grpc 1.53.1 → 1.54.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +78 -66
- data/include/grpc/event_engine/event_engine.h +30 -14
- data/include/grpc/grpc_security.h +4 -0
- data/include/grpc/support/port_platform.h +4 -4
- data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +11 -0
- data/src/core/ext/filters/client_channel/backend_metric.cc +6 -0
- data/src/core/ext/filters/client_channel/backup_poller.cc +2 -11
- data/src/core/ext/filters/client_channel/backup_poller.h +0 -3
- data/src/core/ext/filters/client_channel/client_channel.cc +848 -813
- data/src/core/ext/filters/client_channel/client_channel.h +131 -173
- data/src/core/ext/filters/client_channel/client_channel_internal.h +114 -0
- data/src/core/ext/filters/client_channel/config_selector.h +4 -3
- data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +6 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +17 -18
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +134 -151
- data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +2 -16
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +14 -10
- data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +68 -30
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +11 -3
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -1
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +2 -5
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +30 -38
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +20 -26
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +31 -179
- data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +1 -2
- data/src/core/ext/filters/client_channel/resolver/polling_resolver.h +1 -2
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +4 -2
- data/src/core/ext/filters/client_channel/retry_filter.cc +95 -102
- data/src/core/ext/filters/client_channel/subchannel.cc +2 -4
- data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +26 -27
- data/src/core/ext/filters/client_channel/subchannel_stream_client.h +8 -5
- data/src/core/ext/filters/http/client/http_client_filter.cc +3 -3
- data/src/core/ext/filters/http/http_filters_plugin.cc +1 -12
- data/src/core/ext/filters/http/message_compress/compression_filter.cc +27 -11
- data/src/core/ext/filters/message_size/message_size_filter.cc +141 -224
- data/src/core/ext/filters/message_size/message_size_filter.h +48 -3
- data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +7 -6
- data/src/core/ext/gcp/metadata_query.cc +142 -0
- data/src/core/ext/gcp/metadata_query.h +82 -0
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +70 -55
- data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +8 -12
- data/src/core/ext/transport/chttp2/transport/bin_encoder.h +1 -5
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +116 -58
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +5 -2
- data/src/core/ext/transport/chttp2/transport/flow_control.h +2 -1
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +4 -1
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +222 -118
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +113 -295
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.cc +0 -2
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.h +0 -2
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +277 -451
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +1 -3
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +12 -14
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +1 -9
- data/src/core/ext/transport/chttp2/transport/internal.h +16 -3
- data/src/core/ext/transport/chttp2/transport/parsing.cc +3 -2
- data/src/core/ext/transport/chttp2/transport/writing.cc +10 -5
- data/src/core/ext/transport/inproc/inproc_transport.cc +20 -14
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +23 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +94 -3
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -2
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +6 -3
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +24 -6
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +111 -12
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +9 -7
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +27 -9
- data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +11 -7
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +56 -12
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.h +24 -0
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.h +24 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.c +13 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.h +49 -0
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +24 -9
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +66 -12
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +191 -187
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +139 -136
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +31 -15
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +15 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +54 -45
- data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c +135 -119
- data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +100 -97
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.c +15 -18
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +272 -264
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +117 -117
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.h +5 -0
- data/src/core/ext/xds/xds_channel_stack_modifier.cc +1 -2
- data/src/core/ext/xds/xds_client_stats.cc +29 -15
- data/src/core/ext/xds/xds_client_stats.h +24 -20
- data/src/core/ext/xds/xds_endpoint.cc +5 -2
- data/src/core/ext/xds/xds_endpoint.h +9 -1
- data/src/core/ext/xds/xds_http_rbac_filter.cc +1 -1
- data/src/core/ext/xds/xds_lb_policy_registry.cc +13 -0
- data/src/core/ext/xds/xds_transport_grpc.cc +1 -1
- data/src/core/lib/channel/call_finalization.h +1 -1
- data/src/core/lib/channel/call_tracer.cc +51 -0
- data/src/core/lib/channel/call_tracer.h +101 -38
- data/src/core/lib/channel/connected_channel.cc +483 -1050
- data/src/core/lib/channel/context.h +8 -1
- data/src/core/lib/channel/promise_based_filter.cc +106 -42
- data/src/core/lib/channel/promise_based_filter.h +27 -13
- data/src/core/lib/channel/server_call_tracer_filter.cc +110 -0
- data/src/core/lib/config/config_vars.cc +151 -0
- data/src/core/lib/config/config_vars.h +127 -0
- data/src/core/lib/config/config_vars_non_generated.cc +51 -0
- data/src/core/lib/config/load_config.cc +66 -0
- data/src/core/lib/config/load_config.h +49 -0
- data/src/core/lib/debug/trace.cc +5 -6
- data/src/core/lib/debug/trace.h +0 -5
- data/src/core/lib/event_engine/event_engine.cc +37 -2
- data/src/core/lib/event_engine/handle_containers.h +7 -22
- data/src/core/lib/event_engine/memory_allocator_factory.h +47 -0
- data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +0 -4
- data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +3 -9
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +48 -15
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +8 -8
- data/src/core/lib/event_engine/posix_engine/posix_engine.cc +6 -5
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +6 -3
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +27 -18
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +0 -3
- data/src/core/lib/event_engine/resolved_address.cc +2 -1
- data/src/core/lib/event_engine/windows/win_socket.cc +0 -1
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +129 -82
- data/src/core/lib/event_engine/windows/windows_endpoint.h +21 -5
- data/src/core/lib/event_engine/windows/windows_engine.cc +39 -18
- data/src/core/lib/event_engine/windows/windows_engine.h +2 -1
- data/src/core/lib/event_engine/windows/windows_listener.cc +370 -0
- data/src/core/lib/event_engine/windows/windows_listener.h +155 -0
- data/src/core/lib/experiments/config.cc +3 -10
- data/src/core/lib/experiments/experiments.cc +7 -0
- data/src/core/lib/experiments/experiments.h +9 -1
- data/src/core/lib/gpr/log.cc +15 -28
- data/src/core/lib/gprpp/fork.cc +8 -14
- data/src/core/lib/gprpp/orphanable.h +4 -3
- data/src/core/lib/gprpp/per_cpu.h +9 -3
- data/src/core/lib/gprpp/{thd_posix.cc → posix/thd.cc} +49 -37
- data/src/core/lib/gprpp/ref_counted.h +33 -34
- data/src/core/lib/gprpp/thd.h +16 -0
- data/src/core/lib/gprpp/time.cc +1 -0
- data/src/core/lib/gprpp/time.h +4 -4
- data/src/core/lib/gprpp/{thd_windows.cc → windows/thd.cc} +2 -2
- data/src/core/lib/iomgr/call_combiner.h +2 -2
- data/src/core/lib/iomgr/endpoint_cfstream.cc +4 -2
- data/src/core/lib/iomgr/ev_posix.cc +13 -53
- data/src/core/lib/iomgr/ev_posix.h +0 -3
- data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +103 -76
- data/src/core/lib/iomgr/iomgr.cc +4 -8
- data/src/core/lib/iomgr/iomgr_windows.cc +8 -2
- data/src/core/lib/iomgr/pollset_set_windows.cc +9 -9
- data/src/core/lib/iomgr/pollset_windows.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -3
- data/src/core/lib/iomgr/tcp_client_windows.cc +2 -2
- data/src/core/lib/iomgr/tcp_posix.cc +0 -1
- data/src/core/lib/iomgr/tcp_server_posix.cc +5 -16
- data/src/core/lib/iomgr/tcp_server_windows.cc +176 -9
- data/src/core/lib/iomgr/tcp_windows.cc +12 -8
- data/src/core/lib/load_balancing/lb_policy.cc +9 -13
- data/src/core/lib/load_balancing/lb_policy.h +4 -2
- data/src/core/lib/promise/activity.cc +22 -6
- data/src/core/lib/promise/activity.h +61 -24
- data/src/core/lib/promise/cancel_callback.h +77 -0
- data/src/core/lib/promise/detail/basic_seq.h +1 -1
- data/src/core/lib/promise/detail/promise_factory.h +4 -0
- data/src/core/lib/promise/for_each.h +176 -0
- data/src/core/lib/promise/if.h +9 -0
- data/src/core/lib/promise/interceptor_list.h +23 -2
- data/src/core/lib/promise/latch.h +89 -3
- data/src/core/lib/promise/loop.h +13 -9
- data/src/core/lib/promise/map.h +7 -0
- data/src/core/lib/promise/party.cc +286 -0
- data/src/core/lib/promise/party.h +499 -0
- data/src/core/lib/promise/pipe.h +197 -57
- data/src/core/lib/promise/poll.h +48 -0
- data/src/core/lib/promise/promise.h +2 -2
- data/src/core/lib/resource_quota/arena.cc +19 -3
- data/src/core/lib/resource_quota/arena.h +119 -5
- data/src/core/lib/resource_quota/memory_quota.cc +1 -1
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +12 -35
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +1 -0
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +0 -59
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +10 -5
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +13 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +2 -0
- data/src/core/lib/security/security_connector/load_system_roots_supported.cc +5 -9
- data/src/core/lib/security/security_connector/ssl_utils.cc +11 -25
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +12 -0
- data/src/core/lib/security/transport/secure_endpoint.cc +4 -2
- data/src/core/lib/security/transport/server_auth_filter.cc +20 -2
- data/src/core/lib/slice/slice.cc +1 -1
- data/src/core/lib/surface/builtins.cc +2 -0
- data/src/core/lib/surface/call.cc +926 -1024
- data/src/core/lib/surface/call.h +10 -0
- data/src/core/lib/surface/lame_client.cc +1 -0
- data/src/core/lib/surface/validate_metadata.cc +42 -43
- data/src/core/lib/surface/validate_metadata.h +0 -9
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/batch_builder.cc +179 -0
- data/src/core/lib/transport/batch_builder.h +468 -0
- data/src/core/lib/transport/bdp_estimator.cc +7 -7
- data/src/core/lib/transport/bdp_estimator.h +10 -6
- data/src/core/lib/transport/custom_metadata.h +30 -0
- data/src/core/lib/transport/metadata_batch.cc +5 -2
- data/src/core/lib/transport/metadata_batch.h +17 -113
- data/src/core/lib/transport/parsed_metadata.h +6 -16
- data/src/core/lib/transport/timeout_encoding.cc +6 -1
- data/src/core/lib/transport/transport.cc +30 -2
- data/src/core/lib/transport/transport.h +70 -14
- data/src/core/lib/transport/transport_impl.h +7 -0
- data/src/core/lib/transport/transport_op_string.cc +52 -42
- data/src/core/plugin_registry/grpc_plugin_registry.cc +2 -2
- data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +1 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +21 -4
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +5 -0
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
- data/src/core/tsi/ssl_transport_security.cc +4 -2
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/abseil-cpp/absl/base/config.h +1 -1
- data/third_party/abseil-cpp/absl/flags/commandlineflag.cc +34 -0
- data/third_party/abseil-cpp/absl/flags/commandlineflag.h +200 -0
- data/third_party/abseil-cpp/absl/flags/config.h +68 -0
- data/third_party/abseil-cpp/absl/flags/declare.h +73 -0
- data/third_party/abseil-cpp/absl/flags/flag.cc +38 -0
- data/third_party/abseil-cpp/absl/flags/flag.h +310 -0
- data/{src/core/lib/gprpp/global_config_custom.h → third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc} +11 -14
- data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.h +68 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag.cc +615 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag.h +800 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag_msvc.inc +116 -0
