449. data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +61 -0
  450. data/third_party/boringssl-with-bazel/src/crypto/kyber/keccak.c +205 -0
  451. data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +13 -1
  452. data/third_party/boringssl-with-bazel/src/crypto/mem.c +220 -13
  453. data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +19 -7
  454. data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +13 -1
  455. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +81 -90
  456. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +150 -245
  457. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +629 -613
  458. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +17 -17
  459. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +142 -149
  460. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +99 -131
  461. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.c +0 -1
  462. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.c +0 -1
  463. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +0 -1
  464. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +0 -3
  465. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -66
  466. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +31 -38
  467. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +2 -1
  468. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +18 -31
  469. data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +1 -0
  470. data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +8 -1
  471. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +129 -5
  472. data/third_party/boringssl-with-bazel/src/crypto/refcount_c11.c +0 -2
  473. data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +3 -4
  474. data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +8 -11
  475. data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +61 -27
  476. data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +10 -13
  477. data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +10 -13
  478. data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +66 -34
  479. data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +190 -77
  480. data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +81 -284
  481. data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +109 -42
  482. data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c +22 -24
  483. data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +54 -55
  484. data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +32 -34
  485. data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +32 -16
  486. data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +465 -704
  487. data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +284 -331
  488. data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +183 -178
  489. data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c +11 -15
  490. data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +67 -50
  491. data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +153 -150
  492. data/third_party/boringssl-with-bazel/src/crypto/x509/policy.c +786 -0
  493. data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +95 -102
  494. data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +72 -57
  495. data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +12 -10
  496. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +227 -252
  497. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +52 -47
  498. data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +3 -4
  499. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +230 -224
  500. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +161 -327
  501. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.c +37 -33
  502. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +14 -31
  503. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +55 -85
  504. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +534 -618
  505. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +129 -122
  506. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +116 -182
  507. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +132 -132
  508. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +181 -202
  509. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +64 -79
  510. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +175 -160
  511. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +1865 -2050
  512. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +433 -462
  513. data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +156 -163
  514. data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +267 -263
  515. data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +40 -15
  516. data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +59 -63
  517. data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +63 -67
  518. data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +114 -144
  519. data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +25 -26
  520. data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +326 -415
  521. data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +8 -7
  522. data/third_party/boringssl-with-bazel/src/crypto/x509/x_info.c +30 -28
  523. data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +354 -370
  524. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +37 -32
  525. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +116 -119
  526. data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +36 -26
  527. data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +3 -4
  528. data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.c +10 -13
  529. data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +3 -4
  530. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +419 -261
  531. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +113 -105
  532. data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +11 -15
  533. data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +78 -170
  534. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +126 -131
  535. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akeya.c +3 -4
  536. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +465 -469
  537. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bcons.c +56 -54
  538. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +46 -49
  539. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +309 -346
  540. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +341 -365
  541. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +429 -393
  542. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +29 -24
  543. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_extku.c +65 -59
  544. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +125 -121
  545. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +43 -42
  546. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +122 -125
  547. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_int.c +50 -20
  548. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +247 -253
  549. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +386 -389
  550. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +45 -32
  551. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c +57 -54
  552. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c +63 -67
  553. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +143 -136
  554. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +664 -707
  555. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +83 -75
  556. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1062 -1146
  557. data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +8 -4
  558. data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +28 -48
  559. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +211 -187
  560. data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +26 -78
  561. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +19 -14
  562. data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +21 -2
  563. data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +49 -17
  564. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +99 -29
  565. data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +49 -60
  566. data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +2 -15
  567. data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +16 -200
  568. data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +34 -0
  569. data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +82 -0
  570. data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +32 -30
  571. data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +7 -0
  572. data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +4 -0
  573. data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +48 -5
  574. data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +37 -8
  575. data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +1 -0
  576. data/third_party/boringssl-with-bazel/src/include/openssl/err.h +33 -5
  577. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +22 -30
  578. data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +1 -1
  579. data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +7 -0
  580. data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +41 -16
  581. data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +91 -0
  582. data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +74 -8
  583. data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +13 -0
  584. data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +1 -0
  585. data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +11 -15
  586. data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +8 -0
  587. data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +12 -1
  588. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +7 -4
  589. data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +96 -0
  590. data/third_party/boringssl-with-bazel/src/include/openssl/span.h +13 -21
  591. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +139 -75
  592. data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +1 -6
  593. data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +384 -286
  594. data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +5 -6
  595. data/third_party/boringssl-with-bazel/src/include/openssl/time.h +41 -0
  596. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +18 -7
  597. data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +49 -23
  598. data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +0 -11
  599. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1592 -1074
  600. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +202 -205
  601. data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +2 -2
  602. data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -13
  603. data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +17 -18
  604. data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +4 -5
  605. data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +25 -33
  606. data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +34 -20
  607. data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +65 -34
  608. data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +198 -54
  609. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +5 -5
  610. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +32 -28
  611. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +76 -44
  612. data/third_party/boringssl-with-bazel/src/ssl/internal.h +130 -98
  613. data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +27 -11
  614. data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
  615. data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +91 -75
  616. data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +8 -10
  617. data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +39 -65
  618. data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +1 -0
  619. data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +5 -9
  620. data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +30 -33
  621. data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +77 -100
  622. data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +120 -107
  623. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +164 -30
  624. data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +150 -60
  625. data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +22 -11
  626. data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +22 -6
  627. data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +15 -13
  628. data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +5 -43
  629. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +7 -4
  630. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +2 -2
  631. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +22 -34
  632. data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +2 -2
  633. data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +16 -98
  634. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +1241 -657
  635. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +751 -398
  636. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3551 -1938
  637. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1272 -487
  638. metadata +107 -72
  639. data/src/core/ext/filters/client_channel/lb_call_state_internal.h +0 -39
  640. data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.cc +0 -30
  641. data/src/core/lib/gprpp/global_config.h +0 -93
  642. data/src/core/lib/gprpp/global_config_env.cc +0 -140
  643. data/src/core/lib/gprpp/global_config_env.h +0 -133
  644. data/src/core/lib/gprpp/global_config_generic.h +0 -40
  645. data/src/core/lib/promise/intra_activity_waiter.h +0 -55
  646. data/src/core/lib/security/security_connector/ssl_utils_config.cc +0 -32
  647. data/src/core/lib/security/security_connector/ssl_utils_config.h +0 -29
  648. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +0 -195
  649. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +0 -83
  650. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +0 -236
  651. data/third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h +0 -15
  652. data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +0 -206
  653. data/third_party/boringssl-with-bazel/src/crypto/cpu-ppc64le.c +0 -38
  654. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1-altivec.c +0 -361
  655. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +0 -287
  656. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +0 -132
  657. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_lib.c +0 -155
  658. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +0 -131
  659. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +0 -189
  660. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +0 -843
  661. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +0 -289
  662. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c +0 -57
  663. /data/src/core/lib/gpr/{log_android.cc → android/log.cc} +0 -0
  664. /data/src/core/lib/gpr/{cpu_iphone.cc → iphone/cpu.cc} +0 -0
  665. /data/src/core/lib/gpr/{cpu_linux.cc → linux/cpu.cc} +0 -0
  666. /data/src/core/lib/gpr/{log_linux.cc → linux/log.cc} +0 -0
  667. /data/src/core/lib/gpr/{tmpfile_msys.cc → msys/tmpfile.cc} +0 -0
  668. /data/src/core/lib/gpr/{cpu_posix.cc → posix/cpu.cc} +0 -0
  669. /data/src/core/lib/gpr/{log_posix.cc → posix/log.cc} +0 -0
  670. /data/src/core/lib/gpr/{string_posix.cc → posix/string.cc} +0 -0
  671. /data/src/core/lib/gpr/{sync_posix.cc → posix/sync.cc} +0 -0
  672. /data/src/core/lib/gpr/{time_posix.cc → posix/time.cc} +0 -0
  673. /data/src/core/lib/gpr/{tmpfile_posix.cc → posix/tmpfile.cc} +0 -0
  674. /data/src/core/lib/gpr/{cpu_windows.cc → windows/cpu.cc} +0 -0
  675. /data/src/core/lib/gpr/{log_windows.cc → windows/log.cc} +0 -0
  676. /data/src/core/lib/gpr/{string_windows.cc → windows/string.cc} +0 -0
  677. /data/src/core/lib/gpr/{string_util_windows.cc → windows/string_util.cc} +0 -0
  678. /data/src/core/lib/gpr/{sync_windows.cc → windows/sync.cc} +0 -0
  679. /data/src/core/lib/gpr/{time_windows.cc → windows/time.cc} +0 -0
  680. /data/src/core/lib/gpr/{tmpfile_windows.cc → windows/tmpfile.cc} +0 -0
  681. /data/src/core/lib/gprpp/{env_linux.cc → linux/env.cc} +0 -0
  682. /data/src/core/lib/gprpp/{env_posix.cc → posix/env.cc} +0 -0
  683. /data/src/core/lib/gprpp/{stat_posix.cc → posix/stat.cc} +0 -0
  684. /data/src/core/lib/gprpp/{env_windows.cc → windows/env.cc} +0 -0
  685. /data/src/core/lib/gprpp/{stat_windows.cc → windows/stat.cc} +0 -0
@@ -1,4 +1,3 @@
1
- /* v3_utl.c */
2
1
  /*
3
2
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4
3
  * project.
@@ -63,6 +62,7 @@
63
62
  #include <string.h>
64
63
 
65
64
  #include <openssl/bn.h>
65
+ #include <openssl/bytestring.h>
66
66
  #include <openssl/conf.h>
67
67
  #include <openssl/err.h>
68
68
  #include <openssl/mem.h>
@@ -75,1363 +75,1279 @@
75
75
 
76
76
 
77
77
  static char *strip_spaces(char *name);
78
- static int sk_strcmp(const OPENSSL_STRING *a, const OPENSSL_STRING *b);
79
- static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
80
- GENERAL_NAMES *gens);
78
+ static int sk_strcmp(const char **a, const char **b);
79
+ static STACK_OF(OPENSSL_STRING) *get_email(const X509_NAME *name,
80
+ const GENERAL_NAMES *gens);
81
81
  static void str_free(OPENSSL_STRING str);
82
- static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email);
82
+ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk,
83
+ const ASN1_IA5STRING *email);
83
84
 
84
85
  static int ipv4_from_asc(unsigned char v4[4], const char *in);
85
86
  static int ipv6_from_asc(unsigned char v6[16], const char *in);
86
- static int ipv6_cb(const char *elem, int len, void *usr);
87
- static int ipv6_hex(unsigned char *out, const char *in, int inlen);
87
+ static int ipv6_cb(const char *elem, size_t len, void *usr);
88
+ static int ipv6_hex(unsigned char *out, const char *in, size_t inlen);
88
89
 
89
- /* Add a CONF_VALUE name value pair to stack */
90
+ // Add a CONF_VALUE name value pair to stack
90
91
 
