grpc 1.53.0 → 1.54.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +80 -66
- data/include/grpc/event_engine/event_engine.h +30 -14
- data/include/grpc/grpc_security.h +4 -0
- data/include/grpc/impl/grpc_types.h +11 -2
- data/include/grpc/support/port_platform.h +4 -4
- data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +11 -0
- data/src/core/ext/filters/client_channel/backend_metric.cc +6 -0
- data/src/core/ext/filters/client_channel/backup_poller.cc +2 -11
- data/src/core/ext/filters/client_channel/backup_poller.h +0 -3
- data/src/core/ext/filters/client_channel/client_channel.cc +848 -813
- data/src/core/ext/filters/client_channel/client_channel.h +131 -173
- data/src/core/ext/filters/client_channel/client_channel_internal.h +114 -0
- data/src/core/ext/filters/client_channel/config_selector.h +4 -3
- data/src/core/ext/filters/client_channel/http_proxy.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +6 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +17 -18
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +134 -151
- data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +1 -15
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +14 -10
- data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +68 -30
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +11 -3
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -1
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +2 -5
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +30 -38
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +20 -26
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +31 -179
- data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +1 -2
- data/src/core/ext/filters/client_channel/resolver/polling_resolver.h +1 -2
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +4 -2
- data/src/core/ext/filters/client_channel/retry_filter.cc +95 -102
- data/src/core/ext/filters/client_channel/subchannel.cc +2 -4
- data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +26 -27
- data/src/core/ext/filters/client_channel/subchannel_stream_client.h +8 -5
- data/src/core/ext/filters/http/client/http_client_filter.cc +3 -3
- data/src/core/ext/filters/http/http_filters_plugin.cc +1 -12
- data/src/core/ext/filters/http/message_compress/compression_filter.cc +27 -11
- data/src/core/ext/filters/message_size/message_size_filter.cc +141 -224
- data/src/core/ext/filters/message_size/message_size_filter.h +48 -3
- data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +7 -6
- data/src/core/ext/gcp/metadata_query.cc +142 -0
- data/src/core/ext/gcp/metadata_query.h +82 -0
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +70 -55
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +149 -60
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +5 -2
- data/src/core/ext/transport/chttp2/transport/flow_control.h +2 -1
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +4 -1
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +42 -23
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +5 -3
- data/src/core/ext/transport/chttp2/transport/internal.h +18 -3
- data/src/core/ext/transport/chttp2/transport/parsing.cc +9 -2
- data/src/core/ext/transport/chttp2/transport/writing.cc +10 -5
- data/src/core/ext/transport/inproc/inproc_transport.cc +20 -14
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +23 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +94 -3
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -2
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +6 -3
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +24 -6
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +111 -12
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +9 -7
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +27 -9
- data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +11 -7
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +56 -12
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.h +24 -0
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.h +24 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.c +13 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.h +49 -0
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +24 -9
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +66 -12
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +191 -187
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +139 -136
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +31 -15
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +15 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +54 -45
- data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c +135 -119
- data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +100 -97
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.c +15 -18
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +272 -264
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +117 -117
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.h +5 -0
- data/src/core/ext/xds/xds_channel_stack_modifier.cc +1 -2
- data/src/core/ext/xds/xds_client_stats.cc +29 -15
- data/src/core/ext/xds/xds_client_stats.h +24 -20
- data/src/core/ext/xds/xds_endpoint.cc +5 -2
- data/src/core/ext/xds/xds_endpoint.h +9 -1
- data/src/core/ext/xds/xds_http_rbac_filter.cc +1 -1
- data/src/core/ext/xds/xds_lb_policy_registry.cc +13 -0
- data/src/core/ext/xds/xds_transport_grpc.cc +1 -1
- data/src/core/{ext/filters/client_channel/resolver/dns/dns_resolver_selection.h → lib/backoff/random_early_detection.cc} +14 -12
- data/src/core/lib/backoff/random_early_detection.h +59 -0
- data/src/core/lib/channel/call_finalization.h +1 -1
- data/src/core/lib/channel/call_tracer.cc +51 -0
- data/src/core/lib/channel/call_tracer.h +101 -38
- data/src/core/lib/channel/connected_channel.cc +483 -1050
- data/src/core/lib/channel/context.h +8 -1
- data/src/core/lib/channel/promise_based_filter.cc +106 -42
- data/src/core/lib/channel/promise_based_filter.h +27 -13
- data/src/core/lib/channel/server_call_tracer_filter.cc +110 -0
- data/src/core/lib/config/config_vars.cc +151 -0
- data/src/core/lib/config/config_vars.h +127 -0
- data/src/core/lib/config/config_vars_non_generated.cc +51 -0
- data/src/core/lib/config/load_config.cc +66 -0
- data/src/core/lib/config/load_config.h +49 -0
- data/src/core/lib/debug/trace.cc +5 -6
- data/src/core/lib/debug/trace.h +0 -5
- data/src/core/lib/event_engine/event_engine.cc +37 -2
- data/src/core/lib/event_engine/handle_containers.h +7 -22
- data/src/core/lib/event_engine/memory_allocator_factory.h +47 -0
- data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +0 -4
- data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +3 -9
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +48 -15
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +8 -8
- data/src/core/lib/event_engine/posix_engine/posix_engine.cc +6 -5
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +6 -3
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +27 -18
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +0 -3
- data/src/core/lib/event_engine/resolved_address.cc +2 -1
- data/src/core/lib/event_engine/windows/win_socket.cc +0 -1
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +129 -82
- data/src/core/lib/event_engine/windows/windows_endpoint.h +21 -5
- data/src/core/lib/event_engine/windows/windows_engine.cc +39 -18
- data/src/core/lib/event_engine/windows/windows_engine.h +2 -1
- data/src/core/lib/event_engine/windows/windows_listener.cc +370 -0
- data/src/core/lib/event_engine/windows/windows_listener.h +155 -0
- data/src/core/lib/experiments/config.cc +3 -10
- data/src/core/lib/experiments/experiments.cc +7 -0
- data/src/core/lib/experiments/experiments.h +9 -1
- data/src/core/lib/gpr/log.cc +15 -28
- data/src/core/lib/gprpp/fork.cc +8 -14
- data/src/core/lib/gprpp/orphanable.h +4 -3
- data/src/core/lib/gprpp/per_cpu.h +9 -3
- data/src/core/lib/gprpp/{thd_posix.cc → posix/thd.cc} +49 -37
- data/src/core/lib/gprpp/ref_counted.h +33 -34
- data/src/core/lib/gprpp/thd.h +16 -0
- data/src/core/lib/gprpp/time.cc +1 -0
- data/src/core/lib/gprpp/time.h +4 -4
- data/src/core/lib/gprpp/{thd_windows.cc → windows/thd.cc} +2 -2
- data/src/core/lib/iomgr/call_combiner.h +2 -2
- data/src/core/lib/iomgr/endpoint_cfstream.cc +4 -2
- data/src/core/lib/iomgr/endpoint_pair.h +2 -2
- data/src/core/lib/iomgr/endpoint_pair_posix.cc +2 -2
- data/src/core/lib/iomgr/endpoint_pair_windows.cc +1 -1
- data/src/core/lib/iomgr/ev_posix.cc +13 -53
- data/src/core/lib/iomgr/ev_posix.h +0 -3
- data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +103 -76
- data/src/core/lib/iomgr/iomgr.cc +4 -8
- data/src/core/lib/iomgr/iomgr_windows.cc +8 -2
- data/src/core/lib/iomgr/pollset_set_windows.cc +9 -9
- data/src/core/lib/iomgr/pollset_windows.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -3
- data/src/core/lib/iomgr/tcp_client_windows.cc +2 -2
- data/src/core/lib/iomgr/tcp_posix.cc +0 -1
- data/src/core/lib/iomgr/tcp_server_posix.cc +5 -16
- data/src/core/lib/iomgr/tcp_server_windows.cc +176 -9
- data/src/core/lib/iomgr/tcp_windows.cc +12 -8
- data/src/core/lib/load_balancing/lb_policy.cc +9 -13
- data/src/core/lib/load_balancing/lb_policy.h +4 -2
- data/src/core/lib/promise/activity.cc +22 -6
- data/src/core/lib/promise/activity.h +61 -24
- data/src/core/lib/promise/cancel_callback.h +77 -0
- data/src/core/lib/promise/detail/basic_seq.h +1 -1
- data/src/core/lib/promise/detail/promise_factory.h +4 -0
- data/src/core/lib/promise/for_each.h +176 -0
- data/src/core/lib/promise/if.h +9 -0
- data/src/core/lib/promise/interceptor_list.h +23 -2
- data/src/core/lib/promise/latch.h +89 -3
- data/src/core/lib/promise/loop.h +13 -9
- data/src/core/lib/promise/map.h +7 -0
- data/src/core/lib/promise/party.cc +286 -0
- data/src/core/lib/promise/party.h +499 -0
- data/src/core/lib/promise/pipe.h +197 -57
- data/src/core/lib/promise/poll.h +48 -0
- data/src/core/lib/promise/promise.h +2 -2
- data/src/core/lib/resource_quota/arena.cc +19 -3
- data/src/core/lib/resource_quota/arena.h +119 -5
- data/src/core/lib/resource_quota/memory_quota.cc +1 -1
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +12 -35
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +1 -0
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +0 -59
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +10 -5
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +13 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +2 -0
- data/src/core/lib/security/security_connector/load_system_roots_supported.cc +5 -9
- data/src/core/lib/security/security_connector/ssl_utils.cc +11 -25
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +12 -0
- data/src/core/lib/security/transport/secure_endpoint.cc +4 -2
- data/src/core/lib/security/transport/server_auth_filter.cc +20 -2
- data/src/core/lib/slice/slice.cc +1 -1
- data/src/core/lib/surface/builtins.cc +2 -0
- data/src/core/lib/surface/call.cc +926 -1024
- data/src/core/lib/surface/call.h +10 -0
- data/src/core/lib/surface/lame_client.cc +1 -0
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/batch_builder.cc +179 -0
- data/src/core/lib/transport/batch_builder.h +468 -0
- data/src/core/lib/transport/bdp_estimator.cc +7 -7
- data/src/core/lib/transport/bdp_estimator.h +10 -6
- data/src/core/lib/transport/custom_metadata.h +30 -0
- data/src/core/lib/transport/metadata_batch.cc +9 -6
- data/src/core/lib/transport/metadata_batch.h +58 -16
- data/src/core/lib/transport/parsed_metadata.h +3 -3
- data/src/core/lib/transport/timeout_encoding.cc +6 -1
- data/src/core/lib/transport/transport.cc +30 -2
- data/src/core/lib/transport/transport.h +70 -14
- data/src/core/lib/transport/transport_impl.h +7 -0
- data/src/core/lib/transport/transport_op_string.cc +52 -42
- data/src/core/plugin_registry/grpc_plugin_registry.cc +2 -2
- data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +1 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +21 -4
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +5 -0
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
- data/src/core/tsi/ssl_transport_security.cc +4 -2
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/abseil-cpp/absl/base/config.h +1 -1
- data/third_party/abseil-cpp/absl/flags/commandlineflag.cc +34 -0
- data/third_party/abseil-cpp/absl/flags/commandlineflag.h +200 -0
- data/third_party/abseil-cpp/absl/flags/config.h +68 -0
