grpc 1.53.2 → 1.54.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of grpc might be problematic. Click here for more details.

Files changed (693) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +78 -66
  3. data/include/grpc/event_engine/event_engine.h +30 -14
  4. data/include/grpc/grpc_security.h +4 -0
  5. data/include/grpc/support/port_platform.h +4 -4
  6. data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +11 -0
  7. data/src/core/ext/filters/client_channel/backend_metric.cc +6 -0
  8. data/src/core/ext/filters/client_channel/backup_poller.cc +2 -11
  9. data/src/core/ext/filters/client_channel/backup_poller.h +0 -3
  10. data/src/core/ext/filters/client_channel/client_channel.cc +848 -813
  11. data/src/core/ext/filters/client_channel/client_channel.h +131 -173
  12. data/src/core/ext/filters/client_channel/client_channel_internal.h +114 -0
  13. data/src/core/ext/filters/client_channel/config_selector.h +4 -3
  14. data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +6 -1
  15. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +17 -18
  16. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +134 -151
  17. data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +2 -16
  18. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +14 -10
  19. data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +68 -30
  20. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +11 -3
  21. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -1
  22. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +2 -5
  23. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +2 -2
  24. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +30 -38
  25. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +4 -4
  26. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +20 -26
  27. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +31 -179
  28. data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +1 -2
  29. data/src/core/ext/filters/client_channel/resolver/polling_resolver.h +1 -2
  30. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +4 -2
  31. data/src/core/ext/filters/client_channel/retry_filter.cc +95 -102
  32. data/src/core/ext/filters/client_channel/subchannel.cc +2 -4
  33. data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +26 -27
  34. data/src/core/ext/filters/client_channel/subchannel_stream_client.h +8 -5
  35. data/src/core/ext/filters/http/client/http_client_filter.cc +3 -3
  36. data/src/core/ext/filters/http/http_filters_plugin.cc +1 -12
  37. data/src/core/ext/filters/http/message_compress/compression_filter.cc +27 -11
  38. data/src/core/ext/filters/message_size/message_size_filter.cc +141 -224
  39. data/src/core/ext/filters/message_size/message_size_filter.h +48 -3
  40. data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +7 -6
  41. data/src/core/ext/gcp/metadata_query.cc +142 -0
  42. data/src/core/ext/gcp/metadata_query.h +82 -0
  43. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +70 -55
  44. data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +8 -12
  45. data/src/core/ext/transport/chttp2/transport/bin_encoder.h +1 -5
  46. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +116 -58
  47. data/src/core/ext/transport/chttp2/transport/flow_control.cc +5 -2
  48. data/src/core/ext/transport/chttp2/transport/flow_control.h +2 -1
  49. data/src/core/ext/transport/chttp2/transport/frame_settings.cc +4 -1
  50. data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +222 -118
  51. data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +113 -295
  52. data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.cc +0 -2
  53. data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.h +0 -2
  54. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +277 -451
  55. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +1 -3
  56. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +12 -14
  57. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +1 -9
  58. data/src/core/ext/transport/chttp2/transport/internal.h +16 -3
  59. data/src/core/ext/transport/chttp2/transport/parsing.cc +3 -2
  60. data/src/core/ext/transport/chttp2/transport/writing.cc +10 -5
  61. data/src/core/ext/transport/inproc/inproc_transport.cc +20 -14
  62. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +5 -3
  63. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +22 -0
  64. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +5 -3
  65. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +22 -0
  66. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +23 -5
  67. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +94 -3
  68. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -2
  69. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -0
  70. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +6 -3
  71. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +22 -0
  72. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +24 -6
  73. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +111 -12
  74. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +9 -7
  75. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +27 -9
  76. data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.c +0 -1
  77. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +11 -7
  78. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +56 -12
  79. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.c +5 -3
  80. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.h +24 -0
  81. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.c +5 -3
  82. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.h +24 -0
  83. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.c +13 -2
  84. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.h +49 -0
  85. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +24 -9
  86. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +66 -12
  87. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +191 -187
  88. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +139 -136
  89. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +31 -15
  90. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +5 -0
  91. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +12 -9
  92. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +15 -0
  93. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +54 -45
  94. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c +135 -119
  95. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h +5 -0
  96. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +100 -97
  97. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.c +15 -18
  98. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +272 -264
  99. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +117 -117
  100. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +5 -5
  101. data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +5 -5
  102. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +5 -5
  103. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.c +12 -9
  104. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.h +5 -0
  105. data/src/core/ext/xds/xds_channel_stack_modifier.cc +1 -2
  106. data/src/core/ext/xds/xds_client_stats.cc +29 -15
  107. data/src/core/ext/xds/xds_client_stats.h +24 -20
  108. data/src/core/ext/xds/xds_endpoint.cc +5 -2
  109. data/src/core/ext/xds/xds_endpoint.h +9 -1
  110. data/src/core/ext/xds/xds_http_rbac_filter.cc +1 -1
  111. data/src/core/ext/xds/xds_lb_policy_registry.cc +13 -0
  112. data/src/core/ext/xds/xds_transport_grpc.cc +1 -1
  113. data/src/core/lib/channel/call_finalization.h +1 -1
  114. data/src/core/lib/channel/call_tracer.cc +51 -0
  115. data/src/core/lib/channel/call_tracer.h +101 -38
  116. data/src/core/lib/channel/connected_channel.cc +483 -1050
  117. data/src/core/lib/channel/context.h +8 -1
  118. data/src/core/lib/channel/promise_based_filter.cc +106 -42
  119. data/src/core/lib/channel/promise_based_filter.h +27 -13
  120. data/src/core/lib/channel/server_call_tracer_filter.cc +110 -0
  121. data/src/core/lib/config/config_vars.cc +151 -0
  122. data/src/core/lib/config/config_vars.h +127 -0
  123. data/src/core/lib/config/config_vars_non_generated.cc +51 -0
  124. data/src/core/lib/config/load_config.cc +66 -0
  125. data/src/core/lib/config/load_config.h +49 -0
  126. data/src/core/lib/debug/trace.cc +5 -6
  127. data/src/core/lib/debug/trace.h +0 -5
  128. data/src/core/lib/event_engine/event_engine.cc +37 -2
  129. data/src/core/lib/event_engine/handle_containers.h +7 -22
  130. data/src/core/lib/event_engine/memory_allocator_factory.h +47 -0
  131. data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +0 -4
  132. data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +3 -9
  133. data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +48 -15
  134. data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +8 -8
  135. data/src/core/lib/event_engine/posix_engine/posix_engine.cc +6 -5
  136. data/src/core/lib/event_engine/posix_engine/posix_engine.h +0 -1
  137. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +6 -32
  138. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.h +0 -3
  139. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +27 -18
  140. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +0 -3
  141. data/src/core/lib/event_engine/resolved_address.cc +2 -1
  142. data/src/core/lib/event_engine/windows/win_socket.cc +0 -1
  143. data/src/core/lib/event_engine/windows/windows_endpoint.cc +129 -82
  144. data/src/core/lib/event_engine/windows/windows_endpoint.h +21 -5
  145. data/src/core/lib/event_engine/windows/windows_engine.cc +39 -18
  146. data/src/core/lib/event_engine/windows/windows_engine.h +2 -1
  147. data/src/core/lib/event_engine/windows/windows_listener.cc +370 -0
  148. data/src/core/lib/event_engine/windows/windows_listener.h +155 -0
  149. data/src/core/lib/experiments/config.cc +3 -10
  150. data/src/core/lib/experiments/experiments.cc +7 -0
  151. data/src/core/lib/experiments/experiments.h +9 -1
  152. data/src/core/lib/gpr/log.cc +15 -28
  153. data/src/core/lib/gprpp/fork.cc +8 -14
  154. data/src/core/lib/gprpp/orphanable.h +4 -3
  155. data/src/core/lib/gprpp/per_cpu.h +9 -3
  156. data/src/core/lib/gprpp/{thd_posix.cc → posix/thd.cc} +49 -37
  157. data/src/core/lib/gprpp/ref_counted.h +33 -34
  158. data/src/core/lib/gprpp/thd.h +16 -0
  159. data/src/core/lib/gprpp/time.cc +1 -0
  160. data/src/core/lib/gprpp/time.h +4 -4
  161. data/src/core/lib/gprpp/{thd_windows.cc → windows/thd.cc} +2 -2
  162. data/src/core/lib/iomgr/call_combiner.h +2 -2
  163. data/src/core/lib/iomgr/endpoint_cfstream.cc +4 -2
  164. data/src/core/lib/iomgr/ev_posix.cc +13 -53
  165. data/src/core/lib/iomgr/ev_posix.h +0 -3
  166. data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +103 -76
  167. data/src/core/lib/iomgr/iomgr.cc +4 -8
  168. data/src/core/lib/iomgr/iomgr_windows.cc +8 -2
  169. data/src/core/lib/iomgr/pollset_set_windows.cc +9 -9
  170. data/src/core/lib/iomgr/pollset_windows.cc +1 -1
  171. data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -3
  172. data/src/core/lib/iomgr/tcp_client_windows.cc +2 -2
  173. data/src/core/lib/iomgr/tcp_posix.cc +0 -1
  174. data/src/core/lib/iomgr/tcp_server_posix.cc +19 -55
  175. data/src/core/lib/iomgr/tcp_server_utils_posix.h +0 -12
  176. data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +0 -21
  177. data/src/core/lib/iomgr/tcp_server_windows.cc +176 -9
  178. data/src/core/lib/iomgr/tcp_windows.cc +12 -8
  179. data/src/core/lib/load_balancing/lb_policy.cc +9 -13
  180. data/src/core/lib/load_balancing/lb_policy.h +4 -2
  181. data/src/core/lib/promise/activity.cc +22 -6
  182. data/src/core/lib/promise/activity.h +61 -24
  183. data/src/core/lib/promise/cancel_callback.h +77 -0
  184. data/src/core/lib/promise/detail/basic_seq.h +1 -1
  185. data/src/core/lib/promise/detail/promise_factory.h +4 -0
  186. data/src/core/lib/promise/for_each.h +176 -0
  187. data/src/core/lib/promise/if.h +9 -0
  188. data/src/core/lib/promise/interceptor_list.h +23 -2
  189. data/src/core/lib/promise/latch.h +89 -3
  190. data/src/core/lib/promise/loop.h +13 -9
  191. data/src/core/lib/promise/map.h +7 -0
  192. data/src/core/lib/promise/party.cc +286 -0
  193. data/src/core/lib/promise/party.h +499 -0
  194. data/src/core/lib/promise/pipe.h +197 -57
  195. data/src/core/lib/promise/poll.h +48 -0
  196. data/src/core/lib/promise/promise.h +2 -2
  197. data/src/core/lib/resource_quota/arena.cc +19 -3
  198. data/src/core/lib/resource_quota/arena.h +119 -5
  199. data/src/core/lib/resource_quota/memory_quota.cc +1 -1
  200. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +12 -35
  201. data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +1 -0
  202. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +0 -59
  203. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +10 -5
  204. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
  205. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +13 -0
  206. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +2 -0
  207. data/src/core/lib/security/security_connector/load_system_roots_supported.cc +5 -9
  208. data/src/core/lib/security/security_connector/ssl_utils.cc +11 -25
  209. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +12 -0
  210. data/src/core/lib/security/transport/secure_endpoint.cc +4 -2
  211. data/src/core/lib/security/transport/server_auth_filter.cc +20 -2
  212. data/src/core/lib/slice/slice.cc +1 -1
  213. data/src/core/lib/surface/builtins.cc +2 -0
  214. data/src/core/lib/surface/call.cc +926 -1024
  215. data/src/core/lib/surface/call.h +10 -0
  216. data/src/core/lib/surface/lame_client.cc +1 -0
  217. data/src/core/lib/surface/validate_metadata.cc +42 -43
  218. data/src/core/lib/surface/validate_metadata.h +0 -9
  219. data/src/core/lib/surface/version.cc +2 -2
  220. data/src/core/lib/transport/batch_builder.cc +179 -0
  221. data/src/core/lib/transport/batch_builder.h +468 -0
  222. data/src/core/lib/transport/bdp_estimator.cc +7 -7
  223. data/src/core/lib/transport/bdp_estimator.h +10 -6
  224. data/src/core/lib/transport/custom_metadata.h +30 -0
  225. data/src/core/lib/transport/metadata_batch.cc +5 -2
  226. data/src/core/lib/transport/metadata_batch.h +17 -113
  227. data/src/core/lib/transport/parsed_metadata.h +6 -16
  228. data/src/core/lib/transport/timeout_encoding.cc +6 -1
  229. data/src/core/lib/transport/transport.cc +30 -2
  230. data/src/core/lib/transport/transport.h +70 -14
  231. data/src/core/lib/transport/transport_impl.h +7 -0
  232. data/src/core/lib/transport/transport_op_string.cc +52 -42
  233. data/src/core/plugin_registry/grpc_plugin_registry.cc +2 -2
  234. data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +1 -0
  235. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +21 -4
  236. data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +5 -0
  237. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
  238. data/src/core/tsi/ssl_transport_security.cc +4 -2
  239. data/src/ruby/lib/grpc/version.rb +1 -1
  240. data/third_party/abseil-cpp/absl/base/config.h +1 -1
  241. data/third_party/abseil-cpp/absl/flags/commandlineflag.cc +34 -0
  242. data/third_party/abseil-cpp/absl/flags/commandlineflag.h +200 -0
  243. data/third_party/abseil-cpp/absl/flags/config.h +68 -0
  244. data/third_party/abseil-cpp/absl/flags/declare.h +73 -0
  245. data/third_party/abseil-cpp/absl/flags/flag.cc +38 -0
  246. data/third_party/abseil-cpp/absl/flags/flag.h +310 -0
  247. data/{src/core/lib/gprpp/global_config_custom.h → third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc} +11 -14
  248. data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.h +68 -0
  249. data/third_party/abseil-cpp/absl/flags/internal/flag.cc +615 -0
  250. data/third_party/abseil-cpp/absl/flags/internal/flag.h +800 -0
  251. data/third_party/abseil-cpp/absl/flags/internal/flag_msvc.inc +116 -0
  252. data/third_party/abseil-cpp/absl/flags/internal/path_util.h +62 -0
  253. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc +65 -0
  254. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h +61 -0
  255. data/third_party/abseil-cpp/absl/flags/internal/program_name.cc +60 -0
  256. data/third_party/abseil-cpp/absl/flags/internal/program_name.h +50 -0
  257. data/third_party/abseil-cpp/absl/flags/internal/registry.h +97 -0
  258. data/third_party/abseil-cpp/absl/flags/internal/sequence_lock.h +187 -0
  259. data/third_party/abseil-cpp/absl/flags/marshalling.cc +241 -0
  260. data/third_party/abseil-cpp/absl/flags/marshalling.h +356 -0
  261. data/third_party/abseil-cpp/absl/flags/reflection.cc +354 -0
  262. data/third_party/abseil-cpp/absl/flags/reflection.h +90 -0
  263. data/third_party/abseil-cpp/absl/flags/usage_config.cc +165 -0
  264. data/third_party/abseil-cpp/absl/flags/usage_config.h +135 -0
  265. data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +12 -8
  266. data/third_party/boringssl-with-bazel/err_data.c +728 -712
  267. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +177 -177
  268. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +28 -55
  269. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +21 -23
  270. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +20 -23
  271. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +66 -185
  272. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +18 -21
  273. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +356 -311
  274. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +174 -194
  275. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +146 -210
  276. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +6 -9
  277. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c +346 -526
  278. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +110 -131
  279. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +130 -116
  280. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +93 -60
  281. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +93 -181
  282. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +242 -305
  283. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +41 -18
  284. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +30 -33
  285. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +36 -33
  286. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +29 -26
  287. data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +133 -88
  288. data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.c +230 -0
  289. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +791 -791
  290. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +526 -526
  291. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +114 -135
  292. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +201 -207
  293. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +21 -26
  294. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +55 -68
  295. data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +2 -4
  296. data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +11 -7
  297. data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +4 -4
  298. data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +15 -9
  299. data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +4 -4
  300. data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +17 -10
  301. data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -3
  302. data/third_party/boringssl-with-bazel/src/crypto/bio/printf.c +0 -13
  303. data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -6
  304. data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +2 -0
  305. data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +9 -5
  306. data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +10 -23
  307. data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +2 -6
  308. data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.c +2 -1
  309. data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +29 -28
  310. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +161 -201
  311. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +254 -39
  312. data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +2 -2
  313. data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +0 -2
  314. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +4 -4
  315. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +9 -8
  316. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +37 -75
  317. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +8 -10
  318. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/cipher → cipher_extra}/e_des.c +100 -78
  319. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.c +1 -0
  320. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc2.c +1 -0
  321. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.c +2 -0
  322. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +6 -12
  323. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -11
  324. data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +6 -10
  325. data/third_party/boringssl-with-bazel/src/crypto/conf/conf_def.h +0 -1
  326. data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +12 -0
  327. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.c +74 -0
  328. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_freebsd.c +62 -0
  329. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-fuchsia.c → cpu_aarch64_fuchsia.c} +8 -7
  330. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-linux.c → cpu_aarch64_linux.c} +6 -4
  331. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-win.c → cpu_aarch64_win.c} +4 -4
  332. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm.c → cpu_arm.c} +1 -1
  333. data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.c +55 -0
  334. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.c → cpu_arm_linux.c} +11 -90
  335. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.h → cpu_arm_linux.h} +0 -38
  336. data/third_party/boringssl-with-bazel/src/crypto/{cpu-intel.c → cpu_intel.c} +1 -2
  337. data/third_party/boringssl-with-bazel/src/crypto/crypto.c +25 -20
  338. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +16 -27
  339. data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +17 -32
  340. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/des.c +232 -232
  341. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/internal.h +1 -1
  342. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.c +1 -0
  343. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/params.c +232 -29
  344. data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +0 -3
  345. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +39 -16
  346. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +37 -7
  347. data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +3 -3
  348. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +11 -36
  349. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +214 -99
  350. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +21 -5
  351. data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +2 -4
  352. data/third_party/boringssl-with-bazel/src/crypto/err/err.c +83 -60
  353. data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +46 -12
  354. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +3 -3
  355. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +25 -23
  356. data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +43 -9
  357. data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +75 -44
