grpc 1.53.1 → 1.57.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (1783) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +231 -149
  3. data/include/grpc/event_engine/event_engine.h +51 -44
  4. data/include/grpc/grpc_audit_logging.h +96 -0
  5. data/include/grpc/grpc_security.h +23 -0
  6. data/include/grpc/impl/grpc_types.h +5 -0
  7. data/include/grpc/module.modulemap +2 -0
  8. data/include/grpc/support/json.h +218 -0
  9. data/include/grpc/support/port_platform.h +33 -27
  10. data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +17 -1
  11. data/src/core/ext/filters/client_channel/backend_metric.cc +10 -1
  12. data/src/core/ext/filters/client_channel/backup_poller.cc +2 -11
  13. data/src/core/ext/filters/client_channel/backup_poller.h +0 -3
  14. data/src/core/ext/filters/client_channel/channel_connectivity.cc +4 -4
  15. data/src/core/ext/filters/client_channel/client_channel.cc +949 -900
  16. data/src/core/ext/filters/client_channel/client_channel.h +145 -177
  17. data/src/core/ext/filters/client_channel/client_channel_channelz.cc +20 -19
  18. data/src/core/ext/filters/client_channel/client_channel_internal.h +77 -0
  19. data/src/core/ext/filters/client_channel/client_channel_service_config.cc +2 -2
  20. data/src/core/ext/filters/client_channel/config_selector.h +13 -39
  21. data/src/core/ext/filters/client_channel/dynamic_filters.h +3 -3
  22. data/src/core/ext/filters/client_channel/http_proxy.cc +39 -1
  23. data/src/core/ext/filters/client_channel/lb_policy/address_filtering.cc +21 -52
  24. data/src/core/ext/filters/client_channel/lb_policy/address_filtering.h +19 -7
  25. data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +9 -1
  26. data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.cc +25 -35
  27. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +102 -156
  28. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.cc +2 -1
  29. data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.cc +5 -4
  30. data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.h +4 -2
  31. data/src/core/ext/filters/client_channel/lb_policy/health_check_client.cc +478 -0
  32. data/src/core/ext/filters/client_channel/lb_policy/health_check_client.h +52 -0
  33. data/src/core/ext/filters/client_channel/lb_policy/health_check_client_internal.h +202 -0
  34. data/src/core/ext/filters/client_channel/lb_policy/oob_backend_metric.cc +2 -7
  35. data/src/core/ext/filters/client_channel/lb_policy/oob_backend_metric_internal.h +2 -0
  36. data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.cc +136 -78
  37. data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.h +9 -2
  38. data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +72 -14
  39. data/src/core/{lib/gprpp/global_config_custom.h → ext/filters/client_channel/lb_policy/pick_first/pick_first.h} +8 -12
  40. data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +9 -43
  41. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +154 -164
  42. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +18 -1
  43. data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +73 -144
  44. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +21 -15
  45. data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +57 -22
  46. data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/static_stride_scheduler.cc +76 -6
  47. data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +94 -55
  48. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +24 -56
  49. data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +57 -116
  50. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h +8 -0
  51. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +43 -87
  52. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +25 -74
  53. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +64 -138
  54. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +28 -67
  55. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_wrr_locality.cc +28 -96
  56. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +46 -156
  57. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.h +30 -0
  58. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +4 -4
  59. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +35 -33
  60. data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_plugin.cc +60 -0
  61. data/src/core/ext/filters/client_channel/resolver/dns/{dns_resolver_selection.h → dns_resolver_plugin.h} +10 -12
  62. data/src/core/ext/filters/client_channel/resolver/dns/event_engine/event_engine_client_channel_resolver.cc +559 -0
  63. data/src/core/ext/filters/client_channel/resolver/dns/event_engine/event_engine_client_channel_resolver.h +35 -0
  64. data/src/core/ext/filters/client_channel/resolver/dns/event_engine/service_config_helper.cc +97 -0
  65. data/src/core/ext/filters/client_channel/resolver/dns/event_engine/service_config_helper.h +32 -0
  66. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +19 -36
  67. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.h +24 -0
  68. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +61 -207
  69. data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +8 -4
  70. data/src/core/ext/filters/client_channel/resolver/polling_resolver.h +2 -2
  71. data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +25 -13
  72. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +422 -275
  73. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.h +32 -1
  74. data/src/core/ext/filters/client_channel/retry_filter.cc +40 -2538
  75. data/src/core/ext/filters/client_channel/retry_filter.h +91 -1
  76. data/src/core/ext/filters/client_channel/retry_filter_legacy_call_data.cc +2052 -0
  77. data/src/core/ext/filters/client_channel/retry_filter_legacy_call_data.h +442 -0
  78. data/src/core/ext/filters/client_channel/retry_service_config.cc +9 -8
  79. data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +39 -89
  80. data/src/core/ext/filters/client_channel/subchannel.cc +12 -200
  81. data/src/core/ext/filters/client_channel/subchannel.h +6 -46
  82. data/src/core/ext/filters/client_channel/subchannel_interface_internal.h +3 -0
  83. data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +26 -27
  84. data/src/core/ext/filters/client_channel/subchannel_stream_client.h +8 -5
  85. data/src/core/ext/filters/fault_injection/fault_injection_service_config_parser.cc +1 -1
  86. data/src/core/ext/filters/http/client/http_client_filter.cc +3 -3
  87. data/src/core/ext/filters/http/http_filters_plugin.cc +1 -12
  88. data/src/core/ext/filters/http/message_compress/compression_filter.cc +30 -14
  89. data/src/core/ext/filters/message_size/message_size_filter.cc +141 -224
  90. data/src/core/ext/filters/message_size/message_size_filter.h +48 -3
  91. data/src/core/ext/filters/rbac/rbac_filter.cc +40 -111
  92. data/src/core/ext/filters/rbac/rbac_filter.h +12 -30
  93. data/src/core/ext/filters/rbac/rbac_service_config_parser.cc +168 -75
  94. data/src/core/ext/filters/server_config_selector/server_config_selector_filter.cc +6 -8
  95. data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +165 -88
  96. data/src/core/ext/filters/stateful_session/stateful_session_filter.h +16 -7
  97. data/src/core/ext/gcp/metadata_query.cc +137 -0
  98. data/src/core/ext/gcp/metadata_query.h +87 -0
  99. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +77 -59
  100. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +324 -266
  101. data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +21 -0
  102. data/src/core/ext/transport/chttp2/transport/context_list_entry.h +70 -0
  103. data/src/core/ext/transport/chttp2/transport/decode_huff.cc +6569 -174
  104. data/src/core/ext/transport/chttp2/transport/decode_huff.h +2278 -441
  105. data/src/core/ext/transport/chttp2/transport/flow_control.cc +51 -97
  106. data/src/core/ext/transport/chttp2/transport/flow_control.h +2 -1
  107. data/src/core/ext/transport/chttp2/transport/frame_ping.cc +3 -10
  108. data/src/core/ext/transport/chttp2/transport/frame_ping.h +0 -3
  109. data/src/core/ext/transport/chttp2/transport/frame_settings.cc +4 -1
  110. data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +1 -0
  111. data/src/core/ext/transport/chttp2/transport/hpack_parse_result.cc +176 -0
  112. data/src/core/ext/transport/chttp2/transport/hpack_parse_result.h +326 -0
  113. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +569 -544
  114. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +150 -9
  115. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +48 -33
  116. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +19 -5
  117. data/src/core/ext/transport/chttp2/transport/internal.h +27 -25
  118. data/src/core/ext/transport/chttp2/transport/parsing.cc +30 -17
  119. data/src/core/ext/transport/chttp2/transport/writing.cc +26 -11
  120. data/src/core/ext/transport/inproc/inproc_transport.cc +20 -14
  121. data/src/core/ext/upb-generated/envoy/admin/v3/certs.upb.c +87 -52
  122. data/src/core/ext/upb-generated/envoy/admin/v3/certs.upb.h +414 -181
  123. data/src/core/ext/upb-generated/envoy/admin/v3/clusters.upb.c +121 -60
  124. data/src/core/ext/upb-generated/envoy/admin/v3/clusters.upb.h +481 -224
  125. data/src/core/ext/upb-generated/envoy/admin/v3/config_dump.upb.c +90 -55
  126. data/src/core/ext/upb-generated/envoy/admin/v3/config_dump.upb.h +415 -188
  127. data/src/core/ext/upb-generated/envoy/admin/v3/config_dump_shared.upb.c +357 -210
  128. data/src/core/ext/upb-generated/envoy/admin/v3/config_dump_shared.upb.h +1572 -729
  129. data/src/core/ext/upb-generated/envoy/admin/v3/init_dump.upb.c +30 -17
  130. data/src/core/ext/upb-generated/envoy/admin/v3/init_dump.upb.h +144 -47
  131. data/src/core/ext/upb-generated/envoy/admin/v3/listeners.upb.c +34 -21
  132. data/src/core/ext/upb-generated/envoy/admin/v3/listeners.upb.h +160 -62
  133. data/src/core/ext/upb-generated/envoy/admin/v3/memory.upb.c +27 -14
  134. data/src/core/ext/upb-generated/envoy/admin/v3/memory.upb.h +78 -38
  135. data/src/core/ext/upb-generated/envoy/admin/v3/metrics.upb.c +20 -11
  136. data/src/core/ext/upb-generated/envoy/admin/v3/metrics.upb.h +48 -26
  137. data/src/core/ext/upb-generated/envoy/admin/v3/mutex_stats.upb.c +20 -11
  138. data/src/core/ext/upb-generated/envoy/admin/v3/mutex_stats.upb.h +48 -26
  139. data/src/core/ext/upb-generated/envoy/admin/v3/server_info.upb.c +109 -62
  140. data/src/core/ext/upb-generated/envoy/admin/v3/server_info.upb.h +566 -244
  141. data/src/core/ext/upb-generated/envoy/admin/v3/tap.upb.c +21 -12
  142. data/src/core/ext/upb-generated/envoy/admin/v3/tap.upb.h +45 -30
  143. data/src/core/ext/upb-generated/envoy/annotations/deprecation.upb.c +22 -19
  144. data/src/core/ext/upb-generated/envoy/annotations/deprecation.upb.h +82 -29
  145. data/src/core/ext/upb-generated/envoy/annotations/resource.upb.c +23 -16
  146. data/src/core/ext/upb-generated/envoy/annotations/resource.upb.h +45 -30
  147. data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.c +255 -147
  148. data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.h +876 -404
  149. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +417 -262
  150. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +1850 -888
  151. data/src/core/ext/upb-generated/envoy/config/cluster/v3/circuit_breaker.upb.c +74 -41
  152. data/src/core/ext/upb-generated/envoy/config/cluster/v3/circuit_breaker.upb.h +286 -148
  153. data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +531 -334
  154. data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +2017 -1131
  155. data/src/core/ext/upb-generated/envoy/config/cluster/v3/filter.upb.c +21 -12
  156. data/src/core/ext/upb-generated/envoy/config/cluster/v3/filter.upb.h +45 -30
  157. data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.c +89 -52
  158. data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.h +347 -232
  159. data/src/core/ext/upb-generated/envoy/config/common/matcher/v3/matcher.upb.c +264 -165
  160. data/src/core/ext/upb-generated/envoy/config/common/matcher/v3/matcher.upb.h +888 -476
  161. data/src/core/ext/upb-generated/envoy/config/core/v3/address.upb.c +139 -80
  162. data/src/core/ext/upb-generated/envoy/config/core/v3/address.upb.h +527 -274
  163. data/src/core/ext/upb-generated/envoy/config/core/v3/backoff.upb.c +22 -13
  164. data/src/core/ext/upb-generated/envoy/config/core/v3/backoff.upb.h +50 -36
  165. data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +380 -221
  166. data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +1168 -611
  167. data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.c +157 -92
  168. data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h +627 -292
  169. data/src/core/ext/upb-generated/envoy/config/core/v3/event_service_config.upb.c +18 -11
  170. data/src/core/ext/upb-generated/envoy/config/core/v3/event_service_config.upb.h +37 -26
  171. data/src/core/ext/upb-generated/envoy/config/core/v3/extension.upb.c +21 -12
  172. data/src/core/ext/upb-generated/envoy/config/core/v3/extension.upb.h +45 -30
  173. data/src/core/ext/upb-generated/envoy/config/core/v3/grpc_method_list.upb.c +30 -17
  174. data/src/core/ext/upb-generated/envoy/config/core/v3/grpc_method_list.upb.h +144 -47
  175. data/src/core/ext/upb-generated/envoy/config/core/v3/grpc_service.upb.c +279 -167
  176. data/src/core/ext/upb-generated/envoy/config/core/v3/grpc_service.upb.h +818 -440
  177. data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c +232 -137
  178. data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.h +1164 -500
  179. data/src/core/ext/upb-generated/envoy/config/core/v3/http_uri.upb.c +22 -13
  180. data/src/core/ext/upb-generated/envoy/config/core/v3/http_uri.upb.h +60 -37
  181. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +369 -209
  182. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +1125 -635
  183. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +44 -11
  184. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +175 -18
  185. data/src/core/ext/upb-generated/envoy/config/core/v3/resolver.upb.c +34 -19
  186. data/src/core/ext/upb-generated/envoy/config/core/v3/resolver.upb.h +118 -56
  187. data/src/core/ext/upb-generated/envoy/config/core/v3/socket_option.upb.c +38 -21
  188. data/src/core/ext/upb-generated/envoy/config/core/v3/socket_option.upb.h +148 -64
  189. data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +31 -18
  190. data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.h +143 -65
  191. data/src/core/ext/upb-generated/envoy/config/core/v3/udp_socket_config.upb.c +22 -13
  192. data/src/core/ext/upb-generated/envoy/config/core/v3/udp_socket_config.upb.h +51 -37
  193. data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.c +78 -43
  194. data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.h +265 -127
  195. data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint_components.upb.c +145 -88
  196. data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint_components.upb.h +438 -241
  197. data/src/core/ext/upb-generated/envoy/config/endpoint/v3/load_report.upb.c +115 -62
  198. data/src/core/ext/upb-generated/envoy/config/endpoint/v3/load_report.upb.h +559 -227
  199. data/src/core/ext/upb-generated/envoy/config/listener/v3/api_listener.upb.c +18 -11
  200. data/src/core/ext/upb-generated/envoy/config/listener/v3/api_listener.upb.h +35 -26
  201. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +187 -109
  202. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +956 -421
  203. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +172 -95
  204. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +864 -374
  205. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +49 -25
  206. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +171 -100
  207. data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +39 -18
  208. data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.h +74 -56
  209. data/src/core/ext/upb-generated/envoy/config/metrics/v3/metrics_service.upb.c +29 -15
  210. data/src/core/ext/upb-generated/envoy/config/metrics/v3/metrics_service.upb.h +92 -45
  211. data/src/core/ext/upb-generated/envoy/config/metrics/v3/stats.upb.c +131 -74
  212. data/src/core/ext/upb-generated/envoy/config/metrics/v3/stats.upb.h +489 -249
  213. data/src/core/ext/upb-generated/envoy/config/overload/v3/overload.upb.c +163 -84
  214. data/src/core/ext/upb-generated/envoy/config/overload/v3/overload.upb.h +680 -240
  215. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +256 -129
  216. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +996 -397
  217. data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +80 -49
  218. data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +616 -201
  219. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +1283 -774
  220. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +5430 -2509
  221. data/src/core/ext/upb-generated/envoy/config/route/v3/scoped_route.upb.c +49 -28
  222. data/src/core/ext/upb-generated/envoy/config/route/v3/scoped_route.upb.h +164 -84
  223. data/src/core/ext/upb-generated/envoy/config/tap/v3/common.upb.c +228 -141
  224. data/src/core/ext/upb-generated/envoy/config/tap/v3/common.upb.h +738 -399
  225. data/src/core/ext/upb-generated/envoy/config/trace/v3/datadog.upb.c +20 -11
  226. data/src/core/ext/upb-generated/envoy/config/trace/v3/datadog.upb.h +48 -26
  227. data/src/core/ext/upb-generated/envoy/config/trace/v3/dynamic_ot.upb.c +21 -12
  228. data/src/core/ext/upb-generated/envoy/config/trace/v3/dynamic_ot.upb.h +45 -30
  229. data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.c +32 -19
  230. data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.h +70 -49
  231. data/src/core/ext/upb-generated/envoy/config/trace/v3/lightstep.upb.c +27 -14
  232. data/src/core/ext/upb-generated/envoy/config/trace/v3/lightstep.upb.h +110 -43
  233. data/src/core/ext/upb-generated/envoy/config/trace/v3/opencensus.upb.c +46 -25
  234. data/src/core/ext/upb-generated/envoy/config/trace/v3/opencensus.upb.h +259 -100
  235. data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.c +21 -13
  236. data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.h +45 -30
  237. data/src/core/ext/upb-generated/envoy/config/trace/v3/service.upb.c +18 -11
  238. data/src/core/ext/upb-generated/envoy/config/trace/v3/service.upb.h +35 -26
  239. data/src/core/ext/upb-generated/envoy/config/trace/v3/skywalking.upb.c +42 -23
  240. data/src/core/ext/upb-generated/envoy/config/trace/v3/skywalking.upb.h +108 -70
  241. data/src/core/ext/upb-generated/envoy/config/trace/v3/trace.upb.c +7 -4
  242. data/src/core/ext/upb-generated/envoy/config/trace/v3/trace.upb.h +21 -16
  243. data/src/core/ext/upb-generated/envoy/config/trace/v3/xray.upb.c +43 -24
  244. data/src/core/ext/upb-generated/envoy/config/trace/v3/xray.upb.h +110 -75
  245. data/src/core/ext/upb-generated/envoy/config/trace/v3/zipkin.upb.c +30 -17
  246. data/src/core/ext/upb-generated/envoy/config/trace/v3/zipkin.upb.h +95 -50
  247. data/src/core/ext/upb-generated/envoy/data/accesslog/v3/accesslog.upb.c +558 -0
  248. data/src/core/ext/upb-generated/envoy/data/accesslog/v3/accesslog.upb.h +2710 -0
  249. data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c +16 -9
  250. data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h +73 -23
  251. data/src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c +60 -37
  252. data/src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h +150 -108
  253. data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c +93 -43
  254. data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h +386 -167
  255. data/src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c +44 -25
  256. data/src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.h +114 -80
  257. data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c +68 -22
  258. data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h +355 -82
  259. data/src/core/ext/upb-generated/envoy/extensions/filters/http/stateful_session/v3/stateful_session.upb.c +32 -19
  260. data/src/core/ext/upb-generated/envoy/extensions/filters/http/stateful_session/v3/stateful_session.upb.h +73 -51
  261. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +504 -296
  262. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +2267 -1055
  263. data/src/core/ext/upb-generated/envoy/extensions/http/stateful_session/cookie/v3/cookie.upb.c +18 -11
  264. data/src/core/ext/upb-generated/envoy/extensions/http/stateful_session/cookie/v3/cookie.upb.h +35 -26
  265. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.c +35 -19
  266. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.h +125 -67
  267. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/common/v3/common.upb.c +72 -45
  268. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/common/v3/common.upb.h +193 -138
  269. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.upb.c +47 -0
  270. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.upb.h +93 -0
  271. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.c +34 -19
  272. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.h +131 -66
  273. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.upb.c +18 -11
  274. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.upb.h +35 -26
  275. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c +7 -4
  276. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.h +15 -10
  277. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +184 -96
  278. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +907 -360
  279. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.c +56 -33
  280. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.h +150 -101
  281. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.c +188 -111
  282. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.h +816 -419
  283. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.upb.c +32 -19
  284. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.upb.h +109 -53
  285. data/src/core/ext/upb-generated/envoy/service/discovery/v3/ads.upb.c +10 -7
  286. data/src/core/ext/upb-generated/envoy/service/discovery/v3/ads.upb.h +18 -14
  287. data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.c +300 -177
  288. data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.h +1284 -522
  289. data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.c +42 -23
  290. data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.h +188 -75
  291. data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.c +130 -83
  292. data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.h +510 -238
  293. data/src/core/ext/upb-generated/envoy/type/http/v3/cookie.upb.c +22 -13
  294. data/src/core/ext/upb-generated/envoy/type/http/v3/cookie.upb.h +55 -34
  295. data/src/core/ext/upb-generated/envoy/type/http/v3/path_transformation.upb.c +39 -26
  296. data/src/core/ext/upb-generated/envoy/type/http/v3/path_transformation.upb.h +124 -68
  297. data/src/core/ext/upb-generated/envoy/type/matcher/v3/filter_state.upb.c +21 -12
  298. data/src/core/ext/upb-generated/envoy/type/matcher/v3/filter_state.upb.h +47 -30
  299. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.c +60 -26
  300. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.h +130 -51
  301. data/src/core/ext/upb-generated/envoy/type/matcher/v3/metadata.upb.c +37 -20
  302. data/src/core/ext/upb-generated/envoy/type/matcher/v3/metadata.upb.h +133 -63
  303. data/src/core/ext/upb-generated/envoy/type/matcher/v3/node.upb.c +22 -13
  304. data/src/core/ext/upb-generated/envoy/type/matcher/v3/node.upb.h +91 -40
  305. data/src/core/ext/upb-generated/envoy/type/matcher/v3/number.upb.c +21 -12
  306. data/src/core/ext/upb-generated/envoy/type/matcher/v3/number.upb.h +50 -32
  307. data/src/core/ext/upb-generated/envoy/type/matcher/v3/path.upb.c +18 -11
  308. data/src/core/ext/upb-generated/envoy/type/matcher/v3/path.upb.h +37 -26
  309. data/src/core/ext/upb-generated/envoy/type/matcher/v3/regex.upb.c +46 -27
  310. data/src/core/ext/upb-generated/envoy/type/matcher/v3/regex.upb.h +101 -70
  311. data/src/core/ext/upb-generated/envoy/type/matcher/v3/status_code_input.upb.c +13 -10
  312. data/src/core/ext/upb-generated/envoy/type/matcher/v3/status_code_input.upb.h +25 -22
  313. data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.c +40 -23
  314. data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.h +161 -75
  315. data/src/core/ext/upb-generated/envoy/type/matcher/v3/struct.upb.c +31 -18
  316. data/src/core/ext/upb-generated/envoy/type/matcher/v3/struct.upb.h +114 -56
  317. data/src/core/ext/upb-generated/envoy/type/matcher/v3/value.upb.c +46 -29
  318. data/src/core/ext/upb-generated/envoy/type/matcher/v3/value.upb.h +139 -91
  319. data/src/core/ext/upb-generated/envoy/type/metadata/v3/metadata.upb.c +65 -42
  320. data/src/core/ext/upb-generated/envoy/type/metadata/v3/metadata.upb.h +200 -121
  321. data/src/core/ext/upb-generated/envoy/type/tracing/v3/custom_tag.upb.c +80 -45
  322. data/src/core/ext/upb-generated/envoy/type/tracing/v3/custom_tag.upb.h +208 -131
  323. data/src/core/ext/upb-generated/envoy/type/v3/hash_policy.upb.c +34 -21
  324. data/src/core/ext/upb-generated/envoy/type/v3/hash_policy.upb.h +74 -53
  325. data/src/core/ext/upb-generated/envoy/type/v3/http.upb.c +7 -4
  326. data/src/core/ext/upb-generated/envoy/type/v3/http.upb.h +13 -8
  327. data/src/core/ext/upb-generated/envoy/type/v3/http_status.upb.c +16 -9
  328. data/src/core/ext/upb-generated/envoy/type/v3/http_status.upb.h +28 -18
  329. data/src/core/ext/upb-generated/envoy/type/v3/percent.upb.c +28 -15
  330. data/src/core/ext/upb-generated/envoy/type/v3/percent.upb.h +55 -34
  331. data/src/core/ext/upb-generated/envoy/type/v3/range.upb.c +43 -22
  332. data/src/core/ext/upb-generated/envoy/type/v3/range.upb.h +91 -53
  333. data/src/core/ext/upb-generated/envoy/type/v3/ratelimit_strategy.upb.c +35 -20
  334. data/src/core/ext/upb-generated/envoy/type/v3/ratelimit_strategy.upb.h +92 -57
  335. data/src/core/ext/upb-generated/envoy/type/v3/ratelimit_unit.upb.c +7 -4
  336. data/src/core/ext/upb-generated/envoy/type/v3/ratelimit_unit.upb.h +13 -8
  337. data/src/core/ext/upb-generated/envoy/type/v3/semantic_version.upb.c +20 -11
  338. data/src/core/ext/upb-generated/envoy/type/v3/semantic_version.upb.h +48 -26
  339. data/src/core/ext/upb-generated/envoy/type/v3/token_bucket.upb.c +23 -14
  340. data/src/core/ext/upb-generated/envoy/type/v3/token_bucket.upb.h +61 -41
  341. data/src/core/ext/upb-generated/google/api/annotations.upb.c +14 -11
  342. data/src/core/ext/upb-generated/google/api/annotations.upb.h +30 -20
  343. data/src/core/ext/upb-generated/google/api/expr/v1alpha1/checked.upb.c +255 -154
  344. data/src/core/ext/upb-generated/google/api/expr/v1alpha1/checked.upb.h +934 -450
  345. data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.c +299 -180
  346. data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h +946 -483
  347. data/src/core/ext/upb-generated/google/api/http.upb.c +68 -35
  348. data/src/core/ext/upb-generated/google/api/http.upb.h +284 -120
  349. data/src/core/ext/upb-generated/google/api/httpbody.upb.c +22 -13
  350. data/src/core/ext/upb-generated/google/api/httpbody.upb.h +95 -37
  351. data/src/core/ext/upb-generated/google/protobuf/any.upb.c +19 -10
  352. data/src/core/ext/upb-generated/google/protobuf/any.upb.h +38 -22
  353. data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.c +1018 -424
  354. data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.h +3851 -1412
  355. data/src/core/ext/upb-generated/google/protobuf/duration.upb.c +19 -10
  356. data/src/core/ext/upb-generated/google/protobuf/duration.upb.h +38 -22
  357. data/src/core/ext/upb-generated/google/protobuf/empty.upb.c +10 -7
  358. data/src/core/ext/upb-generated/google/protobuf/empty.upb.h +18 -14
  359. data/src/core/ext/upb-generated/google/protobuf/struct.upb.c +62 -39
  360. data/src/core/ext/upb-generated/google/protobuf/struct.upb.h +207 -102
  361. data/src/core/ext/upb-generated/google/protobuf/timestamp.upb.c +19 -10
  362. data/src/core/ext/upb-generated/google/protobuf/timestamp.upb.h +38 -22
  363. data/src/core/ext/upb-generated/google/protobuf/wrappers.upb.c +90 -51
  364. data/src/core/ext/upb-generated/google/protobuf/wrappers.upb.h +157 -107
  365. data/src/core/ext/upb-generated/google/rpc/status.upb.c +22 -13
  366. data/src/core/ext/upb-generated/google/rpc/status.upb.h +95 -37
  367. data/src/core/ext/upb-generated/opencensus/proto/trace/v1/trace_config.upb.c +59 -34
  368. data/src/core/ext/upb-generated/opencensus/proto/trace/v1/trace_config.upb.h +154 -92
  369. data/src/core/ext/upb-generated/src/proto/grpc/gcp/altscontext.upb.c +43 -24
  370. data/src/core/ext/upb-generated/src/proto/grpc/gcp/altscontext.upb.h +118 -60
  371. data/src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.c +250 -145
  372. data/src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.h +919 -415
  373. data/src/core/ext/upb-generated/src/proto/grpc/gcp/transport_security_common.upb.c +34 -19
  374. data/src/core/ext/upb-generated/src/proto/grpc/gcp/transport_security_common.upb.h +76 -51
  375. data/src/core/ext/upb-generated/src/proto/grpc/health/v1/health.upb.c +25 -14
  376. data/src/core/ext/upb-generated/src/proto/grpc/health/v1/health.upb.h +45 -30
  377. data/src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.c +144 -81
  378. data/src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.h +405 -217
  379. data/src/core/ext/upb-generated/src/proto/grpc/lookup/v1/rls.upb.c +51 -26
  380. data/src/core/ext/upb-generated/src/proto/grpc/lookup/v1/rls.upb.h +153 -61
  381. data/src/core/ext/upb-generated/src/proto/grpc/lookup/v1/rls_config.upb.c +173 -102
  382. data/src/core/ext/upb-generated/src/proto/grpc/lookup/v1/rls_config.upb.h +855 -298
  383. data/src/core/ext/upb-generated/udpa/annotations/migrate.upb.c +68 -49
  384. data/src/core/ext/upb-generated/udpa/annotations/migrate.upb.h +155 -104
  385. data/src/core/ext/upb-generated/udpa/annotations/security.upb.c +26 -17
  386. data/src/core/ext/upb-generated/udpa/annotations/security.upb.h +55 -34
  387. data/src/core/ext/upb-generated/udpa/annotations/sensitive.upb.c +12 -9
  388. data/src/core/ext/upb-generated/udpa/annotations/sensitive.upb.h +31 -14
  389. data/src/core/ext/upb-generated/udpa/annotations/status.upb.c +26 -17
  390. data/src/core/ext/upb-generated/udpa/annotations/status.upb.h +55 -34
  391. data/src/core/ext/upb-generated/udpa/annotations/versioning.upb.c +23 -16
  392. data/src/core/ext/upb-generated/udpa/annotations/versioning.upb.h +45 -30
  393. data/src/core/ext/upb-generated/validate/validate.upb.c +845 -455
  394. data/src/core/ext/upb-generated/validate/validate.upb.h +4347 -1908
  395. data/src/core/ext/upb-generated/xds/annotations/v3/migrate.upb.c +68 -49
  396. data/src/core/ext/upb-generated/xds/annotations/v3/migrate.upb.h +155 -104
  397. data/src/core/ext/upb-generated/xds/annotations/v3/security.upb.c +26 -17
  398. data/src/core/ext/upb-generated/xds/annotations/v3/security.upb.h +55 -34
  399. data/src/core/ext/upb-generated/xds/annotations/v3/sensitive.upb.c +12 -9
  400. data/src/core/ext/upb-generated/xds/annotations/v3/sensitive.upb.h +31 -14
  401. data/src/core/ext/upb-generated/xds/annotations/v3/status.upb.c +65 -44
  402. data/src/core/ext/upb-generated/xds/annotations/v3/status.upb.h +137 -91
  403. data/src/core/ext/upb-generated/xds/annotations/v3/versioning.upb.c +23 -16
  404. data/src/core/ext/upb-generated/xds/annotations/v3/versioning.upb.h +45 -30
  405. data/src/core/ext/upb-generated/xds/core/v3/authority.upb.c +16 -9
  406. data/src/core/ext/upb-generated/xds/core/v3/authority.upb.h +28 -18
  407. data/src/core/ext/upb-generated/xds/core/v3/cidr.upb.c +21 -12
  408. data/src/core/ext/upb-generated/xds/core/v3/cidr.upb.h +45 -30
  409. data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.c +37 -22
  410. data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.h +96 -63
  411. data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.c +26 -17
  412. data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.h +52 -29
  413. data/src/core/ext/upb-generated/xds/core/v3/extension.upb.c +21 -12
  414. data/src/core/ext/upb-generated/xds/core/v3/extension.upb.h +45 -30
  415. data/src/core/ext/upb-generated/xds/core/v3/resource.upb.c +23 -14
  416. data/src/core/ext/upb-generated/xds/core/v3/resource.upb.h +62 -42
  417. data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.c +44 -25
  418. data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.h +169 -79
  419. data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.c +27 -14
  420. data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.h +65 -38
  421. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +86 -31
  422. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +218 -58
  423. data/src/core/ext/upb-generated/xds/service/orca/v3/orca.upb.c +21 -12
  424. data/src/core/ext/upb-generated/xds/service/orca/v3/orca.upb.h +89 -34
  425. data/src/core/ext/upb-generated/xds/type/matcher/v3/cel.upb.c +18 -11
  426. data/src/core/ext/upb-generated/xds/type/matcher/v3/cel.upb.h +35 -26
  427. data/src/core/ext/upb-generated/xds/type/matcher/v3/domain.upb.c +32 -19
  428. data/src/core/ext/upb-generated/xds/type/matcher/v3/domain.upb.h +150 -54
  429. data/src/core/ext/upb-generated/xds/type/matcher/v3/http_inputs.upb.c +10 -7
  430. data/src/core/ext/upb-generated/xds/type/matcher/v3/http_inputs.upb.h +18 -14
  431. data/src/core/ext/upb-generated/xds/type/matcher/v3/ip.upb.c +34 -21
  432. data/src/core/ext/upb-generated/xds/type/matcher/v3/ip.upb.h +161 -63
  433. data/src/core/ext/upb-generated/xds/type/matcher/v3/matcher.upb.c +162 -101
  434. data/src/core/ext/upb-generated/xds/type/matcher/v3/matcher.upb.h +501 -293
  435. data/src/core/ext/upb-generated/xds/type/matcher/v3/range.upb.c +85 -52
  436. data/src/core/ext/upb-generated/xds/type/matcher/v3/range.upb.h +430 -164
  437. data/src/core/ext/upb-generated/xds/type/matcher/v3/regex.upb.c +24 -15
  438. data/src/core/ext/upb-generated/xds/type/matcher/v3/regex.upb.h +53 -37
  439. data/src/core/ext/upb-generated/xds/type/matcher/v3/string.upb.c +40 -23
  440. data/src/core/ext/upb-generated/xds/type/matcher/v3/string.upb.h +161 -75
  441. data/src/core/ext/upb-generated/xds/type/v3/cel.upb.c +37 -22
  442. data/src/core/ext/upb-generated/xds/type/v3/cel.upb.h +92 -66
  443. data/src/core/ext/upb-generated/xds/type/v3/range.upb.c +43 -22
  444. data/src/core/ext/upb-generated/xds/type/v3/range.upb.h +91 -53
  445. data/src/core/ext/upb-generated/xds/type/v3/typed_struct.upb.c +21 -12
  446. data/src/core/ext/upb-generated/xds/type/v3/typed_struct.upb.h +45 -30
  447. data/src/core/ext/upbdefs-generated/envoy/admin/v3/certs.upbdefs.c +1 -1
  448. data/src/core/ext/upbdefs-generated/envoy/admin/v3/certs.upbdefs.h +6 -5
  449. data/src/core/ext/upbdefs-generated/envoy/admin/v3/clusters.upbdefs.c +1 -1
  450. data/src/core/ext/upbdefs-generated/envoy/admin/v3/clusters.upbdefs.h +6 -5
  451. data/src/core/ext/upbdefs-generated/envoy/admin/v3/config_dump.upbdefs.c +1 -1
  452. data/src/core/ext/upbdefs-generated/envoy/admin/v3/config_dump.upbdefs.h +6 -5
  453. data/src/core/ext/upbdefs-generated/envoy/admin/v3/config_dump_shared.upbdefs.c +1 -1
  454. data/src/core/ext/upbdefs-generated/envoy/admin/v3/config_dump_shared.upbdefs.h +6 -5
  455. data/src/core/ext/upbdefs-generated/envoy/admin/v3/init_dump.upbdefs.c +1 -1
  456. data/src/core/ext/upbdefs-generated/envoy/admin/v3/init_dump.upbdefs.h +6 -5
  457. data/src/core/ext/upbdefs-generated/envoy/admin/v3/listeners.upbdefs.c +1 -1
  458. data/src/core/ext/upbdefs-generated/envoy/admin/v3/listeners.upbdefs.h +6 -5
  459. data/src/core/ext/upbdefs-generated/envoy/admin/v3/memory.upbdefs.c +1 -1
  460. data/src/core/ext/upbdefs-generated/envoy/admin/v3/memory.upbdefs.h +6 -5
  461. data/src/core/ext/upbdefs-generated/envoy/admin/v3/metrics.upbdefs.c +1 -1
  462. data/src/core/ext/upbdefs-generated/envoy/admin/v3/metrics.upbdefs.h +6 -5
  463. data/src/core/ext/upbdefs-generated/envoy/admin/v3/mutex_stats.upbdefs.c +1 -1
  464. data/src/core/ext/upbdefs-generated/envoy/admin/v3/mutex_stats.upbdefs.h +6 -5
  465. data/src/core/ext/upbdefs-generated/envoy/admin/v3/server_info.upbdefs.c +1 -1
  466. data/src/core/ext/upbdefs-generated/envoy/admin/v3/server_info.upbdefs.h +6 -5
  467. data/src/core/ext/upbdefs-generated/envoy/admin/v3/tap.upbdefs.c +1 -1
  468. data/src/core/ext/upbdefs-generated/envoy/admin/v3/tap.upbdefs.h +6 -5
  469. data/src/core/ext/upbdefs-generated/envoy/annotations/deprecation.upbdefs.c +1 -1
  470. data/src/core/ext/upbdefs-generated/envoy/annotations/deprecation.upbdefs.h +6 -5
  471. data/src/core/ext/upbdefs-generated/envoy/annotations/resource.upbdefs.c +1 -1
  472. data/src/core/ext/upbdefs-generated/envoy/annotations/resource.upbdefs.h +6 -5
  473. data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.c +89 -77
  474. data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.h +11 -5
  475. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +251 -248
  476. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.h +6 -5
  477. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/circuit_breaker.upbdefs.c +1 -1
  478. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/circuit_breaker.upbdefs.h +6 -5
  479. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +1 -1
  480. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.h +6 -5
  481. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/filter.upbdefs.c +1 -1
  482. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/filter.upbdefs.h +6 -5
  483. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/outlier_detection.upbdefs.c +1 -1
  484. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/outlier_detection.upbdefs.h +6 -5
  485. data/src/core/ext/upbdefs-generated/envoy/config/common/matcher/v3/matcher.upbdefs.c +1 -1
  486. data/src/core/ext/upbdefs-generated/envoy/config/common/matcher/v3/matcher.upbdefs.h +6 -5
  487. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/address.upbdefs.c +1 -1
  488. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/address.upbdefs.h +6 -5
  489. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/backoff.upbdefs.c +1 -1
  490. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/backoff.upbdefs.h +6 -5
  491. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +1 -1
  492. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +6 -5
  493. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.c +1 -1
  494. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.h +6 -5
  495. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/event_service_config.upbdefs.c +1 -1
  496. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/event_service_config.upbdefs.h +6 -5
  497. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/extension.upbdefs.c +1 -1
  498. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/extension.upbdefs.h +6 -5
  499. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/grpc_method_list.upbdefs.c +1 -1
  500. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/grpc_method_list.upbdefs.h +6 -5
  501. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/grpc_service.upbdefs.c +163 -161
  502. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/grpc_service.upbdefs.h +6 -5
  503. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.c +130 -119
  504. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.h +6 -5
  505. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/http_uri.upbdefs.c +1 -1
  506. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/http_uri.upbdefs.h +6 -5
  507. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +143 -134
  508. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.h +6 -5
  509. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +32 -16
  510. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +11 -5
  511. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/resolver.upbdefs.c +1 -1
  512. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/resolver.upbdefs.h +6 -5
  513. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/socket_option.upbdefs.c +1 -1
  514. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/socket_option.upbdefs.h +6 -5
  515. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.c +1 -1
  516. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.h +6 -5
  517. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/udp_socket_config.upbdefs.c +1 -1
  518. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/udp_socket_config.upbdefs.h +6 -5
  519. data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint.upbdefs.c +1 -1
  520. data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint.upbdefs.h +6 -5
  521. data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint_components.upbdefs.c +1 -1
  522. data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint_components.upbdefs.h +6 -5
  523. data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/load_report.upbdefs.c +1 -1
  524. data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/load_report.upbdefs.h +6 -5
  525. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/api_listener.upbdefs.c +1 -1
  526. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/api_listener.upbdefs.h +6 -5
  527. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +13 -10
  528. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +21 -5
  529. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.c +1 -1
  530. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.h +6 -5
  531. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +55 -46
  532. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.h +6 -5
  533. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c +1 -1
  534. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.h +6 -5
  535. data/src/core/ext/upbdefs-generated/envoy/config/metrics/v3/metrics_service.upbdefs.c +20 -13
  536. data/src/core/ext/upbdefs-generated/envoy/config/metrics/v3/metrics_service.upbdefs.h +6 -5
  537. data/src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c +1 -1
  538. data/src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h +6 -5
  539. data/src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c +39 -31
  540. data/src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h +11 -5
  541. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c +142 -120
  542. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h +16 -5
  543. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c +1 -1
  544. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h +6 -5
  545. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +101 -98
  546. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +6 -5
