grpc 1.53.2 → 1.54.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of grpc might be problematic. Click here for more details.

Files changed (693) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +78 -66
  3. data/include/grpc/event_engine/event_engine.h +30 -14
  4. data/include/grpc/grpc_security.h +4 -0
  5. data/include/grpc/support/port_platform.h +4 -4
  6. data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +11 -0
  7. data/src/core/ext/filters/client_channel/backend_metric.cc +6 -0
  8. data/src/core/ext/filters/client_channel/backup_poller.cc +2 -11
  9. data/src/core/ext/filters/client_channel/backup_poller.h +0 -3
  10. data/src/core/ext/filters/client_channel/client_channel.cc +848 -813
  11. data/src/core/ext/filters/client_channel/client_channel.h +131 -173
  12. data/src/core/ext/filters/client_channel/client_channel_internal.h +114 -0
  13. data/src/core/ext/filters/client_channel/config_selector.h +4 -3
  14. data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +6 -1
  15. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +17 -18
  16. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +134 -151
  17. data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +2 -16
  18. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +14 -10
  19. data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +68 -30
  20. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +11 -3
  21. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -1
  22. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +2 -5
  23. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +2 -2
  24. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +30 -38
  25. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +4 -4
  26. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +20 -26
  27. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +31 -179
  28. data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +1 -2
  29. data/src/core/ext/filters/client_channel/resolver/polling_resolver.h +1 -2
  30. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +4 -2
  31. data/src/core/ext/filters/client_channel/retry_filter.cc +95 -102
  32. data/src/core/ext/filters/client_channel/subchannel.cc +2 -4
  33. data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +26 -27
  34. data/src/core/ext/filters/client_channel/subchannel_stream_client.h +8 -5
  35. data/src/core/ext/filters/http/client/http_client_filter.cc +3 -3
  36. data/src/core/ext/filters/http/http_filters_plugin.cc +1 -12
  37. data/src/core/ext/filters/http/message_compress/compression_filter.cc +27 -11
  38. data/src/core/ext/filters/message_size/message_size_filter.cc +141 -224
  39. data/src/core/ext/filters/message_size/message_size_filter.h +48 -3
  40. data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +7 -6
  41. data/src/core/ext/gcp/metadata_query.cc +142 -0
  42. data/src/core/ext/gcp/metadata_query.h +82 -0
  43. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +70 -55
  44. data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +8 -12
  45. data/src/core/ext/transport/chttp2/transport/bin_encoder.h +1 -5
  46. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +116 -58
  47. data/src/core/ext/transport/chttp2/transport/flow_control.cc +5 -2
  48. data/src/core/ext/transport/chttp2/transport/flow_control.h +2 -1
  49. data/src/core/ext/transport/chttp2/transport/frame_settings.cc +4 -1
  50. data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +222 -118
  51. data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +113 -295
  52. data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.cc +0 -2
  53. data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.h +0 -2
  54. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +277 -451
  55. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +1 -3
  56. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +12 -14
  57. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +1 -9
  58. data/src/core/ext/transport/chttp2/transport/internal.h +16 -3
  59. data/src/core/ext/transport/chttp2/transport/parsing.cc +3 -2
  60. data/src/core/ext/transport/chttp2/transport/writing.cc +10 -5
  61. data/src/core/ext/transport/inproc/inproc_transport.cc +20 -14
  62. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +5 -3
  63. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +22 -0
  64. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +5 -3
  65. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +22 -0
  66. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +23 -5
  67. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +94 -3
  68. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -2
  69. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -0
  70. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +6 -3
  71. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +22 -0
  72. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +24 -6
  73. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +111 -12
  74. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +9 -7
  75. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +27 -9
  76. data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.c +0 -1
  77. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +11 -7
  78. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +56 -12
  79. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.c +5 -3
  80. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.h +24 -0
  81. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.c +5 -3
  82. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.h +24 -0
  83. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.c +13 -2
  84. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.h +49 -0
  85. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +24 -9
  86. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +66 -12
  87. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +191 -187
  88. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +139 -136
  89. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +31 -15
  90. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +5 -0
  91. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +12 -9
  92. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +15 -0
  93. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +54 -45
  94. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c +135 -119
  95. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h +5 -0
  96. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +100 -97
  97. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.c +15 -18
  98. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +272 -264
  99. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +117 -117
  100. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +5 -5
  101. data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +5 -5
  102. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +5 -5
  103. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.c +12 -9
  104. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.h +5 -0
  105. data/src/core/ext/xds/xds_channel_stack_modifier.cc +1 -2
  106. data/src/core/ext/xds/xds_client_stats.cc +29 -15
  107. data/src/core/ext/xds/xds_client_stats.h +24 -20
  108. data/src/core/ext/xds/xds_endpoint.cc +5 -2
  109. data/src/core/ext/xds/xds_endpoint.h +9 -1
  110. data/src/core/ext/xds/xds_http_rbac_filter.cc +1 -1
  111. data/src/core/ext/xds/xds_lb_policy_registry.cc +13 -0
  112. data/src/core/ext/xds/xds_transport_grpc.cc +1 -1
  113. data/src/core/lib/channel/call_finalization.h +1 -1
  114. data/src/core/lib/channel/call_tracer.cc +51 -0
  115. data/src/core/lib/channel/call_tracer.h +101 -38
  116. data/src/core/lib/channel/connected_channel.cc +483 -1050
  117. data/src/core/lib/channel/context.h +8 -1
  118. data/src/core/lib/channel/promise_based_filter.cc +106 -42
  119. data/src/core/lib/channel/promise_based_filter.h +27 -13
  120. data/src/core/lib/channel/server_call_tracer_filter.cc +110 -0
  121. data/src/core/lib/config/config_vars.cc +151 -0
  122. data/src/core/lib/config/config_vars.h +127 -0
  123. data/src/core/lib/config/config_vars_non_generated.cc +51 -0
  124. data/src/core/lib/config/load_config.cc +66 -0
  125. data/src/core/lib/config/load_config.h +49 -0
  126. data/src/core/lib/debug/trace.cc +5 -6
  127. data/src/core/lib/debug/trace.h +0 -5
  128. data/src/core/lib/event_engine/event_engine.cc +37 -2
  129. data/src/core/lib/event_engine/handle_containers.h +7 -22
  130. data/src/core/lib/event_engine/memory_allocator_factory.h +47 -0
  131. data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +0 -4
  132. data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +3 -9
  133. data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +48 -15
  134. data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +8 -8
  135. data/src/core/lib/event_engine/posix_engine/posix_engine.cc +6 -5
  136. data/src/core/lib/event_engine/posix_engine/posix_engine.h +0 -1
  137. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +6 -32
  138. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.h +0 -3
  139. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +27 -18
  140. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +0 -3
  141. data/src/core/lib/event_engine/resolved_address.cc +2 -1
  142. data/src/core/lib/event_engine/windows/win_socket.cc +0 -1
  143. data/src/core/lib/event_engine/windows/windows_endpoint.cc +129 -82
  144. data/src/core/lib/event_engine/windows/windows_endpoint.h +21 -5
  145. data/src/core/lib/event_engine/windows/windows_engine.cc +39 -18
  146. data/src/core/lib/event_engine/windows/windows_engine.h +2 -1
  147. data/src/core/lib/event_engine/windows/windows_listener.cc +370 -0
  148. data/src/core/lib/event_engine/windows/windows_listener.h +155 -0
  149. data/src/core/lib/experiments/config.cc +3 -10
  150. data/src/core/lib/experiments/experiments.cc +7 -0
  151. data/src/core/lib/experiments/experiments.h +9 -1
  152. data/src/core/lib/gpr/log.cc +15 -28
  153. data/src/core/lib/gprpp/fork.cc +8 -14
  154. data/src/core/lib/gprpp/orphanable.h +4 -3
  155. data/src/core/lib/gprpp/per_cpu.h +9 -3
  156. data/src/core/lib/gprpp/{thd_posix.cc → posix/thd.cc} +49 -37
  157. data/src/core/lib/gprpp/ref_counted.h +33 -34
  158. data/src/core/lib/gprpp/thd.h +16 -0
  159. data/src/core/lib/gprpp/time.cc +1 -0
  160. data/src/core/lib/gprpp/time.h +4 -4
  161. data/src/core/lib/gprpp/{thd_windows.cc → windows/thd.cc} +2 -2
  162. data/src/core/lib/iomgr/call_combiner.h +2 -2
  163. data/src/core/lib/iomgr/endpoint_cfstream.cc +4 -2
  164. data/src/core/lib/iomgr/ev_posix.cc +13 -53
  165. data/src/core/lib/iomgr/ev_posix.h +0 -3
  166. data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +103 -76
  167. data/src/core/lib/iomgr/iomgr.cc +4 -8
  168. data/src/core/lib/iomgr/iomgr_windows.cc +8 -2
  169. data/src/core/lib/iomgr/pollset_set_windows.cc +9 -9
  170. data/src/core/lib/iomgr/pollset_windows.cc +1 -1
  171. data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -3
  172. data/src/core/lib/iomgr/tcp_client_windows.cc +2 -2
  173. data/src/core/lib/iomgr/tcp_posix.cc +0 -1
  174. data/src/core/lib/iomgr/tcp_server_posix.cc +19 -55
  175. data/src/core/lib/iomgr/tcp_server_utils_posix.h +0 -12
  176. data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +0 -21
  177. data/src/core/lib/iomgr/tcp_server_windows.cc +176 -9
  178. data/src/core/lib/iomgr/tcp_windows.cc +12 -8
  179. data/src/core/lib/load_balancing/lb_policy.cc +9 -13
  180. data/src/core/lib/load_balancing/lb_policy.h +4 -2
  181. data/src/core/lib/promise/activity.cc +22 -6
  182. data/src/core/lib/promise/activity.h +61 -24
  183. data/src/core/lib/promise/cancel_callback.h +77 -0
  184. data/src/core/lib/promise/detail/basic_seq.h +1 -1
  185. data/src/core/lib/promise/detail/promise_factory.h +4 -0
  186. data/src/core/lib/promise/for_each.h +176 -0
  187. data/src/core/lib/promise/if.h +9 -0
  188. data/src/core/lib/promise/interceptor_list.h +23 -2
  189. data/src/core/lib/promise/latch.h +89 -3
  190. data/src/core/lib/promise/loop.h +13 -9
  191. data/src/core/lib/promise/map.h +7 -0
  192. data/src/core/lib/promise/party.cc +286 -0
  193. data/src/core/lib/promise/party.h +499 -0
  194. data/src/core/lib/promise/pipe.h +197 -57
  195. data/src/core/lib/promise/poll.h +48 -0
  196. data/src/core/lib/promise/promise.h +2 -2
  197. data/src/core/lib/resource_quota/arena.cc +19 -3
  198. data/src/core/lib/resource_quota/arena.h +119 -5
  199. data/src/core/lib/resource_quota/memory_quota.cc +1 -1
  200. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +12 -35
  201. data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +1 -0
  202. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +0 -59
  203. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +10 -5
  204. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
  205. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +13 -0
  206. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +2 -0
  207. data/src/core/lib/security/security_connector/load_system_roots_supported.cc +5 -9
  208. data/src/core/lib/security/security_connector/ssl_utils.cc +11 -25
  209. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +12 -0
  210. data/src/core/lib/security/transport/secure_endpoint.cc +4 -2
  211. data/src/core/lib/security/transport/server_auth_filter.cc +20 -2
  212. data/src/core/lib/slice/slice.cc +1 -1
  213. data/src/core/lib/surface/builtins.cc +2 -0
  214. data/src/core/lib/surface/call.cc +926 -1024
  215. data/src/core/lib/surface/call.h +10 -0
  216. data/src/core/lib/surface/lame_client.cc +1 -0
  217. data/src/core/lib/surface/validate_metadata.cc +42 -43
  218. data/src/core/lib/surface/validate_metadata.h +0 -9
  219. data/src/core/lib/surface/version.cc +2 -2
  220. data/src/core/lib/transport/batch_builder.cc +179 -0
  221. data/src/core/lib/transport/batch_builder.h +468 -0
  222. data/src/core/lib/transport/bdp_estimator.cc +7 -7
  223. data/src/core/lib/transport/bdp_estimator.h +10 -6
  224. data/src/core/lib/transport/custom_metadata.h +30 -0
  225. data/src/core/lib/transport/metadata_batch.cc +5 -2
  226. data/src/core/lib/transport/metadata_batch.h +17 -113
  227. data/src/core/lib/transport/parsed_metadata.h +6 -16
  228. data/src/core/lib/transport/timeout_encoding.cc +6 -1
  229. data/src/core/lib/transport/transport.cc +30 -2
  230. data/src/core/lib/transport/transport.h +70 -14
  231. data/src/core/lib/transport/transport_impl.h +7 -0
  232. data/src/core/lib/transport/transport_op_string.cc +52 -42
  233. data/src/core/plugin_registry/grpc_plugin_registry.cc +2 -2
  234. data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +1 -0
  235. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +21 -4
  236. data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +5 -0
  237. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
  238. data/src/core/tsi/ssl_transport_security.cc +4 -2
  239. data/src/ruby/lib/grpc/version.rb +1 -1
  240. data/third_party/abseil-cpp/absl/base/config.h +1 -1
  241. data/third_party/abseil-cpp/absl/flags/commandlineflag.cc +34 -0
  242. data/third_party/abseil-cpp/absl/flags/commandlineflag.h +200 -0
  243. data/third_party/abseil-cpp/absl/flags/config.h +68 -0
  244. data/third_party/abseil-cpp/absl/flags/declare.h +73 -0
  245. data/third_party/abseil-cpp/absl/flags/flag.cc +38 -0
  246. data/third_party/abseil-cpp/absl/flags/flag.h +310 -0
  247. data/{src/core/lib/gprpp/global_config_custom.h → third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc} +11 -14