  358. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +19 -25
  359. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +96 -45
  360. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +7 -8
  361. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +26 -23
  362. data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.c +233 -0
  363. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +5 -5
  364. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +42 -25
  365. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +4 -5
  366. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +35 -47
  367. data/third_party/boringssl-with-bazel/src/crypto/evp/print.c +135 -244
  368. data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +2 -4
  369. data/third_party/boringssl-with-bazel/src/crypto/evp/sign.c +15 -10
  370. data/third_party/boringssl-with-bazel/src/crypto/ex_data.c +29 -15
  371. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +0 -2
  372. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +13 -14
  373. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +3 -13
  374. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +13 -7
  375. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +9 -7
  376. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +35 -27
  377. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +16 -26
  378. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c +88 -60
  379. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +4 -3
  380. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +0 -2
  381. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +1 -1
  382. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +1 -1
  383. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +99 -113
  384. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +0 -1
  385. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +5 -3
  386. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c +112 -168
  387. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +86 -31
  388. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +11 -6
  389. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +4 -5
  390. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +4 -5
  391. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +13 -0
  392. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +13 -5
  393. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +19 -108
  394. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +19 -15
  395. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +15 -16
  396. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +22 -21
  397. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.c +3 -0
  398. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +79 -19
  399. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +102 -99
  400. data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c +52 -46
  401. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +39 -0
  402. data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c +55 -11
  403. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c +2 -3
  404. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +21 -6
  405. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +56 -0
  406. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +5 -3
  407. data/third_party/boringssl-with-bazel/src/crypto/{evp → fipsmodule/digestsign}/digestsign.c +51 -15
  408. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +25 -25
  409. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +91 -17
  410. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +5 -5
  411. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +34 -12
  412. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +54 -23
  413. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +44 -60
  414. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64-table.h → p256-nistz-table.h} +1 -1
  415. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.c → p256-nistz.c} +60 -53
  416. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.h → p256-nistz.h} +5 -13
  417. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +48 -36
  418. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +2 -8
  419. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +2 -7
  420. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +2 -3
  421. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +0 -1
  422. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +8 -0
  423. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +42 -14
  424. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +6 -0
  425. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.c +52 -24
  426. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +9 -15
  427. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +1 -4
  428. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +2 -4
  429. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +71 -43
  430. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +14 -16
  431. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -4
  432. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +31 -13
  433. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +16 -8
  434. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +3 -2
  435. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +2 -2
  436. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +9 -38
  437. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +73 -59
  438. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -45
  439. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +0 -1
  440. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +22 -0
  441. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +63 -52
  442. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +107 -62
  443. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +58 -31
  444. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +41 -0
  445. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +523 -422
  446. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +89 -0
  447. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c +334 -0
  448. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +3 -12
  449. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +2 -0
  450. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +12 -8
  451. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +14 -12
  452. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +19 -6
  453. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +32 -14
  454. data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +65 -29
  455. data/third_party/boringssl-with-bazel/src/crypto/internal.h +373 -18
  456. data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +61 -0
  457. data/third_party/boringssl-with-bazel/src/crypto/kyber/keccak.c +205 -0
  458. data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +13 -1
  459. data/third_party/boringssl-with-bazel/src/crypto/mem.c +220 -13
  460. data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +19 -7
  461. data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +13 -1
  462. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +81 -90
  463. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +150 -245
  464. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +629 -613
  465. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +17 -17
  466. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +142 -149
  467. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +99 -131
  468. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.c +0 -1
  469. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.c +0 -1
  470. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +0 -1
  471. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +0 -3
  472. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -66
  473. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +31 -38
  474. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +2 -1
  475. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +18 -31
  476. data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +1 -0
  477. data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +8 -1
  478. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +129 -5
  479. data/third_party/boringssl-with-bazel/src/crypto/refcount_c11.c +0 -2
  480. data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +3 -4
  481. data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +8 -11
  482. data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +61 -27
  483. data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +10 -13
  484. data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +10 -13
  485. data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +66 -34
  486. data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +190 -77
  487. data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +81 -284
  488. data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +109 -42
  489. data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c +22 -24
  490. data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +54 -55
  491. data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +32 -34
  492. data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +32 -16
  493. data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +465 -704
  494. data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +284 -331
  495. data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +183 -178
  496. data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c +11 -15
  497. data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +67 -50
  498. data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +153 -150
  499. data/third_party/boringssl-with-bazel/src/crypto/x509/policy.c +786 -0
  500. data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +95 -102
  501. data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +72 -57
  502. data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +12 -10
  503. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +227 -252
  504. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +52 -47
  505. data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +3 -4
  506. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +230 -224
  507. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +161 -327
  508. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.c +37 -33
  509. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +14 -31
  510. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +55 -85
  511. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +534 -618
  512. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +129 -122
  513. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +116 -182
  514. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +132 -132
  515. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +181 -202
  516. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +64 -79
  517. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +175 -160
  518. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +1865 -2050
  519. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +433 -462
  520. data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +156 -163
  521. data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +267 -263
  522. data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +40 -15
  523. data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +59 -63
  524. data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +63 -67
  525. data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +114 -144
  526. data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +25 -26
  527. data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +326 -415
  528. data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +8 -7
  529. data/third_party/boringssl-with-bazel/src/crypto/x509/x_info.c +30 -28
  530. data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +354 -370
  531. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +37 -32
  532. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +116 -119
  533. data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +36 -26
  534. data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +3 -4
  535. data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.c +10 -13
  536. data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +3 -4
  537. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +419 -261
  538. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +113 -105
  539. data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +11 -15
  540. data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +78 -170
  541. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +126 -131
  542. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akeya.c +3 -4
  543. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +465 -469
  544. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bcons.c +56 -54
  545. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +46 -49
  546. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +309 -346
  547. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +341 -365
  548. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +429 -393
  549. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +29 -24
  550. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_extku.c +65 -59
  551. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +125 -121
  552. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +43 -42
  553. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +122 -125
  554. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_int.c +50 -20
  555. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +247 -253
  556. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +386 -389
  557. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +45 -32
  558. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c +57 -54
  559. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c +63 -67
  560. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +143 -136
  561. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +664 -707
  562. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +83 -75
  563. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1062 -1146
  564. data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +8 -4
  565. data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +28 -48
  566. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +211 -187
  567. data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +26 -78
  568. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +19 -14
  569. data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +21 -2
  570. data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +49 -17
  571. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +99 -29
  572. data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +49 -60
  573. data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +2 -15
  574. data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +16 -200
  575. data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +34 -0
  576. data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +82 -0
  577. data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +32 -30
  578. data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +7 -0
  579. data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +4 -0
  580. data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +48 -5
  581. data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +37 -8
  582. data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +1 -0
  583. data/third_party/boringssl-with-bazel/src/include/openssl/err.h +33 -5
  584. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +22 -30
  585. data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +1 -1
  586. data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +7 -0
  587. data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +41 -16
  588. data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +91 -0
  589. data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +74 -8
  590. data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +13 -0
  591. data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +1 -0
  592. data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +11 -15
  593. data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +8 -0
  594. data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +12 -1
  595. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +7 -4
  596. data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +96 -0
  597. data/third_party/boringssl-with-bazel/src/include/openssl/span.h +13 -21
  598. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +139 -75
  599. data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +1 -6
  600. data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +384 -286
  601. data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +5 -6
  602. data/third_party/boringssl-with-bazel/src/include/openssl/time.h +41 -0
  603. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +18 -7
  604. data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +49 -23
  605. data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +0 -11
  606. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1592 -1074
  607. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +202 -205
  608. data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +2 -2
  609. data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -13
  610. data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +17 -18
  611. data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +4 -5
  612. data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +25 -33
  613. data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +34 -20
  614. data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +65 -34
  615. data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +198 -54
  616. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +5 -5
  617. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +32 -28
  618. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +76 -44
  619. data/third_party/boringssl-with-bazel/src/ssl/internal.h +130 -98
  620. data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +27 -11
  621. data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
  622. data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +91 -75
  623. data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +8 -10
  624. data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +39 -65
  625. data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +1 -0
  626. data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +5 -9
  627. data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +30 -33
  628. data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +77 -100
  629. data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +120 -107
  630. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +164 -30
  631. data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +150 -60
  632. data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +22 -11
  633. data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +22 -6
  634. data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +15 -13
  635. data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +5 -43
  636. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +7 -4
  637. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +2 -2
  638. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +22 -34
  639. data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +2 -2
  640. data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +16 -98
  641. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +1241 -657
  642. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +751 -398
  643. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3551 -1938
  644. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1272 -487
  645. metadata +103 -70
  646. data/src/core/ext/filters/client_channel/lb_call_state_internal.h +0 -39
  647. data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.cc +0 -30
  648. data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.h +0 -29
  649. data/src/core/lib/gprpp/global_config.h +0 -93
  650. data/src/core/lib/gprpp/global_config_env.cc +0 -140
  651. data/src/core/lib/gprpp/global_config_env.h +0 -133
  652. data/src/core/lib/gprpp/global_config_generic.h +0 -40
  653. data/src/core/lib/promise/intra_activity_waiter.h +0 -55
  654. data/src/core/lib/security/security_connector/ssl_utils_config.cc +0 -32
  655. data/src/core/lib/security/security_connector/ssl_utils_config.h +0 -29
  656. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +0 -195
  657. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +0 -83
  658. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +0 -236
  659. data/third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h +0 -15
  660. data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +0 -206
  661. data/third_party/boringssl-with-bazel/src/crypto/cpu-ppc64le.c +0 -38
  662. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1-altivec.c +0 -361
  663. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +0 -287
  664. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +0 -132
  665. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_lib.c +0 -155
  666. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +0 -131
  667. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +0 -189
  668. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +0 -843
  669. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +0 -289
  670. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c +0 -57
  671. /data/src/core/lib/gpr/{log_android.cc → android/log.cc} +0 -0
  672. /data/src/core/lib/gpr/{cpu_iphone.cc → iphone/cpu.cc} +0 -0
  673. /data/src/core/lib/gpr/{cpu_linux.cc → linux/cpu.cc} +0 -0
  674. /data/src/core/lib/gpr/{log_linux.cc → linux/log.cc} +0 -0
  675. /data/src/core/lib/gpr/{tmpfile_msys.cc → msys/tmpfile.cc} +0 -0
  676. /data/src/core/lib/gpr/{cpu_posix.cc → posix/cpu.cc} +0 -0
  677. /data/src/core/lib/gpr/{log_posix.cc → posix/log.cc} +0 -0
  678. /data/src/core/lib/gpr/{string_posix.cc → posix/string.cc} +0 -0
  679. /data/src/core/lib/gpr/{sync_posix.cc → posix/sync.cc} +0 -0
  680. /data/src/core/lib/gpr/{time_posix.cc → posix/time.cc} +0 -0
  681. /data/src/core/lib/gpr/{tmpfile_posix.cc → posix/tmpfile.cc} +0 -0
  682. /data/src/core/lib/gpr/{cpu_windows.cc → windows/cpu.cc} +0 -0
  683. /data/src/core/lib/gpr/{log_windows.cc → windows/log.cc} +0 -0
  684. /data/src/core/lib/gpr/{string_windows.cc → windows/string.cc} +0 -0
  685. /data/src/core/lib/gpr/{string_util_windows.cc → windows/string_util.cc} +0 -0
  686. /data/src/core/lib/gpr/{sync_windows.cc → windows/sync.cc} +0 -0
  687. /data/src/core/lib/gpr/{time_windows.cc → windows/time.cc} +0 -0
  688. /data/src/core/lib/gpr/{tmpfile_windows.cc → windows/tmpfile.cc} +0 -0
  689. /data/src/core/lib/gprpp/{env_linux.cc → linux/env.cc} +0 -0
  690. /data/src/core/lib/gprpp/{env_posix.cc → posix/env.cc} +0 -0
  691. /data/src/core/lib/gprpp/{stat_posix.cc → posix/stat.cc} +0 -0
  692. /data/src/core/lib/gprpp/{env_windows.cc → windows/env.cc} +0 -0
  693. /data/src/core/lib/gprpp/{stat_windows.cc → windows/stat.cc} +0 -0
@@ -1,4 +1,3 @@
1
- /* v3_purp.c */
2
1
  /*
3
2
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
4
3
  * 2001.
@@ -59,8 +58,8 @@
59
58
 