  547. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.c +1 -1
  548. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.h +6 -5
  549. data/src/core/ext/upbdefs-generated/envoy/config/tap/v3/common.upbdefs.c +1 -1
  550. data/src/core/ext/upbdefs-generated/envoy/config/tap/v3/common.upbdefs.h +6 -5
  551. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/datadog.upbdefs.c +1 -1
  552. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/datadog.upbdefs.h +6 -5
  553. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/dynamic_ot.upbdefs.c +1 -1
  554. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/dynamic_ot.upbdefs.h +6 -5
  555. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/http_tracer.upbdefs.c +1 -1
  556. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/http_tracer.upbdefs.h +6 -5
  557. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/lightstep.upbdefs.c +1 -1
  558. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/lightstep.upbdefs.h +6 -5
  559. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opencensus.upbdefs.c +1 -1
  560. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opencensus.upbdefs.h +6 -5
  561. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.c +16 -19
  562. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.h +6 -5
  563. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/service.upbdefs.c +1 -1
  564. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/service.upbdefs.h +6 -5
  565. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/skywalking.upbdefs.c +1 -1
  566. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/skywalking.upbdefs.h +6 -5
  567. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/trace.upbdefs.c +1 -1
  568. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/trace.upbdefs.h +6 -5
  569. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/xray.upbdefs.c +1 -1
  570. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/xray.upbdefs.h +6 -5
  571. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/zipkin.upbdefs.c +1 -1
  572. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/zipkin.upbdefs.h +6 -5
  573. data/src/core/ext/upbdefs-generated/envoy/data/accesslog/v3/accesslog.upbdefs.c +402 -0
  574. data/src/core/ext/upbdefs-generated/envoy/data/accesslog/v3/accesslog.upbdefs.h +111 -0
  575. data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c +1 -1
  576. data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h +6 -5
  577. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.c +1 -1
  578. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h +6 -5
  579. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c +81 -75
  580. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h +6 -5
  581. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c +1 -1
  582. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h +6 -5
  583. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c +64 -48
  584. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h +11 -5
  585. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/stateful_session/v3/stateful_session.upbdefs.c +1 -1
  586. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/stateful_session/v3/stateful_session.upbdefs.h +6 -5
  587. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +315 -282
  588. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.h +11 -5
  589. data/src/core/ext/upbdefs-generated/envoy/extensions/http/stateful_session/cookie/v3/cookie.upbdefs.c +1 -1
  590. data/src/core/ext/upbdefs-generated/envoy/extensions/http/stateful_session/cookie/v3/cookie.upbdefs.h +6 -5
  591. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c +1 -1
  592. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.h +6 -5
  593. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.c +138 -136
  594. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.h +6 -5
  595. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/secret.upbdefs.c +1 -1
  596. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/secret.upbdefs.h +6 -5
  597. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +118 -118
  598. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.h +6 -5
  599. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.upbdefs.c +1 -1
  600. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.upbdefs.h +6 -5
  601. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +6 -6
  602. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.h +6 -5
  603. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.c +1 -1
  604. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.h +6 -5
  605. data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +6 -6
  606. data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.h +6 -5
  607. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +12 -13
  608. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.h +6 -5
  609. data/src/core/ext/upbdefs-generated/envoy/type/http/v3/cookie.upbdefs.c +1 -1
  610. data/src/core/ext/upbdefs-generated/envoy/type/http/v3/cookie.upbdefs.h +6 -5
  611. data/src/core/ext/upbdefs-generated/envoy/type/http/v3/path_transformation.upbdefs.c +1 -1
  612. data/src/core/ext/upbdefs-generated/envoy/type/http/v3/path_transformation.upbdefs.h +6 -5
  613. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/filter_state.upbdefs.c +1 -1
  614. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/filter_state.upbdefs.h +6 -5
  615. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.c +13 -10
  616. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.h +11 -5
  617. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/metadata.upbdefs.c +1 -1
  618. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/metadata.upbdefs.h +6 -5
  619. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/node.upbdefs.c +1 -1
  620. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/node.upbdefs.h +6 -5
  621. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/number.upbdefs.c +1 -1
  622. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/number.upbdefs.h +6 -5
  623. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/path.upbdefs.c +1 -1
  624. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/path.upbdefs.h +6 -5
  625. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/regex.upbdefs.c +30 -30
  626. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/regex.upbdefs.h +6 -5
  627. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/status_code_input.upbdefs.c +1 -1
  628. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/status_code_input.upbdefs.h +6 -5
  629. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/string.upbdefs.c +1 -1
  630. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/string.upbdefs.h +6 -5
  631. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/struct.upbdefs.c +1 -1
  632. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/struct.upbdefs.h +6 -5
  633. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/value.upbdefs.c +1 -1
  634. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/value.upbdefs.h +6 -5
  635. data/src/core/ext/upbdefs-generated/envoy/type/metadata/v3/metadata.upbdefs.c +1 -1
  636. data/src/core/ext/upbdefs-generated/envoy/type/metadata/v3/metadata.upbdefs.h +6 -5
  637. data/src/core/ext/upbdefs-generated/envoy/type/tracing/v3/custom_tag.upbdefs.c +1 -1
  638. data/src/core/ext/upbdefs-generated/envoy/type/tracing/v3/custom_tag.upbdefs.h +6 -5
  639. data/src/core/ext/upbdefs-generated/envoy/type/v3/hash_policy.upbdefs.c +1 -1
  640. data/src/core/ext/upbdefs-generated/envoy/type/v3/hash_policy.upbdefs.h +6 -5
  641. data/src/core/ext/upbdefs-generated/envoy/type/v3/http.upbdefs.c +1 -1
  642. data/src/core/ext/upbdefs-generated/envoy/type/v3/http.upbdefs.h +6 -5
  643. data/src/core/ext/upbdefs-generated/envoy/type/v3/http_status.upbdefs.c +1 -1
  644. data/src/core/ext/upbdefs-generated/envoy/type/v3/http_status.upbdefs.h +6 -5
  645. data/src/core/ext/upbdefs-generated/envoy/type/v3/percent.upbdefs.c +1 -1
  646. data/src/core/ext/upbdefs-generated/envoy/type/v3/percent.upbdefs.h +6 -5
  647. data/src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.c +1 -1
  648. data/src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.h +6 -5
  649. data/src/core/ext/upbdefs-generated/envoy/type/v3/ratelimit_strategy.upbdefs.c +1 -1
  650. data/src/core/ext/upbdefs-generated/envoy/type/v3/ratelimit_strategy.upbdefs.h +6 -5
  651. data/src/core/ext/upbdefs-generated/envoy/type/v3/ratelimit_unit.upbdefs.c +1 -1
  652. data/src/core/ext/upbdefs-generated/envoy/type/v3/ratelimit_unit.upbdefs.h +6 -5
  653. data/src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.c +1 -1
  654. data/src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.h +6 -5
  655. data/src/core/ext/upbdefs-generated/envoy/type/v3/token_bucket.upbdefs.c +1 -1
  656. data/src/core/ext/upbdefs-generated/envoy/type/v3/token_bucket.upbdefs.h +6 -5
  657. data/src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.c +1 -1
  658. data/src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.h +6 -5
  659. data/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c +1 -1
  660. data/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.h +6 -5
  661. data/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c +1 -1
  662. data/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.h +6 -5
  663. data/src/core/ext/upbdefs-generated/google/api/http.upbdefs.c +1 -1
  664. data/src/core/ext/upbdefs-generated/google/api/http.upbdefs.h +6 -5
  665. data/src/core/ext/upbdefs-generated/google/api/httpbody.upbdefs.c +1 -1
  666. data/src/core/ext/upbdefs-generated/google/api/httpbody.upbdefs.h +6 -5
  667. data/src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c +1 -1
  668. data/src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.h +6 -5
  669. data/src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.c +329 -273
  670. data/src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.h +11 -5
  671. data/src/core/ext/upbdefs-generated/google/protobuf/duration.upbdefs.c +1 -1
  672. data/src/core/ext/upbdefs-generated/google/protobuf/duration.upbdefs.h +6 -5
  673. data/src/core/ext/upbdefs-generated/google/protobuf/empty.upbdefs.c +1 -1
  674. data/src/core/ext/upbdefs-generated/google/protobuf/empty.upbdefs.h +6 -5
  675. data/src/core/ext/upbdefs-generated/google/protobuf/struct.upbdefs.c +1 -1
  676. data/src/core/ext/upbdefs-generated/google/protobuf/struct.upbdefs.h +6 -5
  677. data/src/core/ext/upbdefs-generated/google/protobuf/timestamp.upbdefs.c +1 -1
  678. data/src/core/ext/upbdefs-generated/google/protobuf/timestamp.upbdefs.h +6 -5
  679. data/src/core/ext/upbdefs-generated/google/protobuf/wrappers.upbdefs.c +1 -1
  680. data/src/core/ext/upbdefs-generated/google/protobuf/wrappers.upbdefs.h +6 -5
  681. data/src/core/ext/upbdefs-generated/google/rpc/status.upbdefs.c +1 -1
  682. data/src/core/ext/upbdefs-generated/google/rpc/status.upbdefs.h +6 -5
  683. data/src/core/ext/upbdefs-generated/opencensus/proto/trace/v1/trace_config.upbdefs.c +1 -1
  684. data/src/core/ext/upbdefs-generated/opencensus/proto/trace/v1/trace_config.upbdefs.h +6 -5
  685. data/src/core/ext/upbdefs-generated/src/proto/grpc/lookup/v1/rls_config.upbdefs.c +1 -1
  686. data/src/core/ext/upbdefs-generated/src/proto/grpc/lookup/v1/rls_config.upbdefs.h +6 -5
  687. data/src/core/ext/upbdefs-generated/udpa/annotations/migrate.upbdefs.c +1 -1
  688. data/src/core/ext/upbdefs-generated/udpa/annotations/migrate.upbdefs.h +6 -5
  689. data/src/core/ext/upbdefs-generated/udpa/annotations/security.upbdefs.c +1 -1
  690. data/src/core/ext/upbdefs-generated/udpa/annotations/security.upbdefs.h +6 -5
  691. data/src/core/ext/upbdefs-generated/udpa/annotations/sensitive.upbdefs.c +1 -1
  692. data/src/core/ext/upbdefs-generated/udpa/annotations/sensitive.upbdefs.h +6 -5
  693. data/src/core/ext/upbdefs-generated/udpa/annotations/status.upbdefs.c +1 -1
  694. data/src/core/ext/upbdefs-generated/udpa/annotations/status.upbdefs.h +6 -5
  695. data/src/core/ext/upbdefs-generated/udpa/annotations/versioning.upbdefs.c +1 -1
  696. data/src/core/ext/upbdefs-generated/udpa/annotations/versioning.upbdefs.h +6 -5
  697. data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.c +1 -1
  698. data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.h +6 -5
  699. data/src/core/ext/upbdefs-generated/xds/annotations/v3/migrate.upbdefs.c +1 -1
  700. data/src/core/ext/upbdefs-generated/xds/annotations/v3/migrate.upbdefs.h +6 -5
  701. data/src/core/ext/upbdefs-generated/xds/annotations/v3/security.upbdefs.c +1 -1
  702. data/src/core/ext/upbdefs-generated/xds/annotations/v3/security.upbdefs.h +6 -5
  703. data/src/core/ext/upbdefs-generated/xds/annotations/v3/sensitive.upbdefs.c +1 -1
  704. data/src/core/ext/upbdefs-generated/xds/annotations/v3/sensitive.upbdefs.h +6 -5
  705. data/src/core/ext/upbdefs-generated/xds/annotations/v3/status.upbdefs.c +1 -1
  706. data/src/core/ext/upbdefs-generated/xds/annotations/v3/status.upbdefs.h +6 -5
  707. data/src/core/ext/upbdefs-generated/xds/annotations/v3/versioning.upbdefs.c +1 -1
  708. data/src/core/ext/upbdefs-generated/xds/annotations/v3/versioning.upbdefs.h +6 -5
  709. data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.c +1 -1
  710. data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.h +6 -5
  711. data/src/core/ext/upbdefs-generated/xds/core/v3/cidr.upbdefs.c +1 -1
  712. data/src/core/ext/upbdefs-generated/xds/core/v3/cidr.upbdefs.h +6 -5
  713. data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.c +1 -1
  714. data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.h +6 -5
  715. data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.c +1 -1
  716. data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.h +6 -5
  717. data/src/core/ext/upbdefs-generated/xds/core/v3/extension.upbdefs.c +1 -1
  718. data/src/core/ext/upbdefs-generated/xds/core/v3/extension.upbdefs.h +6 -5
  719. data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.c +1 -1
  720. data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.h +6 -5
  721. data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.c +1 -1
  722. data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.h +6 -5
  723. data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.c +1 -1
  724. data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.h +6 -5
  725. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/cel.upbdefs.c +1 -1
  726. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/cel.upbdefs.h +6 -5
  727. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/domain.upbdefs.c +1 -1
  728. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/domain.upbdefs.h +6 -5
  729. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/http_inputs.upbdefs.c +1 -1
  730. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/http_inputs.upbdefs.h +6 -5
  731. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/ip.upbdefs.c +1 -1
  732. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/ip.upbdefs.h +6 -5
  733. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/matcher.upbdefs.c +1 -1
  734. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/matcher.upbdefs.h +6 -5
  735. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/range.upbdefs.c +1 -1
  736. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/range.upbdefs.h +6 -5
  737. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/regex.upbdefs.c +1 -1
  738. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/regex.upbdefs.h +6 -5
  739. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/string.upbdefs.c +1 -1
  740. data/src/core/ext/upbdefs-generated/xds/type/matcher/v3/string.upbdefs.h +6 -5
  741. data/src/core/ext/upbdefs-generated/xds/type/v3/cel.upbdefs.c +1 -1
  742. data/src/core/ext/upbdefs-generated/xds/type/v3/cel.upbdefs.h +6 -5
  743. data/src/core/ext/upbdefs-generated/xds/type/v3/range.upbdefs.c +1 -1
  744. data/src/core/ext/upbdefs-generated/xds/type/v3/range.upbdefs.h +6 -5
  745. data/src/core/ext/upbdefs-generated/xds/type/v3/typed_struct.upbdefs.c +1 -1
  746. data/src/core/ext/upbdefs-generated/xds/type/v3/typed_struct.upbdefs.h +6 -5
  747. data/src/core/ext/xds/certificate_provider_store.cc +8 -13
  748. data/src/core/ext/xds/certificate_provider_store.h +1 -1
  749. data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc +30 -42
  750. data/src/core/ext/xds/file_watcher_certificate_provider_factory.h +14 -9
  751. data/src/core/ext/xds/upb_utils.h +1 -1
  752. data/src/core/ext/xds/xds_api.cc +41 -18
  753. data/src/core/ext/xds/xds_api.h +5 -4
  754. data/src/core/ext/xds/xds_audit_logger_registry.cc +122 -0
  755. data/src/core/ext/xds/xds_audit_logger_registry.h +68 -0
  756. data/src/core/ext/xds/xds_bootstrap.cc +3 -3
  757. data/src/core/ext/xds/xds_bootstrap_grpc.cc +65 -50
  758. data/src/core/ext/xds/xds_bootstrap_grpc.h +10 -13
  759. data/src/core/ext/xds/xds_channel_stack_modifier.cc +1 -2
  760. data/src/core/ext/xds/xds_client.cc +29 -7
  761. data/src/core/ext/xds/xds_client.h +1 -1
  762. data/src/core/ext/xds/xds_client_grpc.cc +11 -6
  763. data/src/core/ext/xds/xds_client_grpc.h +16 -2
  764. data/src/core/ext/xds/xds_client_stats.cc +29 -15
  765. data/src/core/ext/xds/xds_client_stats.h +34 -20
  766. data/src/core/ext/xds/xds_cluster.cc +70 -67
  767. data/src/core/ext/xds/xds_cluster.h +1 -2
  768. data/src/core/ext/xds/xds_cluster_specifier_plugin.cc +15 -11
  769. data/src/core/ext/xds/xds_cluster_specifier_plugin.h +2 -2
  770. data/src/core/ext/xds/xds_common_types.cc +8 -5
  771. data/src/core/ext/xds/xds_endpoint.cc +14 -11
  772. data/src/core/ext/xds/xds_endpoint.h +10 -2
  773. data/src/core/ext/xds/xds_health_status.cc +0 -17
  774. data/src/core/ext/xds/xds_health_status.h +5 -25
  775. data/src/core/ext/xds/xds_http_fault_filter.cc +18 -15
  776. data/src/core/ext/xds/xds_http_fault_filter.h +3 -2
  777. data/src/core/ext/xds/xds_http_filters.h +7 -4
  778. data/src/core/ext/xds/xds_http_rbac_filter.cc +159 -74
  779. data/src/core/ext/xds/xds_http_rbac_filter.h +3 -2
  780. data/src/core/ext/xds/xds_http_stateful_session_filter.cc +17 -13
  781. data/src/core/ext/xds/xds_http_stateful_session_filter.h +3 -2
  782. data/src/core/ext/xds/xds_lb_policy_registry.cc +75 -35
  783. data/src/core/ext/xds/xds_listener.cc +11 -4
  784. data/src/core/ext/xds/xds_listener.h +1 -1
  785. data/src/core/ext/xds/xds_resource_type.h +2 -2
  786. data/src/core/ext/xds/xds_route_config.cc +52 -8
  787. data/src/core/ext/xds/xds_route_config.h +1 -1
  788. data/src/core/ext/xds/xds_routing.cc +2 -2
  789. data/src/core/ext/xds/xds_transport_grpc.cc +2 -2
  790. data/src/core/lib/address_utils/parse_address.cc +63 -1
  791. data/src/core/lib/address_utils/parse_address.h +8 -0
  792. data/src/core/lib/address_utils/sockaddr_utils.cc +46 -1
  793. data/src/core/lib/address_utils/sockaddr_utils.h +2 -2
  794. data/src/core/lib/avl/avl.h +5 -0
  795. data/src/core/lib/backoff/random_early_detection.h +5 -0
  796. data/src/core/lib/channel/call_finalization.h +1 -1
  797. data/src/core/lib/channel/call_tracer.cc +51 -0
  798. data/src/core/lib/channel/call_tracer.h +101 -38
  799. data/src/core/lib/channel/channel_args.cc +101 -32
  800. data/src/core/lib/channel/channel_args.h +37 -1
  801. data/src/core/lib/channel/channel_trace.cc +16 -12
  802. data/src/core/lib/channel/channelz.cc +163 -135
  803. data/src/core/lib/channel/channelz.h +42 -35
  804. data/src/core/lib/channel/channelz_registry.cc +24 -20
  805. data/src/core/lib/channel/connected_channel.cc +545 -1043
  806. data/src/core/lib/channel/context.h +8 -1
  807. data/src/core/lib/channel/promise_based_filter.cc +100 -46
  808. data/src/core/lib/channel/promise_based_filter.h +30 -13
  809. data/src/core/lib/channel/server_call_tracer_filter.cc +110 -0
  810. data/src/core/lib/compression/compression_internal.cc +2 -5
  811. data/src/core/lib/config/config_vars.cc +153 -0
  812. data/src/core/lib/config/config_vars.h +127 -0
  813. data/src/core/lib/config/config_vars_non_generated.cc +51 -0
  814. data/src/core/lib/config/load_config.cc +79 -0
  815. data/src/core/lib/config/load_config.h +55 -0
  816. data/src/core/lib/debug/event_log.h +1 -1
  817. data/src/core/lib/debug/stats_data.h +1 -1
  818. data/src/core/lib/debug/trace.cc +35 -61
  819. data/src/core/lib/debug/trace.h +14 -9
  820. data/src/core/lib/event_engine/cf_engine/cf_engine.cc +212 -0
  821. data/src/core/lib/event_engine/cf_engine/cf_engine.h +86 -0
  822. data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.cc +354 -0
  823. data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.h +146 -0
  824. data/src/core/lib/event_engine/cf_engine/cftype_unique_ref.h +79 -0
  825. data/src/core/lib/event_engine/default_event_engine.cc +13 -1
  826. data/src/core/lib/event_engine/default_event_engine_factory.cc +14 -2
  827. data/src/core/lib/event_engine/event_engine.cc +25 -2
  828. data/src/core/lib/event_engine/forkable.cc +47 -42
  829. data/src/core/lib/event_engine/handle_containers.h +5 -24
  830. data/src/core/lib/event_engine/memory_allocator_factory.h +47 -0
  831. data/src/core/lib/event_engine/poller.h +2 -2
  832. data/src/core/lib/event_engine/posix.h +4 -0
  833. data/src/core/lib/event_engine/posix_engine/ev_epoll1_linux.cc +5 -7
  834. data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +4 -10
  835. data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +3 -9
  836. data/src/core/lib/event_engine/posix_engine/lockfree_event.cc +7 -18
  837. data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +73 -26
  838. data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +20 -9
  839. data/src/core/lib/event_engine/posix_engine/posix_engine.cc +49 -51
  840. data/src/core/lib/event_engine/posix_engine/posix_engine.h +10 -13
  841. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +75 -33
  842. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.h +12 -8
  843. data/src/core/lib/event_engine/posix_engine/posix_engine_listener_utils.cc +4 -2
  844. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +75 -21
  845. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +9 -3
  846. data/src/core/lib/event_engine/posix_engine/timer.h +10 -37
  847. data/src/core/lib/event_engine/posix_engine/timer_manager.h +1 -1
  848. data/src/core/lib/event_engine/resolved_address.cc +2 -1
  849. data/src/core/lib/event_engine/shim.cc +9 -1
  850. data/src/core/lib/event_engine/tcp_socket_utils.cc +67 -7
  851. data/src/core/lib/event_engine/tcp_socket_utils.h +3 -0
  852. data/src/core/lib/event_engine/{thread_pool.cc → thread_pool/original_thread_pool.cc} +28 -25
  853. data/src/core/lib/event_engine/{thread_pool.h → thread_pool/original_thread_pool.h} +11 -15
  854. data/src/core/lib/event_engine/thread_pool/thread_pool.h +50 -0
  855. data/src/core/lib/event_engine/{executor/executor.h → thread_pool/thread_pool_factory.cc} +17 -15
  856. data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.cc +542 -0
  857. data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.h +269 -0
  858. data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.cc +157 -0
  859. data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.h +104 -0
  860. data/src/core/lib/event_engine/trace.cc +1 -0
  861. data/src/core/lib/event_engine/trace.h +6 -0
  862. data/src/core/lib/event_engine/windows/iocp.cc +4 -3
  863. data/src/core/lib/event_engine/windows/iocp.h +3 -3
  864. data/src/core/lib/event_engine/windows/win_socket.cc +6 -7
  865. data/src/core/lib/event_engine/windows/win_socket.h +4 -4
  866. data/src/core/lib/event_engine/windows/windows_endpoint.cc +154 -105
  867. data/src/core/lib/event_engine/windows/windows_endpoint.h +30 -10
  868. data/src/core/lib/event_engine/windows/windows_engine.cc +57 -33
  869. data/src/core/lib/event_engine/windows/windows_engine.h +16 -19
  870. data/src/core/lib/event_engine/windows/windows_listener.cc +370 -0
  871. data/src/core/lib/event_engine/windows/windows_listener.h +156 -0
  872. data/src/core/lib/event_engine/work_queue/basic_work_queue.cc +63 -0
  873. data/src/core/lib/event_engine/work_queue/basic_work_queue.h +71 -0
  874. data/src/core/lib/event_engine/work_queue/work_queue.h +62 -0
  875. data/src/core/lib/experiments/config.cc +99 -37
  876. data/src/core/lib/experiments/config.h +33 -5
  877. data/src/core/lib/experiments/experiments.cc +352 -17
  878. data/src/core/lib/experiments/experiments.h +93 -18
  879. data/src/core/lib/gpr/log.cc +15 -28
  880. data/src/core/lib/gpr/log_internal.h +55 -0
  881. data/src/core/lib/gpr/{time_posix.cc → posix/time.cc} +5 -0
  882. data/src/core/lib/gprpp/crash.cc +10 -0
  883. data/src/core/lib/gprpp/crash.h +3 -0
  884. data/src/core/lib/gprpp/dual_ref_counted.h +9 -9
  885. data/src/core/lib/gprpp/fork.cc +16 -23
  886. data/src/core/lib/gprpp/fork.h +6 -5
  887. data/src/core/lib/gprpp/if_list.h +4530 -0
  888. data/src/core/lib/gprpp/orphanable.h +7 -6
  889. data/src/core/lib/gprpp/per_cpu.cc +33 -0
  890. data/src/core/lib/gprpp/per_cpu.h +33 -4
  891. data/src/core/lib/gprpp/{thd_posix.cc → posix/thd.cc} +49 -37
  892. data/src/core/lib/gprpp/ref_counted.h +39 -40
  893. data/src/core/lib/gprpp/sorted_pack.h +3 -12
  894. data/src/core/lib/gprpp/status_helper.cc +2 -2
  895. data/src/core/lib/gprpp/status_helper.h +16 -15
  896. data/src/core/lib/gprpp/thd.h +16 -0
  897. data/src/core/lib/gprpp/time.cc +2 -0
  898. data/src/core/lib/gprpp/time.h +16 -4
  899. data/src/core/lib/gprpp/type_list.h +32 -0
  900. data/src/core/lib/gprpp/validation_errors.cc +8 -3
  901. data/src/core/lib/gprpp/validation_errors.h +16 -9
  902. data/src/core/lib/gprpp/{thd_windows.cc → windows/thd.cc} +2 -2
  903. data/src/core/lib/http/httpcli.h +6 -9
  904. data/src/core/lib/iomgr/buffer_list.h +0 -1
  905. data/src/core/lib/iomgr/call_combiner.h +2 -2
  906. data/src/core/lib/iomgr/cfstream_handle.cc +1 -1
  907. data/src/core/lib/iomgr/endpoint_cfstream.cc +14 -10
  908. data/src/core/lib/iomgr/error.cc +32 -2
  909. data/src/core/lib/iomgr/error.h +9 -10
  910. data/src/core/lib/iomgr/ev_apple.cc +12 -12
  911. data/src/core/lib/iomgr/ev_epoll1_linux.cc +15 -10
  912. data/src/core/lib/iomgr/ev_poll_posix.cc +6 -5
  913. data/src/core/lib/iomgr/ev_posix.cc +13 -53
  914. data/src/core/lib/iomgr/ev_posix.h +0 -3
  915. data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +118 -77
  916. data/src/core/lib/iomgr/exec_ctx.h +11 -0
  917. data/src/core/lib/iomgr/iocp_windows.cc +24 -3
  918. data/src/core/lib/iomgr/iocp_windows.h +11 -0
  919. data/src/core/lib/iomgr/iomgr.cc +4 -8
  920. data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +1 -1
  921. data/src/core/lib/iomgr/iomgr_windows.cc +8 -2
  922. data/src/core/lib/iomgr/pollset.h +4 -5
  923. data/src/core/lib/iomgr/pollset_set_windows.cc +9 -9
  924. data/src/core/lib/iomgr/pollset_windows.cc +1 -1
  925. data/src/core/lib/iomgr/port.h +10 -0
  926. data/src/core/lib/iomgr/resolve_address.cc +13 -1
  927. data/src/core/lib/iomgr/resolve_address.h +17 -3
  928. data/src/core/lib/iomgr/sockaddr_posix.h +7 -0
  929. data/src/core/lib/iomgr/socket_utils_common_posix.cc +49 -5
  930. data/src/core/lib/iomgr/socket_utils_posix.cc +5 -0
  931. data/src/core/lib/iomgr/socket_utils_posix.h +9 -0
  932. data/src/core/lib/iomgr/socket_windows.cc +61 -7
  933. data/src/core/lib/iomgr/socket_windows.h +9 -2
  934. data/src/core/lib/iomgr/tcp_client_cfstream.cc +14 -3
  935. data/src/core/lib/iomgr/tcp_client_posix.cc +8 -1
  936. data/src/core/lib/iomgr/tcp_client_windows.cc +2 -2
  937. data/src/core/lib/iomgr/tcp_posix.cc +21 -5
  938. data/src/core/lib/iomgr/tcp_server_posix.cc +186 -133
  939. data/src/core/lib/iomgr/tcp_server_utils_posix.h +13 -1
  940. data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +26 -2
  941. data/src/core/lib/iomgr/tcp_server_windows.cc +176 -9
  942. data/src/core/lib/iomgr/tcp_windows.cc +13 -11
  943. data/src/core/lib/iomgr/timer_generic.cc +17 -16
  944. data/src/core/lib/iomgr/vsock.cc +59 -0
  945. data/src/core/lib/iomgr/vsock.h +38 -0
  946. data/src/core/lib/iomgr/wakeup_fd_posix.h +3 -6
  947. data/src/core/lib/json/json.h +2 -218
  948. data/src/core/lib/json/json_object_loader.cc +24 -25
  949. data/src/core/lib/json/json_object_loader.h +30 -18
  950. data/src/core/lib/json/json_reader.cc +69 -42
  951. data/src/core/{ext/filters/client_channel/lb_call_state_internal.h → lib/json/json_reader.h} +7 -12
  952. data/src/core/lib/json/json_util.cc +10 -15
  953. data/src/core/lib/json/json_util.h +5 -4
  954. data/src/core/lib/json/json_writer.cc +24 -25
  955. data/src/core/lib/{security/security_connector/ssl_utils_config.h → json/json_writer.h} +14 -10
  956. data/src/core/lib/load_balancing/delegating_helper.h +115 -0
  957. data/src/core/lib/load_balancing/lb_policy.cc +9 -13
  958. data/src/core/lib/load_balancing/lb_policy.h +37 -2
  959. data/src/core/lib/load_balancing/lb_policy_registry.cc +9 -8
  960. data/src/core/lib/load_balancing/subchannel_interface.h +6 -0
  961. data/src/core/lib/matchers/matchers.cc +3 -4
  962. data/src/core/lib/matchers/matchers.h +2 -1
  963. data/src/core/lib/promise/activity.cc +27 -6
  964. data/src/core/lib/promise/activity.h +71 -24
  965. data/src/core/lib/promise/cancel_callback.h +77 -0
  966. data/src/core/lib/promise/detail/basic_seq.h +1 -1
  967. data/src/core/lib/promise/detail/promise_factory.h +5 -1
  968. data/src/core/lib/promise/for_each.h +176 -0
  969. data/src/core/lib/promise/if.h +9 -0
  970. data/src/core/lib/promise/interceptor_list.h +23 -2
  971. data/src/core/lib/promise/latch.h +89 -3
  972. data/src/core/lib/promise/loop.h +13 -9
  973. data/src/core/lib/promise/map.h +7 -0
  974. data/src/core/lib/promise/party.cc +304 -0
  975. data/src/core/lib/promise/party.h +508 -0
  976. data/src/core/lib/promise/pipe.h +213 -59
  977. data/src/core/lib/promise/poll.h +48 -0
  978. data/src/core/lib/promise/prioritized_race.h +95 -0
  979. data/src/core/lib/promise/promise.h +2 -2
  980. data/src/core/lib/promise/sleep.cc +2 -1
  981. data/src/core/lib/resolver/resolver_factory.h +3 -2
  982. data/src/core/lib/resolver/server_address.cc +9 -102
  983. data/src/core/lib/resolver/server_address.h +10 -70
  984. data/src/core/lib/resource_quota/arena.cc +19 -3
  985. data/src/core/lib/resource_quota/arena.h +119 -5
  986. data/src/core/lib/resource_quota/memory_quota.cc +8 -8
  987. data/src/core/lib/resource_quota/memory_quota.h +2 -3
  988. data/src/core/lib/security/authorization/audit_logging.cc +98 -0
  989. data/src/core/lib/security/authorization/audit_logging.h +73 -0
  990. data/src/core/lib/security/authorization/grpc_authorization_engine.cc +47 -2
  991. data/src/core/lib/security/authorization/grpc_authorization_engine.h +18 -1
  992. data/src/core/lib/security/authorization/rbac_policy.cc +36 -4
  993. data/src/core/lib/security/authorization/rbac_policy.h +19 -2
  994. data/src/core/lib/security/authorization/stdout_logger.cc +75 -0
  995. data/src/core/lib/security/authorization/stdout_logger.h +61 -0
  996. data/src/core/lib/security/certificate_provider/certificate_provider_factory.h +8 -4
  997. data/src/core/lib/security/certificate_provider/certificate_provider_registry.cc +8 -18
  998. data/src/core/lib/security/certificate_provider/certificate_provider_registry.h +14 -8
  999. data/src/core/lib/security/credentials/channel_creds_registry.h +51 -27
  1000. data/src/core/lib/security/credentials/channel_creds_registry_init.cc +169 -9
  1001. data/src/core/lib/security/credentials/composite/composite_credentials.cc +1 -1
  1002. data/src/core/lib/security/credentials/composite/composite_credentials.h +3 -1
  1003. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +66 -84
  1004. data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +1 -0
  1005. data/src/core/lib/security/credentials/external/external_account_credentials.cc +104 -65
  1006. data/src/core/lib/security/credentials/external/external_account_credentials.h +6 -0
  1007. data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +23 -21
  1008. data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +29 -27
  1009. data/src/core/lib/security/credentials/fake/fake_credentials.cc +30 -38
  1010. data/src/core/lib/security/credentials/fake/fake_credentials.h +28 -0
  1011. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +5 -61
  1012. data/src/core/lib/security/credentials/jwt/json_token.cc +19 -16
  1013. data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +10 -5
  1014. data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +40 -38
  1015. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +28 -21
  1016. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
  1017. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +13 -0
  1018. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +2 -0
  1019. data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc +8 -0
  1020. data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +5 -1
  1021. data/src/core/lib/security/credentials/tls/tls_credentials.cc +1 -1
  1022. data/src/core/lib/security/credentials/tls/tls_credentials.h +3 -1
  1023. data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +1 -5
  1024. data/src/core/lib/security/security_connector/load_system_roots_supported.cc +5 -9
  1025. data/src/core/lib/security/security_connector/ssl_utils.cc +13 -26
  1026. data/src/core/lib/security/security_connector/ssl_utils.h +1 -1
  1027. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +13 -1
  1028. data/src/core/lib/security/transport/secure_endpoint.cc +4 -2
  1029. data/src/core/lib/security/transport/server_auth_filter.cc +20 -2
  1030. data/src/core/lib/security/util/json_util.cc +6 -5
  1031. data/src/core/lib/service_config/service_config_call_data.h +54 -20
  1032. data/src/core/lib/service_config/service_config_impl.cc +13 -6
  1033. data/src/core/lib/slice/slice.cc +1 -1
  1034. data/src/core/lib/slice/slice.h +18 -0
  1035. data/src/core/lib/surface/builtins.cc +2 -0
  1036. data/src/core/lib/surface/call.cc +1019 -1055
  1037. data/src/core/lib/surface/call.h +11 -5
  1038. data/src/core/lib/surface/completion_queue.cc +8 -3
  1039. data/src/core/lib/surface/lame_client.cc +1 -0
  1040. data/src/core/lib/surface/server.cc +47 -19
  1041. data/src/core/lib/surface/server.h +2 -2
  1042. data/src/core/lib/surface/validate_metadata.cc +37 -22
  1043. data/src/core/lib/surface/validate_metadata.h +13 -3
  1044. data/src/core/lib/surface/version.cc +2 -2
  1045. data/src/core/lib/transport/batch_builder.cc +182 -0
  1046. data/src/core/lib/transport/batch_builder.h +480 -0
  1047. data/src/core/lib/transport/bdp_estimator.cc +7 -7
  1048. data/src/core/lib/transport/bdp_estimator.h +10 -6
  1049. data/src/core/lib/transport/custom_metadata.h +30 -0
  1050. data/src/core/lib/transport/metadata_batch.cc +12 -9
  1051. data/src/core/lib/transport/metadata_batch.h +103 -110
  1052. data/src/core/lib/transport/metadata_compression_traits.h +67 -0
  1053. data/src/core/lib/transport/parsed_metadata.h +34 -20
  1054. data/src/core/lib/transport/simple_slice_based_metadata.h +55 -0
  1055. data/src/core/lib/transport/timeout_encoding.cc +6 -1
  1056. data/src/core/lib/transport/transport.cc +30 -2
  1057. data/src/core/lib/transport/transport.h +73 -14
  1058. data/src/core/lib/transport/transport_impl.h +7 -0
  1059. data/src/core/lib/transport/transport_op_string.cc +52 -42
  1060. data/src/core/plugin_registry/grpc_plugin_registry.cc +4 -8
  1061. data/src/core/plugin_registry/grpc_plugin_registry_extra.cc +2 -0
  1062. data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +1 -0
  1063. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +21 -4
  1064. data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +5 -0
  1065. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
  1066. data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.cc +4 -6
  1067. data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +1 -2
  1068. data/src/core/tsi/ssl_transport_security.cc +37 -11
  1069. data/src/core/tsi/ssl_transport_security.h +13 -1
  1070. data/src/ruby/bin/math_pb.rb +24 -18
  1071. data/src/ruby/ext/grpc/extconf.rb +27 -27
  1072. data/src/ruby/ext/grpc/rb_call.c +62 -39
  1073. data/src/ruby/ext/grpc/rb_call_credentials.c +0 -1
  1074. data/src/ruby/ext/grpc/rb_channel.c +109 -84
  1075. data/src/ruby/ext/grpc/rb_channel.h +1 -0
  1076. data/src/ruby/ext/grpc/rb_channel_args.c +16 -2
  1077. data/src/ruby/ext/grpc/rb_channel_args.h +4 -0
  1078. data/src/ruby/ext/grpc/rb_channel_credentials.c +0 -1
  1079. data/src/ruby/ext/grpc/rb_compression_options.c +0 -1
  1080. data/src/ruby/ext/grpc/rb_event_thread.c +22 -6
  1081. data/src/ruby/ext/grpc/rb_event_thread.h +1 -0
  1082. data/src/ruby/ext/grpc/rb_grpc.c +192 -30
  1083. data/src/ruby/ext/grpc/rb_grpc.h +8 -2
  1084. data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +2 -0
  1085. data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +3 -0
  1086. data/src/ruby/ext/grpc/rb_server.c +62 -45
  1087. data/src/ruby/ext/grpc/rb_server_credentials.c +0 -1
  1088. data/src/ruby/ext/grpc/rb_xds_channel_credentials.c +0 -1
  1089. data/src/ruby/ext/grpc/rb_xds_server_credentials.c +0 -1
  1090. data/src/ruby/lib/grpc/generic/bidi_call.rb +2 -0
  1091. data/src/ruby/lib/grpc/version.rb +1 -1
  1092. data/src/ruby/pb/grpc/health/v1/health_pb.rb +24 -13
  1093. data/src/ruby/pb/src/proto/grpc/testing/empty_pb.rb +24 -3
  1094. data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +25 -111
  1095. data/src/ruby/pb/src/proto/grpc/testing/test_pb.rb +25 -2
  1096. data/third_party/abseil-cpp/absl/base/config.h +1 -1
  1097. data/third_party/abseil-cpp/absl/flags/commandlineflag.cc +34 -0
  1098. data/third_party/abseil-cpp/absl/flags/commandlineflag.h +200 -0
  1099. data/third_party/abseil-cpp/absl/flags/config.h +68 -0
  1100. data/third_party/abseil-cpp/absl/flags/declare.h +73 -0
  1101. data/third_party/abseil-cpp/absl/flags/flag.cc +38 -0
  1102. data/third_party/abseil-cpp/absl/flags/flag.h +310 -0
  1103. data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc +26 -0
  1104. data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.h +68 -0
  1105. data/third_party/abseil-cpp/absl/flags/internal/flag.cc +615 -0
  1106. data/third_party/abseil-cpp/absl/flags/internal/flag.h +800 -0
  1107. data/third_party/abseil-cpp/absl/flags/internal/flag_msvc.inc +116 -0
  1108. data/third_party/abseil-cpp/absl/flags/internal/path_util.h +62 -0
  1109. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc +65 -0
  1110. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h +61 -0
  1111. data/third_party/abseil-cpp/absl/flags/internal/program_name.cc +60 -0
  1112. data/third_party/abseil-cpp/absl/flags/internal/program_name.h +50 -0
  1113. data/third_party/abseil-cpp/absl/flags/internal/registry.h +97 -0
  1114. data/third_party/abseil-cpp/absl/flags/internal/sequence_lock.h +187 -0
  1115. data/third_party/abseil-cpp/absl/flags/marshalling.cc +241 -0
  1116. data/third_party/abseil-cpp/absl/flags/marshalling.h +356 -0
  1117. data/third_party/abseil-cpp/absl/flags/reflection.cc +354 -0
  1118. data/third_party/abseil-cpp/absl/flags/reflection.h +90 -0
  1119. data/third_party/abseil-cpp/absl/flags/usage_config.cc +165 -0
  1120. data/third_party/abseil-cpp/absl/flags/usage_config.h +135 -0
  1121. data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +12 -8
  1122. data/third_party/boringssl-with-bazel/err_data.c +729 -713
  1123. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +177 -177
  1124. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +28 -55
  1125. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +21 -23
  1126. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +20 -23
  1127. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +66 -185
  1128. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +18 -21
  1129. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +356 -311
  1130. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +177 -196
  1131. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +146 -210
  1132. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +6 -9
  1133. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c +346 -526
  1134. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +111 -132
  1135. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +158 -111
  1136. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +93 -60
  1137. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +96 -181
  1138. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +242 -305
  1139. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +41 -18
  1140. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +30 -33
  1141. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +36 -33
  1142. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +29 -26
  1143. data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +135 -90
  1144. data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.c +230 -0
  1145. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +797 -793
  1146. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +529 -526
  1147. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +114 -135
  1148. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +201 -207
  1149. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +21 -26
  1150. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +55 -68
  1151. data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +2 -4
  1152. data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +20 -14
  1153. data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +42 -57
  1154. data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +17 -11
  1155. data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +15 -11
  1156. data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +30 -27
  1157. data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +5 -5
  1158. data/third_party/boringssl-with-bazel/src/crypto/bio/printf.c +0 -13
  1159. data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +5 -8
  1160. data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +4 -2
  1161. data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +40 -27
  1162. data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +10 -23
  1163. data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +2 -6
  1164. data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.c +2 -1
  1165. data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +29 -28
  1166. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +161 -201
  1167. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +254 -39
  1168. data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +2 -2
  1169. data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +19 -3
  1170. data/third_party/boringssl-with-bazel/src/crypto/chacha/internal.h +8 -1
