grpc 1.28.0 → 1.42.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +1824 -22390
- data/etc/roots.pem +592 -899
- data/include/grpc/byte_buffer.h +1 -1
- data/include/grpc/byte_buffer_reader.h +1 -1
- data/include/grpc/compression.h +1 -1
- data/include/grpc/event_engine/README.md +38 -0
- data/include/grpc/event_engine/endpoint_config.h +43 -0
- data/include/grpc/event_engine/event_engine.h +375 -0
- data/include/grpc/event_engine/internal/memory_allocator_impl.h +98 -0
- data/include/grpc/event_engine/memory_allocator.h +210 -0
- data/include/grpc/event_engine/port.h +39 -0
- data/include/grpc/fork.h +1 -1
- data/include/grpc/grpc.h +52 -13
- data/include/grpc/grpc_posix.h +5 -2
- data/include/grpc/grpc_security.h +324 -180
- data/include/grpc/grpc_security_constants.h +20 -0
- data/include/grpc/impl/codegen/README.md +22 -0
- data/include/grpc/impl/codegen/atm.h +5 -3
- data/include/grpc/impl/codegen/atm_gcc_atomic.h +2 -0
- data/include/grpc/impl/codegen/atm_gcc_sync.h +2 -0
- data/include/grpc/impl/codegen/atm_windows.h +6 -0
- data/include/grpc/impl/codegen/byte_buffer.h +3 -1
- data/include/grpc/impl/codegen/byte_buffer_reader.h +2 -0
- data/include/grpc/impl/codegen/compression_types.h +2 -0
- data/include/grpc/impl/codegen/connectivity_state.h +2 -0
- data/include/grpc/impl/codegen/fork.h +2 -0
- data/include/grpc/impl/codegen/gpr_slice.h +2 -0
- data/include/grpc/impl/codegen/gpr_types.h +2 -0
- data/include/grpc/impl/codegen/grpc_types.h +80 -54
- data/include/grpc/impl/codegen/log.h +2 -2
- data/include/grpc/impl/codegen/port_platform.h +103 -100
- data/include/grpc/impl/codegen/propagation_bits.h +2 -0
- data/include/grpc/impl/codegen/slice.h +2 -0
- data/include/grpc/impl/codegen/status.h +2 -0
- data/include/grpc/impl/codegen/sync.h +8 -5
- data/include/grpc/impl/codegen/sync_abseil.h +2 -0
- data/include/grpc/impl/codegen/sync_custom.h +2 -0
- data/include/grpc/impl/codegen/sync_generic.h +3 -0
- data/include/grpc/impl/codegen/sync_posix.h +4 -2
- data/include/grpc/impl/codegen/sync_windows.h +6 -0
- data/include/grpc/module.modulemap +31 -46
- data/include/grpc/slice.h +1 -1
- data/include/grpc/slice_buffer.h +3 -3
- data/include/grpc/status.h +1 -1
- data/include/grpc/support/atm.h +1 -1
- data/include/grpc/support/atm_gcc_atomic.h +1 -1
- data/include/grpc/support/atm_gcc_sync.h +1 -1
- data/include/grpc/support/atm_windows.h +1 -1
- data/include/grpc/support/log.h +1 -1
- data/include/grpc/support/port_platform.h +1 -1
- data/include/grpc/support/sync.h +4 -4
- data/include/grpc/support/sync_abseil.h +1 -1
- data/include/grpc/support/sync_custom.h +1 -1
- data/include/grpc/support/sync_generic.h +1 -1
- data/include/grpc/support/sync_posix.h +1 -1
- data/include/grpc/support/sync_windows.h +1 -1
- data/include/grpc/support/time.h +9 -9
- data/src/core/ext/filters/census/grpc_context.cc +1 -0
- data/src/core/ext/filters/client_channel/backend_metric.cc +30 -28
- data/src/core/ext/filters/client_channel/backup_poller.cc +8 -6
- data/src/core/ext/filters/client_channel/backup_poller.h +1 -0
- data/src/core/ext/filters/client_channel/channel_connectivity.cc +158 -202
- data/src/core/ext/filters/client_channel/client_channel.cc +2207 -3176
- data/src/core/ext/filters/client_channel/client_channel.h +561 -62
- data/src/core/ext/filters/client_channel/client_channel_channelz.cc +6 -5
- data/src/core/ext/filters/client_channel/client_channel_channelz.h +2 -5
- data/src/core/ext/filters/client_channel/client_channel_factory.cc +2 -1
- data/src/core/ext/filters/client_channel/client_channel_factory.h +18 -19
- data/src/core/ext/filters/client_channel/client_channel_plugin.cc +18 -13
- data/src/core/ext/filters/client_channel/config_selector.cc +59 -0
- data/src/core/ext/filters/client_channel/config_selector.h +145 -0
- data/src/core/ext/filters/client_channel/connector.h +19 -19
- data/src/core/ext/filters/client_channel/dynamic_filters.cc +190 -0
- data/src/core/ext/filters/client_channel/dynamic_filters.h +99 -0
- data/src/core/ext/filters/client_channel/global_subchannel_pool.cc +26 -122
- data/src/core/ext/filters/client_channel/global_subchannel_pool.h +15 -11
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +71 -73
- data/src/core/ext/filters/client_channel/health/health_check_client.h +37 -35
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +43 -40
- data/src/core/ext/filters/client_channel/http_connect_handshaker.h +10 -2
- data/src/core/ext/filters/client_channel/http_proxy.cc +59 -34
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.cc +96 -0
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.h +101 -0
- data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.cc +26 -13
- data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +12 -21
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +659 -608
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h +4 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.cc +76 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.h +37 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +8 -44
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.cc +3 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.h +5 -3
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.cc +5 -6
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +57 -44
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +918 -0
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +757 -0
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +37 -0
- data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +2502 -0
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +25 -26
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +19 -47
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +741 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +512 -137
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.h +53 -26
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h +29 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +795 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +701 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +1362 -0
- data/src/core/ext/filters/client_channel/lb_policy.cc +29 -35
- data/src/core/ext/filters/client_channel/lb_policy.h +130 -117
- data/src/core/ext/filters/client_channel/lb_policy_factory.h +2 -1
- data/src/core/ext/filters/client_channel/lb_policy_registry.cc +19 -12
- data/src/core/ext/filters/client_channel/lb_policy_registry.h +1 -1
- data/src/core/ext/filters/client_channel/local_subchannel_pool.cc +27 -67
- data/src/core/ext/filters/client_channel/local_subchannel_pool.h +12 -10
- data/src/core/ext/filters/client_channel/resolver/binder/binder_resolver.cc +139 -0
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +136 -131
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +6 -35
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_event_engine.cc +31 -0
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +20 -17
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +98 -138
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +651 -216
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +32 -5
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_event_engine.cc +28 -0
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_windows.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +79 -68
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +124 -136
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +8 -10
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +384 -0
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +38 -31
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +892 -47
- data/src/core/ext/filters/client_channel/{xds/xds_channel_args.h → resolver/xds/xds_resolver.h} +9 -7
- data/src/core/ext/filters/client_channel/resolver.cc +9 -10
- data/src/core/ext/filters/client_channel/resolver.h +13 -23
- data/src/core/ext/filters/client_channel/resolver_factory.h +10 -8
- data/src/core/ext/filters/client_channel/resolver_registry.cc +57 -56
- data/src/core/ext/filters/client_channel/resolver_registry.h +10 -10
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +61 -315
- data/src/core/ext/filters/client_channel/resolver_result_parsing.h +42 -67
- data/src/core/ext/filters/client_channel/retry_filter.cc +2573 -0
- data/src/core/ext/filters/{workarounds/workaround_cronet_compression_filter.h → client_channel/retry_filter.h} +9 -6
- data/src/core/ext/filters/client_channel/retry_service_config.cc +316 -0
- data/src/core/ext/filters/client_channel/retry_service_config.h +96 -0
- data/src/core/ext/filters/client_channel/retry_throttle.cc +20 -49
- data/src/core/ext/filters/client_channel/retry_throttle.h +4 -2
- data/src/core/ext/filters/client_channel/server_address.cc +132 -13
- data/src/core/ext/filters/client_channel/server_address.h +80 -32
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +156 -0
- data/src/core/ext/filters/client_channel/subchannel.cc +271 -347
- data/src/core/ext/filters/client_channel/subchannel.h +142 -163
- data/src/core/ext/filters/client_channel/subchannel_interface.h +41 -5
- data/src/core/ext/filters/client_channel/subchannel_pool_interface.cc +38 -9
- data/src/core/ext/filters/client_channel/subchannel_pool_interface.h +27 -12
- data/src/core/ext/filters/client_idle/client_idle_filter.cc +47 -223
- data/src/core/ext/filters/client_idle/idle_filter_state.cc +96 -0
- data/src/core/ext/filters/client_idle/idle_filter_state.h +66 -0
- data/src/core/ext/filters/deadline/deadline_filter.cc +113 -108
- data/src/core/ext/filters/deadline/deadline_filter.h +7 -11
- data/src/core/ext/filters/fault_injection/fault_injection_filter.cc +503 -0
- data/src/core/ext/filters/fault_injection/fault_injection_filter.h +39 -0
- data/src/core/ext/filters/fault_injection/service_config_parser.cc +181 -0
- data/src/core/ext/filters/fault_injection/service_config_parser.h +85 -0
- data/src/core/ext/filters/http/client/http_client_filter.cc +104 -101
- data/src/core/ext/filters/http/client_authority_filter.cc +21 -21
- data/src/core/ext/filters/http/http_filters_plugin.cc +54 -53
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +274 -230
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +398 -0
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.h +31 -0
- data/src/core/ext/filters/http/server/http_server_filter.cc +107 -98
- data/src/core/ext/filters/max_age/max_age_filter.cc +74 -70
- data/src/core/ext/filters/message_size/message_size_filter.cc +89 -113
- data/src/core/ext/filters/message_size/message_size_filter.h +12 -5
- data/src/core/ext/service_config/service_config.cc +227 -0
- data/src/core/ext/service_config/service_config.h +127 -0
- data/src/core/ext/service_config/service_config_call_data.h +72 -0
- data/src/core/ext/service_config/service_config_parser.cc +89 -0
- data/src/core/ext/service_config/service_config_parser.h +97 -0
- data/src/core/ext/transport/chttp2/alpn/alpn.cc +2 -1
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +119 -49
- data/src/core/ext/transport/chttp2/client/chttp2_connector.h +24 -5
- data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +42 -35
- data/src/core/ext/transport/chttp2/client/insecure/channel_create_posix.cc +32 -16
- data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +52 -88
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +829 -357
- data/src/core/ext/transport/chttp2/server/chttp2_server.h +16 -2
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +14 -6
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +32 -24
- data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +64 -25
- data/src/core/ext/transport/chttp2/transport/bin_decoder.cc +11 -9
- data/src/core/ext/transport/chttp2/transport/bin_decoder.h +2 -1
- data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +5 -6
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +548 -542
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +17 -2
- data/src/core/ext/transport/chttp2/transport/context_list.cc +4 -5
- data/src/core/ext/transport/chttp2/transport/context_list.h +5 -6
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +82 -60
- data/src/core/ext/transport/chttp2/transport/flow_control.h +47 -33
- data/src/core/ext/transport/chttp2/transport/frame_data.cc +30 -29
- data/src/core/ext/transport/chttp2/transport/frame_data.h +11 -10
- data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +25 -25
- data/src/core/ext/transport/chttp2/transport/frame_goaway.h +9 -9
- data/src/core/ext/transport/chttp2/transport/frame_ping.cc +15 -16
- data/src/core/ext/transport/chttp2/transport/frame_ping.h +10 -9
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +18 -22
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.h +9 -9
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +53 -22
- data/src/core/ext/transport/chttp2/transport/frame_settings.h +11 -10
- data/src/core/ext/transport/chttp2/transport/frame_window_update.cc +25 -25
- data/src/core/ext/transport/chttp2/transport/frame_window_update.h +7 -9
- data/src/core/ext/transport/chttp2/transport/hpack_constants.h +41 -0
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +311 -652