60
59
  #include <string.h>
61
60
 
62
- #include <openssl/err.h>
63
61
  #include <openssl/digest.h>
62
+ #include <openssl/err.h>
64
63
  #include <openssl/mem.h>
65
64
  #include <openssl/obj.h>
66
65
  #include <openssl/thread.h>
@@ -70,13 +69,13 @@
70
69
  #include "../x509/internal.h"
71
70
  #include "internal.h"
72
71
 
73
- #define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
72
+ #define V1_ROOT (EXFLAG_V1 | EXFLAG_SS)
74
73
  #define ku_reject(x, usage) \
75
- (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
74
+ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
76
75
  #define xku_reject(x, usage) \
77
- (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
76
+ (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
78
77
  #define ns_reject(x, usage) \
79
- (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
78
+ (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
80
79
 
81
80
  static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
82
81
  int ca);
@@ -101,11 +100,9 @@ static void xptable_free(X509_PURPOSE *p);
101
100
 
102
101
  static X509_PURPOSE xstandard[] = {
103
102
  {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0,
104
- check_purpose_ssl_client, (char *)"SSL client", (char *)"sslclient",
105
- NULL},
103
+ check_purpose_ssl_client, (char *)"SSL client", (char *)"sslclient", NULL},
106
104
  {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0,
107
- check_purpose_ssl_server, (char *)"SSL server", (char *)"sslserver",
108
- NULL},
105
+ check_purpose_ssl_server, (char *)"SSL server", (char *)"sslserver", NULL},
109
106
  {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0,
110
107
  check_purpose_ns_ssl_server, (char *)"Netscape SSL server",
111
108
  (char *)"nssslserver", NULL},
@@ -125,805 +122,765 @@ static X509_PURPOSE xstandard[] = {
125
122
  (char *)"timestampsign", NULL},
126
123
  };
127
124
 