  1171. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +4 -4
  1172. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +9 -8
  1173. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +37 -75
  1174. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +8 -10
  1175. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/cipher → cipher_extra}/e_des.c +100 -78
  1176. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.c +1 -0
  1177. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc2.c +1 -0
  1178. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.c +2 -0
  1179. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +34 -37
  1180. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +22 -11
  1181. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +189 -13
  1182. data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +34 -195
  1183. data/third_party/boringssl-with-bazel/src/crypto/conf/conf_def.h +3 -8
  1184. data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +20 -0
  1185. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.c +77 -0
  1186. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_freebsd.c +62 -0
  1187. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-fuchsia.c → cpu_aarch64_fuchsia.c} +8 -7
  1188. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-linux.c → cpu_aarch64_linux.c} +6 -4
  1189. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_openbsd.c +62 -0
  1190. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-win.c → cpu_aarch64_win.c} +4 -4
  1191. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm.c → cpu_arm.c} +1 -1
  1192. data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.c +55 -0
  1193. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.c → cpu_arm_linux.c} +11 -90
  1194. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.h → cpu_arm_linux.h} +0 -38
  1195. data/third_party/boringssl-with-bazel/src/crypto/{cpu-ppc64le.c → cpu_arm_openbsd.c} +10 -17
  1196. data/third_party/boringssl-with-bazel/src/crypto/{cpu-intel.c → cpu_intel.c} +1 -2
  1197. data/third_party/boringssl-with-bazel/src/crypto/crypto.c +25 -20
  1198. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +71 -77
  1199. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519_64_adx.c +18 -0
  1200. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519_tables.h +2834 -7442
  1201. data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +26 -8
  1202. data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +17 -32
  1203. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/des.c +232 -232
  1204. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/internal.h +1 -1
  1205. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.c +1 -0
  1206. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/params.c +232 -29
  1207. data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +0 -3
  1208. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +43 -16
  1209. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +37 -7
  1210. data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +23 -3
  1211. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +118 -105
  1212. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_derive.c +4 -3
  1213. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +237 -109
  1214. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +31 -7
  1215. data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.c +1 -1
  1216. data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +2 -4
  1217. data/third_party/boringssl-with-bazel/src/crypto/err/err.c +96 -70
  1218. data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +80 -23
  1219. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +3 -3
  1220. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +25 -23
  1221. data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +43 -9
  1222. data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +75 -44
  1223. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +21 -29
  1224. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +99 -52
  1225. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +7 -8
  1226. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +26 -23
  1227. data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.c +233 -0
  1228. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +6 -6
  1229. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +42 -25
  1230. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +4 -5
  1231. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +35 -47
  1232. data/third_party/boringssl-with-bazel/src/crypto/evp/pbkdf.c +3 -3
  1233. data/third_party/boringssl-with-bazel/src/crypto/evp/print.c +138 -246
  1234. data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +2 -4
  1235. data/third_party/boringssl-with-bazel/src/crypto/evp/sign.c +15 -10
  1236. data/third_party/boringssl-with-bazel/src/crypto/ex_data.c +47 -71
  1237. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +0 -2
  1238. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +13 -14
  1239. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +3 -13
  1240. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +13 -7
  1241. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +9 -7
  1242. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +37 -28
  1243. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +16 -26
  1244. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c +88 -60
  1245. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +4 -3
  1246. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +0 -2
  1247. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +13 -6
  1248. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +1 -1
  1249. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +99 -113
  1250. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +5 -7
  1251. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +5 -3
  1252. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c +112 -168
  1253. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +98 -37
  1254. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +28 -24
  1255. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +55 -20
  1256. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +4 -5
  1257. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +13 -0
  1258. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +13 -5
  1259. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +25 -114
  1260. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +19 -15
  1261. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +15 -16
  1262. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +22 -21
  1263. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.c +3 -0
  1264. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +79 -19
  1265. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +102 -99
  1266. data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c +52 -46
  1267. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +39 -0
  1268. data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c +55 -11
  1269. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/delocate.h +5 -6
  1270. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c +2 -3
  1271. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +24 -6
  1272. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +58 -0
  1273. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +5 -3
  1274. data/third_party/boringssl-with-bazel/src/crypto/{evp → fipsmodule/digestsign}/digestsign.c +51 -15
  1275. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/builtin_curves.h +277 -0
  1276. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +226 -450
  1277. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +95 -21
  1278. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +36 -69
  1279. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/felem.c +17 -13
  1280. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +139 -155
  1281. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +71 -40
  1282. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +60 -78
  1283. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64-table.h → p256-nistz-table.h} +1 -1
  1284. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.c → p256-nistz.c} +87 -83
  1285. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.h → p256-nistz.h} +5 -13
  1286. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +71 -62
  1287. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256_table.h +1 -1
  1288. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +24 -30
  1289. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +21 -42
  1290. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +33 -34
  1291. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +16 -17
  1292. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +9 -1
  1293. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +53 -19
  1294. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +6 -0
  1295. data/third_party/boringssl-with-bazel/src/crypto/{hkdf → fipsmodule/hkdf}/hkdf.c +2 -2
  1296. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.c +52 -24
  1297. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +9 -23
  1298. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +1 -4
  1299. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +3 -8
  1300. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +170 -160
  1301. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +12 -14
  1302. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +69 -61
  1303. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +2 -12
  1304. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/polyval.c +27 -28
  1305. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +31 -13
  1306. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +56 -34
  1307. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +3 -2
  1308. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +2 -2
  1309. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +30 -45
  1310. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +111 -78
  1311. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +12 -85
  1312. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +0 -1
  1313. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +98 -16
  1314. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +42 -314
  1315. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +244 -139
  1316. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +175 -255
  1317. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +41 -0
  1318. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +589 -422
  1319. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +89 -0
  1320. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c +334 -0
  1321. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +3 -12
  1322. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +2 -0
  1323. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +12 -8
  1324. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +14 -12
  1325. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/internal.h +8 -0
  1326. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +52 -6
  1327. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +192 -18
  1328. data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +65 -29
  1329. data/third_party/boringssl-with-bazel/src/crypto/internal.h +576 -84
  1330. data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +91 -0
  1331. data/third_party/boringssl-with-bazel/src/crypto/kyber/keccak.c +204 -0
  1332. data/third_party/boringssl-with-bazel/src/crypto/kyber/kyber.c +834 -0
  1333. data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +13 -1
  1334. data/third_party/boringssl-with-bazel/src/crypto/mem.c +219 -13
  1335. data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +37 -29
  1336. data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +9 -4
  1337. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +81 -90
  1338. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +150 -245
  1339. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +633 -613
  1340. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +17 -17
  1341. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +142 -149
  1342. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +99 -131
  1343. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.c +0 -1
  1344. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.c +0 -1
  1345. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +0 -1
  1346. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/internal.h +3 -3
  1347. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/p5_pbev2.c +3 -3
  1348. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +7 -10
  1349. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +44 -71
  1350. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +31 -38
  1351. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +2 -1
  1352. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +18 -31
  1353. data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +2 -0
  1354. data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +8 -1
  1355. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/deterministic.c +7 -6
  1356. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/forkunsafe.c +6 -12
  1357. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/getentropy.c +48 -0
  1358. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/{fuchsia.c → ios.c} +8 -8
  1359. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +129 -5
  1360. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/trusty.c +38 -0
  1361. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/windows.c +41 -19
  1362. data/third_party/boringssl-with-bazel/src/crypto/{refcount_c11.c → refcount.c} +11 -19
  1363. data/third_party/boringssl-with-bazel/src/crypto/{asn1/a_print.c → rsa_extra/internal.h} +15 -21
  1364. data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_crypt.c +568 -0
  1365. data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +8 -11
  1366. data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +171 -62
  1367. data/third_party/boringssl-with-bazel/src/crypto/thread_none.c +0 -8
  1368. data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +12 -44
  1369. data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +11 -35
  1370. data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +128 -34
  1371. data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +428 -147
  1372. data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +116 -284
  1373. data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +686 -161
  1374. data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c +22 -24
  1375. data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +63 -55
  1376. data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +32 -34
  1377. data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +32 -16
  1378. data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +465 -704
  1379. data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +279 -331
  1380. data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +183 -178
  1381. data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c +11 -15
  1382. data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +69 -51
  1383. data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +132 -151
  1384. data/third_party/boringssl-with-bazel/src/crypto/x509/policy.c +790 -0
  1385. data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +95 -102
  1386. data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +72 -57
  1387. data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +12 -10
  1388. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +220 -254
  1389. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +52 -47
  1390. data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +3 -4
  1391. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +136 -270
  1392. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +161 -327
  1393. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.c +37 -33
  1394. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +14 -31
  1395. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +55 -85
  1396. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +526 -616
  1397. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +129 -122
  1398. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +164 -181
  1399. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +132 -132
  1400. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +186 -203
  1401. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +64 -79
  1402. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +171 -160
  1403. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +1863 -2050
  1404. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +380 -480
  1405. data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +156 -163
  1406. data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +262 -265
  1407. data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +40 -15
  1408. data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +59 -63
  1409. data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +63 -67
  1410. data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +114 -144
  1411. data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +25 -26
  1412. data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +330 -417
  1413. data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +8 -7
  1414. data/third_party/boringssl-with-bazel/src/crypto/x509/x_info.c +30 -28
  1415. data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +354 -370
  1416. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +37 -32
  1417. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +121 -124
  1418. data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +36 -26
  1419. data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +3 -4
  1420. data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.c +10 -13
  1421. data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +3 -4
  1422. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +419 -261
  1423. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +113 -105
  1424. data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +11 -15
  1425. data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +79 -171
  1426. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +126 -131
  1427. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akeya.c +3 -4
  1428. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +465 -469
  1429. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bcons.c +56 -54
  1430. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +46 -49
  1431. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +294 -344
  1432. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +342 -365
  1433. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +429 -393
  1434. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +29 -24
  1435. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_extku.c +65 -59
  1436. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +125 -121
  1437. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +43 -42
  1438. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +120 -125
  1439. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_int.c +50 -20
  1440. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +227 -265
  1441. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +386 -389
  1442. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +45 -32
  1443. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c +57 -54
  1444. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c +63 -67
  1445. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +130 -135
  1446. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +650 -691
  1447. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +90 -75
  1448. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1063 -1145
  1449. data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +13 -11
  1450. data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +25 -160
  1451. data/third_party/boringssl-with-bazel/src/include/openssl/asm_base.h +207 -0
  1452. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +222 -191
  1453. data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +26 -78
  1454. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +46 -124
  1455. data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +29 -14
  1456. data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +1 -4
  1457. data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +49 -19
  1458. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +99 -29
  1459. data/third_party/boringssl-with-bazel/src/include/openssl/chacha.h +6 -0
  1460. data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +49 -60
  1461. data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +7 -16
  1462. data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +16 -200
  1463. data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +34 -0
  1464. data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +82 -0
  1465. data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +32 -30
  1466. data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +7 -0
  1467. data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +4 -21
  1468. data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +69 -7
  1469. data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +56 -14
  1470. data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +1 -0
  1471. data/third_party/boringssl-with-bazel/src/include/openssl/err.h +33 -5
  1472. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +36 -40
  1473. data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +1 -1
  1474. data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +7 -0
  1475. data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +69 -16
  1476. data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +91 -0
  1477. data/third_party/boringssl-with-bazel/src/include/openssl/kyber.h +128 -0
  1478. data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +74 -8
  1479. data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +7 -3
  1480. data/third_party/boringssl-with-bazel/src/include/openssl/obj.h +8 -1
  1481. data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +1 -0
  1482. data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +11 -18
  1483. data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +8 -0
  1484. data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +15 -5
  1485. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +97 -65
  1486. data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +96 -0
  1487. data/third_party/boringssl-with-bazel/src/include/openssl/span.h +18 -21
  1488. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +396 -157
  1489. data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +1 -6
  1490. data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +339 -230
  1491. data/third_party/boringssl-with-bazel/src/include/openssl/target.h +154 -0
  1492. data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +1 -26
  1493. data/third_party/boringssl-with-bazel/src/include/openssl/time.h +41 -0
  1494. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +22 -7
  1495. data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +57 -23
  1496. data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +0 -11
  1497. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +2079 -1411
  1498. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +244 -214
  1499. data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +2 -2
  1500. data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -13
  1501. data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +17 -18
  1502. data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +4 -5
  1503. data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +25 -33
  1504. data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +45 -26
  1505. data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +72 -99
  1506. data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +218 -74
  1507. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +5 -5
  1508. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +53 -34
  1509. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +77 -45
  1510. data/third_party/boringssl-with-bazel/src/ssl/internal.h +204 -132
  1511. data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +47 -12
  1512. data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
  1513. data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +91 -75
  1514. data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +8 -10
  1515. data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +47 -69
  1516. data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +1 -0
  1517. data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +5 -9
  1518. data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +237 -240
  1519. data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +78 -101
  1520. data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +126 -155
  1521. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +356 -48
  1522. data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +167 -64
  1523. data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +41 -32
  1524. data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +27 -19
  1525. data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +22 -6
  1526. data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +15 -13
  1527. data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +7 -44
  1528. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +6 -4
  1529. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +7 -23
  1530. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +25 -34
  1531. data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +2 -2
  1532. data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +16 -98
  1533. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +1241 -657
  1534. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +751 -398
  1535. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64_adx.h +691 -0
  1536. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64_msvc.h +1281 -0
  1537. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3551 -1938
  1538. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1272 -487
  1539. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64_msvc.h +2002 -0
  1540. data/third_party/cares/cares/include/ares.h +23 -1
  1541. data/third_party/cares/cares/{src/lib → include}/ares_nameser.h +9 -7
  1542. data/third_party/cares/cares/include/ares_rules.h +2 -2
  1543. data/third_party/cares/cares/include/ares_version.h +3 -3
  1544. data/third_party/cares/cares/src/lib/ares__addrinfo2hostent.c +266 -0
  1545. data/third_party/cares/cares/src/lib/ares__addrinfo_localhost.c +240 -0
  1546. data/third_party/cares/cares/src/lib/ares__parse_into_addrinfo.c +49 -80
  1547. data/third_party/cares/cares/src/lib/ares__readaddrinfo.c +37 -43
  1548. data/third_party/cares/cares/src/lib/ares__sortaddrinfo.c +12 -4
  1549. data/third_party/cares/cares/src/lib/ares_data.c +16 -0
  1550. data/third_party/cares/cares/src/lib/ares_data.h +7 -0
  1551. data/third_party/cares/cares/src/lib/ares_destroy.c +8 -0
  1552. data/third_party/cares/cares/src/lib/ares_expand_name.c +17 -6
  1553. data/third_party/cares/cares/src/lib/ares_freeaddrinfo.c +1 -0
  1554. data/third_party/cares/cares/src/lib/ares_getaddrinfo.c +156 -78
  1555. data/third_party/cares/cares/src/lib/ares_gethostbyname.c +130 -326
  1556. data/third_party/cares/cares/src/lib/ares_init.c +97 -485
  1557. data/third_party/cares/cares/src/lib/ares_library_init.c +2 -89
  1558. data/third_party/cares/cares/src/lib/ares_parse_a_reply.c +23 -142
  1559. data/third_party/cares/cares/src/lib/ares_parse_aaaa_reply.c +22 -142
  1560. data/third_party/cares/cares/src/lib/ares_parse_uri_reply.c +184 -0
  1561. data/third_party/cares/cares/src/lib/ares_private.h +30 -16
  1562. data/third_party/cares/cares/src/lib/ares_process.c +55 -16
  1563. data/third_party/cares/cares/src/lib/ares_query.c +1 -35
  1564. data/third_party/cares/cares/src/lib/ares_rand.c +279 -0
  1565. data/third_party/cares/cares/src/lib/ares_send.c +5 -7
  1566. data/third_party/cares/cares/src/lib/ares_strdup.c +12 -19
  1567. data/third_party/cares/cares/src/lib/ares_strsplit.c +44 -128
  1568. data/third_party/cares/cares/src/lib/ares_strsplit.h +9 -10
  1569. data/third_party/cares/cares/src/lib/inet_net_pton.c +78 -116
  1570. data/third_party/cares/cares/src/tools/ares_getopt.h +53 -0
  1571. data/third_party/upb/upb/{table_internal.h → alloc.h} +6 -6
  1572. data/third_party/upb/upb/arena.h +4 -193
  1573. data/third_party/upb/upb/array.h +4 -51
  1574. data/third_party/upb/upb/base/descriptor_constants.h +104 -0
  1575. data/third_party/upb/upb/base/log2.h +57 -0
  1576. data/third_party/upb/upb/{status.c → base/status.c} +2 -7
  1577. data/third_party/upb/upb/base/status.h +66 -0
  1578. data/third_party/upb/upb/base/string_view.h +75 -0
  1579. data/third_party/upb/upb/{array.c → collections/array.c} +67 -36
  1580. data/third_party/upb/upb/collections/array.h +85 -0
  1581. data/third_party/upb/upb/collections/array_internal.h +135 -0
  1582. data/third_party/upb/upb/{map.c → collections/map.c} +53 -26
  1583. data/third_party/upb/upb/collections/map.h +135 -0
  1584. data/third_party/upb/upb/collections/map_gencode_util.h +78 -0
  1585. data/third_party/upb/upb/collections/map_internal.h +170 -0
  1586. data/third_party/upb/upb/collections/map_sorter.c +166 -0
  1587. data/third_party/upb/upb/collections/map_sorter_internal.h +109 -0
  1588. data/third_party/upb/upb/{message_value.h → collections/message_value.h} +12 -13
  1589. data/third_party/upb/upb/decode.h +3 -62
  1590. data/third_party/upb/upb/def.h +4 -384
  1591. data/third_party/upb/upb/def.hpp +3 -411
  1592. data/third_party/upb/upb/encode.h +3 -48
  1593. data/third_party/upb/upb/extension_registry.h +3 -52
  1594. data/third_party/upb/upb/{table.c → hash/common.c} +52 -110
  1595. data/third_party/upb/upb/hash/common.h +199 -0
  1596. data/third_party/upb/upb/hash/int_table.h +102 -0
  1597. data/third_party/upb/upb/hash/str_table.h +161 -0
  1598. data/third_party/upb/upb/{json_decode.c → json/decode.c} +63 -98
  1599. data/third_party/upb/upb/json/decode.h +52 -0
  1600. data/third_party/upb/upb/{json_encode.c → json/encode.c} +69 -45
  1601. data/third_party/upb/upb/json/encode.h +70 -0
  1602. data/third_party/upb/upb/json_decode.h +4 -15
  1603. data/third_party/upb/upb/json_encode.h +4 -33
  1604. data/third_party/upb/upb/lex/atoi.c +68 -0
  1605. data/third_party/upb/upb/lex/atoi.h +53 -0
  1606. data/third_party/upb/upb/{upb.c → lex/round_trip.c} +2 -11
  1607. data/third_party/upb/upb/{internal/upb.h → lex/round_trip.h} +17 -30
  1608. data/third_party/upb/upb/lex/strtod.c +97 -0
  1609. data/third_party/upb/upb/lex/strtod.h +46 -0
  1610. data/third_party/upb/upb/lex/unicode.c +57 -0
  1611. data/third_party/upb/upb/lex/unicode.h +77 -0
  1612. data/third_party/upb/upb/map.h +4 -85
  1613. data/third_party/upb/upb/mem/alloc.c +47 -0
  1614. data/third_party/upb/upb/mem/alloc.h +98 -0
  1615. data/third_party/upb/upb/mem/arena.c +367 -0
  1616. data/third_party/upb/upb/mem/arena.h +160 -0
  1617. data/third_party/upb/upb/mem/arena_internal.h +114 -0
  1618. data/third_party/upb/upb/message/accessors.c +68 -0
  1619. data/third_party/upb/upb/message/accessors.h +379 -0
  1620. data/third_party/upb/upb/message/accessors_internal.h +325 -0
  1621. data/third_party/upb/upb/message/extension_internal.h +83 -0
  1622. data/third_party/upb/upb/message/internal.h +135 -0
  1623. data/third_party/upb/upb/message/message.c +180 -0
  1624. data/third_party/upb/upb/message/message.h +69 -0
  1625. data/third_party/upb/upb/mini_table/common.c +128 -0
  1626. data/third_party/upb/upb/mini_table/common.h +170 -0
  1627. data/third_party/upb/upb/mini_table/common_internal.h +111 -0
  1628. data/third_party/upb/upb/{mini_table.c → mini_table/decode.c} +513 -533
  1629. data/third_party/upb/upb/mini_table/decode.h +179 -0
  1630. data/third_party/upb/upb/mini_table/encode.c +300 -0
  1631. data/third_party/upb/upb/mini_table/encode_internal.h +111 -0
  1632. data/third_party/upb/upb/{mini_table.hpp → mini_table/encode_internal.hpp} +32 -8
  1633. data/third_party/upb/upb/mini_table/enum_internal.h +88 -0
  1634. data/third_party/upb/upb/mini_table/extension_internal.h +47 -0
  1635. data/third_party/upb/upb/{extension_registry.c → mini_table/extension_registry.c} +27 -24
  1636. data/third_party/upb/upb/mini_table/extension_registry.h +104 -0
  1637. data/third_party/upb/upb/mini_table/field_internal.h +192 -0
  1638. data/third_party/upb/upb/mini_table/file_internal.h +47 -0
  1639. data/third_party/upb/upb/mini_table/message_internal.h +136 -0
  1640. data/third_party/upb/upb/mini_table/sub_internal.h +38 -0
  1641. data/third_party/upb/upb/mini_table/types.h +40 -0
  1642. data/third_party/upb/upb/mini_table.h +4 -157
  1643. data/third_party/upb/upb/msg.h +3 -38
  1644. data/third_party/upb/upb/port/atomic.h +101 -0
  1645. data/third_party/upb/upb/{port_def.inc → port/def.inc} +94 -27
  1646. data/third_party/upb/upb/{port_undef.inc → port/undef.inc} +13 -3
  1647. data/third_party/upb/upb/{internal → port}/vsnprintf_compat.h +5 -7
  1648. data/third_party/upb/upb/reflection/common.h +67 -0
  1649. data/third_party/upb/upb/reflection/def.h +42 -0
  1650. data/third_party/upb/upb/reflection/def.hpp +610 -0
  1651. data/third_party/upb/upb/reflection/def_builder.c +357 -0
  1652. data/third_party/upb/upb/reflection/def_builder_internal.h +157 -0
  1653. data/third_party/upb/upb/reflection/def_pool.c +462 -0
  1654. data/third_party/upb/upb/reflection/def_pool.h +108 -0
  1655. data/third_party/upb/upb/reflection/def_pool_internal.h +77 -0
  1656. data/third_party/upb/upb/reflection/def_type.c +50 -0
  1657. data/third_party/upb/upb/reflection/def_type.h +81 -0
  1658. data/third_party/upb/upb/reflection/desc_state.c +53 -0
  1659. data/third_party/upb/upb/reflection/desc_state_internal.h +64 -0
  1660. data/third_party/upb/upb/reflection/enum_def.c +310 -0
  1661. data/third_party/upb/upb/reflection/enum_def.h +80 -0
  1662. data/third_party/upb/upb/reflection/enum_def_internal.h +56 -0
  1663. data/third_party/upb/upb/reflection/enum_reserved_range.c +84 -0
  1664. data/third_party/upb/upb/reflection/enum_reserved_range.h +51 -0
  1665. data/third_party/upb/upb/reflection/enum_reserved_range_internal.h +55 -0
  1666. data/third_party/upb/upb/reflection/enum_value_def.c +144 -0
  1667. data/third_party/upb/upb/reflection/enum_value_def.h +57 -0
  1668. data/third_party/upb/upb/reflection/enum_value_def_internal.h +57 -0
  1669. data/third_party/upb/upb/reflection/extension_range.c +93 -0
  1670. data/third_party/upb/upb/reflection/extension_range.h +55 -0
  1671. data/third_party/upb/upb/reflection/extension_range_internal.h +54 -0
  1672. data/third_party/upb/upb/reflection/field_def.c +930 -0
  1673. data/third_party/upb/upb/reflection/field_def.h +91 -0
  1674. data/third_party/upb/upb/reflection/field_def_internal.h +76 -0
  1675. data/third_party/upb/upb/reflection/file_def.c +370 -0
  1676. data/third_party/upb/upb/reflection/file_def.h +77 -0
  1677. data/third_party/upb/upb/reflection/file_def_internal.h +57 -0
  1678. data/third_party/upb/upb/reflection/message.c +233 -0
  1679. data/third_party/upb/upb/reflection/message.h +102 -0
  1680. data/third_party/upb/upb/reflection/message.hpp +37 -0
  1681. data/third_party/upb/upb/reflection/message_def.c +718 -0
  1682. data/third_party/upb/upb/reflection/message_def.h +174 -0
  1683. data/third_party/upb/upb/reflection/message_def_internal.h +63 -0
  1684. data/third_party/upb/upb/reflection/message_reserved_range.c +81 -0
  1685. data/third_party/upb/upb/reflection/message_reserved_range.h +51 -0
  1686. data/third_party/upb/upb/reflection/message_reserved_range_internal.h +55 -0
  1687. data/third_party/upb/upb/reflection/method_def.c +124 -0
  1688. data/third_party/upb/upb/reflection/method_def.h +59 -0
  1689. data/third_party/upb/upb/reflection/method_def_internal.h +53 -0
  1690. data/third_party/upb/upb/reflection/oneof_def.c +226 -0
  1691. data/third_party/upb/upb/reflection/oneof_def.h +66 -0
  1692. data/third_party/upb/upb/reflection/oneof_def_internal.h +57 -0
  1693. data/third_party/upb/upb/reflection/service_def.c +128 -0
  1694. data/third_party/upb/upb/reflection/service_def.h +60 -0
  1695. data/third_party/upb/upb/reflection/service_def_internal.h +53 -0
  1696. data/third_party/upb/upb/reflection.h +4 -78
  1697. data/third_party/upb/upb/reflection.hpp +3 -7
  1698. data/third_party/upb/upb/status.h +4 -34
  1699. data/third_party/upb/upb/{collections.h → string_view.h} +7 -7
  1700. data/third_party/upb/upb/{text_encode.c → text/encode.c} +74 -70
  1701. data/third_party/upb/upb/text/encode.h +69 -0
  1702. data/third_party/upb/upb/text_encode.h +4 -32
  1703. data/third_party/upb/upb/upb.h +6 -151
  1704. data/third_party/upb/upb/upb.hpp +10 -18
  1705. data/third_party/upb/upb/wire/common.h +44 -0
  1706. data/third_party/upb/upb/wire/common_internal.h +50 -0
  1707. data/third_party/upb/upb/wire/decode.c +1343 -0
  1708. data/third_party/upb/upb/wire/decode.h +108 -0
  1709. data/third_party/upb/upb/{decode_fast.c → wire/decode_fast.c} +184 -225
  1710. data/third_party/upb/upb/{decode_fast.h → wire/decode_fast.h} +21 -7
  1711. data/third_party/upb/upb/{internal/decode.h → wire/decode_internal.h} +44 -92
  1712. data/third_party/upb/upb/{encode.c → wire/encode.c} +114 -95
  1713. data/third_party/upb/upb/wire/encode.h +92 -0
  1714. data/third_party/upb/upb/wire/eps_copy_input_stream.c +39 -0
  1715. data/third_party/upb/upb/wire/eps_copy_input_stream.h +425 -0
  1716. data/third_party/upb/upb/wire/reader.c +67 -0
  1717. data/third_party/upb/upb/wire/reader.h +227 -0
  1718. data/third_party/upb/upb/wire/swap_internal.h +63 -0
  1719. data/third_party/upb/upb/wire/types.h +41 -0
  1720. data/third_party/{upb/third_party/utf8_range → utf8_range}/range2-neon.c +1 -1
  1721. data/third_party/{upb/third_party/utf8_range → utf8_range}/utf8_range.h +12 -0
  1722. metadata +323 -122
  1723. data/src/core/ext/filters/client_channel/health/health_check_client.cc +0 -175
  1724. data/src/core/ext/filters/client_channel/health/health_check_client.h +0 -43
  1725. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_attributes.cc +0 -42
  1726. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_attributes.h +0 -64
  1727. data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.cc +0 -30
  1728. data/src/core/ext/transport/chttp2/transport/context_list.cc +0 -71
  1729. data/src/core/ext/transport/chttp2/transport/context_list.h +0 -54
  1730. data/src/core/ext/transport/chttp2/transport/stream_map.cc +0 -177
  1731. data/src/core/ext/transport/chttp2/transport/stream_map.h +0 -68
  1732. data/src/core/lib/gprpp/global_config.h +0 -93
  1733. data/src/core/lib/gprpp/global_config_env.cc +0 -140
  1734. data/src/core/lib/gprpp/global_config_env.h +0 -133
  1735. data/src/core/lib/gprpp/global_config_generic.h +0 -40
  1736. data/src/core/lib/promise/intra_activity_waiter.h +0 -55
  1737. data/src/core/lib/security/security_connector/ssl_utils_config.cc +0 -32
  1738. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +0 -195
  1739. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +0 -236
  1740. data/third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h +0 -15
  1741. data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +0 -206
  1742. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1-altivec.c +0 -361
  1743. data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +0 -53
  1744. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +0 -287
  1745. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +0 -132
  1746. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_lib.c +0 -155
  1747. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +0 -131
  1748. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +0 -189
  1749. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +0 -843
  1750. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +0 -289
  1751. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c +0 -57
  1752. data/third_party/cares/cares/src/lib/ares_library_init.h +0 -43
  1753. data/third_party/upb/upb/arena.c +0 -277
  1754. data/third_party/upb/upb/decode.c +0 -1221
  1755. data/third_party/upb/upb/def.c +0 -3269
  1756. data/third_party/upb/upb/internal/table.h +0 -385
  1757. data/third_party/upb/upb/msg.c +0 -368
  1758. data/third_party/upb/upb/msg_internal.h +0 -837
  1759. data/third_party/upb/upb/reflection.c +0 -323
  1760. /data/src/core/lib/gpr/{log_android.cc → android/log.cc} +0 -0
  1761. /data/src/core/lib/gpr/{cpu_iphone.cc → iphone/cpu.cc} +0 -0
  1762. /data/src/core/lib/gpr/{cpu_linux.cc → linux/cpu.cc} +0 -0
  1763. /data/src/core/lib/gpr/{log_linux.cc → linux/log.cc} +0 -0
  1764. /data/src/core/lib/gpr/{tmpfile_msys.cc → msys/tmpfile.cc} +0 -0
  1765. /data/src/core/lib/gpr/{cpu_posix.cc → posix/cpu.cc} +0 -0
  1766. /data/src/core/lib/gpr/{log_posix.cc → posix/log.cc} +0 -0
  1767. /data/src/core/lib/gpr/{string_posix.cc → posix/string.cc} +0 -0
  1768. /data/src/core/lib/gpr/{sync_posix.cc → posix/sync.cc} +0 -0
  1769. /data/src/core/lib/gpr/{tmpfile_posix.cc → posix/tmpfile.cc} +0 -0
  1770. /data/src/core/lib/gpr/{cpu_windows.cc → windows/cpu.cc} +0 -0
  1771. /data/src/core/lib/gpr/{log_windows.cc → windows/log.cc} +0 -0
  1772. /data/src/core/lib/gpr/{string_windows.cc → windows/string.cc} +0 -0
  1773. /data/src/core/lib/gpr/{string_util_windows.cc → windows/string_util.cc} +0 -0
  1774. /data/src/core/lib/gpr/{sync_windows.cc → windows/sync.cc} +0 -0
  1775. /data/src/core/lib/gpr/{time_windows.cc → windows/time.cc} +0 -0
  1776. /data/src/core/lib/gpr/{tmpfile_windows.cc → windows/tmpfile.cc} +0 -0
  1777. /data/src/core/lib/gprpp/{env_linux.cc → linux/env.cc} +0 -0
  1778. /data/src/core/lib/gprpp/{env_posix.cc → posix/env.cc} +0 -0
  1779. /data/src/core/lib/gprpp/{stat_posix.cc → posix/stat.cc} +0 -0
  1780. /data/src/core/lib/gprpp/{env_windows.cc → windows/env.cc} +0 -0
  1781. /data/src/core/lib/gprpp/{stat_windows.cc → windows/stat.cc} +0 -0
  1782. /data/third_party/{upb/third_party/utf8_range → utf8_range}/naive.c +0 -0
  1783. /data/third_party/{upb/third_party/utf8_range → utf8_range}/range2-sse.c +0 -0
@@ -67,50 +67,51 @@
67
67
  #include <openssl/x509.h>
68
68
  #include <openssl/x509v3.h>
69
69
 