  248. data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.h +68 -0
  249. data/third_party/abseil-cpp/absl/flags/internal/flag.cc +615 -0
  250. data/third_party/abseil-cpp/absl/flags/internal/flag.h +800 -0
  251. data/third_party/abseil-cpp/absl/flags/internal/flag_msvc.inc +116 -0
  252. data/third_party/abseil-cpp/absl/flags/internal/path_util.h +62 -0
  253. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc +65 -0
  254. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h +61 -0
  255. data/third_party/abseil-cpp/absl/flags/internal/program_name.cc +60 -0
  256. data/third_party/abseil-cpp/absl/flags/internal/program_name.h +50 -0
  257. data/third_party/abseil-cpp/absl/flags/internal/registry.h +97 -0
  258. data/third_party/abseil-cpp/absl/flags/internal/sequence_lock.h +187 -0
  259. data/third_party/abseil-cpp/absl/flags/marshalling.cc +241 -0
  260. data/third_party/abseil-cpp/absl/flags/marshalling.h +356 -0
  261. data/third_party/abseil-cpp/absl/flags/reflection.cc +354 -0
  262. data/third_party/abseil-cpp/absl/flags/reflection.h +90 -0
  263. data/third_party/abseil-cpp/absl/flags/usage_config.cc +165 -0
  264. data/third_party/abseil-cpp/absl/flags/usage_config.h +135 -0
  265. data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +12 -8
  266. data/third_party/boringssl-with-bazel/err_data.c +728 -712
  267. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +177 -177
  268. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +28 -55
  269. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +21 -23
  270. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +20 -23
  271. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +66 -185
  272. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +18 -21
  273. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +356 -311
  274. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +174 -194
  275. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +146 -210
  276. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +6 -9
  277. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c +346 -526
  278. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +110 -131
  279. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +130 -116
  280. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +93 -60
  281. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +93 -181
  282. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +242 -305
  283. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +41 -18
  284. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +30 -33
  285. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +36 -33
  286. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +29 -26
  287. data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +133 -88
  288. data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.c +230 -0
  289. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +791 -791
  290. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +526 -526
  291. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +114 -135
  292. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +201 -207
  293. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +21 -26
  294. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +55 -68
  295. data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +2 -4
  296. data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +11 -7
  297. data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +4 -4
  298. data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +15 -9
  299. data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +4 -4
  300. data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +17 -10
  301. data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -3
  302. data/third_party/boringssl-with-bazel/src/crypto/bio/printf.c +0 -13
  303. data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -6
  304. data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +2 -0
  305. data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +9 -5
  306. data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +10 -23
  307. data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +2 -6
  308. data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.c +2 -1
  309. data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +29 -28
  310. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +161 -201
  311. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +254 -39
  312. data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +2 -2
  313. data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +0 -2
  314. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +4 -4
  315. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +9 -8
  316. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +37 -75
  317. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +8 -10
  318. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/cipher → cipher_extra}/e_des.c +100 -78
  319. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.c +1 -0
  320. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc2.c +1 -0
  321. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.c +2 -0
  322. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +6 -12
  323. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -11
  324. data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +6 -10
  325. data/third_party/boringssl-with-bazel/src/crypto/conf/conf_def.h +0 -1
  326. data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +12 -0
  327. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.c +74 -0
  328. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_freebsd.c +62 -0
  329. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-fuchsia.c → cpu_aarch64_fuchsia.c} +8 -7
  330. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-linux.c → cpu_aarch64_linux.c} +6 -4
  331. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-win.c → cpu_aarch64_win.c} +4 -4
  332. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm.c → cpu_arm.c} +1 -1
  333. data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.c +55 -0
  334. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.c → cpu_arm_linux.c} +11 -90
  335. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.h → cpu_arm_linux.h} +0 -38
  336. data/third_party/boringssl-with-bazel/src/crypto/{cpu-intel.c → cpu_intel.c} +1 -2
  337. data/third_party/boringssl-with-bazel/src/crypto/crypto.c +25 -20
  338. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +16 -27
  339. data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +17 -32
  340. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/des.c +232 -232
  341. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/internal.h +1 -1
  342. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.c +1 -0
  343. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/params.c +232 -29
  344. data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +0 -3
  345. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +39 -16
  346. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +37 -7
  347. data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +3 -3
  348. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +11 -36
  349. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +214 -99
  350. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +21 -5
  351. data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +2 -4
  352. data/third_party/boringssl-with-bazel/src/crypto/err/err.c +83 -60
  353. data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +46 -12
  354. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +3 -3
  355. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +25 -23
  356. data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +43 -9
  357. data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +75 -44
  358. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +19 -25
  359. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +96 -45
  360. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +7 -8
  361. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +26 -23
  362. data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.c +233 -0
  363. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +5 -5
  364. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +42 -25
  365. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +4 -5
  366. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +35 -47
  367. data/third_party/boringssl-with-bazel/src/crypto/evp/print.c +135 -244
  368. data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +2 -4
  369. data/third_party/boringssl-with-bazel/src/crypto/evp/sign.c +15 -10
  370. data/third_party/boringssl-with-bazel/src/crypto/ex_data.c +29 -15
  371. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +0 -2
  372. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +13 -14
  373. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +3 -13
  374. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +13 -7
  375. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +9 -7
  376. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +35 -27
  377. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +16 -26
  378. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c +88 -60
  379. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +4 -3
  380. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +0 -2
  381. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +1 -1
  382. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +1 -1
  383. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +99 -113
  384. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +0 -1
  385. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +5 -3
  386. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c +112 -168
  387. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +86 -31
  388. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +11 -6
  389. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +4 -5
  390. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +4 -5
  391. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +13 -0
  392. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +13 -5
  393. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +19 -108
  394. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +19 -15
  395. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +15 -16
  396. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +22 -21
  397. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.c +3 -0
  398. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +79 -19
  399. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +102 -99
  400. data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c +52 -46
  401. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +39 -0
  402. data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c +55 -11
  403. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c +2 -3
  404. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +21 -6
  405. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +56 -0
  406. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +5 -3
  407. data/third_party/boringssl-with-bazel/src/crypto/{evp → fipsmodule/digestsign}/digestsign.c +51 -15
  408. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +25 -25
  409. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +91 -17
  410. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +5 -5
  411. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +34 -12
  412. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +54 -23
  413. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +44 -60
  414. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64-table.h → p256-nistz-table.h} +1 -1
  415. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.c → p256-nistz.c} +60 -53
  416. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.h → p256-nistz.h} +5 -13
  417. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +48 -36
  418. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +2 -8
  419. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +2 -7
  420. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +2 -3
  421. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +0 -1
  422. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +8 -0
  423. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +42 -14
  424. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +6 -0
  425. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.c +52 -24
  426. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +9 -15
  427. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +1 -4
  428. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +2 -4
  429. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +71 -43
  430. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +14 -16
  431. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -4
  432. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +31 -13
  433. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +16 -8
  434. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +3 -2
  435. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +2 -2
  436. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +9 -38
  437. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +73 -59
  438. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -45
  439. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +0 -1
  440. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +22 -0
  441. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +63 -52
  442. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +107 -62
  443. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +58 -31
  444. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +41 -0
  445. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +523 -422
  446. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +89 -0
  447. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c +334 -0
  448. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +3 -12
  449. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +2 -0
  450. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +12 -8
  451. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +14 -12
  452. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +19 -6
  453. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +32 -14
  454. data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +65 -29
  455. data/third_party/boringssl-with-bazel/src/crypto/internal.h +373 -18
  456. data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +61 -0
  457. data/third_party/boringssl-with-bazel/src/crypto/kyber/keccak.c +205 -0
  458. data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +13 -1
  459. data/third_party/boringssl-with-bazel/src/crypto/mem.c +220 -13
  460. data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +19 -7
  461. data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +13 -1
  462. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +81 -90
  463. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +150 -245
  464. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +629 -613
  465. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +17 -17
  466. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +142 -149
  467. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +99 -131
  468. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.c +0 -1
  469. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.c +0 -1
  470. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +0 -1
  471. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +0 -3