91
92
  static int x509V3_add_len_value(const char *name, const char *value,
92
93
  size_t value_len, int omit_value,
93
- STACK_OF(CONF_VALUE) **extlist)
94
- {
95
- CONF_VALUE *vtmp = NULL;
96
- char *tname = NULL, *tvalue = NULL;
97
- int extlist_was_null = *extlist == NULL;
98
- if (name && !(tname = OPENSSL_strdup(name)))
99
- goto malloc_err;
100
- if (!omit_value) {
101
- /* |CONF_VALUE| cannot represent strings with NULs. */
102
- if (OPENSSL_memchr(value, 0, value_len)) {
103
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_VALUE);
104
- goto err;
105
- }
106
- tvalue = OPENSSL_strndup(value, value_len);
107
- if (tvalue == NULL) {
108
- goto malloc_err;
109
- }
94
+ STACK_OF(CONF_VALUE) **extlist) {
95
+ CONF_VALUE *vtmp = NULL;
96
+ char *tname = NULL, *tvalue = NULL;
97
+ int extlist_was_null = *extlist == NULL;
98
+ if (name && !(tname = OPENSSL_strdup(name))) {
99
+ goto err;
100
+ }
101
+ if (!omit_value) {
102
+ // |CONF_VALUE| cannot represent strings with NULs.
103
+ if (OPENSSL_memchr(value, 0, value_len)) {
104
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_VALUE);
105
+ goto err;
110
106
  }
111
- if (!(vtmp = CONF_VALUE_new()))
112
- goto malloc_err;
113
- if (!*extlist && !(*extlist = sk_CONF_VALUE_new_null()))
114
- goto malloc_err;
115
- vtmp->section = NULL;
116
- vtmp->name = tname;
117
- vtmp->value = tvalue;
118
- if (!sk_CONF_VALUE_push(*extlist, vtmp))
119
- goto malloc_err;
120
- return 1;
121
- malloc_err:
122
- OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
123
- err:
124
- if (extlist_was_null) {
125
- sk_CONF_VALUE_free(*extlist);
126
- *extlist = NULL;
107
+ tvalue = OPENSSL_strndup(value, value_len);
108
+ if (tvalue == NULL) {
109
+ goto err;
127
110
  }
128
- OPENSSL_free(vtmp);
129
- OPENSSL_free(tname);
130
- OPENSSL_free(tvalue);
131
- return 0;
111
+ }
112
+ if (!(vtmp = CONF_VALUE_new())) {
113
+ goto err;
114
+ }
115
+ if (!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) {
116
+ goto err;
117
+ }
118
+ vtmp->section = NULL;
119
+ vtmp->name = tname;
120
+ vtmp->value = tvalue;
121
+ if (!sk_CONF_VALUE_push(*extlist, vtmp)) {
122
+ goto err;
123
+ }
124
+ return 1;
125
+ err:
126
+ if (extlist_was_null) {
127
+ sk_CONF_VALUE_free(*extlist);
128
+ *extlist = NULL;
129
+ }
130
+ OPENSSL_free(vtmp);
131
+ OPENSSL_free(tname);
132
+ OPENSSL_free(tvalue);
133
+ return 0;
132
134
  }
133
135
 
134
136
  int X509V3_add_value(const char *name, const char *value,
135
- STACK_OF(CONF_VALUE) **extlist)
136
- {
137
- return x509V3_add_len_value(name, value, value != NULL ? strlen(value) : 0,
138
- /*omit_value=*/value == NULL, extlist);
139
- }
140
-
141
- int X509V3_add_value_uchar(const char *name, const unsigned char *value,
142
- STACK_OF(CONF_VALUE) **extlist)
143
- {
144
- return X509V3_add_value(name, (const char *)value, extlist);
137
+ STACK_OF(CONF_VALUE) **extlist) {
138
+ return x509V3_add_len_value(name, value, value != NULL ? strlen(value) : 0,
139
+ /*omit_value=*/value == NULL, extlist);
145
140
  }
146
141
 
147
142
  int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value,
148
- STACK_OF(CONF_VALUE) **extlist)
149
- {
150
- return x509V3_add_len_value(name, (const char *)value->data, value->length,
151
- /*omit_value=*/0, extlist);
143
+ STACK_OF(CONF_VALUE) **extlist) {
144
+ return x509V3_add_len_value(name, (const char *)value->data, value->length,
145
+ /*omit_value=*/0, extlist);
152
146
  }
153
147
 
154
- /* Free function for STACK_OF(CONF_VALUE) */
155
-
156
- void X509V3_conf_free(CONF_VALUE *conf)
157
- {
158
- if (!conf)
159
- return;
160
- if (conf->name)
161
- OPENSSL_free(conf->name);
162
- if (conf->value)
163
- OPENSSL_free(conf->value);
164
- if (conf->section)
165
- OPENSSL_free(conf->section);
166
- OPENSSL_free(conf);
167
- }
148
+ // Free function for STACK_OF(CONF_VALUE)
168
149
 
169
- int X509V3_add_value_bool(const char *name, int asn1_bool,
170
- STACK_OF(CONF_VALUE) **extlist)
171
- {
172
- if (asn1_bool)
173
- return X509V3_add_value(name, "TRUE", extlist);
174
- return X509V3_add_value(name, "FALSE", extlist);
150
+ void X509V3_conf_free(CONF_VALUE *conf) {
151
+ if (!conf) {
152
+ return;
153
+ }
154
+ OPENSSL_free(conf->name);
155
+ OPENSSL_free(conf->value);
156
+ OPENSSL_free(conf->section);
157
+ OPENSSL_free(conf);
175
158
  }
176
159
 
177
- int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
178
- STACK_OF(CONF_VALUE) **extlist)
179
- {
180
- if (asn1_bool)
181
- return X509V3_add_value(name, "TRUE", extlist);
182
- return 1;
160
+ int X509V3_add_value_bool(const char *name, int asn1_bool,
161
+ STACK_OF(CONF_VALUE) **extlist) {
162
+ if (asn1_bool) {
163
+ return X509V3_add_value(name, "TRUE", extlist);
164
+ }
165
+ return X509V3_add_value(name, "FALSE", extlist);
183
166
  }
184
167
 
185
- static char *bignum_to_string(const BIGNUM *bn)
186
- {
187
- char *tmp, *ret;
188
- size_t len;
189
-
190
- /*
191
- * Display large numbers in hex and small numbers in decimal. Converting to
192
- * decimal takes quadratic time and is no more useful than hex for large
193
- * numbers.
194
- */
195
- if (BN_num_bits(bn) < 32) {
196
- return BN_bn2dec(bn);
197
- }
168
+ static char *bignum_to_string(const BIGNUM *bn) {
169
+ char *tmp, *ret;
170
+ size_t len;
198
171
 
199
- tmp = BN_bn2hex(bn);
200
- if (tmp == NULL) {
201
- return NULL;
202
- }
172
+ // Display large numbers in hex and small numbers in decimal. Converting to
173
+ // decimal takes quadratic time and is no more useful than hex for large
174
+ // numbers.
175
+ if (BN_num_bits(bn) < 32) {
176
+ return BN_bn2dec(bn);
177
+ }
203
178
 
204
- len = strlen(tmp) + 3;
205
- ret = OPENSSL_malloc(len);
206
- if (ret == NULL) {
207
- OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
208
- OPENSSL_free(tmp);
209
- return NULL;
210
- }
179
+ tmp = BN_bn2hex(bn);
180
+ if (tmp == NULL) {
181
+ return NULL;
182
+ }
211
183
 
212
- /* Prepend "0x", but place it after the "-" if negative. */
213
- if (tmp[0] == '-') {
214
- OPENSSL_strlcpy(ret, "-0x", len);
215
- OPENSSL_strlcat(ret, tmp + 1, len);
216
- } else {
217
- OPENSSL_strlcpy(ret, "0x", len);
218
- OPENSSL_strlcat(ret, tmp, len);
219
- }
184
+ len = strlen(tmp) + 3;
185
+ ret = OPENSSL_malloc(len);
186
+ if (ret == NULL) {
220
187
  OPENSSL_free(tmp);
221
- return ret;
188
+ return NULL;
189
+ }
190
+
191
+ // Prepend "0x", but place it after the "-" if negative.
192
+ if (tmp[0] == '-') {
193
+ OPENSSL_strlcpy(ret, "-0x", len);
194
+ OPENSSL_strlcat(ret, tmp + 1, len);
195
+ } else {
196
+ OPENSSL_strlcpy(ret, "0x", len);
197
+ OPENSSL_strlcat(ret, tmp, len);
198
+ }
199
+ OPENSSL_free(tmp);
200
+ return ret;
222
201
  }
223
202
 
224
- char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *a)
225
- {
226
- BIGNUM *bntmp = NULL;
227
- char *strtmp = NULL;
228
- if (!a)
229
- return NULL;
230
- if (!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||
231
- !(strtmp = bignum_to_string(bntmp)))
232
- OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
233
- BN_free(bntmp);
234
- return strtmp;
203
+ char *i2s_ASN1_ENUMERATED(const X509V3_EXT_METHOD *method,
204
+ const ASN1_ENUMERATED *a) {
205
+ BIGNUM *bntmp = NULL;
206
+ char *strtmp = NULL;
207
+ if (!a) {
208
+ return NULL;
209
+ }
210
+ if (!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||
211
+ !(strtmp = bignum_to_string(bntmp))) {
212
+ }
213
+ BN_free(bntmp);
214
+ return strtmp;
235
215
  }
236
216
 
237
- char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, const ASN1_INTEGER *a)
238
- {
239
- BIGNUM *bntmp = NULL;
240
- char *strtmp = NULL;
241
- if (!a)
242
- return NULL;
243
- if (!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||
244
- !(strtmp = bignum_to_string(bntmp)))
245
- OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
246
- BN_free(bntmp);
247
- return strtmp;
217
+ char *i2s_ASN1_INTEGER(const X509V3_EXT_METHOD *method, const ASN1_INTEGER *a) {
218
+ BIGNUM *bntmp = NULL;
219
+ char *strtmp = NULL;
220
+ if (!a) {
221
+ return NULL;
222
+ }
223
+ if (!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||
224
+ !(strtmp = bignum_to_string(bntmp))) {
225
+ }
226
+ BN_free(bntmp);
227
+ return strtmp;
248
228
  }
249
229
 
250
- ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value)
251
- {
252
- BIGNUM *bn = NULL;
253
- ASN1_INTEGER *aint;
254
- int isneg, ishex;
255
- int ret;
256
- if (!value) {
257
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_VALUE);
258
- return 0;
259
- }
260
- bn = BN_new();
261
- if (value[0] == '-') {
262
- value++;
263
- isneg = 1;
264
- } else
265
- isneg = 0;
266
-
267
- if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
268
- value += 2;
269
- ishex = 1;
270
- } else
271
- ishex = 0;
272
-
273
- if (ishex)
274
- ret = BN_hex2bn(&bn, value);
275
- else
276
- ret = BN_dec2bn(&bn, value);
277
-
278
- if (!ret || value[ret]) {
279
- BN_free(bn);
280
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_BN_DEC2BN_ERROR);
281
- return 0;
230
+ ASN1_INTEGER *s2i_ASN1_INTEGER(const X509V3_EXT_METHOD *method,
231
+ const char *value) {
232
+ BIGNUM *bn = NULL;
233
+ ASN1_INTEGER *aint;
234
+ int isneg, ishex;
235
+ int ret;
236
+ if (!value) {
237
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_VALUE);
238
+ return 0;
239
+ }
240
+ bn = BN_new();
241
+ if (value[0] == '-') {
242
+ value++;
243
+ isneg = 1;
244
+ } else {
245
+ isneg = 0;
246
+ }
247
+
248
+ if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
249
+ value += 2;
250
+ ishex = 1;
251
+ } else {
252
+ ishex = 0;
253
+ }
254
+
255
+ if (ishex) {
256
+ ret = BN_hex2bn(&bn, value);
257
+ } else {
258
+ // Decoding from decimal scales quadratically in the input length. Bound the
259
+ // largest decimal input we accept in the config parser. 8,192 decimal
260
+ // digits allows values up to 27,213 bits. Ths exceeds the largest RSA, DSA,
261
+ // or DH modulus we support, and those are not usefully represented in
262
+ // decimal.
263
+ if (strlen(value) > 8192) {
264
+ BN_free(bn);
265
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NUMBER);
266
+ return 0;
282
267
  }
268
+ ret = BN_dec2bn(&bn, value);
269
+ }
283
270
 
284
- if (isneg && BN_is_zero(bn))
285
- isneg = 0;
286
-
287
- aint = BN_to_ASN1_INTEGER(bn, NULL);
271
+ if (!ret || value[ret]) {
288
272
  BN_free(bn);
289
- if (!aint) {
290
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
291
- return 0;
292
- }
293
- if (isneg)
294
- aint->type |= V_ASN1_NEG;
295
- return aint;
296
- }
273
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_BN_DEC2BN_ERROR);
274
+ return 0;
275
+ }
297
276
 
