grpc 1.53.1 → 1.54.0
- checksums.yaml +4 -4
- data/Makefile +78 -66
- data/include/grpc/event_engine/event_engine.h +30 -14
- data/include/grpc/grpc_security.h +4 -0
- data/include/grpc/support/port_platform.h +4 -4
- data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +11 -0
- data/src/core/ext/filters/client_channel/backend_metric.cc +6 -0
- data/src/core/ext/filters/client_channel/backup_poller.cc +2 -11
- data/src/core/ext/filters/client_channel/backup_poller.h +0 -3
- data/src/core/ext/filters/client_channel/client_channel.cc +848 -813
- data/src/core/ext/filters/client_channel/client_channel.h +131 -173
- data/src/core/ext/filters/client_channel/client_channel_internal.h +114 -0
- data/src/core/ext/filters/client_channel/config_selector.h +4 -3
- data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +6 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +17 -18
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +134 -151
- data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +2 -16
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +14 -10
- data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +68 -30
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +11 -3
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -1
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +2 -5
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +30 -38
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +20 -26
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +31 -179
- data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +1 -2
- data/src/core/ext/filters/client_channel/resolver/polling_resolver.h +1 -2
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +4 -2
- data/src/core/ext/filters/client_channel/retry_filter.cc +95 -102
- data/src/core/ext/filters/client_channel/subchannel.cc +2 -4
- data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +26 -27
- data/src/core/ext/filters/client_channel/subchannel_stream_client.h +8 -5
- data/src/core/ext/filters/http/client/http_client_filter.cc +3 -3
- data/src/core/ext/filters/http/http_filters_plugin.cc +1 -12
- data/src/core/ext/filters/http/message_compress/compression_filter.cc +27 -11
- data/src/core/ext/filters/message_size/message_size_filter.cc +141 -224
- data/src/core/ext/filters/message_size/message_size_filter.h +48 -3
- data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +7 -6
- data/src/core/ext/gcp/metadata_query.cc +142 -0
- data/src/core/ext/gcp/metadata_query.h +82 -0
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +70 -55
- data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +8 -12
- data/src/core/ext/transport/chttp2/transport/bin_encoder.h +1 -5
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +116 -58
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +5 -2
- data/src/core/ext/transport/chttp2/transport/flow_control.h +2 -1
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +4 -1
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +222 -118
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +113 -295
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.cc +0 -2
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.h +0 -2
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +277 -451
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +1 -3
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +12 -14
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +1 -9
- data/src/core/ext/transport/chttp2/transport/internal.h +16 -3
- data/src/core/ext/transport/chttp2/transport/parsing.cc +3 -2
- data/src/core/ext/transport/chttp2/transport/writing.cc +10 -5
- data/src/core/ext/transport/inproc/inproc_transport.cc +20 -14
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +23 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +94 -3
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -2
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +6 -3
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +24 -6
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +111 -12
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +9 -7
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +27 -9
- data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +11 -7
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +56 -12
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.h +24 -0
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.h +24 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.c +13 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.h +49 -0
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +24 -9
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +66 -12
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +191 -187
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +139 -136
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +31 -15
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +15 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +54 -45
- data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c +135 -119
- data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +100 -97
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.c +15 -18
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +272 -264
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +117 -117
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.h +5 -0
- data/src/core/ext/xds/xds_channel_stack_modifier.cc +1 -2
- data/src/core/ext/xds/xds_client_stats.cc +29 -15
- data/src/core/ext/xds/xds_client_stats.h +24 -20
- data/src/core/ext/xds/xds_endpoint.cc +5 -2
- data/src/core/ext/xds/xds_endpoint.h +9 -1
- data/src/core/ext/xds/xds_http_rbac_filter.cc +1 -1
- data/src/core/ext/xds/xds_lb_policy_registry.cc +13 -0
- data/src/core/ext/xds/xds_transport_grpc.cc +1 -1
- data/src/core/lib/channel/call_finalization.h +1 -1
- data/src/core/lib/channel/call_tracer.cc +51 -0
- data/src/core/lib/channel/call_tracer.h +101 -38
- data/src/core/lib/channel/connected_channel.cc +483 -1050
- data/src/core/lib/channel/context.h +8 -1
- data/src/core/lib/channel/promise_based_filter.cc +106 -42
- data/src/core/lib/channel/promise_based_filter.h +27 -13
- data/src/core/lib/channel/server_call_tracer_filter.cc +110 -0
- data/src/core/lib/config/config_vars.cc +151 -0
- data/src/core/lib/config/config_vars.h +127 -0
- data/src/core/lib/config/config_vars_non_generated.cc +51 -0
- data/src/core/lib/config/load_config.cc +66 -0
- data/src/core/lib/config/load_config.h +49 -0
- data/src/core/lib/debug/trace.cc +5 -6
- data/src/core/lib/debug/trace.h +0 -5
- data/src/core/lib/event_engine/event_engine.cc +37 -2
- data/src/core/lib/event_engine/handle_containers.h +7 -22
- data/src/core/lib/event_engine/memory_allocator_factory.h +47 -0
- data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +0 -4
- data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +3 -9
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +48 -15
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +8 -8
- data/src/core/lib/event_engine/posix_engine/posix_engine.cc +6 -5
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +6 -3
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +27 -18
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +0 -3
- data/src/core/lib/event_engine/resolved_address.cc +2 -1
- data/src/core/lib/event_engine/windows/win_socket.cc +0 -1
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +129 -82
- data/src/core/lib/event_engine/windows/windows_endpoint.h +21 -5
- data/src/core/lib/event_engine/windows/windows_engine.cc +39 -18
- data/src/core/lib/event_engine/windows/windows_engine.h +2 -1
- data/src/core/lib/event_engine/windows/windows_listener.cc +370 -0
- data/src/core/lib/event_engine/windows/windows_listener.h +155 -0
- data/src/core/lib/experiments/config.cc +3 -10
- data/src/core/lib/experiments/experiments.cc +7 -0
- data/src/core/lib/experiments/experiments.h +9 -1
- data/src/core/lib/gpr/log.cc +15 -28
- data/src/core/lib/gprpp/fork.cc +8 -14
- data/src/core/lib/gprpp/orphanable.h +4 -3
- data/src/core/lib/gprpp/per_cpu.h +9 -3
- data/src/core/lib/gprpp/{thd_posix.cc → posix/thd.cc} +49 -37
- data/src/core/lib/gprpp/ref_counted.h +33 -34
- data/src/core/lib/gprpp/thd.h +16 -0
- data/src/core/lib/gprpp/time.cc +1 -0
- data/src/core/lib/gprpp/time.h +4 -4
- data/src/core/lib/gprpp/{thd_windows.cc → windows/thd.cc} +2 -2
- data/src/core/lib/iomgr/call_combiner.h +2 -2
- data/src/core/lib/iomgr/endpoint_cfstream.cc +4 -2
- data/src/core/lib/iomgr/ev_posix.cc +13 -53
- data/src/core/lib/iomgr/ev_posix.h +0 -3
- data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +103 -76
- data/src/core/lib/iomgr/iomgr.cc +4 -8
- data/src/core/lib/iomgr/iomgr_windows.cc +8 -2
- data/src/core/lib/iomgr/pollset_set_windows.cc +9 -9
- data/src/core/lib/iomgr/pollset_windows.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -3
- data/src/core/lib/iomgr/tcp_client_windows.cc +2 -2
- data/src/core/lib/iomgr/tcp_posix.cc +0 -1
- data/src/core/lib/iomgr/tcp_server_posix.cc +5 -16
- data/src/core/lib/iomgr/tcp_server_windows.cc +176 -9
- data/src/core/lib/iomgr/tcp_windows.cc +12 -8
- data/src/core/lib/load_balancing/lb_policy.cc +9 -13
- data/src/core/lib/load_balancing/lb_policy.h +4 -2
- data/src/core/lib/promise/activity.cc +22 -6
- data/src/core/lib/promise/activity.h +61 -24
- data/src/core/lib/promise/cancel_callback.h +77 -0
- data/src/core/lib/promise/detail/basic_seq.h +1 -1
- data/src/core/lib/promise/detail/promise_factory.h +4 -0
- data/src/core/lib/promise/for_each.h +176 -0
- data/src/core/lib/promise/if.h +9 -0
- data/src/core/lib/promise/interceptor_list.h +23 -2
- data/src/core/lib/promise/latch.h +89 -3
- data/src/core/lib/promise/loop.h +13 -9
- data/src/core/lib/promise/map.h +7 -0
- data/src/core/lib/promise/party.cc +286 -0
- data/src/core/lib/promise/party.h +499 -0
- data/src/core/lib/promise/pipe.h +197 -57
- data/src/core/lib/promise/poll.h +48 -0
- data/src/core/lib/promise/promise.h +2 -2
- data/src/core/lib/resource_quota/arena.cc +19 -3
- data/src/core/lib/resource_quota/arena.h +119 -5
- data/src/core/lib/resource_quota/memory_quota.cc +1 -1
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +12 -35
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +1 -0
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +0 -59
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +10 -5
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +13 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +2 -0
- data/src/core/lib/security/security_connector/load_system_roots_supported.cc +5 -9
- data/src/core/lib/security/security_connector/ssl_utils.cc +11 -25
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +12 -0
- data/src/core/lib/security/transport/secure_endpoint.cc +4 -2
- data/src/core/lib/security/transport/server_auth_filter.cc +20 -2
- data/src/core/lib/slice/slice.cc +1 -1
- data/src/core/lib/surface/builtins.cc +2 -0
- data/src/core/lib/surface/call.cc +926 -1024
- data/src/core/lib/surface/call.h +10 -0
- data/src/core/lib/surface/lame_client.cc +1 -0
- data/src/core/lib/surface/validate_metadata.cc +42 -43
- data/src/core/lib/surface/validate_metadata.h +0 -9
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/batch_builder.cc +179 -0
- data/src/core/lib/transport/batch_builder.h +468 -0
- data/src/core/lib/transport/bdp_estimator.cc +7 -7
- data/src/core/lib/transport/bdp_estimator.h +10 -6
- data/src/core/lib/transport/custom_metadata.h +30 -0
- data/src/core/lib/transport/metadata_batch.cc +5 -2
- data/src/core/lib/transport/metadata_batch.h +17 -113
- data/src/core/lib/transport/parsed_metadata.h +6 -16
- data/src/core/lib/transport/timeout_encoding.cc +6 -1
- data/src/core/lib/transport/transport.cc +30 -2
- data/src/core/lib/transport/transport.h +70 -14
- data/src/core/lib/transport/transport_impl.h +7 -0
- data/src/core/lib/transport/transport_op_string.cc +52 -42
- data/src/core/plugin_registry/grpc_plugin_registry.cc +2 -2
- data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +1 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +21 -4
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +5 -0
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
- data/src/core/tsi/ssl_transport_security.cc +4 -2
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/abseil-cpp/absl/base/config.h +1 -1
- data/third_party/abseil-cpp/absl/flags/commandlineflag.cc +34 -0
- data/third_party/abseil-cpp/absl/flags/commandlineflag.h +200 -0
- data/third_party/abseil-cpp/absl/flags/config.h +68 -0
- data/third_party/abseil-cpp/absl/flags/declare.h +73 -0
- data/third_party/abseil-cpp/absl/flags/flag.cc +38 -0
- data/third_party/abseil-cpp/absl/flags/flag.h +310 -0
- data/{src/core/lib/gprpp/global_config_custom.h → third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc} +11 -14
- data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.h +68 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag.cc +615 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag.h +800 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag_msvc.inc +116 -0
- data/third_party/abseil-cpp/absl/flags/internal/path_util.h +62 -0
- data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc +65 -0
- data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h +61 -0
- data/third_party/abseil-cpp/absl/flags/internal/program_name.cc +60 -0
- data/third_party/abseil-cpp/absl/flags/internal/program_name.h +50 -0
- data/third_party/abseil-cpp/absl/flags/internal/registry.h +97 -0
- data/third_party/abseil-cpp/absl/flags/internal/sequence_lock.h +187 -0
- data/third_party/abseil-cpp/absl/flags/marshalling.cc +241 -0
- data/third_party/abseil-cpp/absl/flags/marshalling.h +356 -0
- data/third_party/abseil-cpp/absl/flags/reflection.cc +354 -0
- data/third_party/abseil-cpp/absl/flags/reflection.h +90 -0
- data/third_party/abseil-cpp/absl/flags/usage_config.cc +165 -0
- data/third_party/abseil-cpp/absl/flags/usage_config.h +135 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +12 -8
- data/third_party/boringssl-with-bazel/err_data.c +728 -712
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +177 -177
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +28 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +21 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +20 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +66 -185
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +18 -21
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +356 -311
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +174 -194
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +146 -210
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +6 -9
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c +346 -526
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +110 -131
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +130 -116
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +93 -60
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +93 -181
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +242 -305
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +41 -18
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +30 -33
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +36 -33
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +29 -26
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +133 -88
- data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.c +230 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +791 -791
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +526 -526
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +114 -135
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +201 -207
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +21 -26
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +55 -68
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +11 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +15 -9
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +17 -10
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -3
- data/third_party/boringssl-with-bazel/src/crypto/bio/printf.c +0 -13
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +9 -5
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +10 -23
- data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +2 -6
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +29 -28
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +161 -201
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +254 -39
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +37 -75
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +8 -10
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/cipher → cipher_extra}/e_des.c +100 -78
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc2.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +6 -12
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -11
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +6 -10
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf_def.h +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +12 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.c +74 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_freebsd.c +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-fuchsia.c → cpu_aarch64_fuchsia.c} +8 -7
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-linux.c → cpu_aarch64_linux.c} +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-win.c → cpu_aarch64_win.c} +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm.c → cpu_arm.c} +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.c +55 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.c → cpu_arm_linux.c} +11 -90
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.h → cpu_arm_linux.h} +0 -38
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-intel.c → cpu_intel.c} +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +25 -20
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +16 -27
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +17 -32
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/des.c +232 -232
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/dh_extra/params.c +232 -29
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +0 -3
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +39 -16
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +37 -7
- data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +11 -36
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +214 -99
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +21 -5
- data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/err/err.c +83 -60
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +46 -12
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +25 -23
- data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +43 -9
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +75 -44
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +19 -25
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +96 -45
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +7 -8
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +26 -23
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.c +233 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +42 -25
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +35 -47
- data/third_party/boringssl-with-bazel/src/crypto/evp/print.c +135 -244
- data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/evp/sign.c +15 -10
- data/third_party/boringssl-with-bazel/src/crypto/ex_data.c +29 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +13 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +3 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +13 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +9 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +35 -27
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +16 -26
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c +88 -60
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +99 -113
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +5 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c +112 -168
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +86 -31
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +11 -6
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +13 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +13 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +19 -108
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +19 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +15 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +22 -21
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +79 -19
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +102 -99
- data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c +52 -46
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +39 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c +55 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +21 -6
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +56 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +5 -3
- data/third_party/boringssl-with-bazel/src/crypto/{evp → fipsmodule/digestsign}/digestsign.c +51 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +25 -25
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +91 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +34 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +54 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +44 -60
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64-table.h → p256-nistz-table.h} +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.c → p256-nistz.c} +60 -53