70
- #include "internal.h"
71
70
  #include "../internal.h"
72
71
  #include "../x509v3/internal.h"
72
+ #include "internal.h"
73
73
 
74
74
  static CRYPTO_EX_DATA_CLASS g_ex_data_class =
75
75
  CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
76
76
 
77
- /* CRL score values */
77
+ // CRL score values
78
78
 
79
- /* No unhandled critical extensions */
79
+ // No unhandled critical extensions
80
80
 
81
- #define CRL_SCORE_NOCRITICAL 0x100
81
+ #define CRL_SCORE_NOCRITICAL 0x100
82
82
 
83
- /* certificate is within CRL scope */
83
+ // certificate is within CRL scope
84
84
 
85
- #define CRL_SCORE_SCOPE 0x080
85
+ #define CRL_SCORE_SCOPE 0x080
86
86
 
87
- /* CRL times valid */
87
+ // CRL times valid
88
88
 
89
- #define CRL_SCORE_TIME 0x040
89
+ #define CRL_SCORE_TIME 0x040
90
90
 
91
- /* Issuer name matches certificate */
91
+ // Issuer name matches certificate
92
92
 
93
- #define CRL_SCORE_ISSUER_NAME 0x020
93
+ #define CRL_SCORE_ISSUER_NAME 0x020
94
94
 
95
- /* If this score or above CRL is probably valid */
95
+ // If this score or above CRL is probably valid
96
96
 
97
- #define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
97
+ #define CRL_SCORE_VALID \
98
+ (CRL_SCORE_NOCRITICAL | CRL_SCORE_TIME | CRL_SCORE_SCOPE)
98
99
 
99
- /* CRL issuer is certificate issuer */
100
+ // CRL issuer is certificate issuer
100
101
 
101
- #define CRL_SCORE_ISSUER_CERT 0x018
102
+ #define CRL_SCORE_ISSUER_CERT 0x018
102
103
 
103
- /* CRL issuer is on certificate path */
104
+ // CRL issuer is on certificate path
104
105
 
105
- #define CRL_SCORE_SAME_PATH 0x008
106
+ #define CRL_SCORE_SAME_PATH 0x008
106
107
 
107
- /* CRL issuer matches CRL AKID */
108
+ // CRL issuer matches CRL AKID
108
109
 
109
- #define CRL_SCORE_AKID 0x004
110
+ #define CRL_SCORE_AKID 0x004
110
111
 
111
- /* Have a delta CRL with valid times */
112
+ // Have a delta CRL with valid times
112
113
 
113
- #define CRL_SCORE_TIME_DELTA 0x002
114
+ #define CRL_SCORE_TIME_DELTA 0x002
114
115
 
115
116
  static int null_callback(int ok, X509_STORE_CTX *e);
116
117
  static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
@@ -125,2332 +126,2144 @@ static int check_policy(X509_STORE_CTX *ctx);
125
126
 
126
127
  static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
127
128
  unsigned int *preasons, X509_CRL *crl, X509 *x);
128
- static int get_crl_delta(X509_STORE_CTX *ctx,
129
- X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
130
- static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl,
131
- int *pcrl_score, X509_CRL *base,
132
- STACK_OF(X509_CRL) *crls);
129
+ static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
130
+ X509 *x);
131
+ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
132
+ X509_CRL *base, STACK_OF(X509_CRL) *crls);
133
133
  static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
134
134
  int *pcrl_score);
135
135
  static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
136
136
  unsigned int *preasons);
137
137
  static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
138
- static int check_crl_chain(X509_STORE_CTX *ctx,
139
- STACK_OF(X509) *cert_path,
138
+ static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
140
139
  STACK_OF(X509) *crl_path);
141
140
 
142
141
  static int internal_verify(X509_STORE_CTX *ctx);
143
142
 
144
- static int null_callback(int ok, X509_STORE_CTX *e)
145
- {
146
- return ok;
147
- }
143
+ static int null_callback(int ok, X509_STORE_CTX *e) { return ok; }
148
144
 
149
- /* cert_self_signed checks if |x| is self-signed. If |x| is valid, it returns
150
- * one and sets |*out_is_self_signed| to the result. If |x| is invalid, it
151
- * returns zero. */
152
- static int cert_self_signed(X509 *x, int *out_is_self_signed)
153
- {
154
- if (!x509v3_cache_extensions(x)) {
155
- return 0;
156
- }
157
- *out_is_self_signed = (x->ex_flags & EXFLAG_SS) != 0;
158
- return 1;
145
+ // cert_self_signed checks if |x| is self-signed. If |x| is valid, it returns
146
+ // one and sets |*out_is_self_signed| to the result. If |x| is invalid, it
147
+ // returns zero.
148
+ static int cert_self_signed(X509 *x, int *out_is_self_signed) {
149
+ if (!x509v3_cache_extensions(x)) {
150
+ return 0;
151
+ }
152
+ *out_is_self_signed = (x->ex_flags & EXFLAG_SS) != 0;
153
+ return 1;
159
154
  }
160
155
 
161
- /* Given a certificate try and find an exact match in the store */
162
-
163
- static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
164
- {
165
- STACK_OF(X509) *certs;
166
- X509 *xtmp = NULL;
167
- size_t i;
168
- /* Lookup all certs with matching subject name */
169
- certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
170
- if (certs == NULL)
171
- return NULL;
172
- /* Look for exact match */
173
- for (i = 0; i < sk_X509_num(certs); i++) {
174
- xtmp = sk_X509_value(certs, i);
175
- if (!X509_cmp(xtmp, x))
176
- break;
177
- }
178
- if (i < sk_X509_num(certs))
179
- X509_up_ref(xtmp);
180
- else
181
- xtmp = NULL;
182
- sk_X509_pop_free(certs, X509_free);
183
- return xtmp;
184
- }
185
-
186
- int X509_verify_cert(X509_STORE_CTX *ctx)
187
- {
188
- X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
189
- int bad_chain = 0;
190
- X509_VERIFY_PARAM *param = ctx->param;
191
- int depth, i, ok = 0;
192
- int num, j, retry, trust;
193
- int (*cb) (int xok, X509_STORE_CTX *xctx);
194
- STACK_OF(X509) *sktmp = NULL;
195
- if (ctx->cert == NULL) {
196
- OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
197
- ctx->error = X509_V_ERR_INVALID_CALL;
198
- return -1;
199
- }
200
- if (ctx->chain != NULL) {
201
- /*
202
- * This X509_STORE_CTX has already been used to verify a cert. We
203
- * cannot do another one.
204
- */
205
- OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
206
- ctx->error = X509_V_ERR_INVALID_CALL;
207
- return -1;
208
- }
209
-
210
- cb = ctx->verify_cb;
211
-
212
- /*
213
- * first we make sure the chain we are going to build is present and that
214
- * the first entry is in place
215
- */
216
- ctx->chain = sk_X509_new_null();
217
- if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
218
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
219
- ctx->error = X509_V_ERR_OUT_OF_MEM;
220
- goto end;
221
- }
222
- X509_up_ref(ctx->cert);
223
- ctx->last_untrusted = 1;
156
+ // Given a certificate try and find an exact match in the store
224
157
 
225
- /* We use a temporary STACK so we can chop and hack at it. */
226
- if (ctx->untrusted != NULL
227
- && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
228
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
229
- ctx->error = X509_V_ERR_OUT_OF_MEM;
158
+ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) {
159
+ STACK_OF(X509) *certs;
160
+ X509 *xtmp = NULL;
161
+ size_t i;
162
+ // Lookup all certs with matching subject name
163
+ certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
164
+ if (certs == NULL) {
165
+ return NULL;
166
+ }
167
+ // Look for exact match
168
+ for (i = 0; i < sk_X509_num(certs); i++) {
169
+ xtmp = sk_X509_value(certs, i);
170
+ if (!X509_cmp(xtmp, x)) {
171
+ break;
172
+ }
173
+ }
174
+ if (i < sk_X509_num(certs)) {
175
+ X509_up_ref(xtmp);
176
+ } else {
177
+ xtmp = NULL;
178
+ }
179
+ sk_X509_pop_free(certs, X509_free);
180
+ return xtmp;
181
+ }
182
+
183
+ int X509_verify_cert(X509_STORE_CTX *ctx) {
184
+ X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
185
+ int bad_chain = 0;
186
+ X509_VERIFY_PARAM *param = ctx->param;
187
+ int depth, i, ok = 0;
188
+ int num, j, retry, trust;
189
+ STACK_OF(X509) *sktmp = NULL;
190
+
191
+ if (ctx->cert == NULL) {
192
+ OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
193
+ ctx->error = X509_V_ERR_INVALID_CALL;
194
+ return -1;
195
+ }
196
+ if (ctx->chain != NULL) {
197
+ // This X509_STORE_CTX has already been used to verify a cert. We
198
+ // cannot do another one.
199
+ OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
200
+ ctx->error = X509_V_ERR_INVALID_CALL;
201
+ return -1;
202
+ }
203
+
204
+ // first we make sure the chain we are going to build is present and that
205
+ // the first entry is in place
206
+ ctx->chain = sk_X509_new_null();
207
+ if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
208
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
209
+ goto end;
210
+ }
211
+ X509_up_ref(ctx->cert);
212
+ ctx->last_untrusted = 1;
213
+
214
+ // We use a temporary STACK so we can chop and hack at it.
215
+ if (ctx->untrusted != NULL && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
216
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
217
+ goto end;
218
+ }
219
+
220
+ num = (int)sk_X509_num(ctx->chain);
221
+ x = sk_X509_value(ctx->chain, num - 1);
222
+ depth = param->depth;
223
+
224
+ for (;;) {
225
+ // If we have enough, we break
226
+ if (depth < num) {
227
+ break; // FIXME: If this happens, we should take
228
+ // note of it and, if appropriate, use the
229
+ // X509_V_ERR_CERT_CHAIN_TOO_LONG error code
230
+ // later.
231
+ }
232
+
233
+ int is_self_signed;
234
+ if (!cert_self_signed(x, &is_self_signed)) {
235
+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
236
+ goto end;
237
+ }
238
+
239
+ // If we are self signed, we break
240
+ if (is_self_signed) {
241
+ break;
242
+ }
243
+ // If asked see if we can find issuer in trusted store first
244
+ if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
245
+ ok = ctx->get_issuer(&xtmp, ctx, x);
246
+ if (ok < 0) {
247
+ ctx->error = X509_V_ERR_STORE_LOOKUP;
230
248
  goto end;
231
- }
232
-
233
- num = sk_X509_num(ctx->chain);
234
- x = sk_X509_value(ctx->chain, num - 1);
235
- depth = param->depth;
236
-
237
- for (;;) {
238
- /* If we have enough, we break */
239
- if (depth < num)
240
- break; /* FIXME: If this happens, we should take
241
- * note of it and, if appropriate, use the
242
- * X509_V_ERR_CERT_CHAIN_TOO_LONG error code
243
- * later. */
244
-
245
- int is_self_signed;
246
- if (!cert_self_signed(x, &is_self_signed)) {
247
- ctx->error = X509_V_ERR_INVALID_EXTENSION;
248
- goto end;
249
- }
250
-
251
- /* If we are self signed, we break */
252
- if (is_self_signed)
253
- break;
254
- /*
255
- * If asked see if we can find issuer in trusted store first
256
- */
257
- if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
258
- ok = ctx->get_issuer(&xtmp, ctx, x);
259
- if (ok < 0) {
260
- ctx->error = X509_V_ERR_STORE_LOOKUP;
261
- goto end;
262
- }
263
- /*
264
- * If successful for now free up cert so it will be picked up
265
- * again later.
266
- */
267
- if (ok > 0) {
268
- X509_free(xtmp);
269
- break;
270
- }
271
- }
272
-
273
- /* If we were passed a cert chain, use it first */
274
- if (sktmp != NULL) {
275
- xtmp = find_issuer(ctx, sktmp, x);
276
- if (xtmp != NULL) {
277
- if (!sk_X509_push(ctx->chain, xtmp)) {
278
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
279
- ctx->error = X509_V_ERR_OUT_OF_MEM;
280
- ok = 0;
281
- goto end;
282
- }
283
- X509_up_ref(xtmp);
284
- (void)sk_X509_delete_ptr(sktmp, xtmp);
285
- ctx->last_untrusted++;
286
- x = xtmp;
287
- num++;
288
- /*
289
- * reparse the full chain for the next one
290
- */
291
- continue;
292
- }
293
- }
249
+ }
250
+ // If successful for now free up cert so it will be picked up
251
+ // again later.
252
+ if (ok > 0) {
253
+ X509_free(xtmp);
294
254
  break;
255
+ }
295
256
  }
296
257
 