298
- int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
299
- STACK_OF(CONF_VALUE) **extlist)
300
- {
301
- char *strtmp;
302
- int ret;
303
- if (!aint)
304
- return 1;
305
- if (!(strtmp = i2s_ASN1_INTEGER(NULL, aint)))
306
- return 0;
307
- ret = X509V3_add_value(name, strtmp, extlist);
308
- OPENSSL_free(strtmp);
309
- return ret;
277
+ if (isneg && BN_is_zero(bn)) {
278
+ isneg = 0;
279
+ }
280
+
281
+ aint = BN_to_ASN1_INTEGER(bn, NULL);
282
+ BN_free(bn);
283
+ if (!aint) {
284
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
285
+ return 0;
286
+ }
287
+ if (isneg) {
288
+ aint->type |= V_ASN1_NEG;
289
+ }
290
+ return aint;
310
291
  }
311
292
 
312
- int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool)
313
- {
314
- char *btmp;
315
- if (!(btmp = value->value))
316
- goto err;
317
- if (!strcmp(btmp, "TRUE") || !strcmp(btmp, "true")
318
- || !strcmp(btmp, "Y") || !strcmp(btmp, "y")
319
- || !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
320
- *asn1_bool = 0xff;
321
- return 1;
322
- } else if (!strcmp(btmp, "FALSE") || !strcmp(btmp, "false")
323
- || !strcmp(btmp, "N") || !strcmp(btmp, "n")
324
- || !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
325
- *asn1_bool = 0;
326
- return 1;
327
- }
328
- err:
329
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_BOOLEAN_STRING);
330
- X509V3_conf_err(value);
293
+ int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
294
+ STACK_OF(CONF_VALUE) **extlist) {
295
+ char *strtmp;
296
+ int ret;
297
+ if (!aint) {
298
+ return 1;
299
+ }
300
+ if (!(strtmp = i2s_ASN1_INTEGER(NULL, aint))) {
331
301
  return 0;
302
+ }
303
+ ret = X509V3_add_value(name, strtmp, extlist);
304
+ OPENSSL_free(strtmp);
305
+ return ret;
332
306
  }
333
307
 
334
- int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint)
335
- {
336
- ASN1_INTEGER *itmp;
337
- if (!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
338
- X509V3_conf_err(value);
339
- return 0;
340
- }
341
- *aint = itmp;
308
+ int X509V3_bool_from_string(const char *str, ASN1_BOOLEAN *out_bool) {
309
+ if (!strcmp(str, "TRUE") || !strcmp(str, "true") || !strcmp(str, "Y") ||
310
+ !strcmp(str, "y") || !strcmp(str, "YES") || !strcmp(str, "yes")) {
311
+ *out_bool = ASN1_BOOLEAN_TRUE;
312
+ return 1;
313
+ }
314
+ if (!strcmp(str, "FALSE") || !strcmp(str, "false") || !strcmp(str, "N") ||
315
+ !strcmp(str, "n") || !strcmp(str, "NO") || !strcmp(str, "no")) {
316
+ *out_bool = ASN1_BOOLEAN_FALSE;
342
317
  return 1;
318
+ }
319
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_BOOLEAN_STRING);
320
+ return 0;
343
321
  }
344
322
 
345
- #define HDR_NAME 1
346
- #define HDR_VALUE 2
323
+ int X509V3_get_value_bool(const CONF_VALUE *value, ASN1_BOOLEAN *out_bool) {
324
+ const char *btmp = value->value;
325
+ if (btmp == NULL) {
326
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_BOOLEAN_STRING);
327
+ goto err;
328
+ }
329
+ if (!X509V3_bool_from_string(btmp, out_bool)) {
330
+ goto err;
331
+ }
332
+ return 1;
347
333
 
348
- /*
349
- * #define DEBUG
350
- */
334
+ err:
335
+ X509V3_conf_err(value);
336
+ return 0;
337
+ }
351
338
 
352
- STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
353
- {
354
- char *p, *q, c;
355
- char *ntmp, *vtmp;
356
- STACK_OF(CONF_VALUE) *values = NULL;
357
- char *linebuf;
358
- int state;
359
- /* We are going to modify the line so copy it first */
360
- linebuf = OPENSSL_strdup(line);
361
- if (linebuf == NULL) {
362
- OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
363
- goto err;
364
- }
365
- state = HDR_NAME;
366
- ntmp = NULL;
367
- /* Go through all characters */
368
- for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') && (c != '\n');
369
- p++) {
370
-
371
- switch (state) {
372
- case HDR_NAME:
373
- if (c == ':') {
374
- state = HDR_VALUE;
375
- *p = 0;
376
- ntmp = strip_spaces(q);
377
- if (!ntmp) {
378
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_NAME);
379
- goto err;
380
- }
381
- q = p + 1;
382
- } else if (c == ',') {
383
- *p = 0;
384
- ntmp = strip_spaces(q);
385
- q = p + 1;
339
+ int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint) {
340
+ ASN1_INTEGER *itmp;
341
+ if (!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
342
+ X509V3_conf_err(value);
343
+ return 0;
344
+ }
345
+ ASN1_INTEGER_free(*aint);
346
+ *aint = itmp;
347
+ return 1;
348
+ }
349
+
350
+ #define HDR_NAME 1
351
+ #define HDR_VALUE 2
352
+
353
+ // #define DEBUG
354
+
355
+ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line) {
356
+ char *p, *q, c;
357
+ char *ntmp, *vtmp;
358
+ STACK_OF(CONF_VALUE) *values = NULL;
359
+ char *linebuf;
360
+ int state;
361
+ // We are going to modify the line so copy it first
362
+ linebuf = OPENSSL_strdup(line);
363
+ if (linebuf == NULL) {
364
+ goto err;
365
+ }
366
+ state = HDR_NAME;
367
+ ntmp = NULL;
368
+ // Go through all characters
369
+ for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') && (c != '\n'); p++) {
370
+ switch (state) {
371
+ case HDR_NAME:
372
+ if (c == ':') {
373
+ state = HDR_VALUE;
374
+ *p = 0;
375
+ ntmp = strip_spaces(q);
376
+ if (!ntmp) {
377
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_NAME);
378
+ goto err;
379
+ }
380
+ q = p + 1;
381
+ } else if (c == ',') {
382
+ *p = 0;
383
+ ntmp = strip_spaces(q);
384
+ q = p + 1;
386
385
  #if 0
387
386
  printf("%s\n", ntmp);
388
387
  #endif
389
- if (!ntmp) {
390
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_NAME);
391
- goto err;
392
- }
393
- X509V3_add_value(ntmp, NULL, &values);
394
- }
395
- break;
396
-
397
- case HDR_VALUE:
398
- if (c == ',') {
399
- state = HDR_NAME;
400
- *p = 0;
401
- vtmp = strip_spaces(q);
388
+ if (!ntmp) {
389
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_NAME);
390
+ goto err;
391
+ }
392
+ X509V3_add_value(ntmp, NULL, &values);
393
+ }
394
+ break;
395
+
396
+ case HDR_VALUE:
397
+ if (c == ',') {
398
+ state = HDR_NAME;
399
+ *p = 0;
400
+ vtmp = strip_spaces(q);
402
401
  #if 0
403
402
  printf("%s\n", ntmp);
404
403
  #endif
405
- if (!vtmp) {
406
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_VALUE);
407
- goto err;
408
- }
409
- X509V3_add_value(ntmp, vtmp, &values);
410
- ntmp = NULL;
411
- q = p + 1;
412
- }
413
-
404
+ if (!vtmp) {
405
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_VALUE);
406
+ goto err;
407
+ }
408
+ X509V3_add_value(ntmp, vtmp, &values);
409
+ ntmp = NULL;
410
+ q = p + 1;
414
411
  }
415
412
  }
413
+ }
416
414
 
417
- if (state == HDR_VALUE) {
418
- vtmp = strip_spaces(q);
415
+ if (state == HDR_VALUE) {
416
+ vtmp = strip_spaces(q);
419
417
  #if 0
420
418
  printf("%s=%s\n", ntmp, vtmp);
421
419
  #endif
422
- if (!vtmp) {
423
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_VALUE);
424
- goto err;
425
- }
426
- X509V3_add_value(ntmp, vtmp, &values);
427
- } else {
428
- ntmp = strip_spaces(q);
420
+ if (!vtmp) {
421
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_VALUE);
422
+ goto err;
423
+ }
424
+ X509V3_add_value(ntmp, vtmp, &values);
425
+ } else {
426
+ ntmp = strip_spaces(q);
429
427
  #if 0
430
428
  printf("%s\n", ntmp);
431
429
  #endif
432
- if (!ntmp) {
433
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_NAME);
434
- goto err;
435
- }
436
- X509V3_add_value(ntmp, NULL, &values);
430
+ if (!ntmp) {
431
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_NAME);
432
+ goto err;
437
433
  }
438
- OPENSSL_free(linebuf);
439
- return values;
440
-
441
- err:
442
- OPENSSL_free(linebuf);
443
- sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
444
- return NULL;
434
+ X509V3_add_value(ntmp, NULL, &values);
435
+ }
436
+ OPENSSL_free(linebuf);
437
+ return values;
445
438
 
439
+ err:
440
+ OPENSSL_free(linebuf);
441
+ sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
442
+ return NULL;
446
443
  }
447
444
 
448
- /* Delete leading and trailing spaces from a string */
449
- static char *strip_spaces(char *name)
450
- {
451
- char *p, *q;
452
- /* Skip over leading spaces */
453
- p = name;
454
- while (*p && isspace((unsigned char)*p))
455
- p++;
456
- if (!*p)
457
- return NULL;
458
- q = p + strlen(p) - 1;
459
- while ((q != p) && isspace((unsigned char)*q))
460
- q--;
461
- if (p != q)
462
- q[1] = 0;
463
- if (!*p)
464
- return NULL;
465
- return p;
445
+ // Delete leading and trailing spaces from a string
446
+ static char *strip_spaces(char *name) {
447
+ char *p, *q;
448
+ // Skip over leading spaces
449
+ p = name;
450
+ while (*p && OPENSSL_isspace((unsigned char)*p)) {
451
+ p++;
452
+ }
453
+ if (!*p) {
454
+ return NULL;
455
+ }
456
+ q = p + strlen(p) - 1;
457
+ while ((q != p) && OPENSSL_isspace((unsigned char)*q)) {
458
+ q--;
459
+ }
460
+ if (p != q) {
461
+ q[1] = 0;
462
+ }
463
+ if (!*p) {
464
+ return NULL;
465
+ }
466
+ return p;
466
467
  }
467
468
 
468
- /* hex string utilities */
469
-
470
- /*
471
- * Given a buffer of length 'len' return a OPENSSL_malloc'ed string with its
472
- * hex representation @@@ (Contents of buffer are always kept in ASCII, also
473
- * on EBCDIC machines)
474
- */
475
-
476
- char *x509v3_bytes_to_hex(const unsigned char *buffer, long len)
477
- {
478
- char *tmp, *q;
479
- const unsigned char *p;
480
- int i;
481
- static const char hexdig[] = "0123456789ABCDEF";
482
- if (!buffer || !len)
483
- return NULL;
484
- if (!(tmp = OPENSSL_malloc(len * 3 + 1))) {
485
- OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
486
- return NULL;
487
- }
488
- q = tmp;
489
- for (i = 0, p = buffer; i < len; i++, p++) {
490
- *q++ = hexdig[(*p >> 4) & 0xf];
491
- *q++ = hexdig[*p & 0xf];
492
- *q++ = ':';
469
+ // hex string utilities
470
+
471
+ char *x509v3_bytes_to_hex(const uint8_t *in, size_t len) {
472
+ CBB cbb;
473
+ if (!CBB_init(&cbb, len * 3 + 1)) {
474
+ goto err;
475
+ }
476
+ for (size_t i = 0; i < len; i++) {
477
+ static const char hex[] = "0123456789ABCDEF";
478
+ if ((i > 0 && !CBB_add_u8(&cbb, ':')) ||
479
+ !CBB_add_u8(&cbb, hex[in[i] >> 4]) ||
480
+ !CBB_add_u8(&cbb, hex[in[i] & 0xf])) {
481
+ goto err;
493
482
  }
494
- q[-1] = 0;
483
+ }
484
+ uint8_t *ret;
485
+ size_t unused_len;
486
+ if (!CBB_add_u8(&cbb, 0) || !CBB_finish(&cbb, &ret, &unused_len)) {
487
+ goto err;
488
+ }
495
489
 
496
- return tmp;
490
+ return (char *)ret;
491
+
492
+ err:
493
+ CBB_cleanup(&cbb);
494
+ return NULL;
497
495
  }
498
496
 