128
- #define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
125
+ #define X509_PURPOSE_COUNT (sizeof(xstandard) / sizeof(X509_PURPOSE))
129
126
 
130
127
  static STACK_OF(X509_PURPOSE) *xptable = NULL;
131
128
 
132
- static int xp_cmp(const X509_PURPOSE **a, const X509_PURPOSE **b)
133
- {
134
- return (*a)->purpose - (*b)->purpose;
129
+ static int xp_cmp(const X509_PURPOSE **a, const X509_PURPOSE **b) {
130
+ return (*a)->purpose - (*b)->purpose;
135
131
  }
136
132
 
137
- /*
138
- * As much as I'd like to make X509_check_purpose use a "const" X509* I
139
- * really can't because it does recalculate hashes and do other non-const
140
- * things.
141
- */
142
- int X509_check_purpose(X509 *x, int id, int ca)
143
- {
144
- int idx;
145
- const X509_PURPOSE *pt;
146
- if (!x509v3_cache_extensions(x)) {
147
- return -1;
148
- }
133
+ // As much as I'd like to make X509_check_purpose use a "const" X509* I
134
+ // really can't because it does recalculate hashes and do other non-const
135
+ // things.
136
+ int X509_check_purpose(X509 *x, int id, int ca) {
137
+ int idx;
138
+ const X509_PURPOSE *pt;
139
+ if (!x509v3_cache_extensions(x)) {
140
+ return -1;
141
+ }
149
142
 
150
- if (id == -1)
151
- return 1;
152
- idx = X509_PURPOSE_get_by_id(id);
153
- if (idx == -1)
154
- return -1;
155
- pt = X509_PURPOSE_get0(idx);
156
- return pt->check_purpose(pt, x, ca);
143
+ if (id == -1) {
144
+ return 1;
145
+ }
146
+ idx = X509_PURPOSE_get_by_id(id);
147
+ if (idx == -1) {
148
+ return -1;
149
+ }
150
+ pt = X509_PURPOSE_get0(idx);
151
+ return pt->check_purpose(pt, x, ca);
157
152
  }
158
153
 
159
- int X509_PURPOSE_set(int *p, int purpose)
160
- {
161
- if (X509_PURPOSE_get_by_id(purpose) == -1) {
162
- OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_PURPOSE);
163
- return 0;
164
- }
165
- *p = purpose;
166
- return 1;
154
+ int X509_PURPOSE_set(int *p, int purpose) {
155
+ if (X509_PURPOSE_get_by_id(purpose) == -1) {
156
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_PURPOSE);
157
+ return 0;
158
+ }
159
+ *p = purpose;
160
+ return 1;
167
161
  }
168
162
 
169
- int X509_PURPOSE_get_count(void)
170
- {
171
- if (!xptable)
172
- return X509_PURPOSE_COUNT;
173
- return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
163
+ int X509_PURPOSE_get_count(void) {
164
+ if (!xptable) {
165
+ return X509_PURPOSE_COUNT;
166
+ }
167
+ return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
174
168
  }
175
169
 
176
- X509_PURPOSE *X509_PURPOSE_get0(int idx)
177
- {
178
- if (idx < 0)
179
- return NULL;
180
- if (idx < (int)X509_PURPOSE_COUNT)
181
- return xstandard + idx;
182
- return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
170
+ X509_PURPOSE *X509_PURPOSE_get0(int idx) {
171
+ if (idx < 0) {
172
+ return NULL;
173
+ }
174
+ if (idx < (int)X509_PURPOSE_COUNT) {
175
+ return xstandard + idx;
176
+ }
177
+ return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
183
178
  }
184
179
 
185
- int X509_PURPOSE_get_by_sname(char *sname)
186
- {
187
- int i;
188
- X509_PURPOSE *xptmp;
189
- for (i = 0; i < X509_PURPOSE_get_count(); i++) {
190
- xptmp = X509_PURPOSE_get0(i);
191
- if (!strcmp(xptmp->sname, sname))
192
- return i;
180
+ int X509_PURPOSE_get_by_sname(char *sname) {
181
+ int i;
182
+ X509_PURPOSE *xptmp;
183
+ for (i = 0; i < X509_PURPOSE_get_count(); i++) {
184
+ xptmp = X509_PURPOSE_get0(i);
185
+ if (!strcmp(xptmp->sname, sname)) {
186
+ return i;
193
187
  }
194
- return -1;
188
+ }
189
+ return -1;
195
190
  }
196
191
 
197
- int X509_PURPOSE_get_by_id(int purpose)
198
- {
199
- X509_PURPOSE tmp;
200
- size_t idx;
192
+ int X509_PURPOSE_get_by_id(int purpose) {
193
+ X509_PURPOSE tmp;
194
+ size_t idx;
201
195
 
202
- if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
203
- return purpose - X509_PURPOSE_MIN;
204
- tmp.purpose = purpose;
205
- if (!xptable)
206
- return -1;
196
+ if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX)) {
197
+ return purpose - X509_PURPOSE_MIN;
198
+ }
199
+ tmp.purpose = purpose;
200
+ if (!xptable) {
201
+ return -1;
202
+ }
207
203
 
208
- sk_X509_PURPOSE_sort(xptable);
209
- if (!sk_X509_PURPOSE_find(xptable, &idx, &tmp))
210
- return -1;
211
- return idx + X509_PURPOSE_COUNT;
204
+ sk_X509_PURPOSE_sort(xptable);
205
+ if (!sk_X509_PURPOSE_find(xptable, &idx, &tmp)) {
206
+ return -1;
207
+ }
208
+ return idx + X509_PURPOSE_COUNT;
212
209
  }
213
210
 