  472. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -66
  473. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +31 -38
  474. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +2 -1
  475. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +18 -31
  476. data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +1 -0
  477. data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +8 -1
  478. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +129 -5
  479. data/third_party/boringssl-with-bazel/src/crypto/refcount_c11.c +0 -2
  480. data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +3 -4
  481. data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +8 -11
  482. data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +61 -27
  483. data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +10 -13
  484. data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +10 -13
  485. data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +66 -34
  486. data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +190 -77
  487. data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +81 -284
  488. data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +109 -42
  489. data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c +22 -24
  490. data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +54 -55
  491. data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +32 -34
  492. data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +32 -16
  493. data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +465 -704
  494. data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +284 -331
  495. data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +183 -178
  496. data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c +11 -15
  497. data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +67 -50
  498. data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +153 -150
  499. data/third_party/boringssl-with-bazel/src/crypto/x509/policy.c +786 -0
  500. data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +95 -102
  501. data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +72 -57
  502. data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +12 -10
  503. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +227 -252
  504. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +52 -47
  505. data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +3 -4
  506. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +230 -224
  507. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +161 -327
  508. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.c +37 -33
  509. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +14 -31
  510. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +55 -85
  511. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +534 -618
  512. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +129 -122
  513. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +116 -182
  514. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +132 -132
  515. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +181 -202
  516. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +64 -79
  517. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +175 -160
  518. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +1865 -2050
  519. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +433 -462
  520. data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +156 -163
  521. data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +267 -263
  522. data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +40 -15
  523. data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +59 -63
  524. data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +63 -67
  525. data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +114 -144
  526. data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +25 -26
  527. data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +326 -415
  528. data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +8 -7
  529. data/third_party/boringssl-with-bazel/src/crypto/x509/x_info.c +30 -28
  530. data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +354 -370
  531. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +37 -32
  532. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +116 -119
  533. data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +36 -26
  534. data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +3 -4
  535. data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.c +10 -13
  536. data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +3 -4
  537. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +419 -261
  538. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +113 -105
  539. data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +11 -15
  540. data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +78 -170
  541. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +126 -131
  542. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akeya.c +3 -4
  543. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +465 -469
  544. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bcons.c +56 -54
  545. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +46 -49
  546. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +309 -346
  547. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +341 -365
  548. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +429 -393
  549. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +29 -24
  550. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_extku.c +65 -59
  551. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +125 -121
  552. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +43 -42
  553. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +122 -125
  554. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_int.c +50 -20
  555. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +247 -253
  556. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +386 -389
  557. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +45 -32
  558. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c +57 -54
  559. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c +63 -67
  560. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +143 -136
  561. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +664 -707
  562. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +83 -75
  563. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1062 -1146
  564. data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +8 -4
  565. data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +28 -48
  566. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +211 -187
  567. data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +26 -78
  568. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +19 -14
  569. data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +21 -2
  570. data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +49 -17
  571. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +99 -29
  572. data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +49 -60
  573. data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +2 -15
  574. data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +16 -200
  575. data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +34 -0
  576. data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +82 -0
  577. data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +32 -30
  578. data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +7 -0
  579. data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +4 -0
  580. data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +48 -5
  581. data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +37 -8
  582. data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +1 -0
  583. data/third_party/boringssl-with-bazel/src/include/openssl/err.h +33 -5
  584. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +22 -30
  585. data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +1 -1
  586. data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +7 -0
  587. data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +41 -16
  588. data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +91 -0
  589. data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +74 -8
  590. data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +13 -0
  591. data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +1 -0
  592. data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +11 -15
  593. data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +8 -0
  594. data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +12 -1
  595. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +7 -4
  596. data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +96 -0
  597. data/third_party/boringssl-with-bazel/src/include/openssl/span.h +13 -21
  598. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +139 -75
  599. data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +1 -6
  600. data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +384 -286
  601. data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +5 -6
  602. data/third_party/boringssl-with-bazel/src/include/openssl/time.h +41 -0
  603. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +18 -7
  604. data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +49 -23
  605. data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +0 -11
  606. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1592 -1074
  607. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +202 -205
  608. data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +2 -2
  609. data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -13
  610. data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +17 -18
  611. data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +4 -5
  612. data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +25 -33
  613. data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +34 -20
  614. data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +65 -34
  615. data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +198 -54
  616. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +5 -5
  617. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +32 -28
  618. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +76 -44
  619. data/third_party/boringssl-with-bazel/src/ssl/internal.h +130 -98
  620. data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +27 -11
  621. data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
  622. data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +91 -75
  623. data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +8 -10
  624. data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +39 -65
  625. data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +1 -0
  626. data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +5 -9
  627. data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +30 -33
  628. data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +77 -100
  629. data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +120 -107
  630. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +164 -30
  631. data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +150 -60
  632. data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +22 -11
  633. data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +22 -6
  634. data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +15 -13
  635. data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +5 -43
  636. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +7 -4
  637. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +2 -2
  638. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +22 -34
  639. data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +2 -2
  640. data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +16 -98
  641. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +1241 -657
  642. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +751 -398
  643. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3551 -1938
  644. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1272 -487
  645. metadata +103 -70
  646. data/src/core/ext/filters/client_channel/lb_call_state_internal.h +0 -39
  647. data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.cc +0 -30
  648. data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.h +0 -29
  649. data/src/core/lib/gprpp/global_config.h +0 -93
  650. data/src/core/lib/gprpp/global_config_env.cc +0 -140
  651. data/src/core/lib/gprpp/global_config_env.h +0 -133
  652. data/src/core/lib/gprpp/global_config_generic.h +0 -40
  653. data/src/core/lib/promise/intra_activity_waiter.h +0 -55
  654. data/src/core/lib/security/security_connector/ssl_utils_config.cc +0 -32
  655. data/src/core/lib/security/security_connector/ssl_utils_config.h +0 -29
  656. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +0 -195
  657. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +0 -83
  658. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +0 -236
  659. data/third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h +0 -15
  660. data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +0 -206
  661. data/third_party/boringssl-with-bazel/src/crypto/cpu-ppc64le.c +0 -38
  662. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1-altivec.c +0 -361
  663. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +0 -287
  664. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +0 -132
  665. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_lib.c +0 -155
  666. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +0 -131
  667. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +0 -189
  668. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +0 -843
  669. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +0 -289
  670. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c +0 -57
  671. /data/src/core/lib/gpr/{log_android.cc → android/log.cc} +0 -0
  672. /data/src/core/lib/gpr/{cpu_iphone.cc → iphone/cpu.cc} +0 -0
  673. /data/src/core/lib/gpr/{cpu_linux.cc → linux/cpu.cc} +0 -0
  674. /data/src/core/lib/gpr/{log_linux.cc → linux/log.cc} +0 -0
  675. /data/src/core/lib/gpr/{tmpfile_msys.cc → msys/tmpfile.cc} +0 -0
  676. /data/src/core/lib/gpr/{cpu_posix.cc → posix/cpu.cc} +0 -0
  677. /data/src/core/lib/gpr/{log_posix.cc → posix/log.cc} +0 -0
  678. /data/src/core/lib/gpr/{string_posix.cc → posix/string.cc} +0 -0
  679. /data/src/core/lib/gpr/{sync_posix.cc → posix/sync.cc} +0 -0
  680. /data/src/core/lib/gpr/{time_posix.cc → posix/time.cc} +0 -0
  681. /data/src/core/lib/gpr/{tmpfile_posix.cc → posix/tmpfile.cc} +0 -0
  682. /data/src/core/lib/gpr/{cpu_windows.cc → windows/cpu.cc} +0 -0
  683. /data/src/core/lib/gpr/{log_windows.cc → windows/log.cc} +0 -0
  684. /data/src/core/lib/gpr/{string_windows.cc → windows/string.cc} +0 -0
  685. /data/src/core/lib/gpr/{string_util_windows.cc → windows/string_util.cc} +0 -0
  686. /data/src/core/lib/gpr/{sync_windows.cc → windows/sync.cc} +0 -0
  687. /data/src/core/lib/gpr/{time_windows.cc → windows/time.cc} +0 -0
  688. /data/src/core/lib/gpr/{tmpfile_windows.cc → windows/tmpfile.cc} +0 -0
  689. /data/src/core/lib/gprpp/{env_linux.cc → linux/env.cc} +0 -0
  690. /data/src/core/lib/gprpp/{env_posix.cc → posix/env.cc} +0 -0
  691. /data/src/core/lib/gprpp/{stat_posix.cc → posix/stat.cc} +0 -0
  692. /data/src/core/lib/gprpp/{env_windows.cc → windows/env.cc} +0 -0
  693. /data/src/core/lib/gprpp/{stat_windows.cc → windows/stat.cc} +0 -0
@@ -25,9 +25,20 @@ extern "C" {
25
25
  // Random number generation.
26
26
 
