grpc 1.53.2 → 1.54.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +78 -66
- data/include/grpc/event_engine/event_engine.h +30 -14
- data/include/grpc/grpc_security.h +4 -0
- data/include/grpc/support/port_platform.h +4 -4
- data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +11 -0
- data/src/core/ext/filters/client_channel/backend_metric.cc +6 -0
- data/src/core/ext/filters/client_channel/backup_poller.cc +2 -11
- data/src/core/ext/filters/client_channel/backup_poller.h +0 -3
- data/src/core/ext/filters/client_channel/client_channel.cc +848 -813
- data/src/core/ext/filters/client_channel/client_channel.h +131 -173
- data/src/core/ext/filters/client_channel/client_channel_internal.h +114 -0
- data/src/core/ext/filters/client_channel/config_selector.h +4 -3
- data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +6 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +17 -18
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +134 -151
- data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +2 -16
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +14 -10
- data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +68 -30
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +11 -3
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -1
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +2 -5
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +30 -38
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +20 -26
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +31 -179
- data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +1 -2
- data/src/core/ext/filters/client_channel/resolver/polling_resolver.h +1 -2
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +4 -2
- data/src/core/ext/filters/client_channel/retry_filter.cc +95 -102
- data/src/core/ext/filters/client_channel/subchannel.cc +2 -4
- data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +26 -27
- data/src/core/ext/filters/client_channel/subchannel_stream_client.h +8 -5
- data/src/core/ext/filters/http/client/http_client_filter.cc +3 -3
- data/src/core/ext/filters/http/http_filters_plugin.cc +1 -12
- data/src/core/ext/filters/http/message_compress/compression_filter.cc +27 -11
- data/src/core/ext/filters/message_size/message_size_filter.cc +141 -224
- data/src/core/ext/filters/message_size/message_size_filter.h +48 -3
- data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +7 -6
- data/src/core/ext/gcp/metadata_query.cc +142 -0
- data/src/core/ext/gcp/metadata_query.h +82 -0
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +70 -55
- data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +8 -12
- data/src/core/ext/transport/chttp2/transport/bin_encoder.h +1 -5
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +116 -58
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +5 -2
- data/src/core/ext/transport/chttp2/transport/flow_control.h +2 -1
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +4 -1
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +222 -118
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +113 -295
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.cc +0 -2
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.h +0 -2
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +277 -451
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +1 -3
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +12 -14
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +1 -9
- data/src/core/ext/transport/chttp2/transport/internal.h +16 -3
- data/src/core/ext/transport/chttp2/transport/parsing.cc +3 -2
- data/src/core/ext/transport/chttp2/transport/writing.cc +10 -5
- data/src/core/ext/transport/inproc/inproc_transport.cc +20 -14
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +23 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +94 -3
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -2
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +6 -3
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +24 -6
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +111 -12
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +9 -7
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +27 -9
- data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +11 -7
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +56 -12
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.h +24 -0
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.h +24 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.c +13 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.h +49 -0
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +24 -9
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +66 -12
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +191 -187
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +139 -136
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +31 -15
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +15 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +54 -45
- data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c +135 -119
- data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +100 -97
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.c +15 -18
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +272 -264
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +117 -117
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.h +5 -0
- data/src/core/ext/xds/xds_channel_stack_modifier.cc +1 -2
- data/src/core/ext/xds/xds_client_stats.cc +29 -15
- data/src/core/ext/xds/xds_client_stats.h +24 -20
- data/src/core/ext/xds/xds_endpoint.cc +5 -2
- data/src/core/ext/xds/xds_endpoint.h +9 -1
- data/src/core/ext/xds/xds_http_rbac_filter.cc +1 -1
- data/src/core/ext/xds/xds_lb_policy_registry.cc +13 -0
- data/src/core/ext/xds/xds_transport_grpc.cc +1 -1
- data/src/core/lib/channel/call_finalization.h +1 -1
- data/src/core/lib/channel/call_tracer.cc +51 -0
- data/src/core/lib/channel/call_tracer.h +101 -38
- data/src/core/lib/channel/connected_channel.cc +483 -1050
- data/src/core/lib/channel/context.h +8 -1
- data/src/core/lib/channel/promise_based_filter.cc +106 -42
- data/src/core/lib/channel/promise_based_filter.h +27 -13
- data/src/core/lib/channel/server_call_tracer_filter.cc +110 -0
- data/src/core/lib/config/config_vars.cc +151 -0
- data/src/core/lib/config/config_vars.h +127 -0
- data/src/core/lib/config/config_vars_non_generated.cc +51 -0
- data/src/core/lib/config/load_config.cc +66 -0
- data/src/core/lib/config/load_config.h +49 -0
- data/src/core/lib/debug/trace.cc +5 -6
- data/src/core/lib/debug/trace.h +0 -5
- data/src/core/lib/event_engine/event_engine.cc +37 -2
- data/src/core/lib/event_engine/handle_containers.h +7 -22
- data/src/core/lib/event_engine/memory_allocator_factory.h +47 -0
- data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +0 -4
- data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +3 -9
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +48 -15
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +8 -8
- data/src/core/lib/event_engine/posix_engine/posix_engine.cc +6 -5
- data/src/core/lib/event_engine/posix_engine/posix_engine.h +0 -1
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +6 -32
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.h +0 -3
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +27 -18
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +0 -3
- data/src/core/lib/event_engine/resolved_address.cc +2 -1
- data/src/core/lib/event_engine/windows/win_socket.cc +0 -1
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +129 -82
- data/src/core/lib/event_engine/windows/windows_endpoint.h +21 -5
- data/src/core/lib/event_engine/windows/windows_engine.cc +39 -18
- data/src/core/lib/event_engine/windows/windows_engine.h +2 -1
- data/src/core/lib/event_engine/windows/windows_listener.cc +370 -0
- data/src/core/lib/event_engine/windows/windows_listener.h +155 -0
- data/src/core/lib/experiments/config.cc +3 -10
- data/src/core/lib/experiments/experiments.cc +7 -0
- data/src/core/lib/experiments/experiments.h +9 -1
- data/src/core/lib/gpr/log.cc +15 -28
- data/src/core/lib/gprpp/fork.cc +8 -14
- data/src/core/lib/gprpp/orphanable.h +4 -3
- data/src/core/lib/gprpp/per_cpu.h +9 -3
- data/src/core/lib/gprpp/{thd_posix.cc → posix/thd.cc} +49 -37
- data/src/core/lib/gprpp/ref_counted.h +33 -34
- data/src/core/lib/gprpp/thd.h +16 -0
- data/src/core/lib/gprpp/time.cc +1 -0
- data/src/core/lib/gprpp/time.h +4 -4
- data/src/core/lib/gprpp/{thd_windows.cc → windows/thd.cc} +2 -2
- data/src/core/lib/iomgr/call_combiner.h +2 -2
- data/src/core/lib/iomgr/endpoint_cfstream.cc +4 -2
- data/src/core/lib/iomgr/ev_posix.cc +13 -53
- data/src/core/lib/iomgr/ev_posix.h +0 -3
- data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +103 -76
- data/src/core/lib/iomgr/iomgr.cc +4 -8
- data/src/core/lib/iomgr/iomgr_windows.cc +8 -2
- data/src/core/lib/iomgr/pollset_set_windows.cc +9 -9
- data/src/core/lib/iomgr/pollset_windows.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -3
- data/src/core/lib/iomgr/tcp_client_windows.cc +2 -2
- data/src/core/lib/iomgr/tcp_posix.cc +0 -1
- data/src/core/lib/iomgr/tcp_server_posix.cc +19 -55
- data/src/core/lib/iomgr/tcp_server_utils_posix.h +0 -12
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +0 -21
- data/src/core/lib/iomgr/tcp_server_windows.cc +176 -9
- data/src/core/lib/iomgr/tcp_windows.cc +12 -8
- data/src/core/lib/load_balancing/lb_policy.cc +9 -13
- data/src/core/lib/load_balancing/lb_policy.h +4 -2
- data/src/core/lib/promise/activity.cc +22 -6
- data/src/core/lib/promise/activity.h +61 -24
- data/src/core/lib/promise/cancel_callback.h +77 -0
- data/src/core/lib/promise/detail/basic_seq.h +1 -1
- data/src/core/lib/promise/detail/promise_factory.h +4 -0
- data/src/core/lib/promise/for_each.h +176 -0
- data/src/core/lib/promise/if.h +9 -0
- data/src/core/lib/promise/interceptor_list.h +23 -2
- data/src/core/lib/promise/latch.h +89 -3
- data/src/core/lib/promise/loop.h +13 -9
- data/src/core/lib/promise/map.h +7 -0
- data/src/core/lib/promise/party.cc +286 -0
- data/src/core/lib/promise/party.h +499 -0
- data/src/core/lib/promise/pipe.h +197 -57
- data/src/core/lib/promise/poll.h +48 -0
- data/src/core/lib/promise/promise.h +2 -2
- data/src/core/lib/resource_quota/arena.cc +19 -3
- data/src/core/lib/resource_quota/arena.h +119 -5
- data/src/core/lib/resource_quota/memory_quota.cc +1 -1
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +12 -35
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +1 -0
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +0 -59
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +10 -5
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +13 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +2 -0
- data/src/core/lib/security/security_connector/load_system_roots_supported.cc +5 -9
- data/src/core/lib/security/security_connector/ssl_utils.cc +11 -25
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +12 -0
- data/src/core/lib/security/transport/secure_endpoint.cc +4 -2
- data/src/core/lib/security/transport/server_auth_filter.cc +20 -2
- data/src/core/lib/slice/slice.cc +1 -1
- data/src/core/lib/surface/builtins.cc +2 -0
- data/src/core/lib/surface/call.cc +926 -1024
- data/src/core/lib/surface/call.h +10 -0
- data/src/core/lib/surface/lame_client.cc +1 -0
- data/src/core/lib/surface/validate_metadata.cc +42 -43
- data/src/core/lib/surface/validate_metadata.h +0 -9
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/batch_builder.cc +179 -0
- data/src/core/lib/transport/batch_builder.h +468 -0
- data/src/core/lib/transport/bdp_estimator.cc +7 -7
- data/src/core/lib/transport/bdp_estimator.h +10 -6
- data/src/core/lib/transport/custom_metadata.h +30 -0
- data/src/core/lib/transport/metadata_batch.cc +5 -2
- data/src/core/lib/transport/metadata_batch.h +17 -113
- data/src/core/lib/transport/parsed_metadata.h +6 -16
- data/src/core/lib/transport/timeout_encoding.cc +6 -1
- data/src/core/lib/transport/transport.cc +30 -2
- data/src/core/lib/transport/transport.h +70 -14
- data/src/core/lib/transport/transport_impl.h +7 -0
- data/src/core/lib/transport/transport_op_string.cc +52 -42
- data/src/core/plugin_registry/grpc_plugin_registry.cc +2 -2
- data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +1 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +21 -4
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +5 -0
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
- data/src/core/tsi/ssl_transport_security.cc +4 -2
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/abseil-cpp/absl/base/config.h +1 -1
- data/third_party/abseil-cpp/absl/flags/commandlineflag.cc +34 -0