297
- /* Remember how many untrusted certs we have */
298
- j = num;
299
- /*
300
- * at this point, chain should contain a list of untrusted certificates.
301
- * We now need to add at least one trusted one, if possible, otherwise we
302
- * complain.
303
- */
304
-
305
- do {
306
- /*
307
- * Examine last certificate in chain and see if it is self signed.
308
- */
309
- i = sk_X509_num(ctx->chain);
310
- x = sk_X509_value(ctx->chain, i - 1);
311
-
312
- int is_self_signed;
313
- if (!cert_self_signed(x, &is_self_signed)) {
314
- ctx->error = X509_V_ERR_INVALID_EXTENSION;
315
- goto end;
258
+ // If we were passed a cert chain, use it first
259
+ if (sktmp != NULL) {
260
+ xtmp = find_issuer(ctx, sktmp, x);
261
+ if (xtmp != NULL) {
262
+ if (!sk_X509_push(ctx->chain, xtmp)) {
263
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
264
+ ok = 0;
265
+ goto end;
316
266
  }
317
-
318
- if (is_self_signed) {
319
- /* we have a self signed certificate */
320
- if (sk_X509_num(ctx->chain) == 1) {
321
- /*
322
- * We have a single self signed certificate: see if we can
323
- * find it in the store. We must have an exact match to avoid
324
- * possible impersonation.
325
- */
326
- ok = ctx->get_issuer(&xtmp, ctx, x);
327
- if ((ok <= 0) || X509_cmp(x, xtmp)) {
328
- ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
329
- ctx->current_cert = x;
330
- ctx->error_depth = i - 1;
331
- if (ok == 1)
332
- X509_free(xtmp);
333
- bad_chain = 1;
334
- ok = cb(0, ctx);
335
- if (!ok)
336
- goto end;
337
- } else {
338
- /*
339
- * We have a match: replace certificate with store
340
- * version so we get any trust settings.
341
- */
342
- X509_free(x);
343
- x = xtmp;
344
- (void)sk_X509_set(ctx->chain, i - 1, x);
345
- ctx->last_untrusted = 0;
346
- }
347
- } else {
348
- /*
349
- * extract and save self signed certificate for later use
350
- */
351
- chain_ss = sk_X509_pop(ctx->chain);
352
- ctx->last_untrusted--;
353
- num--;
354
- j--;
355
- x = sk_X509_value(ctx->chain, num - 1);
356
- }
357
- }
358
- /* We now lookup certs from the certificate store */
359
- for (;;) {
360
- /* If we have enough, we break */
361
- if (depth < num)
362
- break;
363
- if (!cert_self_signed(x, &is_self_signed)) {
364
- ctx->error = X509_V_ERR_INVALID_EXTENSION;
365
- goto end;
366
- }
367
- /* If we are self signed, we break */
368
- if (is_self_signed)
369
- break;
370
- ok = ctx->get_issuer(&xtmp, ctx, x);
371
-
372
- if (ok < 0) {
373
- ctx->error = X509_V_ERR_STORE_LOOKUP;
374
- goto end;
375
- }
376
- if (ok == 0)
377
- break;
378
- x = xtmp;
379
- if (!sk_X509_push(ctx->chain, x)) {
380
- X509_free(xtmp);
381
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
382
- ctx->error = X509_V_ERR_OUT_OF_MEM;
383
- ok = 0;
384
- goto end;
385
- }
386
- num++;
387
- }
388
-
389
- /* we now have our chain, lets check it... */
390
- trust = check_trust(ctx);
391
-
392
- /* If explicitly rejected error */
393
- if (trust == X509_TRUST_REJECTED) {
394
- ok = 0;
267
+ X509_up_ref(xtmp);
268
+ (void)sk_X509_delete_ptr(sktmp, xtmp);
269
+ ctx->last_untrusted++;
270
+ x = xtmp;
271
+ num++;
272
+ // reparse the full chain for the next one
273
+ continue;
274
+ }
275
+ }
276
+ break;
277
+ }
278
+
279
+ // Remember how many untrusted certs we have
280
+ j = num;
281
+ // at this point, chain should contain a list of untrusted certificates.
282
+ // We now need to add at least one trusted one, if possible, otherwise we
283
+ // complain.
284
+
285
+ do {
286
+ // Examine last certificate in chain and see if it is self signed.
287
+ i = (int)sk_X509_num(ctx->chain);
288
+ x = sk_X509_value(ctx->chain, i - 1);
289
+
290
+ int is_self_signed;
291
+ if (!cert_self_signed(x, &is_self_signed)) {
292
+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
293
+ goto end;
294
+ }
295
+
296
+ if (is_self_signed) {
297
+ // we have a self signed certificate
298
+ if (sk_X509_num(ctx->chain) == 1) {
299
+ // We have a single self signed certificate: see if we can
300
+ // find it in the store. We must have an exact match to avoid
301
+ // possible impersonation.
302
+ ok = ctx->get_issuer(&xtmp, ctx, x);
303
+ if ((ok <= 0) || X509_cmp(x, xtmp)) {
304
+ ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
305
+ ctx->current_cert = x;
306
+ ctx->error_depth = i - 1;
307
+ if (ok == 1) {
308
+ X509_free(xtmp);
309
+ }
310
+ bad_chain = 1;
311
+ ok = ctx->verify_cb(0, ctx);
312
+ if (!ok) {
395
313
  goto end;
396
- }
397
- /*
398
- * If it's not explicitly trusted then check if there is an alternative
399
- * chain that could be used. We only do this if we haven't already
400
- * checked via TRUSTED_FIRST and the user hasn't switched off alternate
401
- * chain checking
402
- */
403
- retry = 0;
404
- if (trust != X509_TRUST_TRUSTED
405
- && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
406
- && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
407
- while (j-- > 1) {
408
- xtmp2 = sk_X509_value(ctx->chain, j - 1);
409
- ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
410
- if (ok < 0)
411
- goto end;
412
- /* Check if we found an alternate chain */
413
- if (ok > 0) {
414
- /*
415
- * Free up the found cert we'll add it again later
416
- */
417
- X509_free(xtmp);
418
-
419
- /*
420
- * Dump all the certs above this point - we've found an
421
- * alternate chain
422
- */
423
- while (num > j) {
424
- xtmp = sk_X509_pop(ctx->chain);
425
- X509_free(xtmp);
426
- num--;
427
- }
428
- ctx->last_untrusted = sk_X509_num(ctx->chain);
429
- retry = 1;
430
- break;
431
- }
432
- }
433
- }
434
- } while (retry);
435
-
436
- /*
437
- * If not explicitly trusted then indicate error unless it's a single
438
- * self signed certificate in which case we've indicated an error already
439
- * and set bad_chain == 1
440
- */
441
- if (trust != X509_TRUST_TRUSTED && !bad_chain) {
442
- if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
443
- if (ctx->last_untrusted >= num)
444
- ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
445
- else
446
- ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
447
- ctx->current_cert = x;
314
+ }
448
315
  } else {
449
-
450
- sk_X509_push(ctx->chain, chain_ss);
451
- num++;
452
- ctx->last_untrusted = num;
453
- ctx->current_cert = chain_ss;
454
- ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
455
- chain_ss = NULL;
316
+ // We have a match: replace certificate with store
317
+ // version so we get any trust settings.
318
+ X509_free(x);
319
+ x = xtmp;
320
+ (void)sk_X509_set(ctx->chain, i - 1, x);
321
+ ctx->last_untrusted = 0;
456
322
  }
457
-
458
- ctx->error_depth = num - 1;
459
- bad_chain = 1;
460
- ok = cb(0, ctx);
461
- if (!ok)
462
- goto end;
463
- }
464
-
465
- /* We have the chain complete: now we need to check its purpose */
466
- ok = check_chain_extensions(ctx);
467
-
468
- if (!ok)
469
- goto end;
470
-
471
- ok = check_id(ctx);
472
-
473
- if (!ok)
474
- goto end;
475
-
476
- /*
477
- * Check revocation status: we do this after copying parameters because
478
- * they may be needed for CRL signature verification.
479
- */
480
-
481
- ok = ctx->check_revocation(ctx);
482
- if (!ok)
323
+ } else {
324
+ // extract and save self signed certificate for later use
325
+ chain_ss = sk_X509_pop(ctx->chain);
326
+ ctx->last_untrusted--;
327
+ num--;
328
+ j--;
329
+ x = sk_X509_value(ctx->chain, num - 1);
330
+ }
331
+ }
332
+ // We now lookup certs from the certificate store
333
+ for (;;) {
334
+ // If we have enough, we break
335
+ if (depth < num) {
336
+ break;
337
+ }
338
+ if (!cert_self_signed(x, &is_self_signed)) {
339
+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
483
340
  goto end;
341
+ }
342
+ // If we are self signed, we break
343
+ if (is_self_signed) {
344
+ break;
345
+ }
346
+ ok = ctx->get_issuer(&xtmp, ctx, x);
484
347
 
485
- int err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
486
- ctx->param->flags);
487
- if (err != X509_V_OK) {
488
- ctx->error = err;
489
- ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
490
- ok = cb(0, ctx);
491
- if (!ok)
492
- goto end;
493
- }
494
-
495
- /* At this point, we have a chain and need to verify it */
496
- if (ctx->verify != NULL)
497
- ok = ctx->verify(ctx);
498
- else
499
- ok = internal_verify(ctx);
500
- if (!ok)
348
+ if (ok < 0) {
349
+ ctx->error = X509_V_ERR_STORE_LOOKUP;
501
350
  goto end;
502
-
503
- /* Check name constraints */
504
-
505
- ok = check_name_constraints(ctx);
506
- if (!ok)
351
+ }
352
+ if (ok == 0) {
353
+ break;
354
+ }
355
+ x = xtmp;
356
+ if (!sk_X509_push(ctx->chain, x)) {
357
+ X509_free(xtmp);
358
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
359
+ ok = 0;
507
360
  goto end;
361
+ }
362
+ num++;
363
+ }
364
+
365
+ // we now have our chain, lets check it...
366
+ trust = check_trust(ctx);
367
+
368
+ // If explicitly rejected error
369
+ if (trust == X509_TRUST_REJECTED) {
370
+ ok = 0;
371
+ goto end;
372
+ }
373
+ // If it's not explicitly trusted then check if there is an alternative
374
+ // chain that could be used. We only do this if we haven't already
375
+ // checked via TRUSTED_FIRST and the user hasn't switched off alternate
376
+ // chain checking
377
+ retry = 0;
378
+ if (trust != X509_TRUST_TRUSTED &&
379
+ !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) &&
380
+ !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
381
+ while (j-- > 1) {
382
+ xtmp2 = sk_X509_value(ctx->chain, j - 1);
383
+ ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
384
+ if (ok < 0) {
385
+ goto end;
386
+ }
387
+ // Check if we found an alternate chain
388
+ if (ok > 0) {
389
+ // Free up the found cert we'll add it again later
390
+ X509_free(xtmp);
391
+
392
+ // Dump all the certs above this point - we've found an
393
+ // alternate chain
394
+ while (num > j) {
395
+ xtmp = sk_X509_pop(ctx->chain);
396
+ X509_free(xtmp);
397
+ num--;
398
+ }
399
+ ctx->last_untrusted = (int)sk_X509_num(ctx->chain);
400
+ retry = 1;
401
+ break;
402
+ }
403
+ }
404
+ }
405
+ } while (retry);
406
+
407
+ // If not explicitly trusted then indicate error unless it's a single
408
+ // self signed certificate in which case we've indicated an error already
409
+ // and set bad_chain == 1
410
+ if (trust != X509_TRUST_TRUSTED && !bad_chain) {
411
+ if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
412
+ if (ctx->last_untrusted >= num) {
413
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
414
+ } else {
415
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
416
+ }
417
+ ctx->current_cert = x;
418
+ } else {
419
+ sk_X509_push(ctx->chain, chain_ss);
420
+ num++;
421
+ ctx->last_untrusted = num;
422
+ ctx->current_cert = chain_ss;
423
+ ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
424
+ chain_ss = NULL;
425
+ }
426
+
427
+ ctx->error_depth = num - 1;
428
+ bad_chain = 1;
429
+ ok = ctx->verify_cb(0, ctx);
430
+ if (!ok) {
431
+ goto end;
432
+ }
433
+ }
434
+
435
+ // We have the chain complete: now we need to check its purpose
436
+ ok = check_chain_extensions(ctx);
437
+
438
+ if (!ok) {
439
+ goto end;
440
+ }
441
+
442
+ ok = check_id(ctx);
443
+
444
+ if (!ok) {
445
+ goto end;
446
+ }
447
+
448
+ // Check revocation status: we do this after copying parameters because
449
+ // they may be needed for CRL signature verification.
450
+ ok = ctx->check_revocation(ctx);
451
+ if (!ok) {
452
+ goto end;
453
+ }
454
+
455
+ // At this point, we have a chain and need to verify it
456
+ if (ctx->verify != NULL) {
457
+ ok = ctx->verify(ctx);
458
+ } else {
459
+ ok = internal_verify(ctx);
460
+ }
461
+ if (!ok) {
462
+ goto end;
463
+ }
464
+
465
+ // Check name constraints
466
+ ok = check_name_constraints(ctx);
467
+ if (!ok) {
468
+ goto end;
469
+ }
470
+
471
+ // If we get this far, evaluate policies.
472
+ if (!bad_chain) {
473
+ ok = ctx->check_policy(ctx);
474
+ }
475
+
476
+ end:
477
+ if (sktmp != NULL) {
478
+ sk_X509_free(sktmp);
479
+ }
480
+ if (chain_ss != NULL) {
481
+ X509_free(chain_ss);
482
+ }
483
+
484
+ // Safety net, error returns must set ctx->error
485
+ if (ok <= 0 && ctx->error == X509_V_OK) {
486
+ ctx->error = X509_V_ERR_UNSPECIFIED;
487
+ }
488
+ return ok;
489
+ }
490
+
491
+ // Given a STACK_OF(X509) find the issuer of cert (if any)
492
+
493
+ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) {
494
+ size_t i;
495
+ X509 *issuer;
496
+ for (i = 0; i < sk_X509_num(sk); i++) {
497
+ issuer = sk_X509_value(sk, i);
498
+ if (ctx->check_issued(ctx, x, issuer)) {
499
+ return issuer;
500
+ }
501
+ }
502
+ return NULL;
503
+ }
504
+
505
+ // Given a possible certificate and issuer check them
506
+
507
+ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) {
508
+ int ret;
509
+ ret = X509_check_issued(issuer, x);
510
+ if (ret == X509_V_OK) {
511
+ return 1;
512
+ }
513
+ // If we haven't asked for issuer errors don't set ctx
514
+ if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) {
515
+ return 0;
516
+ }
508
517
 
509
- /* If we get this far evaluate policies */
510
- if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
511
- ok = ctx->check_policy(ctx);
512
-
513
- end:
514
- if (sktmp != NULL)
515
- sk_X509_free(sktmp);
516
- if (chain_ss != NULL)
517
- X509_free(chain_ss);
518
-
519
- /* Safety net, error returns must set ctx->error */
520
- if (ok <= 0 && ctx->error == X509_V_OK)
521
- ctx->error = X509_V_ERR_UNSPECIFIED;
522
- return ok;
523
- }
524
-
525
- /*
526
- * Given a STACK_OF(X509) find the issuer of cert (if any)
527
- */
528
-
529
- static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
530
- {
531
- size_t i;
532
- X509 *issuer;
533
- for (i = 0; i < sk_X509_num(sk); i++) {
534
- issuer = sk_X509_value(sk, i);
535
- if (ctx->check_issued(ctx, x, issuer))
536
- return issuer;
537
- }
538
- return NULL;
539
- }
540
-
541
- /* Given a possible certificate and issuer check them */
542
-
543
- static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
544
- {
545
- int ret;
546
- ret = X509_check_issued(issuer, x);
547
- if (ret == X509_V_OK)
548
- return 1;
549
- /* If we haven't asked for issuer errors don't set ctx */
550
- if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
551
- return 0;
552
-
553
- ctx->error = ret;
554
- ctx->current_cert = x;
555
- ctx->current_issuer = issuer;
556
- return ctx->verify_cb(0, ctx);
518
+ ctx->error = ret;
519
+ ctx->current_cert = x;
520
+ ctx->current_issuer = issuer;
521
+ return ctx->verify_cb(0, ctx);
557
522
  }
558
523
 
559
- /* Alternative lookup method: look from a STACK stored in other_ctx */
524
+ // Alternative lookup method: look from a STACK stored in other_ctx
560
525
 
561
- static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
562
- {
563
- *issuer = find_issuer(ctx, ctx->other_ctx, x);
564
- if (*issuer) {
565
- X509_up_ref(*issuer);
566
- return 1;
567
- } else
568
- return 0;
526
+ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) {
527
+ *issuer = find_issuer(ctx, ctx->other_ctx, x);
528
+ if (*issuer) {
529
+ X509_up_ref(*issuer);
530
+ return 1;
531
+ } else {
532
+ return 0;
533
+ }
569
534
  }
570
535
 
571
- /*
572
- * Check a certificate chains extensions for consistency with the supplied
573
- * purpose
574
- */
575
-
576
- static int check_chain_extensions(X509_STORE_CTX *ctx)
577
- {
578
- int i, ok = 0, plen = 0;
579
- X509 *x;
580
- int (*cb) (int xok, X509_STORE_CTX *xctx);
581
- int proxy_path_length = 0;
582
- int purpose;
583
- int allow_proxy_certs;
584
- cb = ctx->verify_cb;
585
-
586
- enum {
587
- // ca_or_leaf allows either type of certificate so that direct use of
588
- // self-signed certificates works.
589
- ca_or_leaf,
590
- must_be_ca,
591
- must_not_be_ca,
592
- } ca_requirement;
593
-
594
- /* CRL path validation */
595
- if (ctx->parent) {
596
- allow_proxy_certs = 0;
597
- purpose = X509_PURPOSE_CRL_SIGN;
598
- } else {
599
- allow_proxy_certs =
600
- ! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
601
- purpose = ctx->param->purpose;
602
- }
603
-
604
- ca_requirement = ca_or_leaf;
536
+ // Check a certificate chains extensions for consistency with the supplied
537
+ // purpose
605
538
 
606
- /* Check all untrusted certificates */
607
- for (i = 0; i < ctx->last_untrusted; i++) {
608
- int ret;
609
- x = sk_X509_value(ctx->chain, i);
610
- if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
611
- && (x->ex_flags & EXFLAG_CRITICAL)) {
612
- ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
613
- ctx->error_depth = i;
614
- ctx->current_cert = x;
615
- ok = cb(0, ctx);
616
- if (!ok)
617
- goto end;
618
- }
619
- if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
620
- ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
621
- ctx->error_depth = i;
622
- ctx->current_cert = x;
623
- ok = cb(0, ctx);
624
- if (!ok)
625
- goto end;
626
- }
627
-
628
- switch (ca_requirement) {
629
- case ca_or_leaf:
630
- ret = 1;
631
- break;
632
- case must_not_be_ca:
633
- if (X509_check_ca(x)) {
634
- ret = 0;
635
- ctx->error = X509_V_ERR_INVALID_NON_CA;
636
- } else
637
- ret = 1;
638
- break;
639
- case must_be_ca:
640
- if (!X509_check_ca(x)) {
641
- ret = 0;
642
- ctx->error = X509_V_ERR_INVALID_CA;
643
- } else
644
- ret = 1;
645
- break;
646
- default:
647
- // impossible.
648
- ret = 0;
649
- }
539
+ static int check_chain_extensions(X509_STORE_CTX *ctx) {
540
+ int ok = 0, plen = 0;
650
541
 
651
- if (ret == 0) {
652
- ctx->error_depth = i;
653
- ctx->current_cert = x;
654
- ok = cb(0, ctx);
655
- if (!ok)
656
- goto end;
657
- }
658
- if (ctx->param->purpose > 0) {
659
- ret = X509_check_purpose(x, purpose, ca_requirement == must_be_ca);
660
- if (ret != 1) {
661
- ret = 0;
662
- ctx->error = X509_V_ERR_INVALID_PURPOSE;
663
- ctx->error_depth = i;
664
- ctx->current_cert = x;
665
- ok = cb(0, ctx);
666
- if (!ok)
667
- goto end;
668
- }
669
- }
670
- /* Check pathlen if not self issued */
671
- if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
672
- && (x->ex_pathlen != -1)
673
- && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
674
- ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
675
- ctx->error_depth = i;
676
- ctx->current_cert = x;
677
- ok = cb(0, ctx);
678
- if (!ok)
679
- goto end;
680
- }
681
- /* Increment path length if not self issued */
682
- if (!(x->ex_flags & EXFLAG_SI))
683
- plen++;
684
- /*
685
- * If this certificate is a proxy certificate, the next certificate
686
- * must be another proxy certificate or a EE certificate. If not,
687
- * the next certificate must be a CA certificate.
688
- */
689
- if (x->ex_flags & EXFLAG_PROXY) {
690
- if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
691
- ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
692
- ctx->error_depth = i;
693
- ctx->current_cert = x;
694
- ok = cb(0, ctx);
695
- if (!ok)
696
- goto end;
697
- }
698
- proxy_path_length++;
699
- ca_requirement = must_not_be_ca;
700
- } else {
701
- ca_requirement = must_be_ca;
702
- }
703
- }
704
- ok = 1;
705
- end:
706
- return ok;
707
- }
542
+ // If |ctx->parent| is set, this is CRL path validation.
543
+ int purpose =
544
+ ctx->parent == NULL ? ctx->param->purpose : X509_PURPOSE_CRL_SIGN;
708
545
 
709
- static int reject_dns_name_in_common_name(X509 *x509)
710
- {
711
- X509_NAME *name = X509_get_subject_name(x509);
712
- int i = -1;
713
- for (;;) {
714
- i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
715
- if (i == -1) {
716
- return X509_V_OK;
717
- }
718
-
719
- X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);
720
- ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(entry);
721
- unsigned char *idval;
722
- int idlen = ASN1_STRING_to_UTF8(&idval, common_name);
723
- if (idlen < 0) {
724
- return X509_V_ERR_OUT_OF_MEM;
725
- }
726
- /* Only process attributes that look like host names. Note it is
727
- * important that this check be mirrored in |X509_check_host|. */
728
- int looks_like_dns = x509v3_looks_like_dns_name(idval, (size_t)idlen);
729
- OPENSSL_free(idval);
730
- if (looks_like_dns) {
731
- return X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS;
732
- }
733
- }
734
- }
735
-
736
- static int check_name_constraints(X509_STORE_CTX *ctx)
737
- {
738
- int i, j, rv;
739
- int has_name_constraints = 0;
740
- /* Check name constraints for all certificates */
741
- for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
742
- X509 *x = sk_X509_value(ctx->chain, i);
743
- /* Ignore self issued certs unless last in chain */
744
- if (i && (x->ex_flags & EXFLAG_SI))
745
- continue;
746
- /*
747
- * Check against constraints for all certificates higher in chain
748
- * including trust anchor. Trust anchor not strictly speaking needed
749
- * but if it includes constraints it is to be assumed it expects them
750
- * to be obeyed.
751
- */
752
- for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
753
- NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
754
- if (nc) {
755
- has_name_constraints = 1;
756
- rv = NAME_CONSTRAINTS_check(x, nc);
757
- switch (rv) {
758
- case X509_V_OK:
759
- continue;
760
- case X509_V_ERR_OUT_OF_MEM:
761
- ctx->error = rv;
762
- return 0;
763
- default:
764
- ctx->error = rv;
765
- ctx->error_depth = i;
766
- ctx->current_cert = x;
767
- if (!ctx->verify_cb(0, ctx))
768
- return 0;
769
- break;
770
- }
771
- }
772
- }
546
+ // Check all untrusted certificates
547
+ for (int i = 0; i < ctx->last_untrusted; i++) {
548
+ X509 *x = sk_X509_value(ctx->chain, i);
549
+ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
550
+ (x->ex_flags & EXFLAG_CRITICAL)) {
551
+ ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
552
+ ctx->error_depth = i;
553
+ ctx->current_cert = x;
554
+ ok = ctx->verify_cb(0, ctx);
555
+ if (!ok) {
556
+ goto end;
557
+ }
773
558
  }
774
559
 
775
- /* Name constraints do not match against the common name, but
776
- * |X509_check_host| still implements the legacy behavior where, on
777
- * certificates lacking a SAN list, DNS-like names in the common name are
778
- * checked instead.
779
- *
780
- * While we could apply the name constraints to the common name, name
781
- * constraints are rare enough that can hold such certificates to a higher
782
- * standard. Note this does not make "DNS-like" heuristic failures any
783
- * worse. A decorative common-name misidentified as a DNS name would fail
784
- * the name constraint anyway. */
785
- X509 *leaf = sk_X509_value(ctx->chain, 0);
786
- if (has_name_constraints && leaf->altname == NULL) {
787
- rv = reject_dns_name_in_common_name(leaf);
560
+ int must_be_ca = i > 0;
561
+ if (must_be_ca && !X509_check_ca(x)) {
562
+ ctx->error = X509_V_ERR_INVALID_CA;
563
+ ctx->error_depth = i;
564
+ ctx->current_cert = x;
565
+ ok = ctx->verify_cb(0, ctx);
566
+ if (!ok) {
567
+ goto end;
568
+ }
569
+ }
570
+ if (ctx->param->purpose > 0 &&
571
+ X509_check_purpose(x, purpose, must_be_ca) != 1) {
572
+ ctx->error = X509_V_ERR_INVALID_PURPOSE;
573
+ ctx->error_depth = i;
574
+ ctx->current_cert = x;
575
+ ok = ctx->verify_cb(0, ctx);
576
+ if (!ok) {
577
+ goto end;
578
+ }
579
+ }
580
+ // Check pathlen if not self issued
581
+ if (i > 1 && !(x->ex_flags & EXFLAG_SI) && x->ex_pathlen != -1 &&
582
+ plen > x->ex_pathlen + 1) {
583
+ ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
584
+ ctx->error_depth = i;
585
+ ctx->current_cert = x;
586
+ ok = ctx->verify_cb(0, ctx);
587
+ if (!ok) {
588
+ goto end;
589
+ }
590
+ }
591
+ // Increment path length if not self issued
592
+ if (!(x->ex_flags & EXFLAG_SI)) {
593
+ plen++;
594
+ }
595
+ }
596
+ ok = 1;
597
+ end:
598
+ return ok;
599
+ }
600
+
601
+ static int reject_dns_name_in_common_name(X509 *x509) {
602
+ const X509_NAME *name = X509_get_subject_name(x509);
603
+ int i = -1;
604
+ for (;;) {
605
+ i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
606
+ if (i == -1) {
607
+ return X509_V_OK;
608
+ }
609
+
610
+ const X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);
611
+ const ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(entry);
612
+ unsigned char *idval;
613
+ int idlen = ASN1_STRING_to_UTF8(&idval, common_name);
614
+ if (idlen < 0) {
615
+ return X509_V_ERR_OUT_OF_MEM;
616
+ }
617
+ // Only process attributes that look like host names. Note it is
618
+ // important that this check be mirrored in |X509_check_host|.
619
+ int looks_like_dns = x509v3_looks_like_dns_name(idval, (size_t)idlen);
620
+ OPENSSL_free(idval);
621
+ if (looks_like_dns) {
622
+ return X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS;
623
+ }
624
+ }
625
+ }
626
+
627
+ static int check_name_constraints(X509_STORE_CTX *ctx) {
628
+ int i, j, rv;
629
+ int has_name_constraints = 0;
630
+ // Check name constraints for all certificates
631
+ for (i = (int)sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
632
+ X509 *x = sk_X509_value(ctx->chain, i);
633
+ // Ignore self issued certs unless last in chain
634
+ if (i && (x->ex_flags & EXFLAG_SI)) {
635
+ continue;
636
+ }
637
+ // Check against constraints for all certificates higher in chain
638
+ // including trust anchor. Trust anchor not strictly speaking needed
639
+ // but if it includes constraints it is to be assumed it expects them
640
+ // to be obeyed.
641
+ for (j = (int)sk_X509_num(ctx->chain) - 1; j > i; j--) {
642
+ NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
643
+ if (nc) {
644
+ has_name_constraints = 1;
645
+ rv = NAME_CONSTRAINTS_check(x, nc);
788
646
  switch (rv) {
789
- case X509_V_OK:
790
- break;
791
- case X509_V_ERR_OUT_OF_MEM:
647
+ case X509_V_OK:
648
+ continue;
649
+ case X509_V_ERR_OUT_OF_MEM:
792
650
  ctx->error = rv;
793
651
  return 0;
794
- default:
652
+ default:
795
653
  ctx->error = rv;
796
654
  ctx->error_depth = i;
797
- ctx->current_cert = leaf;
798
- if (!ctx->verify_cb(0, ctx))
799
- return 0;
655
+ ctx->current_cert = x;
656
+ if (!ctx->verify_cb(0, ctx)) {
657
+ return 0;
658
+ }
800
659
  break;
801
660
  }
661
+ }
662
+ }
663
+ }
664
+
665
+ // Name constraints do not match against the common name, but
666
+ // |X509_check_host| still implements the legacy behavior where, on
667
+ // certificates lacking a SAN list, DNS-like names in the common name are
668
+ // checked instead.
669
+ //
670
+ // While we could apply the name constraints to the common name, name
671
+ // constraints are rare enough that can hold such certificates to a higher
672
+ // standard. Note this does not make "DNS-like" heuristic failures any
673
+ // worse. A decorative common-name misidentified as a DNS name would fail
674
+ // the name constraint anyway.
675
+ X509 *leaf = sk_X509_value(ctx->chain, 0);
676
+ if (has_name_constraints && leaf->altname == NULL) {
677
+ rv = reject_dns_name_in_common_name(leaf);
678
+ switch (rv) {
679
+ case X509_V_OK:
680
+ break;
681
+ case X509_V_ERR_OUT_OF_MEM:
682
+ ctx->error = rv;
683
+ return 0;
684
+ default:
685
+ ctx->error = rv;
686
+ ctx->error_depth = i;
687
+ ctx->current_cert = leaf;
688
+ if (!ctx->verify_cb(0, ctx)) {
689
+ return 0;
690
+ }
691
+ break;
802
692
  }
803
-
693
+ }
694
+
695
+ return 1;
696
+ }
697
+
698
+ static int check_id_error(X509_STORE_CTX *ctx, int errcode) {
699
+ ctx->error = errcode;
700
+ ctx->current_cert = ctx->cert;
701
+ ctx->error_depth = 0;
702
+ return ctx->verify_cb(0, ctx);
703
+ }
704
+
705
+ static int check_hosts(X509 *x, X509_VERIFY_PARAM *param) {
706
+ size_t i;
707
+ size_t n = sk_OPENSSL_STRING_num(param->hosts);
708
+ char *name;
709
+
710
+ if (param->peername != NULL) {
711
+ OPENSSL_free(param->peername);
712
+ param->peername = NULL;
713
+ }
714
+ for (i = 0; i < n; ++i) {
715
+ name = sk_OPENSSL_STRING_value(param->hosts, i);
716
+ if (X509_check_host(x, name, strlen(name), param->hostflags,
717
+ &param->peername) > 0) {
718
+ return 1;
719
+ }
720
+ }
721
+ return n == 0;
722
+ }
723
+
724
+ static int check_id(X509_STORE_CTX *ctx) {
725
+ X509_VERIFY_PARAM *vpm = ctx->param;
726
+ X509 *x = ctx->cert;
727
+ if (vpm->poison) {
728
+ if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL)) {
729
+ return 0;
730
+ }
731
+ }
732
+ if (vpm->hosts && check_hosts(x, vpm) <= 0) {
733
+ if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH)) {
734
+ return 0;
735
+ }
736
+ }
737
+ if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) {
738
+ if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH)) {
739
+ return 0;
740
+ }
741
+ }
742
+ if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
743
+ if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH)) {
744
+ return 0;
745
+ }
746
+ }
747
+ return 1;
748
+ }
749
+
750
+ static int check_trust(X509_STORE_CTX *ctx) {
751
+ int ok;
752
+ X509 *x = NULL;
753
+ // Check all trusted certificates in chain
754
+ for (size_t i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
755
+ x = sk_X509_value(ctx->chain, i);
756
+ ok = X509_check_trust(x, ctx->param->trust, 0);
757
+ // If explicitly trusted return trusted
758
+ if (ok == X509_TRUST_TRUSTED) {
759
+ return X509_TRUST_TRUSTED;
760
+ }
761
+ // If explicitly rejected notify callback and reject if not
762
+ // overridden.
763
+ if (ok == X509_TRUST_REJECTED) {
764
+ ctx->error_depth = (int)i;
765
+ ctx->current_cert = x;
766
+ ctx->error = X509_V_ERR_CERT_REJECTED;
767
+ ok = ctx->verify_cb(0, ctx);
768
+ if (!ok) {
769
+ return X509_TRUST_REJECTED;
770
+ }
771
+ }
772
+ }
773
+ // If we accept partial chains and have at least one trusted certificate
774
+ // return success.
775
+ if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
776
+ X509 *mx;
777
+ if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain)) {
778
+ return X509_TRUST_TRUSTED;
779
+ }
780
+ x = sk_X509_value(ctx->chain, 0);
781
+ mx = lookup_cert_match(ctx, x);
782
+ if (mx) {
783
+ (void)sk_X509_set(ctx->chain, 0, mx);
784
+ X509_free(x);
785
+ ctx->last_untrusted = 0;
786
+ return X509_TRUST_TRUSTED;
787
+ }
788
+ }
789
+
790
+ // If no trusted certs in chain at all return untrusted and allow
791
+ // standard (no issuer cert) etc errors to be indicated.
792
+ return X509_TRUST_UNTRUSTED;
793
+ }
794
+
795
+ static int check_revocation(X509_STORE_CTX *ctx) {
796
+ if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) {
804
797
  return 1;
805
- }
806
-
807
- static int check_id_error(X509_STORE_CTX *ctx, int errcode)
808
- {
809
- ctx->error = errcode;
810
- ctx->current_cert = ctx->cert;
811
- ctx->error_depth = 0;
812
- return ctx->verify_cb(0, ctx);
813
- }
814
-
815
- static int check_hosts(X509 *x, X509_VERIFY_PARAM *param)
816
- {
817
- size_t i;
818
- size_t n = sk_OPENSSL_STRING_num(param->hosts);
819
- char *name;
820
-
821
- if (param->peername != NULL) {
822
- OPENSSL_free(param->peername);
823
- param->peername = NULL;
824
- }
825
- for (i = 0; i < n; ++i) {
826
- name = sk_OPENSSL_STRING_value(param->hosts, i);
827
- if (X509_check_host(x, name, strlen(name), param->hostflags,
828
- &param->peername) > 0)
829
- return 1;
830
- }
831
- return n == 0;
832
- }
833
-
834
- static int check_id(X509_STORE_CTX *ctx)
835
- {
836
- X509_VERIFY_PARAM *vpm = ctx->param;
837
- X509 *x = ctx->cert;
838
- if (vpm->poison) {
839
- if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL))
840
- return 0;
841
- }
842
- if (vpm->hosts && check_hosts(x, vpm) <= 0) {
843
- if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
844
- return 0;
798
+ }
799
+ int last;
800
+ if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) {
801
+ last = (int)sk_X509_num(ctx->chain) - 1;
802
+ } else {
803
+ // If checking CRL paths this isn't the EE certificate
804
+ if (ctx->parent) {
805
+ return 1;
806
+ }
807
+ last = 0;
808
+ }
809
+ for (int i = 0; i <= last; i++) {
810
+ ctx->error_depth = i;
811
+ int ok = check_cert(ctx);
812
+ if (!ok) {
813
+ return ok;
814
+ }
815
+ }
816
+ return 1;
817
+ }
818
+
819
+ static int check_cert(X509_STORE_CTX *ctx) {
820
+ X509_CRL *crl = NULL, *dcrl = NULL;
821
+ X509 *x;
822
+ int ok = 0, cnum;
823
+ unsigned int last_reasons;
824
+ cnum = ctx->error_depth;
825
+ x = sk_X509_value(ctx->chain, cnum);
826
+ ctx->current_cert = x;
827
+ ctx->current_issuer = NULL;
828
+ ctx->current_crl_score = 0;
829
+ ctx->current_reasons = 0;
830
+ while (ctx->current_reasons != CRLDP_ALL_REASONS) {
831
+ last_reasons = ctx->current_reasons;
832
+ // Try to retrieve relevant CRL
833
+ if (ctx->get_crl) {
834
+ ok = ctx->get_crl(ctx, &crl, x);
835
+ } else {
836
+ ok = get_crl_delta(ctx, &crl, &dcrl, x);
845
837
  }
846
- if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) {
847
- if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
848
- return 0;
838
+ // If error looking up CRL, nothing we can do except notify callback
839
+ if (!ok) {
840
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
841
+ ok = ctx->verify_cb(0, ctx);
842
+ goto err;
849
843
  }
850
- if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
851
- if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
852
- return 0;
844
+ ctx->current_crl = crl;
845
+ ok = ctx->check_crl(ctx, crl);
846
+ if (!ok) {
847
+ goto err;
853
848
  }
854
- return 1;
855
- }
856
849
 