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +241 -72
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_index.h +107 -0
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.cc +86 -0
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.h +69 -0
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +868 -1175
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +102 -84
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +146 -0
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +137 -0
- data/src/core/ext/transport/chttp2/transport/hpack_utils.cc +46 -0
- data/src/core/ext/transport/chttp2/transport/hpack_utils.h +30 -0
- data/src/core/ext/transport/chttp2/transport/http2_settings.h +4 -5
- data/src/core/ext/transport/chttp2/transport/huffsyms.h +2 -3
- data/src/core/ext/transport/chttp2/transport/internal.h +77 -56
- data/src/core/ext/transport/chttp2/transport/parsing.cc +168 -320
- data/src/core/ext/transport/chttp2/transport/popularity_count.h +60 -0
- data/src/core/ext/transport/chttp2/transport/stream_lists.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/stream_map.h +2 -3
- data/src/core/ext/transport/chttp2/transport/varint.cc +13 -7
- data/src/core/ext/transport/chttp2/transport/varint.h +39 -28
- data/src/core/ext/transport/chttp2/transport/writing.cc +97 -80
- data/src/core/ext/transport/inproc/inproc_transport.cc +263 -180
- data/src/core/ext/upb-generated/envoy/admin/v3/config_dump.upb.c +406 -0
- data/src/core/ext/upb-generated/envoy/admin/v3/config_dump.upb.h +1591 -0
- data/src/core/ext/upb-generated/envoy/annotations/deprecation.upb.c +1 -1
- data/src/core/ext/upb-generated/envoy/annotations/deprecation.upb.h +2 -2
- data/src/core/ext/upb-generated/envoy/annotations/resource.upb.c +3 -3
- data/src/core/ext/upb-generated/envoy/annotations/resource.upb.h +18 -6
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.c +243 -0
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.h +955 -0
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +371 -0
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +1554 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/circuit_breaker.upb.c +74 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/circuit_breaker.upb.h +271 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +494 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +2116 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/filter.upb.c +35 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/filter.upb.h +83 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.c +56 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.h +370 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/address.upb.c +124 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/address.upb.h +470 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/backoff.upb.c +35 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/backoff.upb.h +94 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +382 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +1295 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.c +103 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h +418 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/event_service_config.upb.c +34 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/event_service_config.upb.h +84 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/extension.upb.c +53 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/extension.upb.h +161 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/grpc_service.upb.c +241 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/grpc_service.upb.h +917 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c +171 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.h +830 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/http_uri.upb.c +36 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/http_uri.upb.h +94 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +244 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +1089 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +27 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +71 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/resolver.upb.c +46 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/resolver.upb.h +133 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/socket_option.upb.c +34 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/socket_option.upb.h +101 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +43 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.h +132 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/udp_socket_config.upb.c +35 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/udp_socket_config.upb.h +96 -0
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.c +90 -0
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.h +261 -0
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint_components.upb.c +125 -0
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint_components.upb.h +462 -0
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/load_report.upb.c +112 -0
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/load_report.upb.h +397 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/api_listener.upb.c +33 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/api_listener.upb.h +79 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +138 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +640 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +161 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +680 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +48 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +177 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +42 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.h +127 -0
- data/src/core/ext/upb-generated/envoy/config/metrics/v3/stats.upb.c +144 -0
- data/src/core/ext/upb-generated/envoy/config/metrics/v3/stats.upb.h +536 -0
- data/src/core/ext/upb-generated/envoy/config/overload/v3/overload.upb.c +153 -0
- data/src/core/ext/upb-generated/envoy/config/overload/v3/overload.upb.h +550 -0
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +185 -0
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +738 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +82 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +312 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +960 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +4213 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/scoped_route.upb.c +60 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/scoped_route.upb.h +177 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.c +49 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.h +134 -0
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c +29 -0
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h +73 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c +79 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h +298 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c +79 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h +303 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c +42 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h +123 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +403 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +1785 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c +19 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.h +35 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +130 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +559 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.c +73 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.h +237 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.c +148 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.h +674 -0
- data/src/core/ext/upb-generated/envoy/service/cluster/v3/cds.upb.c +27 -0
- data/src/core/ext/upb-generated/envoy/service/cluster/v3/cds.upb.h +62 -0
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/ads.upb.c +25 -0
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/ads.upb.h +62 -0
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.c +146 -0
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.h +535 -0
- data/src/core/ext/upb-generated/envoy/service/endpoint/v3/eds.upb.c +27 -0
- data/src/core/ext/upb-generated/envoy/service/endpoint/v3/eds.upb.h +62 -0
- data/src/core/ext/upb-generated/envoy/service/listener/v3/lds.upb.c +27 -0
- data/src/core/ext/upb-generated/envoy/service/listener/v3/lds.upb.h +62 -0
- data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.c +54 -0
- data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.h +163 -0
- data/src/core/ext/upb-generated/envoy/{api/v2/srds.upb.c → service/route/v3/rds.upb.c} +8 -8
- data/src/core/ext/upb-generated/envoy/service/route/v3/rds.upb.h +62 -0
- data/src/core/ext/upb-generated/envoy/service/route/v3/srds.upb.c +27 -0
- data/src/core/ext/upb-generated/envoy/service/route/v3/srds.upb.h +62 -0
- data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.c +121 -0
- data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.h +468 -0
- data/src/core/ext/upb-generated/envoy/type/http/v3/path_transformation.upb.c +60 -0
- data/src/core/ext/upb-generated/envoy/type/http/v3/path_transformation.upb.h +205 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/metadata.upb.c +48 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/metadata.upb.h +144 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/node.upb.c +36 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/node.upb.h +96 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/number.upb.c +35 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/number.upb.h +90 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/path.upb.c +34 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/path.upb.h +84 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/regex.upb.c +65 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/regex.upb.h +184 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.c +53 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.h +158 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/struct.upb.c +46 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/struct.upb.h +136 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/value.upb.c +63 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/value.upb.h +225 -0
- data/src/core/ext/upb-generated/envoy/type/metadata/v3/metadata.upb.c +88 -0
- data/src/core/ext/upb-generated/envoy/type/metadata/v3/metadata.upb.h +343 -0
- data/src/core/ext/upb-generated/envoy/type/tracing/v3/custom_tag.upb.c +90 -0
- data/src/core/ext/upb-generated/envoy/type/tracing/v3/custom_tag.upb.h +313 -0
- data/src/core/ext/upb-generated/envoy/type/{http.upb.c → v3/http.upb.c} +4 -3
- data/src/core/ext/upb-generated/envoy/type/{http.upb.h → v3/http.upb.h} +10 -10
- data/src/core/ext/upb-generated/envoy/type/v3/percent.upb.c +40 -0
- data/src/core/ext/upb-generated/envoy/type/v3/percent.upb.h +111 -0
- data/src/core/ext/upb-generated/envoy/type/v3/range.upb.c +51 -0
- data/src/core/ext/upb-generated/envoy/type/v3/range.upb.h +148 -0
- data/src/core/ext/upb-generated/envoy/type/v3/semantic_version.upb.c +30 -0
- data/src/core/ext/upb-generated/envoy/type/v3/semantic_version.upb.h +74 -0
- data/src/core/ext/upb-generated/google/api/annotations.upb.c +1 -1
- data/src/core/ext/upb-generated/google/api/annotations.upb.h +2 -2
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/checked.upb.c +242 -0
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/checked.upb.h +896 -0
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.c +251 -0
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h +943 -0
- data/src/core/ext/upb-generated/google/api/http.upb.c +18 -18
- data/src/core/ext/upb-generated/google/api/http.upb.h +74 -36
- data/src/core/ext/upb-generated/google/protobuf/any.upb.c +4 -4
- data/src/core/ext/upb-generated/google/protobuf/any.upb.h +20 -8
- data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.c +155 -154
- data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.h +881 -524
- data/src/core/ext/upb-generated/google/protobuf/duration.upb.c +4 -4
- data/src/core/ext/upb-generated/google/protobuf/duration.upb.h +20 -8
- data/src/core/ext/upb-generated/google/protobuf/empty.upb.c +2 -2
- data/src/core/ext/upb-generated/google/protobuf/empty.upb.h +16 -4
- data/src/core/ext/upb-generated/google/protobuf/struct.upb.c +15 -15
- data/src/core/ext/upb-generated/google/protobuf/struct.upb.h +77 -61
- data/src/core/ext/upb-generated/google/protobuf/timestamp.upb.c +4 -4
- data/src/core/ext/upb-generated/google/protobuf/timestamp.upb.h +20 -8
- data/src/core/ext/upb-generated/google/protobuf/wrappers.upb.c +19 -19
- data/src/core/ext/upb-generated/google/protobuf/wrappers.upb.h +146 -38
- data/src/core/ext/upb-generated/google/rpc/status.upb.c +5 -5
- data/src/core/ext/upb-generated/google/rpc/status.upb.h +25 -12
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/altscontext.upb.c +12 -12