- data/third_party/abseil-cpp/absl/flags/commandlineflag.h +200 -0
- data/third_party/abseil-cpp/absl/flags/config.h +68 -0
- data/third_party/abseil-cpp/absl/flags/declare.h +73 -0
- data/third_party/abseil-cpp/absl/flags/flag.cc +38 -0
- data/third_party/abseil-cpp/absl/flags/flag.h +310 -0
- data/{src/core/lib/gprpp/global_config_custom.h → third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc} +11 -14
- data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.h +68 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag.cc +615 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag.h +800 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag_msvc.inc +116 -0
- data/third_party/abseil-cpp/absl/flags/internal/path_util.h +62 -0
- data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc +65 -0
- data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h +61 -0
- data/third_party/abseil-cpp/absl/flags/internal/program_name.cc +60 -0
- data/third_party/abseil-cpp/absl/flags/internal/program_name.h +50 -0
- data/third_party/abseil-cpp/absl/flags/internal/registry.h +97 -0
- data/third_party/abseil-cpp/absl/flags/internal/sequence_lock.h +187 -0
- data/third_party/abseil-cpp/absl/flags/marshalling.cc +241 -0
- data/third_party/abseil-cpp/absl/flags/marshalling.h +356 -0
- data/third_party/abseil-cpp/absl/flags/reflection.cc +354 -0
- data/third_party/abseil-cpp/absl/flags/reflection.h +90 -0
- data/third_party/abseil-cpp/absl/flags/usage_config.cc +165 -0
- data/third_party/abseil-cpp/absl/flags/usage_config.h +135 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +12 -8
- data/third_party/boringssl-with-bazel/err_data.c +728 -712
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +177 -177
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +28 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +21 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +20 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +66 -185
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +18 -21
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +356 -311
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +174 -194
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +146 -210
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +6 -9
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c +346 -526
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +110 -131
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +130 -116
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +93 -60
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +93 -181
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +242 -305
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +41 -18
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +30 -33
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +36 -33
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +29 -26
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +133 -88
- data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.c +230 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +791 -791
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +526 -526
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +114 -135
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +201 -207
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +21 -26
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +55 -68
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +11 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +15 -9
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +17 -10
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -3
- data/third_party/boringssl-with-bazel/src/crypto/bio/printf.c +0 -13
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +9 -5
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +10 -23
- data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +2 -6
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +29 -28
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +161 -201
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +254 -39
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +37 -75
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +8 -10
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/cipher → cipher_extra}/e_des.c +100 -78
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc2.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +6 -12
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -11
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +6 -10
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf_def.h +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +12 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.c +74 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_freebsd.c +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-fuchsia.c → cpu_aarch64_fuchsia.c} +8 -7
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-linux.c → cpu_aarch64_linux.c} +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-win.c → cpu_aarch64_win.c} +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm.c → cpu_arm.c} +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.c +55 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.c → cpu_arm_linux.c} +11 -90
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.h → cpu_arm_linux.h} +0 -38
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-intel.c → cpu_intel.c} +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +25 -20
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +16 -27
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +17 -32
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/des.c +232 -232
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/dh_extra/params.c +232 -29
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +0 -3
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +39 -16
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +37 -7
- data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +11 -36
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +214 -99
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +21 -5
- data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/err/err.c +83 -60
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +46 -12
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +25 -23
- data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +43 -9
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +75 -44
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +19 -25
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +96 -45
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +7 -8
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +26 -23
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.c +233 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +42 -25
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +35 -47
- data/third_party/boringssl-with-bazel/src/crypto/evp/print.c +135 -244
- data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/evp/sign.c +15 -10
- data/third_party/boringssl-with-bazel/src/crypto/ex_data.c +29 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +13 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +3 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +13 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +9 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +35 -27
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +16 -26
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c +88 -60
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +99 -113
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +5 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c +112 -168
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +86 -31
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +11 -6
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +13 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +13 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +19 -108
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +19 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +15 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +22 -21
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +79 -19
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +102 -99
- data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c +52 -46
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +39 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c +55 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +21 -6
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +56 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +5 -3
- data/third_party/boringssl-with-bazel/src/crypto/{evp → fipsmodule/digestsign}/digestsign.c +51 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +25 -25
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +91 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +34 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +54 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +44 -60
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64-table.h → p256-nistz-table.h} +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.c → p256-nistz.c} +60 -53
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.h → p256-nistz.h} +5 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +48 -36
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +2 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +2 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +42 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +6 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.c +52 -24
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +9 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +71 -43
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +14 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +31 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +16 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +9 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +73 -59
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -45
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +22 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +63 -52
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +107 -62
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +58 -31
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +523 -422
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +89 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c +334 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +3 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +12 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +14 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +19 -6
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +32 -14
- data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +65 -29
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +373 -18
- data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +61 -0
- data/third_party/boringssl-with-bazel/src/crypto/kyber/keccak.c +205 -0
- data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +13 -1
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +220 -13
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +19 -7
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +13 -1
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +81 -90
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +150 -245
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +629 -613
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +17 -17
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +142 -149
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +99 -131
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +0 -3
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -66
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +31 -38
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +18 -31
- data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +8 -1
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +129 -5
- data/third_party/boringssl-with-bazel/src/crypto/refcount_c11.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +8 -11
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +61 -27
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +66 -34
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +190 -77
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +81 -284
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +109 -42
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c +22 -24
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +54 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +32 -34
