grpc 1.9.1 → 1.10.0.pre1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +2654 -953
- data/etc/roots.pem +282 -683
- data/include/grpc/compression.h +9 -26
- data/include/grpc/grpc.h +10 -24
- data/include/grpc/grpc_security.h +7 -1
- data/include/grpc/impl/codegen/compression_types.h +5 -62
- data/include/grpc/impl/codegen/grpc_types.h +10 -6
- data/include/grpc/module.modulemap +1 -10
- data/include/grpc/support/alloc.h +3 -2
- data/include/grpc/support/log.h +1 -2
- data/{src/core/lib/gpr/thd_internal.h → include/grpc/support/thd_id.h} +23 -9
- data/src/boringssl/err_data.c +550 -496
- data/src/core/ext/census/grpc_context.cc +2 -1
- data/src/core/ext/filters/client_channel/backup_poller.cc +5 -4
- data/src/core/ext/filters/client_channel/channel_connectivity.cc +7 -7
- data/src/core/ext/filters/client_channel/client_channel.cc +162 -172
- data/src/core/ext/filters/client_channel/client_channel_factory.cc +4 -2
- data/src/core/ext/filters/client_channel/client_channel_plugin.cc +10 -10
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +18 -14
- data/src/core/ext/filters/client_channel/http_proxy.cc +3 -1
- data/src/core/ext/filters/client_channel/lb_policy.cc +21 -105
- data/src/core/ext/filters/client_channel/lb_policy.h +166 -170
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +41 -36
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +1452 -1459
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +3 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.cc +7 -8
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.cc +27 -27
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +279 -304
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +358 -330
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.cc +30 -41
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +7 -14
- data/src/core/ext/filters/client_channel/lb_policy_factory.cc +8 -21
- data/src/core/ext/filters/client_channel/lb_policy_factory.h +23 -27
- data/src/core/ext/filters/client_channel/lb_policy_registry.cc +58 -33
- data/src/core/ext/filters/client_channel/lb_policy_registry.h +25 -12
- data/src/core/ext/filters/client_channel/parse_address.cc +10 -8
- data/src/core/ext/filters/client_channel/proxy_mapper_registry.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver.cc +6 -52
- data/src/core/ext/filters/client_channel/resolver.h +98 -55
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +266 -237
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +5 -5
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +31 -27
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +244 -207
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +161 -148
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +47 -31
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +126 -126
- data/src/core/ext/filters/client_channel/resolver_factory.h +33 -32
- data/src/core/ext/filters/client_channel/resolver_registry.cc +110 -90
- data/src/core/ext/filters/client_channel/resolver_registry.h +49 -36
- data/src/core/ext/filters/client_channel/retry_throttle.cc +29 -22
- data/src/core/ext/filters/client_channel/subchannel.cc +173 -173
- data/src/core/ext/filters/client_channel/subchannel.h +38 -45
- data/src/core/ext/filters/client_channel/subchannel_index.cc +44 -40
- data/src/core/ext/filters/client_channel/uri_parser.cc +3 -3
- data/src/core/ext/filters/deadline/deadline_filter.cc +27 -18
- data/src/core/ext/filters/http/client/http_client_filter.cc +26 -23
- data/src/core/ext/filters/http/http_filters_plugin.cc +3 -2
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +78 -110
- data/src/core/ext/filters/http/server/http_server_filter.cc +29 -26
- data/src/core/ext/filters/load_reporting/server_load_reporting_filter.cc +9 -11
- data/src/core/ext/filters/load_reporting/server_load_reporting_plugin.cc +2 -1
- data/src/core/ext/filters/max_age/max_age_filter.cc +14 -14
- data/src/core/ext/filters/message_size/message_size_filter.cc +20 -18
- data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +4 -4
- data/src/core/ext/filters/workarounds/workaround_utils.cc +4 -4
- data/src/core/ext/transport/chttp2/alpn/alpn.cc +2 -1
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +10 -10
- data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +4 -4
- data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +11 -12
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +16 -13
- data/src/core/ext/transport/chttp2/transport/bin_decoder.cc +36 -9
- data/src/core/ext/transport/chttp2/transport/bin_decoder.h +3 -0
- data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +17 -14
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +139 -145
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +16 -14
- data/src/core/ext/transport/chttp2/transport/flow_control.h +8 -7
- data/src/core/ext/transport/chttp2/transport/frame_data.cc +35 -33
- data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +27 -25
- data/src/core/ext/transport/chttp2/transport/frame_ping.cc +12 -12
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +16 -15
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +19 -19
- data/src/core/ext/transport/chttp2/transport/frame_window_update.cc +11 -11
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +23 -22
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +35 -35
- data/src/core/ext/transport/chttp2/transport/hpack_table.cc +10 -7
- data/src/core/ext/transport/chttp2/transport/http2_settings.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/incoming_metadata.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/internal.h +1 -1
- data/src/core/ext/transport/chttp2/transport/parsing.cc +35 -39
- data/src/core/ext/transport/chttp2/transport/stream_map.cc +8 -7
- data/src/core/ext/transport/chttp2/transport/varint.cc +5 -5
- data/src/core/ext/transport/chttp2/transport/writing.cc +18 -18
- data/src/core/ext/transport/inproc/inproc_transport.cc +43 -23
- data/src/core/lib/{gpr → avl}/avl.cc +61 -57
- data/{include/grpc/support → src/core/lib/avl}/avl.h +25 -35
- data/src/core/lib/backoff/backoff.cc +6 -5
- data/src/core/lib/channel/channel_args.cc +23 -109
- data/src/core/lib/channel/channel_args.h +5 -31
- data/src/core/lib/channel/channel_stack.cc +11 -8
- data/src/core/lib/channel/channel_stack_builder.cc +10 -7
- data/src/core/lib/channel/connected_channel.cc +18 -17
- data/src/core/lib/channel/handshaker.cc +8 -8
- data/src/core/lib/channel/handshaker_registry.cc +3 -2
- data/src/core/lib/compression/algorithm_metadata.h +13 -6
- data/src/core/lib/compression/compression.cc +72 -183
- data/src/core/lib/compression/compression_internal.cc +274 -0
- data/src/core/lib/compression/compression_internal.h +86 -0
- data/src/core/lib/compression/message_compress.cc +15 -15
- data/src/core/lib/compression/message_compress.h +4 -3
- data/src/core/lib/compression/stream_compression_gzip.cc +8 -8
- data/src/core/lib/compression/stream_compression_identity.cc +1 -1
- data/src/core/lib/debug/stats.cc +10 -8
- data/src/core/lib/debug/stats_data.cc +2 -1
- data/src/core/lib/debug/trace.cc +3 -3
- data/src/core/lib/gpr/alloc.cc +7 -11
- data/src/core/lib/gpr/arena.cc +34 -12
- data/src/core/lib/gpr/atm.cc +2 -1
- data/src/core/lib/gpr/cpu_linux.cc +3 -3
- data/src/core/lib/gpr/cpu_posix.cc +2 -1
- data/src/core/lib/gpr/env.h +1 -1
- data/src/core/lib/gpr/env_linux.cc +1 -1
- data/src/core/lib/gpr/env_windows.cc +4 -4
- data/src/core/lib/gpr/fork.cc +16 -2
- data/src/core/lib/gpr/host_port.cc +5 -4
- data/{include/grpc/support → src/core/lib/gpr}/host_port.h +5 -13
- data/src/core/lib/gpr/log.cc +5 -4
- data/src/core/lib/gpr/log_linux.cc +1 -1
- data/src/core/lib/gpr/mpscq.cc +1 -0
- data/src/core/lib/gpr/murmur_hash.cc +4 -4
- data/src/core/lib/gpr/string.cc +19 -16
- data/src/core/lib/gpr/string_posix.cc +3 -3
- data/src/core/lib/gpr/sync_posix.cc +5 -9
- data/src/core/lib/gpr/thd.cc +3 -3
- data/{include/grpc/support → src/core/lib/gpr}/thd.h +20 -28
- data/src/core/lib/gpr/thd_posix.cc +6 -4
- data/src/core/lib/gpr/thd_windows.cc +3 -1
- data/src/core/lib/gpr/time.cc +6 -4
- data/src/core/lib/gpr/time_posix.cc +2 -2
- data/{include/grpc/support → src/core/lib/gpr}/tls.h +6 -6
- data/{include/grpc/support → src/core/lib/gpr}/tls_gcc.h +3 -3
- data/{include/grpc/support → src/core/lib/gpr}/tls_msvc.h +3 -3
- data/src/core/lib/gpr/tls_pthread.cc +1 -1
- data/{include/grpc/support → src/core/lib/gpr}/tls_pthread.h +3 -3
- data/{include/grpc/support → src/core/lib/gpr}/useful.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/abstract.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/atomic.h +5 -5
- data/src/core/lib/{gpr++ → gprpp}/atomic_with_atm.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/atomic_with_std.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/debug_location.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/inlined_vector.h +44 -22
- data/src/core/lib/{gpr++ → gprpp}/manual_constructor.h +2 -2
- data/src/core/lib/{gpr++ → gprpp}/memory.h +14 -5
- data/src/core/lib/{gpr++ → gprpp}/orphanable.h +39 -14
- data/src/core/lib/{gpr++ → gprpp}/ref_counted.h +42 -10
- data/src/core/lib/{gpr++ → gprpp}/ref_counted_ptr.h +18 -8
- data/src/core/lib/http/format_request.cc +3 -3
- data/src/core/lib/http/httpcli.cc +6 -7
- data/src/core/lib/http/httpcli_security_connector.cc +10 -10
- data/src/core/lib/http/parser.cc +16 -12
- data/src/core/lib/iomgr/call_combiner.cc +12 -13
- data/src/core/lib/iomgr/closure.h +4 -6
- data/src/core/lib/iomgr/combiner.cc +10 -21
- data/src/core/lib/iomgr/error.cc +50 -55
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +41 -52
- data/src/core/lib/iomgr/ev_epollex_linux.cc +80 -28
- data/src/core/lib/iomgr/ev_epollsig_linux.cc +23 -30
- data/src/core/lib/iomgr/ev_poll_posix.cc +52 -46
- data/src/core/lib/iomgr/ev_posix.cc +47 -6
- data/src/core/lib/iomgr/exec_ctx.cc +10 -10
- data/src/core/lib/iomgr/exec_ctx.h +1 -1
- data/src/core/lib/iomgr/executor.cc +16 -13
- data/src/core/lib/iomgr/fork_posix.cc +1 -3
- data/src/core/lib/iomgr/gethostname_host_name_max.cc +1 -1
- data/src/core/lib/iomgr/iocp_windows.cc +1 -2
- data/src/core/lib/iomgr/iomgr.cc +2 -2
- data/src/core/lib/iomgr/iomgr_uv.cc +2 -0
- data/src/core/lib/iomgr/iomgr_uv.h +1 -1
- data/src/core/lib/iomgr/is_epollexclusive_available.cc +5 -4
- data/src/core/lib/iomgr/load_file.cc +3 -3
- data/src/core/lib/iomgr/pollset_windows.cc +1 -1
- data/src/core/lib/iomgr/resolve_address_posix.cc +10 -9
- data/src/core/lib/iomgr/resolve_address_uv.cc +2 -2
- data/src/core/lib/iomgr/resolve_address_windows.cc +3 -2
- data/src/core/lib/iomgr/resource_quota.cc +36 -34
- data/src/core/lib/iomgr/sockaddr_utils.cc +39 -23
- data/src/core/lib/iomgr/socket_factory_posix.cc +5 -5
- data/src/core/lib/iomgr/socket_mutator.cc +7 -7
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +7 -4
- data/src/core/lib/iomgr/socket_utils_linux.cc +3 -2
- data/src/core/lib/iomgr/tcp_client_posix.cc +7 -6
- data/src/core/lib/iomgr/tcp_client_windows.cc +0 -1
- data/src/core/lib/iomgr/tcp_posix.cc +47 -55
- data/src/core/lib/iomgr/tcp_server_posix.cc +12 -10
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +7 -5
- data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +4 -3
- data/src/core/lib/iomgr/tcp_windows.cc +1 -1
- data/src/core/lib/iomgr/timer_generic.cc +16 -14
- data/src/core/lib/iomgr/timer_heap.cc +8 -7
- data/src/core/lib/iomgr/timer_manager.cc +4 -3
- data/src/core/lib/iomgr/udp_server.cc +24 -16
- data/src/core/lib/iomgr/unix_sockets_posix.cc +15 -10
- data/src/core/lib/iomgr/wakeup_fd_cv.cc +6 -5
- data/src/core/lib/iomgr/wakeup_fd_eventfd.cc +1 -2
- data/src/core/lib/json/json.cc +1 -1
- data/src/core/lib/json/json_reader.cc +8 -6
- data/src/core/lib/json/json_string.cc +19 -18
- data/src/core/lib/json/json_writer.cc +10 -8
- data/src/core/lib/profiling/basic_timers.cc +1 -1
- data/src/core/lib/profiling/timers.h +3 -20
- data/src/core/lib/security/context/security_context.cc +16 -14
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +17 -14
- data/src/core/lib/security/credentials/credentials.cc +9 -8
- data/src/core/lib/security/credentials/credentials.h +1 -1
- data/src/core/lib/security/credentials/credentials_metadata.cc +2 -2
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +12 -13
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +7 -4
- data/src/core/lib/security/credentials/iam/iam_credentials.cc +5 -3
- data/src/core/lib/security/credentials/jwt/json_token.cc +4 -3
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +7 -7
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +21 -18
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +23 -18
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +11 -7
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +22 -21
- data/src/core/lib/security/{transport → security_connector}/security_connector.cc +46 -43
- data/src/core/lib/security/{transport → security_connector}/security_connector.h +3 -3
- data/src/core/lib/security/transport/client_auth_filter.cc +32 -34
- data/src/core/lib/security/transport/lb_targets_info.cc +7 -5
- data/src/core/lib/security/transport/secure_endpoint.cc +21 -21
- data/src/core/lib/security/transport/security_handshaker.cc +19 -18
- data/src/core/lib/security/transport/security_handshaker.h +1 -1
- data/src/core/lib/security/transport/server_auth_filter.cc +21 -21
- data/src/core/lib/slice/b64.cc +19 -16
- data/src/core/lib/slice/percent_encoding.cc +5 -5
- data/src/core/lib/slice/slice.cc +35 -33
- data/src/core/lib/slice/slice_buffer.cc +16 -14
- data/src/core/lib/slice/slice_hash_table.cc +3 -2
- data/src/core/lib/slice/slice_intern.cc +21 -25