214
211
  int X509_PURPOSE_add(int id, int trust, int flags,
215
- int (*ck) (const X509_PURPOSE *, const X509 *, int),
216
- char *name, char *sname, void *arg)
217
- {
218
- int idx;
219
- X509_PURPOSE *ptmp;
220
- char *name_dup, *sname_dup;
221
-
222
- /*
223
- * This is set according to what we change: application can't set it
224
- */
225
- flags &= ~X509_PURPOSE_DYNAMIC;
226
- /* This will always be set for application modified trust entries */
227
- flags |= X509_PURPOSE_DYNAMIC_NAME;
228
- /* Get existing entry if any */
229
- idx = X509_PURPOSE_get_by_id(id);
230
- /* Need a new entry */
231
- if (idx == -1) {
232
- if (!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) {
233
- OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
234
- return 0;
235
- }
236
- ptmp->flags = X509_PURPOSE_DYNAMIC;
237
- } else
238
- ptmp = X509_PURPOSE_get0(idx);
239
-
240
- /* Duplicate the supplied names. */
241
- name_dup = OPENSSL_strdup(name);
242
- sname_dup = OPENSSL_strdup(sname);
243
- if (name_dup == NULL || sname_dup == NULL) {
244
- OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
245
- if (name_dup != NULL)
246
- OPENSSL_free(name_dup);
247
- if (sname_dup != NULL)
248
- OPENSSL_free(sname_dup);
249
- if (idx == -1)
250
- OPENSSL_free(ptmp);
251
- return 0;
252
- }
253
-
254
- /* OPENSSL_free existing name if dynamic */
255
- if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
256
- OPENSSL_free(ptmp->name);
257
- OPENSSL_free(ptmp->sname);
212
+ int (*ck)(const X509_PURPOSE *, const X509 *, int),
213
+ char *name, char *sname, void *arg) {
214
+ int idx;
215
+ X509_PURPOSE *ptmp;
216
+ char *name_dup, *sname_dup;
217
+
218
+ // This is set according to what we change: application can't set it
219
+ flags &= ~X509_PURPOSE_DYNAMIC;
220
+ // This will always be set for application modified trust entries
221
+ flags |= X509_PURPOSE_DYNAMIC_NAME;
222
+ // Get existing entry if any
223
+ idx = X509_PURPOSE_get_by_id(id);
224
+ // Need a new entry
225
+ if (idx == -1) {
226
+ if (!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) {
227
+ return 0;
228
+ }
229
+ ptmp->flags = X509_PURPOSE_DYNAMIC;
230
+ } else {
231
+ ptmp = X509_PURPOSE_get0(idx);
232
+ }
233
+
234
+ // Duplicate the supplied names.
235
+ name_dup = OPENSSL_strdup(name);
236
+ sname_dup = OPENSSL_strdup(sname);
237
+ if (name_dup == NULL || sname_dup == NULL) {
238
+ if (name_dup != NULL) {
239
+ OPENSSL_free(name_dup);
240
+ }
241
+ if (sname_dup != NULL) {
242
+ OPENSSL_free(sname_dup);
258
243
  }
259
- /* dup supplied name */
260
- ptmp->name = name_dup;
261
- ptmp->sname = sname_dup;
262
- /* Keep the dynamic flag of existing entry */
263
- ptmp->flags &= X509_PURPOSE_DYNAMIC;
264
- /* Set all other flags */
265
- ptmp->flags |= flags;
266
-
267
- ptmp->purpose = id;
268
- ptmp->trust = trust;
269
- ptmp->check_purpose = ck;
270
- ptmp->usr_data = arg;
271
-
272
- /* If its a new entry manage the dynamic table */
273
244
  if (idx == -1) {
274
- if (!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
275
- OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
276
- xptable_free(ptmp);
277
- return 0;
278
- }
279
- if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
280
- OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
281
- xptable_free(ptmp);
282
- return 0;
283
- }
284
- }
285
- return 1;
286
- }
287
-
288
- static void xptable_free(X509_PURPOSE *p)
289
- {
290
- if (!p)
291
- return;
292
- if (p->flags & X509_PURPOSE_DYNAMIC) {
293
- if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
294
- OPENSSL_free(p->name);
295
- OPENSSL_free(p->sname);
296
- }
297
- OPENSSL_free(p);
245
+ OPENSSL_free(ptmp);
298
246
  }
299
- }
300
-
301
- void X509_PURPOSE_cleanup(void)
302
- {
303
- unsigned int i;
304
- sk_X509_PURPOSE_pop_free(xptable, xptable_free);
305
- for (i = 0; i < X509_PURPOSE_COUNT; i++)
306
- xptable_free(xstandard + i);
307
- xptable = NULL;
308
- }
309
-
310
- int X509_PURPOSE_get_id(const X509_PURPOSE *xp)
311
- {
312
- return xp->purpose;
313
- }
314
-
315
- char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp)
316
- {
317
- return xp->name;
318
- }
319
-
320
- char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp)
321
- {
322
- return xp->sname;
323
- }
324
-
325
- int X509_PURPOSE_get_trust(const X509_PURPOSE *xp)
326
- {
327
- return xp->trust;
328
- }
329
-
330
- static int nid_cmp(const void *void_a, const void *void_b)
331
- {
332
- const int *a = void_a, *b = void_b;
333
-
334
- return *a - *b;
335
- }
336
-
337
- int X509_supported_extension(X509_EXTENSION *ex)
338
- {
339
- /*
340
- * This table is a list of the NIDs of supported extensions: that is
341
- * those which are used by the verify process. If an extension is
342
- * critical and doesn't appear in this list then the verify process will
343
- * normally reject the certificate. The list must be kept in numerical
344
- * order because it will be searched using bsearch.
345
- */
346
-
347
- static const int supported_nids[] = {
348
- NID_netscape_cert_type, /* 71 */
349
- NID_key_usage, /* 83 */
350
- NID_subject_alt_name, /* 85 */
351
- NID_basic_constraints, /* 87 */
352
- NID_certificate_policies, /* 89 */
353
- NID_ext_key_usage, /* 126 */
354
- NID_policy_constraints, /* 401 */
355
- NID_proxyCertInfo, /* 663 */
356
- NID_name_constraints, /* 666 */
357
- NID_policy_mappings, /* 747 */
358
- NID_inhibit_any_policy /* 748 */
359
- };
360
-
361
- int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
362
-
363
- if (ex_nid == NID_undef)
364
- return 0;
365
-
366
- if (bsearch
367
- (&ex_nid, supported_nids, sizeof(supported_nids) / sizeof(int),
368
- sizeof(int), nid_cmp) != NULL)
369
- return 1;
370
247
  return 0;
371
- }
372
-
373
- static int setup_dp(X509 *x, DIST_POINT *dp)
374
- {
375
- X509_NAME *iname = NULL;
376
- size_t i;
377
- if (dp->reasons) {
378
- if (dp->reasons->length > 0)
379
- dp->dp_reasons = dp->reasons->data[0];
380
- if (dp->reasons->length > 1)
381
- dp->dp_reasons |= (dp->reasons->data[1] << 8);
382
- dp->dp_reasons &= CRLDP_ALL_REASONS;
383
- } else
384
- dp->dp_reasons = CRLDP_ALL_REASONS;
385
- if (!dp->distpoint || (dp->distpoint->type != 1))
386
- return 1;
387
- for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
388
- GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
389
- if (gen->type == GEN_DIRNAME) {
390
- iname = gen->d.directoryName;
391
- break;
392
- }
393
- }
394
- if (!iname)
395
- iname = X509_get_issuer_name(x);
248
+ }
249
+
250
+ // OPENSSL_free existing name if dynamic
251
+ if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
252
+ OPENSSL_free(ptmp->name);
253
+ OPENSSL_free(ptmp->sname);
254
+ }
255
+ // dup supplied name
256
+ ptmp->name = name_dup;
257
+ ptmp->sname = sname_dup;
258
+ // Keep the dynamic flag of existing entry
259
+ ptmp->flags &= X509_PURPOSE_DYNAMIC;
260
+ // Set all other flags
261
+ ptmp->flags |= flags;
262
+
263
+ ptmp->purpose = id;
264
+ ptmp->trust = trust;
265
+ ptmp->check_purpose = ck;
266
+ ptmp->usr_data = arg;
267
+
268
+ // If its a new entry manage the dynamic table
269
+ if (idx == -1) {
270
+ if (!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
271
+ xptable_free(ptmp);
272
+ return 0;
273
+ }
274
+ if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
275
+ xptable_free(ptmp);
276
+ return 0;
277
+ }
278
+ }
279
+ return 1;
280
+ }
281
+
282
+ static void xptable_free(X509_PURPOSE *p) {
283
+ if (!p) {
284
+ return;
285
+ }
286
+ if (p->flags & X509_PURPOSE_DYNAMIC) {
287
+ if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
288
+ OPENSSL_free(p->name);
289
+ OPENSSL_free(p->sname);
290
+ }
291
+ OPENSSL_free(p);
292
+ }
293
+ }
294
+
295
+ void X509_PURPOSE_cleanup(void) {
296
+ unsigned int i;
297
+ sk_X509_PURPOSE_pop_free(xptable, xptable_free);
298
+ for (i = 0; i < X509_PURPOSE_COUNT; i++) {
299
+ xptable_free(xstandard + i);
300
+ }
301
+ xptable = NULL;
302
+ }
303
+
304
+ int X509_PURPOSE_get_id(const X509_PURPOSE *xp) { return xp->purpose; }
305
+
306
+ char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp) { return xp->name; }
307
+
308
+ char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp) { return xp->sname; }
309
+
310
+ int X509_PURPOSE_get_trust(const X509_PURPOSE *xp) { return xp->trust; }
311
+
312
+ static int nid_cmp(const void *void_a, const void *void_b) {
313
+ const int *a = void_a, *b = void_b;
314
+
315
+ return *a - *b;
316
+ }
317
+
318
+ int X509_supported_extension(const X509_EXTENSION *ex) {
319
+ // This table is a list of the NIDs of supported extensions: that is
320
+ // those which are used by the verify process. If an extension is
321
+ // critical and doesn't appear in this list then the verify process will
322
+ // normally reject the certificate. The list must be kept in numerical
323
+ // order because it will be searched using bsearch.
324
+
325
+ static const int supported_nids[] = {
326
+ NID_netscape_cert_type, // 71
327
+ NID_key_usage, // 83
328
+ NID_subject_alt_name, // 85
329
+ NID_basic_constraints, // 87
330
+ NID_certificate_policies, // 89
331
+ NID_ext_key_usage, // 126
332
+ NID_policy_constraints, // 401
333
+ NID_name_constraints, // 666
334
+ NID_policy_mappings, // 747
335
+ NID_inhibit_any_policy // 748
336
+ };
337
+
338
+ int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
339
+
340
+ if (ex_nid == NID_undef) {
341
+ return 0;
342
+ }
396
343
 
397
- return DIST_POINT_set_dpname(dp->distpoint, iname);
344
+ if (bsearch(&ex_nid, supported_nids, sizeof(supported_nids) / sizeof(int),
345
+ sizeof(int), nid_cmp) != NULL) {
346
+ return 1;
347
+ }
348
+ return 0;
398
349
  }
399
350
 
400
- static int setup_crldp(X509 *x)
401
- {
402
- int j;
403
- x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &j, NULL);
404
- if (x->crldp == NULL && j != -1) {
405
- return 0;
351
+ static int setup_dp(X509 *x, DIST_POINT *dp) {
352
+ X509_NAME *iname = NULL;
353
+ size_t i;
354
+ if (dp->reasons) {
355
+ if (dp->reasons->length > 0) {
356
+ dp->dp_reasons = dp->reasons->data[0];
406
357
  }
407
- for (size_t i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
408
- if (!setup_dp(x, sk_DIST_POINT_value(x->crldp, i))) {
409
- return 0;
410
- }
358
+ if (dp->reasons->length > 1) {
359
+ dp->dp_reasons |= (dp->reasons->data[1] << 8);
411
360
  }
361
+ dp->dp_reasons &= CRLDP_ALL_REASONS;
362
+ } else {
363
+ dp->dp_reasons = CRLDP_ALL_REASONS;
364
+ }
365
+ if (!dp->distpoint || (dp->distpoint->type != 1)) {
412
366
  return 1;
413
- }
414
-
415
- int x509v3_cache_extensions(X509 *x)
416
- {
417
- BASIC_CONSTRAINTS *bs;
418
- PROXY_CERT_INFO_EXTENSION *pci;
419
- ASN1_BIT_STRING *usage;
420
- ASN1_BIT_STRING *ns;
421
- EXTENDED_KEY_USAGE *extusage;
422
- X509_EXTENSION *ex;
423
- size_t i;
424
- int j;
425
-
426
- CRYPTO_MUTEX_lock_read(&x->lock);
427
- const int is_set = x->ex_flags & EXFLAG_SET;
428
- CRYPTO_MUTEX_unlock_read(&x->lock);
429
-
430
- if (is_set) {
431
- return (x->ex_flags & EXFLAG_INVALID) == 0;
367
+ }
368
+ for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
369
+ GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
370
+ if (gen->type == GEN_DIRNAME) {
371
+ iname = gen->d.directoryName;
372
+ break;
432
373
  }
374
+ }
375
+ if (!iname) {
376
+ iname = X509_get_issuer_name(x);
377
+ }
433
378
 
434
- CRYPTO_MUTEX_lock_write(&x->lock);
435
- if (x->ex_flags & EXFLAG_SET) {
436
- CRYPTO_MUTEX_unlock_write(&x->lock);
437
- return (x->ex_flags & EXFLAG_INVALID) == 0;
438
- }
379
+ return DIST_POINT_set_dpname(dp->distpoint, iname);
380
+ }
439
381
 