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/altscontext.upb.h +48 -47
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.c +63 -63
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.h +307 -195
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/transport_security_common.upb.c +8 -8
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/transport_security_common.upb.h +44 -16
- data/src/core/ext/upb-generated/src/proto/grpc/health/v1/health.upb.c +5 -5
- data/src/core/ext/upb-generated/src/proto/grpc/health/v1/health.upb.h +34 -10
- data/src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.c +31 -31
- data/src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.h +186 -72
- data/src/core/ext/upb-generated/src/proto/grpc/lookup/v1/rls.upb.c +55 -0
- data/src/core/ext/upb-generated/src/proto/grpc/lookup/v1/rls.upb.h +154 -0
- data/src/core/ext/upb-generated/udpa/annotations/migrate.upb.c +8 -8
- data/src/core/ext/upb-generated/udpa/annotations/migrate.upb.h +52 -16
- data/src/core/ext/upb-generated/udpa/annotations/security.upb.c +29 -0
- data/src/core/ext/upb-generated/udpa/annotations/security.upb.h +70 -0
- data/src/core/ext/upb-generated/udpa/annotations/sensitive.upb.c +1 -1
- data/src/core/ext/upb-generated/udpa/annotations/sensitive.upb.h +2 -2
- data/src/core/ext/upb-generated/udpa/annotations/status.upb.c +28 -0
- data/src/core/ext/upb-generated/udpa/annotations/status.upb.h +77 -0
- data/src/core/ext/upb-generated/udpa/annotations/versioning.upb.c +27 -0
- data/src/core/ext/upb-generated/udpa/annotations/versioning.upb.h +66 -0
- data/src/core/ext/upb-generated/validate/validate.upb.c +243 -226
- data/src/core/ext/upb-generated/validate/validate.upb.h +1048 -668
- data/src/core/ext/upb-generated/xds/annotations/v3/status.upb.c +58 -0
- data/src/core/ext/upb-generated/xds/annotations/v3/status.upb.h +182 -0
- data/src/core/ext/upb-generated/xds/core/v3/authority.upb.c +28 -0
- data/src/core/ext/upb-generated/xds/core/v3/authority.upb.h +66 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.c +52 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.h +155 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.c +42 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.h +90 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource.upb.c +36 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource.upb.h +100 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.c +54 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.h +178 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.c +36 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.h +91 -0
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +58 -0
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +130 -0
- data/src/core/ext/upb-generated/xds/type/v3/typed_struct.upb.c +33 -0
- data/src/core/ext/upb-generated/xds/type/v3/typed_struct.upb.h +83 -0
- data/src/core/ext/upbdefs-generated/envoy/admin/v3/config_dump.upbdefs.c +354 -0
- data/src/core/ext/upbdefs-generated/envoy/admin/v3/config_dump.upbdefs.h +140 -0
- data/src/core/ext/upbdefs-generated/envoy/annotations/deprecation.upbdefs.c +46 -0
- data/src/core/ext/upbdefs-generated/envoy/annotations/deprecation.upbdefs.h +30 -0
- data/src/core/ext/upbdefs-generated/envoy/annotations/resource.upbdefs.c +41 -0
- data/src/core/ext/upbdefs-generated/envoy/annotations/resource.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.c +252 -0
- data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.h +105 -0
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +424 -0
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.h +120 -0
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/circuit_breaker.upbdefs.c +100 -0
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/circuit_breaker.upbdefs.h +45 -0
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +596 -0
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.h +155 -0
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/filter.upbdefs.c +53 -0
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/filter.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/outlier_detection.upbdefs.c +136 -0
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/outlier_detection.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/address.upbdefs.c +127 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/address.upbdefs.h +65 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/backoff.upbdefs.c +56 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/backoff.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +313 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +150 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.c +144 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.h +55 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/event_service_config.upbdefs.c +56 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/event_service_config.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/extension.upbdefs.c +66 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/extension.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/grpc_service.upbdefs.c +263 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/grpc_service.upbdefs.h +100 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.c +236 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.h +70 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/http_uri.upbdefs.c +56 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/http_uri.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +300 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.h +100 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +43 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/resolver.upbdefs.c +59 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/resolver.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/socket_option.upbdefs.c +59 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/socket_option.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.c +72 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/udp_socket_config.upbdefs.c +52 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/udp_socket_config.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint.upbdefs.c +107 -0
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint.upbdefs.h +50 -0
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint_components.upbdefs.c +140 -0
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint_components.upbdefs.h +60 -0
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/load_report.upbdefs.c +146 -0
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/load_report.upbdefs.h +55 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/api_listener.upbdefs.c +50 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/api_listener.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +205 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +60 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.c +201 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.h +65 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +90 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c +67 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c +141 -0
- data/src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h +70 -0
- data/src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c +152 -0
- data/src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h +75 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c +115 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h +45 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +982 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +295 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.c +71 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.h +45 -0
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/http_tracer.upbdefs.c +61 -0
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/http_tracer.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c +51 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.c +102 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h +55 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c +123 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h +45 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c +79 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +567 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.h +125 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c +44 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.h +30 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.c +196 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.h +60 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/secret.upbdefs.c +97 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/secret.upbdefs.h +45 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +251 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.h +60 -0
- data/src/core/ext/upbdefs-generated/envoy/service/cluster/v3/cds.upbdefs.c +72 -0
- data/src/core/ext/upbdefs-generated/envoy/service/cluster/v3/cds.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +60 -0
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.c +142 -0
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.h +65 -0
- data/src/core/ext/upbdefs-generated/envoy/service/endpoint/v3/eds.upbdefs.c +73 -0
- data/src/core/ext/upbdefs-generated/envoy/service/endpoint/v3/eds.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/service/listener/v3/lds.upbdefs.c +72 -0
- data/src/core/ext/upbdefs-generated/envoy/service/listener/v3/lds.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +80 -0
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/envoy/service/route/v3/rds.upbdefs.c +80 -0
- data/src/core/ext/upbdefs-generated/envoy/service/route/v3/rds.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/service/route/v3/srds.upbdefs.c +74 -0
- data/src/core/ext/upbdefs-generated/envoy/service/route/v3/srds.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +163 -0
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.h +55 -0
- data/src/core/ext/upbdefs-generated/envoy/type/http/v3/path_transformation.upbdefs.c +64 -0
- data/src/core/ext/upbdefs-generated/envoy/type/http/v3/path_transformation.upbdefs.h +50 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/metadata.upbdefs.c +65 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/metadata.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/node.upbdefs.c +56 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/node.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/number.upbdefs.c +54 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/number.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/path.upbdefs.c +53 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/path.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/regex.upbdefs.c +76 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/regex.upbdefs.h +45 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/string.upbdefs.c +69 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/string.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/struct.upbdefs.c +63 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/struct.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/value.upbdefs.c +81 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/value.upbdefs.h +45 -0
- data/src/core/ext/upbdefs-generated/envoy/type/metadata/v3/metadata.upbdefs.c +92 -0
- data/src/core/ext/upbdefs-generated/envoy/type/metadata/v3/metadata.upbdefs.h +65 -0
- data/src/core/ext/upbdefs-generated/envoy/type/tracing/v3/custom_tag.upbdefs.c +95 -0
- data/src/core/ext/upbdefs-generated/envoy/type/tracing/v3/custom_tag.upbdefs.h +55 -0
- data/src/core/ext/upbdefs-generated/envoy/type/v3/http.upbdefs.c +34 -0
- data/src/core/ext/{upb-generated/gogoproto/gogo.upb.h → upbdefs-generated/envoy/type/v3/http.upbdefs.h} +10 -10
- data/src/core/ext/upbdefs-generated/envoy/type/v3/percent.upbdefs.c +59 -0
- data/src/core/ext/upbdefs-generated/envoy/type/v3/percent.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.c +54 -0
- data/src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.h +45 -0
- data/src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.c +47 -0
- data/src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.c +40 -0
- data/src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.h +30 -0
- data/src/core/ext/upbdefs-generated/google/api/http.upbdefs.c +61 -0
- data/src/core/ext/upbdefs-generated/google/api/http.upbdefs.h +45 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c +39 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.c +386 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.h +165 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/duration.upbdefs.c +40 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/duration.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/empty.upbdefs.c +37 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/empty.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/struct.upbdefs.c +65 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/struct.upbdefs.h +50 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/timestamp.upbdefs.c +40 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/timestamp.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/wrappers.upbdefs.c +66 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/wrappers.upbdefs.h +75 -0