- data/src/core/lib/slice/slice_string_helpers.cc +45 -9
- data/src/core/lib/slice/slice_string_helpers.h +6 -0
- data/src/core/lib/surface/byte_buffer.cc +2 -2
- data/src/core/lib/surface/byte_buffer_reader.cc +6 -3
- data/src/core/lib/surface/call.cc +171 -260
- data/src/core/lib/surface/call_test_only.h +1 -13
- data/src/core/lib/surface/channel.cc +20 -43
- data/src/core/lib/surface/channel_init.cc +7 -7
- data/src/core/lib/surface/channel_ping.cc +2 -2
- data/src/core/lib/surface/completion_queue.cc +69 -75
- data/src/core/lib/surface/init.cc +4 -5
- data/src/core/lib/surface/init_secure.cc +1 -1
- data/src/core/lib/surface/lame_client.cc +1 -1
- data/src/core/lib/surface/server.cc +64 -59
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/bdp_estimator.cc +6 -5
- data/src/core/lib/transport/byte_stream.cc +23 -14
- data/src/core/lib/transport/byte_stream.h +1 -1
- data/src/core/lib/transport/connectivity_state.cc +9 -13
- data/src/core/lib/transport/error_utils.cc +10 -7
- data/src/core/lib/transport/metadata.cc +27 -26
- data/src/core/lib/transport/metadata.h +1 -1
- data/src/core/lib/transport/pid_controller.cc +2 -1
- data/src/core/lib/transport/service_config.cc +5 -5
- data/src/core/lib/transport/static_metadata.cc +225 -222
- data/src/core/lib/transport/static_metadata.h +77 -76
- data/src/core/lib/transport/timeout_encoding.cc +3 -2
- data/src/core/lib/transport/transport.cc +6 -5
- data/src/core/lib/transport/transport_op_string.cc +0 -1
- data/src/core/plugin_registry/grpc_plugin_registry.cc +4 -4
- data/src/core/tsi/alts_transport_security.cc +61 -0
- data/src/core/tsi/{gts_transport_security.h → alts_transport_security.h} +16 -8
- data/src/core/tsi/fake_transport_security.cc +59 -43
- data/src/core/tsi/ssl_transport_security.cc +122 -107
- data/src/core/tsi/transport_security.cc +3 -3
- data/src/core/tsi/transport_security_adapter.cc +16 -10
- data/src/ruby/bin/apis/pubsub_demo.rb +1 -1
- data/src/ruby/ext/grpc/rb_channel.c +3 -4
- data/src/ruby/ext/grpc/rb_compression_options.c +13 -3
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +4 -76
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +8 -120
- data/src/ruby/ext/grpc/rb_server.c +52 -28
- data/src/ruby/lib/grpc/generic/rpc_server.rb +7 -4
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/test/client.rb +1 -1
- data/src/ruby/pb/test/server.rb +1 -1
- data/src/ruby/spec/client_server_spec.rb +4 -2
- data/src/ruby/spec/generic/active_call_spec.rb +2 -1
- data/src/ruby/spec/generic/client_stub_spec.rb +32 -8
- data/src/ruby/spec/server_spec.rb +26 -7
- data/third_party/boringssl/crypto/asn1/a_bitstr.c +7 -2
- data/third_party/boringssl/crypto/asn1/a_d2i_fp.c +15 -0
- data/third_party/boringssl/crypto/asn1/a_gentm.c +1 -1
- data/third_party/boringssl/crypto/asn1/a_print.c +0 -28
- data/third_party/boringssl/crypto/asn1/a_strnid.c +3 -0
- data/third_party/boringssl/crypto/asn1/a_time.c +17 -9
- data/third_party/boringssl/crypto/asn1/a_utctm.c +1 -1
- data/third_party/boringssl/crypto/asn1/asn1_lib.c +5 -49
- data/third_party/boringssl/crypto/asn1/asn1_locl.h +1 -1
- data/third_party/boringssl/crypto/asn1/tasn_dec.c +9 -9
- data/third_party/boringssl/crypto/asn1/tasn_enc.c +0 -6
- data/third_party/boringssl/crypto/asn1/time_support.c +5 -5
- data/third_party/boringssl/crypto/base64/base64.c +65 -43
- data/third_party/boringssl/crypto/bio/bio.c +134 -110
- data/third_party/boringssl/crypto/bio/bio_mem.c +9 -9
- data/third_party/boringssl/crypto/bio/connect.c +17 -17
- data/third_party/boringssl/crypto/bio/fd.c +2 -1
- data/third_party/boringssl/crypto/bio/file.c +14 -14
- data/third_party/boringssl/crypto/bio/hexdump.c +15 -16
- data/third_party/boringssl/crypto/bio/internal.h +14 -14
- data/third_party/boringssl/crypto/bio/pair.c +45 -45
- data/third_party/boringssl/crypto/bio/printf.c +6 -10
- data/third_party/boringssl/crypto/{bn → bn_extra}/bn_asn1.c +9 -9
- data/third_party/boringssl/crypto/{bn → bn_extra}/convert.c +18 -223
- data/third_party/boringssl/crypto/buf/buf.c +20 -44
- data/third_party/boringssl/crypto/bytestring/ber.c +35 -35
- data/third_party/boringssl/crypto/bytestring/cbb.c +24 -24
- data/third_party/boringssl/crypto/bytestring/cbs.c +33 -37
- data/third_party/boringssl/crypto/bytestring/internal.h +38 -38
- data/third_party/boringssl/crypto/chacha/chacha.c +7 -7
- data/third_party/boringssl/crypto/{asn1/t_bitst.c → cipher_extra/cipher_extra.c} +49 -38
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/derive_key.c +0 -2
- data/third_party/boringssl/crypto/cipher_extra/e_aesctrhmac.c +281 -0
- data/third_party/boringssl/crypto/cipher_extra/e_aesgcmsiv.c +867 -0
- data/third_party/boringssl/crypto/cipher_extra/e_chacha20poly1305.c +326 -0
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_null.c +0 -1
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_rc2.c +22 -10
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_rc4.c +0 -0
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_ssl3.c +120 -64
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_tls.c +220 -141
- data/third_party/boringssl/crypto/{asn1/x_bignum.c → cipher_extra/internal.h} +61 -86
- data/third_party/boringssl/crypto/cipher_extra/tls_cbc.c +482 -0
- data/third_party/boringssl/crypto/cmac/cmac.c +20 -20
- data/third_party/boringssl/crypto/conf/conf.c +32 -20
- data/third_party/boringssl/crypto/conf/internal.h +3 -3
- data/third_party/boringssl/crypto/cpu-aarch64-linux.c +5 -5
- data/third_party/boringssl/crypto/cpu-arm-linux.c +44 -41
- data/third_party/boringssl/crypto/cpu-intel.c +68 -43
- data/third_party/boringssl/crypto/cpu-ppc64le.c +5 -7
- data/third_party/boringssl/crypto/crypto.c +54 -32
- data/third_party/boringssl/crypto/curve25519/curve25519.c +269 -269
- data/third_party/boringssl/crypto/curve25519/internal.h +28 -8
- data/third_party/boringssl/crypto/curve25519/spake25519.c +180 -106
- data/third_party/boringssl/crypto/curve25519/x25519-x86_64.c +9 -9
- data/third_party/boringssl/crypto/dh/check.c +33 -34
- data/third_party/boringssl/crypto/dh/dh.c +72 -36
- data/third_party/boringssl/crypto/dh/dh_asn1.c +1 -1
- data/third_party/boringssl/crypto/dh/params.c +1 -161
- data/third_party/boringssl/crypto/digest_extra/digest_extra.c +240 -0
- data/third_party/boringssl/crypto/dsa/dsa.c +127 -87
- data/third_party/boringssl/crypto/dsa/dsa_asn1.c +1 -1
- data/third_party/boringssl/crypto/{ec → ec_extra}/ec_asn1.c +83 -70
- data/third_party/boringssl/crypto/ecdh/ecdh.c +1 -1
- data/third_party/boringssl/crypto/{ecdsa → ecdsa_extra}/ecdsa_asn1.c +86 -31
- data/third_party/boringssl/crypto/engine/engine.c +6 -6
- data/third_party/boringssl/crypto/err/err.c +197 -106
- data/third_party/boringssl/crypto/err/internal.h +58 -0
- data/third_party/boringssl/crypto/evp/digestsign.c +86 -14
- data/third_party/boringssl/crypto/evp/evp.c +6 -11
- data/third_party/boringssl/crypto/evp/evp_asn1.c +17 -17
- data/third_party/boringssl/crypto/evp/evp_ctx.c +15 -11
- data/third_party/boringssl/crypto/evp/internal.h +66 -51
- data/third_party/boringssl/crypto/evp/p_dsa_asn1.c +11 -11
- data/third_party/boringssl/crypto/evp/p_ec.c +10 -8
- data/third_party/boringssl/crypto/evp/p_ec_asn1.c +11 -12
- data/third_party/boringssl/crypto/evp/p_ed25519.c +71 -0
- data/third_party/boringssl/crypto/evp/p_ed25519_asn1.c +190 -0
- data/third_party/boringssl/crypto/evp/p_rsa.c +50 -95
- data/third_party/boringssl/crypto/evp/p_rsa_asn1.c +28 -18
- data/third_party/boringssl/crypto/evp/pbkdf.c +49 -56
- data/third_party/boringssl/crypto/evp/print.c +5 -36
- data/third_party/boringssl/crypto/evp/scrypt.c +209 -0
- data/third_party/boringssl/crypto/ex_data.c +15 -45
- data/third_party/boringssl/crypto/fipsmodule/aes/internal.h +100 -0
- data/third_party/boringssl/crypto/fipsmodule/bcm.c +679 -0
- data/third_party/boringssl/crypto/{bn → fipsmodule/bn}/internal.h +40 -27
- data/third_party/boringssl/crypto/{bn → fipsmodule/bn}/rsaz_exp.h +0 -0
- data/third_party/boringssl/crypto/{cipher → fipsmodule/cipher}/internal.h +34 -67
- data/third_party/boringssl/crypto/fipsmodule/delocate.h +88 -0
- data/third_party/boringssl/crypto/{des → fipsmodule/des}/internal.h +18 -4
- data/third_party/boringssl/crypto/{digest → fipsmodule/digest}/internal.h +18 -18
- data/third_party/boringssl/crypto/{digest → fipsmodule/digest}/md32_common.h +58 -64
- data/third_party/boringssl/crypto/{ec → fipsmodule/ec}/internal.h +58 -52
- data/third_party/boringssl/crypto/{ec → fipsmodule/ec}/p256-x86_64-table.h +11 -11
- data/third_party/boringssl/crypto/{ec → fipsmodule/ec}/p256-x86_64.h +32 -32
- data/third_party/boringssl/crypto/{rand/internal.h → fipsmodule/is_fips.c} +10 -15
- data/third_party/boringssl/crypto/{modes → fipsmodule/modes}/internal.h +112 -119
- data/third_party/boringssl/crypto/fipsmodule/rand/internal.h +92 -0
- data/third_party/boringssl/crypto/{rsa → fipsmodule/rsa}/internal.h +36 -49
- data/third_party/boringssl/crypto/hkdf/hkdf.c +6 -6
- data/third_party/boringssl/crypto/internal.h +301 -233
- data/third_party/boringssl/crypto/lhash/lhash.c +26 -45
- data/third_party/boringssl/crypto/mem.c +76 -33
- data/third_party/boringssl/crypto/obj/obj.c +44 -28
- data/third_party/boringssl/crypto/obj/obj_dat.h +102 -34
- data/third_party/boringssl/crypto/obj/obj_xref.c +6 -6
- data/third_party/boringssl/crypto/pem/pem_info.c +3 -5
- data/third_party/boringssl/crypto/pem/pem_lib.c +1 -6
- data/third_party/boringssl/crypto/pem/pem_pk8.c +1 -0
- data/third_party/boringssl/crypto/pem/pem_pkey.c +1 -1
- data/third_party/boringssl/crypto/pem/pem_xaux.c +0 -2
- data/third_party/boringssl/crypto/pkcs7/internal.h +49 -0
- data/third_party/boringssl/crypto/pkcs7/pkcs7.c +166 -0
- data/third_party/boringssl/crypto/{x509/pkcs7.c → pkcs7/pkcs7_x509.c} +27 -147
- data/third_party/boringssl/crypto/pkcs8/internal.h +34 -16
- data/third_party/boringssl/crypto/pkcs8/p5_pbev2.c +120 -39
- data/third_party/boringssl/crypto/pkcs8/pkcs8.c +144 -857
- data/third_party/boringssl/crypto/pkcs8/pkcs8_x509.c +789 -0
- data/third_party/boringssl/crypto/poly1305/internal.h +4 -3
- data/third_party/boringssl/crypto/poly1305/poly1305.c +14 -14
- data/third_party/boringssl/crypto/poly1305/poly1305_arm.c +11 -11
- data/third_party/boringssl/crypto/poly1305/poly1305_vec.c +41 -41
- data/third_party/boringssl/crypto/pool/internal.h +2 -2
- data/third_party/boringssl/crypto/pool/pool.c +15 -15
- data/third_party/boringssl/crypto/{rand → rand_extra}/deterministic.c +7 -7
- data/third_party/boringssl/crypto/rand_extra/forkunsafe.c +46 -0
- data/third_party/boringssl/crypto/{rand → rand_extra}/fuchsia.c +7 -7
- data/third_party/boringssl/crypto/rand_extra/rand_extra.c +70 -0
- data/third_party/boringssl/crypto/{rand → rand_extra}/windows.c +5 -5
- data/third_party/boringssl/crypto/refcount_c11.c +2 -2
- data/third_party/boringssl/crypto/refcount_lock.c +1 -1
- data/third_party/boringssl/crypto/{rsa → rsa_extra}/rsa_asn1.c +12 -120
- data/third_party/boringssl/crypto/stack/stack.c +13 -13
- data/third_party/boringssl/crypto/thread_none.c +1 -1
- data/third_party/boringssl/crypto/thread_pthread.c +1 -1
- data/third_party/boringssl/crypto/thread_win.c +40 -40
- data/third_party/boringssl/crypto/x509/a_sign.c +5 -12
- data/third_party/boringssl/crypto/x509/a_verify.c +6 -18
- data/third_party/boringssl/crypto/x509/algorithm.c +22 -6
- data/third_party/boringssl/crypto/x509/asn1_gen.c +30 -7
- data/third_party/boringssl/crypto/x509/by_dir.c +2 -2
- data/third_party/boringssl/crypto/x509/by_file.c +2 -2
- data/third_party/boringssl/crypto/x509/rsa_pss.c +5 -5
- data/third_party/boringssl/crypto/x509/t_x509.c +2 -1
- data/third_party/boringssl/crypto/x509/x509_def.c +5 -0
- data/third_party/boringssl/crypto/x509/x509_lu.c +35 -4
- data/third_party/boringssl/crypto/x509/x509_set.c +10 -0
- data/third_party/boringssl/crypto/x509/x509_vfy.c +20 -17
- data/third_party/boringssl/crypto/x509/x_name.c +13 -16
- data/third_party/boringssl/crypto/x509/x_x509.c +3 -3
- data/third_party/boringssl/crypto/x509/x_x509a.c +0 -7
- data/third_party/boringssl/crypto/x509v3/ext_dat.h +8 -0
- data/third_party/boringssl/crypto/x509v3/pcy_int.h +2 -2
- data/third_party/boringssl/crypto/x509v3/pcy_lib.c +0 -9
- data/third_party/boringssl/crypto/x509v3/pcy_node.c +1 -1
- data/third_party/boringssl/crypto/x509v3/pcy_tree.c +25 -15
- data/third_party/boringssl/crypto/x509v3/v3_alt.c +21 -11
- data/third_party/boringssl/crypto/x509v3/v3_cpols.c +9 -3
- data/third_party/boringssl/crypto/x509v3/v3_info.c +22 -14
- data/third_party/boringssl/crypto/x509v3/v3_ncons.c +27 -11
- data/third_party/boringssl/crypto/x509v3/v3_pci.c +0 -33
- data/third_party/boringssl/crypto/x509v3/v3_utl.c +4 -4
- data/third_party/boringssl/include/openssl/aead.h +280 -191
- data/third_party/boringssl/include/openssl/aes.h +50 -50
- data/third_party/boringssl/include/openssl/arm_arch.h +12 -12
- data/third_party/boringssl/include/openssl/asn1.h +14 -77
- data/third_party/boringssl/include/openssl/asn1t.h +11 -15
- data/third_party/boringssl/include/openssl/base.h +78 -51
- data/third_party/boringssl/include/openssl/base64.h +68 -68
- data/third_party/boringssl/include/openssl/bio.h +472 -406
- data/third_party/boringssl/include/openssl/blowfish.h +1 -1
- data/third_party/boringssl/include/openssl/bn.h +454 -435
- data/third_party/boringssl/include/openssl/buf.h +27 -27
- data/third_party/boringssl/include/openssl/bytestring.h +282 -267
- data/third_party/boringssl/include/openssl/cast.h +2 -2
- data/third_party/boringssl/include/openssl/chacha.h +5 -5
- data/third_party/boringssl/include/openssl/cipher.h +209 -200
- data/third_party/boringssl/include/openssl/cmac.h +27 -27