499
- unsigned char *x509v3_hex_to_bytes(const char *str, long *len)
500
- {
501
- unsigned char *hexbuf, *q;
502
- unsigned char ch, cl, *p;
503
- if (!str) {
504
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_ARGUMENT);
505
- return NULL;
497
+ unsigned char *x509v3_hex_to_bytes(const char *str, long *len) {
498
+ unsigned char *hexbuf, *q;
499
+ unsigned char ch, cl, *p;
500
+ uint8_t high, low;
501
+ if (!str) {
502
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_ARGUMENT);
503
+ return NULL;
504
+ }
505
+ if (!(hexbuf = OPENSSL_malloc(strlen(str) >> 1))) {
506
+ goto err;
507
+ }
508
+ for (p = (unsigned char *)str, q = hexbuf; *p;) {
509
+ ch = *p++;
510
+ if (ch == ':') {
511
+ continue;
506
512
  }
507
- if (!(hexbuf = OPENSSL_malloc(strlen(str) >> 1)))
508
- goto err;
509
- for (p = (unsigned char *)str, q = hexbuf; *p;) {
510
- ch = *p++;
511
- if (ch == ':')
512
- continue;
513
- cl = *p++;
514
- if (!cl) {
515
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_ODD_NUMBER_OF_DIGITS);
516
- OPENSSL_free(hexbuf);
517
- return NULL;
518
- }
519
-
520
- if ((ch >= '0') && (ch <= '9'))
521
- ch -= '0';
522
- else if ((ch >= 'a') && (ch <= 'f'))
523
- ch -= 'a' - 10;
524
- else if ((ch >= 'A') && (ch <= 'F'))
525
- ch -= 'A' - 10;
526
- else
527
- goto badhex;
528
-
529
- if ((cl >= '0') && (cl <= '9'))
530
- cl -= '0';
531
- else if ((cl >= 'a') && (cl <= 'f'))
532
- cl -= 'a' - 10;
533
- else if ((cl >= 'A') && (cl <= 'F'))
534
- cl -= 'A' - 10;
535
- else
536
- goto badhex;
537
-
538
- *q++ = (ch << 4) | cl;
513
+ cl = *p++;
514
+ if (!cl) {
515
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_ODD_NUMBER_OF_DIGITS);
516
+ OPENSSL_free(hexbuf);
517
+ return NULL;
539
518
  }
519
+ if (!OPENSSL_fromxdigit(&high, ch)) {
520
+ goto badhex;
521
+ }
522
+ if (!OPENSSL_fromxdigit(&low, cl)) {
523
+ goto badhex;
524
+ }
525
+ *q++ = (high << 4) | low;
526
+ }
540
527
 
541
- if (len)
542
- *len = q - hexbuf;
543
-
544
- return hexbuf;
528
+ if (len) {
529
+ *len = q - hexbuf;
530
+ }
545
531
 
546
- err:
547
- if (hexbuf)
548
- OPENSSL_free(hexbuf);
549
- OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
550
- return NULL;
532
+ return hexbuf;
551
533
 
552
- badhex:
553
- OPENSSL_free(hexbuf);
554
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_ILLEGAL_HEX_DIGIT);
555
- return NULL;
534
+ err:
535
+ OPENSSL_free(hexbuf);
536
+ return NULL;
556
537
 
538
+ badhex:
539
+ OPENSSL_free(hexbuf);
540
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_ILLEGAL_HEX_DIGIT);
541
+ return NULL;
557
542
  }
558
543
 
559
- int x509v3_name_cmp(const char *name, const char *cmp)
560
- {
561
- int len, ret;
562
- char c;
563
- len = strlen(cmp);
564
- if ((ret = strncmp(name, cmp, len)))
565
- return ret;
566
- c = name[len];
567
- if (!c || (c == '.'))
568
- return 0;
569
- return 1;
544
+ int x509v3_conf_name_matches(const char *name, const char *cmp) {
545
+ // |name| must begin with |cmp|.
546
+ size_t len = strlen(cmp);
547
+ if (strncmp(name, cmp, len) != 0) {
548
+ return 0;
549
+ }
550
+ // |name| must either be equal to |cmp| or begin with |cmp|, followed by '.'.
551
+ return name[len] == '\0' || name[len] == '.';
570
552
  }
571
553
 
572
- static int sk_strcmp(const OPENSSL_STRING *a, const OPENSSL_STRING *b)
573
- {
574
- return strcmp(*a, *b);
575
- }
554
+ static int sk_strcmp(const char **a, const char **b) { return strcmp(*a, *b); }
576
555
 
577
- STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x)
578
- {
579
- GENERAL_NAMES *gens;
580
- STACK_OF(OPENSSL_STRING) *ret;
556
+ STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x) {
557
+ GENERAL_NAMES *gens;
558
+ STACK_OF(OPENSSL_STRING) *ret;
581
559
 
582
- gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
583
- ret = get_email(X509_get_subject_name(x), gens);
584
- sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
585
- return ret;
560
+ gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
561
+ ret = get_email(X509_get_subject_name(x), gens);
562
+ sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
563
+ return ret;
586
564
  }
587
565
 
588
- STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
589
- {
590
- AUTHORITY_INFO_ACCESS *info;
591
- STACK_OF(OPENSSL_STRING) *ret = NULL;
592
- size_t i;
566
+ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x) {
567
+ AUTHORITY_INFO_ACCESS *info;
568
+ STACK_OF(OPENSSL_STRING) *ret = NULL;
569
+ size_t i;
593
570
 
594
- info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
595
- if (!info)
596
- return NULL;
597
- for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
598
- ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
599
- if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
600
- if (ad->location->type == GEN_URI) {
601
- if (!append_ia5
602
- (&ret, ad->location->d.uniformResourceIdentifier))
603
- break;
604
- }
571
+ info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
572
+ if (!info) {
573
+ return NULL;
574
+ }
575
+ for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
576
+ ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
577
+ if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
578
+ if (ad->location->type == GEN_URI) {
579
+ if (!append_ia5(&ret, ad->location->d.uniformResourceIdentifier)) {
580
+ break;
605
581
  }
582
+ }
606
583
  }
607
- AUTHORITY_INFO_ACCESS_free(info);
608
- return ret;
584
+ }
585
+ AUTHORITY_INFO_ACCESS_free(info);
586
+ return ret;
609
587
  }
610
588
 
611
- STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
612
- {
613
- GENERAL_NAMES *gens;
614
- STACK_OF(X509_EXTENSION) *exts;
615
- STACK_OF(OPENSSL_STRING) *ret;
616
-
617
- exts = X509_REQ_get_extensions(x);
618
- gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
619
- ret = get_email(X509_REQ_get_subject_name(x), gens);
620
- sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
621
- sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
622
- return ret;
589
+ STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x) {
590
+ GENERAL_NAMES *gens;
591
+ STACK_OF(X509_EXTENSION) *exts;
592
+ STACK_OF(OPENSSL_STRING) *ret;
593
+
594
+ exts = X509_REQ_get_extensions(x);
595
+ gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
596
+ ret = get_email(X509_REQ_get_subject_name(x), gens);
597
+ sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
598
+ sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
599
+ return ret;
623
600
  }
624
601
 
625
- static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
626
- GENERAL_NAMES *gens)
627
- {
628
- STACK_OF(OPENSSL_STRING) *ret = NULL;
629
- X509_NAME_ENTRY *ne;
630
- ASN1_IA5STRING *email;
631
- GENERAL_NAME *gen;
632
- int i;
633
- size_t j;
634
- /* Now add any email address(es) to STACK */
635
- i = -1;
636
- /* First supplied X509_NAME */
637
- while ((i = X509_NAME_get_index_by_NID(name,
638
- NID_pkcs9_emailAddress, i)) >= 0) {
639
- ne = X509_NAME_get_entry(name, i);
640
- email = X509_NAME_ENTRY_get_data(ne);
641
- if (!append_ia5(&ret, email))
642
- return NULL;
602
+ static STACK_OF(OPENSSL_STRING) *get_email(const X509_NAME *name,
603
+ const GENERAL_NAMES *gens) {
604
+ STACK_OF(OPENSSL_STRING) *ret = NULL;
605
+ // Now add any email address(es) to STACK
606
+ int i = -1;
607
+ // First supplied X509_NAME
608
+ while ((i = X509_NAME_get_index_by_NID(name, NID_pkcs9_emailAddress, i)) >=
609
+ 0) {
610
+ const X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, i);
611
+ const ASN1_IA5STRING *email = X509_NAME_ENTRY_get_data(ne);
612
+ if (!append_ia5(&ret, email)) {
613
+ return NULL;
643
614
  }
644
- for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) {
645
- gen = sk_GENERAL_NAME_value(gens, j);
646
- if (gen->type != GEN_EMAIL)
647
- continue;
648
- if (!append_ia5(&ret, gen->d.ia5))
649
- return NULL;
615
+ }
616
+ for (size_t j = 0; j < sk_GENERAL_NAME_num(gens); j++) {
617
+ const GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, j);
618
+ if (gen->type != GEN_EMAIL) {
619
+ continue;
650
620
  }
651
- return ret;
652
- }
653
-
654
- static void str_free(OPENSSL_STRING str)
655
- {
656
- OPENSSL_free(str);
621
+ if (!append_ia5(&ret, gen->d.ia5)) {
622
+ return NULL;
623
+ }
624
+ }
625
+ return ret;
657
626
  }
658
627
 
659
- static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
660
- {
661
- /* First some sanity checks */
662
- if (email->type != V_ASN1_IA5STRING)
663
- return 1;
664
- if (email->data == NULL || email->length == 0)
665
- return 1;
666
- /* |OPENSSL_STRING| cannot represent strings with embedded NULs. Do not
667
- * report them as outputs. */
668
- if (OPENSSL_memchr(email->data, 0, email->length) != NULL)
669
- return 1;
670
-
671
- char *emtmp = NULL;
672
- if (!*sk)
673
- *sk = sk_OPENSSL_STRING_new(sk_strcmp);
674
- if (!*sk)
675
- goto err;
676
-
677
- emtmp = OPENSSL_strndup((char *)email->data, email->length);
678
- if (emtmp == NULL) {
679
- goto err;
680
- }
628
+ static void str_free(OPENSSL_STRING str) { OPENSSL_free(str); }
681
629
 
682
- /* Don't add duplicates */
683
- sk_OPENSSL_STRING_sort(*sk);
684
- if (sk_OPENSSL_STRING_find(*sk, NULL, emtmp)) {
685
- OPENSSL_free(emtmp);
686
- return 1;
687
- }
688
- if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
689
- goto err;
690
- }
630
+ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk,
631
+ const ASN1_IA5STRING *email) {
632
+ // First some sanity checks
633
+ if (email->type != V_ASN1_IA5STRING) {
634
+ return 1;
635
+ }
636
+ if (email->data == NULL || email->length == 0) {
637
+ return 1;
638
+ }
639
+ // |OPENSSL_STRING| cannot represent strings with embedded NULs. Do not
640
+ // report them as outputs.
641
+ if (OPENSSL_memchr(email->data, 0, email->length) != NULL) {
691
642
  return 1;
643
+ }
644
+
645
+ char *emtmp = NULL;
646
+ if (!*sk) {
647
+ *sk = sk_OPENSSL_STRING_new(sk_strcmp);
648
+ }
649
+ if (!*sk) {
650
+ goto err;
651
+ }
652
+
653
+ emtmp = OPENSSL_strndup((char *)email->data, email->length);
654
+ if (emtmp == NULL) {
655
+ goto err;
656
+ }
657
+
658
+ // Don't add duplicates
659
+ sk_OPENSSL_STRING_sort(*sk);
660
+ if (sk_OPENSSL_STRING_find(*sk, NULL, emtmp)) {
661
+ OPENSSL_free(emtmp);
662
+ return 1;
663
+ }
664
+ if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
665
+ goto err;
666
+ }
667
+ return 1;
692
668
 