- data/src/core/ext/upbdefs-generated/google/rpc/status.upbdefs.c +42 -0
- data/src/core/ext/upbdefs-generated/google/rpc/status.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/udpa/annotations/migrate.upbdefs.c +71 -0
- data/src/core/ext/upbdefs-generated/udpa/annotations/migrate.upbdefs.h +45 -0
- data/src/core/ext/upbdefs-generated/udpa/annotations/security.upbdefs.c +52 -0
- data/src/core/ext/upbdefs-generated/udpa/annotations/security.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/udpa/annotations/sensitive.upbdefs.c +34 -0
- data/src/core/ext/upbdefs-generated/udpa/annotations/sensitive.upbdefs.h +30 -0
- data/src/core/ext/upbdefs-generated/udpa/annotations/status.upbdefs.c +51 -0
- data/src/core/ext/upbdefs-generated/udpa/annotations/status.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/udpa/annotations/versioning.upbdefs.c +44 -0
- data/src/core/ext/upbdefs-generated/udpa/annotations/versioning.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.c +332 -0
- data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.h +145 -0
- data/src/core/ext/upbdefs-generated/xds/annotations/v3/status.upbdefs.c +75 -0
- data/src/core/ext/upbdefs-generated/xds/annotations/v3/status.upbdefs.h +50 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.c +43 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.c +63 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.c +46 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.c +50 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.c +68 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.c +51 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/type/v3/typed_struct.upbdefs.c +45 -0
- data/src/core/ext/upbdefs-generated/xds/type/v3/typed_struct.upbdefs.h +35 -0
- data/src/core/ext/xds/certificate_provider_factory.h +61 -0
- data/src/core/ext/xds/certificate_provider_registry.cc +103 -0
- data/src/core/ext/xds/certificate_provider_registry.h +57 -0
- data/src/core/ext/xds/certificate_provider_store.cc +87 -0
- data/src/core/ext/xds/certificate_provider_store.h +112 -0
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc +144 -0
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.h +69 -0
- data/src/core/ext/xds/xds_api.cc +3965 -0
- data/src/core/ext/xds/xds_api.h +744 -0
- data/src/core/ext/xds/xds_bootstrap.cc +471 -0
- data/src/core/ext/xds/xds_bootstrap.h +125 -0
- data/src/core/ext/xds/xds_certificate_provider.cc +405 -0
- data/src/core/ext/xds/xds_certificate_provider.h +151 -0
- data/src/core/ext/xds/xds_channel_args.h +32 -0
- data/src/core/ext/xds/xds_channel_stack_modifier.cc +113 -0
- data/src/core/ext/xds/xds_channel_stack_modifier.h +52 -0
- data/src/core/ext/xds/xds_client.cc +2791 -0
- data/src/core/ext/xds/xds_client.h +380 -0
- data/src/core/ext/xds/xds_client_stats.cc +160 -0
- data/src/core/ext/{filters/client_channel/xds → xds}/xds_client_stats.h +87 -46
- data/src/core/ext/xds/xds_http_fault_filter.cc +227 -0
- data/src/core/ext/xds/xds_http_fault_filter.h +64 -0
- data/src/core/ext/xds/xds_http_filters.cc +116 -0
- data/src/core/ext/xds/xds_http_filters.h +133 -0
- data/src/core/ext/xds/xds_server_config_fetcher.cc +544 -0
- data/src/core/lib/address_utils/parse_address.cc +320 -0
- data/src/core/lib/address_utils/parse_address.h +77 -0
- data/src/core/lib/{iomgr → address_utils}/sockaddr_utils.cc +159 -46
- data/src/core/lib/{iomgr → address_utils}/sockaddr_utils.h +46 -20
- data/src/core/lib/avl/avl.cc +5 -5
- data/src/core/lib/backoff/backoff.cc +1 -1
- data/src/core/lib/channel/call_tracer.h +85 -0
- data/src/core/lib/channel/channel_args.cc +50 -29
- data/src/core/lib/channel/channel_args.h +12 -2
- data/src/core/lib/channel/channel_stack.cc +27 -12
- data/src/core/lib/channel/channel_stack.h +38 -23
- data/src/core/lib/channel/channel_stack_builder.cc +6 -16
- data/src/core/lib/channel/channel_stack_builder.h +1 -9
- data/src/core/lib/channel/channel_trace.cc +11 -12
- data/src/core/lib/channel/channel_trace.h +3 -2
- data/src/core/lib/channel/channelz.cc +194 -142
- data/src/core/lib/channel/channelz.h +79 -55
- data/src/core/lib/channel/channelz_registry.cc +42 -22
- data/src/core/lib/channel/channelz_registry.h +4 -2
- data/src/core/lib/channel/connected_channel.cc +13 -12
- data/src/core/lib/channel/connected_channel.h +1 -2
- data/src/core/lib/channel/context.h +4 -1
- data/src/core/lib/channel/handshaker.cc +23 -65
- data/src/core/lib/channel/handshaker.h +12 -28
- data/src/core/lib/channel/handshaker_factory.h +10 -2
- data/src/core/lib/channel/handshaker_registry.cc +15 -82
- data/src/core/lib/channel/handshaker_registry.h +29 -12
- data/src/core/lib/channel/status_util.cc +14 -5
- data/src/core/lib/channel/status_util.h +11 -2
- data/src/core/lib/compression/algorithm_metadata.h +1 -0
- data/src/core/lib/compression/compression.cc +10 -6
- data/src/core/lib/compression/compression_args.cc +11 -7
- data/src/core/lib/compression/compression_internal.cc +14 -11
- data/src/core/lib/compression/compression_internal.h +3 -2
- data/src/core/lib/compression/message_compress.cc +7 -3
- data/src/core/lib/compression/stream_compression.cc +2 -1
- data/src/core/lib/compression/stream_compression.h +3 -2
- data/src/core/lib/compression/stream_compression_gzip.cc +2 -1
- data/src/core/lib/compression/stream_compression_gzip.h +1 -1
- data/src/core/lib/compression/stream_compression_identity.cc +3 -4
- data/src/core/lib/compression/stream_compression_identity.h +1 -1
- data/src/core/lib/config/core_configuration.cc +96 -0
- data/src/core/lib/config/core_configuration.h +146 -0
- data/src/core/lib/debug/stats.cc +22 -28
- data/src/core/lib/debug/stats.h +7 -4
- data/src/core/lib/debug/stats_data.cc +16 -14
- data/src/core/lib/debug/stats_data.h +14 -13
- data/src/core/lib/debug/trace.cc +1 -0
- data/src/core/lib/debug/trace.h +2 -1
- data/src/core/lib/event_engine/endpoint_config.cc +45 -0
- data/src/core/lib/event_engine/endpoint_config_internal.h +42 -0
- data/src/core/lib/event_engine/event_engine.cc +50 -0
- data/src/core/lib/event_engine/sockaddr.cc +40 -0
- data/src/core/lib/event_engine/sockaddr.h +44 -0
- data/src/core/lib/gpr/alloc.cc +7 -5
- data/src/core/lib/gpr/atm.cc +1 -1
- data/src/core/lib/gpr/cpu_iphone.cc +10 -2
- data/src/core/lib/gpr/cpu_posix.cc +1 -1
- data/src/core/lib/gpr/env_linux.cc +1 -2
- data/src/core/lib/gpr/env_posix.cc +2 -3
- data/src/core/lib/gpr/log.cc +61 -19
- data/src/core/lib/gpr/log_android.cc +3 -2
- data/src/core/lib/gpr/log_linux.cc +30 -13
- data/src/core/lib/gpr/log_posix.cc +25 -10
- data/src/core/lib/gpr/log_windows.cc +18 -4
- data/src/core/lib/gpr/murmur_hash.cc +5 -3
- data/src/core/lib/gpr/spinlock.h +12 -5
- data/src/core/lib/gpr/string.cc +35 -57
- data/src/core/lib/gpr/string.h +11 -26
- data/src/core/lib/gpr/sync.cc +6 -6
- data/src/core/lib/gpr/sync_abseil.cc +12 -12
- data/src/core/lib/gpr/sync_posix.cc +5 -11
- data/src/core/lib/gpr/sync_windows.cc +2 -2
- data/src/core/lib/gpr/time.cc +19 -14
- data/src/core/lib/gpr/time_posix.cc +1 -1
- data/src/core/lib/gpr/time_precise.cc +5 -2
- data/src/core/lib/gpr/time_precise.h +6 -2
- data/src/core/lib/gpr/time_windows.cc +3 -2
- data/src/core/lib/gpr/tls.h +119 -36
- data/src/core/lib/gpr/tmpfile_posix.cc +1 -2
- data/src/core/lib/gpr/useful.h +79 -31
- data/src/core/lib/gpr/wrap_memcpy.cc +2 -1
- data/src/core/lib/gprpp/arena.cc +2 -1
- data/src/core/lib/gprpp/arena.h +18 -7
- data/src/core/lib/gprpp/atomic_utils.h +47 -0
- data/src/core/lib/gprpp/bitset.h +188 -0
- data/src/core/lib/gprpp/chunked_vector.h +211 -0
- data/src/core/lib/gprpp/construct_destruct.h +39 -0
- data/src/core/lib/gprpp/dual_ref_counted.h +330 -0
- data/src/core/lib/gprpp/{optional.h → examine_stack.cc} +19 -9
- data/src/core/lib/gprpp/examine_stack.h +46 -0
- data/src/core/lib/gprpp/fork.cc +17 -15
- data/src/core/lib/gprpp/fork.h +4 -4
- data/src/core/lib/gprpp/global_config.h +1 -2
- data/src/core/lib/gprpp/global_config_env.cc +11 -9
- data/src/core/lib/gprpp/global_config_generic.h +2 -2
- data/src/core/lib/gprpp/host_port.cc +29 -35
- data/src/core/lib/gprpp/host_port.h +14 -17
- data/src/core/lib/gprpp/manual_constructor.h +10 -7
- data/src/core/lib/gprpp/match.h +73 -0
- data/src/core/lib/gprpp/memory.h +9 -3
- data/src/core/lib/gprpp/mpscq.cc +9 -9
- data/src/core/lib/gprpp/mpscq.h +6 -5
- data/src/core/lib/gprpp/orphanable.h +10 -14
- data/src/core/lib/gprpp/overload.h +59 -0
- data/src/core/lib/gprpp/ref_counted.h +123 -86
- data/src/core/lib/gprpp/ref_counted_ptr.h +173 -7
- data/src/core/lib/gprpp/stat.h +38 -0
- data/src/core/lib/gprpp/stat_posix.cc +49 -0
- data/src/core/lib/gprpp/stat_windows.cc +48 -0
- data/src/core/lib/gprpp/status_helper.cc +427 -0
- data/src/core/lib/gprpp/status_helper.h +194 -0
- data/src/core/lib/gprpp/sync.h +106 -43
- data/src/core/lib/gprpp/table.h +411 -0
- data/src/core/lib/gprpp/thd.h +3 -3
- data/src/core/lib/gprpp/thd_posix.cc +47 -42
- data/src/core/lib/gprpp/thd_windows.cc +7 -12
- data/src/core/lib/gprpp/time_util.cc +77 -0
- data/src/core/lib/gprpp/time_util.h +42 -0
- data/src/core/lib/http/format_request.cc +47 -65
- data/src/core/lib/http/format_request.h +1 -0
- data/src/core/lib/http/httpcli.cc +213 -193
- data/src/core/lib/http/httpcli.h +7 -6
- data/src/core/lib/http/httpcli_security_connector.cc +25 -24
- data/src/core/lib/http/parser.cc +65 -45
- data/src/core/lib/http/parser.h +7 -7
- data/src/core/lib/iomgr/buffer_list.cc +10 -11
- data/src/core/lib/iomgr/buffer_list.h +27 -28
- data/src/core/lib/iomgr/call_combiner.cc +46 -21
- data/src/core/lib/iomgr/call_combiner.h +15 -16
- data/src/core/lib/iomgr/cfstream_handle.cc +10 -8
- data/src/core/lib/iomgr/cfstream_handle.h +1 -1
- data/src/core/lib/iomgr/closure.h +9 -9
- data/src/core/lib/iomgr/combiner.cc +25 -36
- data/src/core/lib/iomgr/combiner.h +3 -2
- data/src/core/lib/iomgr/dualstack_socket_posix.cc +48 -0
- data/src/core/lib/iomgr/endpoint.cc +6 -6
- data/src/core/lib/iomgr/endpoint.h +10 -8
- data/src/core/lib/iomgr/endpoint_cfstream.cc +60 -48
- data/src/core/lib/iomgr/endpoint_cfstream.h +1 -1
- data/src/core/lib/iomgr/endpoint_pair.h +2 -2
- data/src/core/lib/iomgr/endpoint_pair_event_engine.cc +32 -0
- data/src/core/lib/iomgr/endpoint_pair_posix.cc +21 -17
- data/src/core/lib/iomgr/endpoint_pair_windows.cc +17 -9
- data/src/core/lib/iomgr/error.cc +285 -115
- data/src/core/lib/iomgr/error.h +280 -115
- data/src/core/lib/iomgr/error_cfstream.cc +17 -10
- data/src/core/lib/iomgr/error_cfstream.h +2 -2
- data/src/core/lib/iomgr/error_internal.h +7 -2
- data/src/core/lib/iomgr/ev_apple.cc +359 -0
- data/src/core/lib/iomgr/ev_apple.h +43 -0
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +76 -80
- data/src/core/lib/iomgr/ev_epollex_linux.cc +106 -109
- data/src/core/lib/iomgr/ev_poll_posix.cc +79 -76
- data/src/core/lib/iomgr/ev_posix.cc +15 -16
- data/src/core/lib/iomgr/ev_posix.h +9 -9
- data/src/core/lib/iomgr/event_engine/closure.cc +77 -0
- data/src/core/lib/iomgr/event_engine/closure.h +42 -0
- data/src/core/lib/iomgr/event_engine/endpoint.cc +173 -0
- data/src/core/lib/iomgr/event_engine/endpoint.h +52 -0
- data/src/core/lib/iomgr/event_engine/iomgr.cc +104 -0
- data/src/core/lib/iomgr/event_engine/iomgr.h +42 -0
- data/src/core/lib/iomgr/event_engine/pollset.cc +88 -0
- data/src/core/lib/iomgr/event_engine/pollset.h +25 -0
- data/src/core/lib/iomgr/event_engine/promise.h +51 -0
- data/src/core/lib/iomgr/event_engine/resolved_address_internal.cc +41 -0
- data/src/core/lib/iomgr/event_engine/resolved_address_internal.h +35 -0
- data/src/core/lib/iomgr/event_engine/resolver.cc +114 -0
- data/src/core/lib/iomgr/event_engine/tcp.cc +293 -0
- data/src/core/lib/iomgr/event_engine/timer.cc +62 -0
- data/src/core/lib/iomgr/exec_ctx.cc +15 -12
- data/src/core/lib/iomgr/exec_ctx.h +37 -30
- data/src/core/lib/iomgr/executor/mpmcqueue.cc +15 -16
- data/src/core/lib/iomgr/executor/mpmcqueue.h +11 -15
- data/src/core/lib/iomgr/executor/threadpool.cc +4 -5
- data/src/core/lib/iomgr/executor/threadpool.h +8 -7
- data/src/core/lib/iomgr/executor.cc +19 -33
- data/src/core/lib/iomgr/executor.h +3 -3
- data/src/core/lib/iomgr/grpc_if_nametoindex_posix.cc +2 -2
- data/src/core/lib/iomgr/grpc_if_nametoindex_unsupported.cc +2 -2
- data/src/core/lib/iomgr/internal_errqueue.cc +3 -2
- data/src/core/lib/iomgr/iocp_windows.cc +1 -0
- data/src/core/lib/iomgr/iomgr.cc +6 -4
- data/src/core/lib/iomgr/iomgr.h +3 -3
- data/src/core/lib/iomgr/iomgr_custom.cc +3 -3
- data/src/core/lib/iomgr/iomgr_custom.h +2 -2
- data/src/core/lib/iomgr/iomgr_internal.cc +8 -12
- data/src/core/lib/iomgr/iomgr_internal.h +6 -5
- data/src/core/lib/iomgr/iomgr_posix.cc +3 -2
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +115 -22
- data/src/core/lib/iomgr/iomgr_windows.cc +2 -3