- data/third_party/abseil-cpp/absl/flags/declare.h +73 -0
- data/third_party/abseil-cpp/absl/flags/flag.cc +38 -0
- data/third_party/abseil-cpp/absl/flags/flag.h +310 -0
- data/{src/core/lib/gprpp/global_config_custom.h → third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc} +11 -14
- data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.h +68 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag.cc +615 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag.h +800 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag_msvc.inc +116 -0
- data/third_party/abseil-cpp/absl/flags/internal/path_util.h +62 -0
- data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc +65 -0
- data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h +61 -0
- data/third_party/abseil-cpp/absl/flags/internal/program_name.cc +60 -0
- data/third_party/abseil-cpp/absl/flags/internal/program_name.h +50 -0
- data/third_party/abseil-cpp/absl/flags/internal/registry.h +97 -0
- data/third_party/abseil-cpp/absl/flags/internal/sequence_lock.h +187 -0
- data/third_party/abseil-cpp/absl/flags/marshalling.cc +241 -0
- data/third_party/abseil-cpp/absl/flags/marshalling.h +356 -0
- data/third_party/abseil-cpp/absl/flags/reflection.cc +354 -0
- data/third_party/abseil-cpp/absl/flags/reflection.h +90 -0
- data/third_party/abseil-cpp/absl/flags/usage_config.cc +165 -0
- data/third_party/abseil-cpp/absl/flags/usage_config.h +135 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +12 -8
- data/third_party/boringssl-with-bazel/err_data.c +728 -712
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +177 -177
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +28 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +21 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +20 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +66 -185
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +18 -21
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +356 -311
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +174 -194
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +146 -210
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +6 -9
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c +346 -526
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +110 -131
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +130 -116
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +93 -60
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +93 -181
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +242 -305
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +41 -18
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +30 -33
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +36 -33
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +29 -26
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +133 -88
- data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.c +230 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +791 -791
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +526 -526
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +114 -135
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +201 -207
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +21 -26
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +55 -68
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +11 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +15 -9
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +17 -10
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -3
- data/third_party/boringssl-with-bazel/src/crypto/bio/printf.c +0 -13
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +9 -5
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +10 -23
- data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +2 -6
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +29 -28
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +161 -201
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +254 -39
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +37 -75
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +8 -10
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/cipher → cipher_extra}/e_des.c +100 -78
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc2.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +6 -12
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -11
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +6 -10
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf_def.h +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +12 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.c +74 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_freebsd.c +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-fuchsia.c → cpu_aarch64_fuchsia.c} +8 -7
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-linux.c → cpu_aarch64_linux.c} +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-win.c → cpu_aarch64_win.c} +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm.c → cpu_arm.c} +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.c +55 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.c → cpu_arm_linux.c} +11 -90
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.h → cpu_arm_linux.h} +0 -38
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-intel.c → cpu_intel.c} +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +25 -20
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +16 -27
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +17 -32
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/des.c +232 -232
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/dh_extra/params.c +232 -29
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +0 -3
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +39 -16
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +37 -7
- data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +11 -36
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +214 -99
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +21 -5
- data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/err/err.c +83 -60
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +46 -12
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +25 -23
- data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +43 -9
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +75 -44
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +19 -25
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +96 -45
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +7 -8
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +26 -23
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.c +233 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +42 -25
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +35 -47
- data/third_party/boringssl-with-bazel/src/crypto/evp/print.c +135 -244
- data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/evp/sign.c +15 -10
- data/third_party/boringssl-with-bazel/src/crypto/ex_data.c +29 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +13 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +3 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +13 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +9 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +35 -27
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +16 -26
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c +88 -60
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +99 -113
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +5 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c +112 -168
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +86 -31
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +11 -6
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +13 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +13 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +19 -108
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +19 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +15 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +22 -21
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +79 -19
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +102 -99
- data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c +52 -46
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +39 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c +55 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +21 -6
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +56 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +5 -3
- data/third_party/boringssl-with-bazel/src/crypto/{evp → fipsmodule/digestsign}/digestsign.c +51 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +25 -25
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +91 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +34 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +54 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +44 -60
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64-table.h → p256-nistz-table.h} +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.c → p256-nistz.c} +60 -53
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.h → p256-nistz.h} +5 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +48 -36
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +2 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +2 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +42 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +6 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.c +52 -24
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +9 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +71 -43
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +14 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +31 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +16 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +9 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +73 -59
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -45
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +22 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +63 -52
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +107 -62
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +58 -31
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +523 -422
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +89 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c +334 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +3 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +12 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +14 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +19 -6
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +32 -14
- data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +65 -29
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +373 -18
- data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +61 -0
- data/third_party/boringssl-with-bazel/src/crypto/kyber/keccak.c +205 -0
- data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +13 -1
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +220 -13
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +19 -7
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +13 -1
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +81 -90
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +150 -245
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +629 -613
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +17 -17
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +142 -149
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +99 -131
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +0 -3
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -66
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +31 -38
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +18 -31
- data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +8 -1
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +129 -5
- data/third_party/boringssl-with-bazel/src/crypto/refcount_c11.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +8 -11
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +61 -27
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +66 -34
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +190 -77
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +81 -284
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +109 -42