857
- static int check_trust(X509_STORE_CTX *ctx)
858
- {
859
- size_t i;
860
- int ok;
861
- X509 *x = NULL;
862
- int (*cb) (int xok, X509_STORE_CTX *xctx);
863
- cb = ctx->verify_cb;
864
- /* Check all trusted certificates in chain */
865
- for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
866
- x = sk_X509_value(ctx->chain, i);
867
- ok = X509_check_trust(x, ctx->param->trust, 0);
868
- /* If explicitly trusted return trusted */
869
- if (ok == X509_TRUST_TRUSTED)
870
- return X509_TRUST_TRUSTED;
871
- /*
872
- * If explicitly rejected notify callback and reject if not
873
- * overridden.
874
- */
875
- if (ok == X509_TRUST_REJECTED) {
876
- ctx->error_depth = i;
877
- ctx->current_cert = x;
878
- ctx->error = X509_V_ERR_CERT_REJECTED;
879
- ok = cb(0, ctx);
880
- if (!ok)
881
- return X509_TRUST_REJECTED;
882
- }
883
- }
884
- /*
885
- * If we accept partial chains and have at least one trusted certificate
886
- * return success.
887
- */
888
- if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
889
- X509 *mx;
890
- if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain))
891
- return X509_TRUST_TRUSTED;
892
- x = sk_X509_value(ctx->chain, 0);
893
- mx = lookup_cert_match(ctx, x);
894
- if (mx) {
895
- (void)sk_X509_set(ctx->chain, 0, mx);
896
- X509_free(x);
897
- ctx->last_untrusted = 0;
898
- return X509_TRUST_TRUSTED;
899
- }
850
+ if (dcrl) {
851
+ ok = ctx->check_crl(ctx, dcrl);
852
+ if (!ok) {
853
+ goto err;
854
+ }
855
+ ok = ctx->cert_crl(ctx, dcrl, x);
856
+ if (!ok) {
857
+ goto err;
858
+ }
859
+ } else {
860
+ ok = 1;
900
861
  }
901
862
 
902
- /*
903
- * If no trusted certs in chain at all return untrusted and allow
904
- * standard (no issuer cert) etc errors to be indicated.
905
- */
906
- return X509_TRUST_UNTRUSTED;
907
- }
908
-
909
- static int check_revocation(X509_STORE_CTX *ctx)
910
- {
911
- int i, last, ok;
912
- if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
913
- return 1;
914
- if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
915
- last = sk_X509_num(ctx->chain) - 1;
916
- else {
917
- /* If checking CRL paths this isn't the EE certificate */
918
- if (ctx->parent)
919
- return 1;
920
- last = 0;
921
- }
922
- for (i = 0; i <= last; i++) {
923
- ctx->error_depth = i;
924
- ok = check_cert(ctx);
925
- if (!ok)
926
- return ok;
863
+ // Don't look in full CRL if delta reason is removefromCRL
864
+ if (ok != 2) {
865
+ ok = ctx->cert_crl(ctx, crl, x);
866
+ if (!ok) {
867
+ goto err;
868
+ }
927
869
  }
928
- return 1;
929
- }
930
-
931
- static int check_cert(X509_STORE_CTX *ctx)
932
- {
933
- X509_CRL *crl = NULL, *dcrl = NULL;
934
- X509 *x;
935
- int ok = 0, cnum;
936
- unsigned int last_reasons;
937
- cnum = ctx->error_depth;
938
- x = sk_X509_value(ctx->chain, cnum);
939
- ctx->current_cert = x;
940
- ctx->current_issuer = NULL;
941
- ctx->current_crl_score = 0;
942
- ctx->current_reasons = 0;
943
- while (ctx->current_reasons != CRLDP_ALL_REASONS) {
944
- last_reasons = ctx->current_reasons;
945
- /* Try to retrieve relevant CRL */
946
- if (ctx->get_crl)
947
- ok = ctx->get_crl(ctx, &crl, x);
948
- else
949
- ok = get_crl_delta(ctx, &crl, &dcrl, x);
950
- /*
951
- * If error looking up CRL, nothing we can do except notify callback
952
- */
953
- if (!ok) {
954
- ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
955
- ok = ctx->verify_cb(0, ctx);
956
- goto err;
957
- }
958
- ctx->current_crl = crl;
959
- ok = ctx->check_crl(ctx, crl);
960
- if (!ok)
961
- goto err;
962
-
963
- if (dcrl) {
964
- ok = ctx->check_crl(ctx, dcrl);
965
- if (!ok)
966
- goto err;
967
- ok = ctx->cert_crl(ctx, dcrl, x);
968
- if (!ok)
969
- goto err;
970
- } else
971
- ok = 1;
972
-
973
- /* Don't look in full CRL if delta reason is removefromCRL */
974
- if (ok != 2) {
975
- ok = ctx->cert_crl(ctx, crl, x);
976
- if (!ok)
977
- goto err;
978
- }
979
870
 
980
- X509_CRL_free(crl);
981
- X509_CRL_free(dcrl);
982
- crl = NULL;
983
- dcrl = NULL;
984
- /*
985
- * If reasons not updated we wont get anywhere by another iteration,
986
- * so exit loop.
987
- */
988
- if (last_reasons == ctx->current_reasons) {
989
- ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
990
- ok = ctx->verify_cb(0, ctx);
991
- goto err;
992
- }
993
- }
994
- err:
995
871
  X509_CRL_free(crl);
996
872
  X509_CRL_free(dcrl);
873
+ crl = NULL;
874
+ dcrl = NULL;
875
+ // If reasons not updated we wont get anywhere by another iteration,
876
+ // so exit loop.
877
+ if (last_reasons == ctx->current_reasons) {
878
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
879
+ ok = ctx->verify_cb(0, ctx);
880
+ goto err;
881
+ }
882
+ }
883
+ err:
884
+ X509_CRL_free(crl);
885
+ X509_CRL_free(dcrl);
997
886
 
998
- ctx->current_crl = NULL;
999
- return ok;
1000
-
887
+ ctx->current_crl = NULL;
888
+ return ok;
1001
889
  }
1002
890
 
1003
- /* Check CRL times against values in X509_STORE_CTX */
891
+ // Check CRL times against values in X509_STORE_CTX
1004
892
 
1005
- static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
1006
- {
1007
- time_t *ptime;
1008
- int i;
1009
- if (notify)
1010
- ctx->current_crl = crl;
1011
- if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1012
- ptime = &ctx->param->check_time;
1013
- else
1014
- ptime = NULL;
893
+ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) {
894
+ if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) {
895
+ return 1;
896
+ }
1015
897
 
1016
- i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime);
1017
- if (i == 0) {
1018
- if (!notify)
1019
- return 0;
1020
- ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
1021
- if (!ctx->verify_cb(0, ctx))
1022
- return 0;
898
+ if (notify) {
899
+ ctx->current_crl = crl;
900
+ }
901
+ int64_t ptime;
902
+ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) {
903
+ ptime = ctx->param->check_time;
904
+ } else {
905
+ ptime = time(NULL);
906
+ }
907
+
908
+ int i = X509_cmp_time_posix(X509_CRL_get0_lastUpdate(crl), ptime);
909
+ if (i == 0) {
910
+ if (!notify) {
911
+ return 0;
912
+ }
913
+ ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
914
+ if (!ctx->verify_cb(0, ctx)) {
915
+ return 0;
1023
916
  }
917
+ }
1024
918
 
1025
- if (i > 0) {
1026
- if (!notify)
1027
- return 0;
1028
- ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
1029
- if (!ctx->verify_cb(0, ctx))
1030
- return 0;
919
+ if (i > 0) {
920
+ if (!notify) {
921
+ return 0;
1031
922
  }
923
+ ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
924
+ if (!ctx->verify_cb(0, ctx)) {
925
+ return 0;
926
+ }
927
+ }
1032
928
 
1033
- if (X509_CRL_get0_nextUpdate(crl)) {
1034
- i = X509_cmp_time(X509_CRL_get0_nextUpdate(crl), ptime);
929
+ if (X509_CRL_get0_nextUpdate(crl)) {
930
+ i = X509_cmp_time_posix(X509_CRL_get0_nextUpdate(crl), ptime);
1035
931
 
1036
- if (i == 0) {
1037
- if (!notify)
1038
- return 0;
1039
- ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
1040
- if (!ctx->verify_cb(0, ctx))
1041
- return 0;
1042
- }
1043
- /* Ignore expiry of base CRL is delta is valid */
1044
- if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
1045
- if (!notify)
1046
- return 0;
1047
- ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
1048
- if (!ctx->verify_cb(0, ctx))
1049
- return 0;
1050
- }
932
+ if (i == 0) {
933
+ if (!notify) {
934
+ return 0;
935
+ }
936
+ ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
937
+ if (!ctx->verify_cb(0, ctx)) {
938
+ return 0;
939
+ }
940
+ }
941
+ // Ignore expiry of base CRL is delta is valid
942
+ if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
943
+ if (!notify) {
944
+ return 0;
945
+ }
946
+ ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
947
+ if (!ctx->verify_cb(0, ctx)) {
948
+ return 0;
949
+ }
1051
950
  }
951
+ }
1052
952
 
1053
- if (notify)
1054
- ctx->current_crl = NULL;
953
+ if (notify) {
954
+ ctx->current_crl = NULL;
955
+ }
1055
956
 
1056
- return 1;
957
+ return 1;
1057
958
  }
1058
959
 
1059
960
  static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
1060
961
  X509 **pissuer, int *pscore, unsigned int *preasons,
1061
- STACK_OF(X509_CRL) *crls)
1062
- {
1063
- int crl_score, best_score = *pscore;
1064
- size_t i;
1065
- unsigned int reasons, best_reasons = 0;
1066
- X509 *x = ctx->current_cert;
1067
- X509_CRL *crl, *best_crl = NULL;
1068
- X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
1069
-
1070
- for (i = 0; i < sk_X509_CRL_num(crls); i++) {
1071
- crl = sk_X509_CRL_value(crls, i);
1072
- reasons = *preasons;
1073
- crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
1074
- if (crl_score < best_score || crl_score == 0)
1075
- continue;
1076
- /* If current CRL is equivalent use it if it is newer */
1077
- if (crl_score == best_score && best_crl != NULL) {
1078
- int day, sec;
1079
- if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
1080
- X509_CRL_get0_lastUpdate(crl)) == 0)
1081
- continue;
1082
- /*
1083
- * ASN1_TIME_diff never returns inconsistent signs for |day|
1084
- * and |sec|.
1085
- */
1086
- if (day <= 0 && sec <= 0)
1087
- continue;
1088
- }
1089
- best_crl = crl;
1090
- best_crl_issuer = crl_issuer;
1091
- best_score = crl_score;
1092
- best_reasons = reasons;
1093
- }
1094
-
1095
- if (best_crl) {
1096
- if (*pcrl)
1097
- X509_CRL_free(*pcrl);
1098
- *pcrl = best_crl;
1099
- *pissuer = best_crl_issuer;
1100
- *pscore = best_score;
1101
- *preasons = best_reasons;
1102
- X509_CRL_up_ref(best_crl);
1103
- if (*pdcrl) {
1104
- X509_CRL_free(*pdcrl);
1105
- *pdcrl = NULL;
1106
- }
1107
- get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
1108
- }
1109
-
1110
- if (best_score >= CRL_SCORE_VALID)
1111
- return 1;
962
+ STACK_OF(X509_CRL) *crls) {
963
+ int crl_score, best_score = *pscore;
964
+ size_t i;
965
+ unsigned int reasons, best_reasons = 0;
966
+ X509 *x = ctx->current_cert;
967
+ X509_CRL *crl, *best_crl = NULL;
968
+ X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
969
+
970
+ for (i = 0; i < sk_X509_CRL_num(crls); i++) {
971
+ crl = sk_X509_CRL_value(crls, i);
972
+ reasons = *preasons;
973
+ crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
974
+ if (crl_score < best_score || crl_score == 0) {
975
+ continue;
976
+ }
977
+ // If current CRL is equivalent use it if it is newer
978
+ if (crl_score == best_score && best_crl != NULL) {
979
+ int day, sec;
980
+ if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
981
+ X509_CRL_get0_lastUpdate(crl)) == 0) {
982
+ continue;
983
+ }
984
+ // ASN1_TIME_diff never returns inconsistent signs for |day|
985
+ // and |sec|.
986
+ if (day <= 0 && sec <= 0) {
987
+ continue;
988
+ }
989
+ }
990
+ best_crl = crl;
991
+ best_crl_issuer = crl_issuer;
992
+ best_score = crl_score;
993
+ best_reasons = reasons;
994
+ }
995
+
996
+ if (best_crl) {
997
+ if (*pcrl) {
998
+ X509_CRL_free(*pcrl);
999
+ }
1000
+ *pcrl = best_crl;
1001
+ *pissuer = best_crl_issuer;
1002
+ *pscore = best_score;
1003
+ *preasons = best_reasons;
1004
+ X509_CRL_up_ref(best_crl);
1005
+ if (*pdcrl) {
1006
+ X509_CRL_free(*pdcrl);
1007
+ *pdcrl = NULL;
1008
+ }
1009
+ get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
1010
+ }
1011
+
1012
+ if (best_score >= CRL_SCORE_VALID) {
1013
+ return 1;
1014
+ }
1112
1015
 
1113
- return 0;
1016
+ return 0;
1114
1017
  }
1115
1018
 
1116
- /*
1117
- * Compare two CRL extensions for delta checking purposes. They should be
1118
- * both present or both absent. If both present all fields must be identical.
1119
- */
1120
-
1121
- static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
1122
- {
1123
- ASN1_OCTET_STRING *exta, *extb;
1124
- int i;
1125
- i = X509_CRL_get_ext_by_NID(a, nid, -1);
1126
- if (i >= 0) {
1127
- /* Can't have multiple occurrences */
1128
- if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
1129
- return 0;
1130
- exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
1131
- } else
1132
- exta = NULL;
1019
+ // Compare two CRL extensions for delta checking purposes. They should be
1020
+ // both present or both absent. If both present all fields must be identical.
1133
1021
 
1134
- i = X509_CRL_get_ext_by_NID(b, nid, -1);
1022
+ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) {
1023
+ const ASN1_OCTET_STRING *exta, *extb;
1024
+ int i;
1025
+ i = X509_CRL_get_ext_by_NID(a, nid, -1);
1026
+ if (i >= 0) {
1027
+ // Can't have multiple occurrences
1028
+ if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) {
1029
+ return 0;
1030
+ }
1031
+ exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
1032
+ } else {
1033
+ exta = NULL;
1034
+ }
1135
1035
 
1136
- if (i >= 0) {
1036
+ i = X509_CRL_get_ext_by_NID(b, nid, -1);
1137
1037
 
1138
- if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
1139
- return 0;
1140
- extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
1141
- } else
1142
- extb = NULL;
1038
+ if (i >= 0) {
1039
+ if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) {
1040
+ return 0;
1041
+ }
1042
+ extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
1043
+ } else {
1044
+ extb = NULL;
1045
+ }
1143
1046
 
1144
- if (!exta && !extb)
1145
- return 1;
1047
+ if (!exta && !extb) {
1048
+ return 1;
1049
+ }
1146
1050
 
1147
- if (!exta || !extb)
1148
- return 0;
1051
+ if (!exta || !extb) {
1052
+ return 0;
1053
+ }
1149
1054
 
1150
- if (ASN1_OCTET_STRING_cmp(exta, extb))
1151
- return 0;
1055
+ if (ASN1_OCTET_STRING_cmp(exta, extb)) {
1056
+ return 0;
1057
+ }
1152
1058
 
1153
- return 1;
1059
+ return 1;
1154
1060
  }
1155
1061
 
1156
- /* See if a base and delta are compatible */
1062
+ // See if a base and delta are compatible
1157
1063
 
1158
- static int check_delta_base(X509_CRL *delta, X509_CRL *base)
1159
- {
1160
- /* Delta CRL must be a delta */
1161
- if (!delta->base_crl_number)
1162
- return 0;
1163
- /* Base must have a CRL number */
1164
- if (!base->crl_number)
1165
- return 0;
1166
- /* Issuer names must match */
1167
- if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta)))
1168
- return 0;
1169
- /* AKID and IDP must match */
1170
- if (!crl_extension_match(delta, base, NID_authority_key_identifier))
1171
- return 0;
1172
- if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
1173
- return 0;
1174
- /* Delta CRL base number must not exceed Full CRL number. */
1175
- if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
1176
- return 0;
1177
- /* Delta CRL number must exceed full CRL number */
1178
- if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
1179
- return 1;
1064
+ static int check_delta_base(X509_CRL *delta, X509_CRL *base) {
1065
+ // Delta CRL must be a delta
1066
+ if (!delta->base_crl_number) {
1067
+ return 0;
1068
+ }
1069
+ // Base must have a CRL number
1070
+ if (!base->crl_number) {
1180
1071
  return 0;
1072
+ }
1073
+ // Issuer names must match
1074
+ if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta))) {
1075
+ return 0;
1076
+ }
1077
+ // AKID and IDP must match
1078
+ if (!crl_extension_match(delta, base, NID_authority_key_identifier)) {
1079
+ return 0;
1080
+ }
1081
+ if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) {
1082
+ return 0;
1083
+ }
1084
+ // Delta CRL base number must not exceed Full CRL number.
1085
+ if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) {
1086
+ return 0;
1087
+ }
1088
+ // Delta CRL number must exceed full CRL number
1089
+ if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) {
1090
+ return 1;
1091
+ }
1092
+ return 0;
1181
1093
  }
1182
1094
 
1183
- /*
1184
- * For a given base CRL find a delta... maybe extend to delta scoring or
1185
- * retrieve a chain of deltas...
1186
- */
1095
+ // For a given base CRL find a delta... maybe extend to delta scoring or
1096
+ // retrieve a chain of deltas...
1187
1097
 
1188
1098
  static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
1189
- X509_CRL *base, STACK_OF(X509_CRL) *crls)
1190
- {
1191
- X509_CRL *delta;
1192
- size_t i;
1193
- if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
1194
- return;
1195
- if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
1196
- return;
1197
- for (i = 0; i < sk_X509_CRL_num(crls); i++) {
1198
- delta = sk_X509_CRL_value(crls, i);
1199
- if (check_delta_base(delta, base)) {
1200
- if (check_crl_time(ctx, delta, 0))
1201
- *pscore |= CRL_SCORE_TIME_DELTA;
1202
- X509_CRL_up_ref(delta);
1203
- *dcrl = delta;
1204
- return;
1205
- }
1206
- }
1207
- *dcrl = NULL;
1208
- }
1209
-
1210
- /*
1211
- * For a given CRL return how suitable it is for the supplied certificate
1212
- * 'x'. The return value is a mask of several criteria. If the issuer is not
1213
- * the certificate issuer this is returned in *pissuer. The reasons mask is
1214
- * also used to determine if the CRL is suitable: if no new reasons the CRL
1215
- * is rejected, otherwise reasons is updated.
1216
- */
1099
+ X509_CRL *base, STACK_OF(X509_CRL) *crls) {
1100
+ X509_CRL *delta;
1101
+ size_t i;
1102
+ if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) {
1103
+ return;
1104
+ }
1105
+ if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) {
1106
+ return;
1107
+ }
1108
+ for (i = 0; i < sk_X509_CRL_num(crls); i++) {
1109
+ delta = sk_X509_CRL_value(crls, i);
1110
+ if (check_delta_base(delta, base)) {
1111
+ if (check_crl_time(ctx, delta, 0)) {
1112
+ *pscore |= CRL_SCORE_TIME_DELTA;
1113
+ }
1114
+ X509_CRL_up_ref(delta);
1115
+ *dcrl = delta;
1116
+ return;
1117
+ }
1118
+ }
1119
+ *dcrl = NULL;
1120
+ }
1121
+
1122
+ // For a given CRL return how suitable it is for the supplied certificate
1123
+ // 'x'. The return value is a mask of several criteria. If the issuer is not
1124
+ // the certificate issuer this is returned in *pissuer. The reasons mask is
1125
+ // also used to determine if the CRL is suitable: if no new reasons the CRL
1126
+ // is rejected, otherwise reasons is updated.
1217
1127
 
1218
1128
  static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
1219
- unsigned int *preasons, X509_CRL *crl, X509 *x)
1220
- {
1221
-
1222
- int crl_score = 0;
1223
- unsigned int tmp_reasons = *preasons, crl_reasons;
1129
+ unsigned int *preasons, X509_CRL *crl, X509 *x) {
1130
+ int crl_score = 0;
1131
+ unsigned int tmp_reasons = *preasons, crl_reasons;
1224
1132
 
1225
- /* First see if we can reject CRL straight away */
1133
+ // First see if we can reject CRL straight away
1226
1134
 
1227
- /* Invalid IDP cannot be processed */
1228
- if (crl->idp_flags & IDP_INVALID)
1229
- return 0;
1230
- /* Reason codes or indirect CRLs need extended CRL support */
1231
- if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
1232
- if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
1233
- return 0;
1234
- } else if (crl->idp_flags & IDP_REASONS) {
1235
- /* If no new reasons reject */
1236
- if (!(crl->idp_reasons & ~tmp_reasons))
1237
- return 0;
1135
+ // Invalid IDP cannot be processed
1136
+ if (crl->idp_flags & IDP_INVALID) {
1137
+ return 0;
1138
+ }
1139
+ // Reason codes or indirect CRLs need extended CRL support
1140
+ if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
1141
+ if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) {
1142
+ return 0;
1143
+ }
1144
+ } else if (crl->idp_flags & IDP_REASONS) {
1145
+ // If no new reasons reject
1146
+ if (!(crl->idp_reasons & ~tmp_reasons)) {
1147
+ return 0;
1148
+ }
1149
+ }
1150
+ // Don't process deltas at this stage
1151
+ else if (crl->base_crl_number) {
1152
+ return 0;
1153
+ }
1154
+ // If issuer name doesn't match certificate need indirect CRL
1155
+ if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
1156
+ if (!(crl->idp_flags & IDP_INDIRECT)) {
1157
+ return 0;
1238
1158
  }
1239
- /* Don't process deltas at this stage */
1240
- else if (crl->base_crl_number)
1241
- return 0;
1242
- /* If issuer name doesn't match certificate need indirect CRL */
1243
- if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
1244
- if (!(crl->idp_flags & IDP_INDIRECT))
1245
- return 0;
1246
- } else
1247
- crl_score |= CRL_SCORE_ISSUER_NAME;
1159
+ } else {
1160
+ crl_score |= CRL_SCORE_ISSUER_NAME;
1161
+ }
1248
1162
 
1249
- if (!(crl->flags & EXFLAG_CRITICAL))
1250
- crl_score |= CRL_SCORE_NOCRITICAL;
1163
+ if (!(crl->flags & EXFLAG_CRITICAL)) {
1164
+ crl_score |= CRL_SCORE_NOCRITICAL;
1165
+ }
1251
1166
 
1252
- /* Check expiry */
1253
- if (check_crl_time(ctx, crl, 0))
1254
- crl_score |= CRL_SCORE_TIME;
1167
+ // Check expiry
1168
+ if (check_crl_time(ctx, crl, 0)) {
1169
+ crl_score |= CRL_SCORE_TIME;
1170
+ }
1255
1171
 
1256
- /* Check authority key ID and locate certificate issuer */
1257
- crl_akid_check(ctx, crl, pissuer, &crl_score);
1172
+ // Check authority key ID and locate certificate issuer
1173
+ crl_akid_check(ctx, crl, pissuer, &crl_score);
1258
1174
 
1259
- /* If we can't locate certificate issuer at this point forget it */
1175
+ // If we can't locate certificate issuer at this point forget it
1260
1176
 
1261
- if (!(crl_score & CRL_SCORE_AKID))
1262
- return 0;
1177
+ if (!(crl_score & CRL_SCORE_AKID)) {
1178
+ return 0;
1179
+ }
1263
1180
 
1264
- /* Check cert for matching CRL distribution points */
1181
+ // Check cert for matching CRL distribution points
1265
1182
 
1266
- if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
1267
- /* If no new reasons reject */
1268
- if (!(crl_reasons & ~tmp_reasons))
1269
- return 0;
1270
- tmp_reasons |= crl_reasons;
1271
- crl_score |= CRL_SCORE_SCOPE;
1183
+ if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
1184
+ // If no new reasons reject
1185
+ if (!(crl_reasons & ~tmp_reasons)) {
1186
+ return 0;
1272
1187
  }
1188
+ tmp_reasons |= crl_reasons;
1189
+ crl_score |= CRL_SCORE_SCOPE;
1190
+ }
1273
1191
 
1274
- *preasons = tmp_reasons;
1275
-
1276
- return crl_score;
1192
+ *preasons = tmp_reasons;
1277
1193
 
1194
+ return crl_score;
1278
1195
  }
1279
1196
 
1280
- static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1281
- X509 **pissuer, int *pcrl_score)
1282
- {
1283
- X509 *crl_issuer = NULL;
1284
- X509_NAME *cnm = X509_CRL_get_issuer(crl);
1285
- int cidx = ctx->error_depth;
1286
- size_t i;
1197
+ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
1198
+ int *pcrl_score) {
1199
+ X509 *crl_issuer = NULL;
1200
+ X509_NAME *cnm = X509_CRL_get_issuer(crl);
1201
+ int cidx = ctx->error_depth;
1202
+ size_t i;
1287
1203
 
1288
- if ((size_t)cidx != sk_X509_num(ctx->chain) - 1)
1289
- cidx++;
1204
+ if ((size_t)cidx != sk_X509_num(ctx->chain) - 1) {
1205
+ cidx++;
1206
+ }
1290
1207
 
1291
- crl_issuer = sk_X509_value(ctx->chain, cidx);
1208
+ crl_issuer = sk_X509_value(ctx->chain, cidx);
1292
1209
 
1293
- if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1294
- if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
1295
- *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT;
1296
- *pissuer = crl_issuer;
1297
- return;
1298
- }
1210
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1211
+ if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
1212
+ *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT;
1213
+ *pissuer = crl_issuer;
1214
+ return;
1299
1215
  }
1216
+ }
1300
1217
 
1301
- for (cidx++; cidx < (int)sk_X509_num(ctx->chain); cidx++) {
1302
- crl_issuer = sk_X509_value(ctx->chain, cidx);
1303
- if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1304
- continue;
1305
- if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1306
- *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH;
1307
- *pissuer = crl_issuer;
1308
- return;
1309
- }
1218
+ for (cidx++; cidx < (int)sk_X509_num(ctx->chain); cidx++) {
1219
+ crl_issuer = sk_X509_value(ctx->chain, cidx);
1220
+ if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) {
1221
+ continue;
1310
1222
  }
1223
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1224
+ *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH;
1225
+ *pissuer = crl_issuer;
1226
+ return;
1227
+ }
1228
+ }
1311
1229
 
1312
- /* Anything else needs extended CRL support */
1230
+ // Anything else needs extended CRL support
1313
1231
 
1314
- if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
1315
- return;
1232
+ if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
1233
+ return;
1234
+ }
1316
1235
 
1317
- /*
1318
- * Otherwise the CRL issuer is not on the path. Look for it in the set of
1319
- * untrusted certificates.
1320
- */
1321
- for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
1322
- crl_issuer = sk_X509_value(ctx->untrusted, i);
1323
- if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1324
- continue;
1325
- if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1326
- *pissuer = crl_issuer;
1327
- *pcrl_score |= CRL_SCORE_AKID;
1328
- return;
1329
- }
1236
+ // Otherwise the CRL issuer is not on the path. Look for it in the set of
1237
+ // untrusted certificates.
1238
+ for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
1239
+ crl_issuer = sk_X509_value(ctx->untrusted, i);
1240
+ if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) {
1241
+ continue;
1242
+ }
1243
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1244
+ *pissuer = crl_issuer;
1245
+ *pcrl_score |= CRL_SCORE_AKID;
1246
+ return;
1330
1247
  }
1248
+ }
1331
1249
  }
1332
1250
 
1333
- /*
1334
- * Check the path of a CRL issuer certificate. This creates a new
1335
- * X509_STORE_CTX and populates it with most of the parameters from the
1336
- * parent. This could be optimised somewhat since a lot of path checking will
1337
- * be duplicated by the parent, but this will rarely be used in practice.
1338
- */
1339
-
1340
- static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1341
- {
1342
- X509_STORE_CTX crl_ctx;
1343
- int ret;
1344
- /* Don't allow recursive CRL path validation */
1345
- if (ctx->parent)
1346
- return 0;
1347
- if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
1348
- return -1;
1349
-
1350
- crl_ctx.crls = ctx->crls;
1351
- /* Copy verify params across */
1352
- X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
1353
-
1354
- crl_ctx.parent = ctx;
1355
- crl_ctx.verify_cb = ctx->verify_cb;
1356
-
1357
- /* Verify CRL issuer */
1358
- ret = X509_verify_cert(&crl_ctx);
1251
+ // Check the path of a CRL issuer certificate. This creates a new
1252
+ // X509_STORE_CTX and populates it with most of the parameters from the
1253
+ // parent. This could be optimised somewhat since a lot of path checking will
1254
+ // be duplicated by the parent, but this will rarely be used in practice.
1359
1255
 
