grpc 1.9.1 → 1.10.0.pre1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +2654 -953
- data/etc/roots.pem +282 -683
- data/include/grpc/compression.h +9 -26
- data/include/grpc/grpc.h +10 -24
- data/include/grpc/grpc_security.h +7 -1
- data/include/grpc/impl/codegen/compression_types.h +5 -62
- data/include/grpc/impl/codegen/grpc_types.h +10 -6
- data/include/grpc/module.modulemap +1 -10
- data/include/grpc/support/alloc.h +3 -2
- data/include/grpc/support/log.h +1 -2
- data/{src/core/lib/gpr/thd_internal.h → include/grpc/support/thd_id.h} +23 -9
- data/src/boringssl/err_data.c +550 -496
- data/src/core/ext/census/grpc_context.cc +2 -1
- data/src/core/ext/filters/client_channel/backup_poller.cc +5 -4
- data/src/core/ext/filters/client_channel/channel_connectivity.cc +7 -7
- data/src/core/ext/filters/client_channel/client_channel.cc +162 -172
- data/src/core/ext/filters/client_channel/client_channel_factory.cc +4 -2
- data/src/core/ext/filters/client_channel/client_channel_plugin.cc +10 -10
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +18 -14
- data/src/core/ext/filters/client_channel/http_proxy.cc +3 -1
- data/src/core/ext/filters/client_channel/lb_policy.cc +21 -105
- data/src/core/ext/filters/client_channel/lb_policy.h +166 -170
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +41 -36
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +1452 -1459
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +3 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.cc +7 -8
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.cc +27 -27
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +279 -304
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +358 -330
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.cc +30 -41
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +7 -14
- data/src/core/ext/filters/client_channel/lb_policy_factory.cc +8 -21
- data/src/core/ext/filters/client_channel/lb_policy_factory.h +23 -27
- data/src/core/ext/filters/client_channel/lb_policy_registry.cc +58 -33
- data/src/core/ext/filters/client_channel/lb_policy_registry.h +25 -12
- data/src/core/ext/filters/client_channel/parse_address.cc +10 -8
- data/src/core/ext/filters/client_channel/proxy_mapper_registry.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver.cc +6 -52
- data/src/core/ext/filters/client_channel/resolver.h +98 -55
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +266 -237
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +5 -5
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +31 -27
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +244 -207
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +161 -148
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +47 -31
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +126 -126
- data/src/core/ext/filters/client_channel/resolver_factory.h +33 -32
- data/src/core/ext/filters/client_channel/resolver_registry.cc +110 -90
- data/src/core/ext/filters/client_channel/resolver_registry.h +49 -36
- data/src/core/ext/filters/client_channel/retry_throttle.cc +29 -22
- data/src/core/ext/filters/client_channel/subchannel.cc +173 -173
- data/src/core/ext/filters/client_channel/subchannel.h +38 -45
- data/src/core/ext/filters/client_channel/subchannel_index.cc +44 -40
- data/src/core/ext/filters/client_channel/uri_parser.cc +3 -3
- data/src/core/ext/filters/deadline/deadline_filter.cc +27 -18
- data/src/core/ext/filters/http/client/http_client_filter.cc +26 -23
- data/src/core/ext/filters/http/http_filters_plugin.cc +3 -2
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +78 -110
- data/src/core/ext/filters/http/server/http_server_filter.cc +29 -26
- data/src/core/ext/filters/load_reporting/server_load_reporting_filter.cc +9 -11
- data/src/core/ext/filters/load_reporting/server_load_reporting_plugin.cc +2 -1
- data/src/core/ext/filters/max_age/max_age_filter.cc +14 -14
- data/src/core/ext/filters/message_size/message_size_filter.cc +20 -18
- data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +4 -4
- data/src/core/ext/filters/workarounds/workaround_utils.cc +4 -4
- data/src/core/ext/transport/chttp2/alpn/alpn.cc +2 -1
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +10 -10
- data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +4 -4
- data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +11 -12
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +16 -13
- data/src/core/ext/transport/chttp2/transport/bin_decoder.cc +36 -9
- data/src/core/ext/transport/chttp2/transport/bin_decoder.h +3 -0
- data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +17 -14
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +139 -145
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +16 -14
- data/src/core/ext/transport/chttp2/transport/flow_control.h +8 -7
- data/src/core/ext/transport/chttp2/transport/frame_data.cc +35 -33
- data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +27 -25
- data/src/core/ext/transport/chttp2/transport/frame_ping.cc +12 -12
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +16 -15
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +19 -19
- data/src/core/ext/transport/chttp2/transport/frame_window_update.cc +11 -11
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +23 -22
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +35 -35
- data/src/core/ext/transport/chttp2/transport/hpack_table.cc +10 -7
- data/src/core/ext/transport/chttp2/transport/http2_settings.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/incoming_metadata.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/internal.h +1 -1
- data/src/core/ext/transport/chttp2/transport/parsing.cc +35 -39
- data/src/core/ext/transport/chttp2/transport/stream_map.cc +8 -7
- data/src/core/ext/transport/chttp2/transport/varint.cc +5 -5
- data/src/core/ext/transport/chttp2/transport/writing.cc +18 -18
- data/src/core/ext/transport/inproc/inproc_transport.cc +43 -23
- data/src/core/lib/{gpr → avl}/avl.cc +61 -57
- data/{include/grpc/support → src/core/lib/avl}/avl.h +25 -35
- data/src/core/lib/backoff/backoff.cc +6 -5
- data/src/core/lib/channel/channel_args.cc +23 -109
- data/src/core/lib/channel/channel_args.h +5 -31
- data/src/core/lib/channel/channel_stack.cc +11 -8
- data/src/core/lib/channel/channel_stack_builder.cc +10 -7
- data/src/core/lib/channel/connected_channel.cc +18 -17
- data/src/core/lib/channel/handshaker.cc +8 -8
- data/src/core/lib/channel/handshaker_registry.cc +3 -2
- data/src/core/lib/compression/algorithm_metadata.h +13 -6
- data/src/core/lib/compression/compression.cc +72 -183
- data/src/core/lib/compression/compression_internal.cc +274 -0
- data/src/core/lib/compression/compression_internal.h +86 -0
- data/src/core/lib/compression/message_compress.cc +15 -15
- data/src/core/lib/compression/message_compress.h +4 -3
- data/src/core/lib/compression/stream_compression_gzip.cc +8 -8
- data/src/core/lib/compression/stream_compression_identity.cc +1 -1
- data/src/core/lib/debug/stats.cc +10 -8
- data/src/core/lib/debug/stats_data.cc +2 -1
- data/src/core/lib/debug/trace.cc +3 -3
- data/src/core/lib/gpr/alloc.cc +7 -11
- data/src/core/lib/gpr/arena.cc +34 -12
- data/src/core/lib/gpr/atm.cc +2 -1
- data/src/core/lib/gpr/cpu_linux.cc +3 -3
- data/src/core/lib/gpr/cpu_posix.cc +2 -1
- data/src/core/lib/gpr/env.h +1 -1
- data/src/core/lib/gpr/env_linux.cc +1 -1
- data/src/core/lib/gpr/env_windows.cc +4 -4
- data/src/core/lib/gpr/fork.cc +16 -2
- data/src/core/lib/gpr/host_port.cc +5 -4
- data/{include/grpc/support → src/core/lib/gpr}/host_port.h +5 -13
- data/src/core/lib/gpr/log.cc +5 -4
- data/src/core/lib/gpr/log_linux.cc +1 -1
- data/src/core/lib/gpr/mpscq.cc +1 -0
- data/src/core/lib/gpr/murmur_hash.cc +4 -4
- data/src/core/lib/gpr/string.cc +19 -16
- data/src/core/lib/gpr/string_posix.cc +3 -3
- data/src/core/lib/gpr/sync_posix.cc +5 -9
- data/src/core/lib/gpr/thd.cc +3 -3
- data/{include/grpc/support → src/core/lib/gpr}/thd.h +20 -28
- data/src/core/lib/gpr/thd_posix.cc +6 -4
- data/src/core/lib/gpr/thd_windows.cc +3 -1
