grpc 1.9.1 → 1.10.0.pre1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +2654 -953
- data/etc/roots.pem +282 -683
- data/include/grpc/compression.h +9 -26
- data/include/grpc/grpc.h +10 -24
- data/include/grpc/grpc_security.h +7 -1
- data/include/grpc/impl/codegen/compression_types.h +5 -62
- data/include/grpc/impl/codegen/grpc_types.h +10 -6
- data/include/grpc/module.modulemap +1 -10
- data/include/grpc/support/alloc.h +3 -2
- data/include/grpc/support/log.h +1 -2
- data/{src/core/lib/gpr/thd_internal.h → include/grpc/support/thd_id.h} +23 -9
- data/src/boringssl/err_data.c +550 -496
- data/src/core/ext/census/grpc_context.cc +2 -1
- data/src/core/ext/filters/client_channel/backup_poller.cc +5 -4
- data/src/core/ext/filters/client_channel/channel_connectivity.cc +7 -7
- data/src/core/ext/filters/client_channel/client_channel.cc +162 -172
- data/src/core/ext/filters/client_channel/client_channel_factory.cc +4 -2
- data/src/core/ext/filters/client_channel/client_channel_plugin.cc +10 -10
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +18 -14
- data/src/core/ext/filters/client_channel/http_proxy.cc +3 -1
- data/src/core/ext/filters/client_channel/lb_policy.cc +21 -105
- data/src/core/ext/filters/client_channel/lb_policy.h +166 -170
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +41 -36
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +1452 -1459
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +3 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.cc +7 -8
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.cc +27 -27
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +279 -304
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +358 -330
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.cc +30 -41
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +7 -14
- data/src/core/ext/filters/client_channel/lb_policy_factory.cc +8 -21
- data/src/core/ext/filters/client_channel/lb_policy_factory.h +23 -27
- data/src/core/ext/filters/client_channel/lb_policy_registry.cc +58 -33
- data/src/core/ext/filters/client_channel/lb_policy_registry.h +25 -12
- data/src/core/ext/filters/client_channel/parse_address.cc +10 -8
- data/src/core/ext/filters/client_channel/proxy_mapper_registry.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver.cc +6 -52
- data/src/core/ext/filters/client_channel/resolver.h +98 -55
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +266 -237
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +5 -5
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +31 -27
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +244 -207
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +161 -148
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +47 -31
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +126 -126
- data/src/core/ext/filters/client_channel/resolver_factory.h +33 -32
- data/src/core/ext/filters/client_channel/resolver_registry.cc +110 -90
- data/src/core/ext/filters/client_channel/resolver_registry.h +49 -36
- data/src/core/ext/filters/client_channel/retry_throttle.cc +29 -22
- data/src/core/ext/filters/client_channel/subchannel.cc +173 -173
- data/src/core/ext/filters/client_channel/subchannel.h +38 -45
- data/src/core/ext/filters/client_channel/subchannel_index.cc +44 -40
- data/src/core/ext/filters/client_channel/uri_parser.cc +3 -3
- data/src/core/ext/filters/deadline/deadline_filter.cc +27 -18
- data/src/core/ext/filters/http/client/http_client_filter.cc +26 -23
- data/src/core/ext/filters/http/http_filters_plugin.cc +3 -2
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +78 -110
- data/src/core/ext/filters/http/server/http_server_filter.cc +29 -26
- data/src/core/ext/filters/load_reporting/server_load_reporting_filter.cc +9 -11
- data/src/core/ext/filters/load_reporting/server_load_reporting_plugin.cc +2 -1
- data/src/core/ext/filters/max_age/max_age_filter.cc +14 -14
- data/src/core/ext/filters/message_size/message_size_filter.cc +20 -18
- data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +4 -4
- data/src/core/ext/filters/workarounds/workaround_utils.cc +4 -4
- data/src/core/ext/transport/chttp2/alpn/alpn.cc +2 -1
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +10 -10
- data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +4 -4
- data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +11 -12
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +16 -13
- data/src/core/ext/transport/chttp2/transport/bin_decoder.cc +36 -9
- data/src/core/ext/transport/chttp2/transport/bin_decoder.h +3 -0
- data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +17 -14
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +139 -145
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +16 -14
- data/src/core/ext/transport/chttp2/transport/flow_control.h +8 -7
- data/src/core/ext/transport/chttp2/transport/frame_data.cc +35 -33
- data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +27 -25
- data/src/core/ext/transport/chttp2/transport/frame_ping.cc +12 -12
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +16 -15
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +19 -19
- data/src/core/ext/transport/chttp2/transport/frame_window_update.cc +11 -11
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +23 -22
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +35 -35
- data/src/core/ext/transport/chttp2/transport/hpack_table.cc +10 -7
- data/src/core/ext/transport/chttp2/transport/http2_settings.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/incoming_metadata.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/internal.h +1 -1
- data/src/core/ext/transport/chttp2/transport/parsing.cc +35 -39
- data/src/core/ext/transport/chttp2/transport/stream_map.cc +8 -7
- data/src/core/ext/transport/chttp2/transport/varint.cc +5 -5
- data/src/core/ext/transport/chttp2/transport/writing.cc +18 -18
- data/src/core/ext/transport/inproc/inproc_transport.cc +43 -23
- data/src/core/lib/{gpr → avl}/avl.cc +61 -57
- data/{include/grpc/support → src/core/lib/avl}/avl.h +25 -35
- data/src/core/lib/backoff/backoff.cc +6 -5
- data/src/core/lib/channel/channel_args.cc +23 -109
- data/src/core/lib/channel/channel_args.h +5 -31
- data/src/core/lib/channel/channel_stack.cc +11 -8
- data/src/core/lib/channel/channel_stack_builder.cc +10 -7
- data/src/core/lib/channel/connected_channel.cc +18 -17
- data/src/core/lib/channel/handshaker.cc +8 -8
- data/src/core/lib/channel/handshaker_registry.cc +3 -2
- data/src/core/lib/compression/algorithm_metadata.h +13 -6
- data/src/core/lib/compression/compression.cc +72 -183
- data/src/core/lib/compression/compression_internal.cc +274 -0
- data/src/core/lib/compression/compression_internal.h +86 -0
- data/src/core/lib/compression/message_compress.cc +15 -15
- data/src/core/lib/compression/message_compress.h +4 -3
- data/src/core/lib/compression/stream_compression_gzip.cc +8 -8
- data/src/core/lib/compression/stream_compression_identity.cc +1 -1
- data/src/core/lib/debug/stats.cc +10 -8
- data/src/core/lib/debug/stats_data.cc +2 -1
- data/src/core/lib/debug/trace.cc +3 -3
- data/src/core/lib/gpr/alloc.cc +7 -11
- data/src/core/lib/gpr/arena.cc +34 -12
- data/src/core/lib/gpr/atm.cc +2 -1
- data/src/core/lib/gpr/cpu_linux.cc +3 -3
- data/src/core/lib/gpr/cpu_posix.cc +2 -1
- data/src/core/lib/gpr/env.h +1 -1
- data/src/core/lib/gpr/env_linux.cc +1 -1
- data/src/core/lib/gpr/env_windows.cc +4 -4
- data/src/core/lib/gpr/fork.cc +16 -2
- data/src/core/lib/gpr/host_port.cc +5 -4
- data/{include/grpc/support → src/core/lib/gpr}/host_port.h +5 -13
- data/src/core/lib/gpr/log.cc +5 -4
- data/src/core/lib/gpr/log_linux.cc +1 -1
- data/src/core/lib/gpr/mpscq.cc +1 -0
- data/src/core/lib/gpr/murmur_hash.cc +4 -4
- data/src/core/lib/gpr/string.cc +19 -16
- data/src/core/lib/gpr/string_posix.cc +3 -3
- data/src/core/lib/gpr/sync_posix.cc +5 -9
- data/src/core/lib/gpr/thd.cc +3 -3
- data/{include/grpc/support → src/core/lib/gpr}/thd.h +20 -28
- data/src/core/lib/gpr/thd_posix.cc +6 -4
- data/src/core/lib/gpr/thd_windows.cc +3 -1
- data/src/core/lib/gpr/time.cc +6 -4
- data/src/core/lib/gpr/time_posix.cc +2 -2
- data/{include/grpc/support → src/core/lib/gpr}/tls.h +6 -6
- data/{include/grpc/support → src/core/lib/gpr}/tls_gcc.h +3 -3
- data/{include/grpc/support → src/core/lib/gpr}/tls_msvc.h +3 -3
- data/src/core/lib/gpr/tls_pthread.cc +1 -1
- data/{include/grpc/support → src/core/lib/gpr}/tls_pthread.h +3 -3
- data/{include/grpc/support → src/core/lib/gpr}/useful.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/abstract.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/atomic.h +5 -5
- data/src/core/lib/{gpr++ → gprpp}/atomic_with_atm.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/atomic_with_std.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/debug_location.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/inlined_vector.h +44 -22
- data/src/core/lib/{gpr++ → gprpp}/manual_constructor.h +2 -2
- data/src/core/lib/{gpr++ → gprpp}/memory.h +14 -5
- data/src/core/lib/{gpr++ → gprpp}/orphanable.h +39 -14
- data/src/core/lib/{gpr++ → gprpp}/ref_counted.h +42 -10
- data/src/core/lib/{gpr++ → gprpp}/ref_counted_ptr.h +18 -8
- data/src/core/lib/http/format_request.cc +3 -3
- data/src/core/lib/http/httpcli.cc +6 -7
- data/src/core/lib/http/httpcli_security_connector.cc +10 -10
- data/src/core/lib/http/parser.cc +16 -12
- data/src/core/lib/iomgr/call_combiner.cc +12 -13
- data/src/core/lib/iomgr/closure.h +4 -6
- data/src/core/lib/iomgr/combiner.cc +10 -21
- data/src/core/lib/iomgr/error.cc +50 -55
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +41 -52
- data/src/core/lib/iomgr/ev_epollex_linux.cc +80 -28
- data/src/core/lib/iomgr/ev_epollsig_linux.cc +23 -30
- data/src/core/lib/iomgr/ev_poll_posix.cc +52 -46
- data/src/core/lib/iomgr/ev_posix.cc +47 -6
- data/src/core/lib/iomgr/exec_ctx.cc +10 -10
- data/src/core/lib/iomgr/exec_ctx.h +1 -1
- data/src/core/lib/iomgr/executor.cc +16 -13
- data/src/core/lib/iomgr/fork_posix.cc +1 -3
- data/src/core/lib/iomgr/gethostname_host_name_max.cc +1 -1
- data/src/core/lib/iomgr/iocp_windows.cc +1 -2
- data/src/core/lib/iomgr/iomgr.cc +2 -2
- data/src/core/lib/iomgr/iomgr_uv.cc +2 -0
- data/src/core/lib/iomgr/iomgr_uv.h +1 -1
- data/src/core/lib/iomgr/is_epollexclusive_available.cc +5 -4
- data/src/core/lib/iomgr/load_file.cc +3 -3
- data/src/core/lib/iomgr/pollset_windows.cc +1 -1
- data/src/core/lib/iomgr/resolve_address_posix.cc +10 -9
- data/src/core/lib/iomgr/resolve_address_uv.cc +2 -2
- data/src/core/lib/iomgr/resolve_address_windows.cc +3 -2
- data/src/core/lib/iomgr/resource_quota.cc +36 -34
- data/src/core/lib/iomgr/sockaddr_utils.cc +39 -23
- data/src/core/lib/iomgr/socket_factory_posix.cc +5 -5
- data/src/core/lib/iomgr/socket_mutator.cc +7 -7
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +7 -4
- data/src/core/lib/iomgr/socket_utils_linux.cc +3 -2
- data/src/core/lib/iomgr/tcp_client_posix.cc +7 -6
- data/src/core/lib/iomgr/tcp_client_windows.cc +0 -1
- data/src/core/lib/iomgr/tcp_posix.cc +47 -55
- data/src/core/lib/iomgr/tcp_server_posix.cc +12 -10
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +7 -5
- data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +4 -3
- data/src/core/lib/iomgr/tcp_windows.cc +1 -1
- data/src/core/lib/iomgr/timer_generic.cc +16 -14
- data/src/core/lib/iomgr/timer_heap.cc +8 -7
- data/src/core/lib/iomgr/timer_manager.cc +4 -3
- data/src/core/lib/iomgr/udp_server.cc +24 -16
- data/src/core/lib/iomgr/unix_sockets_posix.cc +15 -10
- data/src/core/lib/iomgr/wakeup_fd_cv.cc +6 -5
- data/src/core/lib/iomgr/wakeup_fd_eventfd.cc +1 -2
- data/src/core/lib/json/json.cc +1 -1
- data/src/core/lib/json/json_reader.cc +8 -6
- data/src/core/lib/json/json_string.cc +19 -18
- data/src/core/lib/json/json_writer.cc +10 -8
- data/src/core/lib/profiling/basic_timers.cc +1 -1
- data/src/core/lib/profiling/timers.h +3 -20
- data/src/core/lib/security/context/security_context.cc +16 -14
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +17 -14
- data/src/core/lib/security/credentials/credentials.cc +9 -8
- data/src/core/lib/security/credentials/credentials.h +1 -1
- data/src/core/lib/security/credentials/credentials_metadata.cc +2 -2
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +12 -13
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +7 -4
- data/src/core/lib/security/credentials/iam/iam_credentials.cc +5 -3
- data/src/core/lib/security/credentials/jwt/json_token.cc +4 -3
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +7 -7
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +21 -18
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +23 -18