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.h → p256-nistz.h} +5 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +48 -36
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +2 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +2 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +42 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +6 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.c +52 -24
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +9 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +71 -43
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +14 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +31 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +16 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +9 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +73 -59
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -45
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +22 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +63 -52
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +107 -62
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +58 -31
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +523 -422
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +89 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c +334 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +3 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +12 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +14 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +19 -6
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +32 -14
- data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +65 -29
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +373 -18
- data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +61 -0
- data/third_party/boringssl-with-bazel/src/crypto/kyber/keccak.c +205 -0
- data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +13 -1
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +220 -13
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +19 -7
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +13 -1
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +81 -90
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +150 -245
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +629 -613
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +17 -17
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +142 -149
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +99 -131
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +0 -3
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -66
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +31 -38
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +18 -31
- data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +8 -1
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +129 -5
- data/third_party/boringssl-with-bazel/src/crypto/refcount_c11.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +8 -11
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +61 -27
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +66 -34
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +190 -77
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +81 -284
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +109 -42
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c +22 -24
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +54 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +32 -34
- data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +32 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +465 -704
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +284 -331
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +183 -178
- data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c +11 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +67 -50
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +153 -150
- data/third_party/boringssl-with-bazel/src/crypto/x509/policy.c +786 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +95 -102
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +72 -57
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +12 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +227 -252
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +52 -47
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +230 -224
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +161 -327
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.c +37 -33
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +14 -31
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +55 -85
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +534 -618
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +129 -122
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +116 -182
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +132 -132
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +181 -202
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +64 -79
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +175 -160
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +1865 -2050
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +433 -462
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +156 -163
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +267 -263
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +40 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +59 -63
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +63 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +114 -144
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +25 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +326 -415
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +8 -7
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_info.c +30 -28
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +354 -370
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +37 -32
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +116 -119
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +36 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +419 -261
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +113 -105
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +11 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +78 -170
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +126 -131
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akeya.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +465 -469
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bcons.c +56 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +46 -49
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +309 -346
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +341 -365
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +429 -393
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +29 -24
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_extku.c +65 -59
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +125 -121
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +43 -42
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +122 -125
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_int.c +50 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +247 -253
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +386 -389
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +45 -32
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c +57 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c +63 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +143 -136
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +664 -707
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +83 -75
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1062 -1146
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +8 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +28 -48
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +211 -187
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +26 -78
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +19 -14
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +21 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +49 -17
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +99 -29
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +49 -60
- data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +2 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +16 -200
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +34 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +82 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +32 -30
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +7 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +48 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +37 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +33 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +22 -30
- data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +7 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +41 -16
- data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +91 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +74 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +13 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +11 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +8 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +12 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +7 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +96 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +13 -21
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +139 -75
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +1 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +384 -286
- data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +5 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/time.h +41 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +18 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +49 -23
- data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +0 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1592 -1074
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +202 -205
- data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -13
- data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +17 -18
- data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +4 -5
- data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +25 -33
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +34 -20
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +65 -34
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +198 -54
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +5 -5
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +32 -28
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +76 -44
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +130 -98
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +27 -11
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +91 -75
- data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +8 -10
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +39 -65
- data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +1 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +5 -9
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +30 -33
- data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +77 -100
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +120 -107
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +164 -30
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +150 -60
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +22 -11
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +22 -6
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +15 -13
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +5 -43
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +7 -4
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +22 -34
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +16 -98
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +1241 -657
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +751 -398
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3551 -1938
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1272 -487
- metadata +103 -70
- data/src/core/ext/filters/client_channel/lb_call_state_internal.h +0 -39
- data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.cc +0 -30
- data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.h +0 -29
- data/src/core/lib/gprpp/global_config.h +0 -93
- data/src/core/lib/gprpp/global_config_env.cc +0 -140
- data/src/core/lib/gprpp/global_config_env.h +0 -133
- data/src/core/lib/gprpp/global_config_generic.h +0 -40
- data/src/core/lib/promise/intra_activity_waiter.h +0 -55
- data/src/core/lib/security/security_connector/ssl_utils_config.cc +0 -32
- data/src/core/lib/security/security_connector/ssl_utils_config.h +0 -29
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +0 -195
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +0 -83
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +0 -236
- data/third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h +0 -15
- data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +0 -206
- data/third_party/boringssl-with-bazel/src/crypto/cpu-ppc64le.c +0 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1-altivec.c +0 -361
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +0 -287
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +0 -132
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_lib.c +0 -155
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +0 -131
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +0 -189
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +0 -843
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +0 -289
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c +0 -57
- /data/src/core/lib/gpr/{log_android.cc → android/log.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_iphone.cc → iphone/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_linux.cc → linux/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_linux.cc → linux/log.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_msys.cc → msys/tmpfile.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_posix.cc → posix/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_posix.cc → posix/log.cc} +0 -0
- /data/src/core/lib/gpr/{string_posix.cc → posix/string.cc} +0 -0
- /data/src/core/lib/gpr/{sync_posix.cc → posix/sync.cc} +0 -0
- /data/src/core/lib/gpr/{time_posix.cc → posix/time.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_posix.cc → posix/tmpfile.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_windows.cc → windows/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_windows.cc → windows/log.cc} +0 -0
- /data/src/core/lib/gpr/{string_windows.cc → windows/string.cc} +0 -0
- /data/src/core/lib/gpr/{string_util_windows.cc → windows/string_util.cc} +0 -0
- /data/src/core/lib/gpr/{sync_windows.cc → windows/sync.cc} +0 -0
- /data/src/core/lib/gpr/{time_windows.cc → windows/time.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_windows.cc → windows/tmpfile.cc} +0 -0
- /data/src/core/lib/gprpp/{env_linux.cc → linux/env.cc} +0 -0
- /data/src/core/lib/gprpp/{env_posix.cc → posix/env.cc} +0 -0
- /data/src/core/lib/gprpp/{stat_posix.cc → posix/stat.cc} +0 -0
- /data/src/core/lib/gprpp/{env_windows.cc → windows/env.cc} +0 -0
- /data/src/core/lib/gprpp/{stat_windows.cc → windows/stat.cc} +0 -0
@@ -1,4 +1,3 @@
|
|
1
|
-
/* v3_utl.c */
|
2
1
|
/*
|
3
2
|
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
|
4
3
|
* project.
|
@@ -63,6 +62,7 @@
|
|
63
62
|
#include <string.h>
|
64
63
|
|
65
64
|
#include <openssl/bn.h>
|
65
|
+
#include <openssl/bytestring.h>
|
66
66
|
#include <openssl/conf.h>
|
67
67
|
#include <openssl/err.h>
|
68
68
|
#include <openssl/mem.h>
|
@@ -75,1363 +75,1279 @@
|
|
75
75
|
|
76
76
|
|
77
77
|
static char *strip_spaces(char *name);
|
78
|
-
static int sk_strcmp(const
|
79
|
-
static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
|
80
|
-
GENERAL_NAMES *gens);
|
78
|
+
static int sk_strcmp(const char **a, const char **b);
|
79
|
+
static STACK_OF(OPENSSL_STRING) *get_email(const X509_NAME *name,
|
80
|
+
const GENERAL_NAMES *gens);
|
81
81
|
static void str_free(OPENSSL_STRING str);
|
82
|
-
static int append_ia5(STACK_OF(OPENSSL_STRING) **sk,
|
82
|
+
static int append_ia5(STACK_OF(OPENSSL_STRING) **sk,
|
83
|
+
const ASN1_IA5STRING *email);
|
83
84
|
|
84
85
|
static int ipv4_from_asc(unsigned char v4[4], const char *in);
|
85
86
|
static int ipv6_from_asc(unsigned char v6[16], const char *in);
|
86
|
-
static int ipv6_cb(const char *elem,
|
87
|
-
static int ipv6_hex(unsigned char *out, const char *in,
|
87
|
+
static int ipv6_cb(const char *elem, size_t len, void *usr);
|
88
|
+
static int ipv6_hex(unsigned char *out, const char *in, size_t inlen);
|
88
89
|
|
89
|
-
|
90
|
+
// Add a CONF_VALUE name value pair to stack
|
90
91
|
|
91
92
|
static int x509V3_add_len_value(const char *name, const char *value,
|
92
93
|
size_t value_len, int omit_value,
|
93
|
-
STACK_OF(CONF_VALUE) **extlist)
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
}
|
106
|
-
tvalue = OPENSSL_strndup(value, value_len);
|
107
|
-
if (tvalue == NULL) {
|
108
|
-
goto malloc_err;
|
109
|
-
}
|
94
|
+
STACK_OF(CONF_VALUE) **extlist) {
|
95
|
+
CONF_VALUE *vtmp = NULL;
|
96
|
+
char *tname = NULL, *tvalue = NULL;
|
97
|
+
int extlist_was_null = *extlist == NULL;
|
98
|
+
if (name && !(tname = OPENSSL_strdup(name))) {
|
99
|
+
goto err;
|
100
|
+
}
|
101
|
+
if (!omit_value) {
|
102
|
+
// |CONF_VALUE| cannot represent strings with NULs.
|
103
|
+
if (OPENSSL_memchr(value, 0, value_len)) {
|
104
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_VALUE);
|
105
|
+
goto err;
|
110
106
|
}
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
goto malloc_err;
|
115
|
-
vtmp->section = NULL;
|
116
|
-
vtmp->name = tname;
|
117
|
-
vtmp->value = tvalue;
|
118
|
-
if (!sk_CONF_VALUE_push(*extlist, vtmp))
|
119
|
-
goto malloc_err;
|
120
|
-
return 1;
|
121
|
-
malloc_err:
|
122
|
-
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
|
123
|
-
err:
|
124
|
-
if (extlist_was_null) {
|
125
|
-
sk_CONF_VALUE_free(*extlist);
|
126
|
-
*extlist = NULL;
|
107
|
+
tvalue = OPENSSL_strndup(value, value_len);
|
108
|
+
if (tvalue == NULL) {
|
109
|
+
goto err;
|
127
110
|
}
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
|
111
|
+
}
|
112
|
+
if (!(vtmp = CONF_VALUE_new())) {
|
113
|
+
goto err;
|
114
|
+
}
|
115
|
+
if (!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) {
|
116
|
+
goto err;
|
117
|
+
}
|
118
|
+
vtmp->section = NULL;
|
119
|
+
vtmp->name = tname;
|
120
|
+
vtmp->value = tvalue;
|
121
|
+
if (!sk_CONF_VALUE_push(*extlist, vtmp)) {
|
122
|
+
goto err;
|
123
|
+
}
|
124
|
+
return 1;
|
125
|
+
err:
|
126
|
+
if (extlist_was_null) {
|
127
|
+
sk_CONF_VALUE_free(*extlist);
|
128
|
+
*extlist = NULL;
|
129
|
+
}
|
130
|
+
OPENSSL_free(vtmp);
|
131
|
+
OPENSSL_free(tname);
|
132
|
+
OPENSSL_free(tvalue);
|
133
|
+
return 0;
|
132
134
|
}
|
133
135
|
|
134
136
|
int X509V3_add_value(const char *name, const char *value,
|
135
|
-
STACK_OF(CONF_VALUE) **extlist)
|
136
|
-
|
137
|
-
|
138
|
-
/*omit_value=*/value == NULL, extlist);
|
139
|
-
}
|
140
|
-
|
141
|
-
int X509V3_add_value_uchar(const char *name, const unsigned char *value,
|
142
|
-
STACK_OF(CONF_VALUE) **extlist)
|
143
|
-
{
|
144
|
-
return X509V3_add_value(name, (const char *)value, extlist);
|
137
|
+
STACK_OF(CONF_VALUE) **extlist) {
|
138
|
+
return x509V3_add_len_value(name, value, value != NULL ? strlen(value) : 0,
|
139
|
+
/*omit_value=*/value == NULL, extlist);
|
145
140
|
}
|
146
141
|
|
147
142
|
int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value,
|
148
|
-
STACK_OF(CONF_VALUE) **extlist)
|
149
|
-
|
150
|
-
|
151
|
-
/*omit_value=*/0, extlist);
|
143
|
+
STACK_OF(CONF_VALUE) **extlist) {
|
144
|
+
return x509V3_add_len_value(name, (const char *)value->data, value->length,
|
145
|
+
/*omit_value=*/0, extlist);
|
152
146
|
}
|
153
147
|
|
154
|
-
|
155
|
-
|
156
|
-
void X509V3_conf_free(CONF_VALUE *conf)
|
157
|
-
{
|
158
|
-
if (!conf)
|
159
|
-
return;
|
160
|
-
if (conf->name)
|
161
|
-
OPENSSL_free(conf->name);
|
162
|
-
if (conf->value)
|
163
|
-
OPENSSL_free(conf->value);
|
164
|
-
if (conf->section)
|
165
|
-
OPENSSL_free(conf->section);
|
166
|
-
OPENSSL_free(conf);
|
167
|
-
}
|
148
|
+
// Free function for STACK_OF(CONF_VALUE)
|
168
149
|
|
169
|
-
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
|
174
|
-
|
150
|
+
void X509V3_conf_free(CONF_VALUE *conf) {
|
151
|
+
if (!conf) {
|
152
|
+
return;
|
153
|
+
}
|
154
|
+
OPENSSL_free(conf->name);
|
155
|
+
OPENSSL_free(conf->value);
|
156
|
+
OPENSSL_free(conf->section);
|
157
|
+
OPENSSL_free(conf);
|
175
158
|
}
|
176
159
|
|
177
|
-
int
|
178
|
-
|
179
|
-
{
|
180
|
-
|
181
|
-
|
182
|
-
|
160
|
+
int X509V3_add_value_bool(const char *name, int asn1_bool,
|
161
|
+
STACK_OF(CONF_VALUE) **extlist) {
|
162
|
+
if (asn1_bool) {
|
163
|
+
return X509V3_add_value(name, "TRUE", extlist);
|
164
|
+
}
|
165
|
+
return X509V3_add_value(name, "FALSE", extlist);
|
183
166
|
}
|
184
167
|
|
185
|
-
static char *bignum_to_string(const BIGNUM *bn)
|
186
|
-
|
187
|
-
|
188
|
-
size_t len;
|
189
|
-
|
190
|
-
/*
|
191
|
-
* Display large numbers in hex and small numbers in decimal. Converting to
|
192
|
-
* decimal takes quadratic time and is no more useful than hex for large
|
193
|
-
* numbers.