- data/third_party/boringssl/include/openssl/conf.h +49 -46
- data/third_party/boringssl/include/openssl/cpu.h +60 -45
- data/third_party/boringssl/include/openssl/crypto.h +59 -35
- data/third_party/boringssl/include/openssl/curve25519.h +97 -92
- data/third_party/boringssl/include/openssl/des.h +25 -25
- data/third_party/boringssl/include/openssl/dh.h +98 -97
- data/third_party/boringssl/include/openssl/digest.h +143 -114
- data/third_party/boringssl/include/openssl/dsa.h +217 -202
- data/third_party/boringssl/include/openssl/ec.h +132 -131
- data/third_party/boringssl/include/openssl/ec_key.h +132 -128
- data/third_party/boringssl/include/openssl/ecdh.h +9 -9
- data/third_party/boringssl/include/openssl/ecdsa.h +66 -66
- data/third_party/boringssl/include/openssl/engine.h +38 -38
- data/third_party/boringssl/include/openssl/err.h +189 -219
- data/third_party/boringssl/include/openssl/evp.h +473 -397
- data/third_party/boringssl/include/openssl/ex_data.h +46 -56
- data/third_party/boringssl/include/openssl/hkdf.h +17 -17
- data/third_party/boringssl/include/openssl/hmac.h +55 -43
- data/third_party/boringssl/include/openssl/is_boringssl.h +16 -0
- data/third_party/boringssl/include/openssl/lhash.h +67 -67
- data/third_party/boringssl/include/openssl/lhash_macros.h +4 -4
- data/third_party/boringssl/include/openssl/md4.h +14 -14
- data/third_party/boringssl/include/openssl/md5.h +14 -14
- data/third_party/boringssl/include/openssl/mem.h +39 -33
- data/third_party/boringssl/include/openssl/nid.h +43 -0
- data/third_party/boringssl/include/openssl/obj.h +93 -87
- data/third_party/boringssl/include/openssl/opensslconf.h +8 -1
- data/third_party/boringssl/include/openssl/pem.h +2 -122
- data/third_party/boringssl/include/openssl/pkcs7.h +68 -2
- data/third_party/boringssl/include/openssl/pkcs8.h +81 -66
- data/third_party/boringssl/include/openssl/poly1305.h +11 -11
- data/third_party/boringssl/include/openssl/pool.h +29 -25
- data/third_party/boringssl/include/openssl/rand.h +48 -45
- data/third_party/boringssl/include/openssl/rc4.h +9 -9
- data/third_party/boringssl/include/openssl/ripemd.h +13 -13
- data/third_party/boringssl/include/openssl/rsa.h +371 -340
- data/third_party/boringssl/include/openssl/sha.h +71 -71
- data/third_party/boringssl/include/openssl/span.h +191 -0
- data/third_party/boringssl/include/openssl/ssl.h +2639 -2519
- data/third_party/boringssl/include/openssl/ssl3.h +39 -122
- data/third_party/boringssl/include/openssl/stack.h +355 -164
- data/third_party/boringssl/include/openssl/thread.h +43 -43
- data/third_party/boringssl/include/openssl/tls1.h +60 -63
- data/third_party/boringssl/include/openssl/type_check.h +10 -14
- data/third_party/boringssl/include/openssl/x509.h +41 -116
- data/third_party/boringssl/include/openssl/x509_vfy.h +17 -25
- data/third_party/boringssl/include/openssl/x509v3.h +27 -21
- data/third_party/boringssl/ssl/{bio_ssl.c → bio_ssl.cc} +9 -5
- data/third_party/boringssl/ssl/{custom_extensions.c → custom_extensions.cc} +19 -12
- data/third_party/boringssl/ssl/{d1_both.c → d1_both.cc} +224 -193
- data/third_party/boringssl/ssl/{d1_lib.c → d1_lib.cc} +86 -79
- data/third_party/boringssl/ssl/{d1_pkt.c → d1_pkt.cc} +55 -87
- data/third_party/boringssl/ssl/{d1_srtp.c → d1_srtp.cc} +12 -16
- data/third_party/boringssl/ssl/{dtls_method.c → dtls_method.cc} +33 -50
- data/third_party/boringssl/ssl/{dtls_record.c → dtls_record.cc} +76 -64
- data/third_party/boringssl/ssl/handshake.cc +547 -0
- data/third_party/boringssl/ssl/handshake_client.cc +1828 -0
- data/third_party/boringssl/ssl/handshake_server.cc +1672 -0
- data/third_party/boringssl/ssl/internal.h +2027 -1280
- data/third_party/boringssl/ssl/s3_both.cc +603 -0
- data/third_party/boringssl/ssl/{s3_lib.c → s3_lib.cc} +22 -10
- data/third_party/boringssl/ssl/{s3_pkt.c → s3_pkt.cc} +171 -75
- data/third_party/boringssl/ssl/ssl_aead_ctx.cc +415 -0
- data/third_party/boringssl/ssl/{ssl_asn1.c → ssl_asn1.cc} +257 -261
- data/third_party/boringssl/ssl/{ssl_buffer.c → ssl_buffer.cc} +81 -97
- data/third_party/boringssl/ssl/{ssl_cert.c → ssl_cert.cc} +304 -414
- data/third_party/boringssl/ssl/{ssl_cipher.c → ssl_cipher.cc} +427 -505
- data/third_party/boringssl/ssl/{ssl_file.c → ssl_file.cc} +24 -16
- data/third_party/boringssl/ssl/ssl_key_share.cc +245 -0
- data/third_party/boringssl/ssl/{ssl_lib.c → ssl_lib.cc} +665 -828
- data/third_party/boringssl/ssl/ssl_privkey.cc +518 -0
- data/third_party/boringssl/ssl/{ssl_session.c → ssl_session.cc} +596 -471
- data/third_party/boringssl/ssl/{ssl_stat.c → ssl_stat.cc} +5 -224
- data/third_party/boringssl/ssl/{ssl_transcript.c → ssl_transcript.cc} +117 -140
- data/third_party/boringssl/ssl/ssl_versions.cc +439 -0
- data/third_party/boringssl/ssl/{ssl_x509.c → ssl_x509.cc} +751 -267
- data/third_party/boringssl/ssl/{t1_enc.c → t1_enc.cc} +120 -161
- data/third_party/boringssl/ssl/{t1_lib.c → t1_lib.cc} +859 -966
- data/third_party/boringssl/ssl/{tls13_both.c → tls13_both.cc} +202 -284
- data/third_party/boringssl/ssl/tls13_client.cc +842 -0
- data/third_party/boringssl/ssl/{tls13_enc.c → tls13_enc.cc} +108 -90
- data/third_party/boringssl/ssl/tls13_server.cc +967 -0
- data/third_party/boringssl/ssl/{tls_method.c → tls_method.cc} +94 -73
- data/third_party/boringssl/ssl/tls_record.cc +675 -0
- metadata +117 -168
- data/include/grpc/support/cmdline.h +0 -88
- data/include/grpc/support/subprocess.h +0 -44
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h +0 -29
- data/src/core/ext/filters/client_channel/resolver_factory.cc +0 -40
- data/src/core/lib/gpr/cmdline.cc +0 -330
- data/src/core/lib/gpr/subprocess_posix.cc +0 -99
- data/src/core/lib/gpr/subprocess_windows.cc +0 -126
- data/src/core/lib/surface/alarm.cc +0 -137
- data/src/core/lib/surface/alarm_internal.h +0 -40
- data/src/core/tsi/gts_transport_security.cc +0 -40
- data/third_party/boringssl/crypto/aes/aes.c +0 -1142
- data/third_party/boringssl/crypto/aes/internal.h +0 -87
- data/third_party/boringssl/crypto/aes/key_wrap.c +0 -138
- data/third_party/boringssl/crypto/aes/mode_wrappers.c +0 -112
- data/third_party/boringssl/crypto/asn1/x_long.c +0 -200
- data/third_party/boringssl/crypto/bn/add.c +0 -377
- data/third_party/boringssl/crypto/bn/asm/x86_64-gcc.c +0 -532
- data/third_party/boringssl/crypto/bn/bn.c +0 -365
- data/third_party/boringssl/crypto/bn/cmp.c +0 -239
- data/third_party/boringssl/crypto/bn/ctx.c +0 -313
- data/third_party/boringssl/crypto/bn/div.c +0 -728
- data/third_party/boringssl/crypto/bn/exponentiation.c +0 -1240
- data/third_party/boringssl/crypto/bn/gcd.c +0 -635
- data/third_party/boringssl/crypto/bn/generic.c +0 -707
- data/third_party/boringssl/crypto/bn/kronecker.c +0 -176
- data/third_party/boringssl/crypto/bn/montgomery.c +0 -409
- data/third_party/boringssl/crypto/bn/montgomery_inv.c +0 -207
- data/third_party/boringssl/crypto/bn/mul.c +0 -871
- data/third_party/boringssl/crypto/bn/prime.c +0 -861
- data/third_party/boringssl/crypto/bn/random.c +0 -343
- data/third_party/boringssl/crypto/bn/rsaz_exp.c +0 -254
- data/third_party/boringssl/crypto/bn/shift.c +0 -307
- data/third_party/boringssl/crypto/bn/sqrt.c +0 -506
- data/third_party/boringssl/crypto/cipher/aead.c +0 -156
- data/third_party/boringssl/crypto/cipher/cipher.c +0 -657
- data/third_party/boringssl/crypto/cipher/e_aes.c +0 -1771
- data/third_party/boringssl/crypto/cipher/e_chacha20poly1305.c +0 -276
- data/third_party/boringssl/crypto/cipher/e_des.c +0 -205
- data/third_party/boringssl/crypto/cipher/tls_cbc.c +0 -482
- data/third_party/boringssl/crypto/des/des.c +0 -771
- data/third_party/boringssl/crypto/digest/digest.c +0 -251
- data/third_party/boringssl/crypto/digest/digests.c +0 -358
- data/third_party/boringssl/crypto/ec/ec.c +0 -847
- data/third_party/boringssl/crypto/ec/ec_key.c +0 -479
- data/third_party/boringssl/crypto/ec/ec_montgomery.c +0 -303
- data/third_party/boringssl/crypto/ec/oct.c +0 -416
- data/third_party/boringssl/crypto/ec/p224-64.c +0 -1143
- data/third_party/boringssl/crypto/ec/p256-64.c +0 -1701
- data/third_party/boringssl/crypto/ec/p256-x86_64.c +0 -561
- data/third_party/boringssl/crypto/ec/simple.c +0 -1118
- data/third_party/boringssl/crypto/ec/util-64.c +0 -109
- data/third_party/boringssl/crypto/ec/wnaf.c +0 -458
- data/third_party/boringssl/crypto/ecdsa/ecdsa.c +0 -479
- data/third_party/boringssl/crypto/hmac/hmac.c +0 -215
- data/third_party/boringssl/crypto/md4/md4.c +0 -236
- data/third_party/boringssl/crypto/md5/md5.c +0 -285
- data/third_party/boringssl/crypto/modes/cbc.c +0 -212
- data/third_party/boringssl/crypto/modes/cfb.c +0 -230
- data/third_party/boringssl/crypto/modes/ctr.c +0 -219
- data/third_party/boringssl/crypto/modes/gcm.c +0 -1071
- data/third_party/boringssl/crypto/modes/ofb.c +0 -95
- data/third_party/boringssl/crypto/modes/polyval.c +0 -94
- data/third_party/boringssl/crypto/pkcs8/p8_pkey.c +0 -85
- data/third_party/boringssl/crypto/rand/rand.c +0 -244
- data/third_party/boringssl/crypto/rand/urandom.c +0 -335
- data/third_party/boringssl/crypto/rsa/blinding.c +0 -265
- data/third_party/boringssl/crypto/rsa/padding.c +0 -708
- data/third_party/boringssl/crypto/rsa/rsa.c +0 -830
- data/third_party/boringssl/crypto/rsa/rsa_impl.c +0 -1100
- data/third_party/boringssl/crypto/sha/sha1-altivec.c +0 -346
- data/third_party/boringssl/crypto/sha/sha1.c +0 -355
- data/third_party/boringssl/crypto/sha/sha256.c +0 -329
- data/third_party/boringssl/crypto/sha/sha512.c +0 -609
- data/third_party/boringssl/crypto/x509/x509type.c +0 -126
- data/third_party/boringssl/include/openssl/stack_macros.h +0 -3987
- data/third_party/boringssl/ssl/handshake_client.c +0 -1883
- data/third_party/boringssl/ssl/handshake_server.c +0 -1950
- data/third_party/boringssl/ssl/s3_both.c +0 -895
- data/third_party/boringssl/ssl/ssl_aead_ctx.c +0 -335
- data/third_party/boringssl/ssl/ssl_ecdh.c +0 -465
- data/third_party/boringssl/ssl/ssl_privkey.c +0 -683
- data/third_party/boringssl/ssl/ssl_privkey_cc.cc +0 -76
- data/third_party/boringssl/ssl/tls13_client.c +0 -712
- data/third_party/boringssl/ssl/tls13_server.c +0 -680
- data/third_party/boringssl/ssl/tls_record.c +0 -556
@@ -0,0 +1,439 @@
|
|
1
|
+
/* Copyright (c) 2017, Google Inc.
|
2
|
+
*
|
3
|
+
* Permission to use, copy, modify, and/or distribute this software for any
|
4
|
+
* purpose with or without fee is hereby granted, provided that the above
|
5
|
+
* copyright notice and this permission notice appear in all copies.
|
6
|
+
*
|
7
|
+
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
8
|
+
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
9
|
+
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
10
|
+
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
11
|
+
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
12
|
+
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
13
|
+
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
14
|
+
|
15
|
+
#include <openssl/ssl.h>
|
16
|
+
|
17
|
+
#include <assert.h>
|
18
|
+
|
19
|
+
#include <openssl/bytestring.h>
|
20
|
+
#include <openssl/err.h>
|
21
|
+
|
22
|
+
#include "internal.h"
|
23
|
+
#include "../crypto/internal.h"
|
24
|
+
|
25
|
+
|
26
|
+
namespace bssl {
|
27
|
+
|
28
|
+
bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
|
29
|
+
switch (version) {
|
30
|
+
case SSL3_VERSION:
|
31
|
+
case TLS1_VERSION:
|
32
|
+
case TLS1_1_VERSION:
|
33
|
+
case TLS1_2_VERSION:
|
34
|
+
*out = version;
|
35
|
+
return true;
|
36
|
+
|
37
|
+
case TLS1_3_DRAFT_VERSION:
|
38
|
+
case TLS1_3_EXPERIMENT_VERSION:
|
39
|
+
case TLS1_3_EXPERIMENT2_VERSION:
|
40
|
+
case TLS1_3_EXPERIMENT3_VERSION:
|
41
|
+
*out = TLS1_3_VERSION;
|
42
|
+
return true;
|
43
|
+
|
44
|
+
case DTLS1_VERSION:
|
45
|
+
// DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
|
46
|
+
*out = TLS1_1_VERSION;
|
47
|
+
return true;
|
48
|
+
|
49
|
+
case DTLS1_2_VERSION:
|
50
|
+
*out = TLS1_2_VERSION;
|
51
|
+
return true;
|
52
|
+
|
53
|
+
default:
|
54
|
+
return false;
|
55
|
+
}
|
56
|
+
}
|
57
|
+
|
58
|
+
// The follow arrays are the supported versions for TLS and DTLS, in order of
|
59
|
+
// decreasing preference.
|
60
|
+
|
61
|
+
static const uint16_t kTLSVersions[] = {
|
62
|
+
TLS1_3_EXPERIMENT3_VERSION,
|
63
|
+
TLS1_3_EXPERIMENT2_VERSION,
|
64
|
+
TLS1_3_EXPERIMENT_VERSION,
|
65
|
+
TLS1_3_DRAFT_VERSION,
|
66
|
+
TLS1_2_VERSION,
|
67
|
+
TLS1_1_VERSION,
|
68
|
+
TLS1_VERSION,
|
69
|
+
SSL3_VERSION,
|
70
|
+
};
|
71
|
+
|
72
|
+
static const uint16_t kDTLSVersions[] = {
|
73
|
+
DTLS1_2_VERSION,
|
74
|
+
DTLS1_VERSION,
|
75
|
+
};
|
76
|
+
|
77
|
+
static void get_method_versions(const SSL_PROTOCOL_METHOD *method,
|
78
|
+
const uint16_t **out, size_t *out_num) {
|
79
|
+
if (method->is_dtls) {
|
80
|
+
*out = kDTLSVersions;
|
81
|
+
*out_num = OPENSSL_ARRAY_SIZE(kDTLSVersions);
|
82
|
+
} else {
|
83
|
+
*out = kTLSVersions;
|
84
|
+
*out_num = OPENSSL_ARRAY_SIZE(kTLSVersions);
|
85
|
+
}
|
86
|
+
}
|
87
|
+
|
88
|
+
static bool method_supports_version(const SSL_PROTOCOL_METHOD *method,
|
89
|
+
uint16_t version) {
|
90
|
+
const uint16_t *versions;
|
91
|
+
size_t num_versions;
|
92
|
+
get_method_versions(method, &versions, &num_versions);
|
93
|
+
for (size_t i = 0; i < num_versions; i++) {
|
94
|
+
if (versions[i] == version) {
|
95
|
+
return true;
|
96
|
+
}
|
97
|
+
}
|
98
|
+
return false;
|
99
|
+
}
|
100
|
+
|
101
|
+
// The following functions map between API versions and wire versions. The
|
102
|
+
// public API works on wire versions, except that TLS 1.3 draft versions all
|
103
|
+
// appear as TLS 1.3. This will get collapsed back down when TLS 1.3 is
|
104
|
+
// finalized.