- data/src/core/lib/gpr/time.cc +6 -4
- data/src/core/lib/gpr/time_posix.cc +2 -2
- data/{include/grpc/support → src/core/lib/gpr}/tls.h +6 -6
- data/{include/grpc/support → src/core/lib/gpr}/tls_gcc.h +3 -3
- data/{include/grpc/support → src/core/lib/gpr}/tls_msvc.h +3 -3
- data/src/core/lib/gpr/tls_pthread.cc +1 -1
- data/{include/grpc/support → src/core/lib/gpr}/tls_pthread.h +3 -3
- data/{include/grpc/support → src/core/lib/gpr}/useful.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/abstract.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/atomic.h +5 -5
- data/src/core/lib/{gpr++ → gprpp}/atomic_with_atm.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/atomic_with_std.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/debug_location.h +3 -3
- data/src/core/lib/{gpr++ → gprpp}/inlined_vector.h +44 -22
- data/src/core/lib/{gpr++ → gprpp}/manual_constructor.h +2 -2
- data/src/core/lib/{gpr++ → gprpp}/memory.h +14 -5
- data/src/core/lib/{gpr++ → gprpp}/orphanable.h +39 -14
- data/src/core/lib/{gpr++ → gprpp}/ref_counted.h +42 -10
- data/src/core/lib/{gpr++ → gprpp}/ref_counted_ptr.h +18 -8
- data/src/core/lib/http/format_request.cc +3 -3
- data/src/core/lib/http/httpcli.cc +6 -7
- data/src/core/lib/http/httpcli_security_connector.cc +10 -10
- data/src/core/lib/http/parser.cc +16 -12
- data/src/core/lib/iomgr/call_combiner.cc +12 -13
- data/src/core/lib/iomgr/closure.h +4 -6
- data/src/core/lib/iomgr/combiner.cc +10 -21
- data/src/core/lib/iomgr/error.cc +50 -55
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +41 -52
- data/src/core/lib/iomgr/ev_epollex_linux.cc +80 -28
- data/src/core/lib/iomgr/ev_epollsig_linux.cc +23 -30
- data/src/core/lib/iomgr/ev_poll_posix.cc +52 -46
- data/src/core/lib/iomgr/ev_posix.cc +47 -6
- data/src/core/lib/iomgr/exec_ctx.cc +10 -10
- data/src/core/lib/iomgr/exec_ctx.h +1 -1
- data/src/core/lib/iomgr/executor.cc +16 -13
- data/src/core/lib/iomgr/fork_posix.cc +1 -3
- data/src/core/lib/iomgr/gethostname_host_name_max.cc +1 -1
- data/src/core/lib/iomgr/iocp_windows.cc +1 -2
- data/src/core/lib/iomgr/iomgr.cc +2 -2
- data/src/core/lib/iomgr/iomgr_uv.cc +2 -0
- data/src/core/lib/iomgr/iomgr_uv.h +1 -1
- data/src/core/lib/iomgr/is_epollexclusive_available.cc +5 -4
- data/src/core/lib/iomgr/load_file.cc +3 -3
- data/src/core/lib/iomgr/pollset_windows.cc +1 -1
- data/src/core/lib/iomgr/resolve_address_posix.cc +10 -9
- data/src/core/lib/iomgr/resolve_address_uv.cc +2 -2
- data/src/core/lib/iomgr/resolve_address_windows.cc +3 -2
- data/src/core/lib/iomgr/resource_quota.cc +36 -34
- data/src/core/lib/iomgr/sockaddr_utils.cc +39 -23
- data/src/core/lib/iomgr/socket_factory_posix.cc +5 -5
- data/src/core/lib/iomgr/socket_mutator.cc +7 -7
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +7 -4
- data/src/core/lib/iomgr/socket_utils_linux.cc +3 -2
- data/src/core/lib/iomgr/tcp_client_posix.cc +7 -6
- data/src/core/lib/iomgr/tcp_client_windows.cc +0 -1
- data/src/core/lib/iomgr/tcp_posix.cc +47 -55
- data/src/core/lib/iomgr/tcp_server_posix.cc +12 -10
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +7 -5
- data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +4 -3
- data/src/core/lib/iomgr/tcp_windows.cc +1 -1
- data/src/core/lib/iomgr/timer_generic.cc +16 -14
- data/src/core/lib/iomgr/timer_heap.cc +8 -7
- data/src/core/lib/iomgr/timer_manager.cc +4 -3
- data/src/core/lib/iomgr/udp_server.cc +24 -16
- data/src/core/lib/iomgr/unix_sockets_posix.cc +15 -10
- data/src/core/lib/iomgr/wakeup_fd_cv.cc +6 -5
- data/src/core/lib/iomgr/wakeup_fd_eventfd.cc +1 -2
- data/src/core/lib/json/json.cc +1 -1
- data/src/core/lib/json/json_reader.cc +8 -6
- data/src/core/lib/json/json_string.cc +19 -18
- data/src/core/lib/json/json_writer.cc +10 -8
- data/src/core/lib/profiling/basic_timers.cc +1 -1
- data/src/core/lib/profiling/timers.h +3 -20
- data/src/core/lib/security/context/security_context.cc +16 -14
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +17 -14
- data/src/core/lib/security/credentials/credentials.cc +9 -8
- data/src/core/lib/security/credentials/credentials.h +1 -1
- data/src/core/lib/security/credentials/credentials_metadata.cc +2 -2
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +12 -13
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +7 -4
- data/src/core/lib/security/credentials/iam/iam_credentials.cc +5 -3
- data/src/core/lib/security/credentials/jwt/json_token.cc +4 -3
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +7 -7
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +21 -18
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +23 -18
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +11 -7
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +22 -21
- data/src/core/lib/security/{transport → security_connector}/security_connector.cc +46 -43
- data/src/core/lib/security/{transport → security_connector}/security_connector.h +3 -3
- data/src/core/lib/security/transport/client_auth_filter.cc +32 -34
- data/src/core/lib/security/transport/lb_targets_info.cc +7 -5
- data/src/core/lib/security/transport/secure_endpoint.cc +21 -21
- data/src/core/lib/security/transport/security_handshaker.cc +19 -18
- data/src/core/lib/security/transport/security_handshaker.h +1 -1
- data/src/core/lib/security/transport/server_auth_filter.cc +21 -21
- data/src/core/lib/slice/b64.cc +19 -16
- data/src/core/lib/slice/percent_encoding.cc +5 -5
- data/src/core/lib/slice/slice.cc +35 -33
- data/src/core/lib/slice/slice_buffer.cc +16 -14
- data/src/core/lib/slice/slice_hash_table.cc +3 -2
- data/src/core/lib/slice/slice_intern.cc +21 -25
- data/src/core/lib/slice/slice_string_helpers.cc +45 -9
- data/src/core/lib/slice/slice_string_helpers.h +6 -0
- data/src/core/lib/surface/byte_buffer.cc +2 -2
- data/src/core/lib/surface/byte_buffer_reader.cc +6 -3
- data/src/core/lib/surface/call.cc +171 -260
- data/src/core/lib/surface/call_test_only.h +1 -13
- data/src/core/lib/surface/channel.cc +20 -43
- data/src/core/lib/surface/channel_init.cc +7 -7
- data/src/core/lib/surface/channel_ping.cc +2 -2
- data/src/core/lib/surface/completion_queue.cc +69 -75
- data/src/core/lib/surface/init.cc +4 -5
- data/src/core/lib/surface/init_secure.cc +1 -1
- data/src/core/lib/surface/lame_client.cc +1 -1
- data/src/core/lib/surface/server.cc +64 -59
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/bdp_estimator.cc +6 -5
- data/src/core/lib/transport/byte_stream.cc +23 -14
- data/src/core/lib/transport/byte_stream.h +1 -1
- data/src/core/lib/transport/connectivity_state.cc +9 -13
- data/src/core/lib/transport/error_utils.cc +10 -7
- data/src/core/lib/transport/metadata.cc +27 -26
- data/src/core/lib/transport/metadata.h +1 -1
- data/src/core/lib/transport/pid_controller.cc +2 -1
- data/src/core/lib/transport/service_config.cc +5 -5
- data/src/core/lib/transport/static_metadata.cc +225 -222
- data/src/core/lib/transport/static_metadata.h +77 -76
- data/src/core/lib/transport/timeout_encoding.cc +3 -2
- data/src/core/lib/transport/transport.cc +6 -5
- data/src/core/lib/transport/transport_op_string.cc +0 -1
- data/src/core/plugin_registry/grpc_plugin_registry.cc +4 -4
- data/src/core/tsi/alts_transport_security.cc +61 -0
- data/src/core/tsi/{gts_transport_security.h → alts_transport_security.h} +16 -8
- data/src/core/tsi/fake_transport_security.cc +59 -43
- data/src/core/tsi/ssl_transport_security.cc +122 -107
- data/src/core/tsi/transport_security.cc +3 -3
- data/src/core/tsi/transport_security_adapter.cc +16 -10
- data/src/ruby/bin/apis/pubsub_demo.rb +1 -1
- data/src/ruby/ext/grpc/rb_channel.c +3 -4
- data/src/ruby/ext/grpc/rb_compression_options.c +13 -3
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +4 -76
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +8 -120
- data/src/ruby/ext/grpc/rb_server.c +52 -28
- data/src/ruby/lib/grpc/generic/rpc_server.rb +7 -4
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/test/client.rb +1 -1
- data/src/ruby/pb/test/server.rb +1 -1
- data/src/ruby/spec/client_server_spec.rb +4 -2
- data/src/ruby/spec/generic/active_call_spec.rb +2 -1