693
669
  err:
694
- /* TODO(davidben): Fix the error-handling in this file. It currently relies
695
- * on |append_ia5| leaving |*sk| at NULL on error. */
696
- OPENSSL_free(emtmp);
697
- X509_email_free(*sk);
698
- *sk = NULL;
699
- return 0;
670
+ // TODO(davidben): Fix the error-handling in this file. It currently relies
671
+ // on |append_ia5| leaving |*sk| at NULL on error.
672
+ OPENSSL_free(emtmp);
673
+ X509_email_free(*sk);
674
+ *sk = NULL;
675
+ return 0;
700
676
  }
701
677
 
702
- void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
703
- {
704
- sk_OPENSSL_STRING_pop_free(sk, str_free);
678
+ void X509_email_free(STACK_OF(OPENSSL_STRING) *sk) {
679
+ sk_OPENSSL_STRING_pop_free(sk, str_free);
705
680
  }
706
681
 
707
- typedef int (*equal_fn) (const unsigned char *pattern, size_t pattern_len,
708
- const unsigned char *subject, size_t subject_len,
709
- unsigned int flags);
710
-
711
- /* Skip pattern prefix to match "wildcard" subject */
712
- static void skip_prefix(const unsigned char **p, size_t *plen,
682
+ typedef int (*equal_fn)(const unsigned char *pattern, size_t pattern_len,
713
683
  const unsigned char *subject, size_t subject_len,
714
- unsigned int flags)
715
- {
716
- const unsigned char *pattern = *p;
717
- size_t pattern_len = *plen;
718
-
719
- /*
720
- * If subject starts with a leading '.' followed by more octets, and
721
- * pattern is longer, compare just an equal-length suffix with the
722
- * full subject (starting at the '.'), provided the prefix contains
723
- * no NULs.
724
- */
725
- if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
726
- return;
727
-
728
- while (pattern_len > subject_len && *pattern) {
729
- if ((flags & X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS) &&
730
- *pattern == '.')
731
- break;
732
- ++pattern;
733
- --pattern_len;
734
- }
735
-
736
- /* Skip if entire prefix acceptable */
737
- if (pattern_len == subject_len) {
738
- *p = pattern;
739
- *plen = pattern_len;
740
- }
741
- }
684
+ unsigned int flags);
742
685
 
743
- /* Compare while ASCII ignoring case. */
686
+ // Compare while ASCII ignoring case.
744
687
  static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
745
688
  const unsigned char *subject, size_t subject_len,
746
- unsigned int flags)
747
- {
748
- skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
749
- if (pattern_len != subject_len)
689
+ unsigned int flags) {
690
+ if (pattern_len != subject_len) {
691
+ return 0;
692
+ }
693
+ while (pattern_len) {
694
+ unsigned char l = *pattern;
695
+ unsigned char r = *subject;
696
+ // The pattern must not contain NUL characters.
697
+ if (l == 0) {
698
+ return 0;
699
+ }
700
+ if (l != r) {
701
+ if (OPENSSL_tolower(l) != OPENSSL_tolower(r)) {
750
702
  return 0;
751
- while (pattern_len) {
752
- unsigned char l = *pattern;
753
- unsigned char r = *subject;
754
- /* The pattern must not contain NUL characters. */
755
- if (l == 0)
756
- return 0;
757
- if (l != r) {
758
- if ('A' <= l && l <= 'Z')
759
- l = (l - 'A') + 'a';
760
- if ('A' <= r && r <= 'Z')
761
- r = (r - 'A') + 'a';
762
- if (l != r)
763
- return 0;
764
- }
765
- ++pattern;
766
- ++subject;
767
- --pattern_len;
703
+ }
768
704
  }
769
- return 1;
705
+ ++pattern;
706
+ ++subject;
707
+ --pattern_len;
708
+ }
709
+ return 1;
770
710
  }
771
711
 
772
- /* Compare using OPENSSL_memcmp. */
712
+ // Compare using OPENSSL_memcmp.
773
713
  static int equal_case(const unsigned char *pattern, size_t pattern_len,
774
714
  const unsigned char *subject, size_t subject_len,
775
- unsigned int flags)
776
- {
777
- skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
778
- if (pattern_len != subject_len)
779
- return 0;
780
- return !OPENSSL_memcmp(pattern, subject, pattern_len);
715
+ unsigned int flags) {
716
+ if (pattern_len != subject_len) {
717
+ return 0;
718
+ }
719
+ return !OPENSSL_memcmp(pattern, subject, pattern_len);
781
720
  }
782
721
 
783
- /*
784
- * RFC 5280, section 7.5, requires that only the domain is compared in a
785
- * case-insensitive manner.
786
- */
722
+ // RFC 5280, section 7.5, requires that only the domain is compared in a
723
+ // case-insensitive manner.
787
724
  static int equal_email(const unsigned char *a, size_t a_len,
788
725
  const unsigned char *b, size_t b_len,
789
- unsigned int unused_flags)
790
- {
791
- size_t i = a_len;
792
- if (a_len != b_len)
726
+ unsigned int unused_flags) {
727
+ size_t i = a_len;
728
+ if (a_len != b_len) {
729
+ return 0;
730
+ }
731
+ // We search backwards for the '@' character, so that we do not have to
732
+ // deal with quoted local-parts. The domain part is compared in a
733
+ // case-insensitive manner.
734
+ while (i > 0) {
735
+ --i;
736
+ if (a[i] == '@' || b[i] == '@') {
737
+ if (!equal_nocase(a + i, a_len - i, b + i, a_len - i, 0)) {
793
738
  return 0;
794
- /*
795
- * We search backwards for the '@' character, so that we do not have to
796
- * deal with quoted local-parts. The domain part is compared in a
797
- * case-insensitive manner.
798
- */
799
- while (i > 0) {
800
- --i;
801
- if (a[i] == '@' || b[i] == '@') {
802
- if (!equal_nocase(a + i, a_len - i, b + i, a_len - i, 0))
803
- return 0;
804
- break;
805
- }
739
+ }
740
+ break;
806
741
  }
807
- if (i == 0)
808
- i = a_len;
809
- return equal_case(a, i, b, i, 0);
742
+ }
743
+ if (i == 0) {
744
+ i = a_len;
745
+ }
746
+ return equal_case(a, i, b, i, 0);
810
747
  }
811
748
 
812
- /*
813
- * Compare the prefix and suffix with the subject, and check that the
814
- * characters in-between are valid.
815
- */
749
+ // Compare the prefix and suffix with the subject, and check that the
750
+ // characters in-between are valid.
816
751
  static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
817
752
  const unsigned char *suffix, size_t suffix_len,
818
753
  const unsigned char *subject, size_t subject_len,
819
- unsigned int flags)
820
- {
821
- const unsigned char *wildcard_start;
822
- const unsigned char *wildcard_end;
823
- const unsigned char *p;
824
- int allow_multi = 0;
825
- int allow_idna = 0;
826
-
827
- if (subject_len < prefix_len + suffix_len)
828
- return 0;
829
- if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags))
830
- return 0;
831
- wildcard_start = subject + prefix_len;
832
- wildcard_end = subject + (subject_len - suffix_len);
833
- if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags))
834
- return 0;
835
- /*
836
- * If the wildcard makes up the entire first label, it must match at
837
- * least one character.
838
- */
839
- if (prefix_len == 0 && *suffix == '.') {
840
- if (wildcard_start == wildcard_end)
841
- return 0;
842
- allow_idna = 1;
843
- if (flags & X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS)
844
- allow_multi = 1;
754
+ unsigned int flags) {
755
+ const unsigned char *wildcard_start;
756
+ const unsigned char *wildcard_end;
757
+ const unsigned char *p;
758
+ int allow_idna = 0;
759
+
760
+ if (subject_len < prefix_len + suffix_len) {
761
+ return 0;
762
+ }
763
+ if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags)) {
764
+ return 0;
765
+ }
766
+ wildcard_start = subject + prefix_len;
767
+ wildcard_end = subject + (subject_len - suffix_len);
768
+ if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags)) {
769
+ return 0;
770
+ }
771
+ // If the wildcard makes up the entire first label, it must match at
772
+ // least one character.
773
+ if (prefix_len == 0 && *suffix == '.') {
774
+ if (wildcard_start == wildcard_end) {
775
+ return 0;
845
776
  }
846
- /* IDNA labels cannot match partial wildcards */
847
- if (!allow_idna &&
848
- subject_len >= 4
849
- && OPENSSL_strncasecmp((char *)subject, "xn--", 4) == 0)
850
- return 0;
851
- /* The wildcard may match a literal '*' */
852
- if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*')
853
- return 1;
854
- /*
855
- * Check that the part matched by the wildcard contains only
856
- * permitted characters and only matches a single label unless
857
- * allow_multi is set.
858
- */
859
- for (p = wildcard_start; p != wildcard_end; ++p)
860
- if (!(('0' <= *p && *p <= '9') ||
861
- ('A' <= *p && *p <= 'Z') ||
862
- ('a' <= *p && *p <= 'z') ||
863
- *p == '-' || (allow_multi && *p == '.')))
864
- return 0;
777
+ allow_idna = 1;
778
+ }
779
+ // IDNA labels cannot match partial wildcards
780
+ if (!allow_idna && subject_len >= 4 &&
781
+ OPENSSL_strncasecmp((char *)subject, "xn--", 4) == 0) {
782
+ return 0;
783
+ }
784
+ // The wildcard may match a literal '*'
785
+ if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*') {
865
786
  return 1;
787
+ }
788
+ // Check that the part matched by the wildcard contains only
789
+ // permitted characters and only matches a single label.
790
+ for (p = wildcard_start; p != wildcard_end; ++p) {
791
+ if (!OPENSSL_isalnum(*p) && *p != '-') {
792
+ return 0;
793
+ }
794
+ }
795
+ return 1;
866
796
  }
867
797
 
868
- #define LABEL_START (1 << 0)
869
- #define LABEL_END (1 << 1)
870
- #define LABEL_HYPHEN (1 << 2)
871
- #define LABEL_IDNA (1 << 3)
798
+ #define LABEL_START (1 << 0)
799
+ #define LABEL_END (1 << 1)
800
+ #define LABEL_HYPHEN (1 << 2)
801
+ #define LABEL_IDNA (1 << 3)
872
802
 
873
803
  static const unsigned char *valid_star(const unsigned char *p, size_t len,
874
- unsigned int flags)
875
- {
876
- const unsigned char *star = 0;
877
- size_t i;
878
- int state = LABEL_START;
879
- int dots = 0;
880
- for (i = 0; i < len; ++i) {
881
- /*
882
- * Locate first and only legal wildcard, either at the start
883
- * or end of a non-IDNA first and not final label.
884
- */
885
- if (p[i] == '*') {
886
- int atstart = (state & LABEL_START);
887
- int atend = (i == len - 1 || p[i + 1] == '.');
888
- /*
889
- * At most one wildcard per pattern.
890
- * No wildcards in IDNA labels.
891
- * No wildcards after the first label.
892
- */
893
- if (star != NULL || (state & LABEL_IDNA) != 0 || dots)
894
- return NULL;
895
- /* Only full-label '*.example.com' wildcards? */
896
- if ((flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)
897
- && (!atstart || !atend))
898
- return NULL;
899
- /* No 'foo*bar' wildcards */
900
- if (!atstart && !atend)
901
- return NULL;
902
- star = &p[i];
903
- state &= ~LABEL_START;
904
- } else if (('a' <= p[i] && p[i] <= 'z')
905
- || ('A' <= p[i] && p[i] <= 'Z')
906
- || ('0' <= p[i] && p[i] <= '9')) {
907
- if ((state & LABEL_START) != 0
908
- && len - i >= 4
909
- && OPENSSL_strncasecmp((char *)&p[i], "xn--", 4) == 0)
910
- state |= LABEL_IDNA;
911
- state &= ~(LABEL_HYPHEN | LABEL_START);
912
- } else if (p[i] == '.') {
913
- if ((state & (LABEL_HYPHEN | LABEL_START)) != 0)
914
- return NULL;
915
- state = LABEL_START;
916
- ++dots;
917
- } else if (p[i] == '-') {
918
- /* no domain/subdomain starts with '-' */
919
- if ((state & LABEL_START) != 0)
920
- return NULL;
921
- state |= LABEL_HYPHEN;
922
- } else
923
- return NULL;
804
+ unsigned int flags) {
805
+ const unsigned char *star = 0;
806
+ size_t i;
807
+ int state = LABEL_START;
808
+ int dots = 0;
809
+ for (i = 0; i < len; ++i) {
810
+ // Locate first and only legal wildcard, either at the start
811
+ // or end of a non-IDNA first and not final label.
812
+ if (p[i] == '*') {
813
+ int atstart = (state & LABEL_START);
814
+ int atend = (i == len - 1 || p[i + 1] == '.');
815
+ // At most one wildcard per pattern.
816
+ // No wildcards in IDNA labels.
817
+ // No wildcards after the first label.
818
+ if (star != NULL || (state & LABEL_IDNA) != 0 || dots) {
819
+ return NULL;
820
+ }
821
+ // Only full-label '*.example.com' wildcards.
822
+ if (!atstart || !atend) {
823
+ return NULL;
824
+ }
825
+ star = &p[i];
826
+ state &= ~LABEL_START;
827
+ } else if (OPENSSL_isalnum(p[i])) {
828
+ if ((state & LABEL_START) != 0 && len - i >= 4 &&
829
+ OPENSSL_strncasecmp((char *)&p[i], "xn--", 4) == 0) {
830
+ state |= LABEL_IDNA;
831
+ }
832
+ state &= ~(LABEL_HYPHEN | LABEL_START);
833
+ } else if (p[i] == '.') {
834
+ if ((state & (LABEL_HYPHEN | LABEL_START)) != 0) {
835
+ return NULL;
836
+ }
837
+ state = LABEL_START;
838
+ ++dots;
839
+ } else if (p[i] == '-') {
840
+ // no domain/subdomain starts with '-'
841
+ if ((state & LABEL_START) != 0) {
842
+ return NULL;
843
+ }
844
+ state |= LABEL_HYPHEN;
845
+ } else {
846
+ return NULL;
924
847
  }
848
+ }
925
849
 