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +11 -7
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +22 -21
- data/src/core/lib/security/{transport → security_connector}/security_connector.cc +46 -43
- data/src/core/lib/security/{transport → security_connector}/security_connector.h +3 -3
- data/src/core/lib/security/transport/client_auth_filter.cc +32 -34
- data/src/core/lib/security/transport/lb_targets_info.cc +7 -5
- data/src/core/lib/security/transport/secure_endpoint.cc +21 -21
- data/src/core/lib/security/transport/security_handshaker.cc +19 -18
- data/src/core/lib/security/transport/security_handshaker.h +1 -1
- data/src/core/lib/security/transport/server_auth_filter.cc +21 -21
- data/src/core/lib/slice/b64.cc +19 -16
- data/src/core/lib/slice/percent_encoding.cc +5 -5
- data/src/core/lib/slice/slice.cc +35 -33
- data/src/core/lib/slice/slice_buffer.cc +16 -14
- data/src/core/lib/slice/slice_hash_table.cc +3 -2
- data/src/core/lib/slice/slice_intern.cc +21 -25
- data/src/core/lib/slice/slice_string_helpers.cc +45 -9
- data/src/core/lib/slice/slice_string_helpers.h +6 -0
- data/src/core/lib/surface/byte_buffer.cc +2 -2
- data/src/core/lib/surface/byte_buffer_reader.cc +6 -3
- data/src/core/lib/surface/call.cc +171 -260
- data/src/core/lib/surface/call_test_only.h +1 -13
- data/src/core/lib/surface/channel.cc +20 -43
- data/src/core/lib/surface/channel_init.cc +7 -7
- data/src/core/lib/surface/channel_ping.cc +2 -2
- data/src/core/lib/surface/completion_queue.cc +69 -75
- data/src/core/lib/surface/init.cc +4 -5
- data/src/core/lib/surface/init_secure.cc +1 -1
- data/src/core/lib/surface/lame_client.cc +1 -1
- data/src/core/lib/surface/server.cc +64 -59
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/bdp_estimator.cc +6 -5
- data/src/core/lib/transport/byte_stream.cc +23 -14
- data/src/core/lib/transport/byte_stream.h +1 -1
- data/src/core/lib/transport/connectivity_state.cc +9 -13
- data/src/core/lib/transport/error_utils.cc +10 -7
- data/src/core/lib/transport/metadata.cc +27 -26
- data/src/core/lib/transport/metadata.h +1 -1
- data/src/core/lib/transport/pid_controller.cc +2 -1
- data/src/core/lib/transport/service_config.cc +5 -5
- data/src/core/lib/transport/static_metadata.cc +225 -222
- data/src/core/lib/transport/static_metadata.h +77 -76
- data/src/core/lib/transport/timeout_encoding.cc +3 -2
- data/src/core/lib/transport/transport.cc +6 -5
- data/src/core/lib/transport/transport_op_string.cc +0 -1
- data/src/core/plugin_registry/grpc_plugin_registry.cc +4 -4
- data/src/core/tsi/alts_transport_security.cc +61 -0
- data/src/core/tsi/{gts_transport_security.h → alts_transport_security.h} +16 -8
- data/src/core/tsi/fake_transport_security.cc +59 -43
- data/src/core/tsi/ssl_transport_security.cc +122 -107
- data/src/core/tsi/transport_security.cc +3 -3
- data/src/core/tsi/transport_security_adapter.cc +16 -10
- data/src/ruby/bin/apis/pubsub_demo.rb +1 -1
- data/src/ruby/ext/grpc/rb_channel.c +3 -4
- data/src/ruby/ext/grpc/rb_compression_options.c +13 -3
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +4 -76
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +8 -120
- data/src/ruby/ext/grpc/rb_server.c +52 -28
- data/src/ruby/lib/grpc/generic/rpc_server.rb +7 -4
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/test/client.rb +1 -1
- data/src/ruby/pb/test/server.rb +1 -1
- data/src/ruby/spec/client_server_spec.rb +4 -2
- data/src/ruby/spec/generic/active_call_spec.rb +2 -1
- data/src/ruby/spec/generic/client_stub_spec.rb +32 -8
- data/src/ruby/spec/server_spec.rb +26 -7
- data/third_party/boringssl/crypto/asn1/a_bitstr.c +7 -2
- data/third_party/boringssl/crypto/asn1/a_d2i_fp.c +15 -0
- data/third_party/boringssl/crypto/asn1/a_gentm.c +1 -1
- data/third_party/boringssl/crypto/asn1/a_print.c +0 -28
- data/third_party/boringssl/crypto/asn1/a_strnid.c +3 -0
- data/third_party/boringssl/crypto/asn1/a_time.c +17 -9
- data/third_party/boringssl/crypto/asn1/a_utctm.c +1 -1
- data/third_party/boringssl/crypto/asn1/asn1_lib.c +5 -49
- data/third_party/boringssl/crypto/asn1/asn1_locl.h +1 -1
- data/third_party/boringssl/crypto/asn1/tasn_dec.c +9 -9
- data/third_party/boringssl/crypto/asn1/tasn_enc.c +0 -6
- data/third_party/boringssl/crypto/asn1/time_support.c +5 -5
- data/third_party/boringssl/crypto/base64/base64.c +65 -43
- data/third_party/boringssl/crypto/bio/bio.c +134 -110
- data/third_party/boringssl/crypto/bio/bio_mem.c +9 -9
- data/third_party/boringssl/crypto/bio/connect.c +17 -17
- data/third_party/boringssl/crypto/bio/fd.c +2 -1
- data/third_party/boringssl/crypto/bio/file.c +14 -14
- data/third_party/boringssl/crypto/bio/hexdump.c +15 -16
- data/third_party/boringssl/crypto/bio/internal.h +14 -14
- data/third_party/boringssl/crypto/bio/pair.c +45 -45
- data/third_party/boringssl/crypto/bio/printf.c +6 -10
- data/third_party/boringssl/crypto/{bn → bn_extra}/bn_asn1.c +9 -9
- data/third_party/boringssl/crypto/{bn → bn_extra}/convert.c +18 -223
- data/third_party/boringssl/crypto/buf/buf.c +20 -44
- data/third_party/boringssl/crypto/bytestring/ber.c +35 -35
- data/third_party/boringssl/crypto/bytestring/cbb.c +24 -24
- data/third_party/boringssl/crypto/bytestring/cbs.c +33 -37
- data/third_party/boringssl/crypto/bytestring/internal.h +38 -38
- data/third_party/boringssl/crypto/chacha/chacha.c +7 -7
- data/third_party/boringssl/crypto/{asn1/t_bitst.c → cipher_extra/cipher_extra.c} +49 -38
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/derive_key.c +0 -2
- data/third_party/boringssl/crypto/cipher_extra/e_aesctrhmac.c +281 -0
- data/third_party/boringssl/crypto/cipher_extra/e_aesgcmsiv.c +867 -0
- data/third_party/boringssl/crypto/cipher_extra/e_chacha20poly1305.c +326 -0
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_null.c +0 -1
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_rc2.c +22 -10
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_rc4.c +0 -0
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_ssl3.c +120 -64
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_tls.c +220 -141
- data/third_party/boringssl/crypto/{asn1/x_bignum.c → cipher_extra/internal.h} +61 -86
- data/third_party/boringssl/crypto/cipher_extra/tls_cbc.c +482 -0
- data/third_party/boringssl/crypto/cmac/cmac.c +20 -20
- data/third_party/boringssl/crypto/conf/conf.c +32 -20
- data/third_party/boringssl/crypto/conf/internal.h +3 -3
- data/third_party/boringssl/crypto/cpu-aarch64-linux.c +5 -5
- data/third_party/boringssl/crypto/cpu-arm-linux.c +44 -41
- data/third_party/boringssl/crypto/cpu-intel.c +68 -43
- data/third_party/boringssl/crypto/cpu-ppc64le.c +5 -7
- data/third_party/boringssl/crypto/crypto.c +54 -32
- data/third_party/boringssl/crypto/curve25519/curve25519.c +269 -269
- data/third_party/boringssl/crypto/curve25519/internal.h +28 -8
- data/third_party/boringssl/crypto/curve25519/spake25519.c +180 -106
- data/third_party/boringssl/crypto/curve25519/x25519-x86_64.c +9 -9
- data/third_party/boringssl/crypto/dh/check.c +33 -34
- data/third_party/boringssl/crypto/dh/dh.c +72 -36
- data/third_party/boringssl/crypto/dh/dh_asn1.c +1 -1
- data/third_party/boringssl/crypto/dh/params.c +1 -161
- data/third_party/boringssl/crypto/digest_extra/digest_extra.c +240 -0
- data/third_party/boringssl/crypto/dsa/dsa.c +127 -87
- data/third_party/boringssl/crypto/dsa/dsa_asn1.c +1 -1
- data/third_party/boringssl/crypto/{ec → ec_extra}/ec_asn1.c +83 -70
- data/third_party/boringssl/crypto/ecdh/ecdh.c +1 -1
- data/third_party/boringssl/crypto/{ecdsa → ecdsa_extra}/ecdsa_asn1.c +86 -31
- data/third_party/boringssl/crypto/engine/engine.c +6 -6
- data/third_party/boringssl/crypto/err/err.c +197 -106
- data/third_party/boringssl/crypto/err/internal.h +58 -0
- data/third_party/boringssl/crypto/evp/digestsign.c +86 -14
- data/third_party/boringssl/crypto/evp/evp.c +6 -11
- data/third_party/boringssl/crypto/evp/evp_asn1.c +17 -17
- data/third_party/boringssl/crypto/evp/evp_ctx.c +15 -11
- data/third_party/boringssl/crypto/evp/internal.h +66 -51
- data/third_party/boringssl/crypto/evp/p_dsa_asn1.c +11 -11
- data/third_party/boringssl/crypto/evp/p_ec.c +10 -8
- data/third_party/boringssl/crypto/evp/p_ec_asn1.c +11 -12
- data/third_party/boringssl/crypto/evp/p_ed25519.c +71 -0
- data/third_party/boringssl/crypto/evp/p_ed25519_asn1.c +190 -0
- data/third_party/boringssl/crypto/evp/p_rsa.c +50 -95
- data/third_party/boringssl/crypto/evp/p_rsa_asn1.c +28 -18
- data/third_party/boringssl/crypto/evp/pbkdf.c +49 -56
- data/third_party/boringssl/crypto/evp/print.c +5 -36
- data/third_party/boringssl/crypto/evp/scrypt.c +209 -0
- data/third_party/boringssl/crypto/ex_data.c +15 -45
- data/third_party/boringssl/crypto/fipsmodule/aes/internal.h +100 -0
- data/third_party/boringssl/crypto/fipsmodule/bcm.c +679 -0
- data/third_party/boringssl/crypto/{bn → fipsmodule/bn}/internal.h +40 -27
- data/third_party/boringssl/crypto/{bn → fipsmodule/bn}/rsaz_exp.h +0 -0
- data/third_party/boringssl/crypto/{cipher → fipsmodule/cipher}/internal.h +34 -67
- data/third_party/boringssl/crypto/fipsmodule/delocate.h +88 -0
- data/third_party/boringssl/crypto/{des → fipsmodule/des}/internal.h +18 -4
- data/third_party/boringssl/crypto/{digest → fipsmodule/digest}/internal.h +18 -18
- data/third_party/boringssl/crypto/{digest → fipsmodule/digest}/md32_common.h +58 -64
- data/third_party/boringssl/crypto/{ec → fipsmodule/ec}/internal.h +58 -52
- data/third_party/boringssl/crypto/{ec → fipsmodule/ec}/p256-x86_64-table.h +11 -11
- data/third_party/boringssl/crypto/{ec → fipsmodule/ec}/p256-x86_64.h +32 -32
- data/third_party/boringssl/crypto/{rand/internal.h → fipsmodule/is_fips.c} +10 -15
- data/third_party/boringssl/crypto/{modes → fipsmodule/modes}/internal.h +112 -119
- data/third_party/boringssl/crypto/fipsmodule/rand/internal.h +92 -0
- data/third_party/boringssl/crypto/{rsa → fipsmodule/rsa}/internal.h +36 -49
- data/third_party/boringssl/crypto/hkdf/hkdf.c +6 -6
- data/third_party/boringssl/crypto/internal.h +301 -233
- data/third_party/boringssl/crypto/lhash/lhash.c +26 -45
- data/third_party/boringssl/crypto/mem.c +76 -33
- data/third_party/boringssl/crypto/obj/obj.c +44 -28
- data/third_party/boringssl/crypto/obj/obj_dat.h +102 -34
- data/third_party/boringssl/crypto/obj/obj_xref.c +6 -6
- data/third_party/boringssl/crypto/pem/pem_info.c +3 -5
- data/third_party/boringssl/crypto/pem/pem_lib.c +1 -6
- data/third_party/boringssl/crypto/pem/pem_pk8.c +1 -0
- data/third_party/boringssl/crypto/pem/pem_pkey.c +1 -1
- data/third_party/boringssl/crypto/pem/pem_xaux.c +0 -2
- data/third_party/boringssl/crypto/pkcs7/internal.h +49 -0
- data/third_party/boringssl/crypto/pkcs7/pkcs7.c +166 -0
- data/third_party/boringssl/crypto/{x509/pkcs7.c → pkcs7/pkcs7_x509.c} +27 -147
- data/third_party/boringssl/crypto/pkcs8/internal.h +34 -16
- data/third_party/boringssl/crypto/pkcs8/p5_pbev2.c +120 -39
- data/third_party/boringssl/crypto/pkcs8/pkcs8.c +144 -857
- data/third_party/boringssl/crypto/pkcs8/pkcs8_x509.c +789 -0
- data/third_party/boringssl/crypto/poly1305/internal.h +4 -3
- data/third_party/boringssl/crypto/poly1305/poly1305.c +14 -14
- data/third_party/boringssl/crypto/poly1305/poly1305_arm.c +11 -11
- data/third_party/boringssl/crypto/poly1305/poly1305_vec.c +41 -41
- data/third_party/boringssl/crypto/pool/internal.h +2 -2
- data/third_party/boringssl/crypto/pool/pool.c +15 -15
- data/third_party/boringssl/crypto/{rand → rand_extra}/deterministic.c +7 -7
- data/third_party/boringssl/crypto/rand_extra/forkunsafe.c +46 -0
- data/third_party/boringssl/crypto/{rand → rand_extra}/fuchsia.c +7 -7
- data/third_party/boringssl/crypto/rand_extra/rand_extra.c +70 -0
- data/third_party/boringssl/crypto/{rand → rand_extra}/windows.c +5 -5
- data/third_party/boringssl/crypto/refcount_c11.c +2 -2
- data/third_party/boringssl/crypto/refcount_lock.c +1 -1
- data/third_party/boringssl/crypto/{rsa → rsa_extra}/rsa_asn1.c +12 -120
- data/third_party/boringssl/crypto/stack/stack.c +13 -13
- data/third_party/boringssl/crypto/thread_none.c +1 -1
- data/third_party/boringssl/crypto/thread_pthread.c +1 -1
- data/third_party/boringssl/crypto/thread_win.c +40 -40
- data/third_party/boringssl/crypto/x509/a_sign.c +5 -12
- data/third_party/boringssl/crypto/x509/a_verify.c +6 -18
- data/third_party/boringssl/crypto/x509/algorithm.c +22 -6
- data/third_party/boringssl/crypto/x509/asn1_gen.c +30 -7
- data/third_party/boringssl/crypto/x509/by_dir.c +2 -2
- data/third_party/boringssl/crypto/x509/by_file.c +2 -2
- data/third_party/boringssl/crypto/x509/rsa_pss.c +5 -5
- data/third_party/boringssl/crypto/x509/t_x509.c +2 -1