- data/src/ruby/spec/generic/client_stub_spec.rb +32 -8
- data/src/ruby/spec/server_spec.rb +26 -7
- data/third_party/boringssl/crypto/asn1/a_bitstr.c +7 -2
- data/third_party/boringssl/crypto/asn1/a_d2i_fp.c +15 -0
- data/third_party/boringssl/crypto/asn1/a_gentm.c +1 -1
- data/third_party/boringssl/crypto/asn1/a_print.c +0 -28
- data/third_party/boringssl/crypto/asn1/a_strnid.c +3 -0
- data/third_party/boringssl/crypto/asn1/a_time.c +17 -9
- data/third_party/boringssl/crypto/asn1/a_utctm.c +1 -1
- data/third_party/boringssl/crypto/asn1/asn1_lib.c +5 -49
- data/third_party/boringssl/crypto/asn1/asn1_locl.h +1 -1
- data/third_party/boringssl/crypto/asn1/tasn_dec.c +9 -9
- data/third_party/boringssl/crypto/asn1/tasn_enc.c +0 -6
- data/third_party/boringssl/crypto/asn1/time_support.c +5 -5
- data/third_party/boringssl/crypto/base64/base64.c +65 -43
- data/third_party/boringssl/crypto/bio/bio.c +134 -110
- data/third_party/boringssl/crypto/bio/bio_mem.c +9 -9
- data/third_party/boringssl/crypto/bio/connect.c +17 -17
- data/third_party/boringssl/crypto/bio/fd.c +2 -1
- data/third_party/boringssl/crypto/bio/file.c +14 -14
- data/third_party/boringssl/crypto/bio/hexdump.c +15 -16
- data/third_party/boringssl/crypto/bio/internal.h +14 -14
- data/third_party/boringssl/crypto/bio/pair.c +45 -45
- data/third_party/boringssl/crypto/bio/printf.c +6 -10
- data/third_party/boringssl/crypto/{bn → bn_extra}/bn_asn1.c +9 -9
- data/third_party/boringssl/crypto/{bn → bn_extra}/convert.c +18 -223
- data/third_party/boringssl/crypto/buf/buf.c +20 -44
- data/third_party/boringssl/crypto/bytestring/ber.c +35 -35
- data/third_party/boringssl/crypto/bytestring/cbb.c +24 -24
- data/third_party/boringssl/crypto/bytestring/cbs.c +33 -37
- data/third_party/boringssl/crypto/bytestring/internal.h +38 -38
- data/third_party/boringssl/crypto/chacha/chacha.c +7 -7
- data/third_party/boringssl/crypto/{asn1/t_bitst.c → cipher_extra/cipher_extra.c} +49 -38
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/derive_key.c +0 -2
- data/third_party/boringssl/crypto/cipher_extra/e_aesctrhmac.c +281 -0
- data/third_party/boringssl/crypto/cipher_extra/e_aesgcmsiv.c +867 -0
- data/third_party/boringssl/crypto/cipher_extra/e_chacha20poly1305.c +326 -0
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_null.c +0 -1
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_rc2.c +22 -10
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_rc4.c +0 -0
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_ssl3.c +120 -64
- data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_tls.c +220 -141
- data/third_party/boringssl/crypto/{asn1/x_bignum.c → cipher_extra/internal.h} +61 -86
- data/third_party/boringssl/crypto/cipher_extra/tls_cbc.c +482 -0
- data/third_party/boringssl/crypto/cmac/cmac.c +20 -20
- data/third_party/boringssl/crypto/conf/conf.c +32 -20
- data/third_party/boringssl/crypto/conf/internal.h +3 -3
- data/third_party/boringssl/crypto/cpu-aarch64-linux.c +5 -5
- data/third_party/boringssl/crypto/cpu-arm-linux.c +44 -41
- data/third_party/boringssl/crypto/cpu-intel.c +68 -43
- data/third_party/boringssl/crypto/cpu-ppc64le.c +5 -7
- data/third_party/boringssl/crypto/crypto.c +54 -32
- data/third_party/boringssl/crypto/curve25519/curve25519.c +269 -269
- data/third_party/boringssl/crypto/curve25519/internal.h +28 -8
- data/third_party/boringssl/crypto/curve25519/spake25519.c +180 -106
- data/third_party/boringssl/crypto/curve25519/x25519-x86_64.c +9 -9
- data/third_party/boringssl/crypto/dh/check.c +33 -34
- data/third_party/boringssl/crypto/dh/dh.c +72 -36
- data/third_party/boringssl/crypto/dh/dh_asn1.c +1 -1
- data/third_party/boringssl/crypto/dh/params.c +1 -161
- data/third_party/boringssl/crypto/digest_extra/digest_extra.c +240 -0
- data/third_party/boringssl/crypto/dsa/dsa.c +127 -87
- data/third_party/boringssl/crypto/dsa/dsa_asn1.c +1 -1
- data/third_party/boringssl/crypto/{ec → ec_extra}/ec_asn1.c +83 -70
- data/third_party/boringssl/crypto/ecdh/ecdh.c +1 -1
- data/third_party/boringssl/crypto/{ecdsa → ecdsa_extra}/ecdsa_asn1.c +86 -31
- data/third_party/boringssl/crypto/engine/engine.c +6 -6
- data/third_party/boringssl/crypto/err/err.c +197 -106
- data/third_party/boringssl/crypto/err/internal.h +58 -0
- data/third_party/boringssl/crypto/evp/digestsign.c +86 -14
- data/third_party/boringssl/crypto/evp/evp.c +6 -11
- data/third_party/boringssl/crypto/evp/evp_asn1.c +17 -17
- data/third_party/boringssl/crypto/evp/evp_ctx.c +15 -11
- data/third_party/boringssl/crypto/evp/internal.h +66 -51
- data/third_party/boringssl/crypto/evp/p_dsa_asn1.c +11 -11
- data/third_party/boringssl/crypto/evp/p_ec.c +10 -8
- data/third_party/boringssl/crypto/evp/p_ec_asn1.c +11 -12
- data/third_party/boringssl/crypto/evp/p_ed25519.c +71 -0
- data/third_party/boringssl/crypto/evp/p_ed25519_asn1.c +190 -0
- data/third_party/boringssl/crypto/evp/p_rsa.c +50 -95
- data/third_party/boringssl/crypto/evp/p_rsa_asn1.c +28 -18
- data/third_party/boringssl/crypto/evp/pbkdf.c +49 -56
- data/third_party/boringssl/crypto/evp/print.c +5 -36
- data/third_party/boringssl/crypto/evp/scrypt.c +209 -0
- data/third_party/boringssl/crypto/ex_data.c +15 -45
- data/third_party/boringssl/crypto/fipsmodule/aes/internal.h +100 -0
- data/third_party/boringssl/crypto/fipsmodule/bcm.c +679 -0
- data/third_party/boringssl/crypto/{bn → fipsmodule/bn}/internal.h +40 -27
- data/third_party/boringssl/crypto/{bn → fipsmodule/bn}/rsaz_exp.h +0 -0
- data/third_party/boringssl/crypto/{cipher → fipsmodule/cipher}/internal.h +34 -67
- data/third_party/boringssl/crypto/fipsmodule/delocate.h +88 -0
- data/third_party/boringssl/crypto/{des → fipsmodule/des}/internal.h +18 -4
- data/third_party/boringssl/crypto/{digest → fipsmodule/digest}/internal.h +18 -18
- data/third_party/boringssl/crypto/{digest → fipsmodule/digest}/md32_common.h +58 -64
- data/third_party/boringssl/crypto/{ec → fipsmodule/ec}/internal.h +58 -52
- data/third_party/boringssl/crypto/{ec → fipsmodule/ec}/p256-x86_64-table.h +11 -11
- data/third_party/boringssl/crypto/{ec → fipsmodule/ec}/p256-x86_64.h +32 -32
- data/third_party/boringssl/crypto/{rand/internal.h → fipsmodule/is_fips.c} +10 -15
- data/third_party/boringssl/crypto/{modes → fipsmodule/modes}/internal.h +112 -119
- data/third_party/boringssl/crypto/fipsmodule/rand/internal.h +92 -0
- data/third_party/boringssl/crypto/{rsa → fipsmodule/rsa}/internal.h +36 -49
- data/third_party/boringssl/crypto/hkdf/hkdf.c +6 -6
- data/third_party/boringssl/crypto/internal.h +301 -233
- data/third_party/boringssl/crypto/lhash/lhash.c +26 -45
- data/third_party/boringssl/crypto/mem.c +76 -33
- data/third_party/boringssl/crypto/obj/obj.c +44 -28
- data/third_party/boringssl/crypto/obj/obj_dat.h +102 -34
- data/third_party/boringssl/crypto/obj/obj_xref.c +6 -6
- data/third_party/boringssl/crypto/pem/pem_info.c +3 -5
- data/third_party/boringssl/crypto/pem/pem_lib.c +1 -6
- data/third_party/boringssl/crypto/pem/pem_pk8.c +1 -0
- data/third_party/boringssl/crypto/pem/pem_pkey.c +1 -1
- data/third_party/boringssl/crypto/pem/pem_xaux.c +0 -2
- data/third_party/boringssl/crypto/pkcs7/internal.h +49 -0
- data/third_party/boringssl/crypto/pkcs7/pkcs7.c +166 -0
- data/third_party/boringssl/crypto/{x509/pkcs7.c → pkcs7/pkcs7_x509.c} +27 -147
- data/third_party/boringssl/crypto/pkcs8/internal.h +34 -16
- data/third_party/boringssl/crypto/pkcs8/p5_pbev2.c +120 -39
- data/third_party/boringssl/crypto/pkcs8/pkcs8.c +144 -857
- data/third_party/boringssl/crypto/pkcs8/pkcs8_x509.c +789 -0
- data/third_party/boringssl/crypto/poly1305/internal.h +4 -3
- data/third_party/boringssl/crypto/poly1305/poly1305.c +14 -14
- data/third_party/boringssl/crypto/poly1305/poly1305_arm.c +11 -11
- data/third_party/boringssl/crypto/poly1305/poly1305_vec.c +41 -41
- data/third_party/boringssl/crypto/pool/internal.h +2 -2
- data/third_party/boringssl/crypto/pool/pool.c +15 -15
- data/third_party/boringssl/crypto/{rand → rand_extra}/deterministic.c +7 -7
- data/third_party/boringssl/crypto/rand_extra/forkunsafe.c +46 -0