- data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +32 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +465 -704
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +284 -331
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +183 -178
- data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c +11 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +67 -50
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +153 -150
- data/third_party/boringssl-with-bazel/src/crypto/x509/policy.c +786 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +95 -102
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +72 -57
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +12 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +227 -252
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +52 -47
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +230 -224
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +161 -327
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.c +37 -33
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +14 -31
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +55 -85
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +534 -618
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +129 -122
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +116 -182
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +132 -132
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +181 -202
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +64 -79
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +175 -160
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +1865 -2050
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +433 -462
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +156 -163
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +267 -263
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +40 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +59 -63
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +63 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +114 -144
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +25 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +326 -415
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +8 -7
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_info.c +30 -28
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +354 -370
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +37 -32
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +116 -119
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +36 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +419 -261
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +113 -105
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +11 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +78 -170
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +126 -131
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akeya.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +465 -469
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bcons.c +56 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +46 -49
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +309 -346
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +341 -365
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +429 -393
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +29 -24
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_extku.c +65 -59
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +125 -121
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +43 -42
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +122 -125
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_int.c +50 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +247 -253
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +386 -389
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +45 -32
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c +57 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c +63 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +143 -136
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +664 -707
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +83 -75
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1062 -1146
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +8 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +28 -48
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +211 -187
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +26 -78
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +19 -14
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +21 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +49 -17
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +99 -29
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +49 -60
- data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +2 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +16 -200
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +34 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +82 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +32 -30
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +7 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +48 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +37 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +33 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +22 -30
- data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +7 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +41 -16
- data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +91 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +74 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +13 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +11 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +8 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +12 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +7 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +96 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +13 -21
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +139 -75
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +1 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +384 -286
- data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +5 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/time.h +41 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +18 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +49 -23
- data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +0 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1592 -1074
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +202 -205
- data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -13
- data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +17 -18
- data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +4 -5
- data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +25 -33
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +34 -20
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +65 -34
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +198 -54
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +5 -5
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +32 -28
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +76 -44
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +130 -98
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +27 -11
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +91 -75
- data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +8 -10
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +39 -65
- data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +1 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +5 -9
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +30 -33
- data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +77 -100
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +120 -107
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +164 -30
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +150 -60
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +22 -11
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +22 -6
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +15 -13
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +5 -43
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +7 -4
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +22 -34
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +16 -98
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +1241 -657
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +751 -398
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3551 -1938
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1272 -487
- metadata +103 -70
- data/src/core/ext/filters/client_channel/lb_call_state_internal.h +0 -39
- data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.cc +0 -30
- data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.h +0 -29
- data/src/core/lib/gprpp/global_config.h +0 -93
- data/src/core/lib/gprpp/global_config_env.cc +0 -140
- data/src/core/lib/gprpp/global_config_env.h +0 -133
- data/src/core/lib/gprpp/global_config_generic.h +0 -40
- data/src/core/lib/promise/intra_activity_waiter.h +0 -55
- data/src/core/lib/security/security_connector/ssl_utils_config.cc +0 -32
- data/src/core/lib/security/security_connector/ssl_utils_config.h +0 -29
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +0 -195
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +0 -83
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +0 -236
- data/third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h +0 -15
- data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +0 -206
- data/third_party/boringssl-with-bazel/src/crypto/cpu-ppc64le.c +0 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1-altivec.c +0 -361
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +0 -287
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +0 -132
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_lib.c +0 -155
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +0 -131
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +0 -189
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +0 -843
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +0 -289
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c +0 -57
- /data/src/core/lib/gpr/{log_android.cc → android/log.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_iphone.cc → iphone/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_linux.cc → linux/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_linux.cc → linux/log.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_msys.cc → msys/tmpfile.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_posix.cc → posix/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_posix.cc → posix/log.cc} +0 -0
- /data/src/core/lib/gpr/{string_posix.cc → posix/string.cc} +0 -0
- /data/src/core/lib/gpr/{sync_posix.cc → posix/sync.cc} +0 -0
- /data/src/core/lib/gpr/{time_posix.cc → posix/time.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_posix.cc → posix/tmpfile.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_windows.cc → windows/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_windows.cc → windows/log.cc} +0 -0
- /data/src/core/lib/gpr/{string_windows.cc → windows/string.cc} +0 -0
- /data/src/core/lib/gpr/{string_util_windows.cc → windows/string_util.cc} +0 -0
- /data/src/core/lib/gpr/{sync_windows.cc → windows/sync.cc} +0 -0
- /data/src/core/lib/gpr/{time_windows.cc → windows/time.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_windows.cc → windows/tmpfile.cc} +0 -0
- /data/src/core/lib/gprpp/{env_linux.cc → linux/env.cc} +0 -0
- /data/src/core/lib/gprpp/{env_posix.cc → posix/env.cc} +0 -0
- /data/src/core/lib/gprpp/{stat_posix.cc → posix/stat.cc} +0 -0
- /data/src/core/lib/gprpp/{env_windows.cc → windows/env.cc} +0 -0
- /data/src/core/lib/gprpp/{stat_windows.cc → windows/stat.cc} +0 -0
|
@@ -140,7 +140,10 @@
|
|
|
140
140
|
|
|
141
141
|
#include <openssl/ssl.h>
|
|
142
142
|
|
|
143
|
+
#include <algorithm>
|
|
144
|
+
|
|
143
145
|
#include <assert.h>
|
|
146
|
+
#include <limits.h>
|
|
144
147
|
#include <stdlib.h>
|
|
145
148
|
#include <string.h>
|
|
146
149
|
|
|
@@ -164,6 +167,10 @@
|
|
|
164
167
|
|
|
165
168
|
BSSL_NAMESPACE_BEGIN
|
|
166
169
|
|
|
170
|
+
static_assert(SSL3_RT_MAX_ENCRYPTED_OVERHEAD >=
|
|
171
|
+
SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD,
|
|
172
|
+
"max overheads are inconsistent");
|
|
173
|
+
|
|
167
174
|
// |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it
|
|
168
175
|
// to avoid downstream churn.