|
194
|
-
*/
|
195
|
-
if (BN_num_bits(bn) < 32) {
|
196
|
-
return BN_bn2dec(bn);
|
197
|
-
}
|
168
|
+
static char *bignum_to_string(const BIGNUM *bn) {
|
169
|
+
char *tmp, *ret;
|
170
|
+
size_t len;
|
198
171
|
|
199
|
-
|
200
|
-
|
201
|
-
|
202
|
-
|
172
|
+
// Display large numbers in hex and small numbers in decimal. Converting to
|
173
|
+
// decimal takes quadratic time and is no more useful than hex for large
|
174
|
+
// numbers.
|
175
|
+
if (BN_num_bits(bn) < 32) {
|
176
|
+
return BN_bn2dec(bn);
|
177
|
+
}
|
203
178
|
|
204
|
-
|
205
|
-
|
206
|
-
|
207
|
-
|
208
|
-
OPENSSL_free(tmp);
|
209
|
-
return NULL;
|
210
|
-
}
|
179
|
+
tmp = BN_bn2hex(bn);
|
180
|
+
if (tmp == NULL) {
|
181
|
+
return NULL;
|
182
|
+
}
|
211
183
|
|
212
|
-
|
213
|
-
|
214
|
-
|
215
|
-
OPENSSL_strlcat(ret, tmp + 1, len);
|
216
|
-
} else {
|
217
|
-
OPENSSL_strlcpy(ret, "0x", len);
|
218
|
-
OPENSSL_strlcat(ret, tmp, len);
|
219
|
-
}
|
184
|
+
len = strlen(tmp) + 3;
|
185
|
+
ret = OPENSSL_malloc(len);
|
186
|
+
if (ret == NULL) {
|
220
187
|
OPENSSL_free(tmp);
|
221
|
-
return
|
188
|
+
return NULL;
|
189
|
+
}
|
190
|
+
|
191
|
+
// Prepend "0x", but place it after the "-" if negative.
|
192
|
+
if (tmp[0] == '-') {
|
193
|
+
OPENSSL_strlcpy(ret, "-0x", len);
|
194
|
+
OPENSSL_strlcat(ret, tmp + 1, len);
|
195
|
+
} else {
|
196
|
+
OPENSSL_strlcpy(ret, "0x", len);
|
197
|
+
OPENSSL_strlcat(ret, tmp, len);
|
198
|
+
}
|
199
|
+
OPENSSL_free(tmp);
|
200
|
+
return ret;
|
222
201
|
}
|
223
202
|
|
224
|
-
char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method,
|
225
|
-
{
|
226
|
-
|
227
|
-
|
228
|
-
|
229
|
-
|
230
|
-
|
231
|
-
|
232
|
-
|
233
|
-
|
234
|
-
|
203
|
+
char *i2s_ASN1_ENUMERATED(const X509V3_EXT_METHOD *method,
|
204
|
+
const ASN1_ENUMERATED *a) {
|
205
|
+
BIGNUM *bntmp = NULL;
|
206
|
+
char *strtmp = NULL;
|
207
|
+
if (!a) {
|
208
|
+
return NULL;
|
209
|
+
}
|
210
|
+
if (!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||
|
211
|
+
!(strtmp = bignum_to_string(bntmp))) {
|
212
|
+
}
|
213
|
+
BN_free(bntmp);
|
214
|
+
return strtmp;
|
235
215
|
}
|
236
216
|
|
237
|
-
char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, const ASN1_INTEGER *a)
|
238
|
-
|
239
|
-
|
240
|
-
|
241
|
-
|
242
|
-
|
243
|
-
|
244
|
-
|
245
|
-
|
246
|
-
|
247
|
-
|
217
|
+
char *i2s_ASN1_INTEGER(const X509V3_EXT_METHOD *method, const ASN1_INTEGER *a) {
|
218
|
+
BIGNUM *bntmp = NULL;
|
219
|
+
char *strtmp = NULL;
|
220
|
+
if (!a) {
|
221
|
+
return NULL;
|
222
|
+
}
|
223
|
+
if (!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||
|
224
|
+
!(strtmp = bignum_to_string(bntmp))) {
|
225
|
+
}
|
226
|
+
BN_free(bntmp);
|
227
|
+
return strtmp;
|
248
228
|
}
|
249
229
|
|
250
|
-
ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method,
|
251
|
-
{
|
252
|
-
|
253
|
-
|
254
|
-
|
255
|
-
|
256
|
-
|
257
|
-
|
258
|
-
|
259
|
-
|
260
|
-
|
261
|
-
|
262
|
-
|
263
|
-
|
264
|
-
|
265
|
-
|
266
|
-
|
267
|
-
|
268
|
-
|
269
|
-
|
270
|
-
|
271
|
-
|
272
|
-
|
273
|
-
|
274
|
-
|
275
|
-
|
276
|
-
|
277
|
-
|
278
|
-
|
279
|
-
|
280
|
-
|
281
|
-
|
230
|
+
ASN1_INTEGER *s2i_ASN1_INTEGER(const X509V3_EXT_METHOD *method,
|
231
|
+
const char *value) {
|
232
|
+
BIGNUM *bn = NULL;
|
233
|
+
ASN1_INTEGER *aint;
|
234
|
+
int isneg, ishex;
|
235
|
+
int ret;
|
236
|
+
if (!value) {
|
237
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_VALUE);
|
238
|
+
return 0;
|
239
|
+
}
|
240
|
+
bn = BN_new();
|
241
|
+
if (value[0] == '-') {
|
242
|
+
value++;
|
243
|
+
isneg = 1;
|
244
|
+
} else {
|
245
|
+
isneg = 0;
|
246
|
+
}
|
247
|
+
|
248
|
+
if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
|
249
|
+
value += 2;
|
250
|
+
ishex = 1;
|
251
|
+
} else {
|
252
|
+
ishex = 0;
|
253
|
+
}
|
254
|
+
|
255
|
+
if (ishex) {
|
256
|
+
ret = BN_hex2bn(&bn, value);
|
257
|
+
} else {
|
258
|
+
// Decoding from decimal scales quadratically in the input length. Bound the
|
259
|
+
// largest decimal input we accept in the config parser. 8,192 decimal
|
260
|
+
// digits allows values up to 27,213 bits. Ths exceeds the largest RSA, DSA,
|
261
|
+
// or DH modulus we support, and those are not usefully represented in
|
262
|
+
// decimal.
|
263
|
+
if (strlen(value) > 8192) {
|
264
|
+
BN_free(bn);
|
265
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NUMBER);
|
266
|
+
return 0;
|
282
267
|
}
|
268
|
+
ret = BN_dec2bn(&bn, value);
|
269
|
+
}
|
283
270
|
|
284
|
-
|
285
|
-
isneg = 0;
|
286
|
-
|
287
|
-
aint = BN_to_ASN1_INTEGER(bn, NULL);
|
271
|
+
if (!ret || value[ret]) {
|
288
272
|
BN_free(bn);
|
289
|
-
|
290
|
-
|
291
|
-
|
292
|
-
}
|
293
|
-
if (isneg)
|
294
|
-
aint->type |= V_ASN1_NEG;
|
295
|
-
return aint;
|
296
|
-
}
|
273
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_BN_DEC2BN_ERROR);
|
274
|
+
return 0;
|
275
|
+
}
|
297
276
|
|
298
|
-
|
299
|
-
|
300
|
-
|
301
|
-
|
302
|
-
|
303
|
-
|
304
|
-
|
305
|
-
|
306
|
-
|
307
|
-
|
308
|
-
|
309
|
-
|
277
|
+
if (isneg && BN_is_zero(bn)) {
|
278
|
+
isneg = 0;
|
279
|
+
}
|
280
|
+
|
281
|
+
aint = BN_to_ASN1_INTEGER(bn, NULL);
|
282
|
+
BN_free(bn);
|
283
|
+
if (!aint) {
|
284
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
|
285
|
+
return 0;
|
286
|
+
}
|
287
|
+
if (isneg) {
|
288
|
+
aint->type |= V_ASN1_NEG;
|
289
|
+
}
|
290
|
+
return aint;
|
310
291
|
}
|
311
292
|
|
312
|
-
int
|
313
|
-
{
|
314
|
-
|
315
|
-
|
316
|
-
|
317
|
-
|
318
|
-
|
319
|
-
|
320
|
-
*asn1_bool = 0xff;
|
321
|
-
return 1;
|
322
|
-
} else if (!strcmp(btmp, "FALSE") || !strcmp(btmp, "false")
|
323
|
-
|| !strcmp(btmp, "N") || !strcmp(btmp, "n")
|
324
|
-
|| !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
|
325
|
-
*asn1_bool = 0;
|
326
|
-
return 1;
|
327
|
-
}
|
328
|
-
err:
|
329
|
-
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_BOOLEAN_STRING);
|
330
|
-
X509V3_conf_err(value);
|
293
|
+
int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
|
294
|
+
STACK_OF(CONF_VALUE) **extlist) {
|
295
|
+
char *strtmp;
|
296
|
+
int ret;
|
297
|
+
if (!aint) {
|
298
|
+
return 1;
|
299
|
+
}
|
300
|
+
if (!(strtmp = i2s_ASN1_INTEGER(NULL, aint))) {
|
331
301
|
return 0;
|
302
|
+
}
|
303
|
+
ret = X509V3_add_value(name, strtmp, extlist);
|
304
|
+
OPENSSL_free(strtmp);
|
305
|
+
return ret;
|
332
306
|
}
|
333
307
|
|
334
|
-
int
|
335
|
-
|
336
|
-
|
337
|
-
|
338
|
-
|
339
|
-
|
340
|
-
|
341
|
-
|
308
|
+
int X509V3_bool_from_string(const char *str, ASN1_BOOLEAN *out_bool) {
|
309
|
+
if (!strcmp(str, "TRUE") || !strcmp(str, "true") || !strcmp(str, "Y") ||
|
310
|
+
!strcmp(str, "y") || !strcmp(str, "YES") || !strcmp(str, "yes")) {
|
311
|
+
*out_bool = ASN1_BOOLEAN_TRUE;
|
312
|
+
return 1;
|
313
|
+
}
|
314
|
+
if (!strcmp(str, "FALSE") || !strcmp(str, "false") || !strcmp(str, "N") ||
|
315
|
+
!strcmp(str, "n") || !strcmp(str, "NO") || !strcmp(str, "no")) {
|
316
|
+
*out_bool = ASN1_BOOLEAN_FALSE;
|
342
317
|
return 1;
|
318
|
+
}
|
319
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_BOOLEAN_STRING);
|
320
|
+
return 0;
|
343
321
|
}
|
344
322
|
|
345
|
-
|
346
|
-
|
323
|
+
int X509V3_get_value_bool(const CONF_VALUE *value, ASN1_BOOLEAN *out_bool) {
|
324
|
+
const char *btmp = value->value;
|
325
|
+
if (btmp == NULL) {
|
326
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_BOOLEAN_STRING);
|
327
|
+
goto err;
|
328
|
+
}
|
329
|
+
if (!X509V3_bool_from_string(btmp, out_bool)) {
|
330
|
+
goto err;
|
331
|
+
}
|
332
|
+
return 1;
|
347
333
|
|
348
|
-
|
349
|
-
|
350
|
-
|
334
|
+
err:
|
335
|
+
X509V3_conf_err(value);
|
336
|
+
return 0;
|
337
|
+
}
|
351
338
|
|
352
|
-
|
353
|
-
|
354
|
-
|
355
|
-
|
356
|
-
|
357
|
-
|
358
|
-
|
359
|
-
|
360
|
-
|
361
|
-
|
362
|
-
|
363
|
-
|
364
|
-
|
365
|
-
|
366
|
-
|
367
|
-
|
368
|
-
|
369
|
-
|
370
|
-
|
371
|
-
|
372
|
-
|
373
|
-
|
374
|
-
|
375
|
-
|
376
|
-
|
377
|
-
|
378
|
-
|
379
|
-
|
380
|
-
|
381
|
-
|
382
|
-
|
383
|
-
|
384
|
-
|
385
|
-
|
339
|
+
int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint) {
|
340
|
+
ASN1_INTEGER *itmp;
|
341
|
+
if (!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
|
342
|
+
X509V3_conf_err(value);
|
343
|
+
return 0;
|
344
|
+
}
|
345
|
+
ASN1_INTEGER_free(*aint);
|
346
|
+
*aint = itmp;
|
347
|
+
return 1;
|
348
|
+
}
|
349
|
+
|
350
|
+
#define HDR_NAME 1
|
351
|
+
#define HDR_VALUE 2
|
352
|
+
|
353
|
+
// #define DEBUG
|
354
|