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c +22 -24
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +54 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +32 -34
- data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +32 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +465 -704
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +284 -331
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +183 -178
- data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c +11 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +67 -50
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +153 -150
- data/third_party/boringssl-with-bazel/src/crypto/x509/policy.c +786 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +95 -102
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +72 -57
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +12 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +227 -252
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +52 -47
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +230 -224
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +161 -327
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.c +37 -33
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +14 -31
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +55 -85
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +534 -618
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +129 -122
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +116 -182
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +132 -132
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +181 -202
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +64 -79
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +175 -160
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +1865 -2050
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +433 -462
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +156 -163
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +267 -263
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +40 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +59 -63
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +63 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +114 -144
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +25 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +326 -415
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +8 -7
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_info.c +30 -28
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +354 -370
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +37 -32
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +116 -119
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +36 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +419 -261
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +113 -105
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +11 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +78 -170
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +126 -131
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akeya.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +465 -469
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bcons.c +56 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +46 -49
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +309 -346
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +341 -365
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +429 -393
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +29 -24
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_extku.c +65 -59
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +125 -121
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +43 -42
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +122 -125
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_int.c +50 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +247 -253
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +386 -389
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +45 -32
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c +57 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c +63 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +143 -136
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +664 -707
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +83 -75
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1062 -1146
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +8 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +28 -48
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +211 -187
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +26 -78
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +19 -14
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +21 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +49 -17
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +99 -29
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +49 -60
- data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +2 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +16 -200
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +34 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +82 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +32 -30
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +7 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +48 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +37 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +33 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +22 -30
- data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +7 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +41 -16
- data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +91 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +74 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +13 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +11 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +8 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +12 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +7 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +96 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +13 -21
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +139 -75
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +1 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +384 -286
- data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +5 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/time.h +41 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +18 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +49 -23
- data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +0 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1592 -1074
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +202 -205
- data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -13
- data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +17 -18
- data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +4 -5
- data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +25 -33
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +34 -20
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +65 -34
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +198 -54
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +5 -5
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +32 -28
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +76 -44
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +130 -98
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +27 -11
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +91 -75
- data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +8 -10
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +39 -65
- data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +1 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +5 -9
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +30 -33
- data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +77 -100
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +120 -107
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +164 -30
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +150 -60
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +22 -11
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +22 -6
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +15 -13
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +5 -43
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +7 -4
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +22 -34
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +16 -98
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +1241 -657
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +751 -398
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3551 -1938
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1272 -487
- metadata +105 -70
- data/src/core/ext/filters/client_channel/lb_call_state_internal.h +0 -39
- data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.cc +0 -30
- data/src/core/lib/gprpp/global_config.h +0 -93
- data/src/core/lib/gprpp/global_config_env.cc +0 -140
- data/src/core/lib/gprpp/global_config_env.h +0 -133
- data/src/core/lib/gprpp/global_config_generic.h +0 -40
- data/src/core/lib/promise/intra_activity_waiter.h +0 -55
- data/src/core/lib/security/security_connector/ssl_utils_config.cc +0 -32
- data/src/core/lib/security/security_connector/ssl_utils_config.h +0 -29
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +0 -195
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +0 -83
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +0 -236
- data/third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h +0 -15
- data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +0 -206
- data/third_party/boringssl-with-bazel/src/crypto/cpu-ppc64le.c +0 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1-altivec.c +0 -361
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +0 -287
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +0 -132
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_lib.c +0 -155
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +0 -131
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +0 -189
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +0 -843
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +0 -289
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c +0 -57
- /data/src/core/lib/gpr/{log_android.cc → android/log.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_iphone.cc → iphone/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_linux.cc → linux/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_linux.cc → linux/log.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_msys.cc → msys/tmpfile.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_posix.cc → posix/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_posix.cc → posix/log.cc} +0 -0
- /data/src/core/lib/gpr/{string_posix.cc → posix/string.cc} +0 -0
- /data/src/core/lib/gpr/{sync_posix.cc → posix/sync.cc} +0 -0
- /data/src/core/lib/gpr/{time_posix.cc → posix/time.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_posix.cc → posix/tmpfile.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_windows.cc → windows/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_windows.cc → windows/log.cc} +0 -0
- /data/src/core/lib/gpr/{string_windows.cc → windows/string.cc} +0 -0
- /data/src/core/lib/gpr/{string_util_windows.cc → windows/string_util.cc} +0 -0
- /data/src/core/lib/gpr/{sync_windows.cc → windows/sync.cc} +0 -0
- /data/src/core/lib/gpr/{time_windows.cc → windows/time.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_windows.cc → windows/tmpfile.cc} +0 -0
- /data/src/core/lib/gprpp/{env_linux.cc → linux/env.cc} +0 -0
- /data/src/core/lib/gprpp/{env_posix.cc → posix/env.cc} +0 -0
- /data/src/core/lib/gprpp/{stat_posix.cc → posix/stat.cc} +0 -0
- /data/src/core/lib/gprpp/{env_windows.cc → windows/env.cc} +0 -0
- /data/src/core/lib/gprpp/{stat_windows.cc → windows/stat.cc} +0 -0
@@ -0,0 +1,89 @@
|
|
1
|
+
/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
|
2
|
+
*
|
3
|
+
* Permission to use, copy, modify, and/or distribute this software for any
|
4
|
+
* purpose with or without fee is hereby granted, provided that the above
|
5
|
+
* copyright notice and this permission notice appear in all copies.