- data/third_party/abseil-cpp/absl/flags/internal/path_util.h +62 -0
- data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc +65 -0
- data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h +61 -0
- data/third_party/abseil-cpp/absl/flags/internal/program_name.cc +60 -0
- data/third_party/abseil-cpp/absl/flags/internal/program_name.h +50 -0
- data/third_party/abseil-cpp/absl/flags/internal/registry.h +97 -0
- data/third_party/abseil-cpp/absl/flags/internal/sequence_lock.h +187 -0
- data/third_party/abseil-cpp/absl/flags/marshalling.cc +241 -0
- data/third_party/abseil-cpp/absl/flags/marshalling.h +356 -0
- data/third_party/abseil-cpp/absl/flags/reflection.cc +354 -0
- data/third_party/abseil-cpp/absl/flags/reflection.h +90 -0
- data/third_party/abseil-cpp/absl/flags/usage_config.cc +165 -0
- data/third_party/abseil-cpp/absl/flags/usage_config.h +135 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +12 -8
- data/third_party/boringssl-with-bazel/err_data.c +728 -712
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +177 -177
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +28 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +21 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +20 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +66 -185
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +18 -21
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +356 -311
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +174 -194
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +146 -210
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +6 -9
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c +346 -526
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +110 -131
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +130 -116
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +93 -60
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +93 -181
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +242 -305
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +41 -18
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +30 -33
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +36 -33
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +29 -26
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +133 -88
- data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.c +230 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +791 -791
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +526 -526
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +114 -135
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +201 -207
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +21 -26
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +55 -68
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +11 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +15 -9
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +17 -10
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -3
- data/third_party/boringssl-with-bazel/src/crypto/bio/printf.c +0 -13
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +9 -5
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +10 -23
- data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +2 -6
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +29 -28
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +161 -201
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +254 -39
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +37 -75
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +8 -10
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/cipher → cipher_extra}/e_des.c +100 -78
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc2.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +6 -12
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -11
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +6 -10
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf_def.h +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +12 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.c +74 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_freebsd.c +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-fuchsia.c → cpu_aarch64_fuchsia.c} +8 -7
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-linux.c → cpu_aarch64_linux.c} +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-win.c → cpu_aarch64_win.c} +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm.c → cpu_arm.c} +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.c +55 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.c → cpu_arm_linux.c} +11 -90
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.h → cpu_arm_linux.h} +0 -38
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-intel.c → cpu_intel.c} +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +25 -20
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +16 -27
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +17 -32
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/des.c +232 -232
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/dh_extra/params.c +232 -29
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +0 -3
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +39 -16
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +37 -7
- data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +11 -36
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +214 -99
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +21 -5
- data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/err/err.c +83 -60
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +46 -12
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +25 -23
- data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +43 -9
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +75 -44
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +19 -25
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +96 -45
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +7 -8
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +26 -23
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.c +233 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +42 -25
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +35 -47
- data/third_party/boringssl-with-bazel/src/crypto/evp/print.c +135 -244
- data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/evp/sign.c +15 -10
- data/third_party/boringssl-with-bazel/src/crypto/ex_data.c +29 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +13 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +3 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +13 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +9 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +35 -27
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +16 -26
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c +88 -60
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +99 -113
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +5 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c +112 -168
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +86 -31
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +11 -6
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +13 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +13 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +19 -108
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +19 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +15 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +22 -21
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +79 -19
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +102 -99
- data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c +52 -46
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +39 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c +55 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +21 -6
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +56 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +5 -3
- data/third_party/boringssl-with-bazel/src/crypto/{evp → fipsmodule/digestsign}/digestsign.c +51 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +25 -25
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +91 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +34 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +54 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +44 -60
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64-table.h → p256-nistz-table.h} +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.c → p256-nistz.c} +60 -53
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.h → p256-nistz.h} +5 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +48 -36
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +2 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +2 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +42 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +6 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.c +52 -24
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +9 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +71 -43
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +14 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +31 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +16 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +9 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +73 -59
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -45
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +22 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +63 -52
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +107 -62
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +58 -31
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +523 -422
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +89 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c +334 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +3 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +12 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +14 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +19 -6
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +32 -14
- data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +65 -29
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +373 -18
- data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +61 -0
- data/third_party/boringssl-with-bazel/src/crypto/kyber/keccak.c +205 -0
- data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +13 -1
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +220 -13
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +19 -7
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +13 -1
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +81 -90
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +150 -245
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +629 -613
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +17 -17
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +142 -149
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +99 -131
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +0 -3
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -66
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +31 -38
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +18 -31
- data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +8 -1
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +129 -5
- data/third_party/boringssl-with-bazel/src/crypto/refcount_c11.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +8 -11
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +61 -27
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +66 -34
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +190 -77
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +81 -284
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +109 -42
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c +22 -24
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +54 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +32 -34
- data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +32 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +465 -704
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +284 -331
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +183 -178
- data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c +11 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +67 -50
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +153 -150
- data/third_party/boringssl-with-bazel/src/crypto/x509/policy.c +786 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +95 -102
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +72 -57
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +12 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +227 -252
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +52 -47
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +230 -224
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +161 -327
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.c +37 -33