- data/third_party/boringssl/crypto/{rand → rand_extra}/fuchsia.c +7 -7
- data/third_party/boringssl/crypto/rand_extra/rand_extra.c +70 -0
- data/third_party/boringssl/crypto/{rand → rand_extra}/windows.c +5 -5
- data/third_party/boringssl/crypto/refcount_c11.c +2 -2
- data/third_party/boringssl/crypto/refcount_lock.c +1 -1
- data/third_party/boringssl/crypto/{rsa → rsa_extra}/rsa_asn1.c +12 -120
- data/third_party/boringssl/crypto/stack/stack.c +13 -13
- data/third_party/boringssl/crypto/thread_none.c +1 -1
- data/third_party/boringssl/crypto/thread_pthread.c +1 -1
- data/third_party/boringssl/crypto/thread_win.c +40 -40
- data/third_party/boringssl/crypto/x509/a_sign.c +5 -12
- data/third_party/boringssl/crypto/x509/a_verify.c +6 -18
- data/third_party/boringssl/crypto/x509/algorithm.c +22 -6
- data/third_party/boringssl/crypto/x509/asn1_gen.c +30 -7
- data/third_party/boringssl/crypto/x509/by_dir.c +2 -2
- data/third_party/boringssl/crypto/x509/by_file.c +2 -2
- data/third_party/boringssl/crypto/x509/rsa_pss.c +5 -5
- data/third_party/boringssl/crypto/x509/t_x509.c +2 -1
- data/third_party/boringssl/crypto/x509/x509_def.c +5 -0
- data/third_party/boringssl/crypto/x509/x509_lu.c +35 -4
- data/third_party/boringssl/crypto/x509/x509_set.c +10 -0
- data/third_party/boringssl/crypto/x509/x509_vfy.c +20 -17
- data/third_party/boringssl/crypto/x509/x_name.c +13 -16
- data/third_party/boringssl/crypto/x509/x_x509.c +3 -3
- data/third_party/boringssl/crypto/x509/x_x509a.c +0 -7
- data/third_party/boringssl/crypto/x509v3/ext_dat.h +8 -0
- data/third_party/boringssl/crypto/x509v3/pcy_int.h +2 -2
- data/third_party/boringssl/crypto/x509v3/pcy_lib.c +0 -9
- data/third_party/boringssl/crypto/x509v3/pcy_node.c +1 -1
- data/third_party/boringssl/crypto/x509v3/pcy_tree.c +25 -15
- data/third_party/boringssl/crypto/x509v3/v3_alt.c +21 -11
- data/third_party/boringssl/crypto/x509v3/v3_cpols.c +9 -3
- data/third_party/boringssl/crypto/x509v3/v3_info.c +22 -14
- data/third_party/boringssl/crypto/x509v3/v3_ncons.c +27 -11
- data/third_party/boringssl/crypto/x509v3/v3_pci.c +0 -33
- data/third_party/boringssl/crypto/x509v3/v3_utl.c +4 -4
- data/third_party/boringssl/include/openssl/aead.h +280 -191
- data/third_party/boringssl/include/openssl/aes.h +50 -50
- data/third_party/boringssl/include/openssl/arm_arch.h +12 -12
- data/third_party/boringssl/include/openssl/asn1.h +14 -77
- data/third_party/boringssl/include/openssl/asn1t.h +11 -15
- data/third_party/boringssl/include/openssl/base.h +78 -51
- data/third_party/boringssl/include/openssl/base64.h +68 -68
- data/third_party/boringssl/include/openssl/bio.h +472 -406
- data/third_party/boringssl/include/openssl/blowfish.h +1 -1
- data/third_party/boringssl/include/openssl/bn.h +454 -435
- data/third_party/boringssl/include/openssl/buf.h +27 -27
- data/third_party/boringssl/include/openssl/bytestring.h +282 -267
- data/third_party/boringssl/include/openssl/cast.h +2 -2
- data/third_party/boringssl/include/openssl/chacha.h +5 -5
- data/third_party/boringssl/include/openssl/cipher.h +209 -200
- data/third_party/boringssl/include/openssl/cmac.h +27 -27
- data/third_party/boringssl/include/openssl/conf.h +49 -46
- data/third_party/boringssl/include/openssl/cpu.h +60 -45
- data/third_party/boringssl/include/openssl/crypto.h +59 -35
- data/third_party/boringssl/include/openssl/curve25519.h +97 -92
- data/third_party/boringssl/include/openssl/des.h +25 -25
- data/third_party/boringssl/include/openssl/dh.h +98 -97
- data/third_party/boringssl/include/openssl/digest.h +143 -114
- data/third_party/boringssl/include/openssl/dsa.h +217 -202
- data/third_party/boringssl/include/openssl/ec.h +132 -131
- data/third_party/boringssl/include/openssl/ec_key.h +132 -128
- data/third_party/boringssl/include/openssl/ecdh.h +9 -9
- data/third_party/boringssl/include/openssl/ecdsa.h +66 -66
- data/third_party/boringssl/include/openssl/engine.h +38 -38
- data/third_party/boringssl/include/openssl/err.h +189 -219
- data/third_party/boringssl/include/openssl/evp.h +473 -397
- data/third_party/boringssl/include/openssl/ex_data.h +46 -56
- data/third_party/boringssl/include/openssl/hkdf.h +17 -17
- data/third_party/boringssl/include/openssl/hmac.h +55 -43
- data/third_party/boringssl/include/openssl/is_boringssl.h +16 -0
- data/third_party/boringssl/include/openssl/lhash.h +67 -67
- data/third_party/boringssl/include/openssl/lhash_macros.h +4 -4
- data/third_party/boringssl/include/openssl/md4.h +14 -14
- data/third_party/boringssl/include/openssl/md5.h +14 -14
- data/third_party/boringssl/include/openssl/mem.h +39 -33
- data/third_party/boringssl/include/openssl/nid.h +43 -0
- data/third_party/boringssl/include/openssl/obj.h +93 -87
- data/third_party/boringssl/include/openssl/opensslconf.h +8 -1
- data/third_party/boringssl/include/openssl/pem.h +2 -122
- data/third_party/boringssl/include/openssl/pkcs7.h +68 -2
- data/third_party/boringssl/include/openssl/pkcs8.h +81 -66
- data/third_party/boringssl/include/openssl/poly1305.h +11 -11
- data/third_party/boringssl/include/openssl/pool.h +29 -25
- data/third_party/boringssl/include/openssl/rand.h +48 -45
- data/third_party/boringssl/include/openssl/rc4.h +9 -9
- data/third_party/boringssl/include/openssl/ripemd.h +13 -13
- data/third_party/boringssl/include/openssl/rsa.h +371 -340
- data/third_party/boringssl/include/openssl/sha.h +71 -71
- data/third_party/boringssl/include/openssl/span.h +191 -0
- data/third_party/boringssl/include/openssl/ssl.h +2639 -2519
- data/third_party/boringssl/include/openssl/ssl3.h +39 -122
- data/third_party/boringssl/include/openssl/stack.h +355 -164
- data/third_party/boringssl/include/openssl/thread.h +43 -43
- data/third_party/boringssl/include/openssl/tls1.h +60 -63
- data/third_party/boringssl/include/openssl/type_check.h +10 -14
- data/third_party/boringssl/include/openssl/x509.h +41 -116
- data/third_party/boringssl/include/openssl/x509_vfy.h +17 -25
- data/third_party/boringssl/include/openssl/x509v3.h +27 -21
- data/third_party/boringssl/ssl/{bio_ssl.c → bio_ssl.cc} +9 -5
- data/third_party/boringssl/ssl/{custom_extensions.c → custom_extensions.cc} +19 -12
- data/third_party/boringssl/ssl/{d1_both.c → d1_both.cc} +224 -193
- data/third_party/boringssl/ssl/{d1_lib.c → d1_lib.cc} +86 -79
- data/third_party/boringssl/ssl/{d1_pkt.c → d1_pkt.cc} +55 -87
- data/third_party/boringssl/ssl/{d1_srtp.c → d1_srtp.cc} +12 -16
- data/third_party/boringssl/ssl/{dtls_method.c → dtls_method.cc} +33 -50
- data/third_party/boringssl/ssl/{dtls_record.c → dtls_record.cc} +76 -64
- data/third_party/boringssl/ssl/handshake.cc +547 -0
- data/third_party/boringssl/ssl/handshake_client.cc +1828 -0
- data/third_party/boringssl/ssl/handshake_server.cc +1672 -0
- data/third_party/boringssl/ssl/internal.h +2027 -1280
- data/third_party/boringssl/ssl/s3_both.cc +603 -0
- data/third_party/boringssl/ssl/{s3_lib.c → s3_lib.cc} +22 -10
- data/third_party/boringssl/ssl/{s3_pkt.c → s3_pkt.cc} +171 -75
- data/third_party/boringssl/ssl/ssl_aead_ctx.cc +415 -0
- data/third_party/boringssl/ssl/{ssl_asn1.c → ssl_asn1.cc} +257 -261
- data/third_party/boringssl/ssl/{ssl_buffer.c → ssl_buffer.cc} +81 -97
- data/third_party/boringssl/ssl/{ssl_cert.c → ssl_cert.cc} +304 -414
- data/third_party/boringssl/ssl/{ssl_cipher.c → ssl_cipher.cc} +427 -505
- data/third_party/boringssl/ssl/{ssl_file.c → ssl_file.cc} +24 -16
- data/third_party/boringssl/ssl/ssl_key_share.cc +245 -0
- data/third_party/boringssl/ssl/{ssl_lib.c → ssl_lib.cc} +665 -828
- data/third_party/boringssl/ssl/ssl_privkey.cc +518 -0
- data/third_party/boringssl/ssl/{ssl_session.c → ssl_session.cc} +596 -471
- data/third_party/boringssl/ssl/{ssl_stat.c → ssl_stat.cc} +5 -224
- data/third_party/boringssl/ssl/{ssl_transcript.c → ssl_transcript.cc} +117 -140
- data/third_party/boringssl/ssl/ssl_versions.cc +439 -0
- data/third_party/boringssl/ssl/{ssl_x509.c → ssl_x509.cc} +751 -267
- data/third_party/boringssl/ssl/{t1_enc.c → t1_enc.cc} +120 -161
- data/third_party/boringssl/ssl/{t1_lib.c → t1_lib.cc} +859 -966