|
105
|
+
|
106
|
+
static const char *ssl_version_to_string(uint16_t version) {
|
107
|
+
switch (version) {
|
108
|
+
case TLS1_3_DRAFT_VERSION:
|
109
|
+
case TLS1_3_EXPERIMENT_VERSION:
|
110
|
+
case TLS1_3_EXPERIMENT2_VERSION:
|
111
|
+
case TLS1_3_EXPERIMENT3_VERSION:
|
112
|
+
return "TLSv1.3";
|
113
|
+
|
114
|
+
case TLS1_2_VERSION:
|
115
|
+
return "TLSv1.2";
|
116
|
+
|
117
|
+
case TLS1_1_VERSION:
|
118
|
+
return "TLSv1.1";
|
119
|
+
|
120
|
+
case TLS1_VERSION:
|
121
|
+
return "TLSv1";
|
122
|
+
|
123
|
+
case SSL3_VERSION:
|
124
|
+
return "SSLv3";
|
125
|
+
|
126
|
+
case DTLS1_VERSION:
|
127
|
+
return "DTLSv1";
|
128
|
+
|
129
|
+
case DTLS1_2_VERSION:
|
130
|
+
return "DTLSv1.2";
|
131
|
+
|
132
|
+
default:
|
133
|
+
return "unknown";
|
134
|
+
}
|
135
|
+
}
|
136
|
+
|
137
|
+
static uint16_t wire_version_to_api(uint16_t version) {
|
138
|
+
switch (version) {
|
139
|
+
// Report TLS 1.3 draft versions as TLS 1.3 in the public API.
|
140
|
+
case TLS1_3_DRAFT_VERSION:
|
141
|
+
case TLS1_3_EXPERIMENT_VERSION:
|
142
|
+
case TLS1_3_EXPERIMENT2_VERSION:
|
143
|
+
case TLS1_3_EXPERIMENT3_VERSION:
|
144
|
+
return TLS1_3_VERSION;
|
145
|
+
default:
|
146
|
+
return version;
|
147
|
+
}
|
148
|
+
}
|
149
|
+
|
150
|
+
// api_version_to_wire maps |version| to some representative wire version. In
|
151
|
+
// particular, it picks an arbitrary TLS 1.3 representative. This should only be
|
152
|
+
// used in context where that does not matter.
|
153
|
+
static bool api_version_to_wire(uint16_t *out, uint16_t version) {
|
154
|
+
if (version == TLS1_3_DRAFT_VERSION ||
|
155
|
+
version == TLS1_3_EXPERIMENT_VERSION ||
|
156
|
+
version == TLS1_3_EXPERIMENT2_VERSION ||
|
157
|
+
version == TLS1_3_EXPERIMENT3_VERSION) {
|
158
|
+
return false;
|
159
|
+
}
|
160
|
+
if (version == TLS1_3_VERSION) {
|
161
|
+
version = TLS1_3_DRAFT_VERSION;
|
162
|
+
}
|
163
|
+
|
164
|
+
// Check it is a real protocol version.
|
165
|
+
uint16_t unused;
|
166
|
+
if (!ssl_protocol_version_from_wire(&unused, version)) {
|
167
|
+
return false;
|
168
|
+
}
|
169
|
+
|
170
|
+
*out = version;
|
171
|
+
return true;
|
172
|
+
}
|
173
|
+
|
174
|
+
static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
|
175
|
+
uint16_t version) {
|
176
|
+
if (!api_version_to_wire(&version, version) ||
|
177
|
+
!method_supports_version(method, version) ||
|
178
|
+
!ssl_protocol_version_from_wire(out, version)) {
|
179
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
|
180
|
+
return false;
|
181
|
+
}
|
182
|
+
|
183
|
+
return true;
|
184
|
+
}
|
185
|
+
|
186
|
+
static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
|
187
|
+
uint16_t version) {
|
188
|
+
// Zero is interpreted as the default minimum version.
|
189
|
+
if (version == 0) {
|
190
|
+
// SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS.
|
191
|
+
*out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION;
|
192
|
+
return true;
|
193
|
+
}
|
194
|
+
|
195
|
+
return set_version_bound(method, out, version);
|
196
|
+
}
|
197
|
+
|
198
|
+
static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
|
199
|
+
uint16_t version) {
|
200
|
+
// Zero is interpreted as the default maximum version.
|
201
|
+
if (version == 0) {
|
202
|
+
*out = TLS1_2_VERSION;
|
203
|
+
return true;
|
204
|
+
}
|
205
|
+
|
206
|
+
return set_version_bound(method, out, version);
|
207
|
+
}
|
208
|
+
|
209
|
+
const struct {
|
210
|
+
uint16_t version;
|
211
|
+
uint32_t flag;
|
212
|
+
} kProtocolVersions[] = {
|
213
|
+
{SSL3_VERSION, SSL_OP_NO_SSLv3},
|
214
|
+
{TLS1_VERSION, SSL_OP_NO_TLSv1},
|
215
|
+
{TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
|
216
|
+
{TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
|
217
|
+
{TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
|
218
|
+
};
|
219
|
+
|
220
|
+
bool ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
|
221
|
+
uint16_t *out_max_version) {
|
222
|
+
// For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
|
223
|
+
// DTLS 1.0 should be mapped to TLS 1.1.
|
224
|
+
uint32_t options = ssl->options;
|
225
|
+
if (SSL_is_dtls(ssl)) {
|
226
|
+
options &= ~SSL_OP_NO_TLSv1_1;
|
227
|
+
if (options & SSL_OP_NO_DTLSv1) {
|
228
|
+
options |= SSL_OP_NO_TLSv1_1;
|
229
|
+
}
|
230
|
+
}
|
231
|
+
|
232
|
+
uint16_t min_version = ssl->conf_min_version;
|
233
|
+
uint16_t max_version = ssl->conf_max_version;
|
234
|
+
|
235
|
+
// OpenSSL's API for controlling versions entails blacklisting individual
|
236
|
+
// protocols. This has two problems. First, on the client, the protocol can
|
237
|
+
// only express a contiguous range of versions. Second, a library consumer
|
238
|
+
// trying to set a maximum version cannot disable protocol versions that get
|
239
|
+
// added in a future version of the library.
|
240
|
+
//
|
241
|
+
// To account for both of these, OpenSSL interprets the client-side bitmask
|
242
|
+
// as a min/max range by picking the lowest contiguous non-empty range of
|
243
|
+
// enabled protocols. Note that this means it is impossible to set a maximum
|
244
|
+
// version of the higest supported TLS version in a future-proof way.
|
245
|
+
bool any_enabled = false;
|
246
|
+
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
|
247
|
+
// Only look at the versions already enabled.
|
248
|
+
if (min_version > kProtocolVersions[i].version) {
|
249
|
+
continue;
|
250
|
+
}
|
251
|
+
if (max_version < kProtocolVersions[i].version) {
|
252
|
+
break;
|
253
|
+
}
|
254
|
+
|
255
|
+
if (!(options & kProtocolVersions[i].flag)) {
|
256
|
+
// The minimum version is the first enabled version.
|
257
|
+
if (!any_enabled) {
|
258
|
+
any_enabled = true;
|
259
|
+
min_version = kProtocolVersions[i].version;
|
260
|
+
}
|
261
|
+
continue;
|
262
|
+
}
|
263
|
+
|
264
|
+
// If there is a disabled version after the first enabled one, all versions
|
265
|
+
// after it are implicitly disabled.
|
266
|
+
if (any_enabled) {
|
267
|
+
max_version = kProtocolVersions[i-1].version;
|
268
|
+
break;
|
269
|
+
}
|
270
|
+
}
|
271
|
+
|
272
|
+
if (!any_enabled) {
|
273
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
|
274
|
+
return false;
|
275
|
+
}
|
276
|
+
|
277
|
+
*out_min_version = min_version;
|
278
|
+
*out_max_version = max_version;
|
279
|
+
return true;
|
280
|
+
}
|
281
|
+
|
282
|
+
static uint16_t ssl_version(const SSL *ssl) {
|
283
|
+
// In early data, we report the predicted version.
|
284
|
+
if (SSL_in_early_data(ssl) && !ssl->server) {
|
285
|
+
return ssl->s3->hs->early_session->ssl_version;
|
286
|
+
}
|
287
|
+
return ssl->version;
|
288
|
+
}
|
289
|
+
|
290
|
+
uint16_t ssl3_protocol_version(const SSL *ssl) {
|
291
|
+
assert(ssl->s3->have_version);
|
292
|
+
uint16_t version;
|
293
|
+
if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
|
294
|
+
// |ssl->version| will always be set to a valid version.
|
295
|
+
assert(0);
|
296
|
+
return 0;
|
297
|
+
}
|
298
|
+
|
299
|
+
return version;
|
300
|
+
}
|
301
|
+
|
302
|
+
bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
|
303
|
+
SSL *const ssl = hs->ssl;
|
304
|
+
// As a client, only allow the configured TLS 1.3 variant. As a server,
|
305
|
+
// support all TLS 1.3 variants as long as tls13_variant is set to a
|
306
|
+
// non-default value.
|
307
|
+
if (ssl->server) {
|
308
|
+
if (ssl->tls13_variant == tls13_default &&
|
309
|
+
(version == TLS1_3_EXPERIMENT_VERSION ||
|
310
|
+
version == TLS1_3_EXPERIMENT2_VERSION ||
|
311
|
+
version == TLS1_3_EXPERIMENT3_VERSION)) {
|
312
|
+
return false;
|
313
|
+
}
|
314
|
+
} else {
|
315
|
+
if ((ssl->tls13_variant != tls13_experiment &&
|
316
|
+
version == TLS1_3_EXPERIMENT_VERSION) ||
|
317
|
+
(ssl->tls13_variant != tls13_experiment2 &&
|
318
|
+
version == TLS1_3_EXPERIMENT2_VERSION) ||
|
319
|
+
(ssl->tls13_variant != tls13_experiment3 &&
|
320
|
+
version == TLS1_3_EXPERIMENT3_VERSION) ||
|
321
|
+
(ssl->tls13_variant != tls13_default &&
|
322
|
+
version == TLS1_3_DRAFT_VERSION)) {
|
323
|
+
return false;
|
324
|
+
}
|
325
|
+
}
|
326
|
+
|
327
|
+
uint16_t protocol_version;
|
328
|
+
return method_supports_version(ssl->method, version) &&
|
329
|
+
ssl_protocol_version_from_wire(&protocol_version, version) &&
|
330
|
+
hs->min_version <= protocol_version &&
|
331
|
+
protocol_version <= hs->max_version;
|
332
|
+
}
|
333
|
+
|
334
|
+
bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
|
335
|
+
const uint16_t *versions;
|
336
|
+
size_t num_versions;
|
337
|
+
get_method_versions(hs->ssl->method, &versions, &num_versions);
|
338
|
+
for (size_t i = 0; i < num_versions; i++) {
|
339
|
+
if (ssl_supports_version(hs, versions[i]) &&
|
340
|
+
!CBB_add_u16(cbb, versions[i])) {
|
341
|
+
return false;
|
342
|
+
}
|
343
|
+
}
|
344
|
+
return true;
|
345
|
+
}
|
346
|
+
|
347
|
+
bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
348
|
+
uint16_t *out_version, const CBS *peer_versions) {
|
349
|
+
const uint16_t *versions;
|
350
|
+
size_t num_versions;
|
351
|
+
get_method_versions(hs->ssl->method, &versions, &num_versions);
|
352
|
+
for (size_t i = 0; i < num_versions; i++) {
|
353
|
+
if (!ssl_supports_version(hs, versions[i])) {
|
354
|
+
continue;
|
355
|
+
}
|
356
|
+
|
357
|
+
CBS copy = *peer_versions;
|
358
|
+
while (CBS_len(©) != 0) {
|
359
|
+
uint16_t version;
|
360
|
+
if (!CBS_get_u16(©, &version)) {
|
361
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
362
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
363
|
+
return false;
|
364
|
+
}
|
365
|
+
|
366
|
+
if (version == versions[i]) {
|
367
|
+
*out_version = version;
|
368
|
+
return true;
|
369
|
+
}
|
370
|
+
}
|
371
|
+
}
|
372
|
+
|
373
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
|
374
|
+
*out_alert = SSL_AD_PROTOCOL_VERSION;
|
375
|
+
return false;
|
376
|
+
}
|
377
|
+
|
378
|
+
bool ssl_is_resumption_experiment(uint16_t version) {
|
379
|
+
return version == TLS1_3_EXPERIMENT_VERSION ||
|
380
|
+
version == TLS1_3_EXPERIMENT2_VERSION ||
|
381
|
+
version == TLS1_3_EXPERIMENT3_VERSION;
|
382
|
+
}
|
383
|
+
|
384
|
+
bool ssl_is_resumption_variant(enum tls13_variant_t variant) {
|
385
|
+
return variant == tls13_experiment || variant == tls13_experiment2 ||
|
386
|
+
variant == tls13_experiment3;
|
387
|
+
}
|
388
|
+
|
389
|
+
bool ssl_is_resumption_client_ccs_experiment(uint16_t version) {
|
390
|
+
return version == TLS1_3_EXPERIMENT_VERSION ||
|
391
|
+
version == TLS1_3_EXPERIMENT2_VERSION;
|
392
|
+
}
|
393
|
+
|
394
|
+
bool ssl_is_resumption_record_version_experiment(uint16_t version) {
|
395
|
+
return version == TLS1_3_EXPERIMENT2_VERSION ||
|
396
|
+
version == TLS1_3_EXPERIMENT3_VERSION;
|
397
|
+
}
|
398
|
+
|
399
|
+
} // namespace bssl
|
400
|
+
|
401
|
+
using namespace bssl;
|
402
|
+
|
403
|
+
int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
|
404
|
+
return set_min_version(ctx->method, &ctx->conf_min_version, version);
|
405
|
+
}
|
406
|
+
|
407
|
+
int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
|
408
|
+
return set_max_version(ctx->method, &ctx->conf_max_version, version);
|
409
|
+
}
|
410
|
+
|
411
|
+
int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
|
412
|
+
return set_min_version(ssl->method, &ssl->conf_min_version, version);
|
413
|
+
}
|
414
|
+
|
415
|
+
int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
|
416
|
+
return set_max_version(ssl->method, &ssl->conf_max_version, version);
|
417
|
+
}
|
418
|
+
|
419
|
+
int SSL_version(const SSL *ssl) {
|
420
|
+
return wire_version_to_api(ssl_version(ssl));
|
421
|
+
}
|
422
|
+
|
423
|
+
const char *SSL_get_version(const SSL *ssl) {
|
424
|
+
return ssl_version_to_string(ssl_version(ssl));
|
425
|
+
}
|
426
|
+
|
427
|
+
const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
|
428
|
+
return ssl_version_to_string(session->ssl_version);
|
429
|
+
}
|
430
|
+
|
431
|
+
uint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) {
|
432
|
+
return wire_version_to_api(session->ssl_version);
|
433
|
+
}
|
434
|
+
|
435
|
+
int SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) {
|
436
|
+
// This picks a representative TLS 1.3 version, but this API should only be
|
437
|
+
// used on unit test sessions anyway.
|
438
|
+
return api_version_to_wire(&session->ssl_version, version);
|
439
|
+
}
|
@@ -152,9 +152,433 @@
|
|
152
152
|
#include <openssl/x509_vfy.h>
|
153
153
|
|
154
154
|
#include "internal.h"
|
155
|
+
#include "../crypto/internal.h"
|
155
156
|
|
156
157
|
|
158
|
+
namespace bssl {
|
159
|
+
|
160
|
+
// check_ssl_x509_method asserts that |ssl| has the X509-based method
|
161
|
+
// installed. Calling an X509-based method on an |ssl| with a different method
|
162
|
+
// will likely misbehave and possibly crash or leak memory.