- data/src/core/lib/iomgr/is_epollexclusive_available.cc +18 -4
- data/src/core/lib/iomgr/load_file.cc +6 -6
- data/src/core/lib/iomgr/load_file.h +2 -2
- data/src/core/lib/iomgr/lockfree_event.cc +38 -15
- data/src/core/lib/iomgr/lockfree_event.h +2 -2
- data/src/core/lib/iomgr/polling_entity.cc +2 -2
- data/src/core/lib/iomgr/pollset.cc +5 -5
- data/src/core/lib/iomgr/pollset.h +9 -9
- data/src/core/lib/iomgr/pollset_custom.cc +10 -11
- data/src/core/lib/iomgr/pollset_custom.h +3 -1
- data/src/core/lib/iomgr/pollset_set_custom.cc +12 -13
- data/src/core/lib/iomgr/pollset_set_windows.cc +1 -0
- data/src/core/lib/iomgr/pollset_windows.cc +5 -5
- data/src/core/lib/iomgr/port.h +9 -31
- data/src/core/lib/iomgr/python_util.h +47 -0
- data/src/core/lib/iomgr/resolve_address.cc +14 -9
- data/src/core/lib/iomgr/resolve_address.h +15 -15
- data/src/core/lib/iomgr/resolve_address_custom.cc +48 -62
- data/src/core/lib/iomgr/resolve_address_custom.h +5 -4
- data/src/core/lib/iomgr/resolve_address_posix.cc +21 -30
- data/src/core/lib/iomgr/resolve_address_windows.cc +22 -33
- data/src/core/lib/iomgr/resource_quota.cc +185 -94
- data/src/core/lib/iomgr/resource_quota.h +66 -17
- data/src/core/lib/iomgr/sockaddr.h +2 -1
- data/src/core/lib/iomgr/socket_factory_posix.cc +8 -7
- data/src/core/lib/iomgr/socket_factory_posix.h +3 -3
- data/src/core/lib/iomgr/socket_mutator.cc +20 -6
- data/src/core/lib/iomgr/socket_mutator.h +28 -5
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +128 -105
- data/src/core/lib/iomgr/socket_utils_linux.cc +4 -4
- data/src/core/lib/iomgr/socket_utils_posix.cc +2 -2
- data/src/core/lib/iomgr/socket_utils_posix.h +25 -22
- data/src/core/lib/iomgr/socket_utils_windows.cc +2 -2
- data/src/core/lib/iomgr/socket_windows.cc +4 -5
- data/src/core/lib/iomgr/tcp_client.cc +5 -3
- data/src/core/lib/iomgr/tcp_client.h +4 -0
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +31 -43
- data/src/core/lib/iomgr/tcp_client_custom.cc +23 -34
- data/src/core/lib/iomgr/tcp_client_posix.cc +72 -69
- data/src/core/lib/iomgr/tcp_client_posix.h +8 -6
- data/src/core/lib/iomgr/tcp_client_windows.cc +31 -23
- data/src/core/lib/iomgr/tcp_custom.cc +77 -71
- data/src/core/lib/iomgr/tcp_custom.h +16 -14
- data/src/core/lib/iomgr/tcp_posix.cc +149 -156
- data/src/core/lib/iomgr/tcp_posix.h +19 -12
- data/src/core/lib/iomgr/tcp_server.cc +12 -11
- data/src/core/lib/iomgr/tcp_server.h +23 -17
- data/src/core/lib/iomgr/tcp_server_custom.cc +72 -94
- data/src/core/lib/iomgr/tcp_server_posix.cc +84 -76
- data/src/core/lib/iomgr/tcp_server_utils_posix.h +19 -16
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +29 -28
- data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +19 -28
- data/src/core/lib/iomgr/tcp_server_utils_posix_noifaddrs.cc +4 -4
- data/src/core/lib/iomgr/tcp_server_windows.cc +46 -42
- data/src/core/lib/iomgr/tcp_windows.cc +44 -47
- data/src/core/lib/iomgr/tcp_windows.h +4 -3
- data/src/core/lib/iomgr/time_averaged_stats.h +2 -3
- data/src/core/lib/iomgr/timer.cc +1 -0
- data/src/core/lib/iomgr/timer.h +7 -3
- data/src/core/lib/iomgr/timer_custom.cc +9 -8
- data/src/core/lib/iomgr/timer_custom.h +1 -1
- data/src/core/lib/iomgr/timer_generic.cc +46 -76
- data/src/core/lib/{gprpp/inlined_vector.h → iomgr/timer_generic.h} +17 -14
- data/src/core/lib/iomgr/timer_heap.cc +2 -3
- data/src/core/lib/iomgr/timer_heap.h +2 -3
- data/src/core/lib/iomgr/timer_manager.cc +4 -4
- data/src/core/lib/iomgr/unix_sockets_posix.cc +37 -33
- data/src/core/lib/iomgr/unix_sockets_posix.h +9 -3
- data/src/core/lib/iomgr/unix_sockets_posix_noop.cc +20 -7
- data/src/core/lib/iomgr/wakeup_fd_eventfd.cc +3 -3
- data/src/core/lib/iomgr/wakeup_fd_nospecial.cc +2 -1
- data/src/core/lib/iomgr/wakeup_fd_pipe.cc +8 -9
- data/src/core/lib/iomgr/wakeup_fd_posix.cc +4 -3
- data/src/core/lib/iomgr/wakeup_fd_posix.h +8 -6
- data/src/core/lib/iomgr/work_serializer.cc +4 -4
- data/src/core/lib/iomgr/work_serializer.h +18 -2
- data/src/core/lib/json/json.h +15 -4
- data/src/core/lib/json/json_reader.cc +31 -37
- data/src/core/lib/json/json_util.cc +126 -0
- data/src/core/lib/json/json_util.h +154 -0
- data/src/core/lib/json/json_writer.cc +14 -15
- data/src/core/lib/matchers/matchers.cc +327 -0
- data/src/core/lib/matchers/matchers.h +160 -0
- data/src/core/lib/profiling/basic_timers.cc +8 -6
- data/src/core/lib/profiling/stap_timers.cc +2 -2
- data/src/core/lib/security/authorization/authorization_engine.h +44 -0
- data/src/core/lib/security/authorization/authorization_policy_provider.h +33 -0
- data/src/core/lib/security/authorization/authorization_policy_provider_vtable.cc +46 -0
- data/src/core/lib/security/authorization/evaluate_args.cc +213 -0
- data/src/core/lib/security/authorization/evaluate_args.h +91 -0
- data/src/core/lib/security/authorization/sdk_server_authz_filter.cc +171 -0
- data/src/core/lib/security/authorization/sdk_server_authz_filter.h +67 -0
- data/src/core/lib/security/context/security_context.cc +15 -11
- data/src/core/lib/security/context/security_context.h +3 -1
- data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -1
- data/src/core/lib/security/credentials/alts/alts_credentials.h +1 -1
- data/src/core/lib/security/credentials/alts/check_gcp_environment.cc +1 -1
- data/src/core/lib/security/credentials/alts/check_gcp_environment_linux.cc +2 -2
- data/src/core/lib/security/credentials/alts/check_gcp_environment_no_op.cc +2 -2
- data/src/core/lib/security/credentials/alts/check_gcp_environment_windows.cc +2 -2
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +21 -8
- data/src/core/lib/security/credentials/composite/composite_credentials.h +8 -5
- data/src/core/lib/security/credentials/credentials.cc +17 -99
- data/src/core/lib/security/credentials/credentials.h +27 -70
- data/src/core/lib/security/credentials/credentials_metadata.cc +2 -3
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +404 -0
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +81 -0
- data/src/core/lib/security/credentials/external/aws_request_signer.cc +214 -0
- data/src/core/lib/security/credentials/external/aws_request_signer.h +72 -0
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +527 -0
- data/src/core/lib/security/credentials/external/external_account_credentials.h +122 -0
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +136 -0
- data/src/core/lib/security/credentials/external/file_external_account_credentials.h +49 -0
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +211 -0
- data/src/core/lib/security/credentials/external/url_external_account_credentials.h +60 -0
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +5 -4
- data/src/core/lib/security/credentials/fake/fake_credentials.h +6 -2
- data/src/core/lib/security/credentials/google_default/credentials_generic.cc +8 -7
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +154 -77
- data/src/core/lib/security/credentials/iam/iam_credentials.cc +10 -7
- data/src/core/lib/security/credentials/iam/iam_credentials.h +6 -2
- data/src/core/lib/security/credentials/insecure/insecure_credentials.cc +64 -0
- data/src/core/lib/security/credentials/jwt/json_token.cc +7 -7
- data/src/core/lib/security/credentials/jwt/json_token.h +3 -5
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +39 -19
- data/src/core/lib/security/credentials/jwt/jwt_credentials.h +24 -3
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +25 -35
- data/src/core/lib/security/credentials/jwt/jwt_verifier.h +5 -6
- data/src/core/lib/security/credentials/local/local_credentials.cc +2 -1
- data/src/core/lib/security/credentials/local/local_credentials.h +1 -1
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +128 -118
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +20 -12
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +25 -14
- data/src/core/lib/security/credentials/plugin/plugin_credentials.h +4 -2
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +31 -10
- data/src/core/lib/security/credentials/ssl/ssl_credentials.h +12 -3
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc +348 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h +217 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +455 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +147 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc +82 -140
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +74 -167
- data/src/core/lib/security/credentials/tls/tls_credentials.cc +18 -13
- data/src/core/lib/security/credentials/tls/tls_credentials.h +3 -3
- data/src/core/lib/security/credentials/tls/tls_utils.cc +123 -0
- data/src/core/lib/security/credentials/tls/tls_utils.h +51 -0
- data/src/core/lib/security/credentials/xds/xds_credentials.cc +244 -0
- data/src/core/lib/security/credentials/xds/xds_credentials.h +69 -0
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +35 -10
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +40 -37
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +121 -0
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.h +97 -0
- data/src/core/lib/security/security_connector/load_system_roots.h +4 -0
- data/src/core/lib/security/security_connector/load_system_roots_fallback.cc +1 -0
- data/src/core/lib/security/security_connector/load_system_roots_linux.cc +7 -6
- data/src/core/lib/security/security_connector/load_system_roots_linux.h +2 -0
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +26 -13
- data/src/core/lib/security/security_connector/security_connector.cc +15 -7
- data/src/core/lib/security/security_connector/security_connector.h +16 -9
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +55 -46
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.h +9 -7
- data/src/core/lib/security/security_connector/ssl_utils.cc +126 -31
- data/src/core/lib/security/security_connector/ssl_utils.h +40 -34
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +393 -303
- data/src/core/lib/security/security_connector/tls/tls_security_connector.h +144 -62
- data/src/core/lib/security/transport/auth_filters.h +1 -5
- data/src/core/lib/security/transport/client_auth_filter.cc +34 -28
- data/src/core/lib/security/transport/secure_endpoint.cc +16 -20
- data/src/core/lib/security/transport/secure_endpoint.h +1 -0
- data/src/core/lib/security/transport/security_handshaker.cc +159 -91
- data/src/core/lib/security/transport/security_handshaker.h +2 -1
- data/src/core/lib/security/transport/server_auth_filter.cc +22 -17
- data/src/core/lib/security/transport/tsi_error.cc +5 -6
- data/src/core/lib/security/transport/tsi_error.h +2 -1
- data/src/core/lib/security/util/json_util.cc +10 -13
- data/src/core/lib/security/util/json_util.h +2 -1
- data/src/core/lib/slice/percent_encoding.cc +73 -30
- data/src/core/lib/slice/percent_encoding.h +29 -28
- data/src/core/lib/slice/slice.cc +59 -26
- data/src/core/lib/{gpr/tls_pthread.cc → slice/slice_api.cc} +15 -6
- data/src/core/lib/slice/slice_buffer.cc +8 -8
- data/src/core/lib/slice/slice_intern.cc +23 -32
- data/src/core/lib/slice/slice_internal.h +19 -246
- data/src/core/lib/slice/slice_refcount.cc +17 -0
- data/src/core/lib/slice/slice_refcount.h +121 -0
- data/src/core/lib/slice/slice_refcount_base.h +173 -0
- data/src/core/lib/slice/slice_split.cc +100 -0
- data/src/core/lib/slice/slice_split.h +40 -0
- data/src/core/lib/slice/slice_string_helpers.cc +0 -83
- data/src/core/lib/slice/slice_string_helpers.h +0 -11
- data/src/core/lib/slice/slice_utils.h +9 -0
- data/src/core/lib/slice/static_slice.cc +529 -0
- data/src/core/lib/slice/static_slice.h +331 -0
- data/src/core/lib/surface/api_trace.cc +2 -1
- data/src/core/lib/surface/api_trace.h +1 -0
- data/src/core/lib/surface/builtins.cc +49 -0
- data/src/core/lib/surface/builtins.h +26 -0
- data/src/core/lib/surface/byte_buffer_reader.cc +3 -48
- data/src/core/lib/surface/call.cc +252 -241
- data/src/core/lib/surface/call.h +12 -6
- data/src/core/lib/surface/call_details.cc +10 -10
- data/src/core/lib/surface/call_log_batch.cc +52 -60
- data/src/core/lib/surface/channel.cc +99 -85
- data/src/core/lib/surface/channel.h +60 -9
- data/src/core/lib/surface/channel_init.cc +23 -76
- data/src/core/lib/surface/channel_init.h +52 -44
- data/src/core/lib/surface/channel_ping.cc +4 -6
- data/src/core/lib/surface/channel_stack_type.cc +2 -1
- data/src/core/lib/surface/completion_queue.cc +179 -188
- data/src/core/lib/surface/completion_queue.h +18 -17
- data/src/core/lib/surface/completion_queue_factory.cc +3 -3
- data/src/core/lib/surface/completion_queue_factory.h +1 -0
- data/src/core/lib/surface/event_string.cc +19 -25
- data/src/core/lib/surface/event_string.h +3 -1
- data/src/core/lib/surface/init.cc +44 -74
- data/src/core/lib/surface/init.h +10 -2
- data/src/core/lib/surface/init_secure.cc +36 -17
- data/src/core/lib/surface/lame_client.cc +62 -61
- data/src/core/lib/surface/lame_client.h +5 -0
- data/src/core/lib/surface/metadata_array.cc +2 -2
- data/src/core/lib/surface/server.cc +1314 -1305
- data/src/core/lib/surface/server.h +475 -45
- data/src/core/lib/surface/validate_metadata.cc +55 -24
- data/src/core/lib/surface/validate_metadata.h +6 -2