|
6
|
+
*
|
7
|
+
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
8
|
+
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
9
|
+
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
10
|
+
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
11
|
+
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
12
|
+
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
13
|
+
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
14
|
+
|
15
|
+
#ifndef OPENSSL_HEADER_SERVICE_INDICATOR_INTERNAL_H
|
16
|
+
#define OPENSSL_HEADER_SERVICE_INDICATOR_INTERNAL_H
|
17
|
+
|
18
|
+
#include <openssl/base.h>
|
19
|
+
#include <openssl/service_indicator.h>
|
20
|
+
|
21
|
+
#if defined(BORINGSSL_FIPS)
|
22
|
+
|
23
|
+
// FIPS_service_indicator_update_state records that an approved service has been
|
24
|
+
// invoked.
|
25
|
+
void FIPS_service_indicator_update_state(void);
|
26
|
+
|
27
|
+
// FIPS_service_indicator_lock_state and |FIPS_service_indicator_unlock_state|
|
28
|
+
// stop |FIPS_service_indicator_update_state| from actually updating the service
|
29
|
+
// indicator. This is used when a primitive calls a potentially approved
|
30
|
+
// primitive to avoid false positives. For example, just because a key
|
31
|
+
// generation calls |RAND_bytes| (and thus the approved DRBG) doesn't mean that
|
32
|
+
// the key generation operation itself is approved.
|
33
|
+
//
|
34
|
+
// This lock nests: i.e. locking twice is fine so long as each lock is paired
|
35
|
+
// with an unlock. If the (64-bit) counter overflows, the process aborts.
|
36
|
+
void FIPS_service_indicator_lock_state(void);
|
37
|
+
void FIPS_service_indicator_unlock_state(void);
|
38
|
+
|
39
|
+
// The following functions may call |FIPS_service_indicator_update_state| if
|
40
|
+
// their parameter specifies an approved operation.
|
41
|
+
|
42
|
+
void AEAD_GCM_verify_service_indicator(const EVP_AEAD_CTX *ctx);
|
43
|
+
void AEAD_CCM_verify_service_indicator(const EVP_AEAD_CTX *ctx);
|
44
|
+
void EC_KEY_keygen_verify_service_indicator(const EC_KEY *eckey);
|
45
|
+
void ECDH_verify_service_indicator(const EC_KEY *ec_key);
|
46
|
+
void EVP_Cipher_verify_service_indicator(const EVP_CIPHER_CTX *ctx);
|
47
|
+
void EVP_DigestSign_verify_service_indicator(const EVP_MD_CTX *ctx);
|
48
|
+
void EVP_DigestVerify_verify_service_indicator(const EVP_MD_CTX *ctx);
|
49
|
+
void HMAC_verify_service_indicator(const EVP_MD *evp_md);
|
50
|
+
void TLSKDF_verify_service_indicator(const EVP_MD *dgst);
|
51
|
+
|
52
|
+
#else
|
53
|
+
|
54
|
+
// Service indicator functions are no-ops in non-FIPS builds.
|
55
|
+
|
56
|
+
OPENSSL_INLINE void FIPS_service_indicator_update_state(void) {}
|
57
|
+
OPENSSL_INLINE void FIPS_service_indicator_lock_state(void) {}
|
58
|
+
OPENSSL_INLINE void FIPS_service_indicator_unlock_state(void) {}
|
59
|
+
|
60
|
+
OPENSSL_INLINE void AEAD_GCM_verify_service_indicator(
|
61
|
+
OPENSSL_UNUSED const EVP_AEAD_CTX *ctx) {}
|
62
|
+
|
63
|
+
OPENSSL_INLINE void AEAD_CCM_verify_service_indicator(
|
64
|
+
OPENSSL_UNUSED const EVP_AEAD_CTX *ctx) {}
|
65
|
+
|
66
|
+
OPENSSL_INLINE void EC_KEY_keygen_verify_service_indicator(
|
67
|
+
OPENSSL_UNUSED const EC_KEY *eckey) {}
|
68
|
+
|
69
|
+
OPENSSL_INLINE void ECDH_verify_service_indicator(
|
70
|
+
OPENSSL_UNUSED const EC_KEY *ec_key) {}
|
71
|
+
|
72
|
+
OPENSSL_INLINE void EVP_Cipher_verify_service_indicator(
|
73
|
+
OPENSSL_UNUSED const EVP_CIPHER_CTX *ctx) {}
|
74
|
+
|
75
|
+
OPENSSL_INLINE void EVP_DigestSign_verify_service_indicator(
|
76
|
+
OPENSSL_UNUSED const EVP_MD_CTX *ctx) {}
|
77
|
+
|
78
|
+
OPENSSL_INLINE void EVP_DigestVerify_verify_service_indicator(
|
79
|
+
OPENSSL_UNUSED const EVP_MD_CTX *ctx) {}
|
80
|
+
|
81
|
+
OPENSSL_INLINE void HMAC_verify_service_indicator(
|
82
|
+
OPENSSL_UNUSED const EVP_MD *evp_md) {}
|
83
|
+
|
84
|
+
OPENSSL_INLINE void TLSKDF_verify_service_indicator(
|
85
|
+
OPENSSL_UNUSED const EVP_MD *dgst) {}
|
86
|
+
|
87
|
+
#endif // BORINGSSL_FIPS
|
88
|
+
|
89
|
+
#endif // OPENSSL_HEADER_SERVICE_INDICATOR_INTERNAL_H
|
data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c
ADDED
@@ -0,0 +1,334 @@
|
|
1
|
+
/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
|
2
|
+
*
|
3
|
+
* Permission to use, copy, modify, and/or distribute this software for any
|
4
|
+
* purpose with or without fee is hereby granted, provided that the above
|
5
|
+
* copyright notice and this permission notice appear in all copies.
|
6
|
+
*
|
7
|
+
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
8
|
+
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
9
|
+
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
10
|
+
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
11
|
+
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
12
|
+
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
13
|
+
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
14
|
+
|
15
|
+
#include <openssl/crypto.h>
|
16
|
+
#include <openssl/ec.h>
|
17
|
+
#include <openssl/ec_key.h>
|
18
|
+
#include <openssl/err.h>
|
19
|
+
#include <openssl/evp.h>
|
20
|
+
#include <openssl/service_indicator.h>
|
21
|
+
|
22
|
+
#include "../../evp/internal.h"
|
23
|
+
#include "../../internal.h"
|
24
|
+
#include "internal.h"
|
25
|
+
|
26
|
+
#if defined(BORINGSSL_FIPS)
|
27
|
+
|
28
|
+
#define STATE_UNLOCKED 0
|
29
|
+
|
30
|
+
// fips_service_indicator_state is a thread-local structure that stores the
|
31
|
+
// state of the FIPS service indicator.
|
32
|
+
struct fips_service_indicator_state {
|
33
|
+
// lock_state records the number of times the indicator has been locked.
|
34
|
+
// When it is zero (i.e. |STATE_UNLOCKED|) then the indicator can be updated.