1360
- if (ret <= 0)
1361
- goto err;
1362
-
1363
- /* Check chain is acceptable */
1364
-
1365
- ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1366
- err:
1367
- X509_STORE_CTX_cleanup(&crl_ctx);
1368
- return ret;
1369
- }
1370
-
1371
- /*
1372
- * RFC 3280 says nothing about the relationship between CRL path and
1373
- * certificate path, which could lead to situations where a certificate could
1374
- * be revoked or validated by a CA not authorised to do so. RFC 5280 is more
1375
- * strict and states that the two paths must end in the same trust anchor,
1376
- * though some discussions remain... until this is resolved we use the
1377
- * RFC 5280 version
1378
- */
1379
-
1380
- static int check_crl_chain(X509_STORE_CTX *ctx,
1381
- STACK_OF(X509) *cert_path,
1382
- STACK_OF(X509) *crl_path)
1383
- {
1384
- X509 *cert_ta, *crl_ta;
1385
- cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1386
- crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1387
- if (!X509_cmp(cert_ta, crl_ta))
1388
- return 1;
1256
+ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) {
1257
+ X509_STORE_CTX crl_ctx;
1258
+ int ret;
1259
+ // Don't allow recursive CRL path validation
1260
+ if (ctx->parent) {
1389
1261
  return 0;
1262
+ }
1263
+ if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted)) {
1264
+ return -1;
1265
+ }
1266
+
1267
+ crl_ctx.crls = ctx->crls;
1268
+ // Copy verify params across
1269
+ X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
1270
+
1271
+ crl_ctx.parent = ctx;
1272
+ crl_ctx.verify_cb = ctx->verify_cb;
1273
+
1274
+ // Verify CRL issuer
1275
+ ret = X509_verify_cert(&crl_ctx);
1276
+
1277
+ if (ret <= 0) {
1278
+ goto err;
1279
+ }
1280
+
1281
+ // Check chain is acceptable
1282
+
1283
+ ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1284
+ err:
1285
+ X509_STORE_CTX_cleanup(&crl_ctx);
1286
+ return ret;
1287
+ }
1288
+
1289
+ // RFC 3280 says nothing about the relationship between CRL path and
1290
+ // certificate path, which could lead to situations where a certificate could
1291
+ // be revoked or validated by a CA not authorised to do so. RFC 5280 is more
1292
+ // strict and states that the two paths must end in the same trust anchor,
1293
+ // though some discussions remain... until this is resolved we use the
1294
+ // RFC 5280 version
1295
+
1296
+ static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
1297
+ STACK_OF(X509) *crl_path) {
1298
+ X509 *cert_ta, *crl_ta;
1299
+ cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1300
+ crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1301
+ if (!X509_cmp(cert_ta, crl_ta)) {
1302
+ return 1;
1303
+ }
1304
+ return 0;
1390
1305
  }
1391
1306
 
1392
- /*
1393
- * Check for match between two dist point names: three separate cases. 1.
1394
- * Both are relative names and compare X509_NAME types. 2. One full, one
1395
- * relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and
1396
- * compare two GENERAL_NAMES. 4. One is NULL: automatic match.
1397
- */
1398
-
1399
- static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1400
- {
1401
- X509_NAME *nm = NULL;
1402
- GENERAL_NAMES *gens = NULL;
1403
- GENERAL_NAME *gena, *genb;
1404
- size_t i, j;
1405
- if (!a || !b)
1307
+ // Check for match between two dist point names: three separate cases. 1.
1308
+ // Both are relative names and compare X509_NAME types. 2. One full, one
1309
+ // relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and
1310
+ // compare two GENERAL_NAMES. 4. One is NULL: automatic match.
1311
+
1312
+ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) {
1313
+ X509_NAME *nm = NULL;
1314
+ GENERAL_NAMES *gens = NULL;
1315
+ GENERAL_NAME *gena, *genb;
1316
+ size_t i, j;
1317
+ if (!a || !b) {
1318
+ return 1;
1319
+ }
1320
+ if (a->type == 1) {
1321
+ if (!a->dpname) {
1322
+ return 0;
1323
+ }
1324
+ // Case 1: two X509_NAME
1325
+ if (b->type == 1) {
1326
+ if (!b->dpname) {
1327
+ return 0;
1328
+ }
1329
+ if (!X509_NAME_cmp(a->dpname, b->dpname)) {
1406
1330
  return 1;
1407
- if (a->type == 1) {
1408
- if (!a->dpname)
1409
- return 0;
1410
- /* Case 1: two X509_NAME */
1411
- if (b->type == 1) {
1412
- if (!b->dpname)
1413
- return 0;
1414
- if (!X509_NAME_cmp(a->dpname, b->dpname))
1415
- return 1;
1416
- else
1417
- return 0;
1418
- }
1419
- /* Case 2: set name and GENERAL_NAMES appropriately */
1420
- nm = a->dpname;
1421
- gens = b->name.fullname;
1422
- } else if (b->type == 1) {
1423
- if (!b->dpname)
1424
- return 0;
1425
- /* Case 2: set name and GENERAL_NAMES appropriately */
1426
- gens = a->name.fullname;
1427
- nm = b->dpname;
1428
- }
1429
-
1430
- /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1431
- if (nm) {
1432
- for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1433
- gena = sk_GENERAL_NAME_value(gens, i);
1434
- if (gena->type != GEN_DIRNAME)
1435
- continue;
1436
- if (!X509_NAME_cmp(nm, gena->d.directoryName))
1437
- return 1;
1438
- }
1331
+ } else {
1439
1332
  return 0;
1333
+ }
1334
+ }
1335
+ // Case 2: set name and GENERAL_NAMES appropriately
1336
+ nm = a->dpname;
1337
+ gens = b->name.fullname;
1338
+ } else if (b->type == 1) {
1339
+ if (!b->dpname) {
1340
+ return 0;
1341
+ }
1342
+ // Case 2: set name and GENERAL_NAMES appropriately
1343
+ gens = a->name.fullname;
1344
+ nm = b->dpname;
1345
+ }
1346
+
1347
+ // Handle case 2 with one GENERAL_NAMES and one X509_NAME
1348
+ if (nm) {
1349
+ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1350
+ gena = sk_GENERAL_NAME_value(gens, i);
1351
+ if (gena->type != GEN_DIRNAME) {
1352
+ continue;
1353
+ }
1354
+ if (!X509_NAME_cmp(nm, gena->d.directoryName)) {
1355
+ return 1;
1356
+ }
1440
1357
  }
1358
+ return 0;
1359
+ }
1441
1360
 
1442
- /* Else case 3: two GENERAL_NAMES */
1361
+ // Else case 3: two GENERAL_NAMES
1443
1362
 
1444
- for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
1445
- gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1446
- for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
1447
- genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1448
- if (!GENERAL_NAME_cmp(gena, genb))
1449
- return 1;
1450
- }
1363
+ for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
1364
+ gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1365
+ for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
1366
+ genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1367
+ if (!GENERAL_NAME_cmp(gena, genb)) {
1368
+ return 1;
1369
+ }
1451
1370
  }
1371
+ }
1452
1372
 
1453
- return 0;
1454
-
1373
+ return 0;
1455
1374
  }
1456
1375
 
1457
- static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1458
- {
1459
- size_t i;
1460
- X509_NAME *nm = X509_CRL_get_issuer(crl);
1461
- /* If no CRLissuer return is successful iff don't need a match */
1462
- if (!dp->CRLissuer)
1463
- return ! !(crl_score & CRL_SCORE_ISSUER_NAME);
1464
- for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
1465
- GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1466
- if (gen->type != GEN_DIRNAME)
1467
- continue;
1468
- if (!X509_NAME_cmp(gen->d.directoryName, nm))
1469
- return 1;
1376
+ static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) {
1377
+ size_t i;
1378
+ X509_NAME *nm = X509_CRL_get_issuer(crl);
1379
+ // If no CRLissuer return is successful iff don't need a match
1380
+ if (!dp->CRLissuer) {
1381
+ return !!(crl_score & CRL_SCORE_ISSUER_NAME);
1382
+ }
1383
+ for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
1384
+ GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1385
+ if (gen->type != GEN_DIRNAME) {
1386
+ continue;
1470
1387
  }
1471
- return 0;
1388
+ if (!X509_NAME_cmp(gen->d.directoryName, nm)) {
1389
+ return 1;
1390
+ }
1391
+ }
1392
+ return 0;
1472
1393
  }
1473
1394
 
1474
- /* Check CRLDP and IDP */
1395
+ // Check CRLDP and IDP
1475
1396
 
1476
1397
  static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1477
- unsigned int *preasons)
1478
- {
1479
- size_t i;
1480
- if (crl->idp_flags & IDP_ONLYATTR)
1481
- return 0;
1482
- if (x->ex_flags & EXFLAG_CA) {
1483
- if (crl->idp_flags & IDP_ONLYUSER)
1484
- return 0;
1485
- } else {
1486
- if (crl->idp_flags & IDP_ONLYCA)
1487
- return 0;
1488
- }
1489
- *preasons = crl->idp_reasons;
1490
- for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
1491
- DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1492
- if (crldp_check_crlissuer(dp, crl, crl_score)) {
1493
- if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
1494
- *preasons &= dp->dp_reasons;
1495
- return 1;
1496
- }
1497
- }
1498
- }
1499
- if ((!crl->idp || !crl->idp->distpoint)
1500
- && (crl_score & CRL_SCORE_ISSUER_NAME))
1501
- return 1;
1398
+ unsigned int *preasons) {
1399
+ size_t i;
1400
+ if (crl->idp_flags & IDP_ONLYATTR) {
1502
1401
  return 0;
1402
+ }
1403
+ if (x->ex_flags & EXFLAG_CA) {
1404
+ if (crl->idp_flags & IDP_ONLYUSER) {
1405
+ return 0;
1406
+ }
1407
+ } else {
1408
+ if (crl->idp_flags & IDP_ONLYCA) {
1409
+ return 0;
1410
+ }
1411
+ }
1412
+ *preasons = crl->idp_reasons;
1413
+ for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
1414
+ DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1415
+ if (crldp_check_crlissuer(dp, crl, crl_score)) {
1416
+ if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
1417
+ *preasons &= dp->dp_reasons;
1418
+ return 1;
1419
+ }
1420
+ }
1421
+ }
1422
+ if ((!crl->idp || !crl->idp->distpoint) &&
1423
+ (crl_score & CRL_SCORE_ISSUER_NAME)) {
1424
+ return 1;
1425
+ }
1426
+ return 0;
1503
1427
  }
1504
1428
 
1505
- /*
1506
- * Retrieve CRL corresponding to current certificate. If deltas enabled try
1507
- * to find a delta CRL too
1508
- */
1429
+ // Retrieve CRL corresponding to current certificate. If deltas enabled try
1430
+ // to find a delta CRL too
1509
1431
 
1510
- static int get_crl_delta(X509_STORE_CTX *ctx,
1511
- X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1512
- {
1513
- int ok;
1514
- X509 *issuer = NULL;
1515
- int crl_score = 0;
1516
- unsigned int reasons;
1517
- X509_CRL *crl = NULL, *dcrl = NULL;
1518
- STACK_OF(X509_CRL) *skcrl;
1519
- X509_NAME *nm = X509_get_issuer_name(x);
1520
- reasons = ctx->current_reasons;
1521
- ok = get_crl_sk(ctx, &crl, &dcrl,
1522
- &issuer, &crl_score, &reasons, ctx->crls);
1432
+ static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
1433
+ X509 *x) {
1434
+ int ok;
1435
+ X509 *issuer = NULL;
1436
+ int crl_score = 0;
1437
+ unsigned int reasons;
1438
+ X509_CRL *crl = NULL, *dcrl = NULL;
1439
+ STACK_OF(X509_CRL) *skcrl;
1440
+ X509_NAME *nm = X509_get_issuer_name(x);
1441
+ reasons = ctx->current_reasons;
1442
+ ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, ctx->crls);
1523
1443
 
1524
- if (ok)
1525
- goto done;
1444
+ if (ok) {
1445
+ goto done;
1446
+ }
1526
1447
 
1527
- /* Lookup CRLs from store */
1448
+ // Lookup CRLs from store
1528
1449
 
1529
- skcrl = ctx->lookup_crls(ctx, nm);
1450
+ skcrl = ctx->lookup_crls(ctx, nm);
1530
1451
 
1531
- /* If no CRLs found and a near match from get_crl_sk use that */
1532
- if (!skcrl && crl)
1533
- goto done;
1452
+ // If no CRLs found and a near match from get_crl_sk use that
1453
+ if (!skcrl && crl) {
1454
+ goto done;
1455
+ }
1534
1456
 
1535
- get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1457
+ get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1536
1458
 
1537
- sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1459
+ sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1538
1460
 
1539
- done:
1461
+ done:
1540
1462
 
1541
- /* If we got any kind of CRL use it and return success */
1542
- if (crl) {
1543
- ctx->current_issuer = issuer;
1544
- ctx->current_crl_score = crl_score;
1545
- ctx->current_reasons = reasons;
1546
- *pcrl = crl;
1547
- *pdcrl = dcrl;
1548
- return 1;
1463
+ // If we got any kind of CRL use it and return success
1464
+ if (crl) {
1465
+ ctx->current_issuer = issuer;
1466
+ ctx->current_crl_score = crl_score;
1467
+ ctx->current_reasons = reasons;
1468
+ *pcrl = crl;
1469
+ *pdcrl = dcrl;
1470
+ return 1;
1471
+ }
1472
+
1473
+ return 0;
1474
+ }
1475
+
1476
+ // Check CRL validity
1477
+ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) {
1478
+ X509 *issuer = NULL;
1479
+ EVP_PKEY *ikey = NULL;
1480
+ int ok = 0;
1481
+ int cnum = ctx->error_depth;
1482
+ int chnum = (int)sk_X509_num(ctx->chain) - 1;
1483
+ // if we have an alternative CRL issuer cert use that
1484
+ if (ctx->current_issuer) {
1485
+ issuer = ctx->current_issuer;
1486
+ }
1487
+
1488
+ // Else find CRL issuer: if not last certificate then issuer is next
1489
+ // certificate in chain.
1490
+ else if (cnum < chnum) {
1491
+ issuer = sk_X509_value(ctx->chain, cnum + 1);
1492
+ } else {
1493
+ issuer = sk_X509_value(ctx->chain, chnum);
1494
+ // If not self signed, can't check signature
1495
+ if (!ctx->check_issued(ctx, issuer, issuer)) {
1496
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1497
+ ok = ctx->verify_cb(0, ctx);
1498
+ if (!ok) {
1499
+ goto err;
1500
+ }
1549
1501
  }
1502
+ }
1550
1503
 
1551
- return 0;
1552
- }
1553
-
1554
- /* Check CRL validity */
1555
- static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1556
- {
1557
- X509 *issuer = NULL;
1558
- EVP_PKEY *ikey = NULL;
1559
- int ok = 0, chnum, cnum;
1560
- cnum = ctx->error_depth;
1561
- chnum = sk_X509_num(ctx->chain) - 1;
1562
- /* if we have an alternative CRL issuer cert use that */
1563
- if (ctx->current_issuer)
1564
- issuer = ctx->current_issuer;
1565
-
1566
- /*
1567
- * Else find CRL issuer: if not last certificate then issuer is next
1568
- * certificate in chain.
1569
- */
1570
- else if (cnum < chnum)
1571
- issuer = sk_X509_value(ctx->chain, cnum + 1);
1572
- else {
1573
- issuer = sk_X509_value(ctx->chain, chnum);
1574
- /* If not self signed, can't check signature */
1575
- if (!ctx->check_issued(ctx, issuer, issuer)) {
1576
- ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1577
- ok = ctx->verify_cb(0, ctx);
1578
- if (!ok)
1579
- goto err;
1504
+ if (issuer) {
1505
+ // Skip most tests for deltas because they have already been done
1506
+ if (!crl->base_crl_number) {
1507
+ // Check for cRLSign bit if keyUsage present
1508
+ if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1509
+ !(issuer->ex_kusage & KU_CRL_SIGN)) {
1510
+ ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1511
+ ok = ctx->verify_cb(0, ctx);
1512
+ if (!ok) {
1513
+ goto err;
1580
1514
  }
1581
- }
1582
-
1583
- if (issuer) {
1584
- /*
1585
- * Skip most tests for deltas because they have already been done
1586
- */
1587
- if (!crl->base_crl_number) {
1588
- /* Check for cRLSign bit if keyUsage present */
1589
- if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1590
- !(issuer->ex_kusage & KU_CRL_SIGN)) {
1591
- ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1592
- ok = ctx->verify_cb(0, ctx);
1593
- if (!ok)
1594
- goto err;
1595
- }
1596
-
1597
- if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1598
- ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1599
- ok = ctx->verify_cb(0, ctx);
1600
- if (!ok)
1601
- goto err;
1602
- }
1603
-
1604
- if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
1605
- if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
1606
- ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1607
- ok = ctx->verify_cb(0, ctx);
1608
- if (!ok)
1609
- goto err;
1610
- }
1611
- }
1612
-
1613
- if (crl->idp_flags & IDP_INVALID) {
1614
- ctx->error = X509_V_ERR_INVALID_EXTENSION;
1615
- ok = ctx->verify_cb(0, ctx);
1616
- if (!ok)
1617
- goto err;
1618
- }
1515
+ }
1619
1516
 
1517
+ if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1518
+ ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1519
+ ok = ctx->verify_cb(0, ctx);
1520
+ if (!ok) {
1521
+ goto err;
1620
1522
  }
1523
+ }
1621
1524
 
1622
- if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
1623
- ok = check_crl_time(ctx, crl, 1);
1624
- if (!ok)
1625
- goto err;
1525
+ if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
1526
+ if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
1527
+ ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1528
+ ok = ctx->verify_cb(0, ctx);
1529
+ if (!ok) {
1530
+ goto err;
1531
+ }
1626
1532
  }
1533
+ }
1627
1534
 
1628
- /* Attempt to get issuer certificate public key */
1629
- ikey = X509_get_pubkey(issuer);
1630
-
1631
- if (!ikey) {
1632
- ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1633
- ok = ctx->verify_cb(0, ctx);
1634
- if (!ok)
1635
- goto err;
1636
- } else {
1637
- int rv;
1638
- rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
1639
- if (rv != X509_V_OK) {
1640
- ctx->error = rv;
1641
- ok = ctx->verify_cb(0, ctx);
1642
- if (!ok)
1643
- goto err;
1644
- }
1645
- /* Verify CRL signature */
1646
- if (X509_CRL_verify(crl, ikey) <= 0) {
1647
- ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
1648
- ok = ctx->verify_cb(0, ctx);
1649
- if (!ok)
1650
- goto err;
1651
- }
1535
+ if (crl->idp_flags & IDP_INVALID) {
1536
+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
1537
+ ok = ctx->verify_cb(0, ctx);
1538
+ if (!ok) {
1539
+ goto err;
1652
1540
  }
1541
+ }
1653
1542
  }
1654
1543
 
1655
- ok = 1;
1544
+ if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
1545
+ ok = check_crl_time(ctx, crl, 1);
1546
+ if (!ok) {
1547
+ goto err;
1548
+ }
1549
+ }
1656
1550
 
1657
- err:
1658
- EVP_PKEY_free(ikey);
1659
- return ok;
1660
- }
1551
+ // Attempt to get issuer certificate public key
1552
+ ikey = X509_get_pubkey(issuer);
1661
1553
 
1662
- /* Check certificate against CRL */
1663
- static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1664
- {
1665
- int ok;
1666
- X509_REVOKED *rev;
1667
- /*
1668
- * The rules changed for this... previously if a CRL contained unhandled
1669
- * critical extensions it could still be used to indicate a certificate
1670
- * was revoked. This has since been changed since critical extension can
1671
- * change the meaning of CRL entries.
1672
- */
1673
- if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1674
- && (crl->flags & EXFLAG_CRITICAL)) {
1675
- ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1676
- ok = ctx->verify_cb(0, ctx);
1677
- if (!ok)
1678
- return 0;
1679
- }
1680
- /*
1681
- * Look for serial number of certificate in CRL If found make sure reason
1682
- * is not removeFromCRL.
1683
- */
1684
- if (X509_CRL_get0_by_cert(crl, &rev, x)) {
1685
- if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1686
- return 2;
1687
- ctx->error = X509_V_ERR_CERT_REVOKED;
1554
+ if (!ikey) {
1555
+ ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1556
+ ok = ctx->verify_cb(0, ctx);
1557
+ if (!ok) {
1558
+ goto err;
1559
+ }
1560
+ } else {
1561
+ // Verify CRL signature
1562
+ if (X509_CRL_verify(crl, ikey) <= 0) {
1563
+ ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
1688
1564
  ok = ctx->verify_cb(0, ctx);
1689
- if (!ok)
1690
- return 0;
1565
+ if (!ok) {
1566
+ goto err;
1567
+ }
1568
+ }
1691
1569
  }
1570
+ }
1692
1571
 
1693
- return 1;
1572
+ ok = 1;
1573
+
1574
+ err:
1575
+ EVP_PKEY_free(ikey);
1576
+ return ok;
1694
1577
  }
1695
1578
 
1696
- static int check_policy(X509_STORE_CTX *ctx)
1697
- {
1698
- int ret;
1699
- if (ctx->parent)
1700
- return 1;
1701
- ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1702
- ctx->param->policies, ctx->param->flags);
1703
- if (ret == 0) {
1704
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
1705
- ctx->error = X509_V_ERR_OUT_OF_MEM;
1706
- return 0;
1579
+ // Check certificate against CRL
1580
+ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) {
1581
+ int ok;
1582
+ X509_REVOKED *rev;
1583
+ // The rules changed for this... previously if a CRL contained unhandled
1584
+ // critical extensions it could still be used to indicate a certificate
1585
+ // was revoked. This has since been changed since critical extension can
1586
+ // change the meaning of CRL entries.
1587
+ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
1588
+ (crl->flags & EXFLAG_CRITICAL)) {
1589
+ ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1590
+ ok = ctx->verify_cb(0, ctx);
1591
+ if (!ok) {
1592
+ return 0;
1707
1593
  }
1708
- /* Invalid or inconsistent extensions */
1709
- if (ret == -1) {
1710
- /*
1711
- * Locate certificates with bad extensions and notify callback.
1712
- */
1713
- X509 *x;
1714
- size_t i;
1715
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
1716
- x = sk_X509_value(ctx->chain, i);
1717
- if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1718
- continue;
1719
- ctx->current_cert = x;
1720
- ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1721
- if (!ctx->verify_cb(0, ctx))
1722
- return 0;
1723
- }
1724
- return 1;
1594
+ }
1595
+ // Look for serial number of certificate in CRL If found make sure reason
1596
+ // is not removeFromCRL.
1597
+ if (X509_CRL_get0_by_cert(crl, &rev, x)) {
1598
+ if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) {
1599
+ return 2;
1725
1600
  }
1726
- if (ret == -2) {
1727
- ctx->current_cert = NULL;
1728
- ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1729
- return ctx->verify_cb(0, ctx);
1730
- }
1731
-
1732
- if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
1733
- ctx->current_cert = NULL;
1734
- /*
1735
- * Verification errors need to be "sticky", a callback may have allowed
1736
- * an SSL handshake to continue despite an error, and we must then
1737
- * remain in an error state. Therefore, we MUST NOT clear earlier
1738
- * verification errors by setting the error to X509_V_OK.
1739
- */
1740
- if (!ctx->verify_cb(2, ctx))
1741
- return 0;
1601
+ ctx->error = X509_V_ERR_CERT_REVOKED;
1602
+ ok = ctx->verify_cb(0, ctx);
1603
+ if (!ok) {
1604
+ return 0;
1742
1605
  }
1606
+ }
1743
1607
 
1744
- return 1;
1608
+ return 1;
1745
1609
  }
1746
1610
 
1747
- static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1748
- {
1749
- time_t *ptime;
1750
- int i;
1611
+ static int check_policy(X509_STORE_CTX *ctx) {
1612
+ // TODO(davidben): Why do we disable policy validation for CRL paths?
1613
+ if (ctx->parent) {
1614
+ return 1;
1615
+ }
1751
1616
 
1752
- if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1753
- ptime = &ctx->param->check_time;
1754
- else
1755
- ptime = NULL;
1617
+ X509 *current_cert = NULL;
1618
+ int ret = X509_policy_check(ctx->chain, ctx->param->policies,
1619
+ ctx->param->flags, &current_cert);
1620
+ if (ret != X509_V_OK) {
1621
+ ctx->current_cert = current_cert;
1622
+ ctx->error = ret;
1623
+ if (ret == X509_V_ERR_OUT_OF_MEM) {
1624
+ return 0;
1625
+ }
1626
+ return ctx->verify_cb(0, ctx);
1627
+ }
1756
1628
 
1757
- i = X509_cmp_time(X509_get_notBefore(x), ptime);
1758
- if (i == 0) {
1759
- ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1760
- ctx->current_cert = x;
1761
- if (!ctx->verify_cb(0, ctx))
1762
- return 0;
1629
+ if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
1630
+ ctx->current_cert = NULL;
1631
+ // Verification errors need to be "sticky", a callback may have allowed
1632
+ // an SSL handshake to continue despite an error, and we must then
1633
+ // remain in an error state. Therefore, we MUST NOT clear earlier
1634
+ // verification errors by setting the error to X509_V_OK.
1635
+ if (!ctx->verify_cb(2, ctx)) {
1636
+ return 0;
1763
1637
  }
1638
+ }
1764
1639
 
1765
- if (i > 0) {
1766
- ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
1767
- ctx->current_cert = x;
1768
- if (!ctx->verify_cb(0, ctx))
1769
- return 0;
1640
+ return 1;
1641
+ }
1642
+
1643
+ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) {
1644
+ if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) {
1645
+ return 1;
1646
+ }
1647
+
1648
+ int64_t ptime;
1649
+ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) {
1650
+ ptime = ctx->param->check_time;
1651
+ } else {
1652
+ ptime = time(NULL);
1653
+ }
1654
+
1655
+ int i = X509_cmp_time_posix(X509_get_notBefore(x), ptime);
1656
+ if (i == 0) {
1657
+ ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1658
+ ctx->current_cert = x;
1659
+ if (!ctx->verify_cb(0, ctx)) {
1660
+ return 0;
1770
1661
  }
1662
+ }
1771
1663
 
1772
- i = X509_cmp_time(X509_get_notAfter(x), ptime);
1773
- if (i == 0) {
1774
- ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1775
- ctx->current_cert = x;
1776
- if (!ctx->verify_cb(0, ctx))
1777
- return 0;
1664
+ if (i > 0) {
1665
+ ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
1666
+ ctx->current_cert = x;
1667
+ if (!ctx->verify_cb(0, ctx)) {
1668
+ return 0;
1778
1669
  }
1670
+ }
1779
1671
 
1780
- if (i < 0) {
1781
- ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
1782
- ctx->current_cert = x;
1783
- if (!ctx->verify_cb(0, ctx))
1784
- return 0;
1672
+ i = X509_cmp_time_posix(X509_get_notAfter(x), ptime);
1673
+ if (i == 0) {
1674
+ ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1675
+ ctx->current_cert = x;
1676
+ if (!ctx->verify_cb(0, ctx)) {
1677
+ return 0;
1785
1678
  }
1679
+ }
1786
1680
 
1787
- return 1;
1681
+ if (i < 0) {
1682
+ ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
1683
+ ctx->current_cert = x;
1684
+ if (!ctx->verify_cb(0, ctx)) {
1685
+ return 0;
1686
+ }
1687
+ }
1688
+
1689
+ return 1;
1788
1690
  }
1789
1691
 
1790
- static int internal_verify(X509_STORE_CTX *ctx)
1791
- {
1792
- int ok = 0, n;
1793
- X509 *xs, *xi;
1794
- EVP_PKEY *pkey = NULL;
1795
- int (*cb) (int xok, X509_STORE_CTX *xctx);
1692
+ static int internal_verify(X509_STORE_CTX *ctx) {
1693
+ int ok = 0;
1694
+ X509 *xs, *xi;
1695
+ EVP_PKEY *pkey = NULL;
1796
1696
 
1797
- cb = ctx->verify_cb;
1697
+ int n = (int)sk_X509_num(ctx->chain);
1698
+ ctx->error_depth = n - 1;
1699
+ n--;
1700
+ xi = sk_X509_value(ctx->chain, n);
1798
1701
 
1799
- n = sk_X509_num(ctx->chain);
1800
- ctx->error_depth = n - 1;
1801
- n--;
1802
- xi = sk_X509_value(ctx->chain, n);
1803
-
1804
- if (ctx->check_issued(ctx, xi, xi))
1805
- xs = xi;
1806
- else {
1807
- if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
1808
- xs = xi;
1809
- goto check_cert;
1702
+ if (ctx->check_issued(ctx, xi, xi)) {
1703
+ xs = xi;
1704
+ } else {
1705
+ if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
1706
+ xs = xi;
1707
+ goto check_cert;
1708
+ }
1709
+ if (n <= 0) {
1710
+ ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1711
+ ctx->current_cert = xi;
1712
+ ok = ctx->verify_cb(0, ctx);
1713
+ goto end;
1714
+ } else {
1715
+ n--;
1716
+ ctx->error_depth = n;
1717
+ xs = sk_X509_value(ctx->chain, n);
1718
+ }
1719
+ }
1720
+
1721
+ // ctx->error=0; not needed
1722
+ while (n >= 0) {
1723
+ ctx->error_depth = n;
1724
+
1725
+ // Skip signature check for self signed certificates unless
1726
+ // explicitly asked for. It doesn't add any security and just wastes
1727
+ // time.
1728
+ if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
1729
+ if ((pkey = X509_get_pubkey(xi)) == NULL) {
1730
+ ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1731
+ ctx->current_cert = xi;
1732
+ ok = ctx->verify_cb(0, ctx);
1733
+ if (!ok) {
1734
+ goto end;
1810
1735
  }
1811
- if (n <= 0) {
1812
- ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1813
- ctx->current_cert = xi;
1814
- ok = cb(0, ctx);
1815
- goto end;
1816
- } else {
1817
- n--;
1818
- ctx->error_depth = n;
1819
- xs = sk_X509_value(ctx->chain, n);
1736
+ } else if (X509_verify(xs, pkey) <= 0) {
1737
+ ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
1738
+ ctx->current_cert = xs;
1739
+ ok = ctx->verify_cb(0, ctx);
1740
+ if (!ok) {
1741
+ EVP_PKEY_free(pkey);
1742
+ goto end;
1820
1743
  }
1744
+ }
1745
+ EVP_PKEY_free(pkey);
1746
+ pkey = NULL;
1821
1747
  }
1822
1748
 
1823
- /* ctx->error=0; not needed */
1824
- while (n >= 0) {
1825
- ctx->error_depth = n;
1826
-
1827
- /*
1828
- * Skip signature check for self signed certificates unless
1829
- * explicitly asked for. It doesn't add any security and just wastes
1830
- * time.
1831
- */
1832
- if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
1833
- if ((pkey = X509_get_pubkey(xi)) == NULL) {
1834
- ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1835
- ctx->current_cert = xi;
1836
- ok = (*cb) (0, ctx);
1837
- if (!ok)
1838
- goto end;
1839
- } else if (X509_verify(xs, pkey) <= 0) {
1840
- ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
1841
- ctx->current_cert = xs;
1842
- ok = (*cb) (0, ctx);
1843
- if (!ok) {
1844
- EVP_PKEY_free(pkey);
1845
- goto end;
1846
- }
1847
- }
1848
- EVP_PKEY_free(pkey);
1849
- pkey = NULL;
1850
- }
1851
-
1852
- check_cert:
1853
- ok = check_cert_time(ctx, xs);
1854
- if (!ok)
1855
- goto end;
1856
-
1857
- /* The last error (if any) is still in the error value */
1858
- ctx->current_issuer = xi;
1859
- ctx->current_cert = xs;
1860
- ok = (*cb) (1, ctx);
1861
- if (!ok)
1862
- goto end;
1863
-
1864
- n--;
1865
- if (n >= 0) {
1866
- xi = xs;
1867
- xs = sk_X509_value(ctx->chain, n);
1868
- }
1749
+ check_cert:
1750
+ ok = check_cert_time(ctx, xs);
1751
+ if (!ok) {
1752
+ goto end;
1869
1753
  }
1870
- ok = 1;
1871
- end:
1872
- return ok;
1873
- }
1874
-
1875
- int X509_cmp_current_time(const ASN1_TIME *ctm)
1876
- {
1877
- return X509_cmp_time(ctm, NULL);
1878
- }
1879
-
1880
- int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1881
- {
1882
- static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1;
1883
- static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1;
1884
- ASN1_TIME *asn1_cmp_time = NULL;
1885
- int i, day, sec, ret = 0;
1886
-
1887
- /*
1888
- * Note that ASN.1 allows much more slack in the time format than RFC 5280.
1889
- * In RFC 5280, the representation is fixed:
1890
- * UTCTime: YYMMDDHHMMSSZ
1891
- * GeneralizedTime: YYYYMMDDHHMMSSZ
1892
- *
1893
- * We do NOT currently enforce the following RFC 5280 requirement:
1894
- * "CAs conforming to this profile MUST always encode certificate
1895
- * validity dates through the year 2049 as UTCTime; certificate validity
1896
- * dates in 2050 or later MUST be encoded as GeneralizedTime."
1897
- */
1898
- switch (ctm->type) {
1899
- case V_ASN1_UTCTIME:
1900
- if (ctm->length != (int)(utctime_length))
1901
- return 0;
1902
- break;
1903
- case V_ASN1_GENERALIZEDTIME:
1904
- if (ctm->length != (int)(generalizedtime_length))
1905
- return 0;
1906
- break;
1907
- default:
1908
- return 0;
1754
+
1755
+ // The last error (if any) is still in the error value
1756
+ ctx->current_issuer = xi;
1757
+ ctx->current_cert = xs;
1758
+ ok = ctx->verify_cb(1, ctx);
1759
+ if (!ok) {
1760
+ goto end;
1909
1761
  }
1910
1762
 