440
- if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL))
441
- x->ex_flags |= EXFLAG_INVALID;
442
- /* V1 should mean no extensions ... */
443
- if (X509_get_version(x) == X509_VERSION_1)
444
- x->ex_flags |= EXFLAG_V1;
445
- /* Handle basic constraints */
446
- if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &j, NULL))) {
447
- if (bs->ca)
448
- x->ex_flags |= EXFLAG_CA;
449
- if (bs->pathlen) {
450
- if ((bs->pathlen->type == V_ASN1_NEG_INTEGER)
451
- || !bs->ca) {
452
- x->ex_flags |= EXFLAG_INVALID;
453
- x->ex_pathlen = 0;
454
- } else {
455
- /* TODO(davidben): |ASN1_INTEGER_get| returns -1 on overflow,
456
- * which currently acts as if the constraint isn't present. This
457
- * works (an overflowing path length constraint may as well be
458
- * infinity), but Chromium's verifier simply treats values above
459
- * 255 as an error. */
460
- x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
461
- }
462
- } else
463
- x->ex_pathlen = -1;
464
- BASIC_CONSTRAINTS_free(bs);
465
- x->ex_flags |= EXFLAG_BCONS;
466
- } else if (j != -1) {
467
- x->ex_flags |= EXFLAG_INVALID;
468
- }
469
- /* Handle proxy certificates */
470
- if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &j, NULL))) {
471
- if (x->ex_flags & EXFLAG_CA
472
- || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
473
- || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
474
- x->ex_flags |= EXFLAG_INVALID;
475
- }
476
- if (pci->pcPathLengthConstraint) {
477
- x->ex_pcpathlen = ASN1_INTEGER_get(pci->pcPathLengthConstraint);
478
- } else
479
- x->ex_pcpathlen = -1;
480
- PROXY_CERT_INFO_EXTENSION_free(pci);
481
- x->ex_flags |= EXFLAG_PROXY;
482
- } else if (j != -1) {
483
- x->ex_flags |= EXFLAG_INVALID;
484
- }
485
- /* Handle key usage */
486
- if ((usage = X509_get_ext_d2i(x, NID_key_usage, &j, NULL))) {
487
- if (usage->length > 0) {
488
- x->ex_kusage = usage->data[0];
489
- if (usage->length > 1)
490
- x->ex_kusage |= usage->data[1] << 8;
491
- } else
492
- x->ex_kusage = 0;
493
- x->ex_flags |= EXFLAG_KUSAGE;
494
- ASN1_BIT_STRING_free(usage);
495
- } else if (j != -1) {
496
- x->ex_flags |= EXFLAG_INVALID;
497
- }
498
- x->ex_xkusage = 0;
499
- if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &j, NULL))) {
500
- x->ex_flags |= EXFLAG_XKUSAGE;
501
- for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
502
- switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
503
- case NID_server_auth:
504
- x->ex_xkusage |= XKU_SSL_SERVER;
505
- break;
506
-
507
- case NID_client_auth:
508
- x->ex_xkusage |= XKU_SSL_CLIENT;
509
- break;
510
-
511
- case NID_email_protect:
512
- x->ex_xkusage |= XKU_SMIME;
513
- break;
514
-
515
- case NID_code_sign:
516
- x->ex_xkusage |= XKU_CODE_SIGN;
517
- break;
518
-
519
- case NID_ms_sgc:
520
- case NID_ns_sgc:
521
- x->ex_xkusage |= XKU_SGC;
522
- break;
523
-
524
- case NID_OCSP_sign:
525
- x->ex_xkusage |= XKU_OCSP_SIGN;
526
- break;
527
-
528
- case NID_time_stamp:
529
- x->ex_xkusage |= XKU_TIMESTAMP;
530
- break;
531
-
532
- case NID_dvcs:
533
- x->ex_xkusage |= XKU_DVCS;
534
- break;
535
-
536
- case NID_anyExtendedKeyUsage:
537
- x->ex_xkusage |= XKU_ANYEKU;
538
- break;
539
- }
540
- }
541
- sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
542
- } else if (j != -1) {
543
- x->ex_flags |= EXFLAG_INVALID;
382
+ static int setup_crldp(X509 *x) {
383
+ int j;
384
+ x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &j, NULL);
385
+ if (x->crldp == NULL && j != -1) {
386
+ return 0;
387
+ }
388
+ for (size_t i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
389
+ if (!setup_dp(x, sk_DIST_POINT_value(x->crldp, i))) {
390
+ return 0;
544
391
  }
392
+ }
393
+ return 1;
394
+ }
545
395
 
546
- if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &j, NULL))) {
547
- if (ns->length > 0)
548
- x->ex_nscert = ns->data[0];
549
- else
550
- x->ex_nscert = 0;
551
- x->ex_flags |= EXFLAG_NSCERT;
552
- ASN1_BIT_STRING_free(ns);
553
- } else if (j != -1) {
554
- x->ex_flags |= EXFLAG_INVALID;
555
- }
556
- x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, &j, NULL);
557
- if (x->skid == NULL && j != -1) {
558
- x->ex_flags |= EXFLAG_INVALID;
559
- }
560
- x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &j, NULL);
561
- if (x->akid == NULL && j != -1) {
562
- x->ex_flags |= EXFLAG_INVALID;
563
- }
564
- /* Does subject name match issuer ? */
565
- if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
566
- x->ex_flags |= EXFLAG_SI;
567
- /* If SKID matches AKID also indicate self signed */
568
- if (X509_check_akid(x, x->akid) == X509_V_OK &&
569
- !ku_reject(x, KU_KEY_CERT_SIGN))
570
- x->ex_flags |= EXFLAG_SS;
571
- }
572
- x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &j, NULL);
573
- if (x->altname == NULL && j != -1) {
574
- x->ex_flags |= EXFLAG_INVALID;
575
- }
576
- x->nc = X509_get_ext_d2i(x, NID_name_constraints, &j, NULL);
577
- if (x->nc == NULL && j != -1) {
578
- x->ex_flags |= EXFLAG_INVALID;
579
- }
580
- if (!setup_crldp(x)) {
581
- x->ex_flags |= EXFLAG_INVALID;
582
- }
396
+ int x509v3_cache_extensions(X509 *x) {
397
+ BASIC_CONSTRAINTS *bs;
398
+ ASN1_BIT_STRING *usage;
399
+ ASN1_BIT_STRING *ns;
400
+ EXTENDED_KEY_USAGE *extusage;
401
+ size_t i;
402
+ int j;
583
403
 
584
- for (j = 0; j < X509_get_ext_count(x); j++) {
585
- ex = X509_get_ext(x, j);
586
- if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
587
- == NID_freshest_crl)
588
- x->ex_flags |= EXFLAG_FRESHEST;
589
- if (!X509_EXTENSION_get_critical(ex))
590
- continue;
591
- if (!X509_supported_extension(ex)) {
592
- x->ex_flags |= EXFLAG_CRITICAL;
593
- break;
594
- }
595
- }
596
- x->ex_flags |= EXFLAG_SET;
404
+ CRYPTO_MUTEX_lock_read(&x->lock);
405
+ const int is_set = x->ex_flags & EXFLAG_SET;
406
+ CRYPTO_MUTEX_unlock_read(&x->lock);
597
407
 
598
- CRYPTO_MUTEX_unlock_write(&x->lock);
408
+ if (is_set) {
599
409
  return (x->ex_flags & EXFLAG_INVALID) == 0;
600
- }
410
+ }
601
411
 
602
- /* check_ca returns one if |x| should be considered a CA certificate and zero
603
- * otherwise. */
604
- static int check_ca(const X509 *x)
605
- {
606
- /* keyUsage if present should allow cert signing */
607
- if (ku_reject(x, KU_KEY_CERT_SIGN))
608
- return 0;
609
- /* Version 1 certificates are considered CAs and don't have extensions. */
610
- if ((x->ex_flags & V1_ROOT) == V1_ROOT) {
611
- return 1;
612
- }
613
- /* Otherwise, it's only a CA if basicConstraints says so. */
614
- return ((x->ex_flags & EXFLAG_BCONS) &&
615
- (x->ex_flags & EXFLAG_CA));
412
+ CRYPTO_MUTEX_lock_write(&x->lock);
413
+ if (x->ex_flags & EXFLAG_SET) {
414
+ CRYPTO_MUTEX_unlock_write(&x->lock);
415
+ return (x->ex_flags & EXFLAG_INVALID) == 0;
416
+ }
417
+
418
+ if (!X509_digest(x, EVP_sha256(), x->cert_hash, NULL)) {
419
+ x->ex_flags |= EXFLAG_INVALID;
420
+ }
421
+ // V1 should mean no extensions ...
422
+ if (X509_get_version(x) == X509_VERSION_1) {
423
+ x->ex_flags |= EXFLAG_V1;
424
+ }
425
+ // Handle basic constraints
426
+ if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &j, NULL))) {
427
+ if (bs->ca) {
428
+ x->ex_flags |= EXFLAG_CA;
429
+ }
430
+ if (bs->pathlen) {
431
+ if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) || !bs->ca) {
432
+ x->ex_flags |= EXFLAG_INVALID;
433
+ x->ex_pathlen = 0;
434
+ } else {
435
+ // TODO(davidben): |ASN1_INTEGER_get| returns -1 on overflow,
436
+ // which currently acts as if the constraint isn't present. This
437
+ // works (an overflowing path length constraint may as well be
438
+ // infinity), but Chromium's verifier simply treats values above
439
+ // 255 as an error.
440
+ x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
441
+ }
442
+ } else {
443
+ x->ex_pathlen = -1;
444
+ }
445
+ BASIC_CONSTRAINTS_free(bs);
446
+ x->ex_flags |= EXFLAG_BCONS;
447
+ } else if (j != -1) {
448
+ x->ex_flags |= EXFLAG_INVALID;
449
+ }
450
+ // Handle key usage
451
+ if ((usage = X509_get_ext_d2i(x, NID_key_usage, &j, NULL))) {
452
+ if (usage->length > 0) {
453
+ x->ex_kusage = usage->data[0];
454
+ if (usage->length > 1) {
455
+ x->ex_kusage |= usage->data[1] << 8;
456
+ }
457
+ } else {
458
+ x->ex_kusage = 0;
459
+ }
460
+ x->ex_flags |= EXFLAG_KUSAGE;
461
+ ASN1_BIT_STRING_free(usage);
462
+ } else if (j != -1) {
463
+ x->ex_flags |= EXFLAG_INVALID;
464
+ }
465
+ x->ex_xkusage = 0;
466
+ if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &j, NULL))) {
467
+ x->ex_flags |= EXFLAG_XKUSAGE;
468
+ for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
469
+ switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
470
+ case NID_server_auth:
471
+ x->ex_xkusage |= XKU_SSL_SERVER;
472
+ break;
473
+
474
+ case NID_client_auth:
475
+ x->ex_xkusage |= XKU_SSL_CLIENT;
476
+ break;
477
+
478
+ case NID_email_protect:
479
+ x->ex_xkusage |= XKU_SMIME;
480
+ break;
481
+
482
+ case NID_code_sign:
483
+ x->ex_xkusage |= XKU_CODE_SIGN;
484
+ break;
485
+
486
+ case NID_ms_sgc:
487
+ case NID_ns_sgc:
488
+ x->ex_xkusage |= XKU_SGC;
489
+ break;
490
+
491
+ case NID_OCSP_sign:
492
+ x->ex_xkusage |= XKU_OCSP_SIGN;
493
+ break;
494
+
495
+ case NID_time_stamp:
496
+ x->ex_xkusage |= XKU_TIMESTAMP;
497
+ break;
498
+
499
+ case NID_dvcs:
500
+ x->ex_xkusage |= XKU_DVCS;
501
+ break;
502
+
503
+ case NID_anyExtendedKeyUsage:
504
+ x->ex_xkusage |= XKU_ANYEKU;
505
+ break;
506
+ }
507
+ }
508
+ sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
509
+ } else if (j != -1) {
510
+ x->ex_flags |= EXFLAG_INVALID;
511
+ }
512
+
513
+ if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &j, NULL))) {
514
+ if (ns->length > 0) {
515
+ x->ex_nscert = ns->data[0];
516
+ } else {
517
+ x->ex_nscert = 0;
518
+ }
519
+ x->ex_flags |= EXFLAG_NSCERT;
520
+ ASN1_BIT_STRING_free(ns);
521
+ } else if (j != -1) {
522
+ x->ex_flags |= EXFLAG_INVALID;
523
+ }
524
+ x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, &j, NULL);
525
+ if (x->skid == NULL && j != -1) {
526
+ x->ex_flags |= EXFLAG_INVALID;
527
+ }
528
+ x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &j, NULL);
529
+ if (x->akid == NULL && j != -1) {
530
+ x->ex_flags |= EXFLAG_INVALID;
531
+ }
532
+ // Does subject name match issuer ?
533
+ if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
534
+ x->ex_flags |= EXFLAG_SI;
535
+ // If SKID matches AKID also indicate self signed
536
+ if (X509_check_akid(x, x->akid) == X509_V_OK &&
537
+ !ku_reject(x, KU_KEY_CERT_SIGN)) {
538
+ x->ex_flags |= EXFLAG_SS;
539
+ }
540
+ }
541
+ x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &j, NULL);
542
+ if (x->altname == NULL && j != -1) {
543
+ x->ex_flags |= EXFLAG_INVALID;
544
+ }
545
+ x->nc = X509_get_ext_d2i(x, NID_name_constraints, &j, NULL);
546
+ if (x->nc == NULL && j != -1) {
547
+ x->ex_flags |= EXFLAG_INVALID;
548
+ }
549
+ if (!setup_crldp(x)) {
550
+ x->ex_flags |= EXFLAG_INVALID;
551
+ }
552
+
553
+ for (j = 0; j < X509_get_ext_count(x); j++) {
554
+ const X509_EXTENSION *ex = X509_get_ext(x, j);
555
+ if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_freshest_crl) {
556
+ x->ex_flags |= EXFLAG_FRESHEST;
557
+ }
558
+ if (!X509_EXTENSION_get_critical(ex)) {
559
+ continue;
560
+ }
561
+ if (!X509_supported_extension(ex)) {
562
+ x->ex_flags |= EXFLAG_CRITICAL;
563
+ break;
564
+ }
565
+ }
566
+ x->ex_flags |= EXFLAG_SET;
567
+
568
+ CRYPTO_MUTEX_unlock_write(&x->lock);
569
+ return (x->ex_flags & EXFLAG_INVALID) == 0;
570
+ }
571
+
572
+ // check_ca returns one if |x| should be considered a CA certificate and zero
573
+ // otherwise.
574
+ static int check_ca(const X509 *x) {
575
+ // keyUsage if present should allow cert signing
576
+ if (ku_reject(x, KU_KEY_CERT_SIGN)) {
577
+ return 0;
578
+ }
579
+ // Version 1 certificates are considered CAs and don't have extensions.
580
+ if ((x->ex_flags & V1_ROOT) == V1_ROOT) {
581
+ return 1;
582
+ }
583
+ // Otherwise, it's only a CA if basicConstraints says so.
584
+ return ((x->ex_flags & EXFLAG_BCONS) && (x->ex_flags & EXFLAG_CA));
616
585
  }
617
586
 