- data/third_party/boringssl/crypto/x509/x509_def.c +5 -0
- data/third_party/boringssl/crypto/x509/x509_lu.c +35 -4
- data/third_party/boringssl/crypto/x509/x509_set.c +10 -0
- data/third_party/boringssl/crypto/x509/x509_vfy.c +20 -17
- data/third_party/boringssl/crypto/x509/x_name.c +13 -16
- data/third_party/boringssl/crypto/x509/x_x509.c +3 -3
- data/third_party/boringssl/crypto/x509/x_x509a.c +0 -7
- data/third_party/boringssl/crypto/x509v3/ext_dat.h +8 -0
- data/third_party/boringssl/crypto/x509v3/pcy_int.h +2 -2
- data/third_party/boringssl/crypto/x509v3/pcy_lib.c +0 -9
- data/third_party/boringssl/crypto/x509v3/pcy_node.c +1 -1
- data/third_party/boringssl/crypto/x509v3/pcy_tree.c +25 -15
- data/third_party/boringssl/crypto/x509v3/v3_alt.c +21 -11
- data/third_party/boringssl/crypto/x509v3/v3_cpols.c +9 -3
- data/third_party/boringssl/crypto/x509v3/v3_info.c +22 -14
- data/third_party/boringssl/crypto/x509v3/v3_ncons.c +27 -11
- data/third_party/boringssl/crypto/x509v3/v3_pci.c +0 -33
- data/third_party/boringssl/crypto/x509v3/v3_utl.c +4 -4
- data/third_party/boringssl/include/openssl/aead.h +280 -191
- data/third_party/boringssl/include/openssl/aes.h +50 -50
- data/third_party/boringssl/include/openssl/arm_arch.h +12 -12
- data/third_party/boringssl/include/openssl/asn1.h +14 -77
- data/third_party/boringssl/include/openssl/asn1t.h +11 -15
- data/third_party/boringssl/include/openssl/base.h +78 -51
- data/third_party/boringssl/include/openssl/base64.h +68 -68
- data/third_party/boringssl/include/openssl/bio.h +472 -406
- data/third_party/boringssl/include/openssl/blowfish.h +1 -1
- data/third_party/boringssl/include/openssl/bn.h +454 -435
- data/third_party/boringssl/include/openssl/buf.h +27 -27
- data/third_party/boringssl/include/openssl/bytestring.h +282 -267
- data/third_party/boringssl/include/openssl/cast.h +2 -2
- data/third_party/boringssl/include/openssl/chacha.h +5 -5
- data/third_party/boringssl/include/openssl/cipher.h +209 -200
- data/third_party/boringssl/include/openssl/cmac.h +27 -27
- data/third_party/boringssl/include/openssl/conf.h +49 -46
- data/third_party/boringssl/include/openssl/cpu.h +60 -45
- data/third_party/boringssl/include/openssl/crypto.h +59 -35
- data/third_party/boringssl/include/openssl/curve25519.h +97 -92
- data/third_party/boringssl/include/openssl/des.h +25 -25
- data/third_party/boringssl/include/openssl/dh.h +98 -97
- data/third_party/boringssl/include/openssl/digest.h +143 -114
- data/third_party/boringssl/include/openssl/dsa.h +217 -202
- data/third_party/boringssl/include/openssl/ec.h +132 -131
- data/third_party/boringssl/include/openssl/ec_key.h +132 -128
- data/third_party/boringssl/include/openssl/ecdh.h +9 -9
- data/third_party/boringssl/include/openssl/ecdsa.h +66 -66
- data/third_party/boringssl/include/openssl/engine.h +38 -38
- data/third_party/boringssl/include/openssl/err.h +189 -219
- data/third_party/boringssl/include/openssl/evp.h +473 -397
- data/third_party/boringssl/include/openssl/ex_data.h +46 -56
- data/third_party/boringssl/include/openssl/hkdf.h +17 -17
- data/third_party/boringssl/include/openssl/hmac.h +55 -43
- data/third_party/boringssl/include/openssl/is_boringssl.h +16 -0
- data/third_party/boringssl/include/openssl/lhash.h +67 -67
- data/third_party/boringssl/include/openssl/lhash_macros.h +4 -4
- data/third_party/boringssl/include/openssl/md4.h +14 -14
- data/third_party/boringssl/include/openssl/md5.h +14 -14
- data/third_party/boringssl/include/openssl/mem.h +39 -33
- data/third_party/boringssl/include/openssl/nid.h +43 -0
- data/third_party/boringssl/include/openssl/obj.h +93 -87
- data/third_party/boringssl/include/openssl/opensslconf.h +8 -1
- data/third_party/boringssl/include/openssl/pem.h +2 -122
- data/third_party/boringssl/include/openssl/pkcs7.h +68 -2
- data/third_party/boringssl/include/openssl/pkcs8.h +81 -66
- data/third_party/boringssl/include/openssl/poly1305.h +11 -11
- data/third_party/boringssl/include/openssl/pool.h +29 -25
- data/third_party/boringssl/include/openssl/rand.h +48 -45
- data/third_party/boringssl/include/openssl/rc4.h +9 -9
- data/third_party/boringssl/include/openssl/ripemd.h +13 -13
- data/third_party/boringssl/include/openssl/rsa.h +371 -340
- data/third_party/boringssl/include/openssl/sha.h +71 -71
- data/third_party/boringssl/include/openssl/span.h +191 -0
- data/third_party/boringssl/include/openssl/ssl.h +2639 -2519
- data/third_party/boringssl/include/openssl/ssl3.h +39 -122
- data/third_party/boringssl/include/openssl/stack.h +355 -164
- data/third_party/boringssl/include/openssl/thread.h +43 -43
- data/third_party/boringssl/include/openssl/tls1.h +60 -63
- data/third_party/boringssl/include/openssl/type_check.h +10 -14
- data/third_party/boringssl/include/openssl/x509.h +41 -116
- data/third_party/boringssl/include/openssl/x509_vfy.h +17 -25
- data/third_party/boringssl/include/openssl/x509v3.h +27 -21
- data/third_party/boringssl/ssl/{bio_ssl.c → bio_ssl.cc} +9 -5
- data/third_party/boringssl/ssl/{custom_extensions.c → custom_extensions.cc} +19 -12
- data/third_party/boringssl/ssl/{d1_both.c → d1_both.cc} +224 -193
- data/third_party/boringssl/ssl/{d1_lib.c → d1_lib.cc} +86 -79
- data/third_party/boringssl/ssl/{d1_pkt.c → d1_pkt.cc} +55 -87
- data/third_party/boringssl/ssl/{d1_srtp.c → d1_srtp.cc} +12 -16
- data/third_party/boringssl/ssl/{dtls_method.c → dtls_method.cc} +33 -50
- data/third_party/boringssl/ssl/{dtls_record.c → dtls_record.cc} +76 -64
- data/third_party/boringssl/ssl/handshake.cc +547 -0
- data/third_party/boringssl/ssl/handshake_client.cc +1828 -0
- data/third_party/boringssl/ssl/handshake_server.cc +1672 -0
- data/third_party/boringssl/ssl/internal.h +2027 -1280
- data/third_party/boringssl/ssl/s3_both.cc +603 -0
- data/third_party/boringssl/ssl/{s3_lib.c → s3_lib.cc} +22 -10
- data/third_party/boringssl/ssl/{s3_pkt.c → s3_pkt.cc} +171 -75
- data/third_party/boringssl/ssl/ssl_aead_ctx.cc +415 -0
- data/third_party/boringssl/ssl/{ssl_asn1.c → ssl_asn1.cc} +257 -261
- data/third_party/boringssl/ssl/{ssl_buffer.c → ssl_buffer.cc} +81 -97
- data/third_party/boringssl/ssl/{ssl_cert.c → ssl_cert.cc} +304 -414
- data/third_party/boringssl/ssl/{ssl_cipher.c → ssl_cipher.cc} +427 -505
- data/third_party/boringssl/ssl/{ssl_file.c → ssl_file.cc} +24 -16
- data/third_party/boringssl/ssl/ssl_key_share.cc +245 -0
- data/third_party/boringssl/ssl/{ssl_lib.c → ssl_lib.cc} +665 -828
- data/third_party/boringssl/ssl/ssl_privkey.cc +518 -0
- data/third_party/boringssl/ssl/{ssl_session.c → ssl_session.cc} +596 -471
- data/third_party/boringssl/ssl/{ssl_stat.c → ssl_stat.cc} +5 -224
- data/third_party/boringssl/ssl/{ssl_transcript.c → ssl_transcript.cc} +117 -140
- data/third_party/boringssl/ssl/ssl_versions.cc +439 -0
- data/third_party/boringssl/ssl/{ssl_x509.c → ssl_x509.cc} +751 -267
- data/third_party/boringssl/ssl/{t1_enc.c → t1_enc.cc} +120 -161
- data/third_party/boringssl/ssl/{t1_lib.c → t1_lib.cc} +859 -966
- data/third_party/boringssl/ssl/{tls13_both.c → tls13_both.cc} +202 -284
- data/third_party/boringssl/ssl/tls13_client.cc +842 -0
- data/third_party/boringssl/ssl/{tls13_enc.c → tls13_enc.cc} +108 -90
- data/third_party/boringssl/ssl/tls13_server.cc +967 -0
- data/third_party/boringssl/ssl/{tls_method.c → tls_method.cc} +94 -73
- data/third_party/boringssl/ssl/tls_record.cc +675 -0
- metadata +117 -168
- data/include/grpc/support/cmdline.h +0 -88
- data/include/grpc/support/subprocess.h +0 -44
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h +0 -29
- data/src/core/ext/filters/client_channel/resolver_factory.cc +0 -40
- data/src/core/lib/gpr/cmdline.cc +0 -330
- data/src/core/lib/gpr/subprocess_posix.cc +0 -99
- data/src/core/lib/gpr/subprocess_windows.cc +0 -126
- data/src/core/lib/surface/alarm.cc +0 -137
- data/src/core/lib/surface/alarm_internal.h +0 -40
- data/src/core/tsi/gts_transport_security.cc +0 -40
- data/third_party/boringssl/crypto/aes/aes.c +0 -1142
- data/third_party/boringssl/crypto/aes/internal.h +0 -87
- data/third_party/boringssl/crypto/aes/key_wrap.c +0 -138
- data/third_party/boringssl/crypto/aes/mode_wrappers.c +0 -112
- data/third_party/boringssl/crypto/asn1/x_long.c +0 -200
- data/third_party/boringssl/crypto/bn/add.c +0 -377
- data/third_party/boringssl/crypto/bn/asm/x86_64-gcc.c +0 -532
- data/third_party/boringssl/crypto/bn/bn.c +0 -365
- data/third_party/boringssl/crypto/bn/cmp.c +0 -239
- data/third_party/boringssl/crypto/bn/ctx.c +0 -313
- data/third_party/boringssl/crypto/bn/div.c +0 -728
- data/third_party/boringssl/crypto/bn/exponentiation.c +0 -1240
- data/third_party/boringssl/crypto/bn/gcd.c +0 -635
- data/third_party/boringssl/crypto/bn/generic.c +0 -707
- data/third_party/boringssl/crypto/bn/kronecker.c +0 -176
- data/third_party/boringssl/crypto/bn/montgomery.c +0 -409
- data/third_party/boringssl/crypto/bn/montgomery_inv.c +0 -207
- data/third_party/boringssl/crypto/bn/mul.c +0 -871
- data/third_party/boringssl/crypto/bn/prime.c +0 -861
- data/third_party/boringssl/crypto/bn/random.c +0 -343
- data/third_party/boringssl/crypto/bn/rsaz_exp.c +0 -254
- data/third_party/boringssl/crypto/bn/shift.c +0 -307
- data/third_party/boringssl/crypto/bn/sqrt.c +0 -506
- data/third_party/boringssl/crypto/cipher/aead.c +0 -156
- data/third_party/boringssl/crypto/cipher/cipher.c +0 -657
- data/third_party/boringssl/crypto/cipher/e_aes.c +0 -1771
- data/third_party/boringssl/crypto/cipher/e_chacha20poly1305.c +0 -276
- data/third_party/boringssl/crypto/cipher/e_des.c +0 -205
- data/third_party/boringssl/crypto/cipher/tls_cbc.c +0 -482
- data/third_party/boringssl/crypto/des/des.c +0 -771
- data/third_party/boringssl/crypto/digest/digest.c +0 -251
- data/third_party/boringssl/crypto/digest/digests.c +0 -358
- data/third_party/boringssl/crypto/ec/ec.c +0 -847
- data/third_party/boringssl/crypto/ec/ec_key.c +0 -479
- data/third_party/boringssl/crypto/ec/ec_montgomery.c +0 -303
- data/third_party/boringssl/crypto/ec/oct.c +0 -416
- data/third_party/boringssl/crypto/ec/p224-64.c +0 -1143
- data/third_party/boringssl/crypto/ec/p256-64.c +0 -1701
- data/third_party/boringssl/crypto/ec/p256-x86_64.c +0 -561
- data/third_party/boringssl/crypto/ec/simple.c +0 -1118
- data/third_party/boringssl/crypto/ec/util-64.c +0 -109
- data/third_party/boringssl/crypto/ec/wnaf.c +0 -458
- data/third_party/boringssl/crypto/ecdsa/ecdsa.c +0 -479
- data/third_party/boringssl/crypto/hmac/hmac.c +0 -215
- data/third_party/boringssl/crypto/md4/md4.c +0 -236
- data/third_party/boringssl/crypto/md5/md5.c +0 -285
- data/third_party/boringssl/crypto/modes/cbc.c +0 -212
- data/third_party/boringssl/crypto/modes/cfb.c +0 -230
- data/third_party/boringssl/crypto/modes/ctr.c +0 -219
- data/third_party/boringssl/crypto/modes/gcm.c +0 -1071
- data/third_party/boringssl/crypto/modes/ofb.c +0 -95
- data/third_party/boringssl/crypto/modes/polyval.c +0 -94
- data/third_party/boringssl/crypto/pkcs8/p8_pkey.c +0 -85
- data/third_party/boringssl/crypto/rand/rand.c +0 -244
- data/third_party/boringssl/crypto/rand/urandom.c +0 -335
- data/third_party/boringssl/crypto/rsa/blinding.c +0 -265
- data/third_party/boringssl/crypto/rsa/padding.c +0 -708
- data/third_party/boringssl/crypto/rsa/rsa.c +0 -830
- data/third_party/boringssl/crypto/rsa/rsa_impl.c +0 -1100
- data/third_party/boringssl/crypto/sha/sha1-altivec.c +0 -346
- data/third_party/boringssl/crypto/sha/sha1.c +0 -355
- data/third_party/boringssl/crypto/sha/sha256.c +0 -329
- data/third_party/boringssl/crypto/sha/sha512.c +0 -609
- data/third_party/boringssl/crypto/x509/x509type.c +0 -126
- data/third_party/boringssl/include/openssl/stack_macros.h +0 -3987
- data/third_party/boringssl/ssl/handshake_client.c +0 -1883
- data/third_party/boringssl/ssl/handshake_server.c +0 -1950
- data/third_party/boringssl/ssl/s3_both.c +0 -895
- data/third_party/boringssl/ssl/ssl_aead_ctx.c +0 -335
- data/third_party/boringssl/ssl/ssl_ecdh.c +0 -465
- data/third_party/boringssl/ssl/ssl_privkey.c +0 -683
- data/third_party/boringssl/ssl/ssl_privkey_cc.cc +0 -76
- data/third_party/boringssl/ssl/tls13_client.c +0 -712
- data/third_party/boringssl/ssl/tls13_server.c +0 -680
- data/third_party/boringssl/ssl/tls_record.c +0 -556
|
@@ -22,37 +22,55 @@
|
|
|
22
22
|
#include <openssl/bio.h>
|
|
23
23
|
#include <openssl/err.h>
|
|
24
24
|
#include <openssl/mem.h>
|
|
25
|
-
#include <openssl/type_check.h>
|
|
26
25
|
|
|
27
26
|
#include "../crypto/internal.h"
|
|
28
27
|
#include "internal.h"
|
|
29
28
|
|
|
30
29
|
|
|
31
|
-
|
|
30
|
+
namespace bssl {
|
|
32
31
|
|
|
33
|
-
|
|
34
|
-
|
|
32
|
+
// BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will
|
|
33
|
+
// not overflow.