|
163
|
+
static void check_ssl_x509_method(const SSL *ssl) {
|
164
|
+
assert(ssl == NULL || ssl->ctx->x509_method == &ssl_crypto_x509_method);
|
165
|
+
}
|
166
|
+
|
167
|
+
// check_ssl_ctx_x509_method acts like |check_ssl_x509_method|, but for an
|
168
|
+
// |SSL_CTX|.
|
169
|
+
static void check_ssl_ctx_x509_method(const SSL_CTX *ctx) {
|
170
|
+
assert(ctx == NULL || ctx->x509_method == &ssl_crypto_x509_method);
|
171
|
+
}
|
172
|
+
|
173
|
+
// x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised
|
174
|
+
// contents of |x509|.
|
175
|
+
static UniquePtr<CRYPTO_BUFFER> x509_to_buffer(X509 *x509) {
|
176
|
+
uint8_t *buf = NULL;
|
177
|
+
int cert_len = i2d_X509(x509, &buf);
|
178
|
+
if (cert_len <= 0) {
|
179
|
+
return 0;
|
180
|
+
}
|
181
|
+
|
182
|
+
UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(buf, cert_len, NULL));
|
183
|
+
OPENSSL_free(buf);
|
184
|
+
|
185
|
+
return buffer;
|
186
|
+
}
|
187
|
+
|
188
|
+
// new_leafless_chain returns a fresh stack of buffers set to {NULL}.
|
189
|
+
static STACK_OF(CRYPTO_BUFFER) *new_leafless_chain(void) {
|
190
|
+
STACK_OF(CRYPTO_BUFFER) *chain = sk_CRYPTO_BUFFER_new_null();
|
191
|
+
if (chain == NULL) {
|
192
|
+
return NULL;
|
193
|
+
}
|
194
|
+
|
195
|
+
if (!sk_CRYPTO_BUFFER_push(chain, NULL)) {
|
196
|
+
sk_CRYPTO_BUFFER_free(chain);
|
197
|
+
return NULL;
|
198
|
+
}
|
199
|
+
|
200
|
+
return chain;
|
201
|
+
}
|
202
|
+
|
203
|
+
// ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised
|
204
|
+
// forms of elements of |chain|. It returns one on success or zero on error, in
|
205
|
+
// which case no change to |cert->chain| is made. It preverses the existing
|
206
|
+
// leaf from |cert->chain|, if any.
|
207
|
+
static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) {
|
208
|
+
UniquePtr<STACK_OF(CRYPTO_BUFFER)> new_chain;
|
209
|
+
|
210
|
+
if (cert->chain != NULL) {
|
211
|
+
new_chain.reset(sk_CRYPTO_BUFFER_new_null());
|
212
|
+
if (!new_chain) {
|
213
|
+
return 0;
|
214
|
+
}
|
215
|
+
|
216
|
+
CRYPTO_BUFFER *leaf = sk_CRYPTO_BUFFER_value(cert->chain, 0);
|
217
|
+
if (!sk_CRYPTO_BUFFER_push(new_chain.get(), leaf)) {
|
218
|
+
return 0;
|
219
|
+
}
|
220
|
+
// |leaf| might be NULL if it's a “leafless” chain.
|
221
|
+
if (leaf != NULL) {
|
222
|
+
CRYPTO_BUFFER_up_ref(leaf);
|
223
|
+
}
|
224
|
+
}
|
225
|
+
|
226
|
+
for (X509 *x509 : chain) {
|
227
|
+
if (!new_chain) {
|
228
|
+
new_chain.reset(new_leafless_chain());
|
229
|
+
if (!new_chain) {
|
230
|
+
return 0;
|
231
|
+
}
|
232
|
+
}
|
233
|
+
|
234
|
+
UniquePtr<CRYPTO_BUFFER> buffer = x509_to_buffer(x509);
|
235
|
+
if (!buffer ||
|
236
|
+
!PushToStack(new_chain.get(), std::move(buffer))) {
|
237
|
+
return 0;
|
238
|
+
}
|
239
|
+
}
|
240
|
+
|
241
|
+
sk_CRYPTO_BUFFER_pop_free(cert->chain, CRYPTO_BUFFER_free);
|
242
|
+
cert->chain = new_chain.release();
|
243
|
+
|
244
|
+
return 1;
|
245
|
+
}
|
246
|
+
|
247
|
+
static void ssl_crypto_x509_cert_flush_cached_leaf(CERT *cert) {
|
248
|
+
X509_free(cert->x509_leaf);
|
249
|
+
cert->x509_leaf = NULL;
|
250
|
+
}
|
251
|
+
|
252
|
+
static void ssl_crypto_x509_cert_flush_cached_chain(CERT *cert) {
|
253
|
+
sk_X509_pop_free(cert->x509_chain, X509_free);
|
254
|
+
cert->x509_chain = NULL;
|
255
|
+
}
|
256
|
+
|
257
|
+
static int ssl_crypto_x509_check_client_CA_list(
|
258
|
+
STACK_OF(CRYPTO_BUFFER) *names) {
|
259
|
+
for (const CRYPTO_BUFFER *buffer : names) {
|
260
|
+
const uint8_t *inp = CRYPTO_BUFFER_data(buffer);
|
261
|
+
X509_NAME *name = d2i_X509_NAME(NULL, &inp, CRYPTO_BUFFER_len(buffer));
|
262
|
+
const int ok = name != NULL && inp == CRYPTO_BUFFER_data(buffer) +
|
263
|
+
CRYPTO_BUFFER_len(buffer);
|
264
|
+
X509_NAME_free(name);
|
265
|
+
if (!ok) {
|
266
|
+
return 0;
|
267
|
+
}
|
268
|
+
}
|
269
|
+
|
270
|
+
return 1;
|
271
|
+
}
|
272
|
+
|
273
|
+
static void ssl_crypto_x509_cert_clear(CERT *cert) {
|
274
|
+
ssl_crypto_x509_cert_flush_cached_leaf(cert);
|
275
|
+
ssl_crypto_x509_cert_flush_cached_chain(cert);
|
276
|
+
|
277
|
+
X509_free(cert->x509_stash);
|
278
|
+
cert->x509_stash = NULL;
|
279
|
+
}
|
280
|
+
|
281
|
+
static void ssl_crypto_x509_cert_free(CERT *cert) {
|
282
|
+
ssl_crypto_x509_cert_clear(cert);
|
283
|
+
X509_STORE_free(cert->verify_store);
|
284
|
+
}
|
285
|
+
|
286
|
+
static void ssl_crypto_x509_cert_dup(CERT *new_cert, const CERT *cert) {
|
287
|
+
if (cert->verify_store != NULL) {
|
288
|
+
X509_STORE_up_ref(cert->verify_store);
|
289
|
+
new_cert->verify_store = cert->verify_store;
|
290
|
+
}
|
291
|
+
}
|
292
|
+
|
293
|
+
static int ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
|
294
|
+
bssl::UniquePtr<STACK_OF(X509)> chain;
|
295
|
+
if (sk_CRYPTO_BUFFER_num(sess->certs) > 0) {
|
296
|
+
chain.reset(sk_X509_new_null());
|
297
|
+
if (!chain) {
|
298
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
299
|
+
return 0;
|
300
|
+
}
|
301
|
+
}
|
302
|
+
|
303
|
+
X509 *leaf = nullptr;
|
304
|
+
for (CRYPTO_BUFFER *cert : sess->certs) {
|
305
|
+
UniquePtr<X509> x509(X509_parse_from_buffer(cert));
|
306
|
+
if (!x509) {
|
307
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
308
|
+
return 0;
|
309
|
+
}
|
310
|
+
if (leaf == nullptr) {
|
311
|
+
leaf = x509.get();
|
312
|
+
}
|
313
|
+
if (!PushToStack(chain.get(), std::move(x509))) {
|
314
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
315
|
+
return 0;
|
316
|
+
}
|
317
|
+
}
|
318
|
+
|
319
|
+
sk_X509_pop_free(sess->x509_chain, X509_free);
|
320
|
+
sess->x509_chain = chain.release();
|
321
|
+
sk_X509_pop_free(sess->x509_chain_without_leaf, X509_free);
|
322
|
+
sess->x509_chain_without_leaf = NULL;
|
323
|
+
|
324
|
+
X509_free(sess->x509_peer);
|
325
|
+
if (leaf != NULL) {
|
326
|
+
X509_up_ref(leaf);
|
327
|
+
}
|
328
|
+
sess->x509_peer = leaf;
|
329
|
+
return 1;
|
330
|
+
}
|
331
|
+
|
332
|
+
static int ssl_crypto_x509_session_dup(SSL_SESSION *new_session,
|
333
|
+
const SSL_SESSION *session) {
|
334
|
+
if (session->x509_peer != NULL) {
|
335
|
+
X509_up_ref(session->x509_peer);
|
336
|
+
new_session->x509_peer = session->x509_peer;
|
337
|
+
}
|
338
|
+
if (session->x509_chain != NULL) {
|
339
|
+
new_session->x509_chain = X509_chain_up_ref(session->x509_chain);
|
340
|
+
if (new_session->x509_chain == NULL) {
|
341
|
+
return 0;
|
342
|
+
}
|
343
|
+
}
|
344
|
+
|
345
|
+
return 1;
|
346
|
+
}
|
347
|
+
|
348
|
+
static void ssl_crypto_x509_session_clear(SSL_SESSION *session) {
|
349
|
+
X509_free(session->x509_peer);
|
350
|
+
session->x509_peer = NULL;
|
351
|
+
sk_X509_pop_free(session->x509_chain, X509_free);
|
352
|
+
session->x509_chain = NULL;
|
353
|
+
sk_X509_pop_free(session->x509_chain_without_leaf, X509_free);
|
354
|
+
session->x509_chain_without_leaf = NULL;
|
355
|
+
}
|
356
|
+
|
357
|
+
static int ssl_verify_alarm_type(long type) {
|
358
|
+
switch (type) {
|
359
|
+
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
|
360
|
+
case X509_V_ERR_UNABLE_TO_GET_CRL:
|
361
|
+
case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
|
362
|
+
return SSL_AD_UNKNOWN_CA;
|
363
|
+
|
364
|
+
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
|
365
|
+
case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
|
366
|
+
case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
|
367
|
+
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
|
368
|
+
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
|
369
|
+
case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
|
370
|
+
case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
|
371
|
+
case X509_V_ERR_CERT_NOT_YET_VALID:
|
372
|
+
case X509_V_ERR_CRL_NOT_YET_VALID:
|
373
|
+
case X509_V_ERR_CERT_UNTRUSTED:
|
374
|
+
case X509_V_ERR_CERT_REJECTED:
|
375
|
+
case X509_V_ERR_HOSTNAME_MISMATCH:
|
376
|
+
case X509_V_ERR_EMAIL_MISMATCH:
|
377
|
+
case X509_V_ERR_IP_ADDRESS_MISMATCH:
|
378
|
+
return SSL_AD_BAD_CERTIFICATE;
|
379
|
+
|
380
|
+
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
|
381
|
+
case X509_V_ERR_CRL_SIGNATURE_FAILURE:
|
382
|
+
return SSL_AD_DECRYPT_ERROR;
|
383
|
+
|
384
|
+
case X509_V_ERR_CERT_HAS_EXPIRED:
|
385
|
+
case X509_V_ERR_CRL_HAS_EXPIRED:
|
386
|
+
return SSL_AD_CERTIFICATE_EXPIRED;
|
387
|
+
|
388
|
+
case X509_V_ERR_CERT_REVOKED:
|
389
|
+
return SSL_AD_CERTIFICATE_REVOKED;
|
390
|
+
|
391
|
+
case X509_V_ERR_UNSPECIFIED:
|
392
|
+
case X509_V_ERR_OUT_OF_MEM:
|
393
|
+
case X509_V_ERR_INVALID_CALL:
|
394
|
+
case X509_V_ERR_STORE_LOOKUP:
|
395
|
+
return SSL_AD_INTERNAL_ERROR;
|
396
|
+
|
397
|
+
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
|
398
|
+
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
|
399
|
+
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
|
400
|
+
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
|
401
|
+
case X509_V_ERR_CERT_CHAIN_TOO_LONG:
|
402
|
+
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
|
403
|
+
case X509_V_ERR_INVALID_CA:
|
404
|
+
return SSL_AD_UNKNOWN_CA;
|
405
|
+
|
406
|
+
case X509_V_ERR_APPLICATION_VERIFICATION:
|
407
|
+
return SSL_AD_HANDSHAKE_FAILURE;
|
408
|
+
|
409
|
+
case X509_V_ERR_INVALID_PURPOSE:
|
410
|
+
return SSL_AD_UNSUPPORTED_CERTIFICATE;
|
411
|
+
|
412
|
+
default:
|
413
|
+
return SSL_AD_CERTIFICATE_UNKNOWN;
|
414
|
+
}
|
415
|
+
}
|
416
|
+
|
417
|
+
static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
|
418
|
+
SSL *ssl,
|
419
|
+
uint8_t *out_alert) {
|
420
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
421
|
+
STACK_OF(X509) *const cert_chain = session->x509_chain;
|
422
|
+
if (cert_chain == NULL || sk_X509_num(cert_chain) == 0) {
|
423
|
+
return 0;
|
424
|
+
}
|
425
|
+
|
426
|
+
X509_STORE *verify_store = ssl->ctx->cert_store;
|
427
|
+
if (ssl->cert->verify_store != NULL) {
|
428
|
+
verify_store = ssl->cert->verify_store;
|
429
|
+
}
|
430
|
+
|
431
|
+
X509 *leaf = sk_X509_value(cert_chain, 0);
|
432
|
+
ScopedX509_STORE_CTX ctx;
|
433
|
+
if (!X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain)) {
|
434
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
|
435
|
+
return 0;
|
436
|
+
}
|
437
|
+
if (!X509_STORE_CTX_set_ex_data(ctx.get(),
|
438
|
+
SSL_get_ex_data_X509_STORE_CTX_idx(), ssl)) {
|
439
|
+
return 0;
|
440
|
+
}
|
441
|
+
|
442
|
+
// We need to inherit the verify parameters. These can be determined by the
|
443
|
+
// context: if its a server it will verify SSL client certificates or vice
|
444
|
+
// versa.
|
445
|
+
X509_STORE_CTX_set_default(ctx.get(),
|
446
|
+
ssl->server ? "ssl_client" : "ssl_server");
|
447
|
+
|
448
|
+
// Anything non-default in "param" should overwrite anything in the ctx.
|
449
|
+
X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()), ssl->param);
|
450
|
+
|
451
|
+
if (ssl->verify_callback) {
|
452
|
+
X509_STORE_CTX_set_verify_cb(ctx.get(), ssl->verify_callback);
|
453
|
+
}
|
454
|
+
|
455
|
+
int verify_ret;
|
456
|
+
if (ssl->ctx->app_verify_callback != NULL) {
|
457
|
+
verify_ret =
|
458
|
+
ssl->ctx->app_verify_callback(ctx.get(), ssl->ctx->app_verify_arg);
|
459
|
+
} else {
|
460
|
+
verify_ret = X509_verify_cert(ctx.get());
|
461
|
+
}
|
462
|
+
|
463
|
+
session->verify_result = ctx->error;
|
464
|
+
|
465
|
+
// If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result.