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +14 -31
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +55 -85
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +534 -618
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +129 -122
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +116 -182
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +132 -132
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +181 -202
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +64 -79
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +175 -160
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +1865 -2050
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +433 -462
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +156 -163
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +267 -263
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +40 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +59 -63
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +63 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +114 -144
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +25 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +326 -415
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +8 -7
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_info.c +30 -28
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +354 -370
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +37 -32
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +116 -119
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +36 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +419 -261
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +113 -105
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +11 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +78 -170
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +126 -131
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akeya.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +465 -469
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bcons.c +56 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +46 -49
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +309 -346
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +341 -365
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +429 -393
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +29 -24
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_extku.c +65 -59
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +125 -121
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +43 -42
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +122 -125
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_int.c +50 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +247 -253
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +386 -389
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +45 -32
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c +57 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c +63 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +143 -136
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +664 -707
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +83 -75
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1062 -1146
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +8 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +28 -48
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +211 -187
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +26 -78
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +19 -14
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +21 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +49 -17
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +99 -29
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +49 -60
- data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +2 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +16 -200
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +34 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +82 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +32 -30
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +7 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +48 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +37 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +33 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +22 -30
- data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +7 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +41 -16
- data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +91 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +74 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +13 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +11 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +8 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +12 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +7 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +96 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +13 -21
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +139 -75
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +1 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +384 -286
- data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +5 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/time.h +41 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +18 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +49 -23
- data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +0 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1592 -1074
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +202 -205
- data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -13
- data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +17 -18
- data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +4 -5
- data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +25 -33
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +34 -20
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +65 -34
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +198 -54
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +5 -5
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +32 -28
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +76 -44
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +130 -98
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +27 -11
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +91 -75
- data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +8 -10
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +39 -65
- data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +1 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +5 -9
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +30 -33
- data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +77 -100
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +120 -107
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +164 -30
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +150 -60
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +22 -11
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +22 -6
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +15 -13
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +5 -43
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +7 -4
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +22 -34
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +16 -98
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +1241 -657
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +751 -398
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3551 -1938
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1272 -487
- metadata +103 -70
- data/src/core/ext/filters/client_channel/lb_call_state_internal.h +0 -39
- data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.cc +0 -30
- data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.h +0 -29
- data/src/core/lib/gprpp/global_config.h +0 -93
- data/src/core/lib/gprpp/global_config_env.cc +0 -140
- data/src/core/lib/gprpp/global_config_env.h +0 -133
- data/src/core/lib/gprpp/global_config_generic.h +0 -40
- data/src/core/lib/promise/intra_activity_waiter.h +0 -55
- data/src/core/lib/security/security_connector/ssl_utils_config.cc +0 -32
- data/src/core/lib/security/security_connector/ssl_utils_config.h +0 -29
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +0 -195
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +0 -83
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +0 -236
- data/third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h +0 -15
- data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +0 -206
- data/third_party/boringssl-with-bazel/src/crypto/cpu-ppc64le.c +0 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1-altivec.c +0 -361
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +0 -287
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +0 -132
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_lib.c +0 -155
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +0 -131
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +0 -189
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +0 -843
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +0 -289
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c +0 -57
- /data/src/core/lib/gpr/{log_android.cc → android/log.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_iphone.cc → iphone/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_linux.cc → linux/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_linux.cc → linux/log.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_msys.cc → msys/tmpfile.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_posix.cc → posix/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_posix.cc → posix/log.cc} +0 -0
- /data/src/core/lib/gpr/{string_posix.cc → posix/string.cc} +0 -0
- /data/src/core/lib/gpr/{sync_posix.cc → posix/sync.cc} +0 -0
- /data/src/core/lib/gpr/{time_posix.cc → posix/time.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_posix.cc → posix/tmpfile.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_windows.cc → windows/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_windows.cc → windows/log.cc} +0 -0
- /data/src/core/lib/gpr/{string_windows.cc → windows/string.cc} +0 -0
- /data/src/core/lib/gpr/{string_util_windows.cc → windows/string_util.cc} +0 -0
- /data/src/core/lib/gpr/{sync_windows.cc → windows/sync.cc} +0 -0
- /data/src/core/lib/gpr/{time_windows.cc → windows/time.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_windows.cc → windows/tmpfile.cc} +0 -0
- /data/src/core/lib/gprpp/{env_linux.cc → linux/env.cc} +0 -0
- /data/src/core/lib/gprpp/{env_posix.cc → posix/env.cc} +0 -0
- /data/src/core/lib/gprpp/{stat_posix.cc → posix/stat.cc} +0 -0
- /data/src/core/lib/gprpp/{env_windows.cc → windows/env.cc} +0 -0
- /data/src/core/lib/gprpp/{stat_windows.cc → windows/stat.cc} +0 -0
|
@@ -25,9 +25,20 @@ extern "C" {
|
|
|
25
25
|
// Random number generation.
|
|
26
26
|
|
|
27
27
|
|
|
28
|
-
// RAND_bytes writes |len| bytes of random data to |buf| and returns one.
|
|
28
|
+
// RAND_bytes writes |len| bytes of random data to |buf| and returns one. In the
|
|
29
|
+
// event that sufficient random data can not be obtained, |abort| is called.
|
|
29
30
|
OPENSSL_EXPORT int RAND_bytes(uint8_t *buf, size_t len);
|
|
30
31
|
|
|
32
|
+
// RAND_get_system_entropy_for_custom_prng writes |len| bytes of random data
|
|
33
|
+
// from a system entropy source to |buf|. The maximum length of entropy which
|
|
34
|
+
// may be requested is 256 bytes. If more than 256 bytes of data is requested,
|
|
35
|
+
// or if sufficient random data can not be obtained, |abort| is called.
|
|
36
|
+
// |RAND_bytes| should normally be used instead of this function. This function
|
|
37
|
+
// should only be used for seed values or where |malloc| should not be called
|
|
38
|
+
// from BoringSSL. This function is not FIPS compliant.
|
|
39
|
+
OPENSSL_EXPORT void RAND_get_system_entropy_for_custom_prng(uint8_t *buf,
|
|
40
|
+
size_t len);
|
|
41
|
+
|
|
31
42
|
// RAND_cleanup frees any resources used by the RNG. This is not safe if other
|
|
32
43
|
// threads might still be calling |RAND_bytes|.
|
|
33
44
|
OPENSSL_EXPORT void RAND_cleanup(void);
|
|
@@ -298,8 +298,8 @@ OPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from,
|
|
|
298
298
|
// |hash_nid|. Passing unhashed inputs will not result in a secure signature
|
|
299
299
|
// scheme.
|
|
300
300
|
OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *digest,
|
|
301
|
-
|
|
302
|
-
|
|
301
|
+
size_t digest_len, uint8_t *out, unsigned *out_len,
|
|
302
|
+
RSA *rsa);
|
|
303
303
|
|
|
304
304
|
// RSA_sign_pss_mgf1 signs |digest_len| bytes from |digest| with the public key
|
|
305
305
|
// from |rsa| using RSASSA-PSS with MGF1 as the mask generation function. It
|
|
@@ -615,6 +615,9 @@ OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *rsa, int idx);
|
|
|
615
615
|
// constants.