27
27
 
28
- // RAND_bytes writes |len| bytes of random data to |buf| and returns one.
28
+ // RAND_bytes writes |len| bytes of random data to |buf| and returns one. In the
29
+ // event that sufficient random data can not be obtained, |abort| is called.
29
30
  OPENSSL_EXPORT int RAND_bytes(uint8_t *buf, size_t len);
30
31
 
32
+ // RAND_get_system_entropy_for_custom_prng writes |len| bytes of random data
33
+ // from a system entropy source to |buf|. The maximum length of entropy which
34
+ // may be requested is 256 bytes. If more than 256 bytes of data is requested,
35
+ // or if sufficient random data can not be obtained, |abort| is called.
36
+ // |RAND_bytes| should normally be used instead of this function. This function
37
+ // should only be used for seed values or where |malloc| should not be called
38
+ // from BoringSSL. This function is not FIPS compliant.
39
+ OPENSSL_EXPORT void RAND_get_system_entropy_for_custom_prng(uint8_t *buf,
40
+ size_t len);
41
+
31
42
  // RAND_cleanup frees any resources used by the RNG. This is not safe if other
32
43
  // threads might still be calling |RAND_bytes|.
33
44
  OPENSSL_EXPORT void RAND_cleanup(void);
@@ -298,8 +298,8 @@ OPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from,
298
298
  // |hash_nid|. Passing unhashed inputs will not result in a secure signature
299
299
  // scheme.
300
300
  OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *digest,
301
- unsigned digest_len, uint8_t *out,
302
- unsigned *out_len, RSA *rsa);
301
+ size_t digest_len, uint8_t *out, unsigned *out_len,
302
+ RSA *rsa);
303
303
 