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/bdp_estimator.cc +2 -2
- data/src/core/lib/transport/bdp_estimator.h +2 -1
- data/src/core/lib/transport/byte_stream.cc +5 -5
- data/src/core/lib/transport/byte_stream.h +19 -13
- data/src/core/lib/transport/connectivity_state.cc +32 -23
- data/src/core/lib/transport/connectivity_state.h +33 -17
- data/src/core/lib/transport/error_utils.cc +71 -21
- data/src/core/lib/transport/error_utils.h +16 -4
- data/src/core/lib/transport/metadata.cc +60 -25
- data/src/core/lib/transport/metadata.h +17 -14
- data/src/core/lib/transport/metadata_batch.cc +41 -339
- data/src/core/lib/transport/metadata_batch.h +932 -69
- data/src/core/lib/transport/parsed_metadata.h +263 -0
- data/src/core/lib/transport/pid_controller.cc +4 -4
- data/src/core/lib/transport/static_metadata.cc +718 -831
- data/src/core/lib/transport/static_metadata.h +115 -372
- data/src/core/lib/transport/status_conversion.cc +6 -14
- data/src/core/lib/transport/status_metadata.cc +5 -3
- data/src/core/lib/transport/timeout_encoding.cc +4 -4
- data/src/core/lib/transport/transport.cc +15 -14
- data/src/core/lib/transport/transport.h +29 -13
- data/src/core/lib/transport/transport_op_string.cc +91 -112
- data/src/core/lib/uri/uri_parser.cc +135 -258
- data/src/core/lib/uri/uri_parser.h +60 -23
- data/src/core/plugin_registry/grpc_plugin_registry.cc +136 -44
- data/src/core/tsi/alts/crypt/aes_gcm.cc +6 -5
- data/src/core/tsi/alts/crypt/gsec.cc +5 -4
- data/src/core/tsi/alts/crypt/gsec.h +5 -0
- data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +13 -12
- data/src/core/tsi/alts/frame_protector/frame_handler.cc +18 -17
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +56 -45
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +10 -7
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +116 -55
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.h +9 -1
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker_private.h +2 -1
- data/src/core/tsi/alts/handshaker/transport_security_common_api.cc +3 -3
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_integrity_only_record_protocol.cc +2 -2
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.cc +1 -1
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.h +2 -3
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_iovec_record_protocol.cc +8 -6
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +6 -6
- data/src/core/tsi/fake_transport_security.cc +41 -26
- data/src/core/tsi/local_transport_security.cc +41 -74
- data/src/core/tsi/local_transport_security.h +6 -7
- data/src/core/tsi/ssl/session_cache/ssl_session.h +0 -2
- data/src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc +1 -1
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +20 -55
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +7 -7
- data/src/core/tsi/ssl/session_cache/ssl_session_openssl.cc +2 -2
- data/src/core/tsi/ssl_transport_security.cc +262 -113
- data/src/core/tsi/ssl_transport_security.h +32 -19
- data/src/core/tsi/ssl_types.h +0 -2
- data/src/core/tsi/transport_security.cc +25 -11
- data/src/core/tsi/transport_security.h +22 -10
- data/src/core/tsi/transport_security_grpc.h +3 -3
- data/src/core/tsi/transport_security_interface.h +35 -4
- data/src/ruby/bin/math_services_pb.rb +5 -5
- data/src/ruby/ext/grpc/extconf.rb +25 -9
- data/src/ruby/ext/grpc/rb_byte_buffer.c +2 -1
- data/src/ruby/ext/grpc/rb_call.c +17 -8
- data/src/ruby/ext/grpc/rb_call.h +4 -0
- data/src/ruby/ext/grpc/rb_call_credentials.c +62 -17
- data/src/ruby/ext/grpc/rb_channel.c +19 -8
- data/src/ruby/ext/grpc/rb_channel_args.c +2 -2
- data/src/ruby/ext/grpc/rb_channel_credentials.c +24 -5
- data/src/ruby/ext/grpc/rb_channel_credentials.h +5 -0
- data/src/ruby/ext/grpc/rb_completion_queue.c +3 -2
- data/src/ruby/ext/grpc/rb_compression_options.c +6 -5
- data/src/ruby/ext/grpc/rb_enable_cpp.cc +1 -1
- data/src/ruby/ext/grpc/rb_event_thread.c +4 -2
- data/src/ruby/ext/grpc/rb_grpc.c +9 -4
- data/src/ruby/ext/grpc/rb_grpc.h +1 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +54 -18
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +99 -45
- data/src/ruby/ext/grpc/rb_server.c +19 -6
- data/src/ruby/ext/grpc/rb_server_credentials.c +22 -6
- data/src/ruby/ext/grpc/rb_server_credentials.h +5 -0
- data/src/ruby/ext/grpc/rb_xds_channel_credentials.c +218 -0
- data/src/ruby/ext/grpc/rb_xds_channel_credentials.h +37 -0
- data/src/ruby/ext/grpc/rb_xds_server_credentials.c +170 -0
- data/src/ruby/ext/grpc/rb_xds_server_credentials.h +37 -0
- data/src/ruby/lib/grpc/errors.rb +103 -42
- data/src/ruby/lib/grpc/generic/active_call.rb +2 -3
- data/src/ruby/lib/grpc/generic/client_stub.rb +5 -3
- data/src/ruby/lib/grpc/generic/interceptors.rb +5 -5
- data/src/ruby/lib/grpc/generic/rpc_server.rb +9 -10
- data/src/ruby/lib/grpc/generic/service.rb +5 -4
- data/src/ruby/lib/grpc/structs.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/generate_proto_ruby.sh +5 -3
- data/src/ruby/pb/grpc/health/v1/health_services_pb.rb +3 -3
- data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +51 -0
- data/src/ruby/pb/src/proto/grpc/testing/test_pb.rb +2 -2
- data/src/ruby/pb/src/proto/grpc/testing/test_services_pb.rb +64 -14
- data/src/ruby/spec/call_spec.rb +1 -1
- data/src/ruby/spec/channel_credentials_spec.rb +42 -0
- data/src/ruby/spec/channel_spec.rb +17 -6
- data/src/ruby/spec/client_auth_spec.rb +27 -1
- data/src/ruby/spec/client_server_spec.rb +1 -1
- data/src/ruby/spec/debug_message_spec.rb +134 -0
- data/src/ruby/spec/errors_spec.rb +1 -1
- data/src/ruby/spec/generic/active_call_spec.rb +21 -10
- data/src/ruby/spec/generic/client_stub_spec.rb +4 -4
- data/src/ruby/spec/generic/rpc_server_spec.rb +1 -1
- data/src/ruby/spec/generic/service_spec.rb +2 -0
- data/src/ruby/spec/pb/codegen/grpc/testing/package_options_import2.proto +23 -0
- data/src/ruby/spec/pb/codegen/grpc/testing/package_options_ruby_style.proto +7 -0
- data/src/ruby/spec/pb/codegen/grpc/testing/same_package_service_name.proto +27 -0
- data/src/ruby/spec/pb/codegen/grpc/testing/same_ruby_package_service_name.proto +29 -0
- data/src/ruby/spec/pb/codegen/package_option_spec.rb +29 -7
- data/src/ruby/spec/server_credentials_spec.rb +25 -0
- data/src/ruby/spec/server_spec.rb +22 -0
- data/src/ruby/spec/support/services.rb +10 -4
- data/src/ruby/spec/testdata/ca.pem +18 -13
- data/src/ruby/spec/testdata/client.key +26 -14
- data/src/ruby/spec/testdata/client.pem +18 -12
- data/src/ruby/spec/testdata/server1.key +26 -14
- data/src/ruby/spec/testdata/server1.pem +20 -14
- data/src/ruby/spec/user_agent_spec.rb +74 -0
- data/third_party/abseil-cpp/absl/algorithm/container.h +1764 -0
- data/third_party/abseil-cpp/absl/base/attributes.h +122 -41
- data/third_party/abseil-cpp/absl/base/call_once.h +3 -10
- data/third_party/abseil-cpp/absl/base/casts.h +9 -6
- data/third_party/abseil-cpp/absl/base/config.h +97 -26
- data/third_party/abseil-cpp/absl/base/dynamic_annotations.h +442 -335
- data/third_party/abseil-cpp/absl/base/internal/direct_mmap.h +169 -0
- data/third_party/abseil-cpp/absl/base/internal/dynamic_annotations.h +398 -0
- data/third_party/abseil-cpp/absl/base/internal/endian.h +61 -0
- data/third_party/abseil-cpp/absl/base/internal/exponential_biased.cc +93 -0
- data/third_party/abseil-cpp/absl/base/internal/exponential_biased.h +130 -0
- data/third_party/abseil-cpp/absl/base/internal/invoke.h +4 -4
- data/third_party/abseil-cpp/absl/base/internal/low_level_alloc.cc +620 -0
- data/third_party/abseil-cpp/absl/base/internal/low_level_alloc.h +126 -0
- data/third_party/abseil-cpp/absl/base/internal/low_level_scheduling.h +31 -4
- data/third_party/abseil-cpp/absl/base/internal/raw_logging.cc +35 -33
- data/third_party/abseil-cpp/absl/base/internal/raw_logging.h +17 -5
- data/third_party/abseil-cpp/absl/base/internal/spinlock.cc +36 -40
- data/third_party/abseil-cpp/absl/base/internal/spinlock.h +33 -30
- data/third_party/abseil-cpp/absl/base/internal/spinlock_akaros.inc +2 -2
- data/third_party/abseil-cpp/absl/base/internal/spinlock_linux.inc +11 -3
- data/third_party/abseil-cpp/absl/base/internal/spinlock_posix.inc +2 -2
- data/third_party/abseil-cpp/absl/base/internal/spinlock_wait.h +11 -11
- data/third_party/abseil-cpp/absl/base/internal/spinlock_win32.inc +5 -5
- data/third_party/abseil-cpp/absl/base/internal/sysinfo.cc +28 -5
- data/third_party/abseil-cpp/absl/base/internal/sysinfo.h +8 -0
- data/third_party/abseil-cpp/absl/base/internal/thread_identity.cc +9 -6
- data/third_party/abseil-cpp/absl/base/internal/thread_identity.h +54 -48
- data/third_party/abseil-cpp/absl/base/internal/throw_delegate.cc +111 -7
- data/third_party/abseil-cpp/absl/base/internal/tsan_mutex_interface.h +3 -1
- data/third_party/abseil-cpp/absl/base/internal/unaligned_access.h +0 -76
- data/third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc +1 -3
- data/third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.h +3 -3
- data/third_party/abseil-cpp/absl/base/log_severity.h +4 -4
- data/third_party/abseil-cpp/absl/base/macros.h +47 -109
- data/third_party/abseil-cpp/absl/base/optimization.h +69 -6
- data/third_party/abseil-cpp/absl/base/options.h +31 -4
- data/third_party/abseil-cpp/absl/base/policy_checks.h +1 -1
- data/third_party/abseil-cpp/absl/base/port.h +0 -1
- data/third_party/abseil-cpp/absl/base/thread_annotations.h +95 -40
- data/third_party/abseil-cpp/absl/container/fixed_array.h +532 -0
- data/third_party/abseil-cpp/absl/container/flat_hash_map.h +606 -0
- data/third_party/abseil-cpp/absl/container/inlined_vector.h +38 -39
- data/third_party/abseil-cpp/absl/container/internal/common.h +206 -0
- data/third_party/abseil-cpp/absl/container/internal/compressed_tuple.h +34 -9
- data/third_party/abseil-cpp/absl/container/internal/container_memory.h +460 -0
- data/third_party/abseil-cpp/absl/container/internal/hash_function_defaults.h +161 -0
- data/third_party/abseil-cpp/absl/container/internal/hash_policy_traits.h +208 -0
- data/third_party/abseil-cpp/absl/container/internal/hashtable_debug_hooks.h +85 -0
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc +274 -0
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.h +322 -0
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc +31 -0
- data/third_party/abseil-cpp/absl/container/internal/have_sse.h +50 -0
- data/third_party/abseil-cpp/absl/container/internal/inlined_vector.h +141 -66
- data/third_party/abseil-cpp/absl/container/internal/layout.h +743 -0
- data/third_party/abseil-cpp/absl/container/internal/raw_hash_map.h +197 -0
- data/third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc +61 -0
- data/third_party/abseil-cpp/absl/container/internal/raw_hash_set.h +1903 -0
- data/third_party/abseil-cpp/absl/debugging/internal/address_is_readable.cc +139 -0
- data/third_party/abseil-cpp/absl/debugging/internal/address_is_readable.h +32 -0
- data/third_party/abseil-cpp/absl/debugging/internal/demangle.cc +1949 -0
- data/third_party/abseil-cpp/absl/debugging/internal/demangle.h +71 -0
- data/third_party/abseil-cpp/absl/debugging/internal/elf_mem_image.cc +382 -0
- data/third_party/abseil-cpp/absl/debugging/internal/elf_mem_image.h +134 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_aarch64-inl.inc +199 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_arm-inl.inc +134 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_config.h +80 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_generic-inl.inc +108 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_powerpc-inl.inc +253 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_unimplemented-inl.inc +24 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_win32-inl.inc +93 -0
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_x86-inl.inc +346 -0
- data/third_party/abseil-cpp/absl/debugging/internal/symbolize.h +147 -0
- data/third_party/abseil-cpp/absl/debugging/internal/vdso_support.cc +173 -0
- data/third_party/abseil-cpp/absl/debugging/internal/vdso_support.h +158 -0
- data/third_party/abseil-cpp/absl/debugging/stacktrace.cc +140 -0
- data/third_party/abseil-cpp/absl/debugging/stacktrace.h +231 -0
- data/third_party/abseil-cpp/absl/debugging/symbolize.cc +36 -0
- data/third_party/abseil-cpp/absl/debugging/symbolize.h +99 -0
- data/third_party/abseil-cpp/absl/debugging/symbolize_darwin.inc +101 -0
- data/third_party/abseil-cpp/absl/debugging/symbolize_elf.inc +1560 -0
- data/third_party/abseil-cpp/absl/debugging/symbolize_unimplemented.inc +40 -0
- data/third_party/abseil-cpp/absl/debugging/symbolize_win32.inc +81 -0
- data/third_party/abseil-cpp/absl/functional/bind_front.h +184 -0
- data/third_party/abseil-cpp/absl/functional/function_ref.h +139 -0
- data/third_party/abseil-cpp/absl/functional/internal/front_binder.h +95 -0
- data/third_party/abseil-cpp/absl/functional/internal/function_ref.h +106 -0
- data/third_party/abseil-cpp/absl/hash/hash.h +325 -0
- data/third_party/abseil-cpp/absl/hash/internal/city.cc +349 -0
- data/third_party/abseil-cpp/absl/hash/internal/city.h +78 -0
- data/third_party/abseil-cpp/absl/hash/internal/hash.cc +70 -0
- data/third_party/abseil-cpp/absl/hash/internal/hash.h +1045 -0