926
- /*
927
- * The final label must not end in a hyphen or ".", and
928
- * there must be at least two dots after the star.
929
- */
930
- if ((state & (LABEL_START | LABEL_HYPHEN)) != 0 || dots < 2)
931
- return NULL;
932
- return star;
850
+ // The final label must not end in a hyphen or ".", and
851
+ // there must be at least two dots after the star.
852
+ if ((state & (LABEL_START | LABEL_HYPHEN)) != 0 || dots < 2) {
853
+ return NULL;
854
+ }
855
+ return star;
933
856
  }
934
857
 
935
- /* Compare using wildcards. */
858
+ // Compare using wildcards.
936
859
  static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
937
860
  const unsigned char *subject, size_t subject_len,
938
- unsigned int flags)
939
- {
940
- const unsigned char *star = NULL;
941
-
942
- /*
943
- * Subject names starting with '.' can only match a wildcard pattern
944
- * via a subject sub-domain pattern suffix match.
945
- */
946
- if (!(subject_len > 1 && subject[0] == '.'))
947
- star = valid_star(pattern, pattern_len, flags);
948
- if (star == NULL)
949
- return equal_nocase(pattern, pattern_len,
950
- subject, subject_len, flags);
951
- return wildcard_match(pattern, star - pattern,
952
- star + 1, (pattern + pattern_len) - star - 1,
953
- subject, subject_len, flags);
861
+ unsigned int flags) {
862
+ const unsigned char *star = NULL;
863
+
864
+ // Subject names starting with '.' can only match a wildcard pattern
865
+ // via a subject sub-domain pattern suffix match.
866
+ if (!(subject_len > 1 && subject[0] == '.')) {
867
+ star = valid_star(pattern, pattern_len, flags);
868
+ }
869
+ if (star == NULL) {
870
+ return equal_nocase(pattern, pattern_len, subject, subject_len, flags);
871
+ }
872
+ return wildcard_match(pattern, star - pattern, star + 1,
873
+ (pattern + pattern_len) - star - 1, subject,
874
+ subject_len, flags);
954
875
  }
955
876
 
956
877
  int x509v3_looks_like_dns_name(const unsigned char *in, size_t len) {
957
- /* This function is used as a heuristic for whether a common name is a
958
- * hostname to be matched, or merely a decorative name to describe the
959
- * subject. This heuristic must be applied to both name constraints and the
960
- * common name fallback, so it must be loose enough to accept hostname
961
- * common names, and tight enough to reject decorative common names. */
962
-
963
- if (len > 0 && in[len - 1] == '.') {
964
- len--;
965
- }
966
-
967
- /* Wildcards are allowed in front. */
968
- if (len >= 2 && in[0] == '*' && in[1] == '.') {
969
- in += 2;
970
- len -= 2;
878
+ // This function is used as a heuristic for whether a common name is a
879
+ // hostname to be matched, or merely a decorative name to describe the
880
+ // subject. This heuristic must be applied to both name constraints and the
881
+ // common name fallback, so it must be loose enough to accept hostname
882
+ // common names, and tight enough to reject decorative common names.
883
+
884
+ if (len > 0 && in[len - 1] == '.') {
885
+ len--;
886
+ }
887
+
888
+ // Wildcards are allowed in front.
889
+ if (len >= 2 && in[0] == '*' && in[1] == '.') {
890
+ in += 2;
891
+ len -= 2;
892
+ }
893
+
894
+ if (len == 0) {
895
+ return 0;
896
+ }
897
+
898
+ size_t label_start = 0;
899
+ for (size_t i = 0; i < len; i++) {
900
+ unsigned char c = in[i];
901
+ if (OPENSSL_isalnum(c) || (c == '-' && i > label_start) ||
902
+ // These are not valid characters in hostnames, but commonly found
903
+ // in deployments outside the Web PKI.
904
+ c == '_' || c == ':') {
905
+ continue;
971
906
  }
972
907
 
973
- if (len == 0) {
974
- return 0;
908
+ // Labels must not be empty.
909
+ if (c == '.' && i > label_start && i < len - 1) {
910
+ label_start = i + 1;
911
+ continue;
975
912
  }
976
913
 
977
- size_t label_start = 0;
978
- for (size_t i = 0; i < len; i++) {
979
- unsigned char c = in[i];
980
- if ((c >= 'a' && c <= 'z') ||
981
- (c >= '0' && c <= '9') ||
982
- (c >= 'A' && c <= 'Z') ||
983
- (c == '-' && i > label_start) ||
984
- /* These are not valid characters in hostnames, but commonly found
985
- * in deployments outside the Web PKI. */
986
- c == '_' ||
987
- c == ':') {
988
- continue;
989
- }
990
-
991
- /* Labels must not be empty. */
992
- if (c == '.' && i > label_start && i < len - 1) {
993
- label_start = i + 1;
994
- continue;
995
- }
996
-
997
- return 0;
998
- }
914
+ return 0;
915
+ }
999
916
 
1000
- return 1;
917
+ return 1;
1001
918
  }
1002
919
 
1003
- /*
1004
- * Compare an ASN1_STRING to a supplied string. If they match return 1. If
1005
- * cmp_type > 0 only compare if string matches the type, otherwise convert it
1006
- * to UTF8.
1007
- */
920
+ // Compare an ASN1_STRING to a supplied string. If they match return 1. If
921
+ // cmp_type > 0 only compare if string matches the type, otherwise convert it
922
+ // to UTF8.
1008
923
 
1009
- static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
924
+ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
1010
925
  unsigned int flags, int check_type, const char *b,
1011
- size_t blen, char **peername)
1012
- {
1013
- int rv = 0;
926
+ size_t blen, char **peername) {
927
+ int rv = 0;
1014
928
 
1015
- if (!a->data || !a->length)
1016
- return 0;
1017
- if (cmp_type > 0) {
1018
- if (cmp_type != a->type)
1019
- return 0;
1020
- if (cmp_type == V_ASN1_IA5STRING)
1021
- rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);
1022
- else if (a->length == (int)blen && !OPENSSL_memcmp(a->data, b, blen))
1023
- rv = 1;
1024
- if (rv > 0 && peername)
1025
- *peername = OPENSSL_strndup((char *)a->data, a->length);
929
+ if (!a->data || !a->length) {
930
+ return 0;
931
+ }
932
+ if (cmp_type > 0) {
933
+ if (cmp_type != a->type) {
934
+ return 0;
935
+ }
936
+ if (cmp_type == V_ASN1_IA5STRING) {
937
+ rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);
938
+ } else if (a->length == (int)blen && !OPENSSL_memcmp(a->data, b, blen)) {
939
+ rv = 1;
940
+ }
941
+ if (rv > 0 && peername) {
942
+ *peername = OPENSSL_strndup((char *)a->data, a->length);
943
+ }
944
+ } else {
945
+ int astrlen;
946
+ unsigned char *astr;
947
+ astrlen = ASN1_STRING_to_UTF8(&astr, a);
948
+ if (astrlen < 0) {
949
+ return -1;
950
+ }
951
+ // We check the common name against DNS name constraints if it passes
952
+ // |x509v3_looks_like_dns_name|. Thus we must not consider common names
953
+ // for DNS fallbacks if they fail this check.
954
+ if (check_type == GEN_DNS && !x509v3_looks_like_dns_name(astr, astrlen)) {
955
+ rv = 0;
1026
956
  } else {
1027
- int astrlen;
1028
- unsigned char *astr;
1029
- astrlen = ASN1_STRING_to_UTF8(&astr, a);
1030
- if (astrlen < 0)
1031
- return -1;
1032
- /*
1033
- * We check the common name against DNS name constraints if it passes
1034
- * |x509v3_looks_like_dns_name|. Thus we must not consider common names
1035
- * for DNS fallbacks if they fail this check.
1036
- */
1037
- if (check_type == GEN_DNS &&
1038
- !x509v3_looks_like_dns_name(astr, astrlen)) {
1039
- rv = 0;
1040
- } else {
1041
- rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
1042
- }
1043
- if (rv > 0 && peername)
1044
- *peername = OPENSSL_strndup((char *)astr, astrlen);
1045
- OPENSSL_free(astr);
957
+ rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
1046
958
  }
1047
- return rv;
959
+ if (rv > 0 && peername) {
960
+ *peername = OPENSSL_strndup((char *)astr, astrlen);
961
+ }
962
+ OPENSSL_free(astr);
963
+ }
964
+ return rv;
1048
965
  }
1049
966
 