618
- int X509_check_ca(X509 *x)
619
- {
620
- if (!x509v3_cache_extensions(x)) {
621
- return 0;
622
- }
623
- return check_ca(x);
587
+ int X509_check_ca(X509 *x) {
588
+ if (!x509v3_cache_extensions(x)) {
589
+ return 0;
590
+ }
591
+ return check_ca(x);
624
592
  }
625
593
 
626
594
  static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
627
- int ca)
628
- {
629
- if (xku_reject(x, XKU_SSL_CLIENT))
630
- return 0;
631
- if (ca)
632
- return check_ca(x);
633
- /* We need to do digital signatures or key agreement */
634
- if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT))
635
- return 0;
636
- /* nsCertType if present should allow SSL client use */
637
- if (ns_reject(x, NS_SSL_CLIENT))
638
- return 0;
639
- return 1;
595
+ int ca) {
596
+ if (xku_reject(x, XKU_SSL_CLIENT)) {
597
+ return 0;
598
+ }
599
+ if (ca) {
600
+ return check_ca(x);
601
+ }
602
+ // We need to do digital signatures or key agreement
603
+ if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)) {
604
+ return 0;
605
+ }
606
+ // nsCertType if present should allow SSL client use
607
+ if (ns_reject(x, NS_SSL_CLIENT)) {
608
+ return 0;
609
+ }
610
+ return 1;
640
611
  }
641
612
 
642
- /*
643
- * Key usage needed for TLS/SSL server: digital signature, encipherment or
644
- * key agreement. The ssl code can check this more thoroughly for individual
645
- * key types.
646
- */
647
- #define KU_TLS \
648
- (KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT|KU_KEY_AGREEMENT)
613
+ // Key usage needed for TLS/SSL server: digital signature, encipherment or
614
+ // key agreement. The ssl code can check this more thoroughly for individual
615
+ // key types.
616
+ #define KU_TLS (KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT | KU_KEY_AGREEMENT)
649
617
 
650
618
  static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
651
- int ca)
652
- {
653
- if (xku_reject(x, XKU_SSL_SERVER))
654
- return 0;
655
- if (ca)
656
- return check_ca(x);
657
-
658
- if (ns_reject(x, NS_SSL_SERVER))
659
- return 0;
660
- if (ku_reject(x, KU_TLS))
661
- return 0;
619
+ int ca) {
620
+ if (xku_reject(x, XKU_SSL_SERVER)) {
621
+ return 0;
622
+ }
623
+ if (ca) {
624
+ return check_ca(x);
625
+ }
662
626
 
663
- return 1;
627
+ if (ns_reject(x, NS_SSL_SERVER)) {
628
+ return 0;
629
+ }
630
+ if (ku_reject(x, KU_TLS)) {
631
+ return 0;
632
+ }
664
633
 
634
+ return 1;
665
635
  }
666
636
 
667
637
  static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
668
- int ca)
669
- {
670
- int ret;
671
- ret = check_purpose_ssl_server(xp, x, ca);
672
- if (!ret || ca)
673
- return ret;
674
- /* We need to encipher or Netscape complains */
675
- if (ku_reject(x, KU_KEY_ENCIPHERMENT))
676
- return 0;
638
+ int ca) {
639
+ int ret;
640
+ ret = check_purpose_ssl_server(xp, x, ca);
641
+ if (!ret || ca) {
677
642
  return ret;
643
+ }
644
+ // We need to encipher or Netscape complains
645
+ if (ku_reject(x, KU_KEY_ENCIPHERMENT)) {
646
+ return 0;
647
+ }
648
+ return ret;
678
649
  }
679
650
 
680
- /* purpose_smime returns one if |x| is a valid S/MIME leaf (|ca| is zero) or CA
681
- * (|ca| is one) certificate, and zero otherwise. */
682
- static int purpose_smime(const X509 *x, int ca)
683
- {
684
- if (xku_reject(x, XKU_SMIME))
685
- return 0;
686
- if (ca) {
687
- /* check nsCertType if present */
688
- if ((x->ex_flags & EXFLAG_NSCERT) &&
689
- (x->ex_nscert & NS_SMIME_CA) == 0) {
690
- return 0;
691
- }
692
-
693
- return check_ca(x);
694
- }
695
- if (x->ex_flags & EXFLAG_NSCERT) {
696
- return (x->ex_nscert & NS_SMIME) == NS_SMIME;
651
+ // purpose_smime returns one if |x| is a valid S/MIME leaf (|ca| is zero) or CA
652
+ // (|ca| is one) certificate, and zero otherwise.
653
+ static int purpose_smime(const X509 *x, int ca) {
654
+ if (xku_reject(x, XKU_SMIME)) {
655
+ return 0;
656
+ }
657
+ if (ca) {
658
+ // check nsCertType if present
659
+ if ((x->ex_flags & EXFLAG_NSCERT) && (x->ex_nscert & NS_SMIME_CA) == 0) {
660
+ return 0;
697
661
  }
698
- return 1;
662
+
663
+ return check_ca(x);
664
+ }
665
+ if (x->ex_flags & EXFLAG_NSCERT) {
666
+ return (x->ex_nscert & NS_SMIME) == NS_SMIME;
667
+ }
668
+ return 1;
699
669
  }
700
670
 
701
671
  static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
702
- int ca)
703
- {
704
- int ret;
705
- ret = purpose_smime(x, ca);
706
- if (!ret || ca)
707
- return ret;
708
- if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION))
709
- return 0;
672
+ int ca) {
673
+ int ret;
674
+ ret = purpose_smime(x, ca);
675
+ if (!ret || ca) {
710
676
  return ret;
677
+ }
678
+ if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION)) {
679
+ return 0;
680
+ }
681
+ return ret;
711
682
  }
712
683
 
713
684
  static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
714
- int ca)
715
- {
716
- int ret;
717
- ret = purpose_smime(x, ca);
718
- if (!ret || ca)
719
- return ret;
720
- if (ku_reject(x, KU_KEY_ENCIPHERMENT))
721
- return 0;
685
+ int ca) {
686
+ int ret;
687
+ ret = purpose_smime(x, ca);
688
+ if (!ret || ca) {
722
689
  return ret;
690
+ }
691
+ if (ku_reject(x, KU_KEY_ENCIPHERMENT)) {
692
+ return 0;
693
+ }
694
+ return ret;
723
695
  }
724
696
 
725
697
  static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
726
- int ca)
727
- {
728
- if (ca) {
729
- return check_ca(x);
730
- }
731
- if (ku_reject(x, KU_CRL_SIGN))
732
- return 0;
733
- return 1;
698
+ int ca) {
699
+ if (ca) {
700
+ return check_ca(x);
701
+ }
702
+ if (ku_reject(x, KU_CRL_SIGN)) {
703
+ return 0;
704
+ }
705
+ return 1;
734
706
  }
735
707
 
736
- /*
737
- * OCSP helper: this is *not* a full OCSP check. It just checks that each CA
738
- * is valid. Additional checks must be made on the chain.
739
- */
708
+ // OCSP helper: this is *not* a full OCSP check. It just checks that each CA
709
+ // is valid. Additional checks must be made on the chain.
740
710
 
741
- static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
742
- {
743
- if (ca)
744
- return check_ca(x);
745
- /* leaf certificate is checked in OCSP_verify() */
746
- return 1;
711
+ static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) {
712
+ if (ca) {
713
+ return check_ca(x);
714
+ }
715
+ // leaf certificate is checked in OCSP_verify()
716
+ return 1;
747
717
  }
748
718
 