1911
- /**
1912
- * Verify the format: the ASN.1 functions we use below allow a more
1913
- * flexible format than what's mandated by RFC 5280.
1914
- * Digit and date ranges will be verified in the conversion methods.
1915
- */
1916
- for (i = 0; i < ctm->length - 1; i++) {
1917
- if (!isdigit(ctm->data[i]))
1918
- return 0;
1763
+ n--;
1764
+ if (n >= 0) {
1765
+ xi = xs;
1766
+ xs = sk_X509_value(ctx->chain, n);
1919
1767
  }
1920
- if (ctm->data[ctm->length - 1] != 'Z')
1921
- return 0;
1768
+ }
1769
+ ok = 1;
1770
+ end:
1771
+ return ok;
1772
+ }
1922
1773
 
1923
- /*
1924
- * There is ASN1_UTCTIME_cmp_time_t but no
1925
- * ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t,
1926
- * so we go through ASN.1
1927
- */
1928
- asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time);
1929
- if (asn1_cmp_time == NULL)
1930
- goto err;
1931
- if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time))
1932
- goto err;
1774
+ int X509_cmp_current_time(const ASN1_TIME *ctm) {
1775
+ return X509_cmp_time_posix(ctm, time(NULL));
1776
+ }
1933
1777
 
1934
- /*
1935
- * X509_cmp_time comparison is <=.
1936
- * The return value 0 is reserved for errors.
1937
- */
1938
- ret = (day >= 0 && sec >= 0) ? -1 : 1;
1778
+ int X509_cmp_time(const ASN1_TIME *ctm, const time_t *cmp_time) {
1779
+ int64_t compare_time = (cmp_time == NULL) ? time(NULL) : *cmp_time;
1780
+ return X509_cmp_time_posix(ctm, compare_time);
1781
+ }
1939
1782
 
1940
- err:
1941
- ASN1_TIME_free(asn1_cmp_time);
1942
- return ret;
1783
+ int X509_cmp_time_posix(const ASN1_TIME *ctm, int64_t cmp_time) {
1784
+ int64_t ctm_time;
1785
+ if (!ASN1_TIME_to_posix(ctm, &ctm_time)) {
1786
+ return 0;
1787
+ }
1788
+ // The return value 0 is reserved for errors.
1789
+ return (ctm_time - cmp_time <= 0) ? -1 : 1;
1943
1790
  }
1944
1791
 
1945
- ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec)
1946
- {
1947
- return X509_time_adj(s, offset_sec, NULL);
1792
+ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec) {
1793
+ return X509_time_adj(s, offset_sec, NULL);
1948
1794
  }
1949
1795
 
1950
- ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1951
- {
1952
- return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1796
+ ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, const time_t *in_tm) {
1797
+ return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1953
1798
  }
1954
1799
 
1955
- ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
1956
- int offset_day, long offset_sec, time_t *in_tm)
1957
- {
1958
- time_t t = 0;
1800
+ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec,
1801
+ const time_t *in_tm) {
1802
+ int64_t t = 0;
1959
1803
 
1960
- if (in_tm) {
1961
- t = *in_tm;
1962
- } else {
1963
- time(&t);
1964
- }
1965
-
1966
- return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1967
- }
1968
-
1969
- /* Make a delta CRL as the diff between two full CRLs */
1970
-
1971
- X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
1972
- EVP_PKEY *skey, const EVP_MD *md, unsigned int flags)
1973
- {
1974
- X509_CRL *crl = NULL;
1975
- int i;
1976
- size_t j;
1977
- STACK_OF(X509_REVOKED) *revs = NULL;
1978
- /* CRLs can't be delta already */
1979
- if (base->base_crl_number || newer->base_crl_number) {
1980
- OPENSSL_PUT_ERROR(X509, X509_R_CRL_ALREADY_DELTA);
1981
- return NULL;
1982
- }
1983
- /* Base and new CRL must have a CRL number */
1984
- if (!base->crl_number || !newer->crl_number) {
1985
- OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_NUMBER);
1986
- return NULL;
1987
- }
1988
- /* Issuer names must match */
1989
- if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {
1990
- OPENSSL_PUT_ERROR(X509, X509_R_ISSUER_MISMATCH);
1991
- return NULL;
1992
- }
1993
- /* AKID and IDP must match */
1994
- if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {
1995
- OPENSSL_PUT_ERROR(X509, X509_R_AKID_MISMATCH);
1996
- return NULL;
1997
- }
1998
- if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) {
1999
- OPENSSL_PUT_ERROR(X509, X509_R_IDP_MISMATCH);
2000
- return NULL;
2001
- }
2002
- /* Newer CRL number must exceed full CRL number */
2003
- if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {
2004
- OPENSSL_PUT_ERROR(X509, X509_R_NEWER_CRL_NOT_NEWER);
2005
- return NULL;
2006
- }
2007
- /* CRLs must verify */
2008
- if (skey && (X509_CRL_verify(base, skey) <= 0 ||
2009
- X509_CRL_verify(newer, skey) <= 0)) {
2010
- OPENSSL_PUT_ERROR(X509, X509_R_CRL_VERIFY_FAILURE);
2011
- return NULL;
2012
- }
2013
- /* Create new CRL */
2014
- crl = X509_CRL_new();
2015
- if (!crl || !X509_CRL_set_version(crl, X509_CRL_VERSION_2))
2016
- goto memerr;
2017
- /* Set issuer name */
2018
- if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
2019
- goto memerr;
1804
+ if (in_tm) {
1805
+ t = *in_tm;
1806
+ } else {
1807
+ t = time(NULL);
1808
+ }
2020
1809
 
2021
- if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer)))
2022
- goto memerr;
2023
- if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer)))
2024
- goto memerr;
1810
+ return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1811
+ }
2025
1812
 
2026
- /* Set base CRL number: must be critical */
1813
+ // Make a delta CRL as the diff between two full CRLs
2027
1814
 
2028
- if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0))
1815
+ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, EVP_PKEY *skey,
1816
+ const EVP_MD *md, unsigned int flags) {
1817
+ X509_CRL *crl = NULL;
1818
+ int i;
1819
+ size_t j;
1820
+ STACK_OF(X509_REVOKED) *revs = NULL;
1821
+ // CRLs can't be delta already
1822
+ if (base->base_crl_number || newer->base_crl_number) {
1823
+ OPENSSL_PUT_ERROR(X509, X509_R_CRL_ALREADY_DELTA);
1824
+ return NULL;
1825
+ }
1826
+ // Base and new CRL must have a CRL number
1827
+ if (!base->crl_number || !newer->crl_number) {
1828
+ OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_NUMBER);
1829
+ return NULL;
1830
+ }
1831
+ // Issuer names must match
1832
+ if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {
1833
+ OPENSSL_PUT_ERROR(X509, X509_R_ISSUER_MISMATCH);
1834
+ return NULL;
1835
+ }
1836
+ // AKID and IDP must match
1837
+ if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {
1838
+ OPENSSL_PUT_ERROR(X509, X509_R_AKID_MISMATCH);
1839
+ return NULL;
1840
+ }
1841
+ if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) {
1842
+ OPENSSL_PUT_ERROR(X509, X509_R_IDP_MISMATCH);
1843
+ return NULL;
1844
+ }
1845
+ // Newer CRL number must exceed full CRL number
1846
+ if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {
1847
+ OPENSSL_PUT_ERROR(X509, X509_R_NEWER_CRL_NOT_NEWER);
1848
+ return NULL;
1849
+ }
1850
+ // CRLs must verify
1851
+ if (skey &&
1852
+ (X509_CRL_verify(base, skey) <= 0 || X509_CRL_verify(newer, skey) <= 0)) {
1853
+ OPENSSL_PUT_ERROR(X509, X509_R_CRL_VERIFY_FAILURE);
1854
+ return NULL;
1855
+ }
1856
+ // Create new CRL
1857
+ crl = X509_CRL_new();
1858
+ if (!crl || !X509_CRL_set_version(crl, X509_CRL_VERSION_2)) {
1859
+ goto memerr;
1860
+ }
1861
+ // Set issuer name
1862
+ if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer))) {
1863
+ goto memerr;
1864
+ }
1865
+
1866
+ if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer))) {
1867
+ goto memerr;
1868
+ }
1869
+ if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer))) {
1870
+ goto memerr;
1871
+ }
1872
+
1873
+ // Set base CRL number: must be critical
1874
+
1875
+ if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0)) {
1876
+ goto memerr;
1877
+ }
1878
+
1879
+ // Copy extensions across from newest CRL to delta: this will set CRL
1880
+ // number to correct value too.
1881
+
1882
+ for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
1883
+ const X509_EXTENSION *ext = X509_CRL_get_ext(newer, i);
1884
+ if (!X509_CRL_add_ext(crl, ext, -1)) {
1885
+ goto memerr;
1886
+ }
1887
+ }
1888
+
1889
+ // Go through revoked entries, copying as needed
1890
+
1891
+ revs = X509_CRL_get_REVOKED(newer);
1892
+
1893
+ for (j = 0; j < sk_X509_REVOKED_num(revs); j++) {
1894
+ X509_REVOKED *rvn, *rvtmp;
1895
+ rvn = sk_X509_REVOKED_value(revs, j);
1896
+ // Add only if not also in base. TODO: need something cleverer here
1897
+ // for some more complex CRLs covering multiple CAs.
1898
+ if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
1899
+ rvtmp = X509_REVOKED_dup(rvn);
1900
+ if (!rvtmp) {
2029
1901
  goto memerr;
2030
-
2031
- /*
2032
- * Copy extensions across from newest CRL to delta: this will set CRL
2033
- * number to correct value too.
2034
- */
2035
-
2036
- for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
2037
- X509_EXTENSION *ext;
2038
- ext = X509_CRL_get_ext(newer, i);
2039
- if (!X509_CRL_add_ext(crl, ext, -1))
2040
- goto memerr;
2041
- }
2042
-
2043
- /* Go through revoked entries, copying as needed */
2044
-
2045
- revs = X509_CRL_get_REVOKED(newer);
2046
-
2047
- for (j = 0; j < sk_X509_REVOKED_num(revs); j++) {
2048
- X509_REVOKED *rvn, *rvtmp;
2049
- rvn = sk_X509_REVOKED_value(revs, j);
2050
- /*
2051
- * Add only if not also in base. TODO: need something cleverer here
2052
- * for some more complex CRLs covering multiple CAs.
2053
- */
2054
- if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
2055
- rvtmp = X509_REVOKED_dup(rvn);
2056
- if (!rvtmp)
2057
- goto memerr;
2058
- if (!X509_CRL_add0_revoked(crl, rvtmp)) {
2059
- X509_REVOKED_free(rvtmp);
2060
- goto memerr;
2061
- }
2062
- }
1902
+ }
1903
+ if (!X509_CRL_add0_revoked(crl, rvtmp)) {
1904
+ X509_REVOKED_free(rvtmp);
1905
+ goto memerr;
1906
+ }
2063
1907
  }
2064
- /* TODO: optionally prune deleted entries */
1908
+ }
1909
+ // TODO: optionally prune deleted entries
2065
1910
 
2066
- if (skey && md && !X509_CRL_sign(crl, skey, md))
2067
- goto memerr;
1911
+ if (skey && md && !X509_CRL_sign(crl, skey, md)) {
1912
+ goto memerr;
1913
+ }
2068
1914
 
2069
- return crl;
1915
+ return crl;
2070
1916
 
2071
- memerr:
2072
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
2073
- if (crl)
2074
- X509_CRL_free(crl);
2075
- return NULL;
1917
+ memerr:
1918
+ if (crl) {
1919
+ X509_CRL_free(crl);
1920
+ }
1921
+ return NULL;
2076
1922
  }
2077
1923
 
2078
1924
  int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
2079
- CRYPTO_EX_unused * unused,
1925
+ CRYPTO_EX_unused *unused,
2080
1926
  CRYPTO_EX_dup *dup_unused,
2081
- CRYPTO_EX_free *free_func)
2082
- {
2083
- /*
2084
- * This function is (usually) called only once, by
2085
- * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c).
2086
- */
2087
- int index;
2088
- if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
2089
- free_func)) {
2090
- return -1;
2091
- }
2092
- return index;
1927
+ CRYPTO_EX_free *free_func) {
1928
+ // This function is (usually) called only once, by
1929
+ // SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c).
1930
+ int index;
1931
+ if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
1932
+ free_func)) {
1933
+ return -1;
1934
+ }
1935
+ return index;
2093
1936
  }
2094
1937
 
2095
- int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
2096
- {
2097
- return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
1938
+ int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) {
1939
+ return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
2098
1940
  }
2099
1941
 
2100
- void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
2101
- {
2102
- return CRYPTO_get_ex_data(&ctx->ex_data, idx);
1942
+ void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) {
1943
+ return CRYPTO_get_ex_data(&ctx->ex_data, idx);
2103
1944
  }
2104
1945
 
2105
- int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
2106
- {
2107
- return ctx->error;
2108
- }
1946
+ int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) { return ctx->error; }
2109
1947
 
2110
- void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
2111
- {
2112
- ctx->error = err;
1948
+ void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) {
1949
+ ctx->error = err;
2113
1950
  }
2114
1951
 
2115
- int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
2116
- {
2117
- return ctx->error_depth;
1952
+ int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) {
1953
+ return ctx->error_depth;
2118
1954
  }
2119
1955
 
2120
- X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
2121
- {
2122
- return ctx->current_cert;
1956
+ X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) {
1957
+ return ctx->current_cert;
2123
1958
  }
2124
1959
 
2125
- STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
2126
- {
2127
- return ctx->chain;
1960
+ STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) {
1961
+ return ctx->chain;
2128
1962
  }
2129
1963
 
2130
- STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
2131
- {
2132
- return ctx->chain;
1964
+ STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx) {
1965
+ return ctx->chain;
2133
1966
  }
2134
1967
 
2135
- STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
2136
- {
2137
- if (!ctx->chain)
2138
- return NULL;
2139
- return X509_chain_up_ref(ctx->chain);
1968
+ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) {
1969
+ if (!ctx->chain) {
1970
+ return NULL;
1971
+ }
1972
+ return X509_chain_up_ref(ctx->chain);
2140
1973
  }
2141
1974
 
2142
- X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
2143
- {
2144
- return ctx->current_issuer;
1975
+ X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) {
1976
+ return ctx->current_issuer;
2145
1977
  }
2146
1978
 
2147
- X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
2148
- {
2149
- return ctx->current_crl;
1979
+ X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) {
1980
+ return ctx->current_crl;
2150
1981
  }
2151
1982
 
2152
- X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
2153
- {
2154
- return ctx->parent;
1983
+ X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) {
1984
+ return ctx->parent;
2155
1985
  }
2156
1986
 
2157
- void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
2158
- {
2159
- ctx->cert = x;
2160
- }
1987
+ void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) { ctx->cert = x; }
2161
1988
 
2162
- void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2163
- {
2164
- ctx->untrusted = sk;
1989
+ void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) {
1990
+ ctx->untrusted = sk;
2165
1991
  }
2166
1992
 
2167
- STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
2168
- {
2169
- return ctx->untrusted;
1993
+ STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) {
1994
+ return ctx->untrusted;
2170
1995
  }
2171
1996
 
2172
- void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
2173
- {
2174
- ctx->crls = sk;
1997
+ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) {
1998
+ ctx->crls = sk;
2175
1999
  }
2176
2000
 
2177
- int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
2178
- {
2179
- return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
2001
+ int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) {
2002
+ return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
2180
2003
  }
2181
2004
 
2182
- int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
2183
- {
2184
- return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
2005
+ int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) {
2006
+ return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
2185
2007
  }
2186
2008
 
2187
- /*
2188
- * This function is used to set the X509_STORE_CTX purpose and trust values.
2189
- * This is intended to be used when another structure has its own trust and
2190
- * purpose values which (if set) will be inherited by the ctx. If they aren't
2191
- * set then we will usually have a default purpose in mind which should then
2192
- * be used to set the trust value. An example of this is SSL use: an SSL
2193
- * structure will have its own purpose and trust settings which the
2194
- * application can set: if they aren't set then we use the default of SSL
2195
- * client/server.
2196
- */
2009
+ // This function is used to set the X509_STORE_CTX purpose and trust values.
2010
+ // This is intended to be used when another structure has its own trust and
2011
+ // purpose values which (if set) will be inherited by the ctx. If they aren't
2012
+ // set then we will usually have a default purpose in mind which should then
2013
+ // be used to set the trust value. An example of this is SSL use: an SSL
2014
+ // structure will have its own purpose and trust settings which the
2015
+ // application can set: if they aren't set then we use the default of SSL
2016
+ // client/server.
2197
2017
 
2198
2018
  int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
2199
- int purpose, int trust)
2200
- {
2201
- int idx;
2202
- /* If purpose not set use default */
2203
- if (!purpose)
2204
- purpose = def_purpose;
2205
- /* If we have a purpose then check it is valid */
2206
- if (purpose) {
2207
- X509_PURPOSE *ptmp;
2208
- idx = X509_PURPOSE_get_by_id(purpose);
2209
- if (idx == -1) {
2210
- OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
2211
- return 0;
2212
- }
2213
- ptmp = X509_PURPOSE_get0(idx);
2214
- if (ptmp->trust == X509_TRUST_DEFAULT) {
2215
- idx = X509_PURPOSE_get_by_id(def_purpose);
2216
- if (idx == -1) {
2217
- OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
2218
- return 0;
2219
- }
2220
- ptmp = X509_PURPOSE_get0(idx);
2221
- }
2222
- /* If trust not set then get from purpose default */
2223
- if (!trust)
2224
- trust = ptmp->trust;
2225
- }
2226
- if (trust) {
2227
- idx = X509_TRUST_get_by_id(trust);
2228
- if (idx == -1) {
2229
- OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID);
2230
- return 0;
2231
- }
2232
- }
2233
-
2234
- if (purpose && !ctx->param->purpose)
2235
- ctx->param->purpose = purpose;
2236
- if (trust && !ctx->param->trust)
2237
- ctx->param->trust = trust;
2238
- return 1;
2239
- }
2240
-
2241
- X509_STORE_CTX *X509_STORE_CTX_new(void)
2242
- {
2243
- X509_STORE_CTX *ctx;
2244
- ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
2245
- if (!ctx) {
2246
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
2247
- return NULL;
2248
- }
2249
- X509_STORE_CTX_zero(ctx);
2250
- return ctx;
2019
+ int purpose, int trust) {
2020
+ int idx;
2021
+ // If purpose not set use default
2022
+ if (!purpose) {
2023
+ purpose = def_purpose;
2024
+ }
2025
+ // If we have a purpose then check it is valid
2026
+ if (purpose) {
2027
+ X509_PURPOSE *ptmp;
2028
+ idx = X509_PURPOSE_get_by_id(purpose);
2029
+ if (idx == -1) {
2030
+ OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
2031
+ return 0;
2032
+ }
2033
+ ptmp = X509_PURPOSE_get0(idx);
2034
+ if (ptmp->trust == X509_TRUST_DEFAULT) {
2035
+ idx = X509_PURPOSE_get_by_id(def_purpose);
2036
+ if (idx == -1) {
2037
+ OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
2038
+ return 0;
2039
+ }
2040
+ ptmp = X509_PURPOSE_get0(idx);
2041
+ }
2042
+ // If trust not set then get from purpose default
2043
+ if (!trust) {
2044
+ trust = ptmp->trust;
2045
+ }
2046
+ }
2047
+ if (trust) {
2048
+ idx = X509_TRUST_get_by_id(trust);
2049
+ if (idx == -1) {
2050
+ OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID);
2051
+ return 0;
2052
+ }
2053
+ }
2054
+
2055
+ if (purpose && !ctx->param->purpose) {
2056
+ ctx->param->purpose = purpose;
2057
+ }
2058
+ if (trust && !ctx->param->trust) {
2059
+ ctx->param->trust = trust;
2060
+ }
2061
+ return 1;
2062
+ }
2063
+
2064
+ X509_STORE_CTX *X509_STORE_CTX_new(void) {
2065
+ X509_STORE_CTX *ctx;
2066
+ ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
2067
+ if (!ctx) {
2068
+ return NULL;
2069
+ }
2070
+ X509_STORE_CTX_zero(ctx);
2071
+ return ctx;
2251
2072
  }
2252
2073
 
2253
- void X509_STORE_CTX_zero(X509_STORE_CTX *ctx)
2254
- {
2255
- OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
2074
+ void X509_STORE_CTX_zero(X509_STORE_CTX *ctx) {
2075
+ OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
2256
2076
  }
2257
2077
 
2258
- void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
2259
- {
2260
- if (ctx == NULL) {
2261
- return;
2262
- }
2263
- X509_STORE_CTX_cleanup(ctx);
2264
- OPENSSL_free(ctx);
2078
+ void X509_STORE_CTX_free(X509_STORE_CTX *ctx) {
2079
+ if (ctx == NULL) {
2080
+ return;
2081
+ }
2082
+ X509_STORE_CTX_cleanup(ctx);
2083
+ OPENSSL_free(ctx);
2265
2084
  }
2266
2085
 
2267
2086
  int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2268
- STACK_OF(X509) *chain)
2269
- {
2270
- X509_STORE_CTX_zero(ctx);
2271
- ctx->ctx = store;
2272
- ctx->cert = x509;
2273
- ctx->untrusted = chain;
2274
-
2275
- CRYPTO_new_ex_data(&ctx->ex_data);
2276
-
2277
- if (store == NULL) {
2278
- OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER);
2279
- goto err;
2280
- }
2281
-
2282
- ctx->param = X509_VERIFY_PARAM_new();
2283
- if (!ctx->param)
2284
- goto err;
2285
-
2286
- /*
2287
- * Inherit callbacks and flags from X509_STORE.
2288
- */
2289
-
2087
+ STACK_OF(X509) *chain) {
2088
+ X509_STORE_CTX_zero(ctx);
2089
+ ctx->ctx = store;
2090
+ ctx->cert = x509;
2091
+ ctx->untrusted = chain;
2092
+
2093
+ CRYPTO_new_ex_data(&ctx->ex_data);
2094
+
2095
+ if (store == NULL) {
2096
+ OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER);
2097
+ goto err;
2098
+ }
2099
+
2100
+ ctx->param = X509_VERIFY_PARAM_new();
2101
+ if (!ctx->param) {
2102
+ goto err;
2103
+ }
2104
+
2105
+ // Inherit callbacks and flags from X509_STORE.
2106
+
2107
+ ctx->verify_cb = store->verify_cb;
2108
+ ctx->cleanup = store->cleanup;
2109
+
2110
+ if (!X509_VERIFY_PARAM_inherit(ctx->param, store->param) ||
2111
+ !X509_VERIFY_PARAM_inherit(ctx->param,
2112
+ X509_VERIFY_PARAM_lookup("default"))) {
2113
+ goto err;
2114
+ }
2115
+
2116
+ if (store->check_issued) {
2117
+ ctx->check_issued = store->check_issued;
2118
+ } else {
2119
+ ctx->check_issued = check_issued;
2120
+ }
2121
+
2122
+ if (store->get_issuer) {
2123
+ ctx->get_issuer = store->get_issuer;
2124
+ } else {
2125
+ ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2126
+ }
2127
+
2128
+ if (store->verify_cb) {
2290
2129
  ctx->verify_cb = store->verify_cb;
2291
- ctx->cleanup = store->cleanup;
2292
-
2293
- if (!X509_VERIFY_PARAM_inherit(ctx->param, store->param) ||
2294
- !X509_VERIFY_PARAM_inherit(ctx->param,
2295
- X509_VERIFY_PARAM_lookup("default"))) {
2296
- goto err;
2297
- }
2298
-
2299
- if (store->check_issued)
2300
- ctx->check_issued = store->check_issued;
2301
- else
2302
- ctx->check_issued = check_issued;
2303
-
2304
- if (store->get_issuer)
2305
- ctx->get_issuer = store->get_issuer;
2306
- else
2307
- ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2308
-
2309
- if (store->verify_cb)
2310
- ctx->verify_cb = store->verify_cb;
2311
- else
2312
- ctx->verify_cb = null_callback;
2130
+ } else {
2131
+ ctx->verify_cb = null_callback;
2132
+ }
2133
+
2134
+ if (store->verify) {
2135
+ ctx->verify = store->verify;
2136
+ } else {
2137
+ ctx->verify = internal_verify;
2138
+ }
2313
2139
 
2314
- if (store->verify)
2315
- ctx->verify = store->verify;
2316
- else
2317
- ctx->verify = internal_verify;
2140
+ if (store->check_revocation) {
2141
+ ctx->check_revocation = store->check_revocation;
2142
+ } else {
2143
+ ctx->check_revocation = check_revocation;
2144
+ }
2318
2145
 
2319
- if (store->check_revocation)
2320
- ctx->check_revocation = store->check_revocation;
2321
- else
2322
- ctx->check_revocation = check_revocation;
2146
+ if (store->get_crl) {
2147
+ ctx->get_crl = store->get_crl;
2148
+ } else {
2149
+ ctx->get_crl = NULL;
2150
+ }
2323
2151
 
2324
- if (store->get_crl)
2325
- ctx->get_crl = store->get_crl;
2326
- else
2327
- ctx->get_crl = NULL;
2152
+ if (store->check_crl) {
2153
+ ctx->check_crl = store->check_crl;
2154
+ } else {
2155
+ ctx->check_crl = check_crl;
2156
+ }
2328
2157
 
2329
- if (store->check_crl)
2330
- ctx->check_crl = store->check_crl;
2331
- else
2332
- ctx->check_crl = check_crl;
2158
+ if (store->cert_crl) {
2159
+ ctx->cert_crl = store->cert_crl;
2160
+ } else {
2161
+ ctx->cert_crl = cert_crl;
2162
+ }
2333
2163
 
2334
- if (store->cert_crl)
2335
- ctx->cert_crl = store->cert_crl;
2336
- else
2337
- ctx->cert_crl = cert_crl;
2164
+ if (store->lookup_certs) {
2165
+ ctx->lookup_certs = store->lookup_certs;
2166
+ } else {
2167
+ ctx->lookup_certs = X509_STORE_get1_certs;
2168
+ }
2338
2169
 
2339
- if (store->lookup_certs)
2340
- ctx->lookup_certs = store->lookup_certs;
2341
- else
2342
- ctx->lookup_certs = X509_STORE_get1_certs;
2170
+ if (store->lookup_crls) {
2171
+ ctx->lookup_crls = store->lookup_crls;
2172
+ } else {
2173
+ ctx->lookup_crls = X509_STORE_get1_crls;
2174
+ }
2343
2175
 
2344
- if (store->lookup_crls)
2345
- ctx->lookup_crls = store->lookup_crls;
2346
- else
2347
- ctx->lookup_crls = X509_STORE_get1_crls;
2176
+ ctx->check_policy = check_policy;
2348
2177
 
2349
- ctx->check_policy = check_policy;
2178
+ return 1;
2350
2179
 
2351
- return 1;
2352
-
2353
- err:
2354
- CRYPTO_free_ex_data(&g_ex_data_class, ctx, &ctx->ex_data);
2355
- if (ctx->param != NULL) {
2356
- X509_VERIFY_PARAM_free(ctx->param);
2357
- }
2180
+ err:
2181
+ CRYPTO_free_ex_data(&g_ex_data_class, ctx, &ctx->ex_data);
2182
+ if (ctx->param != NULL) {
2183
+ X509_VERIFY_PARAM_free(ctx->param);
2184
+ }
2358
2185
 
2359
- OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
2360
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
2361
- return 0;
2186
+ OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
2187
+ return 0;
2362
2188
  }
2363
2189
 
2364
- /*
2365
- * Set alternative lookup method: just a STACK of trusted certificates. This
2366
- * avoids X509_STORE nastiness where it isn't needed.
2367
- */
2190
+ // Set alternative lookup method: just a STACK of trusted certificates. This
2191
+ // avoids X509_STORE nastiness where it isn't needed.
2368
2192
 
2369
- void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2370
- {
2371
- ctx->other_ctx = sk;
2372
- ctx->get_issuer = get_issuer_sk;
2193
+ void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx,
2194
+ STACK_OF(X509) *sk) {
2195
+ ctx->other_ctx = sk;
2196
+ ctx->get_issuer = get_issuer_sk;
2373
2197
  }
2374
2198
 
2375
- void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2376
- {
2377
- /* We need to be idempotent because, unfortunately, |X509_STORE_CTX_free|
2378
- * also calls this function. */
2379
- if (ctx->cleanup != NULL) {
2380
- ctx->cleanup(ctx);
2381
- ctx->cleanup = NULL;
2382
- }
2383
- if (ctx->param != NULL) {
2384
- if (ctx->parent == NULL)
2385
- X509_VERIFY_PARAM_free(ctx->param);
2386
- ctx->param = NULL;
2387
- }
2388
- if (ctx->tree != NULL) {
2389
- X509_policy_tree_free(ctx->tree);
2390
- ctx->tree = NULL;
2391
- }
2392
- if (ctx->chain != NULL) {
2393
- sk_X509_pop_free(ctx->chain, X509_free);
2394
- ctx->chain = NULL;
2395
- }
2396
- CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data));
2397
- OPENSSL_memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
2199
+ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) {
2200
+ X509_STORE_CTX_set0_trusted_stack(ctx, sk);
2398
2201
  }
2399
2202
 
2400
- void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2401
- {
2402
- X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2203
+ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) {
2204
+ // We need to be idempotent because, unfortunately, |X509_STORE_CTX_free|
2205
+ // also calls this function.
2206
+ if (ctx->cleanup != NULL) {
2207
+ ctx->cleanup(ctx);
2208
+ ctx->cleanup = NULL;
2209
+ }
2210
+ if (ctx->param != NULL) {
2211
+ if (ctx->parent == NULL) {
2212
+ X509_VERIFY_PARAM_free(ctx->param);
2213
+ }
2214
+ ctx->param = NULL;
2215
+ }
2216
+ if (ctx->chain != NULL) {
2217
+ sk_X509_pop_free(ctx->chain, X509_free);
2218
+ ctx->chain = NULL;
2219
+ }
2220
+ CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data));
2221
+ OPENSSL_memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
2403
2222
  }
2404
2223
 
2405
- void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2406
- {
2407
- X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2224
+ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) {
2225
+ X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2408
2226
  }
2409
2227
 
2410
- void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
2411
- time_t t)
2412
- {
2413
- X509_VERIFY_PARAM_set_time(ctx->param, t);
2228
+ void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) {
2229
+ X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2414
2230
  }
2415
2231
 
2416
- X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
2417
- {
2418
- return ctx->cert;
2232
+ void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, unsigned long flags,
2233
+ int64_t t) {
2234
+ X509_VERIFY_PARAM_set_time_posix(ctx->param, t);
2419
2235
  }
2420
2236
 
2421
- void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2422
- int (*verify_cb) (int, X509_STORE_CTX *))
2423
- {
2424
- ctx->verify_cb = verify_cb;
2237
+ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
2238
+ time_t t) {
2239
+ X509_STORE_CTX_set_time_posix(ctx, flags, t);
2425
2240
  }
2426
2241
 
2427
- X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2428
- {
2429
- return ctx->tree;
2242
+ X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) {
2243
+ return ctx->cert;
2430
2244
  }
2431
2245
 
2432
- int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2433
- {
2434
- return ctx->explicit_policy;
2246
+ void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2247
+ int (*verify_cb)(int, X509_STORE_CTX *)) {
2248
+ ctx->verify_cb = verify_cb;
2435
2249
  }
2436
2250
 
2437
- int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2438
- {
2439
- const X509_VERIFY_PARAM *param;
2440
- param = X509_VERIFY_PARAM_lookup(name);
2441
- if (!param)
2442
- return 0;
2443
- return X509_VERIFY_PARAM_inherit(ctx->param, param);
2251
+ int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) {
2252
+ const X509_VERIFY_PARAM *param;
2253
+ param = X509_VERIFY_PARAM_lookup(name);
2254
+ if (!param) {
2255
+ return 0;
2256
+ }
2257
+ return X509_VERIFY_PARAM_inherit(ctx->param, param);
2444
2258
  }
2445
2259
 
2446
- X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2447
- {
2448
- return ctx->param;
2260
+ X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) {
2261
+ return ctx->param;
2449
2262
  }
2450
2263
 
2451
- void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2452
- {
2453
- if (ctx->param)
2454
- X509_VERIFY_PARAM_free(ctx->param);
2455
- ctx->param = param;
2264
+ void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) {
2265
+ if (ctx->param) {
2266
+ X509_VERIFY_PARAM_free(ctx->param);
2267
+ }
2268
+ ctx->param = param;
2456
2269
  }