|
|
34
|
+
static_assert(0xffff <= INT_MAX, "uint16_t does not fit in int");
|
|
35
35
|
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
36
|
+
static_assert((SSL3_ALIGN_PAYLOAD & (SSL3_ALIGN_PAYLOAD - 1)) == 0,
|
|
37
|
+
"SSL3_ALIGN_PAYLOAD must be a power of 2");
|
|
38
|
+
|
|
39
|
+
// ensure_buffer ensures |buf| has capacity at least |cap|, aligned such that
|
|
40
|
+
// data written after |header_len| is aligned to a |SSL3_ALIGN_PAYLOAD|-byte
|
|
41
|
+
// boundary. It returns one on success and zero on error.
|
|
42
|
+
static int ensure_buffer(SSL3_BUFFER *buf, size_t header_len, size_t cap) {
|
|
43
|
+
if (cap > 0xffff) {
|
|
41
44
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
42
45
|
return 0;
|
|
43
46
|
}
|
|
44
47
|
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
+
if (buf->cap >= cap) {
|
|
49
|
+
return 1;
|
|
50
|
+
}
|
|
51
|
+
|
|
52
|
+
// Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment.
|
|
53
|
+
//
|
|
54
|
+
// Since this buffer gets allocated quite frequently and doesn't contain any
|
|
55
|
+
// sensitive data, we allocate with malloc rather than |OPENSSL_malloc| and
|
|
56
|
+
// avoid zeroing on free.
|
|
57
|
+
uint8_t *new_buf = (uint8_t *)malloc(cap + SSL3_ALIGN_PAYLOAD - 1);
|
|
58
|
+
if (new_buf == NULL) {
|
|
48
59
|
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
|
49
60
|
return 0;
|
|
50
61
|
}
|
|
51
62
|
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
63
|
+
// Offset the buffer such that the record body is aligned.
|
|
64
|
+
size_t new_offset =
|
|
65
|
+
(0 - header_len - (uintptr_t)new_buf) & (SSL3_ALIGN_PAYLOAD - 1);
|
|
66
|
+
|
|
67
|
+
if (buf->buf != NULL) {
|
|
68
|
+
OPENSSL_memcpy(new_buf + new_offset, buf->buf + buf->offset, buf->len);
|
|
69
|
+
free(buf->buf); // Allocated with malloc().
|
|
70
|
+
}
|
|
71
|
+
|
|
72
|
+
buf->buf = new_buf;
|
|
73
|
+
buf->offset = new_offset;
|
|
56
74
|
buf->cap = cap;
|
|
57
75
|
return 1;
|
|
58
76
|
}
|
|
@@ -67,59 +85,32 @@ static void consume_buffer(SSL3_BUFFER *buf, size_t len) {
|
|
|
67
85
|
}
|
|
68
86
|
|
|
69
87
|
static void clear_buffer(SSL3_BUFFER *buf) {
|
|
70
|
-
|
|
88
|
+
free(buf->buf); // Allocated with malloc().
|
|
71
89
|
OPENSSL_memset(buf, 0, sizeof(SSL3_BUFFER));
|
|
72
90
|
}
|
|
73
91
|
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
/* setup_read_buffer initializes the read buffer if not already initialized. It
|
|
79
|
-
* returns one on success and zero on failure. */
|
|
80
|
-
static int setup_read_buffer(SSL *ssl) {
|
|
81
|
-
SSL3_BUFFER *buf = &ssl->s3->read_buffer;
|
|
82
|
-
|
|
83
|
-
if (buf->buf != NULL) {
|
|
84
|
-
return 1;
|
|
85
|
-
}
|
|
86
|
-
|
|
87
|
-
size_t header_len = ssl_record_prefix_len(ssl);
|
|
88
|
-
size_t cap = SSL3_RT_MAX_ENCRYPTED_LENGTH;
|
|
89
|
-
if (SSL_is_dtls(ssl)) {
|
|
90
|
-
cap += DTLS1_RT_HEADER_LENGTH;
|
|
91
|
-
} else {
|
|
92
|
-
cap += SSL3_RT_HEADER_LENGTH;
|
|
93
|
-
}
|
|
94
|
-
|
|
95
|
-
return setup_buffer(buf, header_len, cap);
|
|
96
|
-
}
|
|
97
|
-
|
|
98
|
-
uint8_t *ssl_read_buffer(SSL *ssl) {
|
|
99
|
-
return ssl->s3->read_buffer.buf + ssl->s3->read_buffer.offset;
|
|
100
|
-
}
|
|
101
|
-
|
|
102
|
-
size_t ssl_read_buffer_len(const SSL *ssl) {
|
|
103
|
-
return ssl->s3->read_buffer.len;
|
|
92
|
+
Span<uint8_t> ssl_read_buffer(SSL *ssl) {
|
|
93
|
+
return MakeSpan(ssl->s3->read_buffer.buf + ssl->s3->read_buffer.offset,
|
|
94
|
+
ssl->s3->read_buffer.len);
|
|
104
95
|
}
|
|
105
96
|
|
|
106
97
|
static int dtls_read_buffer_next_packet(SSL *ssl) {
|
|
107
98
|
SSL3_BUFFER *buf = &ssl->s3->read_buffer;
|
|
108
99
|
|
|
109
100
|
if (buf->len > 0) {
|
|
110
|
-
|
|
111
|
-
|
|
101
|
+
// It is an error to call |dtls_read_buffer_extend| when the read buffer is
|
|
102
|
+
// not empty.
|
|
112
103
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
113
104
|
return -1;
|
|
114
105
|
}
|
|
115
106
|
|
|
116
|
-
|
|
107
|
+
// Read a single packet from |ssl->rbio|. |buf->cap| must fit in an int.
|
|
117
108
|
int ret = BIO_read(ssl->rbio, buf->buf + buf->offset, (int)buf->cap);
|
|
118
109
|
if (ret <= 0) {
|
|
119
110
|
ssl->rwstate = SSL_READING;
|
|
120
111
|
return ret;
|
|
121
112
|
}
|
|
122
|
-
|
|
113
|
+
// |BIO_read| was bound by |buf->cap|, so this cannot overflow.
|
|
123
114
|
buf->len = (uint16_t)ret;
|
|
124
115
|
return 1;
|
|
125
116
|
}
|
|
@@ -132,18 +123,18 @@ static int tls_read_buffer_extend_to(SSL *ssl, size_t len) {
|
|
|
132
123
|
return -1;
|
|
133
124
|
}
|
|
134
125
|
|
|
135
|
-
|
|
126
|
+
// Read until the target length is reached.
|
|
136
127
|
while (buf->len < len) {
|
|
137
|
-
|
|
138
|
-
|
|
128
|
+
// The amount of data to read is bounded by |buf->cap|, which must fit in an
|
|
129
|
+
// int.
|
|
139
130
|
int ret = BIO_read(ssl->rbio, buf->buf + buf->offset + buf->len,
|
|
140
131
|
(int)(len - buf->len));
|
|
141
132
|
if (ret <= 0) {
|
|
142
133
|
ssl->rwstate = SSL_READING;
|
|
143
134
|
return ret;
|
|
144
135
|
}
|
|
145
|
-
|
|
146
|
-
|
|
136
|
+
// |BIO_read| was bound by |buf->cap - buf->len|, so this cannot
|
|
137
|
+
// overflow.
|
|
147
138
|
buf->len += (uint16_t)ret;
|
|
148
139
|
}
|
|
149
140
|
|
|
@@ -151,10 +142,19 @@ static int tls_read_buffer_extend_to(SSL *ssl, size_t len) {
|
|
|
151
142
|
}
|
|
152
143
|
|
|
153
144
|
int ssl_read_buffer_extend_to(SSL *ssl, size_t len) {
|
|
154
|
-
|
|
145
|
+
// |ssl_read_buffer_extend_to| implicitly discards any consumed data.
|
|
155
146
|
ssl_read_buffer_discard(ssl);
|
|
156
147
|
|
|
157
|
-
if (
|
|
148
|
+
if (SSL_is_dtls(ssl)) {
|
|
149
|
+
static_assert(
|
|
150
|
+
DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <= 0xffff,
|
|
151
|
+
"DTLS read buffer is too large");
|
|
152
|
+
|
|
153
|
+
// The |len| parameter is ignored in DTLS.
|
|
154
|
+
len = DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
|
|
155
|
+
}
|
|
156
|
+
|
|
157
|
+
if (!ensure_buffer(&ssl->s3->read_buffer, ssl_record_prefix_len(ssl), len)) {
|
|
158
158
|
return -1;
|
|
159
159
|
}
|
|
160
160
|
|
|
@@ -165,15 +165,15 @@ int ssl_read_buffer_extend_to(SSL *ssl, size_t len) {
|
|
|
165
165
|
|
|
166
166
|
int ret;
|
|
167
167
|
if (SSL_is_dtls(ssl)) {
|
|
168
|
-
|
|
168
|
+
// |len| is ignored for a datagram transport.
|
|
169
169
|
ret = dtls_read_buffer_next_packet(ssl);
|
|
170
170
|
} else {
|
|
171
171
|
ret = tls_read_buffer_extend_to(ssl, len);
|
|
172
172
|
}
|
|
173
173
|
|
|
174
174
|
if (ret <= 0) {
|
|
175
|
-
|
|
176
|
-
|
|
175
|
+
// If the buffer was empty originally and remained empty after attempting to
|
|
176
|
+
// extend it, release the buffer until the next attempt.
|
|
177
177
|
ssl_read_buffer_discard(ssl);
|
|
178
178
|
}
|
|
179
179
|
return ret;
|
|
@@ -184,11 +184,11 @@ void ssl_read_buffer_consume(SSL *ssl, size_t len) {
|
|
|
184
184
|
|
|
185
185
|
consume_buffer(buf, len);
|
|
186
186
|
|
|
187
|
-
|
|
188
|
-
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
|
|
187
|
+
// The TLS stack never reads beyond the current record, so there will never be
|
|
188
|
+
// unconsumed data. If read-ahead is ever reimplemented,
|
|
189
|
+
// |ssl_read_buffer_discard| will require a |memcpy| to shift the excess back
|
|
190
|
+
// to the front of the buffer, to ensure there is enough space for the next
|
|
191
|
+
// record.