|
|
616
616
|
OPENSSL_EXPORT int RSA_flags(const RSA *rsa);
|
|
617
617
|
|
|
618
|
+
// RSA_test_flags returns the subset of flags in |flags| which are set in |rsa|.
|
|
619
|
+
OPENSSL_EXPORT int RSA_test_flags(const RSA *rsa, int flags);
|
|
620
|
+
|
|
618
621
|
// RSA_blinding_on returns one.
|
|
619
622
|
OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
|
|
620
623
|
|
|
@@ -622,7 +625,7 @@ OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
|
|
|
622
625
|
// should use instead. It returns NULL on error, or a newly-allocated |RSA| on
|
|
623
626
|
// success. This function is provided for compatibility only. The |callback|
|
|
624
627
|
// and |cb_arg| parameters must be NULL.
|
|
625
|
-
OPENSSL_EXPORT RSA *RSA_generate_key(int bits,
|
|
628
|
+
OPENSSL_EXPORT RSA *RSA_generate_key(int bits, uint64_t e, void *callback,
|
|
626
629
|
void *cb_arg);
|
|
627
630
|
|
|
628
631
|
// d2i_RSAPublicKey parses a DER-encoded RSAPublicKey structure (RFC 8017) from
|
|
@@ -772,7 +775,7 @@ struct rsa_st {
|
|
|
772
775
|
// num_blindings contains the size of the |blindings| and |blindings_inuse|
|
|
773
776
|
// arrays. This member and the |blindings_inuse| array are protected by
|
|
774
777
|
// |lock|.
|
|
775
|
-
|
|
778
|
+
size_t num_blindings;
|
|
776
779
|
// blindings is an array of BN_BLINDING structures that can be reserved by a
|
|
777
780
|
// thread by locking |lock| and changing the corresponding element in
|
|
778
781
|
// |blindings_inuse| from 0 to 1.
|
|
@@ -0,0 +1,96 @@
|
|
|
1
|
+
/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
|
|
2
|
+
*
|
|
3
|
+
* Permission to use, copy, modify, and/or distribute this software for any
|
|
4
|
+
* purpose with or without fee is hereby granted, provided that the above
|
|
5
|
+
* copyright notice and this permission notice appear in all copies.
|
|
6
|
+
*
|
|
7
|
+
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
8
|
+
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
9
|
+
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
|
10
|
+
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
11
|
+
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
|
12
|
+
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
|
13
|
+
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
|
14
|
+
|
|
15
|
+
#ifndef OPENSSL_HEADER_SERVICE_INDICATOR_H
|
|
16
|
+
#define OPENSSL_HEADER_SERVICE_INDICATOR_H
|
|
17
|
+
|
|
18
|
+
#include <openssl/base.h>
|
|
19
|
+
|
|
20
|
+
#if defined(__cplusplus)
|
|
21
|
+
extern "C" {
|
|
22
|
+
#endif
|
|
23
|
+
|
|
24
|
+
// FIPS_service_indicator_before_call and |FIPS_service_indicator_after_call|
|
|
25
|
+
// both currently return the same local thread counter which is slowly
|
|
26
|
+
// incremented whenever approved services are called. The
|
|
27
|
+
// |CALL_SERVICE_AND_CHECK_APPROVED| macro is strongly recommended over calling
|
|
28
|
+
// these functions directly.
|
|
29
|
+
//
|
|
30
|
+
// |FIPS_service_indicator_before_call| is intended to be called immediately
|
|
31
|
+
// before an approved service, while |FIPS_service_indicator_after_call| should
|
|
32
|
+
// be called immediately after. If the values returned from these two functions
|
|
33
|
+
// are not equal, this means that the service called inbetween is deemed to be
|
|
34
|
+
// approved. If the values are still the same, this means the counter has not
|
|
35
|
+
// been incremented, and the service called is not approved for FIPS.
|
|
36
|
+
//
|
|
37
|
+
// In non-FIPS builds, |FIPS_service_indicator_before_call| always returns zero
|
|
38
|
+
// and |FIPS_service_indicator_after_call| always returns one. Thus calls always
|
|
39
|
+
// appear to be approved. This is intended to simplify testing.
|
|
40
|
+
OPENSSL_EXPORT uint64_t FIPS_service_indicator_before_call(void);
|
|
41
|
+
OPENSSL_EXPORT uint64_t FIPS_service_indicator_after_call(void);
|
|
42
|
+
|
|
43
|
+
#if defined(__cplusplus)
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
#if !defined(BORINGSSL_NO_CXX)
|
|
47
|
+
|
|
48
|
+
extern "C++" {
|
|
49
|
+
|
|
50
|
+
// CALL_SERVICE_AND_CHECK_APPROVED runs |func| and sets |approved| to one of the
|
|
51
|
+
// |FIPSStatus*| values, above, depending on whether |func| invoked an
|
|
52
|
+
// approved service. The result of |func| becomes the result of this macro.
|
|
53
|
+
#define CALL_SERVICE_AND_CHECK_APPROVED(approved, func) \
|
|
54
|
+
[&] { \
|
|
55
|
+
bssl::FIPSIndicatorHelper fips_indicator_helper(&approved); \
|
|
56
|
+
return func; \
|
|
57
|
+
}()
|
|
58
|
+
|
|
59
|
+
namespace bssl {
|
|
60
|
+
|
|
61
|
+
enum class FIPSStatus {
|
|
62
|
+
NOT_APPROVED = 0,
|
|
63
|
+
APPROVED = 1,
|
|
64
|
+
};
|
|
65
|
+
|
|
66
|
+
// FIPSIndicatorHelper records whether the service indicator counter advanced
|
|
67
|
+
// during its lifetime.
|
|
68
|
+
class FIPSIndicatorHelper {
|
|
69
|
+
public:
|
|
70
|
+
FIPSIndicatorHelper(FIPSStatus *result)
|
|
71
|
+
: result_(result), before_(FIPS_service_indicator_before_call()) {
|
|
72
|
+
*result_ = FIPSStatus::NOT_APPROVED;
|
|
73
|
+
}
|
|
74
|
+
|
|
75
|
+
~FIPSIndicatorHelper() {
|
|
76
|
+
uint64_t after = FIPS_service_indicator_after_call();
|
|
77
|
+
if (after != before_) {
|
|
78
|
+
*result_ = FIPSStatus::APPROVED;
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
|
|
82
|
+
FIPSIndicatorHelper(const FIPSIndicatorHelper&) = delete;
|
|
83
|
+
FIPSIndicatorHelper &operator=(const FIPSIndicatorHelper &) = delete;
|
|
84
|
+
|
|
85
|
+
private:
|
|
86
|
+
FIPSStatus *const result_;
|
|
87
|
+
const uint64_t before_;
|
|
88
|
+
};
|
|
89
|
+
|
|
90
|
+
} // namespace bssl
|
|
91
|
+
} // extern "C++"
|
|
92
|
+
|
|
93
|
+
#endif // !BORINGSSL_NO_CXX
|
|
94
|
+
#endif // __cplusplus
|
|
95
|
+
|
|
96
|
+
#endif // OPENSSL_HEADER_SERVICE_INDICATOR_H
|
|
@@ -96,6 +96,15 @@ class Span : private internal::SpanBase<const T> {
|
|
|
96
96
|
private:
|
|
97
97
|
static const size_t npos = static_cast<size_t>(-1);
|
|
98
98
|
|
|
99
|
+
// Heuristically test whether C is a container type that can be converted into
|
|
100
|
+
// a Span by checking for data() and size() member functions.
|
|
101
|
+
//
|
|
102
|
+
// TODO(davidben): Require C++17 support for std::is_convertible_v, etc.