+
|
355
|
+
STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line) {
|
356
|
+
char *p, *q, c;
|
357
|
+
char *ntmp, *vtmp;
|
358
|
+
STACK_OF(CONF_VALUE) *values = NULL;
|
359
|
+
char *linebuf;
|
360
|
+
int state;
|
361
|
+
// We are going to modify the line so copy it first
|
362
|
+
linebuf = OPENSSL_strdup(line);
|
363
|
+
if (linebuf == NULL) {
|
364
|
+
goto err;
|
365
|
+
}
|
366
|
+
state = HDR_NAME;
|
367
|
+
ntmp = NULL;
|
368
|
+
// Go through all characters
|
369
|
+
for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') && (c != '\n'); p++) {
|
370
|
+
switch (state) {
|
371
|
+
case HDR_NAME:
|
372
|
+
if (c == ':') {
|
373
|
+
state = HDR_VALUE;
|
374
|
+
*p = 0;
|
375
|
+
ntmp = strip_spaces(q);
|
376
|
+
if (!ntmp) {
|
377
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_NAME);
|
378
|
+
goto err;
|
379
|
+
}
|
380
|
+
q = p + 1;
|
381
|
+
} else if (c == ',') {
|
382
|
+
*p = 0;
|
383
|
+
ntmp = strip_spaces(q);
|
384
|
+
q = p + 1;
|
386
385
|
#if 0
|
387
386
|
printf("%s\n", ntmp);
|
388
387
|
#endif
|
389
|
-
|
390
|
-
|
391
|
-
|
392
|
-
|
393
|
-
|
394
|
-
|
395
|
-
|
396
|
-
|
397
|
-
|
398
|
-
|
399
|
-
|
400
|
-
|
401
|
-
|
388
|
+
if (!ntmp) {
|
389
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_NAME);
|
390
|
+
goto err;
|
391
|
+
}
|
392
|
+
X509V3_add_value(ntmp, NULL, &values);
|
393
|
+
}
|
394
|
+
break;
|
395
|
+
|
396
|
+
case HDR_VALUE:
|
397
|
+
if (c == ',') {
|
398
|
+
state = HDR_NAME;
|
399
|
+
*p = 0;
|
400
|
+
vtmp = strip_spaces(q);
|
402
401
|
#if 0
|
403
402
|
printf("%s\n", ntmp);
|
404
403
|
#endif
|
405
|
-
|
406
|
-
|
407
|
-
|
408
|
-
|
409
|
-
|
410
|
-
|
411
|
-
|
412
|
-
}
|
413
|
-
|
404
|
+
if (!vtmp) {
|
405
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_VALUE);
|
406
|
+
goto err;
|
407
|
+
}
|
408
|
+
X509V3_add_value(ntmp, vtmp, &values);
|
409
|
+
ntmp = NULL;
|
410
|
+
q = p + 1;
|
414
411
|
}
|
415
412
|
}
|
413
|
+
}
|
416
414
|
|
417
|
-
|
418
|
-
|
415
|
+
if (state == HDR_VALUE) {
|
416
|
+
vtmp = strip_spaces(q);
|
419
417
|
#if 0
|
420
418
|
printf("%s=%s\n", ntmp, vtmp);
|
421
419
|
#endif
|
422
|
-
|
423
|
-
|
424
|
-
|
425
|
-
|
426
|
-
|
427
|
-
|
428
|
-
|
420
|
+
if (!vtmp) {
|
421
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_VALUE);
|
422
|
+
goto err;
|
423
|
+
}
|
424
|
+
X509V3_add_value(ntmp, vtmp, &values);
|
425
|
+
} else {
|
426
|
+
ntmp = strip_spaces(q);
|
429
427
|
#if 0
|
430
428
|
printf("%s\n", ntmp);
|
431
429
|
#endif
|
432
|
-
|
433
|
-
|
434
|
-
|
435
|
-
}
|
436
|
-
X509V3_add_value(ntmp, NULL, &values);
|
430
|
+
if (!ntmp) {
|
431
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_NAME);
|
432
|
+
goto err;
|
437
433
|
}
|
438
|
-
|
439
|
-
|
440
|
-
|
441
|
-
|
442
|
-
OPENSSL_free(linebuf);
|
443
|
-
sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
|
444
|
-
return NULL;
|
434
|
+
X509V3_add_value(ntmp, NULL, &values);
|
435
|
+
}
|
436
|
+
OPENSSL_free(linebuf);
|
437
|
+
return values;
|
445
438
|
|
439
|
+
err:
|
440
|
+
OPENSSL_free(linebuf);
|
441
|
+
sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
|
442
|
+
return NULL;
|
446
443
|
}
|
447
444
|
|
448
|
-
|
449
|
-
static char *strip_spaces(char *name)
|
450
|
-
|
451
|
-
|
452
|
-
|
453
|
-
|
454
|
-
|
455
|
-
|
456
|
-
|
457
|
-
|
458
|
-
|
459
|
-
|
460
|
-
|
461
|
-
|
462
|
-
|
463
|
-
|
464
|
-
|
465
|
-
|
445
|
+
// Delete leading and trailing spaces from a string
|
446
|
+
static char *strip_spaces(char *name) {
|
447
|
+
char *p, *q;
|
448
|
+
// Skip over leading spaces
|
449
|
+
p = name;
|
450
|
+
while (*p && OPENSSL_isspace((unsigned char)*p)) {
|
451
|
+
p++;
|
452
|
+
}
|
453
|
+
if (!*p) {
|
454
|
+
return NULL;
|
455
|
+
}
|
456
|
+
q = p + strlen(p) - 1;
|
457
|
+
while ((q != p) && OPENSSL_isspace((unsigned char)*q)) {
|
458
|
+
q--;
|
459
|
+
}
|
460
|
+
if (p != q) {
|
461
|
+
q[1] = 0;
|
462
|
+
}
|
463
|
+
if (!*p) {
|
464
|
+
return NULL;
|
465
|
+
}
|
466
|
+
return p;
|
466
467
|
}
|
467
468
|
|
468
|
-
|
469
|
-
|
470
|
-
|
471
|
-
|
472
|
-
|
473
|
-
|
474
|
-
|
475
|
-
|
476
|
-
|
477
|
-
|
478
|
-
|
479
|
-
|
480
|
-
|
481
|
-
static const char hexdig[] = "0123456789ABCDEF";
|
482
|
-
if (!buffer || !len)
|
483
|
-
return NULL;
|
484
|
-
if (!(tmp = OPENSSL_malloc(len * 3 + 1))) {
|
485
|
-
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
|
486
|
-
return NULL;
|
487
|
-
}
|
488
|
-
q = tmp;
|
489
|
-
for (i = 0, p = buffer; i < len; i++, p++) {
|
490
|
-
*q++ = hexdig[(*p >> 4) & 0xf];
|
491
|
-
*q++ = hexdig[*p & 0xf];
|
492
|
-
*q++ = ':';
|
469
|
+
// hex string utilities
|
470
|
+
|
471
|
+
char *x509v3_bytes_to_hex(const uint8_t *in, size_t len) {
|
472
|
+
CBB cbb;
|
473
|
+
if (!CBB_init(&cbb, len * 3 + 1)) {
|
474
|
+
goto err;
|
475
|
+
}
|
476
|
+
for (size_t i = 0; i < len; i++) {
|
477
|
+
static const char hex[] = "0123456789ABCDEF";
|
478
|
+
if ((i > 0 && !CBB_add_u8(&cbb, ':')) ||
|
479
|
+
!CBB_add_u8(&cbb, hex[in[i] >> 4]) ||
|
480
|
+
!CBB_add_u8(&cbb, hex[in[i] & 0xf])) {
|
481
|
+
goto err;
|
493
482
|
}
|
494
|
-
|
483
|
+
}
|
484
|
+
uint8_t *ret;
|
485
|
+
size_t unused_len;
|
486
|
+
if (!CBB_add_u8(&cbb, 0) || !CBB_finish(&cbb, &ret, &unused_len)) {
|
487
|
+
goto err;
|
488
|
+
}
|
495
489
|
|
496
|
-
|
490
|
+
return (char *)ret;
|
491
|
+
|
492
|
+
err:
|
493
|
+
CBB_cleanup(&cbb);
|
494
|
+
return NULL;
|
497
495
|
}
|
498
496
|
|
499
|
-
unsigned char *x509v3_hex_to_bytes(const char *str, long *len)
|
500
|
-
|
501
|
-
|
502
|
-
|
503
|
-
|
504
|
-
|
505
|
-
|
497
|
+
unsigned char *x509v3_hex_to_bytes(const char *str, long *len) {
|
498
|
+
unsigned char *hexbuf, *q;
|
499
|
+
unsigned char ch, cl, *p;
|
500
|
+
uint8_t high, low;
|
501
|
+
if (!str) {
|
502
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_ARGUMENT);
|
503
|
+
return NULL;
|
504
|
+
}
|
505
|
+
if (!(hexbuf = OPENSSL_malloc(strlen(str) >> 1))) {
|
506
|
+
goto err;
|
507
|
+
}
|
508
|
+
for (p = (unsigned char *)str, q = hexbuf; *p;) {
|
509
|
+
ch = *p++;
|
510
|
+
if (ch == ':') {
|
511
|
+
continue;
|
506
512
|
}
|
507
|
-
|
508
|
-
|
509
|
-
|
510
|
-
|
511
|
-
|
512
|
-
continue;
|
513
|
-
cl = *p++;
|
514
|
-
if (!cl) {
|
515
|
-
OPENSSL_PUT_ERROR(X509V3, X509V3_R_ODD_NUMBER_OF_DIGITS);
|
516
|
-
OPENSSL_free(hexbuf);
|
517
|
-
return NULL;
|
518
|
-
}
|
519
|
-
|
520
|
-
if ((ch >= '0') && (ch <= '9'))
|
521
|
-
ch -= '0';
|
522
|
-
else if ((ch >= 'a') && (ch <= 'f'))
|
523
|
-
ch -= 'a' - 10;
|
524
|
-
else if ((ch >= 'A') && (ch <= 'F'))
|
525
|
-
ch -= 'A' - 10;
|
526
|
-
else
|
527
|
-
goto badhex;
|
528
|
-
|
529
|
-
if ((cl >= '0') && (cl <= '9'))
|
530
|
-
cl -= '0';
|
531
|
-
else if ((cl >= 'a') && (cl <= 'f'))
|
532
|
-
cl -= 'a' - 10;
|
533
|
-
else if ((cl >= 'A') && (cl <= 'F'))
|
534
|
-
cl -= 'A' - 10;
|
535
|
-
else
|
536
|
-
goto badhex;
|
537
|
-
|
538
|
-
*q++ = (ch << 4) | cl;
|
513
|
+
cl = *p++;
|
514
|
+
if (!cl) {
|
515
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_ODD_NUMBER_OF_DIGITS);
|
516
|
+
OPENSSL_free(hexbuf);
|
517
|
+
return NULL;
|
539
518
|
}
|
519
|
+
if (!OPENSSL_fromxdigit(&high, ch)) {
|
520
|
+
goto badhex;
|
521
|
+
}
|
522
|
+
if (!OPENSSL_fromxdigit(&low, cl)) {
|
523
|
+
goto badhex;
|
524
|
+
}
|
525
|
+
*q++ = (high << 4) | low;
|
526
|
+
}
|
540
527
|
|
541
|
-
|
542
|
-
|
543
|
-
|
544
|
-
return hexbuf;
|
528
|
+
if (len) {
|
529
|
+
*len = q - hexbuf;
|
530
|
+
}
|
545
531
|
|
546
|
-
|
547
|
-
if (hexbuf)
|
548
|
-
OPENSSL_free(hexbuf);
|
549
|
-
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
|
550
|
-
return NULL;
|
532
|
+
return hexbuf;
|
551
533
|
|
552
|
-
|
553
|
-
|
554
|
-
|
555
|
-
return NULL;
|
534
|
+
err:
|
535
|
+
OPENSSL_free(hexbuf);
|
536
|
+
return NULL;
|
556
537
|
|
538
|
+
badhex:
|
539
|
+
OPENSSL_free(hexbuf);
|
540
|
+
OPENSSL_PUT_ERROR(X509V3, X509V3_R_ILLEGAL_HEX_DIGIT);
|
541
|
+
return NULL;
|
557
542
|
}
|
558
543
|
|
559
|
-
int
|
560
|
-
|
561
|
-
|
562
|
-
|
563
|
-
|
564
|
-
|
565
|
-
|
566
|
-
|
567
|
-
if (!c || (c == '.'))
|
568
|
-
return 0;
|
569
|
-
return 1;
|
544
|
+
int x509v3_conf_name_matches(const char *name, const char *cmp) {
|
545
|
+
// |name| must begin with |cmp|.
|
546
|
+
size_t len = strlen(cmp);
|
547
|
+
if (strncmp(name, cmp, len) != 0) {
|
548
|
+
return 0;
|
549
|
+
}
|
550
|
+
// |name| must either be equal to |cmp| or begin with |cmp|, followed by '.'.