|
|
192
192
|
assert(SSL_is_dtls(ssl) || len == 0 || buf->len == 0);
|
|
193
193
|
}
|
|
194
194
|
|
|
@@ -207,15 +207,16 @@ int ssl_write_buffer_is_pending(const SSL *ssl) {
|
|
|
207
207
|
return ssl->s3->write_buffer.len > 0;
|
|
208
208
|
}
|
|
209
209
|
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
210
|
+
static_assert(SSL3_RT_HEADER_LENGTH * 2 +
|
|
211
|
+
SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD * 2 +
|
|
212
|
+
SSL3_RT_MAX_PLAIN_LENGTH <=
|
|
213
|
+
0xffff,
|
|
214
|
+
"maximum TLS write buffer is too large");
|
|
214
215
|
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
216
|
+
static_assert(DTLS1_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD +
|
|
217
|
+
SSL3_RT_MAX_PLAIN_LENGTH <=
|
|
218
|
+
0xffff,
|
|
219
|
+
"maximum DTLS write buffer is too large");
|
|
219
220
|
|
|
220
221
|
int ssl_write_buffer_init(SSL *ssl, uint8_t **out_ptr, size_t max_len) {
|
|
221
222
|
SSL3_BUFFER *buf = &ssl->s3->write_buffer;
|
|
@@ -225,26 +226,7 @@ int ssl_write_buffer_init(SSL *ssl, uint8_t **out_ptr, size_t max_len) {
|
|
|
225
226
|
return 0;
|
|
226
227
|
}
|
|
227
228
|
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
/* TODO(davidben): This matches the original behavior in keeping the malloc
|
|
231
|
-
* size consistent. Does this matter? |cap| could just be |max_len|. */
|
|
232
|
-
size_t cap = SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
|
|
233
|
-
if (SSL_is_dtls(ssl)) {
|
|
234
|
-
cap += DTLS1_RT_HEADER_LENGTH;
|
|
235
|
-
} else {
|
|
236
|
-
cap += SSL3_RT_HEADER_LENGTH;
|
|
237
|
-
if (ssl->mode & SSL_MODE_CBC_RECORD_SPLITTING) {
|
|
238
|
-
cap += SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
|
|
239
|
-
}
|
|
240
|
-
}
|
|
241
|
-
|
|
242
|
-
if (max_len > cap) {
|
|
243
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
|
|
244
|
-
return 0;
|
|
245
|
-
}
|
|
246
|
-
|
|
247
|
-
if (!setup_buffer(buf, header_len, cap)) {
|
|
229
|
+
if (!ensure_buffer(buf, ssl_seal_align_prefix_len(ssl), max_len)) {
|
|
248
230
|
return 0;
|
|
249
231
|
}
|
|
250
232
|
*out_ptr = buf->buf + buf->offset;
|
|
@@ -284,9 +266,9 @@ static int dtls_write_buffer_flush(SSL *ssl) {
|
|
|
284
266
|
int ret = BIO_write(ssl->wbio, buf->buf + buf->offset, buf->len);
|
|
285
267
|
if (ret <= 0) {
|
|
286
268
|
ssl->rwstate = SSL_WRITING;
|
|
287
|
-
|
|
288
|
-
|
|
289
|
-
|
|
269
|
+
// If the write failed, drop the write buffer anyway. Datagram transports
|
|
270
|
+
// can't write half a packet, so the caller is expected to retry from the
|
|
271
|
+
// top.
|
|
290
272
|
ssl_write_buffer_clear(ssl);
|
|
291
273
|
return ret;
|
|
292
274
|
}
|
|
@@ -310,3 +292,5 @@ int ssl_write_buffer_flush(SSL *ssl) {
|
|
|
310
292
|
void ssl_write_buffer_clear(SSL *ssl) {
|
|
311
293
|
clear_buffer(&ssl->s3->write_buffer);
|
|
312
294
|
}
|
|
295
|
+
|
|
296
|
+
} // namespace bssl
|
|
@@ -118,31 +118,25 @@
|
|
|
118
118
|
#include <limits.h>
|
|
119
119
|
#include <string.h>
|
|
120
120
|
|
|
121
|
+
#include <utility>
|
|
122
|
+
|
|
121
123
|
#include <openssl/bn.h>
|
|
122
124
|
#include <openssl/buf.h>
|
|
123
125
|
#include <openssl/bytestring.h>
|
|
124
|
-
#include <openssl/dh.h>
|
|
125
126
|
#include <openssl/ec_key.h>
|
|
126
127
|
#include <openssl/err.h>
|
|
127
128
|
#include <openssl/mem.h>
|
|
128
129
|
#include <openssl/sha.h>
|
|
129
130
|
#include <openssl/x509.h>
|
|
130
|
-
#include <openssl/x509v3.h>
|
|
131
131
|
|
|
132
132
|
#include "../crypto/internal.h"
|
|
133
133
|
#include "internal.h"
|
|
134
134
|
|
|
135
135
|
|
|
136
|
-
|
|
137
|
-
/* The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the
|
|
138
|
-
* reserved app_data slot. Before ex_data was introduced, app_data was used.
|
|
139
|
-
* Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data|
|
|
140
|
-
* works. */
|
|
141
|
-
return 0;
|
|
142
|
-
}
|
|
136
|
+
namespace bssl {
|
|
143
137
|
|
|
144
138
|
CERT *ssl_cert_new(const SSL_X509_METHOD *x509_method) {
|
|
145
|
-
CERT *ret = OPENSSL_malloc(sizeof(CERT));
|
|
139
|
+
CERT *ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
|
|
146
140
|
if (ret == NULL) {
|
|
147
141
|
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
|
148
142
|
return NULL;
|
|
@@ -159,7 +153,7 @@ static CRYPTO_BUFFER *buffer_up_ref(CRYPTO_BUFFER *buffer) {
|
|
|
159
153
|
}
|
|
160
154
|
|
|
161
155
|
CERT *ssl_cert_dup(CERT *cert) {
|
|
162
|
-
CERT *ret = OPENSSL_malloc(sizeof(CERT));
|
|
156
|
+
CERT *ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
|
|
163
157
|
if (ret == NULL) {
|
|
164
158
|
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
|
165
159
|
return NULL;
|
|
@@ -177,18 +171,9 @@ CERT *ssl_cert_dup(CERT *cert) {
|
|
|
177
171
|
ret->key_method = cert->key_method;
|
|
178
172
|
ret->x509_method = cert->x509_method;
|
|
179
173
|
|
|
180
|
-
if (cert->dh_tmp != NULL) {
|
|
181
|
-
ret->dh_tmp = DHparams_dup(cert->dh_tmp);
|
|
182
|
-
if (ret->dh_tmp == NULL) {
|
|
183
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB);
|
|
184
|
-
goto err;
|
|
185
|
-
}
|
|
186
|
-
}
|
|
187
|
-
ret->dh_tmp_cb = cert->dh_tmp_cb;
|
|
188
|
-
|
|
189
174
|
if (cert->sigalgs != NULL) {
|
|
190
|
-
ret->sigalgs =
|
|
191
|
-
|
|
175
|
+
ret->sigalgs = (uint16_t *)BUF_memdup(
|
|
176
|
+
cert->sigalgs, cert->num_sigalgs * sizeof(cert->sigalgs[0]));
|
|
192
177
|
if (ret->sigalgs == NULL) {
|
|
193
178
|
goto err;
|
|
194
179
|
}
|
|
@@ -198,10 +183,7 @@ CERT *ssl_cert_dup(CERT *cert) {
|
|
|
198
183
|
ret->cert_cb = cert->cert_cb;
|
|
199
184
|
ret->cert_cb_arg = cert->cert_cb_arg;
|
|
200
185
|
|
|
201
|
-
|
|
202
|
-
X509_STORE_up_ref(cert->verify_store);
|
|
203
|
-
ret->verify_store = cert->verify_store;
|
|
204
|
-
}
|
|
186
|
+
ret->x509_method->cert_dup(ret, cert);
|
|
205
187
|
|
|
206
188
|
if (cert->signed_cert_timestamp_list != NULL) {
|
|
207
189
|
CRYPTO_BUFFER_up_ref(cert->signed_cert_timestamp_list);
|
|
@@ -216,6 +198,8 @@ CERT *ssl_cert_dup(CERT *cert) {
|
|
|
216
198
|
ret->sid_ctx_length = cert->sid_ctx_length;
|
|
217
199
|
OPENSSL_memcpy(ret->sid_ctx, cert->sid_ctx, sizeof(ret->sid_ctx));
|
|
218
200
|
|
|
201
|
+
ret->enable_early_data = cert->enable_early_data;
|
|
202
|
+
|
|
219
203
|
return ret;
|
|
220
204
|
|
|
221
205
|
err:
|
|
@@ -223,7 +207,7 @@ err:
|
|
|
223
207
|
return NULL;
|
|
224
208
|
}
|
|
225
209
|
|
|
226
|
-
|
|
210
|
+
// Free up and clear all certificates and chains
|
|
227
211
|
void ssl_cert_clear_certs(CERT *cert) {
|
|
228
212
|
if (cert == NULL) {
|
|
229
213
|
return;
|
|
@@ -238,335 +222,226 @@ void ssl_cert_clear_certs(CERT *cert) {
|
|
|
238
222
|
cert->key_method = NULL;
|
|
239
223
|
}
|
|
240
224
|
|
|
241
|
-
void ssl_cert_free(CERT *
|
|
242
|
-
if (
|
|
225
|
+
void ssl_cert_free(CERT *cert) {
|
|
226
|
+
if (cert == NULL) {
|
|
243
227
|
return;
|
|
244
228
|
}
|
|
245
229
|
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
249
|
-
|
|
250
|
-
|
|
251
|
-
CRYPTO_BUFFER_free(c->signed_cert_timestamp_list);
|
|
252
|
-
CRYPTO_BUFFER_free(c->ocsp_response);
|
|
230
|
+
ssl_cert_clear_certs(cert);
|
|
231
|
+
cert->x509_method->cert_free(cert);
|
|
232
|
+
OPENSSL_free(cert->sigalgs);
|
|
233
|
+
CRYPTO_BUFFER_free(cert->signed_cert_timestamp_list);
|
|
234
|
+
CRYPTO_BUFFER_free(cert->ocsp_response);
|
|
253
235
|
|
|
254
|
-
OPENSSL_free(
|
|
236
|
+
OPENSSL_free(cert);
|
|
255
237
|
}
|
|
256
238
|
|
|
257
|
-
static void ssl_cert_set_cert_cb(CERT *
|
|
239
|
+
static void ssl_cert_set_cert_cb(CERT *cert, int (*cb)(SSL *ssl, void *arg),
|
|
258
240
|
void *arg) {
|
|
259
|
-
|
|
260
|
-
|
|
261
|
-
}
|
|
262
|
-
|
|
263
|
-
|
|
241
|
+
cert->cert_cb = cb;
|
|
242
|
+
cert->cert_cb_arg = arg;
|
|
243
|
+
}
|
|
244
|
+
|
|
245
|
+
enum leaf_cert_and_privkey_result_t {
|
|
246
|
+
leaf_cert_and_privkey_error,
|
|
247
|
+
leaf_cert_and_privkey_ok,
|
|
248
|
+
leaf_cert_and_privkey_mismatch,
|
|
249
|
+
};
|
|
250
|
+
|
|
251
|
+
// check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer|
|
|
252
|
+
// and the private key in |privkey| are suitable and coherent. It returns
|
|
253
|
+
// |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is
|
|
254
|
+
// found. If the certificate and private key are valid, but incoherent, it
|
|
255
|
+
// returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns
|
|
256
|
+
// |leaf_cert_and_privkey_ok|.
|
|
257
|
+
static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey(
|
|
258
|
+
CRYPTO_BUFFER *leaf_buffer, EVP_PKEY *privkey) {
|
|
264
259
|
CBS cert_cbs;
|
|
265
|
-
CRYPTO_BUFFER_init_CBS(
|
|
266
|
-
EVP_PKEY
|
|
267
|
-
if (pubkey
|
|
268
|
-
|
|
260
|
+
CRYPTO_BUFFER_init_CBS(leaf_buffer, &cert_cbs);
|
|
261
|
+
UniquePtr<EVP_PKEY> pubkey = ssl_cert_parse_pubkey(&cert_cbs);
|
|
262
|
+
if (!pubkey) {
|
|
263
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
264
|
+
return leaf_cert_and_privkey_error;
|
|
269
265
|
}
|
|
270
266
|
|
|
271
267
|
if (!ssl_is_key_type_supported(pubkey->type)) {
|
|
272
268
|
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
|
|
273
|
-
|
|
274
|
-
return 0;
|
|
269
|
+
return leaf_cert_and_privkey_error;
|
|
275
270
|
}
|
|
276
271
|
|
|
277
|
-
|
|
278
|
-
|
|
272
|
+
// An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA
|
|
273
|
+
// certificates, so sanity-check the key usage extension.
|
|
279
274
|
if (pubkey->type == EVP_PKEY_EC &&
|
|
280
275
|
!ssl_cert_check_digital_signature_key_usage(&cert_cbs)) {
|
|
281
276
|
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
|
|
282
|
-
|
|
283
|
-
return 0;
|
|
284
|
-
}
|
|
285
|
-
|
|
286
|
-
if (cert->privatekey != NULL) {
|
|
287
|
-
/* Sanity-check that the private key and the certificate match, unless the
|
|
288
|
-
* key is opaque (in case of, say, a smartcard). */
|
|
289
|
-
if (!EVP_PKEY_is_opaque(cert->privatekey) &&
|
|
290
|
-
!ssl_compare_public_and_private_key(pubkey, cert->privatekey)) {
|
|
291
|
-
/* don't fail for a cert/key mismatch, just free current private key
|
|
292
|
-
* (when switching to a different cert & key, first this function should
|
|
293
|
-
* be used, then ssl_set_pkey */
|
|
294
|
-
EVP_PKEY_free(cert->privatekey);
|
|
295
|
-
cert->privatekey = NULL;
|
|
296
|
-
/* clear error queue */
|
|
297
|
-
ERR_clear_error();
|
|
298
|
-
}
|
|
299
|
-
}
|
|
300
|
-
|
|
301
|
-
EVP_PKEY_free(pubkey);
|
|
302
|
-
|
|
303
|
-
cert->x509_method->cert_flush_cached_leaf(cert);
|
|
304
|
-
|
|
305
|
-
if (cert->chain != NULL) {
|
|
306
|
-
CRYPTO_BUFFER_free(sk_CRYPTO_BUFFER_value(cert->chain, 0));
|
|
307
|
-
sk_CRYPTO_BUFFER_set(cert->chain, 0, buffer);
|
|
308
|
-
CRYPTO_BUFFER_up_ref(buffer);
|
|
309
|
-
return 1;
|
|
310
|
-
}
|
|
311
|
-
|
|
312
|
-
cert->chain = sk_CRYPTO_BUFFER_new_null();
|
|
313
|
-
if (cert->chain == NULL) {
|
|
314
|
-
return 0;
|
|
277
|
+
return leaf_cert_and_privkey_error;
|
|
315
278
|
}
|
|
316
279
|
|
|
317
|
-
if (
|
|
318
|
-
|
|
319
|
-
|
|
320
|
-
|
|
280
|
+
if (privkey != NULL &&
|
|
281
|
+
// Sanity-check that the private key and the certificate match.