- data/third_party/boringssl/ssl/{tls13_both.c → tls13_both.cc} +202 -284
- data/third_party/boringssl/ssl/tls13_client.cc +842 -0
- data/third_party/boringssl/ssl/{tls13_enc.c → tls13_enc.cc} +108 -90
- data/third_party/boringssl/ssl/tls13_server.cc +967 -0
- data/third_party/boringssl/ssl/{tls_method.c → tls_method.cc} +94 -73
- data/third_party/boringssl/ssl/tls_record.cc +675 -0
- metadata +117 -168
- data/include/grpc/support/cmdline.h +0 -88
- data/include/grpc/support/subprocess.h +0 -44
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h +0 -29
- data/src/core/ext/filters/client_channel/resolver_factory.cc +0 -40
- data/src/core/lib/gpr/cmdline.cc +0 -330
- data/src/core/lib/gpr/subprocess_posix.cc +0 -99
- data/src/core/lib/gpr/subprocess_windows.cc +0 -126
- data/src/core/lib/surface/alarm.cc +0 -137
- data/src/core/lib/surface/alarm_internal.h +0 -40
- data/src/core/tsi/gts_transport_security.cc +0 -40
- data/third_party/boringssl/crypto/aes/aes.c +0 -1142
- data/third_party/boringssl/crypto/aes/internal.h +0 -87
- data/third_party/boringssl/crypto/aes/key_wrap.c +0 -138
- data/third_party/boringssl/crypto/aes/mode_wrappers.c +0 -112
- data/third_party/boringssl/crypto/asn1/x_long.c +0 -200
- data/third_party/boringssl/crypto/bn/add.c +0 -377
- data/third_party/boringssl/crypto/bn/asm/x86_64-gcc.c +0 -532
- data/third_party/boringssl/crypto/bn/bn.c +0 -365
- data/third_party/boringssl/crypto/bn/cmp.c +0 -239
- data/third_party/boringssl/crypto/bn/ctx.c +0 -313
- data/third_party/boringssl/crypto/bn/div.c +0 -728
- data/third_party/boringssl/crypto/bn/exponentiation.c +0 -1240
- data/third_party/boringssl/crypto/bn/gcd.c +0 -635
- data/third_party/boringssl/crypto/bn/generic.c +0 -707
- data/third_party/boringssl/crypto/bn/kronecker.c +0 -176
- data/third_party/boringssl/crypto/bn/montgomery.c +0 -409
- data/third_party/boringssl/crypto/bn/montgomery_inv.c +0 -207
- data/third_party/boringssl/crypto/bn/mul.c +0 -871
- data/third_party/boringssl/crypto/bn/prime.c +0 -861
- data/third_party/boringssl/crypto/bn/random.c +0 -343
- data/third_party/boringssl/crypto/bn/rsaz_exp.c +0 -254
- data/third_party/boringssl/crypto/bn/shift.c +0 -307
- data/third_party/boringssl/crypto/bn/sqrt.c +0 -506
- data/third_party/boringssl/crypto/cipher/aead.c +0 -156
- data/third_party/boringssl/crypto/cipher/cipher.c +0 -657
- data/third_party/boringssl/crypto/cipher/e_aes.c +0 -1771
- data/third_party/boringssl/crypto/cipher/e_chacha20poly1305.c +0 -276
- data/third_party/boringssl/crypto/cipher/e_des.c +0 -205
- data/third_party/boringssl/crypto/cipher/tls_cbc.c +0 -482
- data/third_party/boringssl/crypto/des/des.c +0 -771
- data/third_party/boringssl/crypto/digest/digest.c +0 -251
- data/third_party/boringssl/crypto/digest/digests.c +0 -358
- data/third_party/boringssl/crypto/ec/ec.c +0 -847
- data/third_party/boringssl/crypto/ec/ec_key.c +0 -479
- data/third_party/boringssl/crypto/ec/ec_montgomery.c +0 -303
- data/third_party/boringssl/crypto/ec/oct.c +0 -416
- data/third_party/boringssl/crypto/ec/p224-64.c +0 -1143
- data/third_party/boringssl/crypto/ec/p256-64.c +0 -1701
- data/third_party/boringssl/crypto/ec/p256-x86_64.c +0 -561
- data/third_party/boringssl/crypto/ec/simple.c +0 -1118
- data/third_party/boringssl/crypto/ec/util-64.c +0 -109
- data/third_party/boringssl/crypto/ec/wnaf.c +0 -458
- data/third_party/boringssl/crypto/ecdsa/ecdsa.c +0 -479
- data/third_party/boringssl/crypto/hmac/hmac.c +0 -215
- data/third_party/boringssl/crypto/md4/md4.c +0 -236
- data/third_party/boringssl/crypto/md5/md5.c +0 -285
- data/third_party/boringssl/crypto/modes/cbc.c +0 -212
- data/third_party/boringssl/crypto/modes/cfb.c +0 -230
- data/third_party/boringssl/crypto/modes/ctr.c +0 -219
- data/third_party/boringssl/crypto/modes/gcm.c +0 -1071
- data/third_party/boringssl/crypto/modes/ofb.c +0 -95
- data/third_party/boringssl/crypto/modes/polyval.c +0 -94
- data/third_party/boringssl/crypto/pkcs8/p8_pkey.c +0 -85
- data/third_party/boringssl/crypto/rand/rand.c +0 -244
- data/third_party/boringssl/crypto/rand/urandom.c +0 -335
- data/third_party/boringssl/crypto/rsa/blinding.c +0 -265
- data/third_party/boringssl/crypto/rsa/padding.c +0 -708
- data/third_party/boringssl/crypto/rsa/rsa.c +0 -830
- data/third_party/boringssl/crypto/rsa/rsa_impl.c +0 -1100
- data/third_party/boringssl/crypto/sha/sha1-altivec.c +0 -346
- data/third_party/boringssl/crypto/sha/sha1.c +0 -355
- data/third_party/boringssl/crypto/sha/sha256.c +0 -329
- data/third_party/boringssl/crypto/sha/sha512.c +0 -609
- data/third_party/boringssl/crypto/x509/x509type.c +0 -126
- data/third_party/boringssl/include/openssl/stack_macros.h +0 -3987
- data/third_party/boringssl/ssl/handshake_client.c +0 -1883
- data/third_party/boringssl/ssl/handshake_server.c +0 -1950
- data/third_party/boringssl/ssl/s3_both.c +0 -895
- data/third_party/boringssl/ssl/ssl_aead_ctx.c +0 -335
- data/third_party/boringssl/ssl/ssl_ecdh.c +0 -465
- data/third_party/boringssl/ssl/ssl_privkey.c +0 -683
- data/third_party/boringssl/ssl/ssl_privkey_cc.cc +0 -76
- data/third_party/boringssl/ssl/tls13_client.c +0 -712
- data/third_party/boringssl/ssl/tls13_server.c +0 -680
- data/third_party/boringssl/ssl/tls_record.c +0 -556
@@ -17,108 +17,46 @@
|
|
17
17
|
#include <assert.h>
|
18
18
|
#include <string.h>
|
19
19
|
|
20
|
+
#include <utility>
|
21
|
+
|
20
22
|
#include <openssl/bytestring.h>
|
21
23
|
#include <openssl/err.h>
|
22
24
|
#include <openssl/hkdf.h>
|
23
25
|
#include <openssl/mem.h>
|
24
26
|
#include <openssl/stack.h>
|
25
27
|
#include <openssl/x509.h>
|
26
|
-
#include <openssl/x509v3.h>
|
27
28
|
|
28
29
|
#include "../crypto/internal.h"
|
29
30
|
#include "internal.h"
|
30
31
|
|
31
32
|
|
32
|
-
|
33
|
-
* processed. Without this limit an attacker could force unbounded processing
|
34
|
-
* without being able to return application data. */
|
35
|
-
static const uint8_t kMaxKeyUpdates = 32;
|
36
|
-
|
37
|
-
int tls13_handshake(SSL_HANDSHAKE *hs) {
|
38
|
-
SSL *const ssl = hs->ssl;
|
39
|
-
for (;;) {
|
40
|
-
/* Resolve the operation the handshake was waiting on. */
|
41
|
-
switch (hs->wait) {
|
42
|
-
case ssl_hs_error:
|
43
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
|
44
|
-
return -1;
|
45
|
-
|
46
|
-
case ssl_hs_flush:
|
47
|
-
case ssl_hs_flush_and_read_message: {
|
48
|
-
int ret = ssl->method->flush_flight(ssl);
|
49
|
-
if (ret <= 0) {
|
50
|
-
return ret;
|
51
|
-
}
|
52
|
-
if (hs->wait != ssl_hs_flush_and_read_message) {
|
53
|
-
break;
|
54
|
-
}
|
55
|
-
ssl->method->expect_flight(ssl);
|
56
|
-
hs->wait = ssl_hs_read_message;
|
57
|
-
/* Fall-through. */
|
58
|
-
}
|
59
|
-
|
60
|
-
case ssl_hs_read_message: {
|
61
|
-
int ret = ssl->method->ssl_get_message(ssl);
|
62
|
-
if (ret <= 0) {
|
63
|
-
return ret;
|
64
|
-
}
|
65
|
-
break;
|
66
|
-
}
|
67
|
-
|
68
|
-
case ssl_hs_x509_lookup:
|
69
|
-
ssl->rwstate = SSL_X509_LOOKUP;
|
70
|
-
hs->wait = ssl_hs_ok;
|
71
|
-
return -1;
|
72
|
-
|
73
|
-
case ssl_hs_channel_id_lookup:
|
74
|
-
ssl->rwstate = SSL_CHANNEL_ID_LOOKUP;
|
75
|
-
hs->wait = ssl_hs_ok;
|
76
|
-
return -1;
|
77
|
-
|
78
|
-
case ssl_hs_private_key_operation:
|
79
|
-
ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;
|
80
|
-
hs->wait = ssl_hs_ok;
|
81
|
-
return -1;
|
82
|
-
|
83
|
-
case ssl_hs_ok:
|
84
|
-
break;
|
85
|
-
}
|
86
|
-
|
87
|
-
/* Run the state machine again. */
|
88
|
-
hs->wait = hs->do_tls13_handshake(hs);
|
89
|
-
if (hs->wait == ssl_hs_error) {
|
90
|
-
/* Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the
|
91
|
-
* first time around. */
|
92
|
-
return -1;
|
93
|
-
}
|
94
|
-
if (hs->wait == ssl_hs_ok) {
|
95
|
-
/* The handshake has completed. */
|
96
|
-
return 1;
|
97
|
-
}
|
33
|
+
namespace bssl {
|
98
34
|
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
35
|
+
// kMaxKeyUpdates is the number of consecutive KeyUpdates that will be
|
36
|
+
// processed. Without this limit an attacker could force unbounded processing
|
37
|
+
// without being able to return application data.