- data/third_party/abseil-cpp/absl/hash/internal/wyhash.cc +111 -0
- data/third_party/abseil-cpp/absl/hash/internal/wyhash.h +48 -0
- data/third_party/abseil-cpp/absl/memory/memory.h +4 -0
- data/third_party/abseil-cpp/absl/meta/type_traits.h +18 -10
- data/third_party/abseil-cpp/absl/numeric/bits.h +177 -0
- data/third_party/abseil-cpp/absl/numeric/int128.cc +13 -27
- data/third_party/abseil-cpp/absl/numeric/int128.h +16 -15
- data/third_party/abseil-cpp/absl/numeric/internal/bits.h +358 -0
- data/third_party/abseil-cpp/absl/numeric/internal/representation.h +55 -0
- data/third_party/abseil-cpp/absl/status/internal/status_internal.h +69 -0
- data/third_party/abseil-cpp/absl/status/internal/statusor_internal.h +396 -0
- data/third_party/abseil-cpp/absl/status/status.cc +452 -0
- data/third_party/abseil-cpp/absl/status/status.h +878 -0
- data/third_party/abseil-cpp/absl/status/status_payload_printer.cc +38 -0
- data/third_party/abseil-cpp/absl/status/status_payload_printer.h +51 -0
- data/third_party/abseil-cpp/absl/status/statusor.cc +71 -0
- data/third_party/abseil-cpp/absl/status/statusor.h +760 -0
- data/third_party/abseil-cpp/absl/strings/charconv.cc +7 -7
- data/third_party/abseil-cpp/absl/strings/cord.cc +1953 -0
- data/third_party/abseil-cpp/absl/strings/cord.h +1394 -0
- data/third_party/abseil-cpp/absl/strings/escaping.cc +13 -13
- data/third_party/abseil-cpp/absl/strings/internal/char_map.h +1 -1
- data/third_party/abseil-cpp/absl/strings/internal/charconv_bigint.cc +1 -1
- data/third_party/abseil-cpp/absl/strings/internal/charconv_bigint.h +2 -2
- data/third_party/abseil-cpp/absl/strings/internal/charconv_parse.cc +8 -8
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.cc +83 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +543 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_flat.h +146 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring.cc +897 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring.h +589 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring_reader.h +114 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.cc +236 -136
- data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.h +150 -64
- data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.cc +16 -2
- data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.h +29 -21
- data/third_party/abseil-cpp/absl/strings/internal/str_format/checker.h +21 -14
- data/third_party/abseil-cpp/absl/strings/internal/str_format/extension.cc +31 -7
- data/third_party/abseil-cpp/absl/strings/internal/str_format/extension.h +147 -135
- data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.cc +1017 -87
- data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.h +17 -3
- data/third_party/abseil-cpp/absl/strings/internal/str_format/output.h +4 -12
- data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.cc +22 -6
- data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.h +27 -11
- data/third_party/abseil-cpp/absl/strings/internal/str_split_internal.h +15 -40
- data/third_party/abseil-cpp/absl/strings/internal/string_constant.h +64 -0
- data/third_party/abseil-cpp/absl/strings/match.cc +6 -3
- data/third_party/abseil-cpp/absl/strings/match.h +16 -6
- data/third_party/abseil-cpp/absl/strings/numbers.cc +132 -4
- data/third_party/abseil-cpp/absl/strings/numbers.h +10 -10
- data/third_party/abseil-cpp/absl/strings/str_cat.cc +4 -4
- data/third_party/abseil-cpp/absl/strings/str_cat.h +1 -1
- data/third_party/abseil-cpp/absl/strings/str_format.h +289 -13
- data/third_party/abseil-cpp/absl/strings/str_join.h +1 -1
- data/third_party/abseil-cpp/absl/strings/str_split.cc +2 -2
- data/third_party/abseil-cpp/absl/strings/str_split.h +39 -4
- data/third_party/abseil-cpp/absl/strings/string_view.h +26 -19
- data/third_party/abseil-cpp/absl/strings/substitute.cc +5 -5
- data/third_party/abseil-cpp/absl/strings/substitute.h +32 -29
- data/third_party/abseil-cpp/absl/synchronization/barrier.cc +52 -0
- data/third_party/abseil-cpp/absl/synchronization/barrier.h +79 -0
- data/third_party/abseil-cpp/absl/synchronization/blocking_counter.cc +57 -0
- data/third_party/abseil-cpp/absl/synchronization/blocking_counter.h +99 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/create_thread_identity.cc +140 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/create_thread_identity.h +60 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/futex.h +154 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/graphcycles.cc +698 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/graphcycles.h +141 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/kernel_timeout.h +156 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.cc +106 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.h +115 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/waiter.cc +428 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/waiter.h +155 -0
- data/third_party/abseil-cpp/absl/synchronization/mutex.cc +2751 -0
- data/third_party/abseil-cpp/absl/synchronization/mutex.h +1082 -0
- data/third_party/abseil-cpp/absl/synchronization/notification.cc +78 -0
- data/third_party/abseil-cpp/absl/synchronization/notification.h +123 -0
- data/third_party/abseil-cpp/absl/time/civil_time.cc +175 -0
- data/third_party/abseil-cpp/absl/time/civil_time.h +538 -0
- data/third_party/abseil-cpp/absl/time/clock.cc +585 -0
- data/third_party/abseil-cpp/absl/time/clock.h +74 -0
- data/third_party/abseil-cpp/absl/time/duration.cc +954 -0
- data/third_party/abseil-cpp/absl/time/format.cc +160 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time.h +332 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time_detail.h +628 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/time_zone.h +386 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/zone_info_source.h +102 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/civil_time_detail.cc +94 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_fixed.cc +140 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_fixed.h +52 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_format.cc +1029 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_if.cc +45 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_if.h +76 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_impl.cc +113 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_impl.h +93 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_info.cc +965 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_info.h +137 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.cc +315 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.h +55 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_lookup.cc +187 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_posix.cc +159 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_posix.h +132 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/tzfile.h +122 -0
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/zone_info_source.cc +116 -0
- data/third_party/abseil-cpp/absl/time/internal/get_current_time_chrono.inc +31 -0
- data/third_party/abseil-cpp/absl/time/internal/get_current_time_posix.inc +24 -0
- data/third_party/abseil-cpp/absl/time/time.cc +500 -0
- data/third_party/abseil-cpp/absl/time/time.h +1585 -0
- data/third_party/abseil-cpp/absl/types/bad_variant_access.cc +64 -0
- data/third_party/abseil-cpp/absl/types/bad_variant_access.h +82 -0
- data/third_party/abseil-cpp/absl/types/internal/variant.h +1646 -0
- data/third_party/abseil-cpp/absl/types/optional.h +9 -9
- data/third_party/abseil-cpp/absl/types/span.h +49 -36
- data/third_party/abseil-cpp/absl/types/variant.h +866 -0
- data/third_party/abseil-cpp/absl/utility/utility.h +2 -2
- data/third_party/address_sorting/address_sorting_posix.c +1 -0
- data/third_party/address_sorting/include/address_sorting/address_sorting.h +2 -0
- data/third_party/boringssl-with-bazel/err_data.c +789 -707
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +57 -52
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +22 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +6 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +16 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +29 -27
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +19 -29
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/a_strex.c +269 -272
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +106 -153
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +23 -11
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +3 -42
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +16 -22
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/charmap.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_enum.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +196 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +35 -86
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +326 -281
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +15 -26
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +20 -75
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -17
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +156 -0
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/bn_asn1.c +3 -10
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +8 -9
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +9 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +68 -45
- data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +38 -47
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +49 -65
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +6 -81
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +1 -88
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +101 -3
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +120 -273
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +14 -3
- data/third_party/boringssl-with-bazel/src/crypto/cpu-aarch64-win.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu-arm-linux.c +18 -7
- data/third_party/boringssl-with-bazel/src/crypto/cpu-arm.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/cpu-intel.c +13 -4
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +11 -0
- data/third_party/boringssl-with-bazel/src/{third_party/fiat → crypto/curve25519}/curve25519.c +19 -27
- data/third_party/boringssl-with-bazel/src/{third_party/fiat → crypto/curve25519}/curve25519_tables.h +13 -21
- data/third_party/boringssl-with-bazel/src/{third_party/fiat → crypto/curve25519}/internal.h +15 -23
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/dh_asn1.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/params.c +179 -0
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +31 -3
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +19 -43
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +55 -4
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/is_fips.c → dsa/internal.h} +16 -11
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +2 -17
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +385 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +56 -0
- data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/err/err.c +120 -112
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +13 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +159 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +6 -2
- data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +32 -34
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +17 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +6 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +13 -20
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +28 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +40 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +30 -154
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +5 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +32 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +208 -37
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/des/des.c +10 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/des/internal.h +1 -3
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/check.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/dh.c +149 -211
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +11 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digests.c +24 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/md32_common.h +87 -160
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +305 -117
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +22 -29
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +96 -55
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/felem.c +25 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +434 -165
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +63 -71
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +18 -25
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64-table.h +9481 -9485
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64.c +104 -122
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +740 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256_table.h +297 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +90 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +125 -148