|
|
103
|
+
template <typename C>
|
|
104
|
+
using EnableIfContainer = std::enable_if_t<
|
|
105
|
+
std::is_convertible<decltype(std::declval<C>().data()), T *>::value &&
|
|
106
|
+
std::is_integral<decltype(std::declval<C>().size())>::value>;
|
|
107
|
+
|
|
99
108
|
public:
|
|
100
109
|
constexpr Span() : Span(nullptr, 0) {}
|
|
101
110
|
constexpr Span(T *ptr, size_t len) : data_(ptr), size_(len) {}
|
|
@@ -103,29 +112,12 @@ class Span : private internal::SpanBase<const T> {
|
|
|
103
112
|
template <size_t N>
|
|
104
113
|
constexpr Span(T (&array)[N]) : Span(array, N) {}
|
|
105
114
|
|
|
106
|
-
template <
|
|
107
|
-
|
|
108
|
-
// TODO(davidben): Switch everything to std::enable_if_t when we remove
|
|
109
|
-
// support for MSVC 2015. Although we could write our own enable_if_t and
|
|
110
|
-
// MSVC 2015 has std::enable_if_t anyway, MSVC 2015's SFINAE
|
|
111
|
-
// implementation is problematic and does not work below unless we write
|
|
112
|
-
// the ::type at use.
|
|
113
|
-
//
|
|
114
|
-
// TODO(davidben): Move this and the identical copy below into an
|
|
115
|
-
// EnableIfContainer alias when we drop MSVC 2015 support. MSVC 2015's
|
|
116
|
-
// SFINAE support cannot handle type aliases.
|
|
117
|
-
typename = typename std::enable_if<
|
|
118
|
-
std::is_convertible<decltype(std::declval<C>().data()), T *>::value &&
|
|
119
|
-
std::is_integral<decltype(std::declval<C>().size())>::value>::type,
|
|
120
|
-
typename = typename std::enable_if<std::is_const<T>::value, C>::type>
|
|
115
|
+
template <typename C, typename = EnableIfContainer<C>,
|
|
116
|
+
typename = std::enable_if_t<std::is_const<T>::value, C>>
|
|
121
117
|
Span(const C &container) : data_(container.data()), size_(container.size()) {}
|
|
122
118
|
|
|
123
|
-
template <
|
|
124
|
-
|
|
125
|
-
typename = typename std::enable_if<
|
|
126
|
-
std::is_convertible<decltype(std::declval<C>().data()), T *>::value &&
|
|
127
|
-
std::is_integral<decltype(std::declval<C>().size())>::value>::type,
|
|
128
|
-
typename = typename std::enable_if<!std::is_const<T>::value, C>::type>
|
|
119
|
+
template <typename C, typename = EnableIfContainer<C>,
|
|
120
|
+
typename = std::enable_if_t<!std::is_const<T>::value, C>>
|
|
129
121
|
explicit Span(C &container)
|
|
130
122
|
: data_(container.data()), size_(container.size()) {}
|
|
131
123
|
|
|
@@ -157,11 +157,6 @@
|
|
|
157
157
|
#include <sys/time.h>
|
|
158
158
|
#endif
|
|
159
159
|
|
|
160
|
-
// NGINX needs this #include. Consider revisiting this after NGINX 1.14.0 has
|
|
161
|
-
// been out for a year or so (assuming that they fix it in that release.) See
|
|
162
|
-
// https://boringssl-review.googlesource.com/c/boringssl/+/21664.
|
|
163
|
-
#include <openssl/hmac.h>
|
|
164
|
-
|
|
165
160
|
// Forward-declare struct timeval. On Windows, it is defined in winsock2.h and
|
|
166
161
|
// Windows headers define too many macros to be included in public headers.
|
|
167
162
|
// However, only a forward declaration is needed.
|
|
@@ -2281,6 +2276,17 @@ OPENSSL_EXPORT void SSL_CTX_set_ticket_aead_method(
|
|
|
2281
2276
|
OPENSSL_EXPORT SSL_SESSION *SSL_process_tls13_new_session_ticket(
|
|
2282
2277
|
SSL *ssl, const uint8_t *buf, size_t buf_len);
|
|
2283
2278
|
|
|
2279
|
+
// SSL_CTX_set_num_tickets configures |ctx| to send |num_tickets| immediately
|
|
2280
|
+
// after a successful TLS 1.3 handshake as a server. It returns one. Large
|
|
2281
|
+
// values of |num_tickets| will be capped within the library.
|
|
2282
|
+
//
|
|
2283
|
+
// By default, BoringSSL sends two tickets.
|
|
2284
|
+
OPENSSL_EXPORT int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets);
|
|
2285
|
+
|
|
2286
|
+
// SSL_CTX_get_num_tickets returns the number of tickets |ctx| will send
|
|
2287
|
+
// immediately after a successful TLS 1.3 handshake as a server.
|
|
2288
|
+
OPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
|
|
2289
|
+
|
|
2284
2290
|
|
|
2285
2291
|
// Elliptic curve Diffie-Hellman.
|
|
2286
2292
|
//
|
|
@@ -2329,6 +2335,8 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);
|
|
|
2329
2335
|
#define SSL_CURVE_SECP521R1 25
|
|
2330
2336
|
#define SSL_CURVE_X25519 29
|
|
2331
2337
|
#define SSL_CURVE_CECPQ2 16696
|
|
2338
|
+
#define SSL_CURVE_X25519KYBER768 0xfe31
|
|
2339
|
+
#define SSL_CURVE_P256KYBER768 0xfe32
|
|
2332
2340
|
|
|
2333
2341
|
// SSL_get_curve_id returns the ID of the curve used by |ssl|'s most recently
|
|
2334
2342
|
// completed handshake or 0 if not applicable.
|
|
@@ -2341,6 +2349,20 @@ OPENSSL_EXPORT uint16_t SSL_get_curve_id(const SSL *ssl);
|
|
|
2341
2349
|
// the given TLS curve id, or NULL if the curve is unknown.
|
|
2342
2350
|
OPENSSL_EXPORT const char *SSL_get_curve_name(uint16_t curve_id);
|
|
2343
2351
|
|
|
2352
|
+
// SSL_CTX_set1_groups calls |SSL_CTX_set1_curves|.
|
|
2353
|
+
OPENSSL_EXPORT int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups,
|
|
2354
|
+
size_t groups_len);
|
|
2355
|
+
|
|
2356
|
+
// SSL_set1_groups calls |SSL_set1_curves|.
|
|
2357
|
+
OPENSSL_EXPORT int SSL_set1_groups(SSL *ssl, const int *groups,
|
|
2358
|
+
size_t groups_len);
|
|
2359
|
+
|
|
2360
|
+
// SSL_CTX_set1_groups_list calls |SSL_CTX_set1_curves_list|.
|
|
2361
|
+
OPENSSL_EXPORT int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups);
|
|
2362
|
+
|
|
2363
|
+
// SSL_set1_groups_list calls |SSL_set1_curves_list|.
|
|
2364
|
+
OPENSSL_EXPORT int SSL_set1_groups_list(SSL *ssl, const char *groups);
|
|
2365
|
+
|
|
2344
2366
|
|
|
2345
2367
|
// Certificate verification.
|
|
2346
2368
|
//
|
|
@@ -2459,6 +2481,15 @@ OPENSSL_EXPORT int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(
|
|
|
2459
2481
|
OPENSSL_EXPORT int (*SSL_get_verify_callback(const SSL *ssl))(
|
|
2460
2482
|
int ok, X509_STORE_CTX *store_ctx);
|
|
2461
2483
|
|
|
2484
|
+
// SSL_set1_host sets a DNS name that will be required to be present in the
|
|
2485
|
+
// verified leaf certificate. It returns one on success and zero on error.
|
|
2486
|
+
//
|
|
2487
|
+
// Note: unless _some_ name checking is performed, certificate validation is
|
|
2488
|
+
// ineffective. Simply checking that a host has some certificate from a CA is
|
|
2489
|
+
// rarely meaningful—you have to check that the CA believed that the host was
|
|
2490
|
+
// who you expect to be talking to.