304
304
  // RSA_sign_pss_mgf1 signs |digest_len| bytes from |digest| with the public key
305
305
  // from |rsa| using RSASSA-PSS with MGF1 as the mask generation function. It
@@ -615,6 +615,9 @@ OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *rsa, int idx);
615
615
  // constants.
616
616
  OPENSSL_EXPORT int RSA_flags(const RSA *rsa);
617
617
 
618
+ // RSA_test_flags returns the subset of flags in |flags| which are set in |rsa|.
619
+ OPENSSL_EXPORT int RSA_test_flags(const RSA *rsa, int flags);
620
+
618
621
  // RSA_blinding_on returns one.
619
622
  OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
620
623
 
@@ -622,7 +625,7 @@ OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
622
625
  // should use instead. It returns NULL on error, or a newly-allocated |RSA| on
623
626
  // success. This function is provided for compatibility only. The |callback|
624
627
  // and |cb_arg| parameters must be NULL.
625
- OPENSSL_EXPORT RSA *RSA_generate_key(int bits, unsigned long e, void *callback,
628
+ OPENSSL_EXPORT RSA *RSA_generate_key(int bits, uint64_t e, void *callback,
626
629
  void *cb_arg);
627
630
 
628
631
  // d2i_RSAPublicKey parses a DER-encoded RSAPublicKey structure (RFC 8017) from
@@ -772,7 +775,7 @@ struct rsa_st {
772
775
  // num_blindings contains the size of the |blindings| and |blindings_inuse|
773
776
  // arrays. This member and the |blindings_inuse| array are protected by
774
777
  // |lock|.
775
- unsigned num_blindings;
778
+ size_t num_blindings;
776
779
  // blindings is an array of BN_BLINDING structures that can be reserved by a
777
780
  // thread by locking |lock| and changing the corresponding element in
778
781
  // |blindings_inuse| from 0 to 1.
@@ -0,0 +1,96 @@
1
+ /* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2
+ *
3
+ * Permission to use, copy, modify, and/or distribute this software for any
4
+ * purpose with or without fee is hereby granted, provided that the above
5
+ * copyright notice and this permission notice appear in all copies.
6
+ *
7
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
+
15
+ #ifndef OPENSSL_HEADER_SERVICE_INDICATOR_H
16
+ #define OPENSSL_HEADER_SERVICE_INDICATOR_H
17
+
18
+ #include <openssl/base.h>
19
+
20
+ #if defined(__cplusplus)
21
+ extern "C" {
22
+ #endif
23
+
24
+ // FIPS_service_indicator_before_call and |FIPS_service_indicator_after_call|
25
+ // both currently return the same local thread counter which is slowly
26
+ // incremented whenever approved services are called. The
27
+ // |CALL_SERVICE_AND_CHECK_APPROVED| macro is strongly recommended over calling
28
+ // these functions directly.
29
+ //
30
+ // |FIPS_service_indicator_before_call| is intended to be called immediately
31
+ // before an approved service, while |FIPS_service_indicator_after_call| should
32
+ // be called immediately after. If the values returned from these two functions
33
+ // are not equal, this means that the service called inbetween is deemed to be
34
+ // approved. If the values are still the same, this means the counter has not
35
+ // been incremented, and the service called is not approved for FIPS.
36
+ //
37
+ // In non-FIPS builds, |FIPS_service_indicator_before_call| always returns zero
38
+ // and |FIPS_service_indicator_after_call| always returns one. Thus calls always
39
+ // appear to be approved. This is intended to simplify testing.
40
+ OPENSSL_EXPORT uint64_t FIPS_service_indicator_before_call(void);
41
+ OPENSSL_EXPORT uint64_t FIPS_service_indicator_after_call(void);
42
+
43
+ #if defined(__cplusplus)
44
+ }
45
+
46
+ #if !defined(BORINGSSL_NO_CXX)
47
+
48
+ extern "C++" {
49
+
50
+ // CALL_SERVICE_AND_CHECK_APPROVED runs |func| and sets |approved| to one of the
51
+ // |FIPSStatus*| values, above, depending on whether |func| invoked an
52
+ // approved service. The result of |func| becomes the result of this macro.
53
+ #define CALL_SERVICE_AND_CHECK_APPROVED(approved, func) \
54
+ [&] { \
55
+ bssl::FIPSIndicatorHelper fips_indicator_helper(&approved); \
56
+ return func; \
57
+ }()
58
+
59
+ namespace bssl {
60
+
61
+ enum class FIPSStatus {
62
+ NOT_APPROVED = 0,
63
+ APPROVED = 1,
64
+ };
65
+
66
+ // FIPSIndicatorHelper records whether the service indicator counter advanced
67
+ // during its lifetime.
68
+ class FIPSIndicatorHelper {
69
+ public:
70
+ FIPSIndicatorHelper(FIPSStatus *result)
71
+ : result_(result), before_(FIPS_service_indicator_before_call()) {
72
+ *result_ = FIPSStatus::NOT_APPROVED;
73
+ }
74
+
75
+ ~FIPSIndicatorHelper() {
76
+ uint64_t after = FIPS_service_indicator_after_call();
77
+ if (after != before_) {
78
+ *result_ = FIPSStatus::APPROVED;
79
+ }
80
+ }
81
+
82
+ FIPSIndicatorHelper(const FIPSIndicatorHelper&) = delete;
83
+ FIPSIndicatorHelper &operator=(const FIPSIndicatorHelper &) = delete;
84
+
85
+ private:
86
+ FIPSStatus *const result_;
87
+ const uint64_t before_;
88
+ };
89
+
90
+ } // namespace bssl
91
+ } // extern "C++"
92
+
93
+ #endif // !BORINGSSL_NO_CXX
94
+ #endif // __cplusplus
95
+
96
+ #endif // OPENSSL_HEADER_SERVICE_INDICATOR_H
@@ -96,6 +96,15 @@ class Span : private internal::SpanBase<const T> {
96
96
  private:
97
97
  static const size_t npos = static_cast<size_t>(-1);
98
98
 
99
+ // Heuristically test whether C is a container type that can be converted into
100
+ // a Span by checking for data() and size() member functions.
101
+ //
102
+ // TODO(davidben): Require C++17 support for std::is_convertible_v, etc.
103
+ template <typename C>
104
+ using EnableIfContainer = std::enable_if_t<
105
+ std::is_convertible<decltype(std::declval<C>().data()), T *>::value &&
106
+ std::is_integral<decltype(std::declval<C>().size())>::value>;
107
+
99
108
  public:
100
109
  constexpr Span() : Span(nullptr, 0) {}
101
110
  constexpr Span(T *ptr, size_t len) : data_(ptr), size_(len) {}
@@ -103,29 +112,12 @@ class Span : private internal::SpanBase<const T> {
103
112
  template <size_t N>
104
113
  constexpr Span(T (&array)[N]) : Span(array, N) {}
105
114
 
106
- template <
107
- typename C,
108
- // TODO(davidben): Switch everything to std::enable_if_t when we remove
109
- // support for MSVC 2015. Although we could write our own enable_if_t and
110
- // MSVC 2015 has std::enable_if_t anyway, MSVC 2015's SFINAE
111
- // implementation is problematic and does not work below unless we write
112
- // the ::type at use.
113
- //
114
- // TODO(davidben): Move this and the identical copy below into an
115
- // EnableIfContainer alias when we drop MSVC 2015 support. MSVC 2015's
116
- // SFINAE support cannot handle type aliases.
117
- typename = typename std::enable_if<
118
- std::is_convertible<decltype(std::declval<C>().data()), T *>::value &&
119
- std::is_integral<decltype(std::declval<C>().size())>::value>::type,
120
- typename = typename std::enable_if<std::is_const<T>::value, C>::type>
115
+ template <typename C, typename = EnableIfContainer<C>,
116
+ typename = std::enable_if_t<std::is_const<T>::value, C>>
121
117
  Span(const C &container) : data_(container.data()), size_(container.size()) {}
122
118
 