|
|
169
176
|
OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL)
|
|
@@ -517,7 +524,8 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
|
|
|
517
524
|
allow_unknown_alpn_protos(false),
|
|
518
525
|
false_start_allowed_without_alpn(false),
|
|
519
526
|
handoff(false),
|
|
520
|
-
enable_early_data(false)
|
|
527
|
+
enable_early_data(false),
|
|
528
|
+
only_fips_cipher_suites_in_tls13(false) {
|
|
521
529
|
CRYPTO_MUTEX_init(&lock);
|
|
522
530
|
CRYPTO_new_ex_data(&ex_data);
|
|
523
531
|
}
|
|
@@ -637,6 +645,8 @@ SSL *SSL_new(SSL_CTX *ctx) {
|
|
|
637
645
|
ssl->config->retain_only_sha256_of_client_certs =
|
|
638
646
|
ctx->retain_only_sha256_of_client_certs;
|
|
639
647
|
ssl->config->permute_extensions = ctx->permute_extensions;
|
|
648
|
+
ssl->config->only_fips_cipher_suites_in_tls13 =
|
|
649
|
+
ctx->only_fips_cipher_suites_in_tls13;
|
|
640
650
|
|
|
641
651
|
if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) ||
|
|
642
652
|
!ssl->config->alpn_client_proto_list.CopyFrom(
|
|
@@ -1053,6 +1063,7 @@ int SSL_write(SSL *ssl, const void *buf, int num) {
|
|
|
1053
1063
|
}
|
|
1054
1064
|
|
|
1055
1065
|
int ret = 0;
|
|
1066
|
+
size_t bytes_written = 0;
|
|
1056
1067
|
bool needs_handshake = false;
|
|
1057
1068
|
do {
|
|
1058
1069
|
// If necessary, complete the handshake implicitly.
|
|
@@ -1067,10 +1078,16 @@ int SSL_write(SSL *ssl, const void *buf, int num) {
|
|
|
1067
1078
|
}
|
|
1068
1079
|
}
|
|
1069
1080
|
|
|
1070
|
-
|
|
1071
|
-
|
|
1081
|
+
if (num < 0) {
|
|
1082
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH);
|
|
1083
|
+
return -1;
|
|
1084
|
+
}
|
|
1085
|
+
ret = ssl->method->write_app_data(
|
|
1086
|
+
ssl, &needs_handshake, &bytes_written,
|
|
1087
|
+
MakeConstSpan(static_cast<const uint8_t *>(buf),
|
|
1088
|
+
static_cast<size_t>(num)));
|
|
1072
1089
|
} while (needs_handshake);
|
|
1073
|
-
return ret;
|
|
1090
|
+
return ret <= 0 ? ret : static_cast<int>(bytes_written);
|
|
1074
1091
|
}
|
|
1075
1092
|
|
|
1076
1093
|
int SSL_key_update(SSL *ssl, int request_type) {
|
|
@@ -1234,7 +1251,7 @@ void SSL_reset_early_data_reject(SSL *ssl) {
|
|
|
1234
1251
|
// Discard any unfinished writes from the perspective of |SSL_write|'s
|
|
1235
1252
|
// retry. The handshake will transparently flush out the pending record
|
|
1236
1253
|
// (discarded by the server) to keep the framing correct.
|
|
1237
|
-
ssl->s3->
|
|
1254
|
+
ssl->s3->pending_write = {};
|
|
1238
1255
|
}
|
|
1239
1256
|
|
|
1240
1257
|
enum ssl_early_data_reason_t SSL_get_early_data_reason(const SSL *ssl) {
|
|
@@ -1303,7 +1320,7 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
|
|
|
1303
1320
|
}
|
|
1304
1321
|
|
|
1305
1322
|
if (ret_code == 0) {
|
|
1306
|
-
if (ssl->s3->
|
|
1323
|
+
if (ssl->s3->rwstate == SSL_ERROR_ZERO_RETURN) {
|
|
1307
1324
|
return SSL_ERROR_ZERO_RETURN;
|
|
1308
1325
|
}
|
|
1309
1326
|
// An EOF was observed which violates the protocol, and the underlying
|
|
@@ -1933,9 +1950,23 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) {
|
|
|
1933
1950
|
return tls1_set_curves_list(&ssl->config->supported_group_list, curves);
|
|
1934
1951
|
}
|
|
1935
1952
|
|
|
1953
|
+
int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) {
|
|
1954
|
+
return SSL_CTX_set1_curves(ctx, groups, groups_len);
|
|
1955
|
+
}
|
|
1956
|
+
|
|
1957
|
+
int SSL_set1_groups(SSL *ssl, const int *groups, size_t groups_len) {
|
|
1958
|
+
return SSL_set1_curves(ssl, groups, groups_len);
|
|
1959
|
+
}
|
|
1960
|
+
|
|
1961
|
+
int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) {
|
|
1962
|
+
return SSL_CTX_set1_curves_list(ctx, groups);
|
|
1963
|
+
}
|
|
1964
|
+
|
|
1965
|
+
int SSL_set1_groups_list(SSL *ssl, const char *groups) {
|
|
1966
|
+
return SSL_set1_curves_list(ssl, groups);
|
|
1967
|
+
}
|
|
1968
|
+
|
|
1936
1969
|
uint16_t SSL_get_curve_id(const SSL *ssl) {
|
|
1937
|
-
// TODO(davidben): This checks the wrong session if there is a renegotiation
|
|
1938
|
-
// in progress.
|
|
1939
1970
|
SSL_SESSION *session = SSL_get_session(ssl);
|
|
1940
1971
|
if (session == NULL) {
|
|
1941
1972
|
return 0;
|
|
@@ -2117,7 +2148,6 @@ int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
|
|
|
2117
2148
|
}
|
|
2118
2149
|
ssl->hostname.reset(OPENSSL_strdup(name));
|
|
2119
2150
|
if (ssl->hostname == nullptr) {
|
|
2120
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
|
2121
2151
|
return 0;
|
|
2122
2152
|
}
|
|
2123
2153
|
return 1;
|
|
@@ -2169,8 +2199,10 @@ found:
|
|
|
2169
2199
|
|
|
2170
2200
|
void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data,
|
|
2171
2201
|
unsigned *out_len) {
|
|
2202
|
+
// NPN protocols have one-byte lengths, so they must fit in |unsigned|.
|
|
2203
|
+
assert(ssl->s3->next_proto_negotiated.size() <= UINT_MAX);
|
|
2172
2204
|
*out_data = ssl->s3->next_proto_negotiated.data();
|
|
2173
|
-
*out_len = ssl->s3->next_proto_negotiated.size();
|
|
2205
|
+
*out_len = static_cast<unsigned>(ssl->s3->next_proto_negotiated.size());
|
|
2174
2206
|
}
|
|
2175
2207
|
|
|
2176
2208
|
void SSL_CTX_set_next_protos_advertised_cb(
|
|
@@ -2190,7 +2222,7 @@ void SSL_CTX_set_next_proto_select_cb(
|
|
|
2190
2222
|
}
|
|
2191
2223
|
|
|
2192
2224
|
int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
|
|
2193
|
-
|
|
2225
|
+
size_t protos_len) {
|
|
2194
2226
|
// Note this function's return value is backwards.
|
|
2195
2227
|
auto span = MakeConstSpan(protos, protos_len);
|
|
2196
2228
|
if (!span.empty() && !ssl_is_valid_alpn_list(span)) {
|
|
@@ -2200,7 +2232,7 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
|
|
|
2200
2232
|
return ctx->alpn_client_proto_list.CopyFrom(span) ? 0 : 1;
|
|
2201
2233
|
}
|
|
2202
2234
|
|
|
2203
|
-
int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos,
|
|
2235
|
+
int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, size_t protos_len) {
|
|
2204
2236
|
// Note this function's return value is backwards.