|
466
|
+
if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) {
|
467
|
+
*out_alert = ssl_verify_alarm_type(ctx->error);
|
468
|
+
return 0;
|
469
|
+
}
|
470
|
+
|
471
|
+
ERR_clear_error();
|
472
|
+
return 1;
|
473
|
+
}
|
474
|
+
|
475
|
+
static void ssl_crypto_x509_hs_flush_cached_ca_names(SSL_HANDSHAKE *hs) {
|
476
|
+
sk_X509_NAME_pop_free(hs->cached_x509_ca_names, X509_NAME_free);
|
477
|
+
hs->cached_x509_ca_names = NULL;
|
478
|
+
}
|
479
|
+
|
480
|
+
static int ssl_crypto_x509_ssl_new(SSL *ssl) {
|
481
|
+
ssl->param = X509_VERIFY_PARAM_new();
|
482
|
+
if (ssl->param == NULL) {
|
483
|
+
return 0;
|
484
|
+
}
|
485
|
+
X509_VERIFY_PARAM_inherit(ssl->param, ssl->ctx->param);
|
486
|
+
return 1;
|
487
|
+
}
|
488
|
+
|
489
|
+
static void ssl_crypto_x509_ssl_flush_cached_client_CA(SSL *ssl) {
|
490
|
+
sk_X509_NAME_pop_free(ssl->cached_x509_client_CA, X509_NAME_free);
|
491
|
+
ssl->cached_x509_client_CA = NULL;
|
492
|
+
}
|
493
|
+
|
494
|
+
static void ssl_crypto_x509_ssl_free(SSL *ssl) {
|
495
|
+
ssl_crypto_x509_ssl_flush_cached_client_CA(ssl);
|
496
|
+
X509_VERIFY_PARAM_free(ssl->param);
|
497
|
+
}
|
498
|
+
|
499
|
+
static int ssl_crypto_x509_ssl_auto_chain_if_needed(SSL *ssl) {
|
500
|
+
// Only build a chain if there are no intermediates configured and the feature
|
501
|
+
// isn't disabled.
|
502
|
+
if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) ||
|
503
|
+
!ssl_has_certificate(ssl) ||
|
504
|
+
ssl->cert->chain == NULL ||
|
505
|
+
sk_CRYPTO_BUFFER_num(ssl->cert->chain) > 1) {
|
506
|
+
return 1;
|
507
|
+
}
|
508
|
+
|
509
|
+
UniquePtr<X509> leaf(
|
510
|
+
X509_parse_from_buffer(sk_CRYPTO_BUFFER_value(ssl->cert->chain, 0)));
|
511
|
+
if (!leaf) {
|
512
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
|
513
|
+
return 0;
|
514
|
+
}
|
515
|
+
|
516
|
+
ScopedX509_STORE_CTX ctx;
|
517
|
+
if (!X509_STORE_CTX_init(ctx.get(), ssl->ctx->cert_store, leaf.get(), NULL)) {
|
518
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
|
519
|
+
return 0;
|
520
|
+
}
|
521
|
+
|
522
|
+
// Attempt to build a chain, ignoring the result.
|
523
|
+
X509_verify_cert(ctx.get());
|
524
|
+
ERR_clear_error();
|
525
|
+
|
526
|
+
// Remove the leaf from the generated chain.
|
527
|
+
X509_free(sk_X509_shift(ctx->chain));
|
528
|
+
|
529
|
+
if (!ssl_cert_set_chain(ssl->cert, ctx->chain)) {
|
530
|
+
return 0;
|
531
|
+
}
|
532
|
+
|
533
|
+
ssl_crypto_x509_cert_flush_cached_chain(ssl->cert);
|
534
|
+
|
535
|
+
return 1;
|
536
|
+
}
|
537
|
+
|
538
|
+
static void ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) {
|
539
|
+
sk_X509_NAME_pop_free(ctx->cached_x509_client_CA, X509_NAME_free);
|
540
|
+
ctx->cached_x509_client_CA = NULL;
|
541
|
+
}
|
542
|
+
|
543
|
+
static int ssl_crypto_x509_ssl_ctx_new(SSL_CTX *ctx) {
|
544
|
+
ctx->cert_store = X509_STORE_new();
|
545
|
+
ctx->param = X509_VERIFY_PARAM_new();
|
546
|
+
return (ctx->cert_store != NULL && ctx->param != NULL);
|
547
|
+
}
|
548
|
+
|
549
|
+
static void ssl_crypto_x509_ssl_ctx_free(SSL_CTX *ctx) {
|
550
|
+
ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(ctx);
|
551
|
+
X509_VERIFY_PARAM_free(ctx->param);
|
552
|
+
X509_STORE_free(ctx->cert_store);
|
553
|
+
}
|
554
|
+
|
555
|
+
const SSL_X509_METHOD ssl_crypto_x509_method = {
|
556
|
+
ssl_crypto_x509_check_client_CA_list,
|
557
|
+
ssl_crypto_x509_cert_clear,
|
558
|
+
ssl_crypto_x509_cert_free,
|
559
|
+
ssl_crypto_x509_cert_dup,
|
560
|
+
ssl_crypto_x509_cert_flush_cached_chain,
|
561
|
+
ssl_crypto_x509_cert_flush_cached_leaf,
|
562
|
+
ssl_crypto_x509_session_cache_objects,
|
563
|
+
ssl_crypto_x509_session_dup,
|
564
|
+
ssl_crypto_x509_session_clear,
|
565
|
+
ssl_crypto_x509_session_verify_cert_chain,
|
566
|
+
ssl_crypto_x509_hs_flush_cached_ca_names,
|
567
|
+
ssl_crypto_x509_ssl_new,
|
568
|
+
ssl_crypto_x509_ssl_free,
|
569
|
+
ssl_crypto_x509_ssl_flush_cached_client_CA,
|
570
|
+
ssl_crypto_x509_ssl_auto_chain_if_needed,
|
571
|
+
ssl_crypto_x509_ssl_ctx_new,
|
572
|
+
ssl_crypto_x509_ssl_ctx_free,
|
573
|
+
ssl_crypto_x509_ssl_ctx_flush_cached_client_CA,
|
574
|
+
};
|
575
|
+
|
576
|
+
} // namespace bssl
|
577
|
+
|
578
|
+
using namespace bssl;
|
579
|
+
|
157
580
|
X509 *SSL_get_peer_certificate(const SSL *ssl) {
|
581
|
+
check_ssl_x509_method(ssl);
|
158
582
|
if (ssl == NULL) {
|
159
583
|
return NULL;
|
160
584
|
}
|
@@ -167,6 +591,7 @@ X509 *SSL_get_peer_certificate(const SSL *ssl) {
|
|
167
591
|
}
|
168
592
|
|
169
593
|
STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
|
594
|
+
check_ssl_x509_method(ssl);
|
170
595
|
if (ssl == NULL) {
|
171
596
|
return NULL;
|
172
597
|
}
|
@@ -180,8 +605,8 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
|
|
180
605
|
return session->x509_chain;
|
181
606
|
}
|
182
607
|
|
183
|
-
|
184
|
-
|
608
|
+
// OpenSSL historically didn't include the leaf certificate in the returned
|
609
|
+
// certificate chain, but only for servers.
|
185
610
|
if (session->x509_chain_without_leaf == NULL) {
|
186
611
|
session->x509_chain_without_leaf = sk_X509_new_null();
|
187
612
|
if (session->x509_chain_without_leaf == NULL) {
|
@@ -203,6 +628,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
|
|
203
628
|
}
|
204
629
|
|
205
630
|
STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl) {
|
631
|
+
check_ssl_x509_method(ssl);
|
206
632
|
SSL_SESSION *session = SSL_get_session(ssl);
|
207
633
|
if (session == NULL) {
|
208
634
|
return NULL;
|
@@ -212,54 +638,74 @@ STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl) {
|
|
212
638
|
}
|
213
639
|
|
214
640
|
int SSL_CTX_set_purpose(SSL_CTX *ctx, int purpose) {
|
641
|
+
check_ssl_ctx_x509_method(ctx);
|
215
642
|
return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
|
216
643
|
}
|
217
644
|
|
218
645
|
int SSL_set_purpose(SSL *ssl, int purpose) {
|
646
|
+
check_ssl_x509_method(ssl);
|
219
647
|
return X509_VERIFY_PARAM_set_purpose(ssl->param, purpose);
|
220
648
|
}
|
221
649
|
|
222
650
|
int SSL_CTX_set_trust(SSL_CTX *ctx, int trust) {
|
651
|
+
check_ssl_ctx_x509_method(ctx);
|
223
652
|
return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
|
224
653
|
}
|
225
654
|
|
226
655
|
int SSL_set_trust(SSL *ssl, int trust) {
|
656
|
+
check_ssl_x509_method(ssl);
|
227
657
|
return X509_VERIFY_PARAM_set_trust(ssl->param, trust);
|
228
658
|
}
|
229
659
|
|
230
660
|
int SSL_CTX_set1_param(SSL_CTX *ctx, const X509_VERIFY_PARAM *param) {
|
661
|
+
check_ssl_ctx_x509_method(ctx);
|
231
662
|
return X509_VERIFY_PARAM_set1(ctx->param, param);
|
232
663
|
}
|
233
664
|
|
234
665
|
int SSL_set1_param(SSL *ssl, const X509_VERIFY_PARAM *param) {
|
666
|
+
check_ssl_x509_method(ssl);
|
235
667
|
return X509_VERIFY_PARAM_set1(ssl->param, param);
|
236
668
|
}
|
237
669
|
|
238
|
-
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) {
|
670
|
+
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) {
|
671
|
+
check_ssl_ctx_x509_method(ctx);
|
672
|
+
return ctx->param;
|
673
|
+
}
|
239
674
|
|
240
|
-
X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) {
|
675
|
+
X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) {
|
676
|
+
check_ssl_x509_method(ssl);
|
677
|
+
return ssl->param;
|
678
|
+
}
|
241
679
|
|
242
680
|
int SSL_get_verify_depth(const SSL *ssl) {
|
681
|
+
check_ssl_x509_method(ssl);
|
243
682
|
return X509_VERIFY_PARAM_get_depth(ssl->param);
|
244
683
|
}
|
245
684
|
|
246
685
|
int (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *) {
|
686
|
+
check_ssl_x509_method(ssl);
|
247
687
|
return ssl->verify_callback;
|
248
688
|
}
|
249
689
|
|
250
|
-
int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) {
|
690
|
+
int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) {
|
691
|
+
check_ssl_ctx_x509_method(ctx);
|
692
|
+
return ctx->verify_mode;
|
693
|
+
}
|
251
694
|
|
252
695
|
int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) {
|
696
|
+
check_ssl_ctx_x509_method(ctx);
|
253
697
|
return X509_VERIFY_PARAM_get_depth(ctx->param);
|
254
698
|
}
|
255
699
|
|
256
700
|
int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(
|
257
701
|
int ok, X509_STORE_CTX *store_ctx) {
|
702
|
+
check_ssl_ctx_x509_method(ctx);
|
258
703
|
return ctx->default_verify_callback;
|
259
704
|
}
|
260
705
|
|
261
706
|
void SSL_set_verify(SSL *ssl, int mode,
|
262
707
|
int (*callback)(int ok, X509_STORE_CTX *store_ctx)) {
|
708
|
+
check_ssl_x509_method(ssl);
|
263
709
|
ssl->verify_mode = mode;
|
264
710
|
if (callback != NULL) {
|
265
711
|
ssl->verify_callback = callback;
|
@@ -267,6 +713,7 @@ void SSL_set_verify(SSL *ssl, int mode,
|
|
267
713
|
}
|
268
714
|
|
269
715
|
void SSL_set_verify_depth(SSL *ssl, int depth) {
|
716
|
+
check_ssl_x509_method(ssl);
|
270
717
|
X509_VERIFY_PARAM_set_depth(ssl->param, depth);
|
271
718
|
}
|
272
719
|
|
@@ -274,36 +721,43 @@ void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
|
|
274
721
|
int (*cb)(X509_STORE_CTX *store_ctx,
|
275
722
|
void *arg),
|
276
723
|
void *arg) {
|
724
|
+
check_ssl_ctx_x509_method(ctx);
|
277
725
|
ctx->app_verify_callback = cb;
|
278
726
|
ctx->app_verify_arg = arg;
|
279
727
|
}
|
280
728
|
|
281
729
|
void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
|
282
730
|
int (*cb)(int, X509_STORE_CTX *)) {
|
731
|
+
check_ssl_ctx_x509_method(ctx);
|
283
732
|
ctx->verify_mode = mode;
|
284
733
|
ctx->default_verify_callback = cb;
|
285
734
|
}
|
286
735
|
|
287
736
|
void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) {
|
737
|
+
check_ssl_ctx_x509_method(ctx);
|
288
738
|
X509_VERIFY_PARAM_set_depth(ctx->param, depth);
|
289
739
|
}
|
290
740
|
|
291
741
|
int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) {
|
742
|
+
check_ssl_ctx_x509_method(ctx);
|
292
743
|
return X509_STORE_set_default_paths(ctx->cert_store);
|
293
744
|
}
|
294
745
|
|
295
746
|
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *ca_file,
|
296
747
|
const char *ca_dir) {
|
748
|
+
check_ssl_ctx_x509_method(ctx);
|
297
749
|
return X509_STORE_load_locations(ctx->cert_store, ca_file, ca_dir);
|
298
750
|
}
|
299
751
|
|
300
752
|
void SSL_set_verify_result(SSL *ssl, long result) {
|
753
|
+
check_ssl_x509_method(ssl);
|
301
754
|
if (result != X509_V_OK) {
|
302
755
|
abort();
|
303
756
|
}
|
304
757
|
}
|
305
758
|
|
306
759
|
long SSL_get_verify_result(const SSL *ssl) {
|
760
|
+
check_ssl_x509_method(ssl);
|
307
761
|
SSL_SESSION *session = SSL_get_session(ssl);
|
308
762
|
if (session == NULL) {
|
309
763
|
return X509_V_ERR_INVALID_CALL;
|
@@ -312,154 +766,42 @@ long SSL_get_verify_result(const SSL *ssl) {
|
|
312
766
|
}
|
313
767
|
|
314
768
|
X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) {
|
769
|
+
check_ssl_ctx_x509_method(ctx);
|
315
770
|
return ctx->cert_store;
|
316
771
|
}
|
317
772
|
|
318
773
|
void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) {
|
774
|
+
check_ssl_ctx_x509_method(ctx);
|
319
775
|
X509_STORE_free(ctx->cert_store);
|
320
776
|
ctx->cert_store = store;
|
321
777
|
}
|
322
778
|
|
323
|
-
static void ssl_crypto_x509_flush_cached_leaf(CERT *cert) {
|
324
|
-
X509_free(cert->x509_leaf);
|
325
|
-
cert->x509_leaf = NULL;
|
326
|
-
}
|
327
|
-
|
328
|
-
static void ssl_crypto_x509_flush_cached_chain(CERT *cert) {
|
329
|
-
sk_X509_pop_free(cert->x509_chain, X509_free);
|
330
|
-
cert->x509_chain = NULL;
|
331
|
-
}
|
332
|
-
|
333
|
-
static void ssl_crypto_x509_clear(CERT *cert) {
|
334
|
-
ssl_crypto_x509_flush_cached_leaf(cert);
|
335
|
-
ssl_crypto_x509_flush_cached_chain(cert);
|
336
|
-
|
337
|
-
X509_free(cert->x509_stash);
|
338
|
-
cert->x509_stash = NULL;
|
339
|
-
}
|
340
|
-
|
341
|
-
static int ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
|
342
|
-
STACK_OF(X509) *chain = NULL;
|
343
|
-
const size_t num_certs = sk_CRYPTO_BUFFER_num(sess->certs);
|
344
|
-
|
345
|
-
if (num_certs > 0) {
|
346
|
-
chain = sk_X509_new_null();
|
347
|
-
if (chain == NULL) {
|
348
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
349
|
-
goto err;
|
350
|
-
}
|
351
|
-
}
|
352
|
-
|
353
|
-
X509 *leaf = NULL;
|
354
|
-
for (size_t i = 0; i < num_certs; i++) {
|
355
|
-
X509 *x509 = X509_parse_from_buffer(sk_CRYPTO_BUFFER_value(sess->certs, i));
|
356
|
-
if (x509 == NULL) {
|
357
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
358
|
-
goto err;
|
359
|
-
}
|
360
|
-
if (!sk_X509_push(chain, x509)) {
|
361
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
362
|
-
X509_free(x509);
|
363
|
-
goto err;
|
364
|
-
}
|
365
|
-
if (i == 0) {
|
366
|
-
leaf = x509;
|
367
|
-
}
|
368
|
-
}
|
369
|
-
|
370
|
-
sk_X509_pop_free(sess->x509_chain, X509_free);
|
371
|
-
sess->x509_chain = chain;
|
372
|
-
sk_X509_pop_free(sess->x509_chain_without_leaf, X509_free);
|
373
|
-
sess->x509_chain_without_leaf = NULL;
|
374
|
-
|
375
|
-
X509_free(sess->x509_peer);
|
376
|
-
if (leaf != NULL) {
|
377
|
-
X509_up_ref(leaf);
|
378
|
-
}
|
379
|
-
sess->x509_peer = leaf;
|
380
|
-
|
381
|
-
return 1;
|
382
|
-
|
383
|
-
err:
|
384
|
-
sk_X509_pop_free(chain, X509_free);
|
385
|
-
return 0;
|
386
|
-
}
|
387
|
-
|
388
|
-
static int ssl_crypto_x509_session_dup(SSL_SESSION *new_session,
|
389
|
-
const SSL_SESSION *session) {
|
390
|
-
if (session->x509_peer != NULL) {
|
391
|
-
X509_up_ref(session->x509_peer);
|
392
|
-
new_session->x509_peer = session->x509_peer;
|
393
|
-
}
|
394
|
-
if (session->x509_chain != NULL) {
|
395
|
-
new_session->x509_chain = X509_chain_up_ref(session->x509_chain);
|
396
|
-
if (new_session->x509_chain == NULL) {
|
397
|
-
return 0;
|
398
|
-
}
|
399
|
-
}
|
400
|
-
|
401
|
-
return 1;
|
402
|
-
}
|
403
|
-
|
404
|
-
static void ssl_crypto_x509_session_clear(SSL_SESSION *session) {
|
405
|
-
X509_free(session->x509_peer);
|
406
|
-
session->x509_peer = NULL;
|
407
|
-
sk_X509_pop_free(session->x509_chain, X509_free);
|
408
|
-
session->x509_chain = NULL;
|
409
|
-
sk_X509_pop_free(session->x509_chain_without_leaf, X509_free);
|
410
|
-
session->x509_chain_without_leaf = NULL;
|
411
|
-
}
|
412
|
-
|
413
|
-
const SSL_X509_METHOD ssl_crypto_x509_method = {
|
414
|
-
ssl_crypto_x509_clear,
|
415
|
-
ssl_crypto_x509_flush_cached_chain,
|
416
|
-
ssl_crypto_x509_flush_cached_leaf,
|
417
|
-
ssl_crypto_x509_session_cache_objects,
|
418
|
-
ssl_crypto_x509_session_dup,
|
419
|
-
ssl_crypto_x509_session_clear,
|
420
|
-
};
|
421
|
-
|
422
|
-
/* x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised
|
423
|
-
* contents of |x509|. */
|
424
|
-
static CRYPTO_BUFFER *x509_to_buffer(X509 *x509) {
|
425
|
-
uint8_t *buf = NULL;
|
426
|
-
int cert_len = i2d_X509(x509, &buf);
|
427
|
-
if (cert_len <= 0) {
|
428
|
-
return 0;
|
429
|
-
}
|
430
|
-
|
431
|
-
CRYPTO_BUFFER *buffer = CRYPTO_BUFFER_new(buf, cert_len, NULL);
|
432
|
-
OPENSSL_free(buf);
|
433
|
-
|
434
|
-
return buffer;
|
435
|
-
}
|
436
|
-
|
437
779
|
static int ssl_use_certificate(CERT *cert, X509 *x) {
|
438
780
|
if (x == NULL) {
|
439
781
|
OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
|
440
782
|
return 0;
|
441
783
|
}
|
442
784
|
|
443
|
-
CRYPTO_BUFFER
|
444
|
-
if (buffer
|
785
|
+
UniquePtr<CRYPTO_BUFFER> buffer = x509_to_buffer(x);
|
786
|
+
if (!buffer) {
|
445
787
|
return 0;
|
446
788
|
}
|
447
789
|
|
448
|
-
|
449
|
-
CRYPTO_BUFFER_free(buffer);
|
450
|
-
return ok;
|
790
|
+
return ssl_set_cert(cert, std::move(buffer));
|
451
791
|
}
|
452
792
|
|
453
793
|
int SSL_use_certificate(SSL *ssl, X509 *x) {
|
794
|
+
check_ssl_x509_method(ssl);
|
454
795
|
return ssl_use_certificate(ssl->cert, x);
|
455
796
|
}
|
456
797
|
|
457
798
|
int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) {
|
799
|
+
check_ssl_ctx_x509_method(ctx);
|
458
800
|
return ssl_use_certificate(ctx->cert, x);
|
459
801
|
}
|
460
802
|
|
461
|
-
|
462
|
-
|
803
|
+
// ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the
|
804
|
+
// first element of |cert->chain|.