|
|
282
|
+
!ssl_compare_public_and_private_key(pubkey.get(), privkey)) {
|
|
283
|
+
ERR_clear_error();
|
|
284
|
+
return leaf_cert_and_privkey_mismatch;
|
|
321
285
|
}
|
|
322
|
-
CRYPTO_BUFFER_up_ref(buffer);
|
|
323
286
|
|
|
324
|
-
return
|
|
287
|
+
return leaf_cert_and_privkey_ok;
|
|
325
288
|
}
|
|
326
289
|
|
|
327
|
-
int
|
|
328
|
-
|
|
329
|
-
|
|
330
|
-
if (
|
|
290
|
+
static int cert_set_chain_and_key(
|
|
291
|
+
CERT *cert, CRYPTO_BUFFER *const *certs, size_t num_certs,
|
|
292
|
+
EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method) {
|
|
293
|
+
if (num_certs == 0 ||
|
|
294
|
+
(privkey == NULL && privkey_method == NULL)) {
|
|
295
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
|
|
331
296
|
return 0;
|
|
332
297
|
}
|
|
333
298
|
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
return ok;
|
|
337
|
-
}
|
|
338
|
-
|
|
339
|
-
int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {
|
|
340
|
-
CRYPTO_BUFFER *buffer = CRYPTO_BUFFER_new(der, der_len, NULL);
|
|
341
|
-
if (buffer == NULL) {
|
|
299
|
+
if (privkey != NULL && privkey_method != NULL) {
|
|
300
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_HAVE_BOTH_PRIVKEY_AND_METHOD);
|
|
342
301
|
return 0;
|
|
343
302
|
}
|
|
344
303
|
|
|
345
|
-
|
|
346
|
-
|
|
347
|
-
|
|
348
|
-
|
|
349
|
-
|
|
350
|
-
|
|
351
|
-
|
|
352
|
-
|
|
353
|
-
return 0;
|
|
354
|
-
}
|
|
355
|
-
|
|
356
|
-
X509_STORE *verify_store = ssl->ctx->cert_store;
|
|
357
|
-
if (ssl->cert->verify_store != NULL) {
|
|
358
|
-
verify_store = ssl->cert->verify_store;
|
|
304
|
+
switch (check_leaf_cert_and_privkey(certs[0], privkey)) {
|
|
305
|
+
case leaf_cert_and_privkey_error:
|
|
306
|
+
return 0;
|
|
307
|
+
case leaf_cert_and_privkey_mismatch:
|
|
308
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_AND_PRIVATE_KEY_MISMATCH);
|
|
309
|
+
return 0;
|
|
310
|
+
case leaf_cert_and_privkey_ok:
|
|
311
|
+
break;
|
|
359
312
|
}
|
|
360
313
|
|
|
361
|
-
|
|
362
|
-
|
|
363
|
-
X509_STORE_CTX ctx;
|
|
364
|
-
if (!X509_STORE_CTX_init(&ctx, verify_store, leaf, cert_chain)) {
|
|
365
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
|
|
314
|
+
STACK_OF(CRYPTO_BUFFER) *certs_sk = sk_CRYPTO_BUFFER_new_null();
|
|
315
|
+
if (certs_sk == NULL) {
|
|
366
316
|
return 0;
|
|
367
317
|
}
|
|
368
|
-
if (!X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(),
|
|
369
|
-
ssl)) {
|
|
370
|
-
goto err;
|
|
371
|
-
}
|
|
372
|
-
|
|
373
|
-
/* We need to inherit the verify parameters. These can be determined by the
|
|
374
|
-
* context: if its a server it will verify SSL client certificates or vice
|
|
375
|
-
* versa. */
|
|
376
|
-
X509_STORE_CTX_set_default(&ctx, ssl->server ? "ssl_client" : "ssl_server");
|
|
377
|
-
|
|
378
|
-
/* Anything non-default in "param" should overwrite anything in the ctx. */
|
|
379
|
-
X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), ssl->param);
|
|
380
318
|
|
|
381
|
-
|
|
382
|
-
|
|
383
|
-
|
|
384
|
-
|
|
385
|
-
int verify_ret;
|
|
386
|
-
if (ssl->ctx->app_verify_callback != NULL) {
|
|
387
|
-
verify_ret = ssl->ctx->app_verify_callback(&ctx, ssl->ctx->app_verify_arg);
|
|
388
|
-
} else {
|
|
389
|
-
verify_ret = X509_verify_cert(&ctx);
|
|
390
|
-
}
|
|
391
|
-
|
|
392
|
-
*out_verify_result = ctx.error;
|
|
393
|
-
|
|
394
|
-
/* If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. */
|
|
395
|
-
if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) {
|
|
396
|
-
ssl3_send_alert(ssl, SSL3_AL_FATAL, ssl_verify_alarm_type(ctx.error));
|
|
397
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
|
|
398
|
-
goto err;
|
|
399
|
-
}
|
|
400
|
-
|
|
401
|
-
ERR_clear_error();
|
|
402
|
-
ret = 1;
|
|
403
|
-
|
|
404
|
-
err:
|
|
405
|
-
X509_STORE_CTX_cleanup(&ctx);
|
|
406
|
-
return ret;
|
|
407
|
-
}
|
|
408
|
-
|
|
409
|
-
static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,
|
|
410
|
-
STACK_OF(X509_NAME) *name_list) {
|
|
411
|
-
sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
|
|
412
|
-
*ca_list = name_list;
|
|
413
|
-
}
|
|
414
|
-
|
|
415
|
-
STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list) {
|
|
416
|
-
STACK_OF(X509_NAME) *ret = sk_X509_NAME_new_null();
|
|
417
|
-
if (ret == NULL) {
|
|
418
|
-
return NULL;
|
|
419
|
-
}
|
|
420
|
-
|
|
421
|
-
for (size_t i = 0; i < sk_X509_NAME_num(list); i++) {
|
|
422
|
-
X509_NAME *name = X509_NAME_dup(sk_X509_NAME_value(list, i));
|
|
423
|
-
if (name == NULL || !sk_X509_NAME_push(ret, name)) {
|
|
424
|
-
X509_NAME_free(name);
|
|
425
|
-
sk_X509_NAME_pop_free(ret, X509_NAME_free);
|
|
426
|
-
return NULL;
|
|
319
|
+
for (size_t i = 0; i < num_certs; i++) {
|
|
320
|
+
if (!sk_CRYPTO_BUFFER_push(certs_sk, certs[i])) {
|
|
321
|
+
sk_CRYPTO_BUFFER_pop_free(certs_sk, CRYPTO_BUFFER_free);
|
|
322
|
+
return 0;
|
|
427
323
|
}
|
|
324
|
+
CRYPTO_BUFFER_up_ref(certs[i]);
|
|
428
325
|
}
|
|
429
326
|
|
|
430
|
-
|
|
431
|
-
|
|
432
|
-
|
|
433
|
-
|
|
434
|
-
|
|
435
|
-
|
|
327
|
+
EVP_PKEY_free(cert->privatekey);
|
|
328
|
+
cert->privatekey = privkey;
|
|
329
|
+
if (privkey != NULL) {
|
|
330
|
+
EVP_PKEY_up_ref(privkey);
|
|
331
|
+
}
|
|
332
|
+
cert->key_method = privkey_method;
|
|
436
333
|
|
|
437
|
-
|
|
438
|
-
|
|
439
|
-
}
|
|
334
|
+
sk_CRYPTO_BUFFER_pop_free(cert->chain, CRYPTO_BUFFER_free);
|
|
335
|
+
cert->chain = certs_sk;
|
|
440
336
|
|
|
441
|
-
|
|
442
|
-
return ctx->client_CA;
|
|
337
|
+
return 1;
|
|
443
338
|
}
|
|
444
339
|
|
|
445
|
-
|
|
446
|
-
|
|
447
|
-
|
|
448
|
-
|
|
449
|
-
|
|
450
|
-
|
|
451
|
-
|
|
452
|
-
|
|
453
|
-
|
|
454
|
-
|
|
455
|
-
|
|
456
|
-
|
|
457
|
-
|
|
458
|
-
|
|
459
|
-
if (ssl->client_CA != NULL) {
|
|
460
|
-
return ssl->client_CA;
|
|
340
|
+
int ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer) {
|
|
341
|
+
switch (check_leaf_cert_and_privkey(buffer.get(), cert->privatekey)) {
|
|
342
|
+
case leaf_cert_and_privkey_error:
|
|
343
|
+
return 0;
|
|
344
|
+
case leaf_cert_and_privkey_mismatch:
|
|
345
|
+
// don't fail for a cert/key mismatch, just free current private key
|
|
346
|
+
// (when switching to a different cert & key, first this function should
|
|
347
|
+
// be used, then |ssl_set_pkey|.
|
|
348
|
+
EVP_PKEY_free(cert->privatekey);
|
|
349
|
+
cert->privatekey = NULL;
|
|
350
|
+
break;
|
|
351
|
+
case leaf_cert_and_privkey_ok:
|
|
352
|
+
break;
|
|
461
353
|
}
|
|
462
|
-
return ssl->ctx->client_CA;
|
|
463
|
-
}
|
|
464
354
|
|
|
465
|
-
|
|
466
|
-
X509_NAME *name;
|
|
355
|
+
cert->x509_method->cert_flush_cached_leaf(cert);
|
|
467
356
|
|
|
468
|
-
if (
|
|
469
|
-
|
|
470
|
-
|
|
471
|
-
|
|
472
|
-
*sk = sk_X509_NAME_new_null();
|
|
473
|
-
if (*sk == NULL) {
|
|
474
|
-
return 0;
|
|
475
|
-
}
|
|
357
|
+
if (cert->chain != NULL) {
|
|
358
|
+
CRYPTO_BUFFER_free(sk_CRYPTO_BUFFER_value(cert->chain, 0));
|
|
359
|
+
sk_CRYPTO_BUFFER_set(cert->chain, 0, buffer.release());
|
|
360
|
+
return 1;
|
|
476
361
|
}
|
|
477
362
|
|
|
478
|
-
|
|
479
|
-
if (
|
|
363
|
+
cert->chain = sk_CRYPTO_BUFFER_new_null();
|
|
364
|
+
if (cert->chain == NULL) {
|
|
480
365
|
return 0;
|
|
481
366
|
}
|
|
482
367
|
|
|
483
|
-
if (!
|
|
484
|
-
|
|
368
|
+
if (!PushToStack(cert->chain, std::move(buffer))) {
|
|
369
|
+
sk_CRYPTO_BUFFER_free(cert->chain);
|
|
370
|
+
cert->chain = NULL;
|
|
485
371
|
return 0;
|
|
486
372
|
}
|
|
487
373
|
|
|
488
374
|
return 1;
|
|
489
375
|
}
|
|
490
376
|
|
|
491
|
-
int SSL_add_client_CA(SSL *ssl, X509 *x509) {
|
|
492
|
-
return add_client_CA(&ssl->client_CA, x509);
|
|
493
|
-
}
|
|
494
|
-
|
|
495
|
-
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509) {
|
|
496
|
-
return add_client_CA(&ctx->client_CA, x509);
|
|
497
|
-
}
|
|
498
|
-
|
|
499
377
|
int ssl_has_certificate(const SSL *ssl) {
|
|
500
378
|
return ssl->cert->chain != NULL &&
|
|
501
379
|
sk_CRYPTO_BUFFER_value(ssl->cert->chain, 0) != NULL &&
|
|
502
380
|
ssl_has_private_key(ssl);
|
|
503
381
|
}
|
|
504
382
|
|
|
505
|
-
|
|
506
|
-
|
|
507
|
-
|
|
508
|
-
|
|
509
|
-
|
|
510
|
-
|
|
511
|
-
|
|
512
|
-
STACK_OF(CRYPTO_BUFFER) *ret = sk_CRYPTO_BUFFER_new_null();
|
|
513
|
-
if (ret == NULL) {
|
|
514
|
-
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
515
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
|
516
|
-
return NULL;
|
|
517
|
-
}
|
|
383
|
+
bool ssl_parse_cert_chain(uint8_t *out_alert,
|
|
384
|
+
UniquePtr<STACK_OF(CRYPTO_BUFFER)> *out_chain,
|
|
385
|
+
UniquePtr<EVP_PKEY> *out_pubkey,
|
|
386
|
+
uint8_t *out_leaf_sha256, CBS *cbs,
|
|
387
|
+
CRYPTO_BUFFER_POOL *pool) {
|
|
388
|
+
out_chain->reset();
|
|
389
|
+
out_pubkey->reset();
|
|
518
390
|
|
|
519
391
|
CBS certificate_list;
|
|
520
392
|
if (!CBS_get_u24_length_prefixed(cbs, &certificate_list)) {
|
|
521
393
|
*out_alert = SSL_AD_DECODE_ERROR;
|
|
522
394
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
523
|
-
|
|
395
|
+
return false;
|
|
524
396
|
}
|
|
525
397
|
|
|
398
|
+
if (CBS_len(&certificate_list) == 0) {
|
|
399
|
+
return true;
|
|
400
|
+
}
|
|
401
|
+
|
|
402
|
+
UniquePtr<STACK_OF(CRYPTO_BUFFER)> chain(sk_CRYPTO_BUFFER_new_null());
|
|
403
|
+
if (!chain) {
|
|
404
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
405
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
|
406
|
+
return false;
|
|
407
|
+
}
|
|
408
|
+
|
|
409
|
+
UniquePtr<EVP_PKEY> pubkey;
|
|
526
410
|
while (CBS_len(&certificate_list) > 0) {
|
|
527
411
|
CBS certificate;
|
|
528
412
|
if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate) ||
|
|
529
413
|
CBS_len(&certificate) == 0) {
|
|
530
414
|
*out_alert = SSL_AD_DECODE_ERROR;
|
|
531
415
|
OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);
|
|
532
|
-
|
|
416
|
+
return false;
|
|
533
417
|
}
|
|
534
418
|
|
|
535
|
-
if (sk_CRYPTO_BUFFER_num(
|
|
536
|
-
|
|
537
|
-
if (
|
|
419
|
+
if (sk_CRYPTO_BUFFER_num(chain.get()) == 0) {
|
|
420
|
+
pubkey = ssl_cert_parse_pubkey(&certificate);
|
|
421
|
+
if (!pubkey) {
|
|
538
422
|
*out_alert = SSL_AD_DECODE_ERROR;
|
|
539
|
-
|
|
423
|
+
return false;
|
|
540
424
|
}
|
|
541
425
|
|
|
542
|
-
|
|
426
|
+
// Retain the hash of the leaf certificate if requested.