123
- template <
124
- typename C,
125
- typename = typename std::enable_if<
126
- std::is_convertible<decltype(std::declval<C>().data()), T *>::value &&
127
- std::is_integral<decltype(std::declval<C>().size())>::value>::type,
128
- typename = typename std::enable_if<!std::is_const<T>::value, C>::type>
119
+ template <typename C, typename = EnableIfContainer<C>,
120
+ typename = std::enable_if_t<!std::is_const<T>::value, C>>
129
121
  explicit Span(C &container)
130
122
  : data_(container.data()), size_(container.size()) {}
131
123
 
@@ -157,11 +157,6 @@
157
157
  #include <sys/time.h>
158
158
  #endif
159
159
 
160
- // NGINX needs this #include. Consider revisiting this after NGINX 1.14.0 has
161
- // been out for a year or so (assuming that they fix it in that release.) See
162
- // https://boringssl-review.googlesource.com/c/boringssl/+/21664.
163
- #include <openssl/hmac.h>
164
-
165
160
  // Forward-declare struct timeval. On Windows, it is defined in winsock2.h and
166
161
  // Windows headers define too many macros to be included in public headers.
167
162
  // However, only a forward declaration is needed.
@@ -2281,6 +2276,17 @@ OPENSSL_EXPORT void SSL_CTX_set_ticket_aead_method(
2281
2276
  OPENSSL_EXPORT SSL_SESSION *SSL_process_tls13_new_session_ticket(
2282
2277
  SSL *ssl, const uint8_t *buf, size_t buf_len);
2283
2278
 
2279
+ // SSL_CTX_set_num_tickets configures |ctx| to send |num_tickets| immediately
2280
+ // after a successful TLS 1.3 handshake as a server. It returns one. Large
2281
+ // values of |num_tickets| will be capped within the library.
2282
+ //
2283
+ // By default, BoringSSL sends two tickets.
2284
+ OPENSSL_EXPORT int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets);
2285
+
2286
+ // SSL_CTX_get_num_tickets returns the number of tickets |ctx| will send
2287
+ // immediately after a successful TLS 1.3 handshake as a server.
2288
+ OPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
2289
+
2284
2290
 
2285
2291
  // Elliptic curve Diffie-Hellman.
2286
2292
  //
@@ -2329,6 +2335,8 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);
2329
2335
  #define SSL_CURVE_SECP521R1 25
2330
2336
  #define SSL_CURVE_X25519 29
2331
2337
  #define SSL_CURVE_CECPQ2 16696
2338
+ #define SSL_CURVE_X25519KYBER768 0xfe31
2339
+ #define SSL_CURVE_P256KYBER768 0xfe32
2332
2340
 
2333
2341
  // SSL_get_curve_id returns the ID of the curve used by |ssl|'s most recently
2334
2342
  // completed handshake or 0 if not applicable.
@@ -2341,6 +2349,20 @@ OPENSSL_EXPORT uint16_t SSL_get_curve_id(const SSL *ssl);
2341
2349
  // the given TLS curve id, or NULL if the curve is unknown.
2342
2350
  OPENSSL_EXPORT const char *SSL_get_curve_name(uint16_t curve_id);
2343
2351
 
2352
+ // SSL_CTX_set1_groups calls |SSL_CTX_set1_curves|.
2353
+ OPENSSL_EXPORT int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups,
2354
+ size_t groups_len);
2355
+
2356
+ // SSL_set1_groups calls |SSL_set1_curves|.
2357
+ OPENSSL_EXPORT int SSL_set1_groups(SSL *ssl, const int *groups,
2358
+ size_t groups_len);
2359
+
2360
+ // SSL_CTX_set1_groups_list calls |SSL_CTX_set1_curves_list|.
2361
+ OPENSSL_EXPORT int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups);
2362
+
2363
+ // SSL_set1_groups_list calls |SSL_set1_curves_list|.
2364
+ OPENSSL_EXPORT int SSL_set1_groups_list(SSL *ssl, const char *groups);
2365
+
2344
2366
 
2345
2367
  // Certificate verification.
2346
2368
  //
@@ -2459,6 +2481,15 @@ OPENSSL_EXPORT int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(
2459
2481
  OPENSSL_EXPORT int (*SSL_get_verify_callback(const SSL *ssl))(
2460
2482
  int ok, X509_STORE_CTX *store_ctx);
2461
2483
 
2484
+ // SSL_set1_host sets a DNS name that will be required to be present in the
2485
+ // verified leaf certificate. It returns one on success and zero on error.
2486
+ //
2487
+ // Note: unless _some_ name checking is performed, certificate validation is
2488
+ // ineffective. Simply checking that a host has some certificate from a CA is
2489
+ // rarely meaningful—you have to check that the CA believed that the host was
2490
+ // who you expect to be talking to.
2491
+ OPENSSL_EXPORT int SSL_set1_host(SSL *ssl, const char *hostname);
2492
+
2462
2493
  // SSL_CTX_set_verify_depth sets the maximum depth of a certificate chain
2463
2494
  // accepted in verification. This number does not include the leaf, so a depth
2464
2495
  // of 1 allows the leaf and one CA certificate.
@@ -2632,6 +2663,11 @@ OPENSSL_EXPORT int SSL_set_verify_algorithm_prefs(SSL *ssl,
2632
2663
  const uint16_t *prefs,
2633
2664
  size_t num_prefs);
2634
2665
 
2666
+ // SSL_set_hostflags calls |X509_VERIFY_PARAM_set_hostflags| on the
2667
+ // |X509_VERIFY_PARAM| associated with this |SSL*|. The |flags| argument
2668
+ // should be one of the |X509_CHECK_*| constants.
2669
+ OPENSSL_EXPORT void SSL_set_hostflags(SSL *ssl, unsigned flags);
2670
+
2635
2671
 
2636
2672
  // Client certificate CA list.
2637
2673
  //
@@ -2697,7 +2733,7 @@ OPENSSL_EXPORT int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509);
2697
2733
 
2698
2734
  // SSL_load_client_CA_file opens |file| and reads PEM-encoded certificates from
2699
2735
  // it. It returns a newly-allocated stack of the certificate subjects or NULL
2700
- // on error.
2736
+ // on error. Duplicates in |file| are ignored.
2701
2737
  OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
2702
2738
 
2703
2739
  // SSL_dup_CA_list makes a deep copy of |list|. It returns the new list on
@@ -2710,6 +2746,11 @@ OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list);
2710
2746
  OPENSSL_EXPORT int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,
2711
2747
  const char *file);
2712
2748
 
2749
+ // SSL_add_bio_cert_subjects_to_stack behaves like
2750
+ // |SSL_add_file_cert_subjects_to_stack| but reads from |bio|.
2751
+ OPENSSL_EXPORT int SSL_add_bio_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,
2752
+ BIO *bio);
2753
+
2713
2754
 
2714
2755
  // Server name indication.
2715
2756
  //
@@ -2788,7 +2829,7 @@ OPENSSL_EXPORT SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx);
2788
2829
  // WARNING: this function is dangerous because it breaks the usual return value
2789
2830
  // convention.
2790
2831
  OPENSSL_EXPORT int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
2791
- unsigned protos_len);
2832
+ size_t protos_len);
2792
2833
 
2793
2834
  // SSL_set_alpn_protos sets the client ALPN protocol list on |ssl| to |protos|.
2794
2835
  // |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
@@ -2799,7 +2840,7 @@ OPENSSL_EXPORT int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
2799
2840
  // WARNING: this function is dangerous because it breaks the usual return value
2800
2841
  // convention.
2801
2842
  OPENSSL_EXPORT int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos,
2802
- unsigned protos_len);
2843
+ size_t protos_len);
2803
2844
 
2804
2845
  // SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is called
2805
2846
  // during ClientHello processing in order to select an ALPN protocol from the
@@ -3887,13 +3928,14 @@ OPENSSL_EXPORT int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
3887
3928
  const uint8_t **out_write_iv,
3888
3929
  size_t *out_iv_len);
3889
3930
 