|
463
805
|
static int ssl_cert_cache_leaf_cert(CERT *cert) {
|
464
806
|
assert(cert->x509_method);
|
465
807
|
|
@@ -487,84 +829,23 @@ static X509 *ssl_cert_get0_leaf(CERT *cert) {
|
|
487
829
|
}
|
488
830
|
|
489
831
|
X509 *SSL_get_certificate(const SSL *ssl) {
|
832
|
+
check_ssl_x509_method(ssl);
|
490
833
|
return ssl_cert_get0_leaf(ssl->cert);
|
491
834
|
}
|
492
835
|
|
493
836
|
X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) {
|
837
|
+
check_ssl_ctx_x509_method(ctx);
|
838
|
+
MutexWriteLock lock(const_cast<CRYPTO_MUTEX*>(&ctx->lock));
|
494
839
|
return ssl_cert_get0_leaf(ctx->cert);
|
495
840
|
}
|
496
841
|
|
497
|
-
/* new_leafless_chain returns a fresh stack of buffers set to {NULL}. */
|
498
|
-
static STACK_OF(CRYPTO_BUFFER) *new_leafless_chain(void) {
|
499
|
-
STACK_OF(CRYPTO_BUFFER) *chain = sk_CRYPTO_BUFFER_new_null();
|
500
|
-
if (chain == NULL) {
|
501
|
-
return NULL;
|
502
|
-
}
|
503
|
-
|
504
|
-
if (!sk_CRYPTO_BUFFER_push(chain, NULL)) {
|
505
|
-
sk_CRYPTO_BUFFER_free(chain);
|
506
|
-
return NULL;
|
507
|
-
}
|
508
|
-
|
509
|
-
return chain;
|
510
|
-
}
|
511
|
-
|
512
|
-
/* ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised
|
513
|
-
* forms of elements of |chain|. It returns one on success or zero on error, in
|
514
|
-
* which case no change to |cert->chain| is made. It preverses the existing
|
515
|
-
* leaf from |cert->chain|, if any. */
|
516
|
-
static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) {
|
517
|
-
STACK_OF(CRYPTO_BUFFER) *new_chain = NULL;
|
518
|
-
|
519
|
-
if (cert->chain != NULL) {
|
520
|
-
new_chain = sk_CRYPTO_BUFFER_new_null();
|
521
|
-
if (new_chain == NULL) {
|
522
|
-
return 0;
|
523
|
-
}
|
524
|
-
|
525
|
-
CRYPTO_BUFFER *leaf = sk_CRYPTO_BUFFER_value(cert->chain, 0);
|
526
|
-
if (!sk_CRYPTO_BUFFER_push(new_chain, leaf)) {
|
527
|
-
goto err;
|
528
|
-
}
|
529
|
-
/* |leaf| might be NULL if it's a “leafless” chain. */
|
530
|
-
if (leaf != NULL) {
|
531
|
-
CRYPTO_BUFFER_up_ref(leaf);
|
532
|
-
}
|
533
|
-
}
|
534
|
-
|
535
|
-
for (size_t i = 0; i < sk_X509_num(chain); i++) {
|
536
|
-
if (new_chain == NULL) {
|
537
|
-
new_chain = new_leafless_chain();
|
538
|
-
if (new_chain == NULL) {
|
539
|
-
goto err;
|
540
|
-
}
|
541
|
-
}
|
542
|
-
|
543
|
-
CRYPTO_BUFFER *buffer = x509_to_buffer(sk_X509_value(chain, i));
|
544
|
-
if (buffer == NULL ||
|
545
|
-
!sk_CRYPTO_BUFFER_push(new_chain, buffer)) {
|
546
|
-
CRYPTO_BUFFER_free(buffer);
|
547
|
-
goto err;
|
548
|
-
}
|
549
|
-
}
|
550
|
-
|
551
|
-
sk_CRYPTO_BUFFER_pop_free(cert->chain, CRYPTO_BUFFER_free);
|
552
|
-
cert->chain = new_chain;
|
553
|
-
|
554
|
-
return 1;
|
555
|
-
|
556
|
-
err:
|
557
|
-
sk_CRYPTO_BUFFER_pop_free(new_chain, CRYPTO_BUFFER_free);
|
558
|
-
return 0;
|
559
|
-
}
|
560
|
-
|
561
842
|
static int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain) {
|
562
843
|
if (!ssl_cert_set_chain(cert, chain)) {
|
563
844
|
return 0;
|
564
845
|
}
|
565
846
|
|
566
847
|
sk_X509_pop_free(chain, X509_free);
|
567
|
-
|
848
|
+
ssl_crypto_x509_cert_flush_cached_chain(cert);
|
568
849
|
return 1;
|
569
850
|
}
|
570
851
|
|
@@ -573,31 +854,25 @@ static int ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) {
|
|
573
854
|
return 0;
|
574
855
|
}
|
575
856
|
|
576
|
-
|
857
|
+
ssl_crypto_x509_cert_flush_cached_chain(cert);
|
577
858
|
return 1;
|
578
859
|
}
|
579
860
|
|
580
861
|
static int ssl_cert_append_cert(CERT *cert, X509 *x509) {
|
581
862
|
assert(cert->x509_method);
|
582
863
|
|
583
|
-
CRYPTO_BUFFER
|
584
|
-
if (buffer
|
864
|
+
UniquePtr<CRYPTO_BUFFER> buffer = x509_to_buffer(x509);
|
865
|
+
if (!buffer) {
|
585
866
|
return 0;
|
586
867
|
}
|
587
868
|
|
588
869
|
if (cert->chain != NULL) {
|
589
|
-
|
590
|
-
CRYPTO_BUFFER_free(buffer);
|
591
|
-
return 0;
|
592
|
-
}
|
593
|
-
|
594
|
-
return 1;
|
870
|
+
return PushToStack(cert->chain, std::move(buffer));
|
595
871
|
}
|
596
872
|
|
597
873
|
cert->chain = new_leafless_chain();
|
598
874
|
if (cert->chain == NULL ||
|
599
|
-
!
|
600
|
-
CRYPTO_BUFFER_free(buffer);
|
875
|
+
!PushToStack(cert->chain, std::move(buffer))) {
|
601
876
|
sk_CRYPTO_BUFFER_free(cert->chain);
|
602
877
|
cert->chain = NULL;
|
603
878
|
return 0;
|
@@ -613,7 +888,7 @@ static int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509) {
|
|
613
888
|
|
614
889
|
X509_free(cert->x509_stash);
|
615
890
|
cert->x509_stash = x509;
|
616
|
-
|
891
|
+
ssl_crypto_x509_cert_flush_cached_chain(cert);
|
617
892
|
return 1;
|
618
893
|
}
|
619
894
|
|
@@ -622,103 +897,72 @@ static int ssl_cert_add1_chain_cert(CERT *cert, X509 *x509) {
|
|
622
897
|
return 0;
|
623
898
|
}
|
624
899
|
|
625
|
-
|
900
|
+
ssl_crypto_x509_cert_flush_cached_chain(cert);
|
626
901
|
return 1;
|
627
902
|
}
|
628
903
|
|
629
904
|
int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {
|
905
|
+
check_ssl_ctx_x509_method(ctx);
|
630
906
|
return ssl_cert_set0_chain(ctx->cert, chain);
|
631
907
|
}
|
632
908
|
|
633
909
|
int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {
|
910
|
+
check_ssl_ctx_x509_method(ctx);
|
634
911
|
return ssl_cert_set1_chain(ctx->cert, chain);
|
635
912
|
}
|
636
913
|
|
637
914
|
int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) {
|
915
|
+
check_ssl_x509_method(ssl);
|
638
916
|
return ssl_cert_set0_chain(ssl->cert, chain);
|
639
917
|
}
|
640
918
|
|
641
919
|
int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) {
|
920
|
+
check_ssl_x509_method(ssl);
|
642
921
|
return ssl_cert_set1_chain(ssl->cert, chain);
|
643
922
|
}
|
644
923
|
|
645
924
|
int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) {
|
925
|
+
check_ssl_ctx_x509_method(ctx);
|
646
926
|
return ssl_cert_add0_chain_cert(ctx->cert, x509);
|
647
927
|
}
|
648
928
|
|
649
929
|
int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) {
|
930
|
+
check_ssl_ctx_x509_method(ctx);
|
650
931
|
return ssl_cert_add1_chain_cert(ctx->cert, x509);
|
651
932
|
}
|
652
933
|
|
653
934
|
int SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509) {
|
935
|
+
check_ssl_ctx_x509_method(ctx);
|
654
936
|
return SSL_CTX_add0_chain_cert(ctx, x509);
|
655
937
|
}
|
656
938
|
|
657
939
|
int SSL_add0_chain_cert(SSL *ssl, X509 *x509) {
|
940
|
+
check_ssl_x509_method(ssl);
|
658
941
|
return ssl_cert_add0_chain_cert(ssl->cert, x509);
|
659
942
|
}
|
660
943
|
|
661
944
|
int SSL_add1_chain_cert(SSL *ssl, X509 *x509) {
|
945
|
+
check_ssl_x509_method(ssl);
|
662
946
|
return ssl_cert_add1_chain_cert(ssl->cert, x509);
|
663
947
|
}
|
664
948
|
|
665
949
|
int SSL_CTX_clear_chain_certs(SSL_CTX *ctx) {
|
950
|
+
check_ssl_ctx_x509_method(ctx);
|
666
951
|
return SSL_CTX_set0_chain(ctx, NULL);
|
667
952
|
}
|
668
953
|
|
669
954
|
int SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) {
|
955
|
+
check_ssl_ctx_x509_method(ctx);
|
670
956
|
return SSL_CTX_clear_chain_certs(ctx);
|
671
957
|
}
|
672
958
|
|
673
959
|
int SSL_clear_chain_certs(SSL *ssl) {
|
960
|
+
check_ssl_x509_method(ssl);
|
674
961
|
return SSL_set0_chain(ssl, NULL);
|
675
962
|
}
|
676
963
|
|
677
|
-
|
678
|
-
|
679
|
-
* isn't disabled. */
|
680
|
-
if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) ||
|
681
|
-
!ssl_has_certificate(ssl) ||
|
682
|
-
ssl->cert->chain == NULL ||
|
683
|
-
sk_CRYPTO_BUFFER_num(ssl->cert->chain) > 1) {
|
684
|
-
return 1;
|
685
|
-
}
|
686
|
-
|
687
|
-
X509 *leaf =
|
688
|
-
X509_parse_from_buffer(sk_CRYPTO_BUFFER_value(ssl->cert->chain, 0));
|
689
|
-
if (!leaf) {
|
690
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
|
691
|
-
return 0;
|
692
|
-
}
|
693
|
-
|
694
|
-
X509_STORE_CTX ctx;
|
695
|
-
if (!X509_STORE_CTX_init(&ctx, ssl->ctx->cert_store, leaf, NULL)) {
|
696
|
-
X509_free(leaf);
|
697
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
|
698
|
-
return 0;
|
699
|
-
}
|
700
|
-
|
701
|
-
/* Attempt to build a chain, ignoring the result. */
|
702
|
-
X509_verify_cert(&ctx);
|
703
|
-
X509_free(leaf);
|
704
|
-
ERR_clear_error();
|
705
|
-
|
706
|
-
/* Remove the leaf from the generated chain. */
|
707
|
-
X509_free(sk_X509_shift(ctx.chain));
|
708
|
-
|
709
|
-
const int ok = ssl_cert_set_chain(ssl->cert, ctx.chain);
|
710
|
-
X509_STORE_CTX_cleanup(&ctx);
|
711
|
-
if (!ok) {
|
712
|
-
return 0;
|
713
|
-
}
|
714
|
-
|
715
|
-
ssl_crypto_x509_flush_cached_chain(ssl->cert);
|
716
|
-
|
717
|
-
return 1;
|
718
|
-
}
|
719
|
-
|
720
|
-
/* ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of
|
721
|
-
* |cert->chain|. */
|
964
|
+
// ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of
|
965
|
+
// |cert->chain|.
