grpc 1.53.0 → 1.54.2


Potentially problematic release.


This version of grpc might be problematic.

Files changed (695)
  1. checksums.yaml +4 -4
  2. data/Makefile +80 -66
  3. data/include/grpc/event_engine/event_engine.h +30 -14
  4. data/include/grpc/grpc_security.h +4 -0
  5. data/include/grpc/impl/grpc_types.h +11 -2
  6. data/include/grpc/support/port_platform.h +4 -4
  7. data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +11 -0
  8. data/src/core/ext/filters/client_channel/backend_metric.cc +6 -0
  9. data/src/core/ext/filters/client_channel/backup_poller.cc +2 -11
  10. data/src/core/ext/filters/client_channel/backup_poller.h +0 -3
  11. data/src/core/ext/filters/client_channel/client_channel.cc +848 -813
  12. data/src/core/ext/filters/client_channel/client_channel.h +131 -173
  13. data/src/core/ext/filters/client_channel/client_channel_internal.h +114 -0
  14. data/src/core/ext/filters/client_channel/config_selector.h +4 -3
  15. data/src/core/ext/filters/client_channel/http_proxy.cc +1 -1
  16. data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +6 -1
  17. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +17 -18
  18. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +134 -151
  19. data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +2 -16
  20. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +14 -10
  21. data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +68 -30
  22. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +11 -3
  23. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -1
  24. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +2 -5
  25. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +2 -2
  26. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +30 -38
  27. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +4 -4
  28. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +20 -26
  29. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +31 -179
  30. data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +1 -2
  31. data/src/core/ext/filters/client_channel/resolver/polling_resolver.h +1 -2
  32. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +4 -2
  33. data/src/core/ext/filters/client_channel/retry_filter.cc +95 -102
  34. data/src/core/ext/filters/client_channel/subchannel.cc +2 -4
  35. data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +26 -27
  36. data/src/core/ext/filters/client_channel/subchannel_stream_client.h +8 -5
  37. data/src/core/ext/filters/http/client/http_client_filter.cc +3 -3
  38. data/src/core/ext/filters/http/http_filters_plugin.cc +1 -12
  39. data/src/core/ext/filters/http/message_compress/compression_filter.cc +27 -11
  40. data/src/core/ext/filters/message_size/message_size_filter.cc +141 -224
  41. data/src/core/ext/filters/message_size/message_size_filter.h +48 -3
  42. data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +7 -6
  43. data/src/core/ext/gcp/metadata_query.cc +137 -0
  44. data/src/core/ext/gcp/metadata_query.h +87 -0
  45. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +70 -55
  46. data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +12 -8
  47. data/src/core/ext/transport/chttp2/transport/bin_encoder.h +5 -1
  48. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +149 -60
  49. data/src/core/ext/transport/chttp2/transport/flow_control.cc +5 -2
  50. data/src/core/ext/transport/chttp2/transport/flow_control.h +2 -1
  51. data/src/core/ext/transport/chttp2/transport/frame_settings.cc +4 -1
  52. data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +118 -222
  53. data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +295 -113
  54. data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.cc +2 -0
  55. data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.h +2 -0
  56. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +466 -273
  57. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +7 -3
  58. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +14 -12
  59. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +9 -1
  60. data/src/core/ext/transport/chttp2/transport/internal.h +18 -3
  61. data/src/core/ext/transport/chttp2/transport/parsing.cc +9 -2
  62. data/src/core/ext/transport/chttp2/transport/writing.cc +10 -5
  63. data/src/core/ext/transport/inproc/inproc_transport.cc +20 -14
  64. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +5 -3
  65. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +22 -0
  66. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +5 -3
  67. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +22 -0
  68. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +23 -5
  69. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +94 -3
  70. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -2
  71. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -0
  72. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +6 -3
  73. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +22 -0
  74. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +24 -6
  75. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +111 -12
  76. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +9 -7
  77. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +27 -9
  78. data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.c +0 -1
  79. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +11 -7
  80. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +56 -12
  81. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.c +5 -3
  82. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.h +24 -0
  83. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.c +5 -3
  84. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.h +24 -0
  85. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.c +13 -2
  86. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.h +49 -0
  87. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +24 -9
  88. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +66 -12
  89. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +191 -187
  90. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +139 -136
  91. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +31 -15
  92. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +5 -0
  93. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +12 -9
  94. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +15 -0
  95. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +54 -45
  96. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c +135 -119
  97. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h +5 -0
  98. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +100 -97
  99. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.c +15 -18
  100. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +272 -264
  101. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +117 -117
  102. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +5 -5
  103. data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +5 -5
  104. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +5 -5
  105. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.c +12 -9
  106. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.h +5 -0
  107. data/src/core/ext/xds/xds_channel_stack_modifier.cc +1 -2
  108. data/src/core/ext/xds/xds_client_stats.cc +29 -15
  109. data/src/core/ext/xds/xds_client_stats.h +24 -20
  110. data/src/core/ext/xds/xds_endpoint.cc +5 -2
  111. data/src/core/ext/xds/xds_endpoint.h +9 -1
  112. data/src/core/ext/xds/xds_http_rbac_filter.cc +1 -1
  113. data/src/core/ext/xds/xds_lb_policy_registry.cc +13 -0
  114. data/src/core/ext/xds/xds_transport_grpc.cc +1 -1
  115. data/src/core/{ext/filters/client_channel/resolver/dns/dns_resolver_selection.h → lib/backoff/random_early_detection.cc} +14 -12
  116. data/src/core/lib/backoff/random_early_detection.h +59 -0
  117. data/src/core/lib/channel/call_finalization.h +1 -1
  118. data/src/core/lib/channel/call_tracer.cc +51 -0
  119. data/src/core/lib/channel/call_tracer.h +101 -38
  120. data/src/core/lib/channel/connected_channel.cc +483 -1050
  121. data/src/core/lib/channel/context.h +8 -1
  122. data/src/core/lib/channel/promise_based_filter.cc +106 -42
  123. data/src/core/lib/channel/promise_based_filter.h +27 -13
  124. data/src/core/lib/channel/server_call_tracer_filter.cc +110 -0
  125. data/src/core/lib/config/config_vars.cc +151 -0
  126. data/src/core/lib/config/config_vars.h +127 -0
  127. data/src/core/lib/config/config_vars_non_generated.cc +51 -0
  128. data/src/core/lib/config/load_config.cc +66 -0
  129. data/src/core/lib/config/load_config.h +49 -0
  130. data/src/core/lib/debug/trace.cc +5 -6
  131. data/src/core/lib/debug/trace.h +0 -5
  132. data/src/core/lib/event_engine/event_engine.cc +37 -2
  133. data/src/core/lib/event_engine/handle_containers.h +7 -22
  134. data/src/core/lib/event_engine/memory_allocator_factory.h +47 -0
  135. data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +0 -4
  136. data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +3 -9
  137. data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +48 -15
  138. data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +8 -8
  139. data/src/core/lib/event_engine/posix_engine/posix_engine.cc +6 -5
  140. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +6 -3
  141. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +27 -18
  142. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +0 -3
  143. data/src/core/lib/event_engine/resolved_address.cc +2 -1
  144. data/src/core/lib/event_engine/windows/win_socket.cc +0 -1
  145. data/src/core/lib/event_engine/windows/windows_endpoint.cc +129 -82
  146. data/src/core/lib/event_engine/windows/windows_endpoint.h +21 -5
  147. data/src/core/lib/event_engine/windows/windows_engine.cc +39 -18
  148. data/src/core/lib/event_engine/windows/windows_engine.h +2 -1
  149. data/src/core/lib/event_engine/windows/windows_listener.cc +370 -0
  150. data/src/core/lib/event_engine/windows/windows_listener.h +155 -0
  151. data/src/core/lib/experiments/config.cc +3 -10
  152. data/src/core/lib/experiments/experiments.cc +7 -0
  153. data/src/core/lib/experiments/experiments.h +9 -1
  154. data/src/core/lib/gpr/log.cc +15 -28
  155. data/src/core/lib/gprpp/fork.cc +8 -14
  156. data/src/core/lib/gprpp/orphanable.h +4 -3
  157. data/src/core/lib/gprpp/per_cpu.h +9 -3
  158. data/src/core/lib/gprpp/{thd_posix.cc → posix/thd.cc} +49 -37
  159. data/src/core/lib/gprpp/ref_counted.h +33 -34
  160. data/src/core/lib/gprpp/thd.h +16 -0
  161. data/src/core/lib/gprpp/time.cc +1 -0
  162. data/src/core/lib/gprpp/time.h +4 -4
  163. data/src/core/lib/gprpp/{thd_windows.cc → windows/thd.cc} +2 -2
  164. data/src/core/lib/iomgr/call_combiner.h +2 -2
  165. data/src/core/lib/iomgr/endpoint_cfstream.cc +4 -2
  166. data/src/core/lib/iomgr/endpoint_pair.h +2 -2
  167. data/src/core/lib/iomgr/endpoint_pair_posix.cc +2 -2
  168. data/src/core/lib/iomgr/endpoint_pair_windows.cc +1 -1
  169. data/src/core/lib/iomgr/ev_posix.cc +13 -53
  170. data/src/core/lib/iomgr/ev_posix.h +0 -3
  171. data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +103 -76
  172. data/src/core/lib/iomgr/iomgr.cc +4 -8
  173. data/src/core/lib/iomgr/iomgr_windows.cc +8 -2
  174. data/src/core/lib/iomgr/pollset_set_windows.cc +9 -9
  175. data/src/core/lib/iomgr/pollset_windows.cc +1 -1
  176. data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -3
  177. data/src/core/lib/iomgr/tcp_client_windows.cc +2 -2
  178. data/src/core/lib/iomgr/tcp_posix.cc +0 -1
  179. data/src/core/lib/iomgr/tcp_server_posix.cc +5 -16
  180. data/src/core/lib/iomgr/tcp_server_windows.cc +176 -9
  181. data/src/core/lib/iomgr/tcp_windows.cc +12 -8
  182. data/src/core/lib/load_balancing/lb_policy.cc +9 -13
  183. data/src/core/lib/load_balancing/lb_policy.h +4 -2
  184. data/src/core/lib/promise/activity.cc +22 -6
  185. data/src/core/lib/promise/activity.h +61 -24
  186. data/src/core/lib/promise/cancel_callback.h +77 -0
  187. data/src/core/lib/promise/detail/basic_seq.h +1 -1
  188. data/src/core/lib/promise/detail/promise_factory.h +4 -0
  189. data/src/core/lib/promise/for_each.h +176 -0
  190. data/src/core/lib/promise/if.h +9 -0
  191. data/src/core/lib/promise/interceptor_list.h +23 -2
  192. data/src/core/lib/promise/latch.h +89 -3
  193. data/src/core/lib/promise/loop.h +13 -9
  194. data/src/core/lib/promise/map.h +7 -0
  195. data/src/core/lib/promise/party.cc +286 -0
  196. data/src/core/lib/promise/party.h +499 -0
  197. data/src/core/lib/promise/pipe.h +197 -57
  198. data/src/core/lib/promise/poll.h +48 -0
  199. data/src/core/lib/promise/promise.h +2 -2
  200. data/src/core/lib/resource_quota/arena.cc +19 -3
  201. data/src/core/lib/resource_quota/arena.h +119 -5
  202. data/src/core/lib/resource_quota/memory_quota.cc +1 -1
  203. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +12 -35
  204. data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +1 -0
  205. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +0 -59
  206. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +10 -5
  207. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
  208. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +13 -0
  209. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +2 -0
  210. data/src/core/lib/security/security_connector/load_system_roots_supported.cc +5 -9
  211. data/src/core/lib/security/security_connector/ssl_utils.cc +11 -25
  212. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +12 -0
  213. data/src/core/lib/security/transport/secure_endpoint.cc +4 -2
  214. data/src/core/lib/security/transport/server_auth_filter.cc +20 -2
  215. data/src/core/lib/slice/slice.cc +1 -1
  216. data/src/core/lib/surface/builtins.cc +2 -0
  217. data/src/core/lib/surface/call.cc +926 -1024
  218. data/src/core/lib/surface/call.h +10 -0
  219. data/src/core/lib/surface/lame_client.cc +1 -0
  220. data/src/core/lib/surface/validate_metadata.cc +43 -42
  221. data/src/core/lib/surface/validate_metadata.h +9 -0
  222. data/src/core/lib/surface/version.cc +2 -2
  223. data/src/core/lib/transport/batch_builder.cc +179 -0
  224. data/src/core/lib/transport/batch_builder.h +468 -0
  225. data/src/core/lib/transport/bdp_estimator.cc +7 -7
  226. data/src/core/lib/transport/bdp_estimator.h +10 -6
  227. data/src/core/lib/transport/custom_metadata.h +30 -0
  228. data/src/core/lib/transport/metadata_batch.cc +9 -6
  229. data/src/core/lib/transport/metadata_batch.h +168 -18
  230. data/src/core/lib/transport/parsed_metadata.h +19 -9
  231. data/src/core/lib/transport/timeout_encoding.cc +6 -1
  232. data/src/core/lib/transport/transport.cc +30 -2
  233. data/src/core/lib/transport/transport.h +70 -14
  234. data/src/core/lib/transport/transport_impl.h +7 -0
  235. data/src/core/lib/transport/transport_op_string.cc +52 -42
  236. data/src/core/plugin_registry/grpc_plugin_registry.cc +2 -2
  237. data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +1 -0
  238. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +21 -4
  239. data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +5 -0
  240. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
  241. data/src/core/tsi/ssl_transport_security.cc +4 -2
  242. data/src/ruby/lib/grpc/version.rb +1 -1
  243. data/third_party/abseil-cpp/absl/base/config.h +1 -1
  244. data/third_party/abseil-cpp/absl/flags/commandlineflag.cc +34 -0
  245. data/third_party/abseil-cpp/absl/flags/commandlineflag.h +200 -0
  246. data/third_party/abseil-cpp/absl/flags/config.h +68 -0
  247. data/third_party/abseil-cpp/absl/flags/declare.h +73 -0
  248. data/third_party/abseil-cpp/absl/flags/flag.cc +38 -0
  249. data/third_party/abseil-cpp/absl/flags/flag.h +310 -0
  250. data/{src/core/lib/gprpp/global_config_custom.h → third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc} +11 -14
  251. data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.h +68 -0
  252. data/third_party/abseil-cpp/absl/flags/internal/flag.cc +615 -0
  253. data/third_party/abseil-cpp/absl/flags/internal/flag.h +800 -0
  254. data/third_party/abseil-cpp/absl/flags/internal/flag_msvc.inc +116 -0
  255. data/third_party/abseil-cpp/absl/flags/internal/path_util.h +62 -0
  256. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc +65 -0
  257. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h +61 -0
  258. data/third_party/abseil-cpp/absl/flags/internal/program_name.cc +60 -0
  259. data/third_party/abseil-cpp/absl/flags/internal/program_name.h +50 -0
  260. data/third_party/abseil-cpp/absl/flags/internal/registry.h +97 -0
  261. data/third_party/abseil-cpp/absl/flags/internal/sequence_lock.h +187 -0
  262. data/third_party/abseil-cpp/absl/flags/marshalling.cc +241 -0
  263. data/third_party/abseil-cpp/absl/flags/marshalling.h +356 -0
  264. data/third_party/abseil-cpp/absl/flags/reflection.cc +354 -0
  265. data/third_party/abseil-cpp/absl/flags/reflection.h +90 -0
  266. data/third_party/abseil-cpp/absl/flags/usage_config.cc +165 -0
  267. data/third_party/abseil-cpp/absl/flags/usage_config.h +135 -0
  268. data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +12 -8
  269. data/third_party/boringssl-with-bazel/err_data.c +728 -712
  270. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +177 -177
  271. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +28 -55
  272. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +21 -23
  273. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +20 -23
  274. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +66 -185
  275. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +18 -21
  276. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +356 -311
  277. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +174 -194
  278. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +146 -210
  279. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +6 -9
  280. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c +346 -526
  281. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +110 -131
  282. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +130 -116
  283. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +93 -60
  284. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +93 -181
  285. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +242 -305
  286. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +41 -18
  287. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +30 -33
  288. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +36 -33
  289. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +29 -26
  290. data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +133 -88
  291. data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.c +230 -0
  292. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +791 -791
  293. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +526 -526
  294. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +114 -135
  295. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +201 -207
  296. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +21 -26
  297. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +55 -68
  298. data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +2 -4
  299. data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +11 -7
  300. data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +4 -4
  301. data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +15 -9
  302. data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +4 -4
  303. data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +17 -10
  304. data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -3
  305. data/third_party/boringssl-with-bazel/src/crypto/bio/printf.c +0 -13
  306. data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -6
  307. data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +2 -0
  308. data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +9 -5
  309. data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +10 -23
  310. data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +2 -6
  311. data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.c +2 -1
  312. data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +29 -28
  313. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +161 -201
  314. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +254 -39
  315. data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +2 -2
  316. data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +0 -2
  317. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +4 -4
  318. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +9 -8
  319. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +37 -75
  320. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +8 -10
  321. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/cipher → cipher_extra}/e_des.c +100 -78
  322. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.c +1 -0
  323. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc2.c +1 -0
  324. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.c +2 -0
  325. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +6 -12
  326. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -11
  327. data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +6 -10
  328. data/third_party/boringssl-with-bazel/src/crypto/conf/conf_def.h +0 -1
  329. data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +12 -0
  330. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.c +74 -0
  331. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_freebsd.c +62 -0
  332. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-fuchsia.c → cpu_aarch64_fuchsia.c} +8 -7
  333. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-linux.c → cpu_aarch64_linux.c} +6 -4
  334. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-win.c → cpu_aarch64_win.c} +4 -4
  335. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm.c → cpu_arm.c} +1 -1
  336. data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.c +55 -0
  337. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.c → cpu_arm_linux.c} +11 -90
  338. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.h → cpu_arm_linux.h} +0 -38
  339. data/third_party/boringssl-with-bazel/src/crypto/{cpu-intel.c → cpu_intel.c} +1 -2
  340. data/third_party/boringssl-with-bazel/src/crypto/crypto.c +25 -20
  341. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +16 -27
  342. data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +17 -32
  343. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/des.c +232 -232
  344. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/internal.h +1 -1
  345. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.c +1 -0
  346. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/params.c +232 -29
  347. data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +0 -3
  348. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +39 -16
  349. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +37 -7
  350. data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +3 -3
  351. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +11 -36
  352. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +214 -99
  353. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +21 -5
  354. data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +2 -4
  355. data/third_party/boringssl-with-bazel/src/crypto/err/err.c +83 -60
  356. data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +46 -12
  357. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +3 -3
  358. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +25 -23
  359. data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +43 -9
  360. data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +75 -44
  361. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +19 -25
  362. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +96 -45
  363. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +7 -8
  364. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +26 -23
  365. data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.c +233 -0
  366. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +5 -5
  367. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +42 -25
  368. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +4 -5
  369. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +35 -47
  370. data/third_party/boringssl-with-bazel/src/crypto/evp/print.c +135 -244
  371. data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +2 -4
  372. data/third_party/boringssl-with-bazel/src/crypto/evp/sign.c +15 -10
  373. data/third_party/boringssl-with-bazel/src/crypto/ex_data.c +29 -15
  374. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +0 -2
  375. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +13 -14
  376. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +3 -13
  377. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +13 -7
  378. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +9 -7
  379. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +35 -27
  380. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +16 -26
  381. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c +88 -60
  382. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +4 -3
  383. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +0 -2
  384. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +1 -1
  385. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +1 -1
  386. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +99 -113
  387. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +0 -1
  388. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +5 -3
  389. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c +112 -168
  390. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +86 -31
  391. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +11 -6
  392. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +4 -5
  393. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +4 -5
  394. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +13 -0
  395. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +13 -5
  396. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +19 -108
  397. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +19 -15
  398. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +15 -16
  399. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +22 -21
  400. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.c +3 -0
  401. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +79 -19
  402. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +102 -99
  403. data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c +52 -46
  404. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +39 -0
  405. data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c +55 -11
  406. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c +2 -3
  407. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +21 -6
  408. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +56 -0
  409. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +5 -3
  410. data/third_party/boringssl-with-bazel/src/crypto/{evp → fipsmodule/digestsign}/digestsign.c +51 -15
  411. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +25 -25
  412. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +91 -17
  413. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +5 -5
  414. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +34 -12
  415. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +54 -23
  416. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +44 -60
  417. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64-table.h → p256-nistz-table.h} +1 -1
  418. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.c → p256-nistz.c} +60 -53
  419. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.h → p256-nistz.h} +5 -13
  420. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +48 -36
  421. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +2 -8
  422. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +2 -7
  423. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +2 -3
  424. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +0 -1
  425. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +8 -0
  426. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +42 -14
  427. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +6 -0
  428. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.c +52 -24
  429. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +9 -15
  430. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +1 -4
  431. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +2 -4
  432. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +71 -43
  433. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +14 -16
  434. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -4
  435. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +31 -13
  436. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +16 -8
  437. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +3 -2
  438. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +2 -2
  439. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +9 -38
  440. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +73 -59
  441. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -45
  442. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +0 -1
  443. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +22 -0
  444. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +63 -52
  445. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +107 -62
  446. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +58 -31
  447. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +41 -0
  448. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +523 -422
  449. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +89 -0
  450. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c +334 -0
  451. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +3 -12
  452. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +2 -0
  453. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +12 -8
  454. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +14 -12
  455. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +19 -6
  456. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +32 -14
  457. data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +65 -29
  458. data/third_party/boringssl-with-bazel/src/crypto/internal.h +373 -18
  459. data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +61 -0
  460. data/third_party/boringssl-with-bazel/src/crypto/kyber/keccak.c +205 -0
  461. data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +13 -1
  462. data/third_party/boringssl-with-bazel/src/crypto/mem.c +220 -13
  463. data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +19 -7
  464. data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +13 -1
  465. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +81 -90
  466. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +150 -245
  467. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +629 -613
  468. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +17 -17
  469. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +142 -149
  470. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +99 -131
  471. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.c +0 -1
  472. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.c +0 -1
  473. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +0 -1
  474. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +0 -3
  475. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -66
  476. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +31 -38
  477. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +2 -1
  478. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +18 -31
  479. data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +1 -0
  480. data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +8 -1
  481. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +129 -5
  482. data/third_party/boringssl-with-bazel/src/crypto/refcount_c11.c +0 -2
  483. data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +3 -4
  484. data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +8 -11
  485. data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +61 -27
  486. data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +10 -13
  487. data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +10 -13
  488. data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +66 -34
  489. data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +190 -77
  490. data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +81 -284
  491. data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +109 -42
  492. data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c +22 -24
  493. data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +54 -55
  494. data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +32 -34
  495. data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +32 -16
  496. data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +465 -704
  497. data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +284 -331
  498. data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +183 -178
  499. data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c +11 -15
  500. data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +67 -50
  501. data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +153 -150
  502. data/third_party/boringssl-with-bazel/src/crypto/x509/policy.c +786 -0
  503. data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +95 -102
  504. data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +72 -57
  505. data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +12 -10
  506. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +227 -252
  507. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +52 -47
  508. data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +3 -4
  509. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +230 -224
  510. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +161 -327
  511. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.c +37 -33
  512. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +14 -31
  513. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +55 -85
  514. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +534 -618
  515. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +129 -122
  516. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +116 -182
  517. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +132 -132
  518. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +181 -202
  519. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +64 -79
  520. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +175 -160
  521. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +1865 -2050
  522. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +433 -462
  523. data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +156 -163
  524. data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +267 -263
  525. data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +40 -15
  526. data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +59 -63
  527. data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +63 -67
  528. data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +114 -144
  529. data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +25 -26
  530. data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +326 -415
  531. data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +8 -7
  532. data/third_party/boringssl-with-bazel/src/crypto/x509/x_info.c +30 -28
  533. data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +354 -370
  534. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +37 -32
  535. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +116 -119
  536. data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +36 -26
  537. data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +3 -4
  538. data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.c +10 -13
  539. data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +3 -4
  540. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +419 -261
  541. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +113 -105
  542. data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +11 -15
  543. data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +78 -170
  544. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +126 -131
  545. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akeya.c +3 -4
  546. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +465 -469
  547. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bcons.c +56 -54
  548. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +46 -49
  549. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +309 -346
  550. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +341 -365
  551. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +429 -393
  552. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +29 -24
  553. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_extku.c +65 -59
  554. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +125 -121
  555. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +43 -42
  556. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +122 -125
  557. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_int.c +50 -20
  558. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +247 -253
  559. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +386 -389
  560. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +45 -32
  561. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c +57 -54
  562. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c +63 -67
  563. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +143 -136
  564. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +664 -707
  565. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +83 -75
  566. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1062 -1146
  567. data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +8 -4
  568. data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +28 -48
  569. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +211 -187
  570. data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +26 -78
  571. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +19 -14
  572. data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +21 -2
  573. data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +49 -17
  574. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +99 -29
  575. data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +49 -60
  576. data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +2 -15
  577. data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +16 -200
  578. data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +34 -0
  579. data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +82 -0
  580. data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +32 -30
  581. data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +7 -0
  582. data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +4 -0
  583. data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +48 -5
  584. data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +37 -8
  585. data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +1 -0
  586. data/third_party/boringssl-with-bazel/src/include/openssl/err.h +33 -5
  587. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +22 -30
  588. data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +1 -1
  589. data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +7 -0
  590. data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +41 -16
  591. data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +91 -0
  592. data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +74 -8
  593. data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +13 -0
  594. data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +1 -0
  595. data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +11 -15
  596. data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +8 -0
  597. data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +12 -1
  598. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +7 -4
  599. data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +96 -0
  600. data/third_party/boringssl-with-bazel/src/include/openssl/span.h +13 -21
  601. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +139 -75
  602. data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +1 -6
  603. data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +384 -286
  604. data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +5 -6
  605. data/third_party/boringssl-with-bazel/src/include/openssl/time.h +41 -0
  606. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +18 -7
  607. data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +49 -23
  608. data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +0 -11
  609. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1592 -1074
  610. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +202 -205
  611. data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +2 -2
  612. data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -13
  613. data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +17 -18
  614. data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +4 -5
  615. data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +25 -33
  616. data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +34 -20
  617. data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +65 -34
  618. data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +198 -54
  619. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +5 -5
  620. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +32 -28
  621. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +76 -44
  622. data/third_party/boringssl-with-bazel/src/ssl/internal.h +130 -98
  623. data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +27 -11
  624. data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
  625. data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +91 -75
  626. data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +8 -10
  627. data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +39 -65
  628. data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +1 -0
  629. data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +5 -9
  630. data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +30 -33
  631. data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +77 -100
  632. data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +120 -107
  633. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +164 -30
  634. data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +150 -60
  635. data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +22 -11
  636. data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +22 -6
  637. data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +15 -13
  638. data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +5 -43
  639. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +7 -4
  640. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +2 -2
  641. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +22 -34
  642. data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +2 -2
  643. data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +16 -98
  644. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +1241 -657
  645. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +751 -398
  646. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3551 -1938
  647. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1272 -487
  648. metadata +105 -70
  649. data/src/core/ext/filters/client_channel/lb_call_state_internal.h +0 -39
  650. data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.cc +0 -30
  651. data/src/core/lib/gprpp/global_config.h +0 -93
  652. data/src/core/lib/gprpp/global_config_env.cc +0 -140
  653. data/src/core/lib/gprpp/global_config_env.h +0 -133
  654. data/src/core/lib/gprpp/global_config_generic.h +0 -40
  655. data/src/core/lib/promise/intra_activity_waiter.h +0 -55
  656. data/src/core/lib/security/security_connector/ssl_utils_config.cc +0 -32
  657. data/src/core/lib/security/security_connector/ssl_utils_config.h +0 -29
  658. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +0 -195
  659. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +0 -83
  660. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +0 -236
  661. data/third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h +0 -15
  662. data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +0 -206
  663. data/third_party/boringssl-with-bazel/src/crypto/cpu-ppc64le.c +0 -38
  664. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1-altivec.c +0 -361
  665. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +0 -287
  666. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +0 -132
  667. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_lib.c +0 -155
  668. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +0 -131
  669. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +0 -189
  670. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +0 -843
  671. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +0 -289
  672. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c +0 -57
  673. /data/src/core/lib/gpr/{log_android.cc → android/log.cc} +0 -0
  674. /data/src/core/lib/gpr/{cpu_iphone.cc → iphone/cpu.cc} +0 -0
  675. /data/src/core/lib/gpr/{cpu_linux.cc → linux/cpu.cc} +0 -0
  676. /data/src/core/lib/gpr/{log_linux.cc → linux/log.cc} +0 -0
  677. /data/src/core/lib/gpr/{tmpfile_msys.cc → msys/tmpfile.cc} +0 -0
  678. /data/src/core/lib/gpr/{cpu_posix.cc → posix/cpu.cc} +0 -0
  679. /data/src/core/lib/gpr/{log_posix.cc → posix/log.cc} +0 -0
  680. /data/src/core/lib/gpr/{string_posix.cc → posix/string.cc} +0 -0
  681. /data/src/core/lib/gpr/{sync_posix.cc → posix/sync.cc} +0 -0
  682. /data/src/core/lib/gpr/{time_posix.cc → posix/time.cc} +0 -0
  683. /data/src/core/lib/gpr/{tmpfile_posix.cc → posix/tmpfile.cc} +0 -0
  684. /data/src/core/lib/gpr/{cpu_windows.cc → windows/cpu.cc} +0 -0
  685. /data/src/core/lib/gpr/{log_windows.cc → windows/log.cc} +0 -0
  686. /data/src/core/lib/gpr/{string_windows.cc → windows/string.cc} +0 -0
  687. /data/src/core/lib/gpr/{string_util_windows.cc → windows/string_util.cc} +0 -0
  688. /data/src/core/lib/gpr/{sync_windows.cc → windows/sync.cc} +0 -0
  689. /data/src/core/lib/gpr/{time_windows.cc → windows/time.cc} +0 -0
  690. /data/src/core/lib/gpr/{tmpfile_windows.cc → windows/tmpfile.cc} +0 -0
  691. /data/src/core/lib/gprpp/{env_linux.cc → linux/env.cc} +0 -0
  692. /data/src/core/lib/gprpp/{env_posix.cc → posix/env.cc} +0 -0
  693. /data/src/core/lib/gprpp/{stat_posix.cc → posix/stat.cc} +0 -0
  694. /data/src/core/lib/gprpp/{env_windows.cc → windows/env.cc} +0 -0
  695. /data/src/core/lib/gprpp/{stat_windows.cc → windows/stat.cc} +0 -0
@@ -140,7 +140,10 @@
140
140
 
141
141
  #include <openssl/ssl.h>
142
142
 
143
+ #include <algorithm>
144
+
143
145
  #include <assert.h>
146
+ #include <limits.h>
144
147
  #include <stdlib.h>
145
148
  #include <string.h>
146
149
 
@@ -164,6 +167,10 @@
164
167
 
165
168
  BSSL_NAMESPACE_BEGIN
166
169
 
170
+ static_assert(SSL3_RT_MAX_ENCRYPTED_OVERHEAD >=
171
+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD,
172
+ "max overheads are inconsistent");
173
+
167
174
  // |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it
168
175
  // to avoid downstream churn.
169
176
  OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL)
@@ -517,7 +524,8 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
517
524
  allow_unknown_alpn_protos(false),
518
525
  false_start_allowed_without_alpn(false),
519
526
  handoff(false),
520
- enable_early_data(false) {
527
+ enable_early_data(false),
528
+ only_fips_cipher_suites_in_tls13(false) {
521
529
  CRYPTO_MUTEX_init(&lock);
522
530
  CRYPTO_new_ex_data(&ex_data);
523
531
  }
@@ -637,6 +645,8 @@ SSL *SSL_new(SSL_CTX *ctx) {
637
645
  ssl->config->retain_only_sha256_of_client_certs =
638
646
  ctx->retain_only_sha256_of_client_certs;
639
647
  ssl->config->permute_extensions = ctx->permute_extensions;
648
+ ssl->config->only_fips_cipher_suites_in_tls13 =
649
+ ctx->only_fips_cipher_suites_in_tls13;
640
650
 
641
651
  if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) ||
642
652
  !ssl->config->alpn_client_proto_list.CopyFrom(
@@ -1053,6 +1063,7 @@ int SSL_write(SSL *ssl, const void *buf, int num) {
1053
1063
  }
1054
1064
 
1055
1065
  int ret = 0;
1066
+ size_t bytes_written = 0;
1056
1067
  bool needs_handshake = false;
1057
1068
  do {
1058
1069
  // If necessary, complete the handshake implicitly.
@@ -1067,10 +1078,16 @@ int SSL_write(SSL *ssl, const void *buf, int num) {
1067
1078
  }
1068
1079
  }
1069
1080
 
1070
- ret = ssl->method->write_app_data(ssl, &needs_handshake,
1071
- (const uint8_t *)buf, num);
1081
+ if (num < 0) {
1082
+ OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH);
1083
+ return -1;
1084
+ }
1085
+ ret = ssl->method->write_app_data(
1086
+ ssl, &needs_handshake, &bytes_written,
1087
+ MakeConstSpan(static_cast<const uint8_t *>(buf),
1088
+ static_cast<size_t>(num)));
1072
1089
  } while (needs_handshake);
1073
- return ret;
1090
+ return ret <= 0 ? ret : static_cast<int>(bytes_written);
1074
1091
  }
1075
1092
 
1076
1093
  int SSL_key_update(SSL *ssl, int request_type) {
@@ -1234,7 +1251,7 @@ void SSL_reset_early_data_reject(SSL *ssl) {
1234
1251
  // Discard any unfinished writes from the perspective of |SSL_write|'s
1235
1252
  // retry. The handshake will transparently flush out the pending record
1236
1253
  // (discarded by the server) to keep the framing correct.
1237
- ssl->s3->wpend_pending = false;
1254
+ ssl->s3->pending_write = {};
1238
1255
  }
1239
1256
 
1240
1257
  enum ssl_early_data_reason_t SSL_get_early_data_reason(const SSL *ssl) {
@@ -1303,7 +1320,7 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
1303
1320
  }
1304
1321
 
1305
1322
  if (ret_code == 0) {
1306
- if (ssl->s3->read_shutdown == ssl_shutdown_close_notify) {
1323
+ if (ssl->s3->rwstate == SSL_ERROR_ZERO_RETURN) {
1307
1324
  return SSL_ERROR_ZERO_RETURN;
1308
1325
  }
1309
1326
  // An EOF was observed which violates the protocol, and the underlying
@@ -1933,9 +1950,23 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) {
1933
1950
  return tls1_set_curves_list(&ssl->config->supported_group_list, curves);
1934
1951
  }
1935
1952
 
1953
+ int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) {
1954
+ return SSL_CTX_set1_curves(ctx, groups, groups_len);
1955
+ }
1956
+
1957
+ int SSL_set1_groups(SSL *ssl, const int *groups, size_t groups_len) {
1958
+ return SSL_set1_curves(ssl, groups, groups_len);
1959
+ }
1960
+
1961
+ int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) {
1962
+ return SSL_CTX_set1_curves_list(ctx, groups);
1963
+ }
1964
+
1965
+ int SSL_set1_groups_list(SSL *ssl, const char *groups) {
1966
+ return SSL_set1_curves_list(ssl, groups);
1967
+ }
1968
+
1936
1969
  uint16_t SSL_get_curve_id(const SSL *ssl) {
1937
- // TODO(davidben): This checks the wrong session if there is a renegotiation
1938
- // in progress.
1939
1970
  SSL_SESSION *session = SSL_get_session(ssl);
1940
1971
  if (session == NULL) {
1941
1972
  return 0;
@@ -2117,7 +2148,6 @@ int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
2117
2148
  }
2118
2149
  ssl->hostname.reset(OPENSSL_strdup(name));
2119
2150
  if (ssl->hostname == nullptr) {
2120
- OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
2121
2151
  return 0;
2122
2152
  }
2123
2153
  return 1;
@@ -2169,8 +2199,10 @@ found:
2169
2199
 
2170
2200
  void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data,
2171
2201
  unsigned *out_len) {
2202
+ // NPN protocols have one-byte lengths, so they must fit in |unsigned|.
2203
+ assert(ssl->s3->next_proto_negotiated.size() <= UINT_MAX);
2172
2204
  *out_data = ssl->s3->next_proto_negotiated.data();
2173
- *out_len = ssl->s3->next_proto_negotiated.size();
2205
+ *out_len = static_cast<unsigned>(ssl->s3->next_proto_negotiated.size());
2174
2206
  }
2175
2207
 
2176
2208
  void SSL_CTX_set_next_protos_advertised_cb(
@@ -2190,7 +2222,7 @@ void SSL_CTX_set_next_proto_select_cb(
2190
2222
  }
2191
2223
 
2192
2224
  int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
2193
- unsigned protos_len) {
2225
+ size_t protos_len) {
2194
2226
  // Note this function's return value is backwards.
2195
2227
  auto span = MakeConstSpan(protos, protos_len);
2196
2228
  if (!span.empty() && !ssl_is_valid_alpn_list(span)) {
@@ -2200,7 +2232,7 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
2200
2232
  return ctx->alpn_client_proto_list.CopyFrom(span) ? 0 : 1;
2201
2233
  }
2202
2234
 
2203
- int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, unsigned protos_len) {
2235
+ int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, size_t protos_len) {
2204
2236
  // Note this function's return value is backwards.
2205
2237
  if (!ssl->config) {
2206
2238
  return 1;
@@ -2224,13 +2256,16 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
2224
2256
 
2225
2257
  void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data,
2226
2258
  unsigned *out_len) {
2259
+ Span<const uint8_t> protocol;
2227
2260
  if (SSL_in_early_data(ssl) && !ssl->server) {
2228
- *out_data = ssl->s3->hs->early_session->early_alpn.data();
2229
- *out_len = ssl->s3->hs->early_session->early_alpn.size();
2261
+ protocol = ssl->s3->hs->early_session->early_alpn;
2230
2262
  } else {
2231
- *out_data = ssl->s3->alpn_selected.data();
2232
- *out_len = ssl->s3->alpn_selected.size();
2263
+ protocol = ssl->s3->alpn_selected;
2233
2264
  }
2265
+ // ALPN protocols have one-byte lengths, so they must fit in |unsigned|.
2266
+ assert(protocol.size() < UINT_MAX);
2267
+ *out_data = protocol.data();
2268
+ *out_len = static_cast<unsigned>(protocol.size());
2234
2269
  }
2235
2270
 
2236
2271
  void SSL_CTX_set_allow_unknown_alpn_protos(SSL_CTX *ctx, int enabled) {
@@ -2562,7 +2597,13 @@ void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) {
2562
2597
  return CRYPTO_get_ex_data(&ctx->ex_data, idx);
2563
2598
  }
2564
2599
 
2565
- int SSL_want(const SSL *ssl) { return ssl->s3->rwstate; }
2600
+ int SSL_want(const SSL *ssl) {
2601
+ // Historically, OpenSSL did not track |SSL_ERROR_ZERO_RETURN| as an |rwstate|
2602
+ // value. We do, but map it back to |SSL_ERROR_NONE| to preserve the original
2603
+ // behavior.
2604
+ return ssl->s3->rwstate == SSL_ERROR_ZERO_RETURN ? SSL_ERROR_NONE
2605
+ : ssl->s3->rwstate;
2606
+ }
2566
2607
 
2567
2608
  void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
2568
2609
  RSA *(*cb)(SSL *ssl, int is_export,
@@ -2765,6 +2806,10 @@ void SSL_set_enforce_rsa_key_usage(SSL *ssl, int enabled) {
2765
2806
  ssl->config->enforce_rsa_key_usage = !!enabled;
2766
2807
  }
2767
2808
 
2809
+ int SSL_was_key_usage_invalid(const SSL *ssl) {
2810
+ return ssl->s3->was_key_usage_invalid;
2811
+ }
2812
+
2768
2813
  void SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode) {
2769
2814
  ssl->renegotiate_mode = mode;
2770
2815
 
@@ -2786,35 +2831,25 @@ int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
2786
2831
  return 1;
2787
2832
  }
2788
2833
 
2789
- static uint64_t be_to_u64(const uint8_t in[8]) {
2790
- return (((uint64_t)in[0]) << 56) | (((uint64_t)in[1]) << 48) |
2791
- (((uint64_t)in[2]) << 40) | (((uint64_t)in[3]) << 32) |
2792
- (((uint64_t)in[4]) << 24) | (((uint64_t)in[5]) << 16) |
2793
- (((uint64_t)in[6]) << 8) | ((uint64_t)in[7]);
2794
- }
2795
-
2796
2834
  uint64_t SSL_get_read_sequence(const SSL *ssl) {
2797
- // TODO(davidben): Internally represent sequence numbers as uint64_t.
2798
2835
  if (SSL_is_dtls(ssl)) {
2799
2836
  // max_seq_num already includes the epoch.
2800
2837
  assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48));
2801
2838
  return ssl->d1->bitmap.max_seq_num;
2802
2839
  }
2803
- return be_to_u64(ssl->s3->read_sequence);
2840
+ return ssl->s3->read_sequence;
2804
2841
  }
2805
2842
 
2806
2843
  uint64_t SSL_get_write_sequence(const SSL *ssl) {
2807
- uint64_t ret = be_to_u64(ssl->s3->write_sequence);
2844
+ uint64_t ret = ssl->s3->write_sequence;
2808
2845
  if (SSL_is_dtls(ssl)) {
2809
2846
  assert((ret >> 48) == 0);
2810
- ret |= ((uint64_t)ssl->d1->w_epoch) << 48;
2847
+ ret |= uint64_t{ssl->d1->w_epoch} << 48;
2811
2848
  }
2812
2849
  return ret;
2813
2850
  }
2814
2851
 
2815
2852
  uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) {
2816
- // TODO(davidben): This checks the wrong session if there is a renegotiation
2817
- // in progress.
2818
2853
  SSL_SESSION *session = SSL_get_session(ssl);
2819
2854
  if (session == NULL) {
2820
2855
  return 0;
@@ -3025,6 +3060,15 @@ SSL_SESSION *SSL_process_tls13_new_session_ticket(SSL *ssl, const uint8_t *buf,
3025
3060
  return session.release();
3026
3061
  }
3027
3062
 
3063
+ int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) {
3064
+ num_tickets = std::min(num_tickets, kMaxTickets);
3065
+ static_assert(kMaxTickets <= 0xff, "Too many tickets.");
3066
+ ctx->num_tickets = static_cast<uint8_t>(num_tickets);
3067
+ return 1;
3068
+ }
3069
+
3070
+ size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx) { return ctx->num_tickets; }
3071
+
3028
3072
  int SSL_set_tlsext_status_type(SSL *ssl, int type) {
3029
3073
  if (!ssl->config) {
3030
3074
  return 0;
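Review bot: `SSL_CTX_set_num_tickets` clamps a request above `kMaxTickets` with `std::min` and still returns 1, so a caller cannot tell from the return value that fewer tickets will be issued than it asked for. That choice is reasonable, but it should be stated next to the clamp, for example `// Requests above |kMaxTickets| are clamped, not rejected; this function always returns 1.` Callers that need the effective value can read it back with `SSL_CTX_get_num_tickets`.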
@@ -3070,3 +3114,93 @@ int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) {
3070
3114
  ctx->legacy_ocsp_callback_arg = arg;
3071
3115
  return 1;
3072
3116
  }
3117
+
3118
+ namespace fips202205 {
3119
+
3120
+ // (References are to SP 800-52r2):
3121
+
3122
+ // Section 3.4.2.2
3123
+ // "at least one of the NIST-approved curves, P-256 (secp256r1) and P384
3124
+ // (secp384r1), shall be supported as described in RFC 8422."
3125
+ //
3126
+ // Section 3.3.1
3127
+ // "The server shall be configured to only use cipher suites that are
3128
+ // composed entirely of NIST approved algorithms"
3129
+ static const int kCurves[] = {NID_X9_62_prime256v1, NID_secp384r1};
3130
+
3131
+ static const uint16_t kSigAlgs[] = {
3132
+ SSL_SIGN_RSA_PKCS1_SHA256,
3133
+ SSL_SIGN_RSA_PKCS1_SHA384,
3134
+ SSL_SIGN_RSA_PKCS1_SHA512,
3135
+ // Table 4.1:
3136
+ // "The curve should be P-256 or P-384"
3137
+ SSL_SIGN_ECDSA_SECP256R1_SHA256,
3138
+ SSL_SIGN_ECDSA_SECP384R1_SHA384,
3139
+ SSL_SIGN_RSA_PSS_RSAE_SHA256,
3140
+ SSL_SIGN_RSA_PSS_RSAE_SHA384,
3141
+ SSL_SIGN_RSA_PSS_RSAE_SHA512,
3142
+ };
3143
+
3144
+ static const char kTLS12Ciphers[] =
3145
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:"
3146
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:"
3147
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:"
3148
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
3149
+
3150
+ static int Configure(SSL_CTX *ctx) {
3151
+ ctx->only_fips_cipher_suites_in_tls13 = true;
3152
+
3153
+ return
3154
+ // Section 3.1:
3155
+ // "Servers that support government-only applications shall be
3156
+ // configured to use TLS 1.2 and should be configured to use TLS 1.3
3157
+ // as well. These servers should not be configured to use TLS 1.1 and
3158
+ // shall not use TLS 1.0, SSL 3.0, or SSL 2.0.
3159
+ SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) &&
3160
+ SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) &&
3161
+ // Sections 3.3.1.1.1 and 3.3.1.1.2 are ambiguous about whether
3162
+ // HMAC-SHA-1 cipher suites are permitted with TLS 1.2. However, later the
3163
+ // Encrypt-then-MAC extension is required for all CBC cipher suites and so
3164
+ // it's easier to drop them.
3165
+ SSL_CTX_set_strict_cipher_list(ctx, kTLS12Ciphers) &&
3166
+ SSL_CTX_set1_curves(ctx, kCurves, OPENSSL_ARRAY_SIZE(kCurves)) &&
3167
+ SSL_CTX_set_signing_algorithm_prefs(ctx, kSigAlgs,
3168
+ OPENSSL_ARRAY_SIZE(kSigAlgs)) &&
3169
+ SSL_CTX_set_verify_algorithm_prefs(ctx, kSigAlgs,
3170
+ OPENSSL_ARRAY_SIZE(kSigAlgs));
3171
+ }
3172
+
3173
+ static int Configure(SSL *ssl) {
3174
+ ssl->config->only_fips_cipher_suites_in_tls13 = true;
3175
+
3176
+ // See |Configure(SSL_CTX)|, above, for reasoning.
3177
+ return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) &&
3178
+ SSL_set_max_proto_version(ssl, TLS1_3_VERSION) &&
3179
+ SSL_set_strict_cipher_list(ssl, kTLS12Ciphers) &&
3180
+ SSL_set1_curves(ssl, kCurves, OPENSSL_ARRAY_SIZE(kCurves)) &&
3181
+ SSL_set_signing_algorithm_prefs(ssl, kSigAlgs,
3182
+ OPENSSL_ARRAY_SIZE(kSigAlgs)) &&
3183
+ SSL_set_verify_algorithm_prefs(ssl, kSigAlgs,
3184
+ OPENSSL_ARRAY_SIZE(kSigAlgs));
3185
+ }
3186
+
3187
+ } // namespace fips202205
3188
+
3189
+ int SSL_CTX_set_compliance_policy(SSL_CTX *ctx,
3190
+ enum ssl_compliance_policy_t policy) {
3191
+ switch (policy) {
3192
+ case ssl_compliance_policy_fips_202205:
3193
+ return fips202205::Configure(ctx);
3194
+ default:
3195
+ return 0;
3196
+ }
3197
+ }
3198
+
3199
+ int SSL_set_compliance_policy(SSL *ssl, enum ssl_compliance_policy_t policy) {
3200
+ switch (policy) {
3201
+ case ssl_compliance_policy_fips_202205:
3202
+ return fips202205::Configure(ssl);
3203
+ default:
3204
+ return 0;
3205
+ }
3206
+ }
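Review bot: `fips202205::Configure(SSL *ssl)` writes `ssl->config->only_fips_cipher_suites_in_tls13` without checking `ssl->config`, while `SSL_set_tlsext_status_type` in the previous hunk returns 0 when `ssl->config` is null. If the config can be absent on this path as well, `SSL_set_compliance_policy` would dereference a null pointer; a guard such as `if (!ssl->config) { return 0; }` at the top of that overload would match the rest of the file. Both `Configure` overloads also set the flag before the chained setters run, so a 0 return can leave the object partly configured. The comment on the two public functions should say that a failed call must be treated as fatal for that `SSL_CTX` or `SSL`, not ignored.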
@@ -77,7 +77,7 @@ bool ssl_is_key_type_supported(int key_type) {
77
77
  }
78
78
 
79
79
  static bool ssl_set_pkey(CERT *cert, EVP_PKEY *pkey) {
80
- if (!ssl_is_key_type_supported(pkey->type)) {
80
+ if (!ssl_is_key_type_supported(EVP_PKEY_id(pkey))) {
81
81
  OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
82
82
  return false;
83
83
  }
@@ -151,6 +151,20 @@ static bool pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
151
151
  return false;
152
152
  }
153
153
 
154
+ if (ssl_protocol_version(ssl) < TLS1_2_VERSION) {
155
+ // TLS 1.0 and 1.1 do not negotiate algorithms and always sign one of two
156
+ // hardcoded algorithms.
157
+ return sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||
158
+ sigalg == SSL_SIGN_ECDSA_SHA1;
159
+ }
160
+
161
+ // |SSL_SIGN_RSA_PKCS1_MD5_SHA1| is not a real SignatureScheme for TLS 1.2 and
162
+ // higher. It is an internal value we use to represent TLS 1.0/1.1's MD5/SHA1
163
+ // concatenation.
164
+ if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1) {
165
+ return false;
166
+ }
167
+
154
168
  if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
155
169
  // RSA keys may only be used with RSA-PSS.
156
170
  if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss) {
@@ -201,6 +215,31 @@ enum ssl_private_key_result_t ssl_private_key_sign(
201
215
  SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,
202
216
  uint16_t sigalg, Span<const uint8_t> in) {
203
217
  SSL *const ssl = hs->ssl;
218
+ SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
219
+ Array<uint8_t> spki;
220
+ if (hints) {
221
+ ScopedCBB spki_cbb;
222
+ if (!CBB_init(spki_cbb.get(), 64) ||
223
+ !EVP_marshal_public_key(spki_cbb.get(), hs->local_pubkey.get()) ||
224
+ !CBBFinishArray(spki_cbb.get(), &spki)) {
225
+ ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
226
+ return ssl_private_key_failure;
227
+ }
228
+ }
229
+
230
+ // Replay the signature from handshake hints if available.
231
+ if (hints && !hs->hints_requested && //
232
+ sigalg == hints->signature_algorithm && //
233
+ in == hints->signature_input &&
234
+ MakeConstSpan(spki) == hints->signature_spki &&
235
+ !hints->signature.empty() && //
236
+ hints->signature.size() <= max_out) {
237
+ // Signature algorithm and input both match. Reuse the signature from hints.
238
+ *out_len = hints->signature.size();
239
+ OPENSSL_memcpy(out, hints->signature.data(), hints->signature.size());
240
+ return ssl_private_key_success;
241
+ }
242
+
204
243
  const SSL_PRIVATE_KEY_METHOD *key_method = hs->config->cert->key_method;
205
244
  EVP_PKEY *privatekey = hs->config->cert->privatekey.get();
206
245
  assert(!hs->can_release_private_key);
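Review bot: The replay branch copies `hints->signature` into `out` after comparing the algorithm, the input and the marshalled SPKI, but it never checks that those bytes verify under `hs->local_pubkey`. That makes the hints object trusted input to the handshake: a stale or corrupted hint would presumably be detected only by the peer, as a failed handshake. The comment above the condition should record this, for example `// The hinted signature is not re-verified here; hints must come from a trusted source.` The function body continues past this hunk.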
@@ -214,21 +253,33 @@ enum ssl_private_key_result_t ssl_private_key_sign(
214
253
  if (hs->pending_private_key_op) {
215
254
  ret = key_method->complete(ssl, out, out_len, max_out);
216
255
  } else {
217
- ret = key_method->sign(ssl, out, out_len, max_out,
218
- sigalg, in.data(), in.size());
256
+ ret = key_method->sign(ssl, out, out_len, max_out, sigalg, in.data(),
257
+ in.size());
219
258
  }
220
259
  if (ret == ssl_private_key_failure) {
221
260
  OPENSSL_PUT_ERROR(SSL, SSL_R_PRIVATE_KEY_OPERATION_FAILED);
222
261
  }
223
262
  hs->pending_private_key_op = ret == ssl_private_key_retry;
224
- return ret;
263
+ if (ret != ssl_private_key_success) {
264
+ return ret;
265
+ }
266
+ } else {
267
+ *out_len = max_out;
268
+ ScopedEVP_MD_CTX ctx;
269
+ if (!setup_ctx(ssl, ctx.get(), privatekey, sigalg, false /* sign */) ||
270
+ !EVP_DigestSign(ctx.get(), out, out_len, in.data(), in.size())) {
271
+ return ssl_private_key_failure;
272
+ }
225
273
  }
226
274
 
227
- *out_len = max_out;
228
- ScopedEVP_MD_CTX ctx;
229
- if (!setup_ctx(ssl, ctx.get(), privatekey, sigalg, false /* sign */) ||
230
- !EVP_DigestSign(ctx.get(), out, out_len, in.data(), in.size())) {
231
- return ssl_private_key_failure;
275
+ // Save the hint if applicable.
276
+ if (hints && hs->hints_requested) {
277
+ hints->signature_algorithm = sigalg;
278
+ hints->signature_spki = std::move(spki);
279
+ if (!hints->signature_input.CopyFrom(in) ||
280
+ !hints->signature.CopyFrom(MakeConstSpan(out, *out_len))) {
281
+ return ssl_private_key_failure;
282
+ }
232
283
  }
233
284
  return ssl_private_key_success;
234
285
  }
@@ -494,9 +545,83 @@ int SSL_is_signature_algorithm_rsa_pss(uint16_t sigalg) {
494
545
  return alg != nullptr && alg->is_rsa_pss;
495
546
  }
496
547
 
548
+ static int compare_uint16_t(const void *p1, const void *p2) {
549
+ uint16_t u1 = *((const uint16_t *)p1);
550
+ uint16_t u2 = *((const uint16_t *)p2);
551
+ if (u1 < u2) {
552
+ return -1;
553
+ } else if (u1 > u2) {
554
+ return 1;
555
+ } else {
556
+ return 0;
557
+ }
558
+ }
559
+
560
+ static bool sigalgs_unique(Span<const uint16_t> in_sigalgs) {
561
+ if (in_sigalgs.size() < 2) {
562
+ return true;
563
+ }
564
+
565
+ Array<uint16_t> sigalgs;
566
+ if (!sigalgs.CopyFrom(in_sigalgs)) {
567
+ return false;
568
+ }
569
+
570
+ qsort(sigalgs.data(), sigalgs.size(), sizeof(uint16_t), compare_uint16_t);
571
+
572
+ for (size_t i = 1; i < sigalgs.size(); i++) {
573
+ if (sigalgs[i - 1] == sigalgs[i]) {
574
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_SIGNATURE_ALGORITHM);
575
+ return false;
576
+ }
577
+ }
578
+
579
+ return true;
580
+ }
581
+
582
+ static bool set_sigalg_prefs(Array<uint16_t> *out, Span<const uint16_t> prefs) {
583
+ if (!sigalgs_unique(prefs)) {
584
+ return false;
585
+ }
586
+
587
+ // Check for invalid algorithms, and filter out |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.
588
+ Array<uint16_t> filtered;
589
+ if (!filtered.Init(prefs.size())) {
590
+ return false;
591
+ }
592
+ size_t added = 0;
593
+ for (uint16_t pref : prefs) {
594
+ if (pref == SSL_SIGN_RSA_PKCS1_MD5_SHA1) {
595
+ // Though not intended to be used with this API, we treat
596
+ // |SSL_SIGN_RSA_PKCS1_MD5_SHA1| as a real signature algorithm in
597
+ // |SSL_PRIVATE_KEY_METHOD|. Not accepting it here makes for a confusing
598
+ // abstraction.
599
+ continue;
600
+ }
601
+ if (get_signature_algorithm(pref) == nullptr) {
602
+ OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
603
+ return false;
604
+ }
605
+ filtered[added] = pref;
606
+ added++;
607
+ }
608
+ filtered.Shrink(added);
609
+
610
+ // This can happen if |prefs| contained only |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.
611
+ // Leaving it empty would revert to the default, so treat this as an error
612
+ // condition.
613
+ if (!prefs.empty() && filtered.empty()) {
614
+ OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
615
+ return false;
616
+ }
617
+
618
+ *out = std::move(filtered);
619
+ return true;
620
+ }
621
+
497
622
  int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,
498
623
  size_t num_prefs) {
499
- return ctx->cert->sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs));
624
+ return set_sigalg_prefs(&ctx->cert->sigalgs, MakeConstSpan(prefs, num_prefs));
500
625
  }
501
626
 
502
627
  int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
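Review bot: `set_sigalg_prefs` rejects a list that becomes empty after filtering `SSL_SIGN_RSA_PKCS1_MD5_SHA1`, but an empty `prefs` passed in directly still succeeds, and per the comment in the function an empty list reverts to the default preferences. A caller that builds a restricted list and ends up with zero entries therefore gets the library defaults instead of an error. The helper's comment should say so: `// An empty |prefs| is accepted and reverts to the defaults; only a list emptied by filtering is an error.` The public setters routed through this helper now also return 0 for duplicate or unknown values, so callers that ignored the return value before need to check it. `SSL_set_signing_algorithm_prefs` at the end of this hunk continues into the next one.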
@@ -504,7 +629,8 @@ int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
504
629
  if (!ssl->config) {
505
630
  return 0;
506
631
  }
507
- return ssl->config->cert->sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs));
632
+ return set_sigalg_prefs(&ssl->config->cert->sigalgs,
633
+ MakeConstSpan(prefs, num_prefs));
508
634
  }
509
635
 
510
636
  static constexpr struct {
@@ -560,50 +686,16 @@ static bool parse_sigalg_pairs(Array<uint16_t> *out, const int *values,
560
686
  return true;
561
687
  }
562
688
 
563
- static int compare_uint16_t(const void *p1, const void *p2) {
564
- uint16_t u1 = *((const uint16_t *)p1);
565
- uint16_t u2 = *((const uint16_t *)p2);
566
- if (u1 < u2) {
567
- return -1;
568
- } else if (u1 > u2) {
569
- return 1;
570
- } else {
571
- return 0;
572
- }
573
- }
574
-
575
- static bool sigalgs_unique(Span<const uint16_t> in_sigalgs) {
576
- if (in_sigalgs.size() < 2) {
577
- return true;
578
- }
579
-
580
- Array<uint16_t> sigalgs;
581
- if (!sigalgs.CopyFrom(in_sigalgs)) {
582
- return false;
583
- }
584
-
585
- qsort(sigalgs.data(), sigalgs.size(), sizeof(uint16_t), compare_uint16_t);
586
-
587
- for (size_t i = 1; i < sigalgs.size(); i++) {
588
- if (sigalgs[i - 1] == sigalgs[i]) {
589
- OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_SIGNATURE_ALGORITHM);
590
- return false;
591
- }
592
- }
593
-
594
- return true;
595
- }
596
-
597
689
  int SSL_CTX_set1_sigalgs(SSL_CTX *ctx, const int *values, size_t num_values) {
598
690
  Array<uint16_t> sigalgs;
599
- if (!parse_sigalg_pairs(&sigalgs, values, num_values) ||
600
- !sigalgs_unique(sigalgs)) {
691
+ if (!parse_sigalg_pairs(&sigalgs, values, num_values)) {
601
692
  return 0;
602
693
  }
603
694
 
604
695
  if (!SSL_CTX_set_signing_algorithm_prefs(ctx, sigalgs.data(),
605
696
  sigalgs.size()) ||
606
- !ctx->verify_sigalgs.CopyFrom(sigalgs)) {
697
+ !SSL_CTX_set_verify_algorithm_prefs(ctx, sigalgs.data(),
698
+ sigalgs.size())) {
607
699
  return 0;
608
700
  }
609
701
 
@@ -617,13 +709,12 @@ int SSL_set1_sigalgs(SSL *ssl, const int *values, size_t num_values) {
617
709
  }
618
710
 
619
711
  Array<uint16_t> sigalgs;
620
- if (!parse_sigalg_pairs(&sigalgs, values, num_values) ||
621
- !sigalgs_unique(sigalgs)) {
712
+ if (!parse_sigalg_pairs(&sigalgs, values, num_values)) {
622
713
  return 0;
623
714
  }
624
715
 
625
716
  if (!SSL_set_signing_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size()) ||
626
- !ssl->config->verify_sigalgs.CopyFrom(sigalgs)) {
717
+ !SSL_set_verify_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size())) {
627
718
  return 0;
628
719
  }
629
720
 
@@ -663,7 +754,7 @@ static bool parse_sigalgs_list(Array<uint16_t> *out, const char *str) {
663
754
 
664
755
  // Note that the loop runs to len+1, i.e. it'll process the terminating NUL.
665
756
  for (size_t offset = 0; offset < len+1; offset++) {
666
- const char c = str[offset];
757
+ const unsigned char c = str[offset];
667
758
 
668
759
  switch (c) {
669
760
  case '+':
@@ -768,8 +859,7 @@ static bool parse_sigalgs_list(Array<uint16_t> *out, const char *str) {
768
859
  return false;
769
860
  }
770
861
 
771
- if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
772
- (c >= 'A' && c <= 'Z') || c == '-' || c == '_') {
862
+ if (OPENSSL_isalnum(c) || c == '-' || c == '_') {
773
863
  buf[buf_used++] = c;
774
864
  } else {
775
865
  OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
@@ -786,8 +876,7 @@ static bool parse_sigalgs_list(Array<uint16_t> *out, const char *str) {
786
876
 
787
877
  int SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str) {
788
878
  Array<uint16_t> sigalgs;
789
- if (!parse_sigalgs_list(&sigalgs, str) ||
790
- !sigalgs_unique(sigalgs)) {
879
+ if (!parse_sigalgs_list(&sigalgs, str)) {
791
880
  return 0;
792
881
  }
793
882
 
@@ -808,8 +897,7 @@ int SSL_set1_sigalgs_list(SSL *ssl, const char *str) {
808
897
  }
809
898
 
810
899
  Array<uint16_t> sigalgs;
811
- if (!parse_sigalgs_list(&sigalgs, str) ||
812
- !sigalgs_unique(sigalgs)) {
900
+ if (!parse_sigalgs_list(&sigalgs, str)) {
813
901
  return 0;
814
902
  }
815
903
 
@@ -823,7 +911,8 @@ int SSL_set1_sigalgs_list(SSL *ssl, const char *str) {
823
911
 
824
912
  int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,
825
913
  size_t num_prefs) {
826
- return ctx->verify_sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs));
914
+ return set_sigalg_prefs(&ctx->verify_sigalgs,
915
+ MakeConstSpan(prefs, num_prefs));
827
916
  }
828
917
 
829
918
  int SSL_set_verify_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
@@ -833,5 +922,6 @@ int SSL_set_verify_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
833
922
  return 0;
834
923
  }
835
924
 
836
- return ssl->config->verify_sigalgs.CopyFrom(MakeConstSpan(prefs, num_prefs));
925
+ return set_sigalg_prefs(&ssl->config->verify_sigalgs,
926
+ MakeConstSpan(prefs, num_prefs));
837
927
  }