|
38
|
+
static const uint8_t kMaxKeyUpdates = 32;
|
103
39
|
|
104
40
|
int tls13_get_cert_verify_signature_input(
|
105
41
|
SSL_HANDSHAKE *hs, uint8_t **out, size_t *out_len,
|
106
42
|
enum ssl_cert_verify_context_t cert_verify_context) {
|
107
|
-
|
108
|
-
if (!CBB_init(
|
109
|
-
|
43
|
+
ScopedCBB cbb;
|
44
|
+
if (!CBB_init(cbb.get(), 64 + 33 + 1 + 2 * EVP_MAX_MD_SIZE)) {
|
45
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
46
|
+
return 0;
|
110
47
|
}
|
111
48
|
|
112
49
|
for (size_t i = 0; i < 64; i++) {
|
113
|
-
if (!CBB_add_u8(
|
114
|
-
|
50
|
+
if (!CBB_add_u8(cbb.get(), 0x20)) {
|
51
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
52
|
+
return 0;
|
115
53
|
}
|
116
54
|
}
|
117
55
|
|
118
56
|
const uint8_t *context;
|
119
57
|
size_t context_len;
|
120
58
|
if (cert_verify_context == ssl_cert_verify_server) {
|
121
|
-
|
59
|
+
// Include the NUL byte.
|
122
60
|
static const char kContext[] = "TLS 1.3, server CertificateVerify";
|
123
61
|
context = (const uint8_t *)kContext;
|
124
62
|
context_len = sizeof(kContext);
|
@@ -131,59 +69,50 @@ int tls13_get_cert_verify_signature_input(
|
|
131
69
|
context = (const uint8_t *)kContext;
|
132
70
|
context_len = sizeof(kContext);
|
133
71
|
} else {
|
134
|
-
|
72
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
73
|
+
return 0;
|
135
74
|
}
|
136
75
|
|
137
|
-
if (!CBB_add_bytes(
|
138
|
-
|
76
|
+
if (!CBB_add_bytes(cbb.get(), context, context_len)) {
|
77
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
78
|
+
return 0;
|
139
79
|
}
|
140
80
|
|
141
81
|
uint8_t context_hash[EVP_MAX_MD_SIZE];
|
142
82
|
size_t context_hash_len;
|
143
|
-
if (!
|
144
|
-
|
145
|
-
!
|
146
|
-
|
147
|
-
|
83
|
+
if (!hs->transcript.GetHash(context_hash, &context_hash_len) ||
|
84
|
+
!CBB_add_bytes(cbb.get(), context_hash, context_hash_len) ||
|
85
|
+
!CBB_finish(cbb.get(), out, out_len)) {
|
86
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
87
|
+
return 0;
|
148
88
|
}
|
149
89
|
|
150
90
|
return 1;
|
151
|
-
|
152
|
-
err:
|
153
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
154
|
-
CBB_cleanup(&cbb);
|
155
|
-
return 0;
|
156
91
|
}
|
157
92
|
|
158
|
-
int tls13_process_certificate(SSL_HANDSHAKE *hs,
|
93
|
+
int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,
|
94
|
+
int allow_anonymous) {
|
159
95
|
SSL *const ssl = hs->ssl;
|
160
|
-
CBS
|
161
|
-
|
162
|
-
|
163
|
-
|
96
|
+
CBS body = msg.body, context, certificate_list;
|
97
|
+
if (!CBS_get_u8_length_prefixed(&body, &context) ||
|
98
|
+
CBS_len(&context) != 0 ||
|
99
|
+
!CBS_get_u24_length_prefixed(&body, &certificate_list) ||
|
100
|
+
CBS_len(&body) != 0) {
|
164
101
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
165
102
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
166
103
|
return 0;
|
167
104
|
}
|
168
105
|
|
169
|
-
|
170
|
-
|
171
|
-
int ret = 0;
|
172
|
-
|
173
|
-
EVP_PKEY *pkey = NULL;
|
174
|
-
STACK_OF(CRYPTO_BUFFER) *certs = sk_CRYPTO_BUFFER_new_null();
|
175
|
-
if (certs == NULL) {
|
106
|
+
UniquePtr<STACK_OF(CRYPTO_BUFFER)> certs(sk_CRYPTO_BUFFER_new_null());
|
107
|
+
if (!certs) {
|
176
108
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
177
109
|
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
178
|
-
|
179
|
-
}
|
180
|
-
|
181
|
-
if (!CBS_get_u24_length_prefixed(&cbs, &certificate_list)) {
|
182
|
-
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
183
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
184
|
-
goto err;
|
110
|
+
return 0;
|
185
111
|
}
|
186
112
|
|
113
|
+
const bool retain_sha256 =
|
114
|
+
ssl->server && ssl->retain_only_sha256_of_client_certs;
|
115
|
+
UniquePtr<EVP_PKEY> pkey;
|
187
116
|
while (CBS_len(&certificate_list) > 0) {
|
188
117
|
CBS certificate, extensions;
|
189
118
|
if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate) ||
|
@@ -191,42 +120,41 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, int allow_anonymous) {
|
|
191
120
|
CBS_len(&certificate) == 0) {
|
192
121
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
193
122
|
OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);
|
194
|
-
|
123
|
+
return 0;
|
195
124
|
}
|
196
125
|
|
197
|
-
if (sk_CRYPTO_BUFFER_num(certs) == 0) {
|
126
|
+
if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) {
|
198
127
|
pkey = ssl_cert_parse_pubkey(&certificate);
|
199
|
-
if (pkey
|
128
|
+
if (!pkey) {
|
200
129
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
201
130
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
202
|
-
|
131
|
+
return 0;
|
203
132
|
}
|
204
|
-
|
205
|
-
|
133
|
+
// TLS 1.3 always uses certificate keys for signing thus the correct
|
134
|
+
// keyUsage is enforced.
|
206
135
|
if (!ssl_cert_check_digital_signature_key_usage(&certificate)) {
|
207
136
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
208
|
-
|
137
|
+
return 0;
|
209
138
|
}
|
210
139
|
|
211
140
|
if (retain_sha256) {
|
212
|
-
|
141
|
+
// Retain the hash of the leaf certificate if requested.
|
213
142
|
SHA256(CBS_data(&certificate), CBS_len(&certificate),
|
214
143
|
hs->new_session->peer_sha256);
|
215
144
|
}
|
216
145
|
}
|
217
146
|
|
218
|
-
CRYPTO_BUFFER
|
219
|
-
CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool);
|
220
|
-
if (buf
|
221
|
-
!
|
222
|
-
CRYPTO_BUFFER_free(buf);
|
147
|
+
UniquePtr<CRYPTO_BUFFER> buf(
|
148
|
+
CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool));
|
149
|
+
if (!buf ||
|
150
|
+
!PushToStack(certs.get(), std::move(buf))) {
|
223
151
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
224
152
|
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
225
|
-
|
153
|
+
return 0;
|
226
154
|
}
|
227
155
|
|
228
|
-
|
229
|
-
|
156
|
+
// Parse out the extensions.
|
157
|
+
bool have_status_request = false, have_sct = false;
|
230
158
|
CBS status_request, sct;
|
231
159
|
const SSL_EXTENSION_TYPE ext_types[] = {
|
232
160
|
{TLSEXT_TYPE_status_request, &have_status_request, &status_request},
|
@@ -238,16 +166,16 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, int allow_anonymous) {
|
|
238
166
|
OPENSSL_ARRAY_SIZE(ext_types),
|
239
167
|
0 /* reject unknown */)) {
|
240
168
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
|
241
|
-
|
169
|
+
return 0;
|
242
170
|
}
|
243
171
|
|
244
|
-
|
245
|
-
|
172
|
+
// All Certificate extensions are parsed, but only the leaf extensions are
|
173
|
+
// stored.
|
246
174
|
if (have_status_request) {
|
247
175
|
if (ssl->server || !ssl->ocsp_stapling_enabled) {
|
248
176
|
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
249
177
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
|
250
|
-
|
178
|
+
return 0;
|
251
179
|
}
|
252
180
|
|
253
181
|
uint8_t status_type;
|
@@ -258,14 +186,17 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, int allow_anonymous) {
|
|
258
186
|
CBS_len(&ocsp_response) == 0 ||
|
259
187
|
CBS_len(&status_request) != 0) {
|
260
188
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
261
|
-
|
189
|
+
return 0;
|
262
190
|
}
|
263
191
|
|
264
|
-
if (sk_CRYPTO_BUFFER_num(certs) == 1
|
265
|
-
|
266
|
-
|
267
|
-
|
268
|
-
|
192
|
+
if (sk_CRYPTO_BUFFER_num(certs.get()) == 1) {
|
193
|
+
CRYPTO_BUFFER_free(hs->new_session->ocsp_response);
|
194
|
+
hs->new_session->ocsp_response =
|
195
|
+
CRYPTO_BUFFER_new_from_CBS(&ocsp_response, ssl->ctx->pool);
|
196
|
+
if (hs->new_session->ocsp_response == nullptr) {
|
197
|
+
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
198
|
+
return 0;
|
199
|
+
}
|
269
200
|
}
|
270
201
|
}
|
271
202
|
|
@@ -273,114 +204,100 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, int allow_anonymous) {
|
|
273
204
|
if (ssl->server || !ssl->signed_cert_timestamps_enabled) {
|
274
205
|
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
275
206
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
|
276
|
-
|
207
|
+
return 0;
|
277
208
|
}
|
278
209
|
|
279
210
|
if (!ssl_is_sct_list_valid(&sct)) {
|
280
211
|
OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
|
281
212
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
282
|
-
|
213
|
+
return 0;
|
283
214
|
}
|
284
215
|
|
285
|
-
if (sk_CRYPTO_BUFFER_num(certs) == 1
|
286
|
-
|
287
|
-
|
288
|
-
|
289
|
-
|
290
|
-
|
216
|
+
if (sk_CRYPTO_BUFFER_num(certs.get()) == 1) {
|
217
|
+
CRYPTO_BUFFER_free(hs->new_session->signed_cert_timestamp_list);
|
218
|
+
hs->new_session->signed_cert_timestamp_list =
|
219
|
+
CRYPTO_BUFFER_new_from_CBS(&sct, ssl->ctx->pool);
|
220
|
+
if (hs->new_session->signed_cert_timestamp_list == nullptr) {
|
221
|
+
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
222
|
+
return 0;
|
223
|
+
}
|
291
224
|
}
|
292
225
|
}
|
293
226
|
}
|
294
227
|
|
295
|
-
if
|
296
|
-
|
297
|
-
|
298
|
-
|
228
|
+
// Store a null certificate list rather than an empty one if the peer didn't
|
229
|
+
// send certificates.