3890
- // SSL_get_key_block_len returns the length of |ssl|'s key block. It is an error
3891
- // to call this function during a handshake.
3931
+ // SSL_get_key_block_len returns the length of |ssl|'s key block, for TLS 1.2
3932
+ // and below. It is an error to call this function during a handshake, or if
3933
+ // |ssl| negotiated TLS 1.3.
3892
3934
  OPENSSL_EXPORT size_t SSL_get_key_block_len(const SSL *ssl);
3893
3935
 
3894
3936
  // SSL_generate_key_block generates |out_len| bytes of key material for |ssl|'s
3895
- // current connection state. It is an error to call this function during a
3896
- // handshake.
3937
+ // current connection state, for TLS 1.2 and below. It is an error to call this
3938
+ // function during a handshake, or if |ssl| negotiated TLS 1.3.
3897
3939
  OPENSSL_EXPORT int SSL_generate_key_block(const SSL *ssl, uint8_t *out,
3898
3940
  size_t out_len);
3899
3941
 
@@ -3947,8 +3989,9 @@ OPENSSL_EXPORT int SSL_CTX_set_record_protocol_version(SSL_CTX *ctx,
3947
3989
  // those cases, BoringSSL will not predict a signature as there is no benefit.
3948
3990
  // Callers must allow for handshakes to complete without a predicted signature.
3949
3991
  //
3950
- // For now, only TLS 1.3 is hinted. TLS 1.2 will work, but the hints will be
3951
- // empty.
3992
+ // Handshake hints are supported for TLS 1.3 and partially supported for
3993
+ // TLS 1.2. TLS 1.2 resumption handshakes are not yet fully hinted. They will
3994
+ // still work, but may not be as efficient.
3952
3995
 
3953
3996
  // SSL_serialize_capabilities writes an opaque byte string to |out| describing
3954
3997
  // some of |ssl|'s capabilities. It returns one on success and zero on error.
@@ -4025,10 +4068,16 @@ OPENSSL_EXPORT int SSL_set_handshake_hints(SSL *ssl, const uint8_t *hints,
4025
4068
  // |len| bytes from |buf| contain the handshake message, one-byte
4026
4069
  // ChangeCipherSpec body, and two-byte alert, respectively.
4027
4070
  //
4071
+ // In connections that enable ECH, |cb| is additionally called with
4072
+ // |content_type| = |SSL3_RT_CLIENT_HELLO_INNER| for each ClientHelloInner that
4073
+ // is encrypted or decrypted. The |len| bytes from |buf| contain the
4074
+ // ClientHelloInner, including the reconstructed outer extensions and handshake
4075
+ // header.
4076
+ //
4028
4077
  // For a V2ClientHello, |version| is |SSL2_VERSION|, |content_type| is zero, and
4029
4078
  // the |len| bytes from |buf| contain the V2ClientHello structure.
4030
4079
  OPENSSL_EXPORT void SSL_CTX_set_msg_callback(
4031
- SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type,
4080
+ SSL_CTX *ctx, void (*cb)(int is_write, int version, int content_type,
4032
4081
  const void *buf, size_t len, SSL *ssl, void *arg));
4033
4082
 
4034
4083
  // SSL_CTX_set_msg_callback_arg sets the |arg| parameter of the message
@@ -4098,6 +4147,13 @@ enum ssl_renegotiate_mode_t BORINGSSL_ENUM_INT {
4098
4147
  // renegotiation attempts by a server. If |ssl| is a server, peer-initiated
4099
4148
  // renegotiations are *always* rejected and this function does nothing.
4100
4149
  //
4150
+ // WARNING: Renegotiation is error-prone, complicates TLS's security properties,
4151
+ // and increases its attack surface. When enabled, many common assumptions about
4152
+ // BoringSSL's behavior no longer hold, and the calling application must handle
4153
+ // more cases. Renegotiation is also incompatible with many application
4154
+ // protocols, e.g. section 9.2.1 of RFC 7540. Many functions behave in ambiguous
4155
+ // or undefined ways during a renegotiation.
4156
+ //
4101
4157
  // The renegotiation mode defaults to |ssl_renegotiate_never|, but may be set
4102
4158
  // at any point in a connection's lifetime. Set it to |ssl_renegotiate_once| to
4103
4159
  // allow one renegotiation, |ssl_renegotiate_freely| to allow all
@@ -4119,6 +4175,20 @@ enum ssl_renegotiate_mode_t BORINGSSL_ENUM_INT {
4119
4175
  // e.g., ALPN must enable renegotiation before the handshake and conditionally
4120
4176
  // disable it afterwards.
4121
4177
  //
4178
+ // When enabled, renegotiation can cause properties of |ssl|, such as the cipher
4179
+ // suite, to change during the lifetime of the connection. More over, during a
4180
+ // renegotiation, not all properties of the new handshake are available or fully
4181
+ // established. In BoringSSL, most functions, such as |SSL_get_current_cipher|,
4182
+ // report information from the most recently completed handshake, not the
4183
+ // pending one. However, renegotiation may rerun handshake callbacks, such as
4184
+ // |SSL_CTX_set_cert_cb|. Such callbacks must ensure they are acting on the
4185
+ // desired versions of each property.
4186
+ //
4187
+ // BoringSSL does not reverify peer certificates on renegotiation and instead
4188
+ // requires they match between handshakes, so certificate verification callbacks
4189
+ // (see |SSL_CTX_set_custom_verify|) may assume |ssl| is in the initial
4190
+ // handshake and use |SSL_get0_peer_certificates|, etc.
4191
+ //
4122
4192
  // There is no support in BoringSSL for initiating renegotiations as a client
4123
4193
  // or server.
4124
4194
  OPENSSL_EXPORT void SSL_set_renegotiate_mode(SSL *ssl,
@@ -4254,12 +4324,24 @@ OPENSSL_EXPORT void SSL_CTX_set_dos_protection_cb(
4254
4324
  // respected on clients.
4255
4325
  OPENSSL_EXPORT void SSL_CTX_set_reverify_on_resume(SSL_CTX *ctx, int enabled);
4256
4326
 
4257
- // SSL_set_enforce_rsa_key_usage configures whether the keyUsage extension of
4258
- // RSA leaf certificates will be checked for consistency with the TLS
4259
- // usage. This parameter may be set late; it will not be read until after the
4327
+ // SSL_set_enforce_rsa_key_usage configures whether, when |ssl| is a client
4328
+ // negotiating TLS 1.2 or below, the keyUsage extension of RSA leaf server
4329
+ // certificates will be checked for consistency with the TLS usage. In all other
4330
+ // cases, this check is always enabled.
4331
+ //
4332
+ // This parameter may be set late; it will not be read until after the
4260
4333
  // certificate verification callback.
4261
4334
  OPENSSL_EXPORT void SSL_set_enforce_rsa_key_usage(SSL *ssl, int enabled);
4262
4335
 
4336
+ // SSL_was_key_usage_invalid returns one if |ssl|'s handshake succeeded despite
4337
+ // using TLS parameters which were incompatible with the leaf certificate's
4338
+ // keyUsage extension. Otherwise, it returns zero.
4339
+ //
4340
+ // If |SSL_set_enforce_rsa_key_usage| is enabled or not applicable, this
4341
+ // function will always return zero because key usages will be consistently
4342
+ // checked.
4343
+ OPENSSL_EXPORT int SSL_was_key_usage_invalid(const SSL *ssl);
4344
+
4263
4345
  // SSL_ST_* are possible values for |SSL_state|, the bitmasks that make them up,
4264
4346
  // and some historical values for compatibility. Only |SSL_ST_INIT| and
4265
4347
  // |SSL_ST_OK| are ever returned.
@@ -5077,6 +5159,44 @@ OPENSSL_EXPORT int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
5077
5159
  OPENSSL_EXPORT uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *cipher);
5078
5160
 