|
|
543
427
|
if (out_leaf_sha256 != NULL) {
|
|
544
428
|
SHA256(CBS_data(&certificate), CBS_len(&certificate), out_leaf_sha256);
|
|
545
429
|
}
|
|
546
430
|
}
|
|
547
431
|
|
|
548
|
-
CRYPTO_BUFFER
|
|
549
|
-
CRYPTO_BUFFER_new_from_CBS(&certificate, pool);
|
|
550
|
-
if (buf
|
|
551
|
-
|
|
552
|
-
goto err;
|
|
553
|
-
}
|
|
554
|
-
|
|
555
|
-
if (!sk_CRYPTO_BUFFER_push(ret, buf)) {
|
|
432
|
+
UniquePtr<CRYPTO_BUFFER> buf(
|
|
433
|
+
CRYPTO_BUFFER_new_from_CBS(&certificate, pool));
|
|
434
|
+
if (!buf ||
|
|
435
|
+
!PushToStack(chain.get(), std::move(buf))) {
|
|
556
436
|
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
557
|
-
CRYPTO_BUFFER_free(buf);
|
|
558
437
|
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
|
559
|
-
|
|
438
|
+
return false;
|
|
560
439
|
}
|
|
561
440
|
}
|
|
562
441
|
|
|
563
|
-
|
|
564
|
-
|
|
565
|
-
|
|
566
|
-
EVP_PKEY_free(*out_pubkey);
|
|
567
|
-
*out_pubkey = NULL;
|
|
568
|
-
sk_CRYPTO_BUFFER_pop_free(ret, CRYPTO_BUFFER_free);
|
|
569
|
-
return NULL;
|
|
442
|
+
*out_chain = std::move(chain);
|
|
443
|
+
*out_pubkey = std::move(pubkey);
|
|
444
|
+
return true;
|
|
570
445
|
}
|
|
571
446
|
|
|
572
447
|
int ssl_add_cert_chain(SSL *ssl, CBB *cbb) {
|
|
@@ -576,7 +451,8 @@ int ssl_add_cert_chain(SSL *ssl, CBB *cbb) {
|
|
|
576
451
|
|
|
577
452
|
CBB certs;
|
|
578
453
|
if (!CBB_add_u24_length_prefixed(cbb, &certs)) {
|
|
579
|
-
|
|
454
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
455
|
+
return 0;
|
|
580
456
|
}
|
|
581
457
|
|
|
582
458
|
STACK_OF(CRYPTO_BUFFER) *chain = ssl->cert->chain;
|
|
@@ -587,20 +463,17 @@ int ssl_add_cert_chain(SSL *ssl, CBB *cbb) {
|
|
|
587
463
|
!CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer),
|
|
588
464
|
CRYPTO_BUFFER_len(buffer)) ||
|
|
589
465
|
!CBB_flush(&certs)) {
|
|
590
|
-
|
|
466
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
467
|
+
return 0;
|
|
591
468
|
}
|
|
592
469
|
}
|
|
593
470
|
|
|
594
471
|
return CBB_flush(cbb);
|
|
595
|
-
|
|
596
|
-
err:
|
|
597
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
598
|
-
return 0;
|
|
599
472
|
}
|
|
600
473
|
|
|
601
|
-
|
|
602
|
-
|
|
603
|
-
|
|
474
|
+
// ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and
|
|
475
|
+
// positions |*out_tbs_cert| to cover the TBSCertificate, starting at the
|
|
476
|
+
// subjectPublicKeyInfo.
|
|
604
477
|
static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {
|
|
605
478
|
/* From RFC 5280, section 4.1
|
|
606
479
|
* Certificate ::= SEQUENCE {
|
|
@@ -623,19 +496,19 @@ static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {
|
|
|
623
496
|
if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) ||
|
|
624
497
|
CBS_len(&buf) != 0 ||
|
|
625
498
|
!CBS_get_asn1(&toplevel, out_tbs_cert, CBS_ASN1_SEQUENCE) ||
|
|
626
|
-
|
|
499
|
+
// version
|
|
627
500
|
!CBS_get_optional_asn1(
|
|
628
501
|
out_tbs_cert, NULL, NULL,
|
|
629
502
|
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||
|
|
630
|
-
|
|
503
|
+
// serialNumber
|
|
631
504
|
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_INTEGER) ||
|
|
632
|
-
|
|
505
|
+
// signature algorithm
|
|
633
506
|
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
|
|
634
|
-
|
|
507
|
+
// issuer
|
|
635
508
|
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
|
|
636
|
-
|
|
509
|
+
// validity
|
|
637
510
|
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
|
|
638
|
-
|
|
511
|
+
// subject
|
|
639
512
|
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE)) {
|
|
640
513
|
return 0;
|
|
641
514
|
}
|
|
@@ -643,18 +516,24 @@ static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {
|
|
|
643
516
|
return 1;
|
|
644
517
|
}
|
|
645
518
|
|
|
646
|
-
EVP_PKEY
|
|
519
|
+
UniquePtr<EVP_PKEY> ssl_cert_parse_pubkey(const CBS *in) {
|
|
647
520
|
CBS buf = *in, tbs_cert;
|
|
648
521
|
if (!ssl_cert_skip_to_spki(&buf, &tbs_cert)) {
|
|
649
522
|
OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
|
|
650
|
-
return
|
|
523
|
+
return nullptr;
|
|
651
524
|
}
|
|
652
525
|
|
|
653
|
-
return EVP_parse_public_key(&tbs_cert);
|
|
526
|
+
return UniquePtr<EVP_PKEY>(EVP_parse_public_key(&tbs_cert));
|
|
654
527
|
}
|
|
655
528
|
|
|
656
529
|
int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
|
|
657
530
|
const EVP_PKEY *privkey) {
|
|
531
|
+
if (EVP_PKEY_is_opaque(privkey)) {
|
|
532
|
+
// We cannot check an opaque private key and have to trust that it
|
|
533
|
+
// matches.
|
|
534
|
+
return 1;
|
|
535
|
+
}
|
|
536
|
+
|
|
658
537
|
int ret = 0;
|
|
659
538
|
|
|
660
539
|
switch (EVP_PKEY_cmp(pubkey, privkey)) {
|
|
@@ -669,6 +548,7 @@ int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
|
|
|
669
548
|
break;
|
|
670
549
|
case -2:
|
|
671
550
|
OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);
|
|
551
|
+
break;
|
|
672
552
|
default:
|
|
673
553
|
assert(0);
|
|
674
554
|
break;
|
|
@@ -691,15 +571,13 @@ int ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey) {
|
|
|
691
571
|
|
|
692
572
|
CBS cert_cbs;
|
|
693
573
|
CRYPTO_BUFFER_init_CBS(sk_CRYPTO_BUFFER_value(cert->chain, 0), &cert_cbs);
|
|
694
|
-
EVP_PKEY
|
|
574
|
+
UniquePtr<EVP_PKEY> pubkey = ssl_cert_parse_pubkey(&cert_cbs);
|
|
695
575
|
if (!pubkey) {
|
|
696
576
|
OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);
|
|
697
577
|
return 0;
|
|
698
578
|
}
|
|
699
579
|
|
|
700
|
-
|
|
701
|
-
EVP_PKEY_free(pubkey);
|
|
702
|
-
return ok;
|
|
580
|
+
return ssl_compare_public_and_private_key(pubkey.get(), privkey);
|
|
703
581
|
}
|
|
704
582
|
|
|
705
583
|
int ssl_cert_check_digital_signature_key_usage(const CBS *in) {
|
|
@@ -708,20 +586,21 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) {
|
|
|
708
586
|
CBS tbs_cert, outer_extensions;
|
|
709
587
|
int has_extensions;
|
|
710
588
|
if (!ssl_cert_skip_to_spki(&buf, &tbs_cert) ||
|
|
711
|
-
|
|
589
|
+
// subjectPublicKeyInfo
|
|
712
590
|
!CBS_get_asn1(&tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
|
|
713
|
-
|
|
591
|
+
// issuerUniqueID
|
|
714
592
|
!CBS_get_optional_asn1(
|
|
715
593
|
&tbs_cert, NULL, NULL,
|
|
716
594
|
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1) ||
|
|
717
|
-
|
|
595
|
+
// subjectUniqueID
|
|
718
596
|
!CBS_get_optional_asn1(
|
|
719
597
|
&tbs_cert, NULL, NULL,
|
|
720
598
|
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2) ||
|
|
721
599
|
!CBS_get_optional_asn1(
|
|
722
600
|
&tbs_cert, &outer_extensions, &has_extensions,
|
|
723
601
|
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3)) {
|
|
724
|
-
|
|
602
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
|
|
603
|
+
return 0;
|
|
725
604
|
}
|
|
726
605
|
|
|
727
606
|
if (!has_extensions) {
|
|
@@ -730,7 +609,8 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) {
|
|
|
730
609
|
|
|
731
610
|
CBS extensions;
|
|
732
611
|
if (!CBS_get_asn1(&outer_extensions, &extensions, CBS_ASN1_SEQUENCE)) {
|
|
733
|
-
|
|
612
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
|
|
613
|
+
return 0;
|
|
734
614
|
}
|
|
735
615
|
|
|
736
616
|
while (CBS_len(&extensions) > 0) {
|
|
@@ -741,7 +621,8 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) {
|
|
|
741
621
|
!CBS_get_asn1(&extension, NULL, CBS_ASN1_BOOLEAN)) ||
|
|
742
622
|
!CBS_get_asn1(&extension, &contents, CBS_ASN1_OCTETSTRING) ||
|
|
743
623
|
CBS_len(&extension) != 0) {
|
|
744
|
-
|
|
624
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
|
|
625
|
+
return 0;
|
|
745
626
|
}
|
|
746
627
|
|
|
747
628
|
static const uint8_t kKeyUsageOID[3] = {0x55, 0x1d, 0x0f};
|
|
@@ -754,13 +635,15 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) {
|
|
|
754
635
|
CBS bit_string;
|
|
755
636
|
if (!CBS_get_asn1(&contents, &bit_string, CBS_ASN1_BITSTRING) ||
|
|
756
637
|
CBS_len(&contents) != 0) {
|
|
757
|
-
|
|
638
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
|
|
639
|
+
return 0;
|
|
758
640
|
}
|
|
759
641
|
|
|
760
|
-
|
|
761
|
-
|
|
642
|
+
// This is the KeyUsage extension. See
|
|
643
|
+
// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
|
|
762
644
|
if (!CBS_is_valid_asn1_bitstring(&bit_string)) {
|
|
763
|
-
|
|
645
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
|
|
646
|
+
return 0;
|
|
764
647
|
}
|
|
765
648
|
|
|
766
649
|
if (!CBS_asn1_bitstring_has_bit(&bit_string, 0)) {
|
|
@@ -771,33 +654,27 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) {
|
|
|
771
654
|
return 1;
|
|
772
655
|
}
|
|
773
656
|
|
|
774
|
-
|
|
657
|
+
// No KeyUsage extension found.