|
35
|
+
uint64_t lock_state;
|
36
|
+
// counter is the indicator state. It is incremented when an approved service
|
37
|
+
// completes.
|
38
|
+
uint64_t counter;
|
39
|
+
};
|
40
|
+
|
41
|
+
// service_indicator_get returns a pointer to the |fips_service_indicator_state|
|
42
|
+
// for the current thread. It returns NULL on error.
|
43
|
+
//
|
44
|
+
// FIPS 140-3 requires that the module should provide the service indicator
|
45
|
+
// for approved services irrespective of whether the user queries it or not.
|
46
|
+
// Hence, it is lazily initialized in any call to an approved service.
|
47
|
+
static struct fips_service_indicator_state *service_indicator_get(void) {
|
48
|
+
struct fips_service_indicator_state *indicator = CRYPTO_get_thread_local(
|
49
|
+
OPENSSL_THREAD_LOCAL_FIPS_SERVICE_INDICATOR_STATE);
|
50
|
+
|
51
|
+
if (indicator == NULL) {
|
52
|
+
indicator = OPENSSL_malloc(sizeof(struct fips_service_indicator_state));
|
53
|
+
if (indicator == NULL) {
|
54
|
+
return NULL;
|
55
|
+
}
|
56
|
+
|
57
|
+
indicator->lock_state = STATE_UNLOCKED;
|
58
|
+
indicator->counter = 0;
|
59
|
+
|
60
|
+
if (!CRYPTO_set_thread_local(
|
61
|
+
OPENSSL_THREAD_LOCAL_FIPS_SERVICE_INDICATOR_STATE, indicator,
|
62
|
+
OPENSSL_free)) {
|
63
|
+
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);
|
64
|
+
return NULL;
|
65
|
+
}
|
66
|
+
}
|
67
|
+
|
68
|
+
return indicator;
|
69
|
+
}
|
70
|
+
|
71
|
+
static uint64_t service_indicator_get_counter(void) {
|
72
|
+
struct fips_service_indicator_state *indicator = service_indicator_get();
|
73
|
+
if (indicator == NULL) {
|
74
|
+
return 0;
|
75
|
+
}
|
76
|
+
return indicator->counter;
|
77
|
+
}
|
78
|
+
|
79
|
+
uint64_t FIPS_service_indicator_before_call(void) {
|
80
|
+
return service_indicator_get_counter();
|
81
|
+
}
|
82
|
+
|
83
|
+
uint64_t FIPS_service_indicator_after_call(void) {
|
84
|
+
return service_indicator_get_counter();
|
85
|
+
}
|
86
|
+
|
87
|
+
void FIPS_service_indicator_update_state(void) {
|
88
|
+
struct fips_service_indicator_state *indicator = service_indicator_get();
|
89
|
+
if (indicator && indicator->lock_state == STATE_UNLOCKED) {
|
90
|
+
indicator->counter++;
|
91
|
+
}
|
92
|
+
}
|
93
|
+
|
94
|
+
void FIPS_service_indicator_lock_state(void) {
|
95
|
+
struct fips_service_indicator_state *indicator = service_indicator_get();
|
96
|
+
if (indicator == NULL) {
|
97
|
+
return;
|
98
|
+
}
|
99
|
+
|
100
|
+
// |FIPS_service_indicator_lock_state| and
|
101
|
+
// |FIPS_service_indicator_unlock_state| should not under/overflow in normal
|
102
|
+
// operation. They are still checked and errors added to facilitate testing in
|
103
|
+
// service_indicator_test.cc. This should only happen if lock/unlock are
|
104
|
+
// called in an incorrect order or multiple times in the same function.
|
105
|
+
const uint64_t new_state = indicator->lock_state + 1;
|
106
|
+
if (new_state < indicator->lock_state) {
|
107
|
+
// Overflow. This would imply that our call stack length has exceeded a
|
108
|
+
// |uint64_t| which impossible on a 64-bit system.
|
109
|
+
abort();
|
110
|
+
}
|
111
|
+
|
112
|
+
indicator->lock_state = new_state;
|
113
|
+
}
|
114
|
+
|
115
|
+
void FIPS_service_indicator_unlock_state(void) {
|
116
|
+
struct fips_service_indicator_state *indicator = service_indicator_get();
|
117
|
+
if (indicator == NULL) {
|
118
|
+
return;
|
119
|
+
}
|
120
|
+
|
121
|
+
if (indicator->lock_state == 0) {
|
122
|
+
abort();
|
123
|
+
}
|
124
|
+
|
125
|
+
indicator->lock_state--;
|
126
|
+
}
|
127
|
+
|
128
|
+
void AEAD_GCM_verify_service_indicator(const EVP_AEAD_CTX *ctx) {
|
129
|
+
const size_t key_len = EVP_AEAD_key_length(ctx->aead);
|
130
|
+
if (key_len == 16 || key_len == 32) {
|
131
|
+
FIPS_service_indicator_update_state();
|
132
|
+
}
|
133
|
+
}
|
134
|
+
|
135
|
+
void AEAD_CCM_verify_service_indicator(const EVP_AEAD_CTX *ctx) {
|
136
|
+
if (EVP_AEAD_key_length(ctx->aead) == 16 && ctx->tag_len == 4) {
|
137
|
+
FIPS_service_indicator_update_state();
|
138
|
+
}
|
139
|
+
}
|
140
|
+
|
141
|
+
// is_ec_fips_approved returns one if the curve corresponding to the given NID
|
142
|
+
// is FIPS approved, and zero otherwise.
|
143
|
+
static int is_ec_fips_approved(int curve_nid) {
|
144
|
+
switch (curve_nid) {
|
145
|
+
case NID_secp224r1:
|
146
|
+
case NID_X9_62_prime256v1:
|
147
|
+
case NID_secp384r1:
|
148
|
+
case NID_secp521r1:
|
149
|
+
return 1;
|
150
|
+
default:
|
151
|
+
return 0;
|
152
|
+
}
|
153
|
+
}
|
154
|
+
|
155
|
+
// is_md_fips_approved_for_signing returns one if the given message digest type
|
156
|
+
// is FIPS approved for signing, and zero otherwise.
|
157
|
+
static int is_md_fips_approved_for_signing(int md_type) {
|
158
|
+
switch (md_type) {
|
159
|
+
case NID_sha224:
|
160
|
+
case NID_sha256:
|
161
|
+
case NID_sha384:
|
162
|
+
case NID_sha512:
|
163
|
+
case NID_sha512_256:
|
164
|
+
return 1;
|
165
|
+
default:
|
166
|
+
return 0;
|
167
|
+
}
|
168
|
+
}
|
169
|
+
|
170
|
+
// is_md_fips_approved_for_verifying returns one if the given message digest
|
171
|
+
// type is FIPS approved for verifying, and zero otherwise.