|
|
2491
|
+
OPENSSL_EXPORT int SSL_set1_host(SSL *ssl, const char *hostname);
|
|
2492
|
+
|
|
2462
2493
|
// SSL_CTX_set_verify_depth sets the maximum depth of a certificate chain
|
|
2463
2494
|
// accepted in verification. This number does not include the leaf, so a depth
|
|
2464
2495
|
// of 1 allows the leaf and one CA certificate.
|
|
@@ -2632,6 +2663,11 @@ OPENSSL_EXPORT int SSL_set_verify_algorithm_prefs(SSL *ssl,
|
|
|
2632
2663
|
const uint16_t *prefs,
|
|
2633
2664
|
size_t num_prefs);
|
|
2634
2665
|
|
|
2666
|
+
// SSL_set_hostflags calls |X509_VERIFY_PARAM_set_hostflags| on the
|
|
2667
|
+
// |X509_VERIFY_PARAM| associated with this |SSL*|. The |flags| argument
|
|
2668
|
+
// should be one of the |X509_CHECK_*| constants.
|
|
2669
|
+
OPENSSL_EXPORT void SSL_set_hostflags(SSL *ssl, unsigned flags);
|
|
2670
|
+
|
|
2635
2671
|
|
|
2636
2672
|
// Client certificate CA list.
|
|
2637
2673
|
//
|
|
@@ -2697,7 +2733,7 @@ OPENSSL_EXPORT int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509);
|
|
|
2697
2733
|
|
|
2698
2734
|
// SSL_load_client_CA_file opens |file| and reads PEM-encoded certificates from
|
|
2699
2735
|
// it. It returns a newly-allocated stack of the certificate subjects or NULL
|
|
2700
|
-
// on error.
|
|
2736
|
+
// on error. Duplicates in |file| are ignored.
|
|
2701
2737
|
OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
|
|
2702
2738
|
|
|
2703
2739
|
// SSL_dup_CA_list makes a deep copy of |list|. It returns the new list on
|
|
@@ -2710,6 +2746,11 @@ OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list);
|
|
|
2710
2746
|
OPENSSL_EXPORT int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,
|
|
2711
2747
|
const char *file);
|
|
2712
2748
|
|
|
2749
|
+
// SSL_add_bio_cert_subjects_to_stack behaves like
|
|
2750
|
+
// |SSL_add_file_cert_subjects_to_stack| but reads from |bio|.
|
|
2751
|
+
OPENSSL_EXPORT int SSL_add_bio_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,
|
|
2752
|
+
BIO *bio);
|
|
2753
|
+
|
|
2713
2754
|
|
|
2714
2755
|
// Server name indication.
|
|
2715
2756
|
//
|
|
@@ -2788,7 +2829,7 @@ OPENSSL_EXPORT SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx);
|
|
|
2788
2829
|
// WARNING: this function is dangerous because it breaks the usual return value
|
|
2789
2830
|
// convention.
|
|
2790
2831
|
OPENSSL_EXPORT int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
|
|
2791
|
-
|
|
2832
|
+
size_t protos_len);
|
|
2792
2833
|
|
|
2793
2834
|
// SSL_set_alpn_protos sets the client ALPN protocol list on |ssl| to |protos|.
|
|
2794
2835
|
// |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
|
|
@@ -2799,7 +2840,7 @@ OPENSSL_EXPORT int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
|
|
|
2799
2840
|
// WARNING: this function is dangerous because it breaks the usual return value
|
|
2800
2841
|
// convention.
|
|
2801
2842
|
OPENSSL_EXPORT int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos,
|
|
2802
|
-
|
|
2843
|
+
size_t protos_len);
|
|
2803
2844
|
|
|
2804
2845
|
// SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is called
|
|
2805
2846
|
// during ClientHello processing in order to select an ALPN protocol from the
|
|
@@ -3887,13 +3928,14 @@ OPENSSL_EXPORT int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
|
|
|
3887
3928
|
const uint8_t **out_write_iv,
|
|
3888
3929
|
size_t *out_iv_len);
|
|
3889
3930
|
|
|
3890
|
-
// SSL_get_key_block_len returns the length of |ssl|'s key block
|
|
3891
|
-
// to call this function during a handshake
|
|
3931
|
+
// SSL_get_key_block_len returns the length of |ssl|'s key block, for TLS 1.2
|
|
3932
|
+
// and below. It is an error to call this function during a handshake, or if
|
|
3933
|
+
// |ssl| negotiated TLS 1.3.
|
|
3892
3934
|
OPENSSL_EXPORT size_t SSL_get_key_block_len(const SSL *ssl);
|
|
3893
3935
|
|
|
3894
3936
|
// SSL_generate_key_block generates |out_len| bytes of key material for |ssl|'s
|
|
3895
|
-
// current connection state. It is an error to call this
|
|
3896
|
-
// handshake.
|
|
3937
|
+
// current connection state, for TLS 1.2 and below. It is an error to call this
|
|
3938
|
+
// function during a handshake, or if |ssl| negotiated TLS 1.3.
|
|
3897
3939
|
OPENSSL_EXPORT int SSL_generate_key_block(const SSL *ssl, uint8_t *out,
|
|
3898
3940
|
size_t out_len);
|
|
3899
3941
|
|
|
@@ -3947,8 +3989,9 @@ OPENSSL_EXPORT int SSL_CTX_set_record_protocol_version(SSL_CTX *ctx,
|
|
|
3947
3989
|
// those cases, BoringSSL will not predict a signature as there is no benefit.
|
|
3948
3990
|
// Callers must allow for handshakes to complete without a predicted signature.
|
|
3949
3991
|
//
|
|
3950
|
-
//
|
|
3951
|
-
//
|
|
3992
|
+
// Handshake hints are supported for TLS 1.3 and partially supported for
|
|
3993
|
+
// TLS 1.2. TLS 1.2 resumption handshakes are not yet fully hinted. They will
|
|
3994
|
+
// still work, but may not be as efficient.
|
|
3952
3995
|
|
|
3953
3996
|
// SSL_serialize_capabilities writes an opaque byte string to |out| describing
|
|
3954
3997
|
// some of |ssl|'s capabilities. It returns one on success and zero on error.
|
|
@@ -4025,10 +4068,16 @@ OPENSSL_EXPORT int SSL_set_handshake_hints(SSL *ssl, const uint8_t *hints,
|
|
|
4025
4068
|
// |len| bytes from |buf| contain the handshake message, one-byte
|
|
4026
4069
|
// ChangeCipherSpec body, and two-byte alert, respectively.
|
|
4027
4070
|
//
|
|
4071
|
+
// In connections that enable ECH, |cb| is additionally called with
|
|
4072
|
+
// |content_type| = |SSL3_RT_CLIENT_HELLO_INNER| for each ClientHelloInner that
|
|
4073
|
+
// is encrypted or decrypted. The |len| bytes from |buf| contain the
|
|
4074
|
+
// ClientHelloInner, including the reconstructed outer extensions and handshake
|
|
4075
|
+
// header.
|
|
4076
|
+
//
|
|
4028
4077
|
// For a V2ClientHello, |version| is |SSL2_VERSION|, |content_type| is zero, and
|
|
4029
4078
|
// the |len| bytes from |buf| contain the V2ClientHello structure.
|
|
4030
4079
|
OPENSSL_EXPORT void SSL_CTX_set_msg_callback(
|
|
4031
|
-
SSL_CTX *ctx, void (*cb)(int
|
|
4080
|
+
SSL_CTX *ctx, void (*cb)(int is_write, int version, int content_type,
|
|
4032
4081
|
const void *buf, size_t len, SSL *ssl, void *arg));
|
|
4033
4082
|
|
|
4034
4083
|
// SSL_CTX_set_msg_callback_arg sets the |arg| parameter of the message
|
|
@@ -4098,6 +4147,13 @@ enum ssl_renegotiate_mode_t BORINGSSL_ENUM_INT {
|
|
|
4098
4147
|
// renegotiation attempts by a server. If |ssl| is a server, peer-initiated
|
|
4099
4148
|
// renegotiations are *always* rejected and this function does nothing.