|
551
|
+
return name[len] == '\0' || name[len] == '.';
|
570
552
|
}
|
571
553
|
|
572
|
-
static int sk_strcmp(const
|
573
|
-
{
|
574
|
-
return strcmp(*a, *b);
|
575
|
-
}
|
554
|
+
static int sk_strcmp(const char **a, const char **b) { return strcmp(*a, *b); }
|
576
555
|
|
577
|
-
STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x)
|
578
|
-
|
579
|
-
|
580
|
-
STACK_OF(OPENSSL_STRING) *ret;
|
556
|
+
STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x) {
|
557
|
+
GENERAL_NAMES *gens;
|
558
|
+
STACK_OF(OPENSSL_STRING) *ret;
|
581
559
|
|
582
|
-
|
583
|
-
|
584
|
-
|
585
|
-
|
560
|
+
gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
|
561
|
+
ret = get_email(X509_get_subject_name(x), gens);
|
562
|
+
sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
|
563
|
+
return ret;
|
586
564
|
}
|
587
565
|
|
588
|
-
STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
|
589
|
-
|
590
|
-
|
591
|
-
|
592
|
-
size_t i;
|
566
|
+
STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x) {
|
567
|
+
AUTHORITY_INFO_ACCESS *info;
|
568
|
+
STACK_OF(OPENSSL_STRING) *ret = NULL;
|
569
|
+
size_t i;
|
593
570
|
|
594
|
-
|
595
|
-
|
596
|
-
|
597
|
-
|
598
|
-
|
599
|
-
|
600
|
-
|
601
|
-
|
602
|
-
|
603
|
-
|
604
|
-
}
|
571
|
+
info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
|
572
|
+
if (!info) {
|
573
|
+
return NULL;
|
574
|
+
}
|
575
|
+
for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
|
576
|
+
ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
|
577
|
+
if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
|
578
|
+
if (ad->location->type == GEN_URI) {
|
579
|
+
if (!append_ia5(&ret, ad->location->d.uniformResourceIdentifier)) {
|
580
|
+
break;
|
605
581
|
}
|
582
|
+
}
|
606
583
|
}
|
607
|
-
|
608
|
-
|
584
|
+
}
|
585
|
+
AUTHORITY_INFO_ACCESS_free(info);
|
586
|
+
return ret;
|
609
587
|
}
|
610
588
|
|
611
|
-
STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
|
612
|
-
|
613
|
-
|
614
|
-
|
615
|
-
|
616
|
-
|
617
|
-
|
618
|
-
|
619
|
-
|
620
|
-
|
621
|
-
|
622
|
-
return ret;
|
589
|
+
STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x) {
|
590
|
+
GENERAL_NAMES *gens;
|
591
|
+
STACK_OF(X509_EXTENSION) *exts;
|
592
|
+
STACK_OF(OPENSSL_STRING) *ret;
|
593
|
+
|
594
|
+
exts = X509_REQ_get_extensions(x);
|
595
|
+
gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
|
596
|
+
ret = get_email(X509_REQ_get_subject_name(x), gens);
|
597
|
+
sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
|
598
|
+
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
|
599
|
+
return ret;
|
623
600
|
}
|
624
601
|
|
625
|
-
static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
|
626
|
-
GENERAL_NAMES *gens)
|
627
|
-
|
628
|
-
|
629
|
-
|
630
|
-
|
631
|
-
|
632
|
-
|
633
|
-
|
634
|
-
|
635
|
-
|
636
|
-
|
637
|
-
while ((i = X509_NAME_get_index_by_NID(name,
|
638
|
-
NID_pkcs9_emailAddress, i)) >= 0) {
|
639
|
-
ne = X509_NAME_get_entry(name, i);
|
640
|
-
email = X509_NAME_ENTRY_get_data(ne);
|
641
|
-
if (!append_ia5(&ret, email))
|
642
|
-
return NULL;
|
602
|
+
static STACK_OF(OPENSSL_STRING) *get_email(const X509_NAME *name,
|
603
|
+
const GENERAL_NAMES *gens) {
|
604
|
+
STACK_OF(OPENSSL_STRING) *ret = NULL;
|
605
|
+
// Now add any email address(es) to STACK
|
606
|
+
int i = -1;
|
607
|
+
// First supplied X509_NAME
|
608
|
+
while ((i = X509_NAME_get_index_by_NID(name, NID_pkcs9_emailAddress, i)) >=
|
609
|
+
0) {
|
610
|
+
const X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, i);
|
611
|
+
const ASN1_IA5STRING *email = X509_NAME_ENTRY_get_data(ne);
|
612
|
+
if (!append_ia5(&ret, email)) {
|
613
|
+
return NULL;
|
643
614
|
}
|
644
|
-
|
645
|
-
|
646
|
-
|
647
|
-
|
648
|
-
|
649
|
-
return NULL;
|
615
|
+
}
|
616
|
+
for (size_t j = 0; j < sk_GENERAL_NAME_num(gens); j++) {
|
617
|
+
const GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, j);
|
618
|
+
if (gen->type != GEN_EMAIL) {
|
619
|
+
continue;
|
650
620
|
}
|
651
|
-
|
652
|
-
|
653
|
-
|
654
|
-
|
655
|
-
|
656
|
-
OPENSSL_free(str);
|
621
|
+
if (!append_ia5(&ret, gen->d.ia5)) {
|
622
|
+
return NULL;
|
623
|
+
}
|
624
|
+
}
|
625
|
+
return ret;
|
657
626
|
}
|
658
627
|
|
659
|
-
static
|
660
|
-
{
|
661
|
-
/* First some sanity checks */
|
662
|
-
if (email->type != V_ASN1_IA5STRING)
|
663
|
-
return 1;
|
664
|
-
if (email->data == NULL || email->length == 0)
|
665
|
-
return 1;
|
666
|
-
/* |OPENSSL_STRING| cannot represent strings with embedded NULs. Do not
|
667
|
-
* report them as outputs. */
|
668
|
-
if (OPENSSL_memchr(email->data, 0, email->length) != NULL)
|
669
|
-
return 1;
|
670
|
-
|
671
|
-
char *emtmp = NULL;
|
672
|
-
if (!*sk)
|
673
|
-
*sk = sk_OPENSSL_STRING_new(sk_strcmp);
|
674
|
-
if (!*sk)
|
675
|
-
goto err;
|
676
|
-
|
677
|
-
emtmp = OPENSSL_strndup((char *)email->data, email->length);
|
678
|
-
if (emtmp == NULL) {
|
679
|
-
goto err;
|
680
|
-
}
|
628
|
+
static void str_free(OPENSSL_STRING str) { OPENSSL_free(str); }
|
681
629
|
|
682
|
-
|
683
|
-
|
684
|
-
|
685
|
-
|
686
|
-
|
687
|
-
|
688
|
-
|
689
|
-
|
690
|
-
|
630
|
+
static int append_ia5(STACK_OF(OPENSSL_STRING) **sk,
|
631
|
+
const ASN1_IA5STRING *email) {
|
632
|
+
// First some sanity checks
|
633
|
+
if (email->type != V_ASN1_IA5STRING) {
|
634
|
+
return 1;
|
635
|
+
}
|
636
|
+
if (email->data == NULL || email->length == 0) {
|
637
|
+
return 1;
|
638
|
+
}
|
639
|
+
// |OPENSSL_STRING| cannot represent strings with embedded NULs. Do not
|
640
|
+
// report them as outputs.
|
641
|
+
if (OPENSSL_memchr(email->data, 0, email->length) != NULL) {
|
691
642
|
return 1;
|
643
|
+
}
|
644
|
+
|
645
|
+
char *emtmp = NULL;
|
646
|
+
if (!*sk) {
|
647
|
+
*sk = sk_OPENSSL_STRING_new(sk_strcmp);
|
648
|
+
}
|
649
|
+
if (!*sk) {
|
650
|
+
goto err;
|
651
|
+
}
|
652
|
+
|
653
|
+
emtmp = OPENSSL_strndup((char *)email->data, email->length);
|
654
|
+
if (emtmp == NULL) {
|
655
|
+
goto err;
|
656
|
+
}
|
657
|
+
|
658
|
+
// Don't add duplicates
|
659
|
+
sk_OPENSSL_STRING_sort(*sk);
|
660
|
+
if (sk_OPENSSL_STRING_find(*sk, NULL, emtmp)) {
|
661
|
+
OPENSSL_free(emtmp);
|
662
|
+
return 1;
|
663
|
+
}
|
664
|
+
if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
|
665
|
+
goto err;
|
666
|
+
}
|
667
|
+
return 1;
|
692
668
|
|
693
669
|
err:
|
694
|
-
|
695
|
-
|
696
|
-
|
697
|
-
|
698
|
-
|
699
|
-
|
670
|
+
// TODO(davidben): Fix the error-handling in this file. It currently relies
|
671
|
+
// on |append_ia5| leaving |*sk| at NULL on error.
|
672
|
+
OPENSSL_free(emtmp);
|
673
|
+
X509_email_free(*sk);
|
674
|
+
*sk = NULL;
|
675
|
+
return 0;
|
700
676
|
}
|
701
677
|
|
702
|
-
void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
|
703
|
-
|
704
|
-
sk_OPENSSL_STRING_pop_free(sk, str_free);
|
678
|
+
void X509_email_free(STACK_OF(OPENSSL_STRING) *sk) {
|
679
|
+
sk_OPENSSL_STRING_pop_free(sk, str_free);
|
705
680
|
}
|
706
681
|
|
707
|
-
typedef int (*equal_fn)
|
708
|
-
const unsigned char *subject, size_t subject_len,
|
709
|
-
unsigned int flags);
|
710
|
-
|
711
|
-
/* Skip pattern prefix to match "wildcard" subject */
|
712
|
-
static void skip_prefix(const unsigned char **p, size_t *plen,
|
682
|
+
typedef int (*equal_fn)(const unsigned char *pattern, size_t pattern_len,
|
713
683
|
const unsigned char *subject, size_t subject_len,
|
714
|
-
unsigned int flags)
|
715
|
-
{
|
716
|
-
const unsigned char *pattern = *p;
|
717
|
-
size_t pattern_len = *plen;
|
718
|
-
|
719
|
-
/*
|
720
|
-
* If subject starts with a leading '.' followed by more octets, and
|
721
|
-
* pattern is longer, compare just an equal-length suffix with the
|
722
|
-
* full subject (starting at the '.'), provided the prefix contains
|
723
|
-
* no NULs.
|
724
|
-
*/
|
725
|
-
if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
|
726
|
-
return;
|
727
|
-
|
728
|
-
while (pattern_len > subject_len && *pattern) {
|
729
|
-
if ((flags & X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS) &&
|
730
|
-
*pattern == '.')
|
731
|
-
break;
|
732
|
-
++pattern;
|
733
|
-
--pattern_len;
|
734
|
-
}
|
735
|
-
|
736
|
-
/* Skip if entire prefix acceptable */
|
737
|
-
if (pattern_len == subject_len) {
|
738
|
-
*p = pattern;
|
739
|
-
*plen = pattern_len;
|
740
|
-
}
|
741
|
-
}
|
684
|
+
unsigned int flags);
|
742
685
|
|
743
|
-
|
686
|
+
// Compare while ASCII ignoring case.
|
744
687
|
static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
|
745
688
|
const unsigned char *subject, size_t subject_len,
|
746
|
-
unsigned int flags)
|
747
|
-
{
|
748
|
-
|
749
|
-
|
689
|
+
unsigned int flags) {
|
690
|
+
if (pattern_len != subject_len) {
|
691
|
+
return 0;
|
692
|
+
}
|
693
|
+
while (pattern_len) {
|
694
|
+
unsigned char l = *pattern;
|
695
|
+
unsigned char r = *subject;
|
696
|
+
// The pattern must not contain NUL characters.
|
697
|
+
if (l == 0) {
|
698
|
+
return 0;
|
699
|
+
}
|
700
|
+
if (l != r) {
|
701
|
+
if (OPENSSL_tolower(l) != OPENSSL_tolower(r)) {
|
750
702
|
return 0;
|
751
|
-
|
752
|
-
unsigned char l = *pattern;
|
753
|
-
unsigned char r = *subject;
|
754
|
-
/* The pattern must not contain NUL characters. */
|
755
|
-
if (l == 0)
|
756
|
-
return 0;
|
757
|
-
if (l != r) {
|
758
|
-
if ('A' <= l && l <= 'Z')
|
759
|
-
l = (l - 'A') + 'a';
|
760
|
-
if ('A' <= r && r <= 'Z')
|
761
|
-
r = (r - 'A') + 'a';
|
762
|
-
if (l != r)
|
763
|
-
return 0;
|
764
|
-
}
|
765
|
-
++pattern;
|
766
|
-
++subject;
|
767
|
-
--pattern_len;
|
703
|
+
}
|
768
704
|
}
|
769
|
-
|
705
|
+
++pattern;
|
706
|
+
++subject;
|
707
|
+
--pattern_len;
|
708
|
+
}
|
709
|
+
return 1;
|
770
710
|
}
|
771
711
|
|
772
|
-
|
712
|
+
// Compare using OPENSSL_memcmp.
|
773
713
|
static int equal_case(const unsigned char *pattern, size_t pattern_len,
|
774
714
|
const unsigned char *subject, size_t subject_len,
|
775
|
-
unsigned int flags)
|
776
|
-
{
|
777
|
-
|
778
|
-
|
779
|
-
|
780
|
-
return !OPENSSL_memcmp(pattern, subject, pattern_len);
|
715
|
+
unsigned int flags) {
|
716
|
+
if (pattern_len != subject_len) {
|
717
|
+
return 0;
|
718
|
+
}
|
719
|
+
return !OPENSSL_memcmp(pattern, subject, pattern_len);
|
781
720
|
}
|
782
721
|
|
783
|
-
|
784
|
-
|
785
|
-
* case-insensitive manner.
|
786
|
-
*/
|
722
|
+
// RFC 5280, section 7.5, requires that only the domain is compared in a
|
723
|
+
// case-insensitive manner.
|
787
724
|
static int equal_email(const unsigned char *a, size_t a_len,
|
788
725
|
const unsigned char *b, size_t b_len,
|
789
|
-
unsigned int unused_flags)
|
790
|
-
|
791
|
-
|
792
|
-
|
726
|
+
unsigned int unused_flags) {
|
727
|
+
size_t i = a_len;
|
728
|
+
if (a_len != b_len) {
|
729
|
+
return 0;
|
730
|
+
}
|
731
|
+
// We search backwards for the '@' character, so that we do not have to
|
732
|
+
// deal with quoted local-parts. The domain part is compared in a
|
733
|
+
// case-insensitive manner.
|
734
|
+
while (i > 0) {
|
735
|
+
--i;
|
736
|
+
if (a[i] == '@' || b[i] == '@') {
|
737
|
+
if (!equal_nocase(a + i, a_len - i, b + i, a_len - i, 0)) {
|
793
738
|
return 0;
|
794
|
-
|
795
|
-
|
796
|
-
* deal with quoted local-parts. The domain part is compared in a
|
797
|
-
* case-insensitive manner.
|
798
|
-
*/
|
799
|
-
while (i > 0) {
|
800
|
-
--i;
|
801
|
-
if (a[i] == '@' || b[i] == '@') {
|
802
|
-
if (!equal_nocase(a + i, a_len - i, b + i, a_len - i, 0))
|
803
|
-
return 0;
|
804
|
-
break;
|
805
|
-
}
|
739
|
+
}
|
740
|
+
break;
|
806
741
|
}
|
807
|
-
|
808
|
-
|
809
|
-
|
742
|
+
}
|
743
|
+
if (i == 0) {
|
744
|
+
i = a_len;
|
745
|
+
}
|
746
|
+
return equal_case(a, i, b, i, 0);
|
810
747
|
}
|
811
748
|
|
812
|
-
|
813
|
-
|
814
|
-
* characters in-between are valid.
|
815
|
-
*/
|
749
|
+
// Compare the prefix and suffix with the subject, and check that the
|
750
|
+
// characters in-between are valid.
|
816
751
|
static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
|
817
752
|
const unsigned char *suffix, size_t suffix_len,
|
818
753
|
const unsigned char *subject, size_t subject_len,
|
819
|
-
unsigned int flags)
|
820
|
-
|
821
|
-
|
822
|
-
|
823
|
-
|
824
|
-
|
825
|
-
|
826
|
-
|
827
|
-
|
828
|
-
|
829
|
-
|
830
|
-
|
831
|
-
|
832
|
-
|
833
|
-
|
834
|
-
|
835
|
-
|
836
|
-
|
837
|
-
|
838
|
-
|
839
|
-
if (
|
840
|
-
|
841
|
-
return 0;
|
842
|
-
allow_idna = 1;
|
843
|
-
if (flags & X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS)
|
844
|
-
allow_multi = 1;
|
754
|
+
unsigned int flags) {
|
755
|
+
const unsigned char *wildcard_start;
|
756
|
+
const unsigned char *wildcard_end;
|
757
|
+
const unsigned char *p;
|
758
|
+
int allow_idna = 0;
|
759
|
+
|
760
|
+
if (subject_len < prefix_len + suffix_len) {
|
761
|
+
return 0;
|
762
|
+
}
|
763
|
+
if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags)) {
|
764
|
+
return 0;
|
765
|
+
}
|
766
|
+
wildcard_start = subject + prefix_len;
|
767
|
+
wildcard_end = subject + (subject_len - suffix_len);
|
768
|
+
if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags)) {
|
769
|
+
return 0;
|
770
|
+
}
|
771
|
+
// If the wildcard makes up the entire first label, it must match at
|
772
|
+
// least one character.