|
722
966
|
static int ssl_cert_cache_chain_certs(CERT *cert) {
|
723
967
|
assert(cert->x509_method);
|
724
968
|
|
@@ -728,30 +972,27 @@ static int ssl_cert_cache_chain_certs(CERT *cert) {
|
|
728
972
|
return 1;
|
729
973
|
}
|
730
974
|
|
731
|
-
STACK_OF(X509)
|
732
|
-
if (chain
|
975
|
+
UniquePtr<STACK_OF(X509)> chain(sk_X509_new_null());
|
976
|
+
if (!chain) {
|
733
977
|
return 0;
|
734
978
|
}
|
735
979
|
|
736
980
|
for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cert->chain); i++) {
|
737
981
|
CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(cert->chain, i);
|
738
|
-
X509
|
739
|
-
if (x509
|
740
|
-
!
|
741
|
-
|
742
|
-
goto err;
|
982
|
+
UniquePtr<X509> x509(X509_parse_from_buffer(buffer));
|
983
|
+
if (!x509 ||
|
984
|
+
!PushToStack(chain.get(), std::move(x509))) {
|
985
|
+
return 0;
|
743
986
|
}
|
744
987
|
}
|
745
988
|
|
746
|
-
cert->x509_chain = chain;
|
989
|
+
cert->x509_chain = chain.release();
|
747
990
|
return 1;
|
748
|
-
|
749
|
-
err:
|
750
|
-
sk_X509_pop_free(chain, X509_free);
|
751
|
-
return 0;
|
752
991
|
}
|
753
992
|
|
754
993
|
int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) {
|
994
|
+
check_ssl_ctx_x509_method(ctx);
|
995
|
+
MutexWriteLock lock(const_cast<CRYPTO_MUTEX*>(&ctx->lock));
|
755
996
|
if (!ssl_cert_cache_chain_certs(ctx->cert)) {
|
756
997
|
*out_chain = NULL;
|
757
998
|
return 0;
|
@@ -767,6 +1008,7 @@ int SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx,
|
|
767
1008
|
}
|
768
1009
|
|
769
1010
|
int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) {
|
1011
|
+
check_ssl_x509_method(ssl);
|
770
1012
|
if (!ssl_cert_cache_chain_certs(ssl->cert)) {
|
771
1013
|
*out_chain = NULL;
|
772
1014
|
return 0;
|
@@ -777,7 +1019,7 @@ int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) {
|
|
777
1019
|
}
|
778
1020
|
|
779
1021
|
static SSL_SESSION *ssl_session_new_with_crypto_x509(void) {
|
780
|
-
return ssl_session_new(&ssl_crypto_x509_method);
|
1022
|
+
return ssl_session_new(&ssl_crypto_x509_method).release();
|
781
1023
|
}
|
782
1024
|
|
783
1025
|
SSL_SESSION *d2i_SSL_SESSION_bio(BIO *bio, SSL_SESSION **out) {
|
@@ -800,16 +1042,258 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp, long length) {
|
|
800
1042
|
CBS cbs;
|
801
1043
|
CBS_init(&cbs, *pp, length);
|
802
1044
|
|
803
|
-
SSL_SESSION
|
804
|
-
|
805
|
-
if (ret
|
1045
|
+
UniquePtr<SSL_SESSION> ret = SSL_SESSION_parse(&cbs, &ssl_crypto_x509_method,
|
1046
|
+
NULL /* no buffer pool */);
|
1047
|
+
if (!ret) {
|
806
1048
|
return NULL;
|
807
1049
|
}
|
808
1050
|
|
809
1051
|
if (a) {
|
810
1052
|
SSL_SESSION_free(*a);
|
811
|
-
*a = ret;
|
1053
|
+
*a = ret.get();
|
812
1054
|
}
|
813
1055
|
*pp = CBS_data(&cbs);
|
814
|
-
return ret;
|
1056
|
+
return ret.release();
|
1057
|
+
}
|
1058
|
+
|
1059
|
+
STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list) {
|
1060
|
+
return sk_X509_NAME_deep_copy(list, X509_NAME_dup, X509_NAME_free);
|
1061
|
+
}
|
1062
|
+
|
1063
|
+
static void set_client_CA_list(STACK_OF(CRYPTO_BUFFER) **ca_list,
|
1064
|
+
const STACK_OF(X509_NAME) *name_list,
|
1065
|
+
CRYPTO_BUFFER_POOL *pool) {
|
1066
|
+
UniquePtr<STACK_OF(CRYPTO_BUFFER)> buffers(sk_CRYPTO_BUFFER_new_null());
|
1067
|
+
if (!buffers) {
|
1068
|
+
return;
|
1069
|
+
}
|
1070
|
+
|
1071
|
+
for (X509_NAME *name : name_list) {
|
1072
|
+
uint8_t *outp = NULL;
|
1073
|
+
int len = i2d_X509_NAME(name, &outp);
|
1074
|
+
if (len < 0) {
|
1075
|
+
return;
|
1076
|
+
}
|
1077
|
+
|
1078
|
+
UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(outp, len, pool));
|
1079
|
+
OPENSSL_free(outp);
|
1080
|
+
if (!buffer ||
|
1081
|
+
!PushToStack(buffers.get(), std::move(buffer))) {
|
1082
|
+
return;
|
1083
|
+
}
|
1084
|
+
}
|
1085
|
+
|
1086
|
+
sk_CRYPTO_BUFFER_pop_free(*ca_list, CRYPTO_BUFFER_free);
|
1087
|
+
*ca_list = buffers.release();
|
1088
|
+
}
|
1089
|
+
|
1090
|
+
void SSL_set_client_CA_list(SSL *ssl, STACK_OF(X509_NAME) *name_list) {
|
1091
|
+
check_ssl_x509_method(ssl);
|
1092
|
+
ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl);
|
1093
|
+
set_client_CA_list(&ssl->client_CA, name_list, ssl->ctx->pool);
|
1094
|
+
sk_X509_NAME_pop_free(name_list, X509_NAME_free);
|
1095
|
+
}
|
1096
|
+
|
1097
|
+
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) {
|
1098
|
+
check_ssl_ctx_x509_method(ctx);
|
1099
|
+
ctx->x509_method->ssl_ctx_flush_cached_client_CA(ctx);
|
1100
|
+
set_client_CA_list(&ctx->client_CA, name_list, ctx->pool);
|
1101
|
+
sk_X509_NAME_pop_free(name_list, X509_NAME_free);
|
1102
|
+
}
|
1103
|
+
|
1104
|
+
static STACK_OF(X509_NAME) *
|
1105
|
+
buffer_names_to_x509(const STACK_OF(CRYPTO_BUFFER) *names,
|
1106
|
+
STACK_OF(X509_NAME) **cached) {
|
1107
|
+
if (names == NULL) {
|
1108
|
+
return NULL;
|
1109
|
+
}
|
1110
|
+
|
1111
|
+
if (*cached != NULL) {
|
1112
|
+
return *cached;
|
1113
|
+
}
|
1114
|
+
|
1115
|
+
UniquePtr<STACK_OF(X509_NAME)> new_cache(sk_X509_NAME_new_null());
|
1116
|
+
if (!new_cache) {
|
1117
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
1118
|
+
return NULL;
|
1119
|
+
}
|
1120
|
+
|
1121
|
+
for (const CRYPTO_BUFFER *buffer : names) {
|
1122
|
+
const uint8_t *inp = CRYPTO_BUFFER_data(buffer);
|
1123
|
+
UniquePtr<X509_NAME> name(
|
1124
|
+
d2i_X509_NAME(nullptr, &inp, CRYPTO_BUFFER_len(buffer)));
|
1125
|
+
if (!name ||
|
1126
|
+
inp != CRYPTO_BUFFER_data(buffer) + CRYPTO_BUFFER_len(buffer) ||
|
1127
|
+
!PushToStack(new_cache.get(), std::move(name))) {
|
1128
|
+
return NULL;
|
1129
|
+
}
|
1130
|
+
}
|
1131
|
+
|
1132
|
+
*cached = new_cache.release();
|
1133
|
+
return *cached;
|
1134
|
+
}
|
1135
|
+
|
1136
|
+
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) {
|
1137
|
+
check_ssl_x509_method(ssl);
|
1138
|
+
// For historical reasons, this function is used both to query configuration
|
1139
|
+
// state on a server as well as handshake state on a client. However, whether
|
1140
|
+
// |ssl| is a client or server is not known until explicitly configured with
|
1141
|
+
// |SSL_set_connect_state|. If |do_handshake| is NULL, |ssl| is in an
|
1142
|
+
// indeterminate mode and |ssl->server| is unset.
|
1143
|
+
if (ssl->do_handshake != NULL && !ssl->server) {
|
1144
|
+
if (ssl->s3->hs != NULL) {
|
1145
|
+
return buffer_names_to_x509(ssl->s3->hs->ca_names.get(),
|
1146
|
+
&ssl->s3->hs->cached_x509_ca_names);
|
1147
|
+
}
|
1148
|
+
|
1149
|
+
return NULL;
|
1150
|
+
}
|
1151
|
+
|
1152
|
+
if (ssl->client_CA != NULL) {
|
1153
|
+
return buffer_names_to_x509(
|
1154
|
+
ssl->client_CA, (STACK_OF(X509_NAME) **)&ssl->cached_x509_client_CA);
|
1155
|
+
}
|
1156
|
+
return SSL_CTX_get_client_CA_list(ssl->ctx);
|
1157
|
+
}
|
1158
|
+
|
1159
|
+
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {
|
1160
|
+
check_ssl_ctx_x509_method(ctx);
|
1161
|
+
// This is a logically const operation that may be called on multiple threads,
|
1162
|
+
// so it needs to lock around updating |cached_x509_client_CA|.
|
1163
|
+
MutexWriteLock lock(const_cast<CRYPTO_MUTEX *>(&ctx->lock));
|
1164
|
+
return buffer_names_to_x509(
|
1165
|
+
ctx->client_CA,
|
1166
|
+
const_cast<STACK_OF(X509_NAME) **>(&ctx->cached_x509_client_CA));
|
1167
|
+
}
|
1168
|
+
|
1169
|
+
static int add_client_CA(STACK_OF(CRYPTO_BUFFER) **names, X509 *x509,
|
1170
|
+
CRYPTO_BUFFER_POOL *pool) {
|
1171
|
+
if (x509 == NULL) {
|
1172
|
+
return 0;
|
1173
|
+
}
|
1174
|
+
|
1175
|
+
uint8_t *outp = NULL;
|
1176
|
+
int len = i2d_X509_NAME(X509_get_subject_name(x509), &outp);
|
1177
|
+
if (len < 0) {
|
1178
|
+
return 0;
|
1179
|
+
}
|
1180
|
+
|
1181
|
+
UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(outp, len, pool));
|
1182
|
+
OPENSSL_free(outp);
|
1183
|
+
if (!buffer) {
|
1184
|
+
return 0;
|
1185
|
+
}
|
1186
|
+
|
1187
|
+
int alloced = 0;
|
1188
|
+
if (*names == NULL) {
|
1189
|
+
*names = sk_CRYPTO_BUFFER_new_null();
|
1190
|
+
alloced = 1;
|
1191
|
+
|
1192
|
+
if (*names == NULL) {
|
1193
|
+
return 0;
|
1194
|
+
}
|
1195
|
+
}
|
1196
|
+
|
1197
|
+
if (!PushToStack(*names, std::move(buffer))) {
|
1198
|
+
if (alloced) {
|
1199
|
+
sk_CRYPTO_BUFFER_pop_free(*names, CRYPTO_BUFFER_free);
|
1200
|
+
*names = NULL;
|
1201
|
+
}
|
1202
|
+
return 0;
|
1203
|
+
}
|
1204
|
+
|
1205
|
+
return 1;
|
1206
|
+
}
|
1207
|
+
|
1208
|
+
int SSL_add_client_CA(SSL *ssl, X509 *x509) {
|
1209
|
+
check_ssl_x509_method(ssl);
|
1210
|
+
if (!add_client_CA(&ssl->client_CA, x509, ssl->ctx->pool)) {
|
1211
|
+
return 0;
|
1212
|
+
}
|
1213
|
+
|
1214
|
+
ssl_crypto_x509_ssl_flush_cached_client_CA(ssl);
|
1215
|
+
return 1;
|
1216
|
+
}
|
1217
|
+
|
1218
|
+
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509) {
|
1219
|
+
check_ssl_ctx_x509_method(ctx);
|
1220
|
+
if (!add_client_CA(&ctx->client_CA, x509, ctx->pool)) {
|
1221
|
+
return 0;
|
1222
|
+
}
|
1223
|
+
|
1224
|
+
ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(ctx);
|
1225
|
+
return 1;
|
1226
|
+
}
|
1227
|
+
|
1228
|
+
static int do_client_cert_cb(SSL *ssl, void *arg) {
|
1229
|
+
if (ssl_has_certificate(ssl) || ssl->ctx->client_cert_cb == NULL) {
|
1230
|
+
return 1;
|
1231
|
+
}
|
1232
|
+
|
1233
|
+
X509 *x509 = NULL;
|
1234
|
+
EVP_PKEY *pkey = NULL;
|
1235
|
+
int ret = ssl->ctx->client_cert_cb(ssl, &x509, &pkey);
|
1236
|
+
if (ret < 0) {
|
1237
|
+
return -1;
|
1238
|
+
}
|
1239
|
+
UniquePtr<X509> free_x509(x509);
|
1240
|
+
UniquePtr<EVP_PKEY> free_pkey(pkey);
|
1241
|
+
|
1242
|
+
if (ret != 0) {
|
1243
|
+
if (!SSL_use_certificate(ssl, x509) ||
|
1244
|
+
!SSL_use_PrivateKey(ssl, pkey)) {
|
1245
|
+
return 0;
|
1246
|
+
}
|
1247
|
+
}
|
1248
|
+
|
1249
|
+
return 1;
|
1250
|
+
}
|
1251
|
+
|
1252
|
+
void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl,
|
1253
|
+
X509 **out_x509,
|
1254
|
+
EVP_PKEY **out_pkey)) {
|
1255
|
+
check_ssl_ctx_x509_method(ctx);
|
1256
|
+
// Emulate the old client certificate callback with the new one.
|
1257
|
+
SSL_CTX_set_cert_cb(ctx, do_client_cert_cb, NULL);
|
1258
|
+
ctx->client_cert_cb = cb;
|
1259
|
+
}
|
1260
|
+
|
1261
|
+
static int set_cert_store(X509_STORE **store_ptr, X509_STORE *new_store,
|
1262
|
+
int take_ref) {
|
1263
|
+
X509_STORE_free(*store_ptr);
|
1264
|
+
*store_ptr = new_store;
|
1265
|
+
|
1266
|
+
if (new_store != NULL && take_ref) {
|
1267
|
+
X509_STORE_up_ref(new_store);
|
1268
|
+
}
|
1269
|
+
|
1270
|
+
return 1;
|
1271
|
+
}
|
1272
|
+
|
1273
|
+
int SSL_get_ex_data_X509_STORE_CTX_idx(void) {
|
1274
|
+
// The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the
|
1275
|
+
// reserved app_data slot. Before ex_data was introduced, app_data was used.
|
1276
|
+
// Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data|
|
1277
|
+
// works.
|
1278
|
+
return 0;
|
1279
|
+
}
|
1280
|
+
|
1281
|
+
int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *store) {
|
1282
|
+
check_ssl_ctx_x509_method(ctx);
|
1283
|
+
return set_cert_store(&ctx->cert->verify_store, store, 0);
|
1284
|
+
}
|
1285
|
+
|
1286
|
+
int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *store) {
|
1287
|
+
check_ssl_ctx_x509_method(ctx);
|
1288
|
+
return set_cert_store(&ctx->cert->verify_store, store, 1);
|
1289
|
+
}
|
1290
|
+
|
1291
|
+
int SSL_set0_verify_cert_store(SSL *ssl, X509_STORE *store) {
|
1292
|
+
check_ssl_x509_method(ssl);
|
1293
|
+
return set_cert_store(&ssl->cert->verify_store, store, 0);
|
1294
|
+
}
|
1295
|
+
|
1296
|
+
int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store) {
|
1297
|
+
check_ssl_x509_method(ssl);
|
1298
|
+
return set_cert_store(&ssl->cert->verify_store, store, 1);
|
815
1299
|
}
|