|
|
4100
4149
|
//
|
|
4150
|
+
// WARNING: Renegotiation is error-prone, complicates TLS's security properties,
|
|
4151
|
+
// and increases its attack surface. When enabled, many common assumptions about
|
|
4152
|
+
// BoringSSL's behavior no longer hold, and the calling application must handle
|
|
4153
|
+
// more cases. Renegotiation is also incompatible with many application
|
|
4154
|
+
// protocols, e.g. section 9.2.1 of RFC 7540. Many functions behave in ambiguous
|
|
4155
|
+
// or undefined ways during a renegotiation.
|
|
4156
|
+
//
|
|
4101
4157
|
// The renegotiation mode defaults to |ssl_renegotiate_never|, but may be set
|
|
4102
4158
|
// at any point in a connection's lifetime. Set it to |ssl_renegotiate_once| to
|
|
4103
4159
|
// allow one renegotiation, |ssl_renegotiate_freely| to allow all
|
|
@@ -4119,6 +4175,20 @@ enum ssl_renegotiate_mode_t BORINGSSL_ENUM_INT {
|
|
|
4119
4175
|
// e.g., ALPN must enable renegotiation before the handshake and conditionally
|
|
4120
4176
|
// disable it afterwards.
|
|
4121
4177
|
//
|
|
4178
|
+
// When enabled, renegotiation can cause properties of |ssl|, such as the cipher
|
|
4179
|
+
// suite, to change during the lifetime of the connection. More over, during a
|
|
4180
|
+
// renegotiation, not all properties of the new handshake are available or fully
|
|
4181
|
+
// established. In BoringSSL, most functions, such as |SSL_get_current_cipher|,
|
|
4182
|
+
// report information from the most recently completed handshake, not the
|
|
4183
|
+
// pending one. However, renegotiation may rerun handshake callbacks, such as
|
|
4184
|
+
// |SSL_CTX_set_cert_cb|. Such callbacks must ensure they are acting on the
|
|
4185
|
+
// desired versions of each property.
|
|
4186
|
+
//
|
|
4187
|
+
// BoringSSL does not reverify peer certificates on renegotiation and instead
|
|
4188
|
+
// requires they match between handshakes, so certificate verification callbacks
|
|
4189
|
+
// (see |SSL_CTX_set_custom_verify|) may assume |ssl| is in the initial
|
|
4190
|
+
// handshake and use |SSL_get0_peer_certificates|, etc.
|
|
4191
|
+
//
|
|
4122
4192
|
// There is no support in BoringSSL for initiating renegotiations as a client
|
|
4123
4193
|
// or server.
|
|
4124
4194
|
OPENSSL_EXPORT void SSL_set_renegotiate_mode(SSL *ssl,
|
|
@@ -4254,12 +4324,24 @@ OPENSSL_EXPORT void SSL_CTX_set_dos_protection_cb(
|
|
|
4254
4324
|
// respected on clients.
|
|
4255
4325
|
OPENSSL_EXPORT void SSL_CTX_set_reverify_on_resume(SSL_CTX *ctx, int enabled);
|
|
4256
4326
|
|
|
4257
|
-
// SSL_set_enforce_rsa_key_usage configures whether
|
|
4258
|
-
//
|
|
4259
|
-
//
|
|
4327
|
+
// SSL_set_enforce_rsa_key_usage configures whether, when |ssl| is a client
|
|
4328
|
+
// negotiating TLS 1.2 or below, the keyUsage extension of RSA leaf server
|
|
4329
|
+
// certificates will be checked for consistency with the TLS usage. In all other
|
|
4330
|
+
// cases, this check is always enabled.
|
|
4331
|
+
//
|
|
4332
|
+
// This parameter may be set late; it will not be read until after the
|
|
4260
4333
|
// certificate verification callback.
|
|
4261
4334
|
OPENSSL_EXPORT void SSL_set_enforce_rsa_key_usage(SSL *ssl, int enabled);
|
|
4262
4335
|
|
|
4336
|
+
// SSL_was_key_usage_invalid returns one if |ssl|'s handshake succeeded despite
|
|
4337
|
+
// using TLS parameters which were incompatible with the leaf certificate's
|
|
4338
|
+
// keyUsage extension. Otherwise, it returns zero.
|
|
4339
|
+
//
|
|
4340
|
+
// If |SSL_set_enforce_rsa_key_usage| is enabled or not applicable, this
|
|
4341
|
+
// function will always return zero because key usages will be consistently
|
|
4342
|
+
// checked.
|
|
4343
|
+
OPENSSL_EXPORT int SSL_was_key_usage_invalid(const SSL *ssl);
|
|
4344
|
+
|
|
4263
4345
|
// SSL_ST_* are possible values for |SSL_state|, the bitmasks that make them up,
|
|
4264
4346
|
// and some historical values for compatibility. Only |SSL_ST_INIT| and
|
|
4265
4347
|
// |SSL_ST_OK| are ever returned.
|
|
@@ -5077,6 +5159,44 @@ OPENSSL_EXPORT int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
|
|
|
5077
5159
|
OPENSSL_EXPORT uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *cipher);
|
|
5078
5160
|
|
|
5079
5161
|
|
|
5162
|
+
// Compliance policy configurations
|
|
5163
|
+
//
|
|
5164
|
+
// A TLS connection has a large number of different parameters. Some are well
|
|
5165
|
+
// known, like cipher suites, but many are obscure and configuration functions
|
|
5166
|
+
// for them may not exist. These policy controls allow broad configuration
|
|
5167
|
+
// goals to be specified so that they can flow down to all the different
|
|
5168
|
+
// parameters of a TLS connection.
|
|
5169
|
+
|
|
5170
|
+
enum ssl_compliance_policy_t BORINGSSL_ENUM_INT {
|
|
5171
|
+
// ssl_policy_fips_202205 configures a TLS connection to use:
|
|
5172
|
+
// * TLS 1.2 or 1.3
|
|
5173
|
+
// * For TLS 1.2, only ECDHE_[RSA|ECDSA]_WITH_AES_*_GCM_SHA*.
|
|
5174
|
+
// * For TLS 1.3, only AES-GCM
|
|
5175
|
+
// * P-256 or P-384 for key agreement.
|
|
5176
|
+
// * For server signatures, only PKCS#1/PSS with SHA256/384/512, or ECDSA
|
|
5177
|
+
// with P-256 or P-384.
|
|
5178
|
+
//
|
|
5179
|
+
// Note: this policy can be configured even if BoringSSL has not been built in
|
|
5180
|
+
// FIPS mode. Call |FIPS_mode| to check that.
|
|
5181
|
+
//
|
|
5182
|
+
// Note: this setting aids with compliance with NIST requirements but does not
|
|
5183
|
+
// guarantee it. Careful reading of SP 800-52r2 is recommended.
|
|
5184
|
+
ssl_compliance_policy_fips_202205,
|
|
5185
|
+
};
|
|
5186
|
+
|
|
5187
|
+
// SSL_CTX_set_compliance_policy configures various aspects of |ctx| based on
|
|
5188
|
+
// the given policy requirements. Subsequently calling other functions that
|
|
5189
|
+
// configure |ctx| may override |policy|, or may not. This should be the final
|
|
5190
|
+
// configuration function called in order to have defined behaviour.
|
|
5191
|
+
OPENSSL_EXPORT int SSL_CTX_set_compliance_policy(
|
|
5192
|
+
SSL_CTX *ctx, enum ssl_compliance_policy_t policy);
|
|
5193
|
+
|
|
5194
|
+
// SSL_set_compliance_policy acts the same as |SSL_CTX_set_compliance_policy|,
|
|
5195
|
+
// but only configures a single |SSL*|.