|
773
|
+
if (prefix_len == 0 && *suffix == '.') {
|
774
|
+
if (wildcard_start == wildcard_end) {
|
775
|
+
return 0;
|
845
776
|
}
|
846
|
-
|
847
|
-
|
848
|
-
|
849
|
-
|
850
|
-
|
851
|
-
|
852
|
-
|
853
|
-
|
854
|
-
|
855
|
-
* Check that the part matched by the wildcard contains only
|
856
|
-
* permitted characters and only matches a single label unless
|
857
|
-
* allow_multi is set.
|
858
|
-
*/
|
859
|
-
for (p = wildcard_start; p != wildcard_end; ++p)
|
860
|
-
if (!(('0' <= *p && *p <= '9') ||
|
861
|
-
('A' <= *p && *p <= 'Z') ||
|
862
|
-
('a' <= *p && *p <= 'z') ||
|
863
|
-
*p == '-' || (allow_multi && *p == '.')))
|
864
|
-
return 0;
|
777
|
+
allow_idna = 1;
|
778
|
+
}
|
779
|
+
// IDNA labels cannot match partial wildcards
|
780
|
+
if (!allow_idna && subject_len >= 4 &&
|
781
|
+
OPENSSL_strncasecmp((char *)subject, "xn--", 4) == 0) {
|
782
|
+
return 0;
|
783
|
+
}
|
784
|
+
// The wildcard may match a literal '*'
|
785
|
+
if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*') {
|
865
786
|
return 1;
|
787
|
+
}
|
788
|
+
// Check that the part matched by the wildcard contains only
|
789
|
+
// permitted characters and only matches a single label.
|
790
|
+
for (p = wildcard_start; p != wildcard_end; ++p) {
|
791
|
+
if (!OPENSSL_isalnum(*p) && *p != '-') {
|
792
|
+
return 0;
|
793
|
+
}
|
794
|
+
}
|
795
|
+
return 1;
|
866
796
|
}
|
867
797
|
|
868
|
-
#define LABEL_START
|
869
|
-
#define LABEL_END
|
870
|
-
#define LABEL_HYPHEN
|
871
|
-
#define LABEL_IDNA
|
798
|
+
#define LABEL_START (1 << 0)
|
799
|
+
#define LABEL_END (1 << 1)
|
800
|
+
#define LABEL_HYPHEN (1 << 2)
|
801
|
+
#define LABEL_IDNA (1 << 3)
|
872
802
|
|
873
803
|
static const unsigned char *valid_star(const unsigned char *p, size_t len,
|
874
|
-
unsigned int flags)
|
875
|
-
|
876
|
-
|
877
|
-
|
878
|
-
|
879
|
-
|
880
|
-
|
881
|
-
|
882
|
-
|
883
|
-
|
884
|
-
|
885
|
-
|
886
|
-
|
887
|
-
|
888
|
-
|
889
|
-
|
890
|
-
|
891
|
-
|
892
|
-
|
893
|
-
|
894
|
-
|
895
|
-
|
896
|
-
|
897
|
-
|
898
|
-
|
899
|
-
|
900
|
-
|
901
|
-
|
902
|
-
|
903
|
-
|
904
|
-
|
905
|
-
|
906
|
-
|
907
|
-
|
908
|
-
|
909
|
-
|
910
|
-
|
911
|
-
|
912
|
-
|
913
|
-
|
914
|
-
|
915
|
-
|
916
|
-
|
917
|
-
} else if (p[i] == '-') {
|
918
|
-
/* no domain/subdomain starts with '-' */
|
919
|
-
if ((state & LABEL_START) != 0)
|
920
|
-
return NULL;
|
921
|
-
state |= LABEL_HYPHEN;
|
922
|
-
} else
|
923
|
-
return NULL;
|
804
|
+
unsigned int flags) {
|
805
|
+
const unsigned char *star = 0;
|
806
|
+
size_t i;
|
807
|
+
int state = LABEL_START;
|
808
|
+
int dots = 0;
|
809
|
+
for (i = 0; i < len; ++i) {
|
810
|
+
// Locate first and only legal wildcard, either at the start
|
811
|
+
// or end of a non-IDNA first and not final label.
|
812
|
+
if (p[i] == '*') {
|
813
|
+
int atstart = (state & LABEL_START);
|
814
|
+
int atend = (i == len - 1 || p[i + 1] == '.');
|
815
|
+
// At most one wildcard per pattern.
|
816
|
+
// No wildcards in IDNA labels.
|
817
|
+
// No wildcards after the first label.
|
818
|
+
if (star != NULL || (state & LABEL_IDNA) != 0 || dots) {
|
819
|
+
return NULL;
|
820
|
+
}
|
821
|
+
// Only full-label '*.example.com' wildcards.
|
822
|
+
if (!atstart || !atend) {
|
823
|
+
return NULL;
|
824
|
+
}
|
825
|
+
star = &p[i];
|
826
|
+
state &= ~LABEL_START;
|
827
|
+
} else if (OPENSSL_isalnum(p[i])) {
|
828
|
+
if ((state & LABEL_START) != 0 && len - i >= 4 &&
|
829
|
+
OPENSSL_strncasecmp((char *)&p[i], "xn--", 4) == 0) {
|
830
|
+
state |= LABEL_IDNA;
|
831
|
+
}
|
832
|
+
state &= ~(LABEL_HYPHEN | LABEL_START);
|
833
|
+
} else if (p[i] == '.') {
|
834
|
+
if ((state & (LABEL_HYPHEN | LABEL_START)) != 0) {
|
835
|
+
return NULL;
|
836
|
+
}
|
837
|
+
state = LABEL_START;
|
838
|
+
++dots;
|
839
|
+
} else if (p[i] == '-') {
|
840
|
+
// no domain/subdomain starts with '-'
|
841
|
+
if ((state & LABEL_START) != 0) {
|
842
|
+
return NULL;
|
843
|
+
}
|
844
|
+
state |= LABEL_HYPHEN;
|
845
|
+
} else {
|
846
|
+
return NULL;
|
924
847
|
}
|
848
|
+
}
|
925
849
|
|
926
|
-
|
927
|
-
|
928
|
-
|
929
|
-
|
930
|
-
|
931
|
-
|
932
|
-
return star;
|
850
|
+
// The final label must not end in a hyphen or ".", and
|
851
|
+
// there must be at least two dots after the star.
|
852
|
+
if ((state & (LABEL_START | LABEL_HYPHEN)) != 0 || dots < 2) {
|
853
|
+
return NULL;
|
854
|
+
}
|
855
|
+
return star;
|
933
856
|
}
|
934
857
|
|
935
|
-
|
858
|
+
// Compare using wildcards.
|
936
859
|
static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
|
937
860
|
const unsigned char *subject, size_t subject_len,
|
938
|
-
unsigned int flags)
|
939
|
-
|
940
|
-
|
941
|
-
|
942
|
-
|
943
|
-
|
944
|
-
|
945
|
-
|
946
|
-
|
947
|
-
|
948
|
-
|
949
|
-
|
950
|
-
|
951
|
-
|
952
|
-
star + 1, (pattern + pattern_len) - star - 1,
|
953
|
-
subject, subject_len, flags);
|
861
|
+
unsigned int flags) {
|
862
|
+
const unsigned char *star = NULL;
|
863
|
+
|
864
|
+
// Subject names starting with '.' can only match a wildcard pattern
|
865
|
+
// via a subject sub-domain pattern suffix match.
|
866
|
+
if (!(subject_len > 1 && subject[0] == '.')) {
|
867
|
+
star = valid_star(pattern, pattern_len, flags);
|
868
|
+
}
|
869
|
+
if (star == NULL) {
|
870
|
+
return equal_nocase(pattern, pattern_len, subject, subject_len, flags);
|
871
|
+
}
|
872
|
+
return wildcard_match(pattern, star - pattern, star + 1,
|
873
|
+
(pattern + pattern_len) - star - 1, subject,
|
874
|
+
subject_len, flags);
|
954
875
|
}
|
955
876
|
|
956
877
|
int x509v3_looks_like_dns_name(const unsigned char *in, size_t len) {
|
957
|
-
|
958
|
-
|
959
|
-
|
960
|
-
|
961
|
-
|
962
|
-
|
963
|
-
|
964
|
-
|
965
|
-
|
966
|
-
|
967
|
-
|
968
|
-
|
969
|
-
|
970
|
-
|
878
|
+
// This function is used as a heuristic for whether a common name is a
|
879
|
+
// hostname to be matched, or merely a decorative name to describe the
|
880
|
+
// subject. This heuristic must be applied to both name constraints and the
|
881
|
+
// common name fallback, so it must be loose enough to accept hostname
|
882
|
+
// common names, and tight enough to reject decorative common names.
|
883
|
+
|
884
|
+
if (len > 0 && in[len - 1] == '.') {
|
885
|
+
len--;
|
886
|
+
}
|
887
|
+
|
888
|
+
// Wildcards are allowed in front.
|
889
|
+
if (len >= 2 && in[0] == '*' && in[1] == '.') {
|
890
|
+
in += 2;
|
891
|
+
len -= 2;
|
892
|
+
}
|
893
|
+
|
894
|
+
if (len == 0) {
|
895
|
+
return 0;
|
896
|
+
}
|
897
|
+
|
898
|
+
size_t label_start = 0;
|
899
|
+
for (size_t i = 0; i < len; i++) {
|
900
|
+
unsigned char c = in[i];
|
901
|
+
if (OPENSSL_isalnum(c) || (c == '-' && i > label_start) ||
|
902
|
+
// These are not valid characters in hostnames, but commonly found
|
903
|
+
// in deployments outside the Web PKI.
|
904
|
+
c == '_' || c == ':') {
|
905
|
+
continue;
|
971
906
|
}
|
972
907
|
|
973
|
-
|
974
|
-
|
908
|
+
// Labels must not be empty.
|
909
|
+
if (c == '.' && i > label_start && i < len - 1) {
|
910
|
+
label_start = i + 1;
|
911
|
+
continue;
|
975
912
|
}
|
976
913
|
|
977
|
-
|
978
|
-
|
979
|
-
unsigned char c = in[i];
|
980
|
-
if ((c >= 'a' && c <= 'z') ||
|
981
|
-
(c >= '0' && c <= '9') ||
|
982
|
-
(c >= 'A' && c <= 'Z') ||
|
983
|
-
(c == '-' && i > label_start) ||
|
984
|
-
/* These are not valid characters in hostnames, but commonly found
|
985
|
-
* in deployments outside the Web PKI. */
|
986
|
-
c == '_' ||
|
987
|
-
c == ':') {
|
988
|
-
continue;
|
989
|
-
}
|
990
|
-
|
991
|
-
/* Labels must not be empty. */
|
992
|
-
if (c == '.' && i > label_start && i < len - 1) {
|
993
|
-
label_start = i + 1;
|
994
|
-
continue;
|
995
|
-
}
|
996
|
-
|
997
|
-
return 0;
|
998
|
-
}
|
914
|
+
return 0;
|
915
|
+
}
|
999
916
|
|
1000
|
-
|
917
|
+
return 1;
|
1001
918
|
}
|
1002
919
|
|
1003
|
-
|
1004
|
-
|
1005
|
-
|
1006
|
-
* to UTF8.
|
1007
|
-
*/
|
920
|
+
// Compare an ASN1_STRING to a supplied string. If they match return 1. If
|
921
|
+
// cmp_type > 0 only compare if string matches the type, otherwise convert it
|
922
|
+
// to UTF8.
|
1008
923
|
|
1009
|
-
static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
|
924
|
+
static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
|
1010
925
|
unsigned int flags, int check_type, const char *b,
|
1011
|
-
size_t blen, char **peername)
|
1012
|
-
|
1013
|
-
int rv = 0;
|
926
|
+
size_t blen, char **peername) {
|
927
|
+
int rv = 0;
|
1014
928
|
|
1015
|
-
|
1016
|
-
|
1017
|
-
|
1018
|
-
|
1019
|
-
|
1020
|
-
|
1021
|
-
|
1022
|
-
|
1023
|
-
|
1024
|
-
|
1025
|
-
|
929
|
+
if (!a->data || !a->length) {
|
930
|
+
return 0;
|
931
|
+
}
|
932
|
+
if (cmp_type > 0) {
|
933
|
+
if (cmp_type != a->type) {
|
934
|
+
return 0;
|
935
|
+
}
|
936
|
+
if (cmp_type == V_ASN1_IA5STRING) {
|
937
|
+
rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);
|
938
|
+
} else if (a->length == (int)blen && !OPENSSL_memcmp(a->data, b, blen)) {
|
939
|
+
rv = 1;
|
940
|
+
}
|
941
|
+
if (rv > 0 && peername) {
|
942
|
+
*peername = OPENSSL_strndup((char *)a->data, a->length);
|
943
|
+
}
|
944
|
+
} else {
|
945
|
+
int astrlen;
|
946
|
+
unsigned char *astr;
|
947
|
+
astrlen = ASN1_STRING_to_UTF8(&astr, a);
|
948
|
+
if (astrlen < 0) {
|
949
|
+
return -1;
|
950
|
+
}
|
951
|
+
// We check the common name against DNS name constraints if it passes
|
952
|
+
// |x509v3_looks_like_dns_name|. Thus we must not consider common names
|
953
|
+
// for DNS fallbacks if they fail this check.
|
954
|
+
if (check_type == GEN_DNS && !x509v3_looks_like_dns_name(astr, astrlen)) {
|
955
|
+
rv = 0;
|
1026
956
|
} else {
|
1027
|
-
|
1028
|
-
unsigned char *astr;
|
1029
|
-
astrlen = ASN1_STRING_to_UTF8(&astr, a);
|
1030
|
-
if (astrlen < 0)
|
1031
|
-
return -1;
|
1032
|
-
/*
|
1033
|
-
* We check the common name against DNS name constraints if it passes
|
1034
|
-
* |x509v3_looks_like_dns_name|. Thus we must not consider common names
|
1035
|
-
* for DNS fallbacks if they fail this check.