|
172
|
+
static int is_md_fips_approved_for_verifying(int md_type) {
|
173
|
+
switch (md_type) {
|
174
|
+
case NID_sha1:
|
175
|
+
case NID_sha224:
|
176
|
+
case NID_sha256:
|
177
|
+
case NID_sha384:
|
178
|
+
case NID_sha512:
|
179
|
+
case NID_sha512_256:
|
180
|
+
return 1;
|
181
|
+
default:
|
182
|
+
return 0;
|
183
|
+
}
|
184
|
+
}
|
185
|
+
|
186
|
+
static void evp_md_ctx_verify_service_indicator(const EVP_MD_CTX *ctx,
|
187
|
+
int rsa_1024_ok,
|
188
|
+
int (*md_ok)(int md_type)) {
|
189
|
+
if (EVP_MD_CTX_md(ctx) == NULL) {
|
190
|
+
// Signature schemes without a prehash are currently never FIPS approved.
|
191
|
+
goto err;
|
192
|
+
}
|
193
|
+
|
194
|
+
EVP_PKEY_CTX *const pctx = ctx->pctx;
|
195
|
+
const EVP_PKEY *const pkey = EVP_PKEY_CTX_get0_pkey(pctx);
|
196
|
+
const int pkey_type = EVP_PKEY_id(pkey);
|
197
|
+
const int md_type = EVP_MD_CTX_type(ctx);
|
198
|
+
|
199
|
+
// EVP_PKEY_RSA_PSS SPKIs aren't supported.
|
200
|
+
if (pkey_type == EVP_PKEY_RSA) {
|
201
|
+
// Message digest used in the private key should be of the same type
|
202
|
+
// as the given one, so we extract the MD type from the |EVP_PKEY|
|
203
|
+
// and compare it with the type in |ctx|.
|
204
|
+
const EVP_MD *pctx_md;
|
205
|
+
if (!EVP_PKEY_CTX_get_signature_md(pctx, &pctx_md)) {
|
206
|
+
goto err;
|
207
|
+
}
|
208
|
+
if (EVP_MD_type(pctx_md) != md_type) {
|
209
|
+
goto err;
|
210
|
+
}
|
211
|
+
|
212
|
+
int padding;
|
213
|
+
if (!EVP_PKEY_CTX_get_rsa_padding(pctx, &padding)) {
|
214
|
+
goto err;
|
215
|
+
}
|
216
|
+
if (padding == RSA_PKCS1_PSS_PADDING) {
|
217
|
+
int salt_len;
|
218
|
+
const EVP_MD *mgf1_md;
|
219
|
+
if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pctx, &salt_len) ||
|
220
|
+
!EVP_PKEY_CTX_get_rsa_mgf1_md(pctx, &mgf1_md) ||
|
221
|
+
(salt_len != -1 && salt_len != (int)EVP_MD_size(pctx_md)) ||
|
222
|
+
EVP_MD_type(mgf1_md) != md_type) {
|
223
|
+
// Only PSS where saltLen == hashLen is tested with ACVP. Cases with
|
224
|
+
// non-standard padding functions are also excluded.
|
225
|
+
goto err;
|
226
|
+
}
|
227
|
+
}
|
228
|
+
|
229
|
+
// The approved RSA key sizes for signing are 2048, 3072 and 4096 bits.
|
230
|
+
// Note: |EVP_PKEY_size| returns the size in bytes.
|
231
|
+
size_t pkey_size = EVP_PKEY_size(ctx->pctx->pkey);
|
232
|
+
|
233
|
+
// Check if the MD type and the RSA key size are approved.
|
234
|
+
if (md_ok(md_type) &&
|
235
|
+
((rsa_1024_ok && pkey_size == 128) || pkey_size == 256 ||
|
236
|
+
pkey_size == 384 || pkey_size == 512)) {
|
237
|
+
FIPS_service_indicator_update_state();
|
238
|
+
}
|
239
|
+
} else if (pkey_type == EVP_PKEY_EC) {
|
240
|
+
// Check if the MD type and the elliptic curve are approved.
|
241
|
+
if (md_ok(md_type) &&
|
242
|
+
is_ec_fips_approved(EC_GROUP_get_curve_name(
|
243
|
+
EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(ctx->pctx->pkey))))) {
|
244
|
+
FIPS_service_indicator_update_state();
|
245
|
+
}
|
246
|
+
}
|
247
|
+
|
248
|
+
err:
|
249
|
+
// Ensure that junk errors aren't left on the queue.
|
250
|
+
ERR_clear_error();
|
251
|
+
}
|
252
|
+
|
253
|
+
void EC_KEY_keygen_verify_service_indicator(const EC_KEY *eckey) {
|
254
|
+
if (is_ec_fips_approved(EC_GROUP_get_curve_name(eckey->group))) {
|
255
|
+
FIPS_service_indicator_update_state();
|
256
|
+
}
|
257
|
+
}
|
258
|
+
|
259
|
+
void ECDH_verify_service_indicator(const EC_KEY *ec_key) {
|
260
|
+
if (is_ec_fips_approved(EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)))) {
|
261
|
+
FIPS_service_indicator_update_state();
|
262
|
+
}
|
263
|
+
}
|
264
|
+
|
265
|
+
void EVP_Cipher_verify_service_indicator(const EVP_CIPHER_CTX *ctx) {
|
266
|
+
switch (EVP_CIPHER_CTX_nid(ctx)) {
|
267
|
+
case NID_aes_128_ecb:
|
268
|
+
case NID_aes_192_ecb:
|
269
|
+
case NID_aes_256_ecb:
|
270
|
+
|
271
|
+
case NID_aes_128_cbc:
|
272
|
+
case NID_aes_192_cbc:
|
273
|
+
case NID_aes_256_cbc:
|
274
|
+
|
275
|
+
case NID_aes_128_ctr:
|
276
|
+
case NID_aes_192_ctr:
|
277
|
+
case NID_aes_256_ctr:
|
278
|
+
FIPS_service_indicator_update_state();
|
279
|
+
}
|
280
|
+
}
|
281
|
+
|
282
|
+
void EVP_DigestVerify_verify_service_indicator(const EVP_MD_CTX *ctx) {
|
283
|
+
return evp_md_ctx_verify_service_indicator(ctx, /*rsa_1024_ok=*/1,
|
284
|
+
is_md_fips_approved_for_verifying);
|
285
|
+
}
|
286
|
+
|
287
|
+
void EVP_DigestSign_verify_service_indicator(const EVP_MD_CTX *ctx) {
|
288
|
+
return evp_md_ctx_verify_service_indicator(ctx, /*rsa_1024_ok=*/0,
|
289
|
+
is_md_fips_approved_for_signing);
|
290
|
+
}
|
291
|
+
|
292
|
+
void HMAC_verify_service_indicator(const EVP_MD *evp_md) {
|
293
|
+
switch (evp_md->type) {
|
294
|
+
case NID_sha1:
|
295
|
+
case NID_sha224:
|
296
|
+
case NID_sha256:
|
297
|
+
case NID_sha384:
|
298
|
+
case NID_sha512:
|
299
|
+
case NID_sha512_256:
|
300
|
+
FIPS_service_indicator_update_state();
|
301
|
+
break;
|
302
|
+
}
|
303
|
+
}
|
304
|
+
|
305
|
+
void TLSKDF_verify_service_indicator(const EVP_MD *md) {
|
306
|
+
// HMAC-MD5, HMAC-SHA1, and HMAC-MD5/HMAC-SHA1 (both used concurrently) are
|
307
|
+
// approved for use in the KDF in TLS 1.0/1.1.
|
308
|
+
// HMAC-SHA{256, 384, 512} are approved for use in the KDF in TLS 1.2.