|
|
2205
2237
|
if (!ssl->config) {
|
|
2206
2238
|
return 1;
|
|
@@ -2224,13 +2256,16 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
|
|
|
2224
2256
|
|
|
2225
2257
|
void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data,
|
|
2226
2258
|
unsigned *out_len) {
|
|
2259
|
+
Span<const uint8_t> protocol;
|
|
2227
2260
|
if (SSL_in_early_data(ssl) && !ssl->server) {
|
|
2228
|
-
|
|
2229
|
-
*out_len = ssl->s3->hs->early_session->early_alpn.size();
|
|
2261
|
+
protocol = ssl->s3->hs->early_session->early_alpn;
|
|
2230
2262
|
} else {
|
|
2231
|
-
|
|
2232
|
-
*out_len = ssl->s3->alpn_selected.size();
|
|
2263
|
+
protocol = ssl->s3->alpn_selected;
|
|
2233
2264
|
}
|
|
2265
|
+
// ALPN protocols have one-byte lengths, so they must fit in |unsigned|.
|
|
2266
|
+
assert(protocol.size() < UINT_MAX);
|
|
2267
|
+
*out_data = protocol.data();
|
|
2268
|
+
*out_len = static_cast<unsigned>(protocol.size());
|
|
2234
2269
|
}
|
|
2235
2270
|
|
|
2236
2271
|
void SSL_CTX_set_allow_unknown_alpn_protos(SSL_CTX *ctx, int enabled) {
|
|
@@ -2562,7 +2597,13 @@ void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) {
|
|
|
2562
2597
|
return CRYPTO_get_ex_data(&ctx->ex_data, idx);
|
|
2563
2598
|
}
|
|
2564
2599
|
|
|
2565
|
-
int SSL_want(const SSL *ssl) {
|
|
2600
|
+
int SSL_want(const SSL *ssl) {
|
|
2601
|
+
// Historically, OpenSSL did not track |SSL_ERROR_ZERO_RETURN| as an |rwstate|
|
|
2602
|
+
// value. We do, but map it back to |SSL_ERROR_NONE| to preserve the original
|
|
2603
|
+
// behavior.
|
|
2604
|
+
return ssl->s3->rwstate == SSL_ERROR_ZERO_RETURN ? SSL_ERROR_NONE
|
|
2605
|
+
: ssl->s3->rwstate;
|
|
2606
|
+
}
|
|
2566
2607
|
|
|
2567
2608
|
void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
|
|
2568
2609
|
RSA *(*cb)(SSL *ssl, int is_export,
|
|
@@ -2765,6 +2806,10 @@ void SSL_set_enforce_rsa_key_usage(SSL *ssl, int enabled) {
|
|
|
2765
2806
|
ssl->config->enforce_rsa_key_usage = !!enabled;
|
|
2766
2807
|
}
|
|
2767
2808
|
|
|
2809
|
+
int SSL_was_key_usage_invalid(const SSL *ssl) {
|
|
2810
|
+
return ssl->s3->was_key_usage_invalid;
|
|
2811
|
+
}
|
|
2812
|
+
|
|
2768
2813
|
void SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode) {
|
|
2769
2814
|
ssl->renegotiate_mode = mode;
|
|
2770
2815
|
|
|
@@ -2786,35 +2831,25 @@ int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
|
|
|
2786
2831
|
return 1;
|
|
2787
2832
|
}
|
|
2788
2833
|
|
|
2789
|
-
static uint64_t be_to_u64(const uint8_t in[8]) {
|
|
2790
|
-
return (((uint64_t)in[0]) << 56) | (((uint64_t)in[1]) << 48) |
|
|
2791
|
-
(((uint64_t)in[2]) << 40) | (((uint64_t)in[3]) << 32) |
|
|
2792
|
-
(((uint64_t)in[4]) << 24) | (((uint64_t)in[5]) << 16) |
|
|
2793
|
-
(((uint64_t)in[6]) << 8) | ((uint64_t)in[7]);
|
|
2794
|
-
}
|
|
2795
|
-
|
|
2796
2834
|
uint64_t SSL_get_read_sequence(const SSL *ssl) {
|
|
2797
|
-
// TODO(davidben): Internally represent sequence numbers as uint64_t.
|
|
2798
2835
|
if (SSL_is_dtls(ssl)) {
|
|
2799
2836
|
// max_seq_num already includes the epoch.
|
|
2800
2837
|
assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48));
|
|
2801
2838
|
return ssl->d1->bitmap.max_seq_num;
|
|
2802
2839
|
}
|
|
2803
|
-
return
|
|
2840
|
+
return ssl->s3->read_sequence;
|
|
2804
2841
|
}
|
|
2805
2842
|
|
|
2806
2843
|
uint64_t SSL_get_write_sequence(const SSL *ssl) {
|
|
2807
|
-
uint64_t ret =
|
|
2844
|
+
uint64_t ret = ssl->s3->write_sequence;
|
|
2808
2845
|
if (SSL_is_dtls(ssl)) {
|
|
2809
2846
|
assert((ret >> 48) == 0);
|
|
2810
|
-
ret |=
|
|
2847
|
+
ret |= uint64_t{ssl->d1->w_epoch} << 48;
|
|
2811
2848
|
}
|
|
2812
2849
|
return ret;
|
|
2813
2850
|
}
|
|
2814
2851
|
|
|
2815
2852
|
uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) {
|
|
2816
|
-
// TODO(davidben): This checks the wrong session if there is a renegotiation
|
|
2817
|
-
// in progress.
|
|
2818
2853
|
SSL_SESSION *session = SSL_get_session(ssl);
|
|
2819
2854
|
if (session == NULL) {
|
|
2820
2855
|
return 0;
|
|
@@ -3025,6 +3060,15 @@ SSL_SESSION *SSL_process_tls13_new_session_ticket(SSL *ssl, const uint8_t *buf,
|
|
|
3025
3060
|
return session.release();
|
|
3026
3061
|
}
|
|
3027
3062
|
|
|
3063
|
+
int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) {
|
|
3064
|
+
num_tickets = std::min(num_tickets, kMaxTickets);
|
|
3065
|
+
static_assert(kMaxTickets <= 0xff, "Too many tickets.");
|
|
3066
|
+
ctx->num_tickets = static_cast<uint8_t>(num_tickets);
|
|
3067
|
+
return 1;
|
|
3068
|
+
}
|
|
3069
|
+
|
|
3070
|
+
size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx) { return ctx->num_tickets; }
|
|
3071
|
+
|
|
3028
3072
|
int SSL_set_tlsext_status_type(SSL *ssl, int type) {
|
|
3029
3073
|
if (!ssl->config) {
|
|
3030
3074
|
return 0;
|
|
@@ -3070,3 +3114,93 @@ int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) {
|
|
|
3070
3114
|
ctx->legacy_ocsp_callback_arg = arg;
|
|
3071
3115
|
return 1;
|
|
3072
3116
|
}
|
|
3117
|
+
|
|
3118
|
+
namespace fips202205 {
|
|
3119
|
+
|
|
3120
|
+
// (References are to SP 800-52r2):
|
|
3121
|
+
|
|
3122
|
+
// Section 3.4.2.2
|
|
3123
|
+
// "at least one of the NIST-approved curves, P-256 (secp256r1) and P384
|
|
3124
|
+
// (secp384r1), shall be supported as described in RFC 8422."