|
1036
|
-
*/
|
1037
|
-
if (check_type == GEN_DNS &&
|
1038
|
-
!x509v3_looks_like_dns_name(astr, astrlen)) {
|
1039
|
-
rv = 0;
|
1040
|
-
} else {
|
1041
|
-
rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
|
1042
|
-
}
|
1043
|
-
if (rv > 0 && peername)
|
1044
|
-
*peername = OPENSSL_strndup((char *)astr, astrlen);
|
1045
|
-
OPENSSL_free(astr);
|
957
|
+
rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
|
1046
958
|
}
|
1047
|
-
|
959
|
+
if (rv > 0 && peername) {
|
960
|
+
*peername = OPENSSL_strndup((char *)astr, astrlen);
|
961
|
+
}
|
962
|
+
OPENSSL_free(astr);
|
963
|
+
}
|
964
|
+
return rv;
|
1048
965
|
}
|
1049
966
|
|
1050
967
|
static int do_x509_check(X509 *x, const char *chk, size_t chklen,
|
1051
|
-
unsigned int flags, int check_type, char **peername)
|
1052
|
-
|
1053
|
-
|
1054
|
-
|
1055
|
-
|
1056
|
-
|
1057
|
-
|
1058
|
-
|
1059
|
-
|
1060
|
-
|
1061
|
-
|
1062
|
-
|
1063
|
-
flags
|
1064
|
-
|
1065
|
-
cnid = NID_pkcs9_emailAddress;
|
1066
|
-
alt_type = V_ASN1_IA5STRING;
|
1067
|
-
equal = equal_email;
|
1068
|
-
} else if (check_type == GEN_DNS) {
|
1069
|
-
cnid = NID_commonName;
|
1070
|
-
/* Implicit client-side DNS sub-domain pattern */
|
1071
|
-
if (chklen > 1 && chk[0] == '.')
|
1072
|
-
flags |= _X509_CHECK_FLAG_DOT_SUBDOMAINS;
|
1073
|
-
alt_type = V_ASN1_IA5STRING;
|
1074
|
-
if (flags & X509_CHECK_FLAG_NO_WILDCARDS)
|
1075
|
-
equal = equal_nocase;
|
1076
|
-
else
|
1077
|
-
equal = equal_wildcard;
|
968
|
+
unsigned int flags, int check_type, char **peername) {
|
969
|
+
int cnid = NID_undef;
|
970
|
+
int alt_type;
|
971
|
+
int rv = 0;
|
972
|
+
equal_fn equal;
|
973
|
+
if (check_type == GEN_EMAIL) {
|
974
|
+
cnid = NID_pkcs9_emailAddress;
|
975
|
+
alt_type = V_ASN1_IA5STRING;
|
976
|
+
equal = equal_email;
|
977
|
+
} else if (check_type == GEN_DNS) {
|
978
|
+
cnid = NID_commonName;
|
979
|
+
alt_type = V_ASN1_IA5STRING;
|
980
|
+
if (flags & X509_CHECK_FLAG_NO_WILDCARDS) {
|
981
|
+
equal = equal_nocase;
|
1078
982
|
} else {
|
1079
|
-
|
1080
|
-
equal = equal_case;
|
983
|
+
equal = equal_wildcard;
|
1081
984
|
}
|
1082
|
-
|
1083
|
-
|
1084
|
-
|
1085
|
-
|
1086
|
-
|
1087
|
-
|
1088
|
-
|
1089
|
-
|
1090
|
-
|
1091
|
-
|
1092
|
-
|
1093
|
-
|
1094
|
-
|
1095
|
-
|
1096
|
-
|
1097
|
-
|
1098
|
-
|
1099
|
-
|
1100
|
-
|
1101
|
-
|
1102
|
-
|
1103
|
-
|
985
|
+
} else {
|
986
|
+
alt_type = V_ASN1_OCTET_STRING;
|
987
|
+
equal = equal_case;
|
988
|
+
}
|
989
|
+
|
990
|
+
GENERAL_NAMES *gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
|
991
|
+
if (gens) {
|
992
|
+
for (size_t i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
|
993
|
+
const GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);
|
994
|
+
if (gen->type != check_type) {
|
995
|
+
continue;
|
996
|
+
}
|
997
|
+
const ASN1_STRING *cstr;
|
998
|
+
if (check_type == GEN_EMAIL) {
|
999
|
+
cstr = gen->d.rfc822Name;
|
1000
|
+
} else if (check_type == GEN_DNS) {
|
1001
|
+
cstr = gen->d.dNSName;
|
1002
|
+
} else {
|
1003
|
+
cstr = gen->d.iPAddress;
|
1004
|
+
}
|
1005
|
+
// Positive on success, negative on error!
|
1006
|
+
if ((rv = do_check_string(cstr, alt_type, equal, flags, check_type, chk,
|
1007
|
+
chklen, peername)) != 0) {
|
1008
|
+
break;
|
1009
|
+
}
|
1104
1010
|
}
|
1011
|
+
GENERAL_NAMES_free(gens);
|
1012
|
+
return rv;
|
1013
|
+
}
|
1105
1014
|
|
1106
|
-
|
1107
|
-
|
1108
|
-
return 0;
|
1109
|
-
|
1110
|
-
j = -1;
|
1111
|
-
name = X509_get_subject_name(x);
|
1112
|
-
while ((j = X509_NAME_get_index_by_NID(name, cnid, j)) >= 0) {
|
1113
|
-
X509_NAME_ENTRY *ne;
|
1114
|
-
ASN1_STRING *str;
|
1115
|
-
ne = X509_NAME_get_entry(name, j);
|
1116
|
-
str = X509_NAME_ENTRY_get_data(ne);
|
1117
|
-
/* Positive on success, negative on error! */
|
1118
|
-
if ((rv = do_check_string(str, -1, equal, flags, check_type,
|
1119
|
-
chk, chklen, peername)) != 0)
|
1120
|
-
return rv;
|
1121
|
-
}
|
1015
|
+
// We're done if CN-ID is not pertinent
|
1016
|
+
if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT)) {
|
1122
1017
|
return 0;
|
1018
|
+
}
|
1019
|
+
|
1020
|
+
int j = -1;
|
1021
|
+
const X509_NAME *name = X509_get_subject_name(x);
|
1022
|
+
while ((j = X509_NAME_get_index_by_NID(name, cnid, j)) >= 0) {
|
1023
|
+
const X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, j);
|
1024
|
+
const ASN1_STRING *str = X509_NAME_ENTRY_get_data(ne);
|
1025
|
+
// Positive on success, negative on error!
|
1026
|
+
if ((rv = do_check_string(str, -1, equal, flags, check_type, chk, chklen,
|
1027
|
+
peername)) != 0) {
|
1028
|
+
return rv;
|
1029
|
+
}
|
1030
|
+
}
|
1031
|
+
return 0;
|
1123
1032
|
}
|
1124
1033
|
|
1125
|
-
int X509_check_host(X509 *x, const char *chk, size_t chklen,
|
1126
|
-
|
1127
|
-
{
|
1128
|
-
|
1129
|
-
|
1130
|
-
|
1131
|
-
|
1132
|
-
|
1034
|
+
int X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags,
|
1035
|
+
char **peername) {
|
1036
|
+
if (chk == NULL) {
|
1037
|
+
return -2;
|
1038
|
+
}
|
1039
|
+
if (OPENSSL_memchr(chk, '\0', chklen)) {
|
1040
|
+
return -2;
|
1041
|
+
}
|
1042
|
+
return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
|
1133
1043
|
}
|
1134
1044
|
|
1135
1045
|
int X509_check_email(X509 *x, const char *chk, size_t chklen,
|
1136
|
-
unsigned int flags)
|
1137
|
-
{
|
1138
|
-
|
1139
|
-
|
1140
|
-
|
1141
|
-
|
1142
|
-
|
1046
|
+
unsigned int flags) {
|
1047
|
+
if (chk == NULL) {
|
1048
|
+
return -2;
|
1049
|
+
}
|
1050
|
+
if (OPENSSL_memchr(chk, '\0', chklen)) {
|
1051
|
+
return -2;
|
1052
|
+
}
|
1053
|
+
return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
|
1143
1054
|
}
|
1144
1055
|
|
1145
1056
|
int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
|
1146
|
-
unsigned int flags)
|
1147
|
-
{
|
1148
|
-
|
1149
|
-
|
1150
|
-
|
1057
|
+
unsigned int flags) {
|
1058
|
+
if (chk == NULL) {
|
1059
|
+
return -2;
|
1060
|
+
}
|
1061
|
+
return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
|
1151
1062
|
}
|
1152
1063
|
|
1153
|
-
int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
|
1154
|
-
|
1155
|
-
|
1156
|
-
|
1157
|
-
|
1158
|
-
|
1159
|
-
|
1160
|
-
|
1161
|
-
|
1162
|
-
|
1163
|
-
|
1064
|
+
int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags) {
|
1065
|
+
unsigned char ipout[16];
|
1066
|
+
size_t iplen;
|
1067
|
+
|
1068
|
+
if (ipasc == NULL) {
|
1069
|
+
return -2;
|
1070
|
+
}
|
1071
|
+
iplen = (size_t)x509v3_a2i_ipadd(ipout, ipasc);
|
1072
|
+
if (iplen == 0) {
|
1073
|
+
return -2;
|
1074
|
+
}
|
1075
|
+
return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
|
1164
1076
|
}
|
1165
1077
|
|
1166
|
-
|
1167
|
-
|
1168
|
-
* with RFC 3280.
|
1169
|
-
*/
|
1078
|
+
// Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible
|
1079
|
+
// with RFC 3280.
|
1170
1080
|
|
1171
|
-
ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc)
|
1172
|
-
|
1173
|
-
|
1174
|
-
|
1175
|
-
int iplen;
|
1081
|
+
ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc) {
|
1082
|
+
unsigned char ipout[16];
|
1083
|
+
ASN1_OCTET_STRING *ret;
|
1084
|
+
int iplen;
|
1176
1085
|
|
1177
|
-
|
1178
|
-
|
1179
|
-
|
1086
|
+
iplen = x509v3_a2i_ipadd(ipout, ipasc);
|
1087
|
+
if (!iplen) {
|
1088
|
+
return NULL;
|
1089
|
+
}
|
1180
1090
|
|
1181
|
-
|
1182
|
-
|
1183
|
-
|
1184
|
-
|
1185
|
-
|
1186
|
-
|
1187
|
-
|
1188
|
-
|
1091
|
+
ret = ASN1_OCTET_STRING_new();
|
1092
|
+
if (!ret) {
|
1093
|
+
return NULL;
|
1094
|
+
}
|
1095
|
+
if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
|
1096
|
+
ASN1_OCTET_STRING_free(ret);
|
1097
|
+
return NULL;
|
1098
|
+
}
|
1099
|
+
return ret;
|
1189
1100
|
}
|
1190
1101
|
|
1191
|
-
ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
|
1192
|
-
|
1193
|
-
|
1194
|
-
|
1195
|
-
|
1196
|
-
|
1197
|
-
|
1198
|
-
|
1199
|
-
|
1200
|
-
|
1201
|
-
|
1202
|
-
|
1203
|
-
|
1204
|
-
|
1102
|
+
ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc) {
|
1103
|
+
ASN1_OCTET_STRING *ret = NULL;
|
1104
|
+
unsigned char ipout[32];
|
1105
|
+
char *iptmp = NULL, *p;
|
1106
|
+
int iplen1, iplen2;
|
1107
|
+
p = strchr(ipasc, '/');
|
1108
|
+
if (!p) {
|
1109
|
+
return NULL;
|
1110
|
+
}
|
1111
|
+
iptmp = OPENSSL_strdup(ipasc);
|
1112
|
+
if (!iptmp) {
|
1113
|
+
return NULL;
|
1114
|
+
}
|
1115
|
+
p = iptmp + (p - ipasc);
|
1116
|
+
*p++ = 0;
|
1205
1117
|
|
1206
|
-
|
1118
|
+
iplen1 = x509v3_a2i_ipadd(ipout, iptmp);
|
1207
1119
|
|
1208
|
-
|
1209
|
-
|
1120
|
+
if (!iplen1) {
|
1121
|
+
goto err;
|
1122
|
+
}
|
1210
1123
|
|
1211
|
-
|
1124
|
+
iplen2 = x509v3_a2i_ipadd(ipout + iplen1, p);
|
1212
1125
|
|
1213
|
-
|
1214
|
-
|
1126
|
+
OPENSSL_free(iptmp);
|
1127
|
+
iptmp = NULL;
|
1215
1128
|
|
1216
|
-
|
1217
|
-
|
1129
|
+
if (!iplen2 || (iplen1 != iplen2)) {
|
1130
|
+
goto err;
|
1131
|
+
}
|
1218
1132
|
|
1219
|
-
|
1220
|
-
|
1221
|
-
|
1222
|
-
|
1223
|
-
|
1133
|
+
ret = ASN1_OCTET_STRING_new();
|
1134
|
+
if (!ret) {
|
1135
|
+
goto err;
|
1136
|
+
}
|
1137
|
+
if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2)) {
|
1138
|
+
goto err;
|
1139
|
+
}
|
1224
1140
|
|
1225
|
-
|
1141
|
+
return ret;
|
1226
1142
|
|
1227
|
-
|
1228
|
-
|
1229
|
-
|
1230
|
-
|
1231
|
-
|
1232
|
-
|
1143
|
+
err:
|
1144
|
+
if (iptmp) {
|
1145
|
+
OPENSSL_free(iptmp);
|
1146
|
+
}
|
1147
|
+
if (ret) {
|
1148
|
+
ASN1_OCTET_STRING_free(ret);
|
1149
|
+
}
|
1150
|
+
return NULL;
|
1233
1151
|
}
|
1234
1152
|
|
1235
|
-
int x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc)
|
1236
|
-
|
1237
|
-
/* If string contains a ':' assume IPv6 */
|
1153
|
+
int x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc) {
|
1154
|
+
// If string contains a ':' assume IPv6
|
1238
1155
|
|
1239
|
-
|
1240
|
-
|
1241
|
-
|
1242
|
-
|
1243
|
-
|
1244
|
-
|
1245
|
-
|
1246
|
-
|
1156
|
+
if (strchr(ipasc, ':')) {
|
1157
|
+
if (!ipv6_from_asc(ipout, ipasc)) {
|
1158
|
+
return 0;
|
1159
|
+
}
|
1160
|
+
return 16;
|
1161
|
+
} else {
|
1162
|
+
if (!ipv4_from_asc(ipout, ipasc)) {
|
1163
|
+
return 0;
|
1247
1164
|
}
|
1165
|
+
return 4;
|
1166
|
+
}
|
1248
1167
|
}
|
1249
1168
|
|
1250
|
-
static int ipv4_from_asc(unsigned char v4[4], const char *in)
|
1251
|
-
|
1252
|
-
|
1253
|
-
|
1254
|
-
|
1255
|
-
|
1256
|
-
|
1257
|
-
|
1258
|
-
|
1259
|
-
|
1260
|
-
|
1261
|
-
|
1262
|
-
|
1169
|
+
static int ipv4_from_asc(unsigned char v4[4], const char *in) {
|
1170
|
+
int a0, a1, a2, a3;
|
1171
|
+
if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4) {
|
1172
|
+
return 0;
|
1173
|
+
}
|
1174
|
+
if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) || (a2 < 0) ||
|
1175
|
+
(a2 > 255) || (a3 < 0) || (a3 > 255)) {
|
1176
|
+
return 0;
|
1177
|
+
}
|
1178
|
+
v4[0] = a0;
|
1179
|
+
v4[1] = a1;
|
1180
|
+
v4[2] = a2;
|
1181
|
+
v4[3] = a3;
|
1182
|
+
return 1;
|
1263
1183
|
}
|
1264
1184
|
|
1265
1185
|
typedef struct {
|
1266
|
-
|
1267
|
-
|
1268
|
-
|
1269
|
-
|
1270
|
-
|
1271
|
-
|
1272
|
-
|
1273
|
-
|
1186
|
+
// Temporary store for IPV6 output
|
1187
|
+
unsigned char tmp[16];
|
1188
|
+
// Total number of bytes in tmp
|
1189
|
+
int total;
|
1190
|
+
// The position of a zero (corresponding to '::')
|
1191
|
+
int zero_pos;
|
1192
|
+
// Number of zeroes
|
1193
|
+
int zero_cnt;
|
1274
1194
|
} IPV6_STAT;
|
1275
1195
|
|
1276
|
-
static int ipv6_from_asc(unsigned char v6[16], const char *in)
|
1277
|
-
|
1278
|
-
|
1279
|
-
|
1280
|
-
|
1281
|
-
|
1282
|
-
|
1283
|
-
|
1284
|
-
|
1285
|
-
|
1286
|
-
|
1287
|
-
if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
|
1288
|
-
return 0;
|
1289
|
-
|
1290
|
-
/* Now for some sanity checks */
|
1196
|
+
static int ipv6_from_asc(unsigned char v6[16], const char *in) {
|
1197
|
+
IPV6_STAT v6stat;
|
1198
|
+
v6stat.total = 0;
|
1199
|
+
v6stat.zero_pos = -1;
|
1200
|
+
v6stat.zero_cnt = 0;
|
1201
|
+
// Treat the IPv6 representation as a list of values separated by ':'.