|
230
|
+
if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) {
|
231
|
+
certs.reset();
|
299
232
|
}
|
300
233
|
|
301
|
-
|
302
|
-
hs->peer_pubkey = pkey;
|
303
|
-
pkey = NULL;
|
234
|
+
hs->peer_pubkey = std::move(pkey);
|
304
235
|
|
305
236
|
sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free);
|
306
|
-
hs->new_session->certs = certs;
|
307
|
-
certs = NULL;
|
237
|
+
hs->new_session->certs = certs.release();
|
308
238
|
|
309
|
-
if (!ssl->ctx->x509_method->session_cache_objects(hs->new_session)) {
|
239
|
+
if (!ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) {
|
310
240
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
311
241
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
312
|
-
|
242
|
+
return 0;
|
313
243
|
}
|
314
244
|
|
315
245
|
if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {
|
316
246
|
if (!allow_anonymous) {
|
317
247
|
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
|
318
248
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_CERTIFICATE_REQUIRED);
|
319
|
-
|
249
|
+
return 0;
|
320
250
|
}
|
321
251
|
|
322
|
-
|
323
|
-
|
252
|
+
// OpenSSL returns X509_V_OK when no certificates are requested. This is
|
253
|
+
// classed by them as a bug, but it's assumed by at least NGINX.
|
324
254
|
hs->new_session->verify_result = X509_V_OK;
|
325
255
|
|
326
|
-
|
327
|
-
|
328
|
-
goto err;
|
256
|
+
// No certificate, so nothing more to do.
|
257
|
+
return 1;
|
329
258
|
}
|
330
259
|
|
331
260
|
hs->new_session->peer_sha256_valid = retain_sha256;
|
332
|
-
|
333
|
-
if (!ssl_verify_cert_chain(ssl, &hs->new_session->verify_result,
|
334
|
-
hs->new_session->x509_chain)) {
|
335
|
-
goto err;
|
336
|
-
}
|
337
|
-
|
338
|
-
ret = 1;
|
339
|
-
|
340
|
-
err:
|
341
|
-
sk_CRYPTO_BUFFER_pop_free(certs, CRYPTO_BUFFER_free);
|
342
|
-
EVP_PKEY_free(pkey);
|
343
|
-
return ret;
|
261
|
+
return 1;
|
344
262
|
}
|
345
263
|
|
346
|
-
int tls13_process_certificate_verify(SSL_HANDSHAKE *hs) {
|
264
|
+
int tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
|
347
265
|
SSL *const ssl = hs->ssl;
|
348
|
-
int ret = 0;
|
349
|
-
uint8_t *msg = NULL;
|
350
|
-
size_t msg_len;
|
351
|
-
|
352
266
|
if (hs->peer_pubkey == NULL) {
|
353
|
-
|
267
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
268
|
+
return 0;
|
354
269
|
}
|
355
270
|
|
356
|
-
CBS
|
271
|
+
CBS body = msg.body, signature;
|
357
272
|
uint16_t signature_algorithm;
|
358
|
-
|
359
|
-
|
360
|
-
|
361
|
-
CBS_len(&cbs) != 0) {
|
273
|
+
if (!CBS_get_u16(&body, &signature_algorithm) ||
|
274
|
+
!CBS_get_u16_length_prefixed(&body, &signature) ||
|
275
|
+
CBS_len(&body) != 0) {
|
362
276
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
363
277
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
364
|
-
|
278
|
+
return 0;
|
365
279
|
}
|
366
280
|
|
367
|
-
|
368
|
-
if (!tls12_check_peer_sigalg(ssl, &
|
369
|
-
ssl3_send_alert(ssl, SSL3_AL_FATAL,
|
370
|
-
|
281
|
+
uint8_t alert = SSL_AD_DECODE_ERROR;
|
282
|
+
if (!tls12_check_peer_sigalg(ssl, &alert, signature_algorithm)) {
|
283
|
+
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
|
284
|
+
return 0;
|
371
285
|
}
|
372
286
|
hs->new_session->peer_signature_algorithm = signature_algorithm;
|
373
287
|
|
288
|
+
uint8_t *input = NULL;
|
289
|
+
size_t input_len;
|
374
290
|
if (!tls13_get_cert_verify_signature_input(
|
375
|
-
hs, &
|
291
|
+
hs, &input, &input_len,
|
376
292
|
ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {
|
377
293
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
378
|
-
|
294
|
+
return 0;
|
379
295
|
}
|
296
|
+
UniquePtr<uint8_t> free_input(input);
|
380
297
|
|
381
|
-
int sig_ok =
|
382
|
-
|
383
|
-
|
298
|
+
int sig_ok = ssl_public_key_verify(ssl, CBS_data(&signature),
|
299
|
+
CBS_len(&signature), signature_algorithm,
|
300
|
+
hs->peer_pubkey.get(), input, input_len);
|
384
301
|
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
|
385
302
|
sig_ok = 1;
|
386
303
|
ERR_clear_error();
|
@@ -388,27 +305,31 @@ int tls13_process_certificate_verify(SSL_HANDSHAKE *hs) {
|
|
388
305
|
if (!sig_ok) {
|
389
306
|
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
|
390
307
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
|
391
|
-
|
308
|
+
return 0;
|
392
309
|
}
|
393
310
|
|
394
|
-
|
395
|
-
|
396
|
-
err:
|
397
|
-
OPENSSL_free(msg);
|
398
|
-
return ret;
|
311
|
+
return 1;
|
399
312
|
}
|
400
313
|
|
401
|
-
int tls13_process_finished(SSL_HANDSHAKE *hs
|
314
|
+
int tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg,
|
315
|
+
int use_saved_value) {
|
402
316
|
SSL *const ssl = hs->ssl;
|
403
|
-
uint8_t
|
317
|
+
uint8_t verify_data_buf[EVP_MAX_MD_SIZE];
|
318
|
+
const uint8_t *verify_data;
|
404
319
|
size_t verify_data_len;
|
405
|
-
if (
|
406
|
-
|
320
|
+
if (use_saved_value) {
|
321
|
+
assert(ssl->server);
|
322
|
+
verify_data = hs->expected_client_finished;
|
323
|
+
verify_data_len = hs->hash_len;
|
324
|
+
} else {
|
325
|
+
if (!tls13_finished_mac(hs, verify_data_buf, &verify_data_len,
|
326
|
+
!ssl->server)) {
|
327
|
+
return 0;
|
328
|
+
}
|
329
|
+
verify_data = verify_data_buf;
|
407
330
|
}
|
408
331
|
|
409
|
-
int finished_ok =
|
410
|
-
ssl->init_num == verify_data_len &&
|
411
|
-
CRYPTO_memcmp(verify_data, ssl->init_msg, verify_data_len) == 0;
|
332
|
+
int finished_ok = CBS_mem_equal(&msg.body, verify_data, verify_data_len);
|
412
333
|
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
|
413
334
|
finished_ok = 1;
|
414
335
|
#endif
|
@@ -423,21 +344,18 @@ int tls13_process_finished(SSL_HANDSHAKE *hs) {
|
|
423
344
|
|
424
345
|
int tls13_add_certificate(SSL_HANDSHAKE *hs) {
|
425
346
|
SSL *const ssl = hs->ssl;
|
426
|
-
|
427
|
-
|
428
|
-
|
347
|
+
ScopedCBB cbb;
|
348
|
+
CBB body, certificate_list;
|
349
|
+
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE) ||
|
350
|
+
// The request context is always empty in the handshake.