|
|
3125
|
+
//
|
|
3126
|
+
// Section 3.3.1
|
|
3127
|
+
// "The server shall be configured to only use cipher suites that are
|
|
3128
|
+
// composed entirely of NIST approved algorithms"
|
|
3129
|
+
static const int kCurves[] = {NID_X9_62_prime256v1, NID_secp384r1};
|
|
3130
|
+
|
|
3131
|
+
static const uint16_t kSigAlgs[] = {
|
|
3132
|
+
SSL_SIGN_RSA_PKCS1_SHA256,
|
|
3133
|
+
SSL_SIGN_RSA_PKCS1_SHA384,
|
|
3134
|
+
SSL_SIGN_RSA_PKCS1_SHA512,
|
|
3135
|
+
// Table 4.1:
|
|
3136
|
+
// "The curve should be P-256 or P-384"
|
|
3137
|
+
SSL_SIGN_ECDSA_SECP256R1_SHA256,
|
|
3138
|
+
SSL_SIGN_ECDSA_SECP384R1_SHA384,
|
|
3139
|
+
SSL_SIGN_RSA_PSS_RSAE_SHA256,
|
|
3140
|
+
SSL_SIGN_RSA_PSS_RSAE_SHA384,
|
|
3141
|
+
SSL_SIGN_RSA_PSS_RSAE_SHA512,
|
|
3142
|
+
};
|
|
3143
|
+
|
|
3144
|
+
static const char kTLS12Ciphers[] =
|
|
3145
|
+
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:"
|
|
3146
|
+
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:"
|
|
3147
|
+
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:"
|
|
3148
|
+
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
|
|
3149
|
+
|
|
3150
|
+
static int Configure(SSL_CTX *ctx) {
|
|
3151
|
+
ctx->only_fips_cipher_suites_in_tls13 = true;
|
|
3152
|
+
|
|
3153
|
+
return
|
|
3154
|
+
// Section 3.1:
|
|
3155
|
+
// "Servers that support government-only applications shall be
|
|
3156
|
+
// configured to use TLS 1.2 and should be configured to use TLS 1.3
|
|
3157
|
+
// as well. These servers should not be configured to use TLS 1.1 and
|
|
3158
|
+
// shall not use TLS 1.0, SSL 3.0, or SSL 2.0.
|
|
3159
|
+
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) &&
|
|
3160
|
+
SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) &&
|
|
3161
|
+
// Sections 3.3.1.1.1 and 3.3.1.1.2 are ambiguous about whether
|
|
3162
|
+
// HMAC-SHA-1 cipher suites are permitted with TLS 1.2. However, later the
|
|
3163
|
+
// Encrypt-then-MAC extension is required for all CBC cipher suites and so
|
|
3164
|
+
// it's easier to drop them.
|
|
3165
|
+
SSL_CTX_set_strict_cipher_list(ctx, kTLS12Ciphers) &&
|
|
3166
|
+
SSL_CTX_set1_curves(ctx, kCurves, OPENSSL_ARRAY_SIZE(kCurves)) &&
|
|
3167
|
+
SSL_CTX_set_signing_algorithm_prefs(ctx, kSigAlgs,
|
|
3168
|
+
OPENSSL_ARRAY_SIZE(kSigAlgs)) &&
|
|
3169
|
+
SSL_CTX_set_verify_algorithm_prefs(ctx, kSigAlgs,
|
|
3170
|
+
OPENSSL_ARRAY_SIZE(kSigAlgs));
|
|
3171
|
+
}
|
|
3172
|
+
|
|
3173
|
+
static int Configure(SSL *ssl) {
|
|
3174
|
+
ssl->config->only_fips_cipher_suites_in_tls13 = true;
|
|
3175
|
+
|
|
3176
|
+
// See |Configure(SSL_CTX)|, above, for reasoning.
|
|
3177
|
+
return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) &&
|
|
3178
|
+
SSL_set_max_proto_version(ssl, TLS1_3_VERSION) &&
|
|
3179
|
+
SSL_set_strict_cipher_list(ssl, kTLS12Ciphers) &&
|
|
3180
|
+
SSL_set1_curves(ssl, kCurves, OPENSSL_ARRAY_SIZE(kCurves)) &&
|
|
3181
|
+
SSL_set_signing_algorithm_prefs(ssl, kSigAlgs,
|
|
3182
|
+
OPENSSL_ARRAY_SIZE(kSigAlgs)) &&
|
|
3183
|
+
SSL_set_verify_algorithm_prefs(ssl, kSigAlgs,
|
|
3184
|
+
OPENSSL_ARRAY_SIZE(kSigAlgs));
|
|
3185
|
+
}
|
|
3186
|
+
|
|
3187
|
+
} // namespace fips202205
|
|
3188
|
+
|
|
3189
|
+
int SSL_CTX_set_compliance_policy(SSL_CTX *ctx,
|
|
3190
|
+
enum ssl_compliance_policy_t policy) {
|
|
3191
|
+
switch (policy) {
|
|
3192
|
+
case ssl_compliance_policy_fips_202205:
|
|
3193
|
+
return fips202205::Configure(ctx);
|
|
3194
|
+
default:
|
|
3195
|
+
return 0;
|
|
3196
|
+
}
|
|
3197
|
+
}
|
|
3198
|
+
|
|
3199
|
+
int SSL_set_compliance_policy(SSL *ssl, enum ssl_compliance_policy_t policy) {
|
|
3200
|
+
switch (policy) {
|
|
3201
|
+
case ssl_compliance_policy_fips_202205:
|
|
3202
|
+
return fips202205::Configure(ssl);
|
|
3203
|
+
default:
|
|
3204
|
+
return 0;
|
|
3205
|
+
}
|
|
3206
|
+
}
|
|
@@ -77,7 +77,7 @@ bool ssl_is_key_type_supported(int key_type) {
|
|
|
77
77
|
}
|
|
78
78
|
|
|
79
79
|
static bool ssl_set_pkey(CERT *cert, EVP_PKEY *pkey) {
|
|
80
|
-
if (!ssl_is_key_type_supported(pkey
|
|
80
|
+
if (!ssl_is_key_type_supported(EVP_PKEY_id(pkey))) {
|
|
81
81
|
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
|
|
82
82
|
return false;
|
|
83
83
|
}
|
|
@@ -151,6 +151,20 @@ static bool pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
|
|
151
151
|
return false;
|
|
152
152
|
}
|
|
153
153
|
|
|
154
|
+
if (ssl_protocol_version(ssl) < TLS1_2_VERSION) {
|
|
155
|
+
// TLS 1.0 and 1.1 do not negotiate algorithms and always sign one of two
|
|
156
|
+
// hardcoded algorithms.
|
|
157
|
+
return sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||
|
|
158
|
+
sigalg == SSL_SIGN_ECDSA_SHA1;
|
|
159
|
+
}
|
|
160
|
+
|
|
161
|
+
// |SSL_SIGN_RSA_PKCS1_MD5_SHA1| is not a real SignatureScheme for TLS 1.2 and
|
|
162
|
+
// higher. It is an internal value we use to represent TLS 1.0/1.1's MD5/SHA1
|
|
163
|
+
// concatenation.
|
|
164
|
+
if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1) {
|
|
165
|
+
return false;
|
|
166
|
+
}
|
|
167
|
+
|
|
154
168
|
if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
|
|
155
169
|
// RSA keys may only be used with RSA-PSS.
|
|
156
170
|
if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss) {
|
|
@@ -201,6 +215,31 @@ enum ssl_private_key_result_t ssl_private_key_sign(
|
|
|
201
215
|
SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,
|
|
202
216
|
uint16_t sigalg, Span<const uint8_t> in) {
|
|
203
217
|
SSL *const ssl = hs->ssl;
|
|
218
|
+
SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
|
|
219
|
+
Array<uint8_t> spki;
|
|
220
|
+
if (hints) {
|
|
221
|
+
ScopedCBB spki_cbb;
|
|
222
|
+
if (!CBB_init(spki_cbb.get(), 64) ||
|
|
223
|
+
!EVP_marshal_public_key(spki_cbb.get(), hs->local_pubkey.get()) ||
|
|
224
|
+
!CBBFinishArray(spki_cbb.get(), &spki)) {
|
|
225
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
|
226
|
+
return ssl_private_key_failure;
|
|
227
|
+
}
|
|
228
|
+
}
|
|
229
|
+
|
|
230
|
+
// Replay the signature from handshake hints if available.