1050
967
  static int do_x509_check(X509 *x, const char *chk, size_t chklen,
1051
- unsigned int flags, int check_type, char **peername)
1052
- {
1053
- GENERAL_NAMES *gens = NULL;
1054
- X509_NAME *name = NULL;
1055
- size_t i;
1056
- int j;
1057
- int cnid = NID_undef;
1058
- int alt_type;
1059
- int rv = 0;
1060
- equal_fn equal;
1061
-
1062
- /* See below, this flag is internal-only */
1063
- flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
1064
- if (check_type == GEN_EMAIL) {
1065
- cnid = NID_pkcs9_emailAddress;
1066
- alt_type = V_ASN1_IA5STRING;
1067
- equal = equal_email;
1068
- } else if (check_type == GEN_DNS) {
1069
- cnid = NID_commonName;
1070
- /* Implicit client-side DNS sub-domain pattern */
1071
- if (chklen > 1 && chk[0] == '.')
1072
- flags |= _X509_CHECK_FLAG_DOT_SUBDOMAINS;
1073
- alt_type = V_ASN1_IA5STRING;
1074
- if (flags & X509_CHECK_FLAG_NO_WILDCARDS)
1075
- equal = equal_nocase;
1076
- else
1077
- equal = equal_wildcard;
968
+ unsigned int flags, int check_type, char **peername) {
969
+ int cnid = NID_undef;
970
+ int alt_type;
971
+ int rv = 0;
972
+ equal_fn equal;
973
+ if (check_type == GEN_EMAIL) {
974
+ cnid = NID_pkcs9_emailAddress;
975
+ alt_type = V_ASN1_IA5STRING;
976
+ equal = equal_email;
977
+ } else if (check_type == GEN_DNS) {
978
+ cnid = NID_commonName;
979
+ alt_type = V_ASN1_IA5STRING;
980
+ if (flags & X509_CHECK_FLAG_NO_WILDCARDS) {
981
+ equal = equal_nocase;
1078
982
  } else {
1079
- alt_type = V_ASN1_OCTET_STRING;
1080
- equal = equal_case;
983
+ equal = equal_wildcard;
1081
984
  }
1082
-
1083
- gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
1084
- if (gens) {
1085
- for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1086
- GENERAL_NAME *gen;
1087
- ASN1_STRING *cstr;
1088
- gen = sk_GENERAL_NAME_value(gens, i);
1089
- if (gen->type != check_type)
1090
- continue;
1091
- if (check_type == GEN_EMAIL)
1092
- cstr = gen->d.rfc822Name;
1093
- else if (check_type == GEN_DNS)
1094
- cstr = gen->d.dNSName;
1095
- else
1096
- cstr = gen->d.iPAddress;
1097
- /* Positive on success, negative on error! */
1098
- if ((rv = do_check_string(cstr, alt_type, equal, flags, check_type,
1099
- chk, chklen, peername)) != 0)
1100
- break;
1101
- }
1102
- GENERAL_NAMES_free(gens);
1103
- return rv;
985
+ } else {
986
+ alt_type = V_ASN1_OCTET_STRING;
987
+ equal = equal_case;
988
+ }
989
+
990
+ GENERAL_NAMES *gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
991
+ if (gens) {
992
+ for (size_t i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
993
+ const GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);
994
+ if (gen->type != check_type) {
995
+ continue;
996
+ }
997
+ const ASN1_STRING *cstr;
998
+ if (check_type == GEN_EMAIL) {
999
+ cstr = gen->d.rfc822Name;
1000
+ } else if (check_type == GEN_DNS) {
1001
+ cstr = gen->d.dNSName;
1002
+ } else {
1003
+ cstr = gen->d.iPAddress;
1004
+ }
1005
+ // Positive on success, negative on error!
1006
+ if ((rv = do_check_string(cstr, alt_type, equal, flags, check_type, chk,
1007
+ chklen, peername)) != 0) {
1008
+ break;
1009
+ }
1104
1010
  }
1011
+ GENERAL_NAMES_free(gens);
1012
+ return rv;
1013
+ }
1105
1014
 
1106
- /* We're done if CN-ID is not pertinent */
1107
- if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
1108
- return 0;
1109
-
1110
- j = -1;
1111
- name = X509_get_subject_name(x);
1112
- while ((j = X509_NAME_get_index_by_NID(name, cnid, j)) >= 0) {
1113
- X509_NAME_ENTRY *ne;
1114
- ASN1_STRING *str;
1115
- ne = X509_NAME_get_entry(name, j);
1116
- str = X509_NAME_ENTRY_get_data(ne);
1117
- /* Positive on success, negative on error! */
1118
- if ((rv = do_check_string(str, -1, equal, flags, check_type,
1119
- chk, chklen, peername)) != 0)
1120
- return rv;
1121
- }
1015
+ // We're done if CN-ID is not pertinent
1016
+ if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT)) {
1122
1017
  return 0;
1018
+ }
1019
+
1020
+ int j = -1;
1021
+ const X509_NAME *name = X509_get_subject_name(x);
1022
+ while ((j = X509_NAME_get_index_by_NID(name, cnid, j)) >= 0) {
1023
+ const X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, j);
1024
+ const ASN1_STRING *str = X509_NAME_ENTRY_get_data(ne);
1025
+ // Positive on success, negative on error!
1026
+ if ((rv = do_check_string(str, -1, equal, flags, check_type, chk, chklen,
1027
+ peername)) != 0) {
1028
+ return rv;
1029
+ }
1030
+ }
1031
+ return 0;
1123
1032
  }
1124
1033
 
1125
- int X509_check_host(X509 *x, const char *chk, size_t chklen,
1126
- unsigned int flags, char **peername)
1127
- {
1128
- if (chk == NULL)
1129
- return -2;
1130
- if (OPENSSL_memchr(chk, '\0', chklen))
1131
- return -2;
1132
- return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
1034
+ int X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags,
1035
+ char **peername) {
1036
+ if (chk == NULL) {
1037
+ return -2;
1038
+ }
1039
+ if (OPENSSL_memchr(chk, '\0', chklen)) {
1040
+ return -2;
1041
+ }
1042
+ return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
1133
1043
  }
1134
1044
 
1135
1045
  int X509_check_email(X509 *x, const char *chk, size_t chklen,
1136
- unsigned int flags)
1137
- {
1138
- if (chk == NULL)
1139
- return -2;
1140
- if (OPENSSL_memchr(chk, '\0', chklen))
1141
- return -2;
1142
- return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
1046
+ unsigned int flags) {
1047
+ if (chk == NULL) {
1048
+ return -2;
1049
+ }
1050
+ if (OPENSSL_memchr(chk, '\0', chklen)) {
1051
+ return -2;
1052
+ }
1053
+ return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
1143
1054
  }
1144
1055
 
1145
1056
  int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
1146
- unsigned int flags)
1147
- {
1148
- if (chk == NULL)
1149
- return -2;
1150
- return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
1057
+ unsigned int flags) {
1058
+ if (chk == NULL) {
1059
+ return -2;
1060
+ }
1061
+ return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
1151
1062
  }
1152
1063
 
1153
- int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
1154
- {
1155
- unsigned char ipout[16];
1156
- size_t iplen;
1157
-
1158
- if (ipasc == NULL)
1159
- return -2;
1160
- iplen = (size_t)x509v3_a2i_ipadd(ipout, ipasc);
1161
- if (iplen == 0)
1162
- return -2;
1163
- return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
1064
+ int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags) {
1065
+ unsigned char ipout[16];
1066
+ size_t iplen;
1067
+
1068
+ if (ipasc == NULL) {
1069
+ return -2;
1070
+ }
1071
+ iplen = (size_t)x509v3_a2i_ipadd(ipout, ipasc);
1072
+ if (iplen == 0) {
1073
+ return -2;
1074
+ }
1075
+ return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
1164
1076
  }
1165
1077
 
1166
- /*
1167
- * Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible
1168
- * with RFC 3280.
1169
- */
1078
+ // Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible
1079
+ // with RFC 3280.
1170
1080
 
1171
- ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc)
1172
- {
1173
- unsigned char ipout[16];
1174
- ASN1_OCTET_STRING *ret;
1175
- int iplen;
1081
+ ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc) {
1082
+ unsigned char ipout[16];
1083
+ ASN1_OCTET_STRING *ret;
1084
+ int iplen;
1176
1085
 
1177
- iplen = x509v3_a2i_ipadd(ipout, ipasc);
1178
- if (!iplen)
1179
- return NULL;
1086
+ iplen = x509v3_a2i_ipadd(ipout, ipasc);
1087
+ if (!iplen) {
1088
+ return NULL;
1089
+ }
1180
1090
 
1181
- ret = ASN1_OCTET_STRING_new();
1182
- if (!ret)
1183
- return NULL;
1184
- if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
1185
- ASN1_OCTET_STRING_free(ret);
1186
- return NULL;
1187
- }
1188
- return ret;
1091
+ ret = ASN1_OCTET_STRING_new();
1092
+ if (!ret) {
1093
+ return NULL;
1094
+ }
1095
+ if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
1096
+ ASN1_OCTET_STRING_free(ret);
1097
+ return NULL;
1098
+ }
1099
+ return ret;
1189
1100
  }
1190
1101
 
1191
- ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
1192
- {
1193
- ASN1_OCTET_STRING *ret = NULL;
1194
- unsigned char ipout[32];
1195
- char *iptmp = NULL, *p;
1196
- int iplen1, iplen2;
1197
- p = strchr(ipasc, '/');
1198
- if (!p)
1199
- return NULL;
1200
- iptmp = OPENSSL_strdup(ipasc);
1201
- if (!iptmp)
1202
- return NULL;
1203
- p = iptmp + (p - ipasc);
1204
- *p++ = 0;
1102
+ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc) {
1103
+ ASN1_OCTET_STRING *ret = NULL;
1104
+ unsigned char ipout[32];
1105
+ char *iptmp = NULL, *p;
1106
+ int iplen1, iplen2;
1107
+ p = strchr(ipasc, '/');
1108
+ if (!p) {
1109
+ return NULL;
1110
+ }
1111
+ iptmp = OPENSSL_strdup(ipasc);
1112
+ if (!iptmp) {
1113
+ return NULL;
1114
+ }
1115
+ p = iptmp + (p - ipasc);
1116
+ *p++ = 0;
1205
1117
 
1206
- iplen1 = x509v3_a2i_ipadd(ipout, iptmp);
1118
+ iplen1 = x509v3_a2i_ipadd(ipout, iptmp);
1207
1119
 
1208
- if (!iplen1)
1209
- goto err;
1120
+ if (!iplen1) {
1121
+ goto err;
1122
+ }
1210
1123
 
1211
- iplen2 = x509v3_a2i_ipadd(ipout + iplen1, p);
1124
+ iplen2 = x509v3_a2i_ipadd(ipout + iplen1, p);
1212
1125
 
1213
- OPENSSL_free(iptmp);
1214
- iptmp = NULL;
1126
+ OPENSSL_free(iptmp);
1127
+ iptmp = NULL;
1215
1128
 
1216
- if (!iplen2 || (iplen1 != iplen2))
1217
- goto err;
1129
+ if (!iplen2 || (iplen1 != iplen2)) {
1130
+ goto err;
1131
+ }
1218
1132
 
1219
- ret = ASN1_OCTET_STRING_new();
1220
- if (!ret)
1221
- goto err;
1222
- if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
1223
- goto err;
1133
+ ret = ASN1_OCTET_STRING_new();
1134
+ if (!ret) {
1135
+ goto err;
1136
+ }
1137
+ if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2)) {
1138
+ goto err;
1139
+ }
1224
1140
 
1225
- return ret;
1141
+ return ret;
1226
1142
 
1227
- err:
1228
- if (iptmp)
1229
- OPENSSL_free(iptmp);
1230
- if (ret)
1231
- ASN1_OCTET_STRING_free(ret);
1232
- return NULL;
1143
+ err:
1144
+ if (iptmp) {
1145
+ OPENSSL_free(iptmp);
1146
+ }
1147
+ if (ret) {
1148
+ ASN1_OCTET_STRING_free(ret);
1149
+ }
1150
+ return NULL;
1233
1151
  }
1234
1152
 
1235
- int x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc)
1236
- {
1237
- /* If string contains a ':' assume IPv6 */
1153
+ int x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc) {
1154
+ // If string contains a ':' assume IPv6
1238
1155
 
1239
- if (strchr(ipasc, ':')) {
1240
- if (!ipv6_from_asc(ipout, ipasc))
1241
- return 0;
1242
- return 16;
1243
- } else {
1244
- if (!ipv4_from_asc(ipout, ipasc))
1245
- return 0;
1246
- return 4;
1156
+ if (strchr(ipasc, ':')) {
1157
+ if (!ipv6_from_asc(ipout, ipasc)) {
1158
+ return 0;
1159
+ }
1160
+ return 16;
1161
+ } else {
1162
+ if (!ipv4_from_asc(ipout, ipasc)) {
1163
+ return 0;
1247
1164
  }
1165
+ return 4;
1166
+ }
1248
1167
  }
1249
1168
 
1250
- static int ipv4_from_asc(unsigned char v4[4], const char *in)
1251
- {
1252
- int a0, a1, a2, a3;
1253
- if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
1254
- return 0;
1255
- if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
1256
- || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
1257
- return 0;
1258
- v4[0] = a0;
1259
- v4[1] = a1;
1260
- v4[2] = a2;
1261
- v4[3] = a3;
1262
- return 1;
1169
+ static int ipv4_from_asc(unsigned char v4[4], const char *in) {
1170
+ int a0, a1, a2, a3;
1171
+ if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4) {
1172
+ return 0;
1173
+ }
1174
+ if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) || (a2 < 0) ||
1175
+ (a2 > 255) || (a3 < 0) || (a3 > 255)) {
1176
+ return 0;
1177
+ }
1178
+ v4[0] = a0;
1179
+ v4[1] = a1;
1180
+ v4[2] = a2;
1181
+ v4[3] = a3;
1182
+ return 1;
1263
1183
  }
1264
1184
 