|
1202
|
+
// The presence of a '::' will parse as one, two or three zero length
|
1203
|
+
// elements.
|
1204
|
+
if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat)) {
|
1205
|
+
return 0;
|
1206
|
+
}
|
1291
1207
|
|
1292
|
-
|
1293
|
-
|
1294
|
-
|
1295
|
-
|
1208
|
+
if (v6stat.zero_pos == -1) {
|
1209
|
+
// If no '::' must have exactly 16 bytes
|
1210
|
+
if (v6stat.total != 16) {
|
1211
|
+
return 0;
|
1212
|
+
}
|
1213
|
+
} else {
|
1214
|
+
// If '::' must have less than 16 bytes
|
1215
|
+
if (v6stat.total >= 16) {
|
1216
|
+
return 0;
|
1217
|
+
}
|
1218
|
+
if (v6stat.zero_cnt > 3) {
|
1219
|
+
// More than three zeroes is an error
|
1220
|
+
return 0;
|
1221
|
+
} else if (v6stat.zero_cnt == 3) {
|
1222
|
+
// Can only have three zeroes if nothing else present
|
1223
|
+
if (v6stat.total > 0) {
|
1224
|
+
return 0;
|
1225
|
+
}
|
1226
|
+
} else if (v6stat.zero_cnt == 2) {
|
1227
|
+
// Can only have two zeroes if at start or end
|
1228
|
+
if (v6stat.zero_pos != 0 && v6stat.zero_pos != v6stat.total) {
|
1229
|
+
return 0;
|
1230
|
+
}
|
1296
1231
|
} else {
|
1297
|
-
|
1298
|
-
|
1299
|
-
|
1300
|
-
|
1301
|
-
if (v6stat.zero_cnt > 3)
|
1302
|
-
return 0;
|
1303
|
-
/* Can only have three zeroes if nothing else present */
|
1304
|
-
else if (v6stat.zero_cnt == 3) {
|
1305
|
-
if (v6stat.total > 0)
|
1306
|
-
return 0;
|
1307
|
-
}
|
1308
|
-
/* Can only have two zeroes if at start or end */
|
1309
|
-
else if (v6stat.zero_cnt == 2) {
|
1310
|
-
if ((v6stat.zero_pos != 0)
|
1311
|
-
&& (v6stat.zero_pos != v6stat.total))
|
1312
|
-
return 0;
|
1313
|
-
} else
|
1314
|
-
/* Can only have one zero if *not* start or end */
|
1315
|
-
{
|
1316
|
-
if ((v6stat.zero_pos == 0)
|
1317
|
-
|| (v6stat.zero_pos == v6stat.total))
|
1318
|
-
return 0;
|
1319
|
-
}
|
1232
|
+
// Can only have one zero if *not* start or end
|
1233
|
+
if (v6stat.zero_pos == 0 || v6stat.zero_pos == v6stat.total) {
|
1234
|
+
return 0;
|
1235
|
+
}
|
1320
1236
|
}
|
1237
|
+
}
|
1238
|
+
|
1239
|
+
// Format the result.
|
1240
|
+
if (v6stat.zero_pos >= 0) {
|
1241
|
+
// Copy initial part
|
1242
|
+
OPENSSL_memcpy(v6, v6stat.tmp, v6stat.zero_pos);
|
1243
|
+
// Zero middle
|
1244
|
+
OPENSSL_memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
|
1245
|
+
// Copy final part
|
1246
|
+
if (v6stat.total != v6stat.zero_pos) {
|
1247
|
+
OPENSSL_memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
|
1248
|
+
v6stat.tmp + v6stat.zero_pos,
|
1249
|
+
v6stat.total - v6stat.zero_pos);
|
1250
|
+
}
|
1251
|
+
} else {
|
1252
|
+
OPENSSL_memcpy(v6, v6stat.tmp, 16);
|
1253
|
+
}
|
1321
1254
|
|
1322
|
-
|
1323
|
-
|
1324
|
-
if (v6stat.zero_pos >= 0) {
|
1325
|
-
/* Copy initial part */
|
1326
|
-
OPENSSL_memcpy(v6, v6stat.tmp, v6stat.zero_pos);
|
1327
|
-
/* Zero middle */
|
1328
|
-
OPENSSL_memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
|
1329
|
-
/* Copy final part */
|
1330
|
-
if (v6stat.total != v6stat.zero_pos)
|
1331
|
-
OPENSSL_memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
|
1332
|
-
v6stat.tmp + v6stat.zero_pos,
|
1333
|
-
v6stat.total - v6stat.zero_pos);
|
1334
|
-
} else
|
1335
|
-
OPENSSL_memcpy(v6, v6stat.tmp, 16);
|
1336
|
-
|
1337
|
-
return 1;
|
1255
|
+
return 1;
|
1338
1256
|
}
|
1339
1257
|
|
1340
|
-
static int ipv6_cb(const char *elem,
|
1341
|
-
|
1342
|
-
|
1343
|
-
|
1344
|
-
|
1258
|
+
static int ipv6_cb(const char *elem, size_t len, void *usr) {
|
1259
|
+
IPV6_STAT *s = usr;
|
1260
|
+
// Error if 16 bytes written
|
1261
|
+
if (s->total == 16) {
|
1262
|
+
return 0;
|
1263
|
+
}
|
1264
|
+
if (len == 0) {
|
1265
|
+
// Zero length element, corresponds to '::'
|
1266
|
+
if (s->zero_pos == -1) {
|
1267
|
+
s->zero_pos = s->total;
|
1268
|
+
} else if (s->zero_pos != s->total) {
|
1269
|
+
// If we've already got a :: its an error
|
1270
|
+
return 0;
|
1271
|
+
}
|
1272
|
+
if (s->zero_cnt >= 3) {
|
1273
|
+
// More than three zeros is an error.
|
1274
|
+
return 0;
|
1275
|
+
}
|
1276
|
+
s->zero_cnt++;
|
1277
|
+
} else {
|
1278
|
+
// If more than 4 characters could be final a.b.c.d form
|
1279
|
+
if (len > 4) {
|
1280
|
+
// Need at least 4 bytes left
|
1281
|
+
if (s->total > 12) {
|
1282
|
+
return 0;
|
1283
|
+
}
|
1284
|
+
// Must be end of string
|
1285
|
+
if (elem[len]) {
|
1286
|
+
return 0;
|
1287
|
+
}
|
1288
|
+
if (!ipv4_from_asc(s->tmp + s->total, elem)) {
|
1345
1289
|
return 0;
|
1346
|
-
|
1347
|
-
|
1348
|
-
if (s->zero_pos == -1)
|
1349
|
-
s->zero_pos = s->total;
|
1350
|
-
/* If we've already got a :: its an error */
|
1351
|
-
else if (s->zero_pos != s->total)
|
1352
|
-
return 0;
|
1353
|
-
s->zero_cnt++;
|
1290
|
+
}
|
1291
|
+
s->total += 4;
|
1354
1292
|
} else {
|
1355
|
-
|
1356
|
-
|
1357
|
-
|
1358
|
-
|
1359
|
-
return 0;
|
1360
|
-
/* Must be end of string */
|
1361
|
-
if (elem[len])
|
1362
|
-
return 0;
|
1363
|
-
if (!ipv4_from_asc(s->tmp + s->total, elem))
|
1364
|
-
return 0;
|
1365
|
-
s->total += 4;
|
1366
|
-
} else {
|
1367
|
-
if (!ipv6_hex(s->tmp + s->total, elem, len))
|
1368
|
-
return 0;
|
1369
|
-
s->total += 2;
|
1370
|
-
}
|
1293
|
+
if (!ipv6_hex(s->tmp + s->total, elem, len)) {
|
1294
|
+
return 0;
|
1295
|
+
}
|
1296
|
+
s->total += 2;
|
1371
1297
|
}
|
1372
|
-
|
1298
|
+
}
|
1299
|
+
return 1;
|
1373
1300
|
}
|
1374
1301
|
|
1375
|
-
|
1376
|
-
* Convert a string of up to 4 hex digits into the corresponding IPv6 form.
|
1377
|
-
*/
|
1302
|
+
// Convert a string of up to 4 hex digits into the corresponding IPv6 form.
|
1378
1303
|
|
1379
|
-
static int ipv6_hex(unsigned char *out, const char *in,
|
1380
|
-
{
|
1381
|
-
|
1382
|
-
|
1383
|
-
|
1384
|
-
|
1385
|
-
|
1386
|
-
|
1387
|
-
|
1388
|
-
if ((c >= '0') && (c <= '9'))
|
1389
|
-
num |= c - '0';
|
1390
|
-
else if ((c >= 'A') && (c <= 'F'))
|
1391
|
-
num |= c - 'A' + 10;
|
1392
|
-
else if ((c >= 'a') && (c <= 'f'))
|
1393
|
-
num |= c - 'a' + 10;
|
1394
|
-
else
|
1395
|
-
return 0;
|
1304
|
+
static int ipv6_hex(unsigned char *out, const char *in, size_t inlen) {
|
1305
|
+
if (inlen > 4) {
|
1306
|
+
return 0;
|
1307
|
+
}
|
1308
|
+
uint16_t num = 0;
|
1309
|
+
while (inlen--) {
|
1310
|
+
uint8_t val;
|
1311
|
+
if (!OPENSSL_fromxdigit(&val, *in++)) {
|
1312
|
+
return 0;
|
1396
1313
|
}
|
1397
|
-
|
1398
|
-
|
1399
|
-
|
1314
|
+
num = (num << 4) | val;
|
1315
|
+
}
|
1316
|
+
out[0] = num >> 8;
|
1317
|
+
out[1] = num & 0xff;
|
1318
|
+
return 1;
|
1400
1319
|
}
|
1401
1320
|
|
1402
|
-
int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF
|
1403
|
-
|
1404
|
-
{
|
1405
|
-
|
1321
|
+
int X509V3_NAME_from_section(X509_NAME *nm, const STACK_OF(CONF_VALUE) *dn_sk,
|
1322
|
+
int chtype) {
|
1323
|
+
if (!nm) {
|
1324
|
+
return 0;
|
1325
|
+
}
|
1326
|
+
|
1327
|
+
for (size_t i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
|
1328
|
+
const CONF_VALUE *v = sk_CONF_VALUE_value(dn_sk, i);
|
1329
|
+
const char *type = v->name;
|
1330
|
+
// Skip past any leading X. X: X, etc to allow for multiple instances
|
1331
|
+
for (const char *p = type; *p; p++) {
|
1332
|
+
if ((*p == ':') || (*p == ',') || (*p == '.')) {
|
1333
|
+
p++;
|
1334
|
+
if (*p) {
|
1335
|
+
type = p;
|
1336
|
+
}
|
1337
|
+
break;
|
1338
|
+
}
|
1339
|
+
}
|
1406
1340
|
int mval;
|
1407
|
-
|
1408
|
-
|
1409
|
-
|
1410
|
-
|
1411
|
-
|
1412
|
-
for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
|
1413
|
-
v = sk_CONF_VALUE_value(dn_sk, i);
|
1414
|
-
type = v->name;
|
1415
|
-
/*
|
1416
|
-
* Skip past any leading X. X: X, etc to allow for multiple instances
|
1417
|
-
*/
|
1418
|
-
for (p = type; *p; p++)
|
1419
|
-
if ((*p == ':') || (*p == ',') || (*p == '.')) {
|
1420
|
-
p++;
|
1421
|
-
if (*p)
|
1422
|
-
type = p;
|
1423
|
-
break;
|
1424
|
-
}
|
1425
|
-
if (*type == '+') {
|
1426
|
-
mval = -1;
|
1427
|
-
type++;
|
1428
|
-
} else
|
1429
|
-
mval = 0;
|
1430
|
-
if (!X509_NAME_add_entry_by_txt(nm, type, chtype,
|
1431
|
-
(unsigned char *)v->value, -1, -1,
|
1432
|
-
mval))
|
1433
|
-
return 0;
|
1434
|
-
|
1341
|
+
if (*type == '+') {
|
1342
|
+
mval = -1;
|
1343
|
+
type++;
|
1344
|
+
} else {
|
1345
|
+
mval = 0;
|
1435
1346
|
}
|
1436
|
-
|
1347
|
+
if (!X509_NAME_add_entry_by_txt(nm, type, chtype, (unsigned char *)v->value,
|
1348
|
+
-1, -1, mval)) {
|
1349
|
+
return 0;
|
1350
|
+
}
|
1351
|
+
}
|
1352
|
+
return 1;
|
1437
1353
|
}
|