5079
5161
 
5162
+ // Compliance policy configurations
5163
+ //
5164
+ // A TLS connection has a large number of different parameters. Some are well
5165
+ // known, like cipher suites, but many are obscure and configuration functions
5166
+ // for them may not exist. These policy controls allow broad configuration
5167
+ // goals to be specified so that they can flow down to all the different
5168
+ // parameters of a TLS connection.
5169
+
5170
+ enum ssl_compliance_policy_t BORINGSSL_ENUM_INT {
5171
+ // ssl_policy_fips_202205 configures a TLS connection to use:
5172
+ // * TLS 1.2 or 1.3
5173
+ // * For TLS 1.2, only ECDHE_[RSA|ECDSA]_WITH_AES_*_GCM_SHA*.
5174
+ // * For TLS 1.3, only AES-GCM
5175
+ // * P-256 or P-384 for key agreement.
5176
+ // * For server signatures, only PKCS#1/PSS with SHA256/384/512, or ECDSA
5177
+ // with P-256 or P-384.
5178
+ //
5179
+ // Note: this policy can be configured even if BoringSSL has not been built in
5180
+ // FIPS mode. Call |FIPS_mode| to check that.
5181
+ //
5182
+ // Note: this setting aids with compliance with NIST requirements but does not
5183
+ // guarantee it. Careful reading of SP 800-52r2 is recommended.
5184
+ ssl_compliance_policy_fips_202205,
5185
+ };
5186
+
5187
+ // SSL_CTX_set_compliance_policy configures various aspects of |ctx| based on
5188
+ // the given policy requirements. Subsequently calling other functions that
5189
+ // configure |ctx| may override |policy|, or may not. This should be the final
5190
+ // configuration function called in order to have defined behaviour.
5191
+ OPENSSL_EXPORT int SSL_CTX_set_compliance_policy(
5192
+ SSL_CTX *ctx, enum ssl_compliance_policy_t policy);
5193
+
5194
+ // SSL_set_compliance_policy acts the same as |SSL_CTX_set_compliance_policy|,
5195
+ // but only configures a single |SSL*|.
5196
+ OPENSSL_EXPORT int SSL_set_compliance_policy(
5197
+ SSL *ssl, enum ssl_compliance_policy_t policy);
5198
+
5199
+
5080
5200
  // Nodejs compatibility section (hidden).
5081
5201
  //
5082
5202
  // These defines exist for node.js, with the hope that we can eliminate the
@@ -5243,62 +5363,6 @@ BORINGSSL_MAKE_UP_REF(SSL_ECH_KEYS, SSL_ECH_KEYS_up_ref)
5243
5363
  BORINGSSL_MAKE_DELETER(SSL_SESSION, SSL_SESSION_free)
5244
5364
  BORINGSSL_MAKE_UP_REF(SSL_SESSION, SSL_SESSION_up_ref)
5245
5365
 
5246
- enum class OpenRecordResult {
5247
- kOK,
5248
- kDiscard,
5249
- kIncompleteRecord,
5250
- kAlertCloseNotify,
5251
- kError,
5252
- };
5253
-
5254
- // *** EXPERIMENTAL -- DO NOT USE ***
5255
- //
5256
- // OpenRecord decrypts the first complete SSL record from |in| in-place, sets
5257
- // |out| to the decrypted application data, and |out_record_len| to the length
5258
- // of the encrypted record. Returns:
5259
- // - kOK if an application-data record was successfully decrypted and verified.
5260
- // - kDiscard if a record was sucessfully processed, but should be discarded.
5261
- // - kIncompleteRecord if |in| did not contain a complete record.
5262
- // - kAlertCloseNotify if a record was successfully processed but is a
5263
- // close_notify alert.
5264
- // - kError if an error occurred or the record is invalid. |*out_alert| will be
5265
- // set to an alert to emit, or zero if no alert should be emitted.
5266
- OPENSSL_EXPORT OpenRecordResult OpenRecord(SSL *ssl, Span<uint8_t> *out,
5267
- size_t *out_record_len,
5268
- uint8_t *out_alert,
5269
- Span<uint8_t> in);
5270
-
5271
- OPENSSL_EXPORT size_t SealRecordPrefixLen(const SSL *ssl, size_t plaintext_len);
5272
-
5273
- // SealRecordSuffixLen returns the length of the suffix written by |SealRecord|.
5274
- //
5275
- // |plaintext_len| must be equal to the size of the plaintext passed to
5276
- // |SealRecord|.
5277
- //
5278
- // |plaintext_len| must not exceed |SSL3_RT_MAX_PLAINTEXT_LENGTH|. The returned
5279
- // suffix length will not exceed |SSL3_RT_MAX_ENCRYPTED_OVERHEAD|.
5280
- OPENSSL_EXPORT size_t SealRecordSuffixLen(const SSL *ssl, size_t plaintext_len);
5281
-
5282
- // *** EXPERIMENTAL -- DO NOT USE ***
5283
- //
5284
- // SealRecord encrypts the cleartext of |in| and scatters the resulting TLS
5285
- // application data record between |out_prefix|, |out|, and |out_suffix|. It
5286
- // returns true on success or false if an error occurred.
5287
- //
5288
- // The length of |out_prefix| must equal |SealRecordPrefixLen|. The length of
5289
- // |out| must equal the length of |in|, which must not exceed
5290
- // |SSL3_RT_MAX_PLAINTEXT_LENGTH|. The length of |out_suffix| must equal
5291
- // |SealRecordSuffixLen|.
5292
- //
5293
- // If enabled, |SealRecord| may perform TLS 1.0 CBC 1/n-1 record splitting.
5294
- // |SealRecordPrefixLen| accounts for the required overhead if that is the case.
5295
- //
5296
- // |out| may equal |in| to encrypt in-place but may not otherwise alias.
5297
- // |out_prefix| and |out_suffix| may not alias anything.
5298
- OPENSSL_EXPORT bool SealRecord(SSL *ssl, Span<uint8_t> out_prefix,
5299
- Span<uint8_t> out, Span<uint8_t> out_suffix,
5300
- Span<const uint8_t> in);
5301
-
5302
5366
 
5303
5367
  // *** EXPERIMENTAL — DO NOT USE WITHOUT CHECKING ***
5304
5368
  //
@@ -5584,7 +5648,7 @@ BSSL_NAMESPACE_END
5584
5648
  #define SSL_R_INVALID_ECH_PUBLIC_NAME 317
5585
5649
  #define SSL_R_INVALID_ECH_CONFIG_LIST 318
5586
5650
  #define SSL_R_ECH_REJECTED 319
5587
- #define SSL_R_OUTER_EXTENSION_NOT_FOUND 320
5651
+ #define SSL_R_INVALID_OUTER_EXTENSION 320
5588
5652
  #define SSL_R_INCONSISTENT_ECH_NEGOTIATION 321
5589
5653
  #define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
5590
5654
  #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
@@ -1,4 +1,3 @@
1
- /* ssl/ssl3.h */
2
1
  /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3
2
  * All rights reserved.
4
3
  *
@@ -118,7 +117,6 @@
118
117
  #define OPENSSL_HEADER_SSL3_H
119
118
 
120
119
  #include <openssl/aead.h>
121
- #include <openssl/type_check.h>
122
120
 
123
121
  #ifdef __cplusplus
124
122
  extern "C" {
@@ -251,10 +249,6 @@ extern "C" {
251
249
  #define SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
252
250
  (EVP_AEAD_MAX_OVERHEAD + EVP_AEAD_MAX_NONCE_LENGTH)
253
251
 
254
- OPENSSL_STATIC_ASSERT(SSL3_RT_MAX_ENCRYPTED_OVERHEAD >=
255
- SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD,
256
- "max overheads are inconsistent");
257
-
258
252
  // SSL3_RT_MAX_COMPRESSED_LENGTH is an alias for
259
253
  // |SSL3_RT_MAX_PLAIN_LENGTH|. Compression is gone, so don't include the
260
254
  // compression overhead.
@@ -275,6 +269,7 @@ OPENSSL_STATIC_ASSERT(SSL3_RT_MAX_ENCRYPTED_OVERHEAD >=
275
269
 
276
270
  // Pseudo content type for SSL/TLS header info
277
271
  #define SSL3_RT_HEADER 0x100
272
+ #define SSL3_RT_CLIENT_HELLO_INNER 0x101
278
273
 
279
274
  #define SSL3_AL_WARNING 1
280
275
  #define SSL3_AL_FATAL 2