1265
1185
  typedef struct {
1266
- /* Temporary store for IPV6 output */
1267
- unsigned char tmp[16];
1268
- /* Total number of bytes in tmp */
1269
- int total;
1270
- /* The position of a zero (corresponding to '::') */
1271
- int zero_pos;
1272
- /* Number of zeroes */
1273
- int zero_cnt;
1186
+ // Temporary store for IPV6 output
1187
+ unsigned char tmp[16];
1188
+ // Total number of bytes in tmp
1189
+ int total;
1190
+ // The position of a zero (corresponding to '::')
1191
+ int zero_pos;
1192
+ // Number of zeroes
1193
+ int zero_cnt;
1274
1194
  } IPV6_STAT;
1275
1195
 
1276
- static int ipv6_from_asc(unsigned char v6[16], const char *in)
1277
- {
1278
- IPV6_STAT v6stat;
1279
- v6stat.total = 0;
1280
- v6stat.zero_pos = -1;
1281
- v6stat.zero_cnt = 0;
1282
- /*
1283
- * Treat the IPv6 representation as a list of values separated by ':'.
1284
- * The presence of a '::' will parse as one, two or three zero length
1285
- * elements.
1286
- */
1287
- if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
1288
- return 0;
1289
-
1290
- /* Now for some sanity checks */
1196
+ static int ipv6_from_asc(unsigned char v6[16], const char *in) {
1197
+ IPV6_STAT v6stat;
1198
+ v6stat.total = 0;
1199
+ v6stat.zero_pos = -1;
1200
+ v6stat.zero_cnt = 0;
1201
+ // Treat the IPv6 representation as a list of values separated by ':'.
1202
+ // The presence of a '::' will parse as one, two or three zero length
1203
+ // elements.
1204
+ if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat)) {
1205
+ return 0;
1206
+ }
1291
1207
 
1292
- if (v6stat.zero_pos == -1) {
1293
- /* If no '::' must have exactly 16 bytes */
1294
- if (v6stat.total != 16)
1295
- return 0;
1208
+ if (v6stat.zero_pos == -1) {
1209
+ // If no '::' must have exactly 16 bytes
1210
+ if (v6stat.total != 16) {
1211
+ return 0;
1212
+ }
1213
+ } else {
1214
+ // If '::' must have less than 16 bytes
1215
+ if (v6stat.total >= 16) {
1216
+ return 0;
1217
+ }
1218
+ if (v6stat.zero_cnt > 3) {
1219
+ // More than three zeroes is an error
1220
+ return 0;
1221
+ } else if (v6stat.zero_cnt == 3) {
1222
+ // Can only have three zeroes if nothing else present
1223
+ if (v6stat.total > 0) {
1224
+ return 0;
1225
+ }
1226
+ } else if (v6stat.zero_cnt == 2) {
1227
+ // Can only have two zeroes if at start or end
1228
+ if (v6stat.zero_pos != 0 && v6stat.zero_pos != v6stat.total) {
1229
+ return 0;
1230
+ }
1296
1231
  } else {
1297
- /* If '::' must have less than 16 bytes */
1298
- if (v6stat.total == 16)
1299
- return 0;
1300
- /* More than three zeroes is an error */
1301
- if (v6stat.zero_cnt > 3)
1302
- return 0;
1303
- /* Can only have three zeroes if nothing else present */
1304
- else if (v6stat.zero_cnt == 3) {
1305
- if (v6stat.total > 0)
1306
- return 0;
1307
- }
1308
- /* Can only have two zeroes if at start or end */
1309
- else if (v6stat.zero_cnt == 2) {
1310
- if ((v6stat.zero_pos != 0)
1311
- && (v6stat.zero_pos != v6stat.total))
1312
- return 0;
1313
- } else
1314
- /* Can only have one zero if *not* start or end */
1315
- {
1316
- if ((v6stat.zero_pos == 0)
1317
- || (v6stat.zero_pos == v6stat.total))
1318
- return 0;
1319
- }
1232
+ // Can only have one zero if *not* start or end
1233
+ if (v6stat.zero_pos == 0 || v6stat.zero_pos == v6stat.total) {
1234
+ return 0;
1235
+ }
1320
1236
  }
1237
+ }
1238
+
1239
+ // Format the result.
1240
+ if (v6stat.zero_pos >= 0) {
1241
+ // Copy initial part
1242
+ OPENSSL_memcpy(v6, v6stat.tmp, v6stat.zero_pos);
1243
+ // Zero middle
1244
+ OPENSSL_memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
1245
+ // Copy final part
1246
+ if (v6stat.total != v6stat.zero_pos) {
1247
+ OPENSSL_memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
1248
+ v6stat.tmp + v6stat.zero_pos,
1249
+ v6stat.total - v6stat.zero_pos);
1250
+ }
1251
+ } else {
1252
+ OPENSSL_memcpy(v6, v6stat.tmp, 16);
1253
+ }
1321
1254
 
1322
- /* Format result */
1323
-
1324
- if (v6stat.zero_pos >= 0) {
1325
- /* Copy initial part */
1326
- OPENSSL_memcpy(v6, v6stat.tmp, v6stat.zero_pos);
1327
- /* Zero middle */
1328
- OPENSSL_memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
1329
- /* Copy final part */
1330
- if (v6stat.total != v6stat.zero_pos)
1331
- OPENSSL_memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
1332
- v6stat.tmp + v6stat.zero_pos,
1333
- v6stat.total - v6stat.zero_pos);
1334
- } else
1335
- OPENSSL_memcpy(v6, v6stat.tmp, 16);
1336
-
1337
- return 1;
1255
+ return 1;
1338
1256
  }
1339
1257
 
1340
- static int ipv6_cb(const char *elem, int len, void *usr)
1341
- {
1342
- IPV6_STAT *s = usr;
1343
- /* Error if 16 bytes written */
1344
- if (s->total == 16)
1258
+ static int ipv6_cb(const char *elem, size_t len, void *usr) {
1259
+ IPV6_STAT *s = usr;
1260
+ // Error if 16 bytes written
1261
+ if (s->total == 16) {
1262
+ return 0;
1263
+ }
1264
+ if (len == 0) {
1265
+ // Zero length element, corresponds to '::'
1266
+ if (s->zero_pos == -1) {
1267
+ s->zero_pos = s->total;
1268
+ } else if (s->zero_pos != s->total) {
1269
+ // If we've already got a :: its an error
1270
+ return 0;
1271
+ }
1272
+ if (s->zero_cnt >= 3) {
1273
+ // More than three zeros is an error.
1274
+ return 0;
1275
+ }
1276
+ s->zero_cnt++;
1277
+ } else {
1278
+ // If more than 4 characters could be final a.b.c.d form
1279
+ if (len > 4) {
1280
+ // Need at least 4 bytes left
1281
+ if (s->total > 12) {
1282
+ return 0;
1283
+ }
1284
+ // Must be end of string
1285
+ if (elem[len]) {
1286
+ return 0;
1287
+ }
1288
+ if (!ipv4_from_asc(s->tmp + s->total, elem)) {
1345
1289
  return 0;
1346
- if (len == 0) {
1347
- /* Zero length element, corresponds to '::' */
1348
- if (s->zero_pos == -1)
1349
- s->zero_pos = s->total;
1350
- /* If we've already got a :: its an error */
1351
- else if (s->zero_pos != s->total)
1352
- return 0;
1353
- s->zero_cnt++;
1290
+ }
1291
+ s->total += 4;
1354
1292
  } else {
1355
- /* If more than 4 characters could be final a.b.c.d form */
1356
- if (len > 4) {
1357
- /* Need at least 4 bytes left */
1358
- if (s->total > 12)
1359
- return 0;
1360
- /* Must be end of string */
1361
- if (elem[len])
1362
- return 0;
1363
- if (!ipv4_from_asc(s->tmp + s->total, elem))
1364
- return 0;
1365
- s->total += 4;
1366
- } else {
1367
- if (!ipv6_hex(s->tmp + s->total, elem, len))
1368
- return 0;
1369
- s->total += 2;
1370
- }
1293
+ if (!ipv6_hex(s->tmp + s->total, elem, len)) {
1294
+ return 0;
1295
+ }
1296
+ s->total += 2;
1371
1297
  }
1372
- return 1;
1298
+ }
1299
+ return 1;
1373
1300
  }
1374
1301
 
1375
- /*
1376
- * Convert a string of up to 4 hex digits into the corresponding IPv6 form.
1377
- */
1302
+ // Convert a string of up to 4 hex digits into the corresponding IPv6 form.
1378
1303
 
1379
- static int ipv6_hex(unsigned char *out, const char *in, int inlen)
1380
- {
1381
- unsigned char c;
1382
- unsigned int num = 0;
1383
- if (inlen > 4)
1384
- return 0;
1385
- while (inlen--) {
1386
- c = *in++;
1387
- num <<= 4;
1388
- if ((c >= '0') && (c <= '9'))
1389
- num |= c - '0';
1390
- else if ((c >= 'A') && (c <= 'F'))
1391
- num |= c - 'A' + 10;
1392
- else if ((c >= 'a') && (c <= 'f'))
1393
- num |= c - 'a' + 10;
1394
- else
1395
- return 0;
1304
+ static int ipv6_hex(unsigned char *out, const char *in, size_t inlen) {
1305
+ if (inlen > 4) {
1306
+ return 0;
1307
+ }
1308
+ uint16_t num = 0;
1309
+ while (inlen--) {
1310
+ uint8_t val;
1311
+ if (!OPENSSL_fromxdigit(&val, *in++)) {
1312
+ return 0;
1396
1313
  }
1397
- out[0] = num >> 8;
1398
- out[1] = num & 0xff;
1399
- return 1;
1314
+ num = (num << 4) | val;
1315
+ }
1316
+ out[0] = num >> 8;
1317
+ out[1] = num & 0xff;
1318
+ return 1;
1400
1319
  }
1401
1320
 
1402
- int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF (CONF_VALUE) * dn_sk,
1403
- unsigned long chtype)
1404
- {
1405
- CONF_VALUE *v;
1321
+ int X509V3_NAME_from_section(X509_NAME *nm, const STACK_OF(CONF_VALUE) *dn_sk,
1322
+ int chtype) {
1323
+ if (!nm) {
1324
+ return 0;
1325
+ }
1326
+
1327
+ for (size_t i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
1328
+ const CONF_VALUE *v = sk_CONF_VALUE_value(dn_sk, i);
1329
+ const char *type = v->name;
1330
+ // Skip past any leading X. X: X, etc to allow for multiple instances
1331
+ for (const char *p = type; *p; p++) {
1332
+ if ((*p == ':') || (*p == ',') || (*p == '.')) {
1333
+ p++;
1334
+ if (*p) {
1335
+ type = p;
1336
+ }
1337
+ break;
1338
+ }
1339
+ }
1406
1340
  int mval;
1407
- size_t i;
1408
- char *p, *type;
1409
- if (!nm)
1410
- return 0;
1411
-
1412
- for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
1413
- v = sk_CONF_VALUE_value(dn_sk, i);
1414
- type = v->name;
1415
- /*
1416
- * Skip past any leading X. X: X, etc to allow for multiple instances
1417
- */
1418
- for (p = type; *p; p++)
1419
- if ((*p == ':') || (*p == ',') || (*p == '.')) {
1420
- p++;
1421
- if (*p)
1422
- type = p;
1423
- break;
1424
- }
1425
- if (*type == '+') {
1426
- mval = -1;
1427
- type++;
1428
- } else
1429
- mval = 0;
1430
- if (!X509_NAME_add_entry_by_txt(nm, type, chtype,
1431
- (unsigned char *)v->value, -1, -1,
1432
- mval))
1433
- return 0;
1434
-
1341
+ if (*type == '+') {
1342
+ mval = -1;
1343
+ type++;
1344
+ } else {
1345
+ mval = 0;
1435
1346
  }
1436
- return 1;
1347
+ if (!X509_NAME_add_entry_by_txt(nm, type, chtype, (unsigned char *)v->value,
1348
+ -1, -1, mval)) {
1349
+ return 0;
1350
+ }
1351
+ }
1352
+ return 1;
1437
1353
  }