|
|
231
|
+
if (hints && !hs->hints_requested && //
|
|
232
|
+
sigalg == hints->signature_algorithm && //
|
|
233
|
+
in == hints->signature_input &&
|
|
234
|
+
MakeConstSpan(spki) == hints->signature_spki &&
|
|
235
|
+
!hints->signature.empty() && //
|
|
236
|
+
hints->signature.size() <= max_out) {
|
|
237
|
+
// Signature algorithm and input both match. Reuse the signature from hints.
|
|
238
|
+
*out_len = hints->signature.size();
|
|
239
|
+
OPENSSL_memcpy(out, hints->signature.data(), hints->signature.size());
|
|
240
|
+
return ssl_private_key_success;
|
|
241
|
+
}
|
|
242
|
+
|
|
204
243
|
const SSL_PRIVATE_KEY_METHOD *key_method = hs->config->cert->key_method;
|
|
205
244
|
EVP_PKEY *privatekey = hs->config->cert->privatekey.get();
|
|
206
245
|
assert(!hs->can_release_private_key);
|
|
@@ -214,21 +253,33 @@ enum ssl_private_key_result_t ssl_private_key_sign(
|
|
|
214
253
|
if (hs->pending_private_key_op) {
|
|
215
254
|
ret = key_method->complete(ssl, out, out_len, max_out);
|
|
216
255
|
} else {
|
|
217
|
-
ret = key_method->sign(ssl, out, out_len, max_out,
|
|
218
|
-
|
|
256
|
+
ret = key_method->sign(ssl, out, out_len, max_out, sigalg, in.data(),
|
|
257
|
+
in.size());
|
|
219
258
|
}
|
|
220
259
|
if (ret == ssl_private_key_failure) {
|
|
221
260
|
OPENSSL_PUT_ERROR(SSL, SSL_R_PRIVATE_KEY_OPERATION_FAILED);
|
|
222
261
|
}
|
|
223
262
|
hs->pending_private_key_op = ret == ssl_private_key_retry;
|
|
224
|
-
|
|
263
|
+
if (ret != ssl_private_key_success) {
|
|
264
|
+
return ret;
|
|
265
|
+
}
|
|
266
|
+
} else {
|
|
267
|
+
*out_len = max_out;
|
|
268
|
+
ScopedEVP_MD_CTX ctx;
|
|
269
|
+
if (!setup_ctx(ssl, ctx.get(), privatekey, sigalg, false /* sign */) ||
|
|
270
|
+
!EVP_DigestSign(ctx.get(), out, out_len, in.data(), in.size())) {
|
|
271
|
+
return ssl_private_key_failure;
|
|
272
|
+
}
|
|
225
273
|
}
|
|
226
274
|
|
|
227
|
-
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
|
|
231
|
-
|
|
275
|
+
// Save the hint if applicable.
|
|
276
|
+
if (hints && hs->hints_requested) {
|
|
277
|
+
hints->signature_algorithm = sigalg;
|
|
278
|
+
hints->signature_spki = std::move(spki);
|
|
279
|
+
if (!hints->signature_input.CopyFrom(in) ||
|
|
280
|
+
!hints->signature.CopyFrom(MakeConstSpan(out, *out_len))) {
|
|
281
|
+
return ssl_private_key_failure;
|
|
282
|
+
}
|
|
232
283
|
}
|
|
233
284
|
return ssl_private_key_success;
|
|
234
285
|
}
|
|
@@ -494,9 +545,83 @@ int SSL_is_signature_algorithm_rsa_pss(uint16_t sigalg) {
|
|
|
494
545
|
return alg != nullptr && alg->is_rsa_pss;
|
|
495
546
|
}
|
|
496
547
|
|
|
548
|
+
static int compare_uint16_t(const void *p1, const void *p2) {
|
|
549
|
+
uint16_t u1 = *((const uint16_t *)p1);
|
|
550
|
+
uint16_t u2 = *((const uint16_t *)p2);
|
|
551
|
+
if (u1 < u2) {
|
|
552
|
+
return -1;
|
|
553
|
+
} else if (u1 > u2) {
|
|
554
|
+
return 1;
|
|
555
|
+
} else {
|
|
556
|
+
return 0;
|
|
557
|
+
}
|
|
558
|
+
}
|
|
559
|
+
|
|
560
|
+
static bool sigalgs_unique(Span<const uint16_t> in_sigalgs) {
|
|
561
|
+
if (in_sigalgs.size() < 2) {
|
|
562
|
+
return true;
|
|
563
|
+
}
|
|
564
|
+
|
|
565
|
+
Array<uint16_t> sigalgs;
|
|
566
|
+
if (!sigalgs.CopyFrom(in_sigalgs)) {
|
|
567
|
+
return false;
|
|
568
|
+
}
|
|
569
|
+
|
|
570
|
+
qsort(sigalgs.data(), sigalgs.size(), sizeof(uint16_t), compare_uint16_t);
|
|
571
|
+
|
|
572
|
+
for (size_t i = 1; i < sigalgs.size(); i++) {
|
|
573
|
+
if (sigalgs[i - 1] == sigalgs[i]) {
|
|
574
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_SIGNATURE_ALGORITHM);
|
|
575
|
+
return false;
|
|
576
|
+
}
|
|
577
|
+
}
|
|
578
|
+
|
|
579
|
+
return true;
|
|
580
|
+
}
|
|
581
|
+
|
|
582
|
+
static bool set_sigalg_prefs(Array<uint16_t> *out, Span<const uint16_t> prefs) {
|
|
583
|
+
if (!sigalgs_unique(prefs)) {
|
|
584
|
+
return false;
|
|
585
|
+
}
|
|
586
|
+
|
|
587
|
+
// Check for invalid algorithms, and filter out |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.
|
|
588
|
+
Array<uint16_t> filtered;
|
|
589
|
+
if (!filtered.Init(prefs.size())) {
|
|
590
|
+
return false;
|
|
591
|
+
}
|
|
592
|
+
size_t added = 0;
|
|
593
|
+
for (uint16_t pref : prefs) {
|
|
594
|
+
if (pref == SSL_SIGN_RSA_PKCS1_MD5_SHA1) {
|
|
595
|
+
// Though not intended to be used with this API, we treat
|
|
596
|
+
// |SSL_SIGN_RSA_PKCS1_MD5_SHA1| as a real signature algorithm in
|
|
597
|
+
// |SSL_PRIVATE_KEY_METHOD|. Not accepting it here makes for a confusing
|
|
598
|
+
// abstraction.
|
|
599
|
+
continue;
|
|
600
|
+
}
|
|
601
|
+
if (get_signature_algorithm(pref) == nullptr) {
|
|
602
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
|
|
603
|
+
return false;
|
|
604
|
+
}
|
|
605
|
+
filtered[added] = pref;
|
|
606
|
+
added++;
|
|
607
|
+
}
|
|
608
|
+
filtered.Shrink(added);
|
|
609
|
+
|
|
610
|
+
// This can happen if |prefs| contained only |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.
|
|
611
|
+
// Leaving it empty would revert to the default, so treat this as an error
|
|
612
|
+
// condition.