|
429
351
|
!CBB_add_u8(&body, 0) ||
|
430
352
|
!CBB_add_u24_length_prefixed(&body, &certificate_list)) {
|
431
353
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
432
|
-
|
354
|
+
return 0;
|
433
355
|
}
|
434
356
|
|
435
357
|
if (!ssl_has_certificate(ssl)) {
|
436
|
-
|
437
|
-
goto err;
|
438
|
-
}
|
439
|
-
|
440
|
-
return 1;
|
358
|
+
return ssl_add_message_cbb(ssl, cbb.get());
|
441
359
|
}
|
442
360
|
|
443
361
|
CERT *cert = ssl->cert;
|
@@ -448,7 +366,7 @@ int tls13_add_certificate(SSL_HANDSHAKE *hs) {
|
|
448
366
|
CRYPTO_BUFFER_len(leaf_buf)) ||
|
449
367
|
!CBB_add_u16_length_prefixed(&certificate_list, &extensions)) {
|
450
368
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
451
|
-
|
369
|
+
return 0;
|
452
370
|
}
|
453
371
|
|
454
372
|
if (hs->scts_requested && ssl->cert->signed_cert_timestamp_list != NULL) {
|
@@ -461,7 +379,7 @@ int tls13_add_certificate(SSL_HANDSHAKE *hs) {
|
|
461
379
|
CRYPTO_BUFFER_len(ssl->cert->signed_cert_timestamp_list)) ||
|
462
380
|
!CBB_flush(&extensions)) {
|
463
381
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
464
|
-
|
382
|
+
return 0;
|
465
383
|
}
|
466
384
|
}
|
467
385
|
|
@@ -477,7 +395,7 @@ int tls13_add_certificate(SSL_HANDSHAKE *hs) {
|
|
477
395
|
CRYPTO_BUFFER_len(ssl->cert->ocsp_response)) ||
|
478
396
|
!CBB_flush(&extensions)) {
|
479
397
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
480
|
-
|
398
|
+
return 0;
|
481
399
|
}
|
482
400
|
}
|
483
401
|
|
@@ -489,82 +407,62 @@ int tls13_add_certificate(SSL_HANDSHAKE *hs) {
|
|
489
407
|
CRYPTO_BUFFER_len(cert_buf)) ||
|
490
408
|
!CBB_add_u16(&certificate_list, 0 /* no extensions */)) {
|
491
409
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
492
|
-
|
410
|
+
return 0;
|
493
411
|
}
|
494
412
|
}
|
495
413
|
|
496
|
-
|
497
|
-
goto err;
|
498
|
-
}
|
499
|
-
|
500
|
-
return 1;
|
501
|
-
|
502
|
-
err:
|
503
|
-
CBB_cleanup(&cbb);
|
504
|
-
return 0;
|
414
|
+
return ssl_add_message_cbb(ssl, cbb.get());
|
505
415
|
}
|
506
416
|
|
507
|
-
enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs
|
508
|
-
int is_first_run) {
|
417
|
+
enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) {
|
509
418
|
SSL *const ssl = hs->ssl;
|
510
|
-
enum ssl_private_key_result_t ret = ssl_private_key_failure;
|
511
|
-
uint8_t *msg = NULL;
|
512
|
-
size_t msg_len;
|
513
|
-
CBB cbb, body;
|
514
|
-
CBB_zero(&cbb);
|
515
|
-
|
516
419
|
uint16_t signature_algorithm;
|
517
420
|
if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) {
|
518
|
-
|
421
|
+
return ssl_private_key_failure;
|
519
422
|
}
|
520
|
-
|
423
|
+
|
424
|
+
ScopedCBB cbb;
|
425
|
+
CBB body;
|
426
|
+
if (!ssl->method->init_message(ssl, cbb.get(), &body,
|
521
427
|
SSL3_MT_CERTIFICATE_VERIFY) ||
|
522
428
|
!CBB_add_u16(&body, signature_algorithm)) {
|
523
429
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
524
|
-
|
430
|
+
return ssl_private_key_failure;
|
525
431
|
}
|
526
432
|
|
527
|
-
|
433
|
+
// Sign the digest.
|
528
434
|
CBB child;
|
529
|
-
const size_t max_sig_len =
|
435
|
+
const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
|
530
436
|
uint8_t *sig;
|
531
437
|
size_t sig_len;
|
532
438
|
if (!CBB_add_u16_length_prefixed(&body, &child) ||
|
533
439
|
!CBB_reserve(&child, &sig, max_sig_len)) {
|
534
440
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
535
|
-
|
441
|
+
return ssl_private_key_failure;
|
536
442
|
}
|
537
443
|
|
538
|
-
|
539
|
-
|
540
|
-
|
541
|
-
|
542
|
-
|
543
|
-
|
544
|
-
|
545
|
-
}
|
546
|
-
sign_result = ssl_private_key_sign(ssl, sig, &sig_len, max_sig_len,
|
547
|
-
signature_algorithm, msg, msg_len);
|
548
|
-
} else {
|
549
|
-
sign_result = ssl_private_key_complete(ssl, sig, &sig_len, max_sig_len);
|
444
|
+
uint8_t *msg = NULL;
|
445
|
+
size_t msg_len;
|
446
|
+
if (!tls13_get_cert_verify_signature_input(
|
447
|
+
hs, &msg, &msg_len,
|
448
|
+
ssl->server ? ssl_cert_verify_server : ssl_cert_verify_client)) {
|
449
|
+
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
450
|
+
return ssl_private_key_failure;
|
550
451
|
}
|
452
|
+
UniquePtr<uint8_t> free_msg(msg);
|
551
453
|
|
454
|
+
enum ssl_private_key_result_t sign_result = ssl_private_key_sign(
|
455
|
+
hs, sig, &sig_len, max_sig_len, signature_algorithm, msg, msg_len);
|
552
456
|
if (sign_result != ssl_private_key_success) {
|
553
|
-
|
554
|
-
goto err;
|
457
|
+
return sign_result;
|
555
458
|
}
|
556
459
|
|
557
460
|
if (!CBB_did_write(&child, sig_len) ||
|
558
|
-
!ssl_add_message_cbb(ssl,
|
559
|
-
|
461
|
+
!ssl_add_message_cbb(ssl, cbb.get())) {
|
462
|
+
return ssl_private_key_failure;
|
560
463
|
}
|
561
464
|
|
562
|
-
|
563
|
-
|
564
|
-
err:
|
565
|
-
CBB_cleanup(&cbb);
|
566
|
-
OPENSSL_free(msg);
|
567
|
-
return ret;
|
465
|
+
return ssl_private_key_success;
|
568
466
|
}
|
569
467
|
|
570
468
|
int tls13_add_finished(SSL_HANDSHAKE *hs) {
|
@@ -578,23 +476,22 @@ int tls13_add_finished(SSL_HANDSHAKE *hs) {
|
|
578
476
|
return 0;
|
579
477
|
}
|
580
478
|
|
581
|
-
|
582
|
-
|
479
|
+
ScopedCBB cbb;
|
480
|
+
CBB body;
|
481
|
+
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) ||
|
583
482
|
!CBB_add_bytes(&body, verify_data, verify_data_len) ||
|
584
|
-
!ssl_add_message_cbb(ssl,
|
585
|
-
CBB_cleanup(&cbb);
|
483
|
+
!ssl_add_message_cbb(ssl, cbb.get())) {
|
586
484
|
return 0;
|
587
485
|
}
|
588
486
|
|
589
487
|
return 1;
|
590
488
|
}
|
591
489
|
|
592
|
-
static int tls13_receive_key_update(SSL *ssl) {
|
593
|
-
CBS
|
490
|
+
static int tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) {
|
491
|
+
CBS body = msg.body;
|
594
492
|
uint8_t key_update_request;
|
595
|
-
|
596
|
-
|
597
|
-
CBS_len(&cbs) != 0 ||
|
493
|
+
if (!CBS_get_u8(&body, &key_update_request) ||
|
494
|
+
CBS_len(&body) != 0 ||
|
598
495
|
(key_update_request != SSL_KEY_UPDATE_NOT_REQUESTED &&
|
599
496
|
key_update_request != SSL_KEY_UPDATE_REQUESTED)) {
|
600
497
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
@@ -602,13 +499,35 @@ static int tls13_receive_key_update(SSL *ssl) {
|
|
602
499
|
return 0;
|
603
500
|
}
|
604
501
|
|
605
|
-
|
606
|
-
|
607
|
-
|
502
|
+
if (!tls13_rotate_traffic_key(ssl, evp_aead_open)) {
|
503
|
+
return 0;
|
504
|
+
}
|
505
|
+
|
506
|
+
// Acknowledge the KeyUpdate
|
507
|
+
if (key_update_request == SSL_KEY_UPDATE_REQUESTED &&
|
508
|
+
!ssl->s3->key_update_pending) {
|
509
|
+
ScopedCBB cbb;
|
510
|
+
CBB body_cbb;
|
511
|
+
if (!ssl->method->init_message(ssl, cbb.get(), &body_cbb,
|
512
|
+
SSL3_MT_KEY_UPDATE) ||
|
513
|
+
!CBB_add_u8(&body_cbb, SSL_KEY_UPDATE_NOT_REQUESTED) ||
|
514
|
+
!ssl_add_message_cbb(ssl, cbb.get()) ||
|
515
|
+
!tls13_rotate_traffic_key(ssl, evp_aead_seal)) {
|
516
|
+
return 0;
|
517
|
+
}
|
518
|
+
|
519
|
+
// Suppress KeyUpdate acknowledgments until this change is written to the
|
520
|
+
// wire. This prevents us from accumulating write obligations when read and
|
521
|
+
// write progress at different rates. See draft-ietf-tls-tls13-18, section
|
522
|
+
// 4.5.3.
|
523
|
+
ssl->s3->key_update_pending = true;
|
524
|
+
}
|
525
|
+
|
526
|
+
return 1;
|
608
527
|
}
|
609
528
|
|
610
|
-
int tls13_post_handshake(SSL *ssl) {
|
611
|
-
if (
|
529
|
+
int tls13_post_handshake(SSL *ssl, const SSLMessage &msg) {
|
530
|
+
if (msg.type == SSL3_MT_KEY_UPDATE) {
|
612
531
|
ssl->s3->key_update_count++;
|
613
532
|
if (ssl->s3->key_update_count > kMaxKeyUpdates) {
|
614
533
|
OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_KEY_UPDATES);
|
@@ -616,19 +535,18 @@ int tls13_post_handshake(SSL *ssl) {
|
|
616
535
|
return 0;
|
617
536
|
}
|
618
537
|
|
619
|
-
return tls13_receive_key_update(ssl);
|
538
|
+
return tls13_receive_key_update(ssl, msg);
|
620
539
|
}
|
621
540
|
|
622
541
|
ssl->s3->key_update_count = 0;
|
623
542
|
|
624
|
-
if (
|
625
|
-
|
626
|
-
return tls13_process_new_session_ticket(ssl);
|
543
|
+
if (msg.type == SSL3_MT_NEW_SESSION_TICKET && !ssl->server) {
|
544
|
+
return tls13_process_new_session_ticket(ssl, msg);
|
627
545
|
}
|
628
546
|
|
629
|
-
// TODO(svaldez): Handle post-handshake authentication.
|
630
|
-
|
631
547
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
|
632
548
|
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
|
633
549
|
return 0;
|
634
550
|
}
|
551
|
+
|
552
|
+
} // namespace bssl
|