749
719
  static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
750
- int ca)
751
- {
752
- int i_ext;
753
-
754
- /* If ca is true we must return if this is a valid CA certificate. */
755
- if (ca)
756
- return check_ca(x);
757
-
758
- /*
759
- * Check the optional key usage field:
760
- * if Key Usage is present, it must be one of digitalSignature
761
- * and/or nonRepudiation (other values are not consistent and shall
762
- * be rejected).
763
- */
764
- if ((x->ex_flags & EXFLAG_KUSAGE)
765
- && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
766
- !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
767
- return 0;
768
-
769
- /* Only time stamp key usage is permitted and it's required. */
770
- if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
771
- return 0;
772
-
773
- /* Extended Key Usage MUST be critical */
774
- i_ext = X509_get_ext_by_NID((X509 *)x, NID_ext_key_usage, -1);
775
- if (i_ext >= 0) {
776
- X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext);
777
- if (!X509_EXTENSION_get_critical(ext))
778
- return 0;
720
+ int ca) {
721
+ int i_ext;
722
+
723
+ // If ca is true we must return if this is a valid CA certificate.
724
+ if (ca) {
725
+ return check_ca(x);
726
+ }
727
+
728
+ // Check the optional key usage field:
729
+ // if Key Usage is present, it must be one of digitalSignature
730
+ // and/or nonRepudiation (other values are not consistent and shall
731
+ // be rejected).
732
+ if ((x->ex_flags & EXFLAG_KUSAGE) &&
733
+ ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
734
+ !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)))) {
735
+ return 0;
736
+ }
737
+
738
+ // Only time stamp key usage is permitted and it's required.
739
+ if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP) {
740
+ return 0;
741
+ }
742
+
743
+ // Extended Key Usage MUST be critical
744
+ i_ext = X509_get_ext_by_NID((X509 *)x, NID_ext_key_usage, -1);
745
+ if (i_ext >= 0) {
746
+ const X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext);
747
+ if (!X509_EXTENSION_get_critical(ext)) {
748
+ return 0;
779
749
  }
750
+ }
780
751
 
781
- return 1;
752
+ return 1;
782
753
  }
783
754
 
784
- static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
785
- {
786
- return 1;
787
- }
755
+ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) { return 1; }
788
756
 
789
- /*
790
- * Various checks to see if one certificate issued the second. This can be
791
- * used to prune a set of possible issuer certificates which have been looked
792
- * up using some simple method such as by subject name. These are: 1. Check
793
- * issuer_name(subject) == subject_name(issuer) 2. If akid(subject) exists
794
- * check it matches issuer 3. If key_usage(issuer) exists check it supports
795
- * certificate signing returns 0 for OK, positive for reason for mismatch,
796
- * reasons match codes for X509_verify_cert()
797
- */
757
+ // Various checks to see if one certificate issued the second. This can be
758
+ // used to prune a set of possible issuer certificates which have been looked
759
+ // up using some simple method such as by subject name. These are: 1. Check
760
+ // issuer_name(subject) == subject_name(issuer) 2. If akid(subject) exists
761
+ // check it matches issuer 3. If key_usage(issuer) exists check it supports
762
+ // certificate signing returns 0 for OK, positive for reason for mismatch,
763
+ // reasons match codes for X509_verify_cert()
798
764
 
799
- int X509_check_issued(X509 *issuer, X509 *subject)
800
- {
801
- if (X509_NAME_cmp(X509_get_subject_name(issuer),
802
- X509_get_issuer_name(subject)))
803
- return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
804
- if (!x509v3_cache_extensions(issuer) ||
805
- !x509v3_cache_extensions(subject)) {
806
- return X509_V_ERR_UNSPECIFIED;
807
- }
765
+ int X509_check_issued(X509 *issuer, X509 *subject) {
766
+ if (X509_NAME_cmp(X509_get_subject_name(issuer),
767
+ X509_get_issuer_name(subject))) {
768
+ return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
769
+ }
770
+ if (!x509v3_cache_extensions(issuer) || !x509v3_cache_extensions(subject)) {
771
+ return X509_V_ERR_UNSPECIFIED;
772
+ }
808
773
 
809
- if (subject->akid) {
810
- int ret = X509_check_akid(issuer, subject->akid);
811
- if (ret != X509_V_OK)
812
- return ret;
774
+ if (subject->akid) {
775
+ int ret = X509_check_akid(issuer, subject->akid);
776
+ if (ret != X509_V_OK) {
777
+ return ret;
813
778
  }
779
+ }
814
780
 
815
- if (subject->ex_flags & EXFLAG_PROXY) {
816
- if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
817
- return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
818
- } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
819
- return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
820
- return X509_V_OK;
781
+ if (ku_reject(issuer, KU_KEY_CERT_SIGN)) {
782
+ return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
783
+ }
784
+ return X509_V_OK;
821
785
  }
822
786
 
823
- int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
824
- {
825
-
826
- if (!akid)
827
- return X509_V_OK;
828
-
829
- /* Check key ids (if present) */
830
- if (akid->keyid && issuer->skid &&
831
- ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid))
832
- return X509_V_ERR_AKID_SKID_MISMATCH;
833
- /* Check serial number */
834
- if (akid->serial &&
835
- ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
836
- return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
837
- /* Check issuer name */
838
- if (akid->issuer) {
839
- /*
840
- * Ugh, for some peculiar reason AKID includes SEQUENCE OF
841
- * GeneralName. So look for a DirName. There may be more than one but
842
- * we only take any notice of the first.
843
- */
844
- GENERAL_NAMES *gens;
845
- GENERAL_NAME *gen;
846
- X509_NAME *nm = NULL;
847
- size_t i;
848
- gens = akid->issuer;
849
- for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
850
- gen = sk_GENERAL_NAME_value(gens, i);
851
- if (gen->type == GEN_DIRNAME) {
852
- nm = gen->d.dirn;
853
- break;
854
- }
855
- }
856
- if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
857
- return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
858
- }
787
+ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) {
788
+ if (!akid) {
859
789
  return X509_V_OK;
790
+ }
791
+
792
+ // Check key ids (if present)
793
+ if (akid->keyid && issuer->skid &&
794
+ ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid)) {
795
+ return X509_V_ERR_AKID_SKID_MISMATCH;
796
+ }
797
+ // Check serial number
798
+ if (akid->serial &&
799
+ ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial)) {
800
+ return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
801
+ }
802
+ // Check issuer name
803
+ if (akid->issuer) {
804
+ // Ugh, for some peculiar reason AKID includes SEQUENCE OF
805
+ // GeneralName. So look for a DirName. There may be more than one but
806
+ // we only take any notice of the first.
807
+ GENERAL_NAMES *gens;
808
+ GENERAL_NAME *gen;
809
+ X509_NAME *nm = NULL;
810
+ size_t i;
811
+ gens = akid->issuer;
812
+ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
813
+ gen = sk_GENERAL_NAME_value(gens, i);
814
+ if (gen->type == GEN_DIRNAME) {
815
+ nm = gen->d.dirn;
816
+ break;
817
+ }
818
+ }
819
+ if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer))) {
820
+ return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
821
+ }
822
+ }
823
+ return X509_V_OK;
860
824
  }
861
825
 
862
- uint32_t X509_get_extension_flags(X509 *x)
863
- {
864
- /* Ignore the return value. On failure, |x->ex_flags| will include
865
- * |EXFLAG_INVALID|. */
866
- x509v3_cache_extensions(x);
867
- return x->ex_flags;
826
+ uint32_t X509_get_extension_flags(X509 *x) {
827
+ // Ignore the return value. On failure, |x->ex_flags| will include
828
+ // |EXFLAG_INVALID|.
829
+ x509v3_cache_extensions(x);
830
+ return x->ex_flags;
868
831
  }
869
832
 
870
- uint32_t X509_get_key_usage(X509 *x)
871
- {
872
- if (!x509v3_cache_extensions(x)) {
873
- return 0;
874
- }
875
- if (x->ex_flags & EXFLAG_KUSAGE)
876
- return x->ex_kusage;
877
- return UINT32_MAX;
833
+ uint32_t X509_get_key_usage(X509 *x) {
834
+ if (!x509v3_cache_extensions(x)) {
835
+ return 0;
836
+ }
837
+ if (x->ex_flags & EXFLAG_KUSAGE) {
838
+ return x->ex_kusage;
839
+ }
840
+ return UINT32_MAX;
878
841
  }
879
842
 
880
- uint32_t X509_get_extended_key_usage(X509 *x)
881
- {
882
- if (!x509v3_cache_extensions(x)) {
883
- return 0;
884
- }
885
- if (x->ex_flags & EXFLAG_XKUSAGE)
886
- return x->ex_xkusage;
887
- return UINT32_MAX;
843
+ uint32_t X509_get_extended_key_usage(X509 *x) {
844
+ if (!x509v3_cache_extensions(x)) {
845
+ return 0;
846
+ }
847
+ if (x->ex_flags & EXFLAG_XKUSAGE) {
848
+ return x->ex_xkusage;
849
+ }
850
+ return UINT32_MAX;
888
851
  }
889
852
 
890
- const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509)
891
- {
892
- if (!x509v3_cache_extensions(x509)) {
893
- return NULL;
894
- }
895
- return x509->skid;
853
+ const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509) {
854
+ if (!x509v3_cache_extensions(x509)) {
855
+ return NULL;
856
+ }
857
+ return x509->skid;
896
858
  }
897
859
 
898
- const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509)
899
- {
900
- if (!x509v3_cache_extensions(x509)) {
901
- return NULL;
902
- }
903
- return x509->akid != NULL ? x509->akid->keyid : NULL;
860
+ const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509) {
861
+ if (!x509v3_cache_extensions(x509)) {
862
+ return NULL;
863
+ }
864
+ return x509->akid != NULL ? x509->akid->keyid : NULL;
904
865
  }
905
866
 
906
- const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509)
907
- {
908
- if (!x509v3_cache_extensions(x509)) {
909
- return NULL;
910
- }
911
- return x509->akid != NULL ? x509->akid->issuer : NULL;
867
+ const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509) {
868
+ if (!x509v3_cache_extensions(x509)) {
869
+ return NULL;
870
+ }
871
+ return x509->akid != NULL ? x509->akid->issuer : NULL;
912
872
  }
913
873
 
914
- const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509)
915
- {
916
- if (!x509v3_cache_extensions(x509)) {
917
- return NULL;
918
- }
919
- return x509->akid != NULL ? x509->akid->serial : NULL;
874
+ const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509) {
875
+ if (!x509v3_cache_extensions(x509)) {
876
+ return NULL;
877
+ }
878
+ return x509->akid != NULL ? x509->akid->serial : NULL;
920
879
  }
921
880
 
922
- long X509_get_pathlen(X509 *x509)
923
- {
924
- if (!x509v3_cache_extensions(x509) ||
925
- (x509->ex_flags & EXFLAG_BCONS) == 0) {
926
- return -1;
927
- }
928
- return x509->ex_pathlen;
881
+ long X509_get_pathlen(X509 *x509) {
882
+ if (!x509v3_cache_extensions(x509) || (x509->ex_flags & EXFLAG_BCONS) == 0) {
883
+ return -1;
884
+ }
885
+ return x509->ex_pathlen;
929
886
  }