|
|
775
658
|
return 1;
|
|
776
|
-
|
|
777
|
-
parse_err:
|
|
778
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
|
|
779
|
-
return 0;
|
|
780
659
|
}
|
|
781
660
|
|
|
782
|
-
|
|
783
|
-
|
|
784
|
-
|
|
661
|
+
UniquePtr<STACK_OF(CRYPTO_BUFFER)> ssl_parse_client_CA_list(SSL *ssl,
|
|
662
|
+
uint8_t *out_alert,
|
|
663
|
+
CBS *cbs) {
|
|
664
|
+
CRYPTO_BUFFER_POOL *const pool = ssl->ctx->pool;
|
|
785
665
|
|
|
786
|
-
STACK_OF(
|
|
787
|
-
|
|
788
|
-
STACK_OF(X509_NAME) *ret = sk_X509_NAME_new(ca_dn_cmp);
|
|
789
|
-
X509_NAME *name = NULL;
|
|
790
|
-
if (ret == NULL) {
|
|
666
|
+
UniquePtr<STACK_OF(CRYPTO_BUFFER)> ret(sk_CRYPTO_BUFFER_new_null());
|
|
667
|
+
if (!ret) {
|
|
791
668
|
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
792
669
|
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
|
793
|
-
return
|
|
670
|
+
return nullptr;
|
|
794
671
|
}
|
|
795
672
|
|
|
796
673
|
CBS child;
|
|
797
674
|
if (!CBS_get_u16_length_prefixed(cbs, &child)) {
|
|
798
675
|
*out_alert = SSL_AD_DECODE_ERROR;
|
|
799
676
|
OPENSSL_PUT_ERROR(SSL, SSL_R_LENGTH_MISMATCH);
|
|
800
|
-
|
|
677
|
+
return nullptr;
|
|
801
678
|
}
|
|
802
679
|
|
|
803
680
|
while (CBS_len(&child) > 0) {
|
|
@@ -805,33 +682,26 @@ STACK_OF(X509_NAME) *
|
|
|
805
682
|
if (!CBS_get_u16_length_prefixed(&child, &distinguished_name)) {
|
|
806
683
|
*out_alert = SSL_AD_DECODE_ERROR;
|
|
807
684
|
OPENSSL_PUT_ERROR(SSL, SSL_R_CA_DN_TOO_LONG);
|
|
808
|
-
|
|
809
|
-
}
|
|
810
|
-
|
|
811
|
-
const uint8_t *ptr = CBS_data(&distinguished_name);
|
|
812
|
-
/* A u16 length cannot overflow a long. */
|
|
813
|
-
name = d2i_X509_NAME(NULL, &ptr, (long)CBS_len(&distinguished_name));
|
|
814
|
-
if (name == NULL ||
|
|
815
|
-
ptr != CBS_data(&distinguished_name) + CBS_len(&distinguished_name)) {
|
|
816
|
-
*out_alert = SSL_AD_DECODE_ERROR;
|
|
817
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
818
|
-
goto err;
|
|
685
|
+
return nullptr;
|
|
819
686
|
}
|
|
820
687
|
|
|
821
|
-
|
|
688
|
+
UniquePtr<CRYPTO_BUFFER> buffer(
|
|
689
|
+
CRYPTO_BUFFER_new_from_CBS(&distinguished_name, pool));
|
|
690
|
+
if (!buffer ||
|
|
691
|
+
!PushToStack(ret.get(), std::move(buffer))) {
|
|
822
692
|
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
823
693
|
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
|
824
|
-
|
|
694
|
+
return nullptr;
|
|
825
695
|
}
|
|
826
|
-
name = NULL;
|
|
827
696
|
}
|
|
828
697
|
|
|
829
|
-
|
|
698
|
+
if (!ssl->ctx->x509_method->check_client_CA_list(ret.get())) {
|
|
699
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
700
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
701
|
+
return nullptr;
|
|
702
|
+
}
|
|
830
703
|
|
|
831
|
-
|
|
832
|
-
X509_NAME_free(name);
|
|
833
|
-
sk_X509_NAME_pop_free(ret, X509_NAME_free);
|
|
834
|
-
return NULL;
|
|
704
|
+
return ret;
|
|
835
705
|
}
|
|
836
706
|
|
|
837
707
|
int ssl_add_client_CA_list(SSL *ssl, CBB *cbb) {
|
|
@@ -840,21 +710,18 @@ int ssl_add_client_CA_list(SSL *ssl, CBB *cbb) {
|
|
|
840
710
|
return 0;
|
|
841
711
|
}
|
|
842
712
|
|
|
843
|
-
STACK_OF(
|
|
844
|
-
if (
|
|
713
|
+
STACK_OF(CRYPTO_BUFFER) *names = ssl->client_CA;
|
|
714
|
+
if (names == NULL) {
|
|
715
|
+
names = ssl->ctx->client_CA;
|
|
716
|
+
}
|
|
717
|
+
if (names == NULL) {
|
|
845
718
|
return CBB_flush(cbb);
|
|
846
719
|
}
|
|
847
720
|
|
|
848
|
-
for (
|
|
849
|
-
X509_NAME *name = sk_X509_NAME_value(sk, i);
|
|
850
|
-
int len = i2d_X509_NAME(name, NULL);
|
|
851
|
-
if (len < 0) {
|
|
852
|
-
return 0;
|
|
853
|
-
}
|
|
854
|
-
uint8_t *ptr;
|
|
721
|
+
for (const CRYPTO_BUFFER *name : names) {
|
|
855
722
|
if (!CBB_add_u16_length_prefixed(&child, &name_cbb) ||
|
|
856
|
-
!
|
|
857
|
-
|
|
723
|
+
!CBB_add_bytes(&name_cbb, CRYPTO_BUFFER_data(name),
|
|
724
|
+
CRYPTO_BUFFER_len(name))) {
|
|
858
725
|
return 0;
|
|
859
726
|
}
|
|
860
727
|
}
|
|
@@ -862,71 +729,34 @@ int ssl_add_client_CA_list(SSL *ssl, CBB *cbb) {
|
|
|
862
729
|
return CBB_flush(cbb);
|
|
863
730
|
}
|
|
864
731
|
|
|
865
|
-
static int set_cert_store(X509_STORE **store_ptr, X509_STORE *new_store, int take_ref) {
|
|
866
|
-
X509_STORE_free(*store_ptr);
|
|
867
|
-
*store_ptr = new_store;
|
|
868
|
-
|
|
869
|
-
if (new_store != NULL && take_ref) {
|
|
870
|
-
X509_STORE_up_ref(new_store);
|
|
871
|
-
}
|
|
872
|
-
|
|
873
|
-
return 1;
|
|
874
|
-
}
|
|
875
|
-
|
|
876
|
-
int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *store) {
|
|
877
|
-
return set_cert_store(&ctx->cert->verify_store, store, 0);
|
|
878
|
-
}
|
|
879
|
-
|
|
880
|
-
int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *store) {
|
|
881
|
-
return set_cert_store(&ctx->cert->verify_store, store, 1);
|
|
882
|
-
}
|
|
883
|
-
|
|
884
|
-
int SSL_set0_verify_cert_store(SSL *ssl, X509_STORE *store) {
|
|
885
|
-
return set_cert_store(&ssl->cert->verify_store, store, 0);
|
|
886
|
-
}
|
|
887
|
-
|
|
888
|
-
int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store) {
|
|
889
|
-
return set_cert_store(&ssl->cert->verify_store, store, 1);
|
|
890
|
-
}
|
|
891
|
-
|
|
892
|
-
void SSL_CTX_set_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, void *arg),
|
|
893
|
-
void *arg) {
|
|
894
|
-
ssl_cert_set_cert_cb(ctx->cert, cb, arg);
|
|
895
|
-
}
|
|
896
|
-
|
|
897
|
-
void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), void *arg) {
|
|
898
|
-
ssl_cert_set_cert_cb(ssl->cert, cb, arg);
|
|
899
|
-
}
|
|
900
|
-
|
|
901
732
|
int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
|
|
902
733
|
const CRYPTO_BUFFER *leaf) {
|
|
903
734
|
SSL *const ssl = hs->ssl;
|
|
904
735
|
assert(ssl3_protocol_version(ssl) < TLS1_3_VERSION);
|
|
905
736
|
|
|
906
|
-
|
|
907
|
-
|
|
908
|
-
assert(expected_type != EVP_PKEY_NONE);
|
|
909
|
-
if (pkey->type != expected_type) {
|
|
737
|
+
// Check the certificate's type matches the cipher.
|
|
738
|
+
if (!(hs->new_cipher->algorithm_auth & ssl_cipher_auth_mask_for_key(pkey))) {
|
|
910
739
|
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CERTIFICATE_TYPE);
|
|
911
740
|
return 0;
|
|
912
741
|
}
|
|
913
742
|
|
|
914
|
-
|
|
743
|
+
// Check key usages for all key types but RSA. This is needed to distinguish
|
|
744
|
+
// ECDH certificates, which we do not support, from ECDSA certificates. In
|
|
745
|
+
// principle, we should check RSA key usages based on cipher, but this breaks
|
|
746
|
+
// buggy antivirus deployments. Other key types are always used for signing.
|
|
747
|
+
//
|
|
748
|
+
// TODO(davidben): Get more recent data on RSA key usages.
|
|
749
|
+
if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA) {
|
|
915
750
|
CBS leaf_cbs;
|
|
916
751
|
CBS_init(&leaf_cbs, CRYPTO_BUFFER_data(leaf), CRYPTO_BUFFER_len(leaf));
|
|
917
|
-
/* ECDSA and ECDH certificates use the same public key format. Instead,
|
|
918
|
-
* they are distinguished by the key usage extension in the certificate. */
|
|
919
752
|
if (!ssl_cert_check_digital_signature_key_usage(&leaf_cbs)) {
|
|
920
753
|
return 0;
|
|
921
754
|
}
|
|
755
|
+
}
|
|
922
756
|
|
|
757
|
+
if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
|
|
758
|
+
// Check the key's group and point format are acceptable.
|
|
923
759
|
EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);
|
|
924
|
-
if (ec_key == NULL) {
|
|
925
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECC_CERT);
|
|
926
|
-
return 0;
|
|
927
|
-
}
|
|
928
|
-
|
|
929
|
-
/* Check the key's group and point format are acceptable. */
|
|
930
760
|
uint16_t group_id;
|
|
931
761
|
if (!ssl_nid_to_group_id(
|
|
932
762
|
&group_id, EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key))) ||
|
|
@@ -940,36 +770,84 @@ int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
|
|
|
940
770
|
return 1;
|
|
941
771
|
}
|
|
942
772
|
|
|
943
|
-
|
|
944
|
-
|
|
773
|
+
int ssl_on_certificate_selected(SSL_HANDSHAKE *hs) {
|
|
774
|
+
SSL *const ssl = hs->ssl;
|
|
775
|
+
if (!ssl_has_certificate(ssl)) {
|
|
776
|
+
// Nothing to do.
|
|
945
777
|
return 1;
|
|
946
778
|
}
|
|
947
779
|
|
|
948
|
-
|
|
949
|
-
|
|
950
|
-
int ret = ssl->ctx->client_cert_cb(ssl, &x509, &pkey);
|
|
951
|
-
if (ret < 0) {
|
|
952
|
-
return -1;
|
|
780
|
+
if (!ssl->ctx->x509_method->ssl_auto_chain_if_needed(ssl)) {
|
|
781
|
+
return 0;
|
|
953
782
|
}
|
|
954
783
|
|
|
955
|
-
|
|
956
|
-
|
|
957
|
-
|
|
958
|
-
|
|
959
|
-
|
|
784
|
+
CBS leaf;
|
|
785
|
+
CRYPTO_BUFFER_init_CBS(sk_CRYPTO_BUFFER_value(ssl->cert->chain, 0), &leaf);
|
|
786
|
+
|
|
787
|
+
hs->local_pubkey = ssl_cert_parse_pubkey(&leaf);
|
|
788
|
+
return hs->local_pubkey != NULL;
|
|
789
|
+
}
|
|
790
|
+
|
|
791
|
+
} // namespace bssl
|
|
792
|
+
|
|
793
|
+
using namespace bssl;
|
|
794
|
+
|
|
795
|
+
int SSL_set_chain_and_key(SSL *ssl, CRYPTO_BUFFER *const *certs,
|
|
796
|
+
size_t num_certs, EVP_PKEY *privkey,
|
|
797
|
+
const SSL_PRIVATE_KEY_METHOD *privkey_method) {
|
|
798
|
+
return cert_set_chain_and_key(ssl->cert, certs, num_certs, privkey,
|
|
799
|
+
privkey_method);
|
|
800
|
+
}
|
|
801
|
+
|
|
802
|
+
int SSL_CTX_set_chain_and_key(SSL_CTX *ctx, CRYPTO_BUFFER *const *certs,
|
|
803
|
+
size_t num_certs, EVP_PKEY *privkey,
|
|
804
|
+
const SSL_PRIVATE_KEY_METHOD *privkey_method) {
|
|
805
|
+
return cert_set_chain_and_key(ctx->cert, certs, num_certs, privkey,
|
|
806
|
+
privkey_method);
|
|
807
|
+
}
|
|
808
|
+
|
|
809
|
+
int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len,
|
|
810
|
+
const uint8_t *der) {
|
|
811
|
+
UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(der, der_len, NULL));
|
|
812
|
+
if (!buffer) {
|
|
813
|
+
return 0;
|
|
960
814
|
}
|
|
961
815
|
|
|
962
|
-
|
|
963
|
-
|
|
964
|
-
|
|
816
|
+
return ssl_set_cert(ctx->cert, std::move(buffer));
|
|
817
|
+
}
|
|
818
|
+
|
|
819
|
+
int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {
|
|
820
|
+
UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(der, der_len, NULL));
|
|
821
|
+
if (!buffer) {
|
|
822
|
+
return 0;
|
|
823
|
+
}
|
|
824
|
+
|
|
825
|
+
return ssl_set_cert(ssl->cert, std::move(buffer));
|
|
826
|
+
}
|
|
827
|
+
|
|
828
|
+
void SSL_CTX_set_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, void *arg),
|
|
829
|
+
void *arg) {
|
|
830
|
+
ssl_cert_set_cert_cb(ctx->cert, cb, arg);
|
|
965
831
|
}
|
|
966
832
|
|
|
967
|
-
void
|
|
968
|
-
|
|
969
|
-
|
|
970
|
-
|
|
971
|
-
|
|
972
|
-
|
|
833
|
+
void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), void *arg) {
|
|
834
|
+
ssl_cert_set_cert_cb(ssl->cert, cb, arg);
|
|
835
|
+
}
|
|
836
|
+
|
|
837
|
+
STACK_OF(CRYPTO_BUFFER) *SSL_get0_peer_certificates(const SSL *ssl) {
|
|
838
|
+
SSL_SESSION *session = SSL_get_session(ssl);
|
|
839
|
+
if (session == NULL) {
|
|
840
|
+
return NULL;
|
|
841
|
+
}
|
|
842
|
+
|
|
843
|
+
return session->certs;
|
|
844
|
+
}
|
|
845
|
+
|
|
846
|
+
STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(const SSL *ssl) {
|
|
847
|
+
if (ssl->s3->hs == NULL) {
|
|
848
|
+
return NULL;
|
|
849
|
+
}
|
|
850
|
+
return ssl->s3->hs->ca_names.get();
|
|
973
851
|
}
|
|
974
852
|
|
|
975
853
|
static int set_signed_cert_timestamp_list(CERT *cert, const uint8_t *list,
|
|
@@ -1010,3 +888,15 @@ int SSL_set_ocsp_response(SSL *ssl, const uint8_t *response,
|
|
|
1010
888
|
ssl->cert->ocsp_response = CRYPTO_BUFFER_new(response, response_len, NULL);
|
|
1011
889
|
return ssl->cert->ocsp_response != NULL;
|
|
1012
890
|
}
|
|
891
|
+
|
|
892
|
+
void SSL_CTX_set0_client_CAs(SSL_CTX *ctx, STACK_OF(CRYPTO_BUFFER) *name_list) {
|
|
893
|
+
ctx->x509_method->ssl_ctx_flush_cached_client_CA(ctx);
|
|
894
|
+
sk_CRYPTO_BUFFER_pop_free(ctx->client_CA, CRYPTO_BUFFER_free);
|
|
895
|
+
ctx->client_CA = name_list;
|
|
896
|
+
}
|
|
897
|
+
|
|
898
|
+
void SSL_set0_client_CAs(SSL *ssl, STACK_OF(CRYPTO_BUFFER) *name_list) {
|
|
899
|
+
ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl);
|
|
900
|
+
sk_CRYPTO_BUFFER_pop_free(ssl->client_CA, CRYPTO_BUFFER_free);
|
|
901
|
+
ssl->client_CA = name_list;
|
|
902
|
+
}
|