|
309
|
+
// These Key Derivation functions are to be used in the context of the TLS
|
310
|
+
// protocol.
|
311
|
+
switch (EVP_MD_type(md)) {
|
312
|
+
case NID_md5:
|
313
|
+
case NID_sha1:
|
314
|
+
case NID_md5_sha1:
|
315
|
+
case NID_sha256:
|
316
|
+
case NID_sha384:
|
317
|
+
case NID_sha512:
|
318
|
+
FIPS_service_indicator_update_state();
|
319
|
+
break;
|
320
|
+
}
|
321
|
+
}
|
322
|
+
|
323
|
+
#else
|
324
|
+
|
325
|
+
uint64_t FIPS_service_indicator_before_call(void) { return 0; }
|
326
|
+
|
327
|
+
uint64_t FIPS_service_indicator_after_call(void) {
|
328
|
+
// One is returned so that the return value is always greater than zero, the
|
329
|
+
// return value of |FIPS_service_indicator_before_call|. This makes everything
|
330
|
+
// report as "approved" in non-FIPS builds.
|
331
|
+
return 1;
|
332
|
+
}
|
333
|
+
|
334
|
+
#endif // BORINGSSL_FIPS
|
@@ -22,23 +22,14 @@ extern "C" {
|
|
22
22
|
#endif
|
23
23
|
|
24
24
|
|
25
|
-
#if defined(OPENSSL_PPC64LE) || \
|
26
|
-
(!defined(OPENSSL_NO_ASM) && \
|
27
|
-
(defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
|
28
|
-
defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)))
|
29
|
-
// POWER has an intrinsics-based implementation of SHA-1 and thus the functions
|
30
|
-
// normally defined in assembly are available even with |OPENSSL_NO_ASM| in
|
31
|
-
// this case.
|
32
|
-
#define SHA1_ASM
|
33
|
-
void sha1_block_data_order(uint32_t *state, const uint8_t *in,
|
34
|
-
size_t num_blocks);
|
35
|
-
#endif
|
36
|
-
|
37
25
|
#if !defined(OPENSSL_NO_ASM) && \
|
38
26
|
(defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
|
39
27
|
defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
|
28
|
+
#define SHA1_ASM
|
40
29
|
#define SHA256_ASM
|
41
30
|
#define SHA512_ASM
|
31
|
+
void sha1_block_data_order(uint32_t *state, const uint8_t *in,
|
32
|
+
size_t num_blocks);
|
42
33
|
void sha256_block_data_order(uint32_t *state, const uint8_t *in,
|
43
34
|
size_t num_blocks);
|
44
35
|
void sha512_block_data_order(uint64_t *state, const uint8_t *in,
|
@@ -62,6 +62,7 @@
|
|
62
62
|
|
63
63
|
#include "../../internal.h"
|
64
64
|
#include "../digest/md32_common.h"
|
65
|
+
#include "../service_indicator/internal.h"
|
65
66
|
#include "internal.h"
|
66
67
|
|
67
68
|
|
@@ -108,6 +109,7 @@ int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) {
|
|
108
109
|
CRYPTO_store_u32_be(out + 8, c->h[2]);
|
109
110
|
CRYPTO_store_u32_be(out + 12, c->h[3]);
|
110
111
|
CRYPTO_store_u32_be(out + 16, c->h[4]);
|
112
|
+
FIPS_service_indicator_update_state();
|
111
113
|
return 1;
|
112
114
|
}
|
113
115
|
|
@@ -62,6 +62,7 @@
|
|
62
62
|
|
63
63
|
#include "../../internal.h"
|
64
64
|
#include "../digest/md32_common.h"
|
65
|
+
#include "../service_indicator/internal.h"
|
65
66
|
#include "internal.h"
|
66
67
|
|
67
68
|
|
@@ -132,7 +133,7 @@ int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) {
|
|
132
133
|
return SHA256_Update(ctx, data, len);
|
133
134
|
}
|
134
135
|
|
135
|
-
static int sha256_final_impl(uint8_t *out, SHA256_CTX *c) {
|
136
|
+
static int sha256_final_impl(uint8_t *out, size_t md_len, SHA256_CTX *c) {
|
136
137
|
crypto_md32_final(&sha256_block_data_order, c->h, c->data, SHA256_CBLOCK,
|
137
138
|
&c->num, c->Nh, c->Nl, /*is_big_endian=*/1);
|
138
139
|
|
@@ -140,16 +141,18 @@ static int sha256_final_impl(uint8_t *out, SHA256_CTX *c) {
|
|
140
141
|
// 'final' function can fail. SHA-512 does not have a corresponding check.
|
141
142
|
// These functions already misbehave if the caller arbitrarily mutates |c|, so
|
142
143
|
// can we assume one of |SHA256_Init| or |SHA224_Init| was used?
|
143
|
-
if (
|
144
|
+
if (md_len > SHA256_DIGEST_LENGTH) {
|
144
145
|
return 0;
|
145
146
|
}
|
146
147
|
|
147
|
-
assert(
|
148
|
-
const size_t out_words =
|
148
|
+
assert(md_len % 4 == 0);
|
149
|
+
const size_t out_words = md_len / 4;
|
149
150
|
for (size_t i = 0; i < out_words; i++) {
|
150
151
|
CRYPTO_store_u32_be(out, c->h[i]);
|
151
152
|
out += 4;
|
152
153
|
}
|
154
|
+
|
155
|
+
FIPS_service_indicator_update_state();
|
153
156
|
return 1;
|
154
157
|
}
|
155
158
|
|
@@ -159,13 +162,14 @@ int SHA256_Final(uint8_t out[SHA256_DIGEST_LENGTH], SHA256_CTX *c) {
|
|
159
162
|
// |SHA256_Final| and expects |sha->md_len| to carry the size over.
|
160
163
|
//
|
161
164
|
// TODO(davidben): Add an assert and fix code to match them up.
|
162
|
-
return sha256_final_impl(out, c);
|
165
|
+
return sha256_final_impl(out, c->md_len, c);
|
163
166
|
}
|
167
|
+
|
164
168
|
int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) {
|
165
|
-
// SHA224_Init sets |ctx->md_len|
|
166
|
-
//
|
169
|
+
// This function must be paired with |SHA224_Init|, which sets |ctx->md_len|
|
170
|
+
// to |SHA224_DIGEST_LENGTH|.
|
167
171
|
assert(ctx->md_len == SHA224_DIGEST_LENGTH);
|
168
|
-
return sha256_final_impl(out, ctx);
|
172
|
+
return sha256_final_impl(out, SHA224_DIGEST_LENGTH, ctx);
|
169
173
|
}
|
170
174
|
|
171
175
|
#ifndef SHA256_ASM
|
@@ -60,8 +60,9 @@
|
|
60
60
|
|
61
61
|
#include <openssl/mem.h>
|
62
62
|
|
63
|
-
#include "internal.h"
|
64
63
|
#include "../../internal.h"
|
64
|
+
#include "../service_indicator/internal.h"
|
65
|
+
#include "internal.h"
|
65
66
|
|
66
67
|
|
67
68
|
// The 32-bit hash algorithms share a common byte-order neutral collector and
|
@@ -70,7 +71,7 @@
|
|
70
71
|
// this writing, so there is no need for a common collector/padding
|
71
72
|
// implementation yet.