|
|
613
|
+
if (!prefs.empty() && filtered.empty()) {
|
|
614
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
|
|
615
|
+
return false;
|
|
616
|
+
}
|
|
617
|
+
|
|
618
|
+
*out = std::move(filtered);
|
|
619
|
+
return true;
|
|
620
|
+
}
|
|
621
|
+
|
|
497
622
|
int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,
|
|
498
623
|
size_t num_prefs) {
|
|
499
|
-
return ctx->cert->sigalgs
|
|
624
|
+
return set_sigalg_prefs(&ctx->cert->sigalgs, MakeConstSpan(prefs, num_prefs));
|
|
500
625
|
}
|
|
501
626
|
|
|
502
627
|
int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
|
|
@@ -504,7 +629,8 @@ int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
|
|
|
504
629
|
if (!ssl->config) {
|
|
505
630
|
return 0;
|
|
506
631
|
}
|
|
507
|
-
return ssl->config->cert->sigalgs
|
|
632
|
+
return set_sigalg_prefs(&ssl->config->cert->sigalgs,
|
|
633
|
+
MakeConstSpan(prefs, num_prefs));
|
|
508
634
|
}
|
|
509
635
|
|
|
510
636
|
static constexpr struct {
|
|
@@ -560,50 +686,16 @@ static bool parse_sigalg_pairs(Array<uint16_t> *out, const int *values,
|
|
|
560
686
|
return true;
|
|
561
687
|
}
|
|
562
688
|
|
|
563
|
-
static int compare_uint16_t(const void *p1, const void *p2) {
|
|
564
|
-
uint16_t u1 = *((const uint16_t *)p1);
|
|
565
|
-
uint16_t u2 = *((const uint16_t *)p2);
|
|
566
|
-
if (u1 < u2) {
|
|
567
|
-
return -1;
|
|
568
|
-
} else if (u1 > u2) {
|
|
569
|
-
return 1;
|
|
570
|
-
} else {
|
|
571
|
-
return 0;
|
|
572
|
-
}
|
|
573
|
-
}
|
|
574
|
-
|
|
575
|
-
static bool sigalgs_unique(Span<const uint16_t> in_sigalgs) {
|
|
576
|
-
if (in_sigalgs.size() < 2) {
|
|
577
|
-
return true;
|
|
578
|
-
}
|
|
579
|
-
|
|
580
|
-
Array<uint16_t> sigalgs;
|
|
581
|
-
if (!sigalgs.CopyFrom(in_sigalgs)) {
|
|
582
|
-
return false;
|
|
583
|
-
}
|
|
584
|
-
|
|
585
|
-
qsort(sigalgs.data(), sigalgs.size(), sizeof(uint16_t), compare_uint16_t);
|
|
586
|
-
|
|
587
|
-
for (size_t i = 1; i < sigalgs.size(); i++) {
|
|
588
|
-
if (sigalgs[i - 1] == sigalgs[i]) {
|
|
589
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_SIGNATURE_ALGORITHM);
|
|
590
|
-
return false;
|
|
591
|
-
}
|
|
592
|
-
}
|
|
593
|
-
|
|
594
|
-
return true;
|
|
595
|
-
}
|
|
596
|
-
|
|
597
689
|
int SSL_CTX_set1_sigalgs(SSL_CTX *ctx, const int *values, size_t num_values) {
|
|
598
690
|
Array<uint16_t> sigalgs;
|
|
599
|
-
if (!parse_sigalg_pairs(&sigalgs, values, num_values)
|
|
600
|
-
!sigalgs_unique(sigalgs)) {
|
|
691
|
+
if (!parse_sigalg_pairs(&sigalgs, values, num_values)) {
|
|
601
692
|
return 0;
|
|
602
693
|
}
|
|
603
694
|
|
|
604
695
|
if (!SSL_CTX_set_signing_algorithm_prefs(ctx, sigalgs.data(),
|
|
605
696
|
sigalgs.size()) ||
|
|
606
|
-
!ctx
|
|
697
|
+
!SSL_CTX_set_verify_algorithm_prefs(ctx, sigalgs.data(),
|
|
698
|
+
sigalgs.size())) {
|
|
607
699
|
return 0;
|
|
608
700
|
}
|
|
609
701
|
|
|
@@ -617,13 +709,12 @@ int SSL_set1_sigalgs(SSL *ssl, const int *values, size_t num_values) {
|
|
|
617
709
|
}
|
|
618
710
|
|
|
619
711
|
Array<uint16_t> sigalgs;
|
|
620
|
-
if (!parse_sigalg_pairs(&sigalgs, values, num_values)
|
|
621
|
-
!sigalgs_unique(sigalgs)) {
|
|
712
|
+
if (!parse_sigalg_pairs(&sigalgs, values, num_values)) {
|
|
622
713
|
return 0;
|
|
623
714
|
}
|
|
624
715
|
|
|
625
716
|
if (!SSL_set_signing_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size()) ||
|
|
626
|
-
!ssl
|
|
717
|
+
!SSL_set_verify_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size())) {
|
|
627
718
|
return 0;
|
|
628
719
|
}
|
|
629
720
|
|
|
@@ -663,7 +754,7 @@ static bool parse_sigalgs_list(Array<uint16_t> *out, const char *str) {
|
|
|
663
754
|
|
|
664
755
|
// Note that the loop runs to len+1, i.e. it'll process the terminating NUL.
|
|
665
756
|
for (size_t offset = 0; offset < len+1; offset++) {
|
|
666
|
-
const char c = str[offset];
|
|
757
|
+
const unsigned char c = str[offset];
|
|
667
758
|
|
|
668
759
|
switch (c) {
|
|
669
760
|
case '+':
|
|
@@ -768,8 +859,7 @@ static bool parse_sigalgs_list(Array<uint16_t> *out, const char *str) {
|
|
|
768
859
|
return false;
|
|
769
860
|
}
|
|
770
861
|
|
|
771
|
-
if ((c
|
|
772
|
-
(c >= 'A' && c <= 'Z') || c == '-' || c == '_') {
|
|
862
|
+
if (OPENSSL_isalnum(c) || c == '-' || c == '_') {
|
|
773
863
|
buf[buf_used++] = c;
|
|
774
864
|
} else {
|
|
775
865
|
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
|
|
@@ -786,8 +876,7 @@ static bool parse_sigalgs_list(Array<uint16_t> *out, const char *str) {
|
|
|
786
876
|
|
|
787
877
|
int SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str) {
|
|
788
878
|
Array<uint16_t> sigalgs;
|
|
789
|
-
if (!parse_sigalgs_list(&sigalgs, str)
|
|
790
|
-
!sigalgs_unique(sigalgs)) {
|
|
879
|
+
if (!parse_sigalgs_list(&sigalgs, str)) {
|
|
791
880
|
return 0;
|
|
792
881
|
}
|
|
793
882
|
|
|
@@ -808,8 +897,7 @@ int SSL_set1_sigalgs_list(SSL *ssl, const char *str) {
|
|
|
808
897
|
}
|
|
809
898
|
|
|
810
899
|
Array<uint16_t> sigalgs;
|
|
811
|
-
if (!parse_sigalgs_list(&sigalgs, str)
|
|
812
|
-
!sigalgs_unique(sigalgs)) {
|
|
900
|
+
if (!parse_sigalgs_list(&sigalgs, str)) {
|
|
813
901
|
return 0;
|
|
814
902
|
}
|
|
815
903
|
|
|
@@ -823,7 +911,8 @@ int SSL_set1_sigalgs_list(SSL *ssl, const char *str) {
|
|
|
823
911
|
|
|
824
912
|
int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,
|
|
825
913
|
size_t num_prefs) {
|
|
826
|
-
return ctx->verify_sigalgs
|
|
914
|
+
return set_sigalg_prefs(&ctx->verify_sigalgs,
|
|
915
|
+
MakeConstSpan(prefs, num_prefs));
|
|
827
916
|
}
|
|
828
917
|
|
|
829
918
|
int SSL_set_verify_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
|
|
@@ -833,5 +922,6 @@ int SSL_set_verify_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
|
|
|
833
922
|
return 0;
|
|
834
923
|
}
|
|
835
924
|
|
|
836
|
-
return ssl->config->verify_sigalgs
|
|
925
|
+
return set_sigalg_prefs(&ssl->config->verify_sigalgs,
|
|
926
|
+
MakeConstSpan(prefs, num_prefs));
|
|
837
927
|
}
|