|
|
5196
|
+
OPENSSL_EXPORT int SSL_set_compliance_policy(
|
|
5197
|
+
SSL *ssl, enum ssl_compliance_policy_t policy);
|
|
5198
|
+
|
|
5199
|
+
|
|
5080
5200
|
// Nodejs compatibility section (hidden).
|
|
5081
5201
|
//
|
|
5082
5202
|
// These defines exist for node.js, with the hope that we can eliminate the
|
|
@@ -5243,62 +5363,6 @@ BORINGSSL_MAKE_UP_REF(SSL_ECH_KEYS, SSL_ECH_KEYS_up_ref)
|
|
|
5243
5363
|
BORINGSSL_MAKE_DELETER(SSL_SESSION, SSL_SESSION_free)
|
|
5244
5364
|
BORINGSSL_MAKE_UP_REF(SSL_SESSION, SSL_SESSION_up_ref)
|
|
5245
5365
|
|
|
5246
|
-
enum class OpenRecordResult {
|
|
5247
|
-
kOK,
|
|
5248
|
-
kDiscard,
|
|
5249
|
-
kIncompleteRecord,
|
|
5250
|
-
kAlertCloseNotify,
|
|
5251
|
-
kError,
|
|
5252
|
-
};
|
|
5253
|
-
|
|
5254
|
-
// *** EXPERIMENTAL -- DO NOT USE ***
|
|
5255
|
-
//
|
|
5256
|
-
// OpenRecord decrypts the first complete SSL record from |in| in-place, sets
|
|
5257
|
-
// |out| to the decrypted application data, and |out_record_len| to the length
|
|
5258
|
-
// of the encrypted record. Returns:
|
|
5259
|
-
// - kOK if an application-data record was successfully decrypted and verified.
|
|
5260
|
-
// - kDiscard if a record was sucessfully processed, but should be discarded.
|
|
5261
|
-
// - kIncompleteRecord if |in| did not contain a complete record.
|
|
5262
|
-
// - kAlertCloseNotify if a record was successfully processed but is a
|
|
5263
|
-
// close_notify alert.
|
|
5264
|
-
// - kError if an error occurred or the record is invalid. |*out_alert| will be
|
|
5265
|
-
// set to an alert to emit, or zero if no alert should be emitted.
|
|
5266
|
-
OPENSSL_EXPORT OpenRecordResult OpenRecord(SSL *ssl, Span<uint8_t> *out,
|
|
5267
|
-
size_t *out_record_len,
|
|
5268
|
-
uint8_t *out_alert,
|
|
5269
|
-
Span<uint8_t> in);
|
|
5270
|
-
|
|
5271
|
-
OPENSSL_EXPORT size_t SealRecordPrefixLen(const SSL *ssl, size_t plaintext_len);
|
|
5272
|
-
|
|
5273
|
-
// SealRecordSuffixLen returns the length of the suffix written by |SealRecord|.
|
|
5274
|
-
//
|
|
5275
|
-
// |plaintext_len| must be equal to the size of the plaintext passed to
|
|
5276
|
-
// |SealRecord|.
|
|
5277
|
-
//
|
|
5278
|
-
// |plaintext_len| must not exceed |SSL3_RT_MAX_PLAINTEXT_LENGTH|. The returned
|
|
5279
|
-
// suffix length will not exceed |SSL3_RT_MAX_ENCRYPTED_OVERHEAD|.
|
|
5280
|
-
OPENSSL_EXPORT size_t SealRecordSuffixLen(const SSL *ssl, size_t plaintext_len);
|
|
5281
|
-
|
|
5282
|
-
// *** EXPERIMENTAL -- DO NOT USE ***
|
|
5283
|
-
//
|
|
5284
|
-
// SealRecord encrypts the cleartext of |in| and scatters the resulting TLS
|
|
5285
|
-
// application data record between |out_prefix|, |out|, and |out_suffix|. It
|
|
5286
|
-
// returns true on success or false if an error occurred.
|
|
5287
|
-
//
|
|
5288
|
-
// The length of |out_prefix| must equal |SealRecordPrefixLen|. The length of
|
|
5289
|
-
// |out| must equal the length of |in|, which must not exceed
|
|
5290
|
-
// |SSL3_RT_MAX_PLAINTEXT_LENGTH|. The length of |out_suffix| must equal
|
|
5291
|
-
// |SealRecordSuffixLen|.
|
|
5292
|
-
//
|
|
5293
|
-
// If enabled, |SealRecord| may perform TLS 1.0 CBC 1/n-1 record splitting.
|
|
5294
|
-
// |SealRecordPrefixLen| accounts for the required overhead if that is the case.
|
|
5295
|
-
//
|
|
5296
|
-
// |out| may equal |in| to encrypt in-place but may not otherwise alias.
|
|
5297
|
-
// |out_prefix| and |out_suffix| may not alias anything.
|
|
5298
|
-
OPENSSL_EXPORT bool SealRecord(SSL *ssl, Span<uint8_t> out_prefix,
|
|
5299
|
-
Span<uint8_t> out, Span<uint8_t> out_suffix,
|
|
5300
|
-
Span<const uint8_t> in);
|
|
5301
|
-
|
|
5302
5366
|
|
|
5303
5367
|
// *** EXPERIMENTAL — DO NOT USE WITHOUT CHECKING ***
|
|
5304
5368
|
//
|
|
@@ -5584,7 +5648,7 @@ BSSL_NAMESPACE_END
|
|
|
5584
5648
|
#define SSL_R_INVALID_ECH_PUBLIC_NAME 317
|
|
5585
5649
|
#define SSL_R_INVALID_ECH_CONFIG_LIST 318
|
|
5586
5650
|
#define SSL_R_ECH_REJECTED 319
|
|
5587
|
-
#define
|
|
5651
|
+
#define SSL_R_INVALID_OUTER_EXTENSION 320
|
|
5588
5652
|
#define SSL_R_INCONSISTENT_ECH_NEGOTIATION 321
|
|
5589
5653
|
#define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
|
|
5590
5654
|
#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
|
|
@@ -1,4 +1,3 @@
|
|
|
1
|
-
/* ssl/ssl3.h */
|
|
2
1
|
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
|
3
2
|
* All rights reserved.
|
|
4
3
|
*
|
|
@@ -118,7 +117,6 @@
|
|
|
118
117
|
#define OPENSSL_HEADER_SSL3_H
|
|
119
118
|
|
|
120
119
|
#include <openssl/aead.h>
|
|
121
|
-
#include <openssl/type_check.h>
|
|
122
120
|
|
|
123
121
|
#ifdef __cplusplus
|
|
124
122
|
extern "C" {
|
|
@@ -251,10 +249,6 @@ extern "C" {
|
|
|
251
249
|
#define SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
|
|
252
250
|
(EVP_AEAD_MAX_OVERHEAD + EVP_AEAD_MAX_NONCE_LENGTH)
|
|
253
251
|
|
|
254
|
-
OPENSSL_STATIC_ASSERT(SSL3_RT_MAX_ENCRYPTED_OVERHEAD >=
|
|
255
|
-
SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD,
|
|
256
|
-
"max overheads are inconsistent");
|
|
257
|
-
|
|
258
252
|
// SSL3_RT_MAX_COMPRESSED_LENGTH is an alias for
|
|
259
253
|
// |SSL3_RT_MAX_PLAIN_LENGTH|. Compression is gone, so don't include the
|
|
260
254
|
// compression overhead.
|
|
@@ -275,6 +269,7 @@ OPENSSL_STATIC_ASSERT(SSL3_RT_MAX_ENCRYPTED_OVERHEAD >=
|
|
|
275
269
|
|
|
276
270
|
// Pseudo content type for SSL/TLS header info
|
|
277
271
|
#define SSL3_RT_HEADER 0x100
|
|
272
|
+
#define SSL3_RT_CLIENT_HELLO_INNER 0x101
|
|
278
273
|
|
|
279
274
|
#define SSL3_AL_WARNING 1
|
|
280
275
|
#define SSL3_AL_FATAL 2
|