|
72
73
|
|
73
|
-
static int sha512_final_impl(uint8_t *out, SHA512_CTX *sha);
|
74
|
+
static int sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha);
|
74
75
|
|
75
76
|
int SHA384_Init(SHA512_CTX *sha) {
|
76
77
|
sha->h[0] = UINT64_C(0xcbbb9d5dc1059ed8);
|
@@ -161,10 +162,10 @@ static void sha512_block_data_order(uint64_t *state, const uint8_t *in,
|
|
161
162
|
|
162
163
|
|
163
164
|
int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) {
|
164
|
-
// |SHA384_Init
|
165
|
-
//
|
165
|
+
// This function must be paired with |SHA384_Init|, which sets |sha->md_len|
|
166
|
+
// to |SHA384_DIGEST_LENGTH|.
|
166
167
|
assert(sha->md_len == SHA384_DIGEST_LENGTH);
|
167
|
-
return sha512_final_impl(out, sha);
|
168
|
+
return sha512_final_impl(out, SHA384_DIGEST_LENGTH, sha);
|
168
169
|
}
|
169
170
|
|
170
171
|
int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len) {
|
@@ -176,10 +177,10 @@ int SHA512_256_Update(SHA512_CTX *sha, const void *data, size_t len) {
|
|
176
177
|
}
|
177
178
|
|
178
179
|
int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH], SHA512_CTX *sha) {
|
179
|
-
//
|
180
|
-
//
|
180
|
+
// This function must be paired with |SHA512_256_Init|, which sets
|
181
|
+
// |sha->md_len| to |SHA512_256_DIGEST_LENGTH|.
|
181
182
|
assert(sha->md_len == SHA512_256_DIGEST_LENGTH);
|
182
|
-
return sha512_final_impl(out, sha);
|
183
|
+
return sha512_final_impl(out, SHA512_256_DIGEST_LENGTH, sha);
|
183
184
|
}
|
184
185
|
|
185
186
|
void SHA512_Transform(SHA512_CTX *c, const uint8_t block[SHA512_CBLOCK]) {
|
@@ -240,10 +241,10 @@ int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) {
|
|
240
241
|
// |SHA512_Final| and expects |sha->md_len| to carry the size over.
|
241
242
|
//
|
242
243
|
// TODO(davidben): Add an assert and fix code to match them up.
|
243
|
-
return sha512_final_impl(out, sha);
|
244
|
+
return sha512_final_impl(out, sha->md_len, sha);
|
244
245
|
}
|
245
246
|
|
246
|
-
static int sha512_final_impl(uint8_t *out, SHA512_CTX *sha) {
|
247
|
+
static int sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha) {
|
247
248
|
uint8_t *p = sha->p;
|
248
249
|
size_t n = sha->num;
|
249
250
|
|
@@ -267,13 +268,14 @@ static int sha512_final_impl(uint8_t *out, SHA512_CTX *sha) {
|
|
267
268
|
return 0;
|
268
269
|
}
|
269
270
|
|
270
|
-
assert(
|
271
|
-
const size_t out_words =
|
271
|
+
assert(md_len % 8 == 0);
|
272
|
+
const size_t out_words = md_len / 8;
|
272
273
|
for (size_t i = 0; i < out_words; i++) {
|
273
274
|
CRYPTO_store_u64_be(out, sha->h[i]);
|
274
275
|
out += 8;
|
275
276
|
}
|
276
277
|
|
278
|
+
FIPS_service_indicator_update_state();
|
277
279
|
return 1;
|
278
280
|
}
|
279
281
|
|
@@ -58,6 +58,7 @@
|
|
58
58
|
|
59
59
|
#include "internal.h"
|
60
60
|
#include "../../internal.h"
|
61
|
+
#include "../service_indicator/internal.h"
|
61
62
|
|
62
63
|
|
63
64
|
// tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
|
@@ -90,7 +91,7 @@ static int tls1_P_hash(uint8_t *out, size_t out_len,
|
|
90
91
|
}
|
91
92
|
|
92
93
|
for (;;) {
|
93
|
-
unsigned
|
94
|
+
unsigned len_u;
|
94
95
|
uint8_t hmac[EVP_MAX_MD_SIZE];
|
95
96
|
if (!HMAC_CTX_copy_ex(&ctx, &ctx_init) ||
|
96
97
|
!HMAC_Update(&ctx, A1, A1_len) ||
|
@@ -99,16 +100,17 @@ static int tls1_P_hash(uint8_t *out, size_t out_len,
|
|
99
100
|
!HMAC_Update(&ctx, (const uint8_t *) label, label_len) ||
|
100
101
|
!HMAC_Update(&ctx, seed1, seed1_len) ||
|
101
102
|
!HMAC_Update(&ctx, seed2, seed2_len) ||
|
102
|
-
!HMAC_Final(&ctx, hmac, &
|
103
|
+
!HMAC_Final(&ctx, hmac, &len_u)) {
|
103
104
|
goto err;
|
104
105
|
}
|
106
|
+
size_t len = len_u;
|
105
107
|
assert(len == chunk);
|
106
108
|
|
107
109
|
// XOR the result into |out|.
|
108
110
|
if (len > out_len) {
|
109
111
|
len = out_len;
|
110
112
|
}
|
111
|
-
for (
|
113
|
+
for (size_t i = 0; i < len; i++) {
|
112
114
|
out[i] ^= hmac[i];
|
113
115
|
}
|
114
116
|
out += len;
|
@@ -146,12 +148,16 @@ int CRYPTO_tls1_prf(const EVP_MD *digest,
|
|
146
148
|
|
147
149
|
OPENSSL_memset(out, 0, out_len);
|
148
150
|
|
151
|
+
const EVP_MD *const original_digest = digest;
|
152
|
+
FIPS_service_indicator_lock_state();
|
153
|
+
int ret = 0;
|
154
|
+
|
149
155
|
if (digest == EVP_md5_sha1()) {
|
150
156
|
// If using the MD5/SHA1 PRF, |secret| is partitioned between MD5 and SHA-1.
|
151
157
|
size_t secret_half = secret_len - (secret_len / 2);
|
152
158
|
if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half, label,
|
153
159
|
label_len, seed1, seed1_len, seed2, seed2_len)) {
|
154
|
-
|
160
|
+
goto end;
|
155
161
|
}
|
156
162
|
|
157
163
|
// Note that, if |secret_len| is odd, the two halves share a byte.
|
@@ -160,6 +166,13 @@ int CRYPTO_tls1_prf(const EVP_MD *digest,
|
|
160
166
|
digest = EVP_sha1();
|
161
167
|
}
|
162
168
|
|
163
|
-
|
164
|
-
|
169
|
+
ret = tls1_P_hash(out, out_len, digest, secret, secret_len, label, label_len,
|
170
|
+
seed1, seed1_len, seed2, seed2_len);
|
171
|
+
|
172
|
+
end:
|
173
|
+
FIPS_service_indicator_unlock_state();
|
174
|
+
if (ret) {
|
175
|
+
TLSKDF_verify_service_indicator(original_digest);
|
176
|
+
}
|
177
|
+
return ret;
|
165
178
|
}
|