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +189 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/util.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +61 -18
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +117 -91
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +39 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +56 -72
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md5/md5.c +56 -73
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +33 -22
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +17 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +1 -22
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +137 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +49 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +64 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +62 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +150 -56
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +49 -129
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +116 -66
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +135 -63
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +79 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +231 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +93 -107
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +91 -113
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +86 -113
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +618 -0
- data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +219 -121
- data/third_party/boringssl-with-bazel/src/crypto/hrss/internal.h +9 -2
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +125 -0
- data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +253 -0
- data/third_party/boringssl-with-bazel/src/crypto/lhash/lhash.c +28 -23
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +75 -25
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +10 -6
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +15 -1
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +0 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +0 -8
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/internal.h +16 -7
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7.c +9 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +156 -15
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/internal.h +7 -0
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +131 -53
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +13 -11
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/deterministic.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/fuchsia.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +34 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c +5 -1
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/windows.c +20 -0
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_asn1.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +7 -13
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +4 -28
- data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +318 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +1399 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +858 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +766 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +15 -11
- data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +11 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +345 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +246 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +20 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +13 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +1 -180
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +7 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +0 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +24 -47
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +24 -39
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +29 -23
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +52 -89
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +83 -12
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +9 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +67 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +29 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +87 -113
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +54 -74
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +99 -25
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +15 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +21 -19
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +13 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +21 -34
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +52 -28
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +49 -59
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +21 -172
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +5 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +75 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +5 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +28 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_int.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +27 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +42 -32
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +6 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +33 -28
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +10 -12
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +7 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +42 -22
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +27 -36
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +112 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +15 -14
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +128 -42
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +8 -7
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +86 -44
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +25 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/aes.h +16 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +119 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +1035 -625
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +2 -176
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +71 -14
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +7 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +62 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +32 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/chacha.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +29 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +8 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +22 -32
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +32 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/des.h +6 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +82 -20
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +20 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +16 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +20 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +39 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +5 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +110 -51
- data/third_party/boringssl-with-bazel/src/{crypto/x509/x509_r2x.c → include/openssl/evp_errors.h} +41 -58
- data/third_party/boringssl-with-bazel/src/include/openssl/hkdf.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +350 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/hrss.h +14 -12
- data/third_party/boringssl-with-bazel/src/include/openssl/lhash.h +4 -205
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +12 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/obj.h +26 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +3 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +194 -146
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +33 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +9 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +8 -19
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +135 -63
- data/third_party/boringssl-with-bazel/src/include/openssl/sha.h +26 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +39 -16
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +697 -194
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +54 -38
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +310 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +2071 -826
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +16 -678
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +639 -450
- data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +18 -5
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +16 -22
- data/third_party/boringssl-with-bazel/src/ssl/d1_lib.cc +3 -3
- data/third_party/boringssl-with-bazel/src/ssl/d1_srtp.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +13 -4
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +1084 -0
- data/third_party/boringssl-with-bazel/src/ssl/{t1_lib.cc → extensions.cc} +1083 -634
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +478 -78
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +122 -56
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +340 -236
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +199 -40
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +607 -209
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +17 -11
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -4
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +35 -40
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +77 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +11 -12
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +10 -11
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +34 -31
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +169 -111
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +15 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +179 -111
- data/third_party/boringssl-with-bazel/src/ssl/ssl_stat.cc +9 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +12 -17
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +12 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +28 -23
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +53 -30
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +81 -37
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +411 -235
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +183 -166
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +434 -151
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +65 -25
- data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +5 -3
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +245 -175
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +135 -75
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +1593 -1672
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +512 -503
- data/third_party/re2/re2/bitmap256.h +117 -0
- data/third_party/re2/re2/bitstate.cc +385 -0
- data/third_party/re2/re2/compile.cc +1261 -0
- data/third_party/re2/re2/dfa.cc +2118 -0
- data/third_party/re2/re2/filtered_re2.cc +137 -0
- data/third_party/re2/re2/filtered_re2.h +114 -0
- data/third_party/re2/re2/mimics_pcre.cc +197 -0
- data/third_party/re2/re2/nfa.cc +713 -0
- data/third_party/re2/re2/onepass.cc +623 -0
- data/third_party/re2/re2/parse.cc +2483 -0
- data/third_party/re2/re2/perl_groups.cc +119 -0
- data/third_party/re2/re2/pod_array.h +55 -0
- data/third_party/re2/re2/prefilter.cc +711 -0
- data/third_party/re2/re2/prefilter.h +108 -0
- data/third_party/re2/re2/prefilter_tree.cc +407 -0
- data/third_party/re2/re2/prefilter_tree.h +139 -0
- data/third_party/re2/re2/prog.cc +1166 -0
- data/third_party/re2/re2/prog.h +455 -0
- data/third_party/re2/re2/re2.cc +1331 -0
- data/third_party/re2/re2/re2.h +1017 -0
- data/third_party/re2/re2/regexp.cc +987 -0
- data/third_party/re2/re2/regexp.h +665 -0
- data/third_party/re2/re2/set.cc +176 -0
- data/third_party/re2/re2/set.h +85 -0
- data/third_party/re2/re2/simplify.cc +665 -0
- data/third_party/re2/re2/sparse_array.h +392 -0
- data/third_party/re2/re2/sparse_set.h +264 -0
- data/third_party/re2/re2/stringpiece.cc +65 -0
- data/third_party/re2/re2/stringpiece.h +210 -0
- data/third_party/re2/re2/tostring.cc +351 -0
- data/third_party/re2/re2/unicode_casefold.cc +582 -0
- data/third_party/re2/re2/unicode_casefold.h +78 -0
- data/third_party/re2/re2/unicode_groups.cc +6269 -0
- data/third_party/re2/re2/unicode_groups.h +67 -0
- data/third_party/re2/re2/walker-inl.h +246 -0
- data/third_party/re2/util/benchmark.h +156 -0
- data/third_party/re2/util/flags.h +26 -0
- data/third_party/re2/util/logging.h +109 -0
- data/third_party/re2/util/malloc_counter.h +19 -0
- data/third_party/re2/util/mix.h +41 -0
- data/third_party/re2/util/mutex.h +148 -0
- data/third_party/re2/util/pcre.cc +1025 -0
- data/third_party/re2/util/pcre.h +681 -0
- data/third_party/re2/util/rune.cc +260 -0
- data/third_party/re2/util/strutil.cc +149 -0
- data/third_party/re2/util/strutil.h +21 -0
- data/third_party/re2/util/test.h +50 -0
- data/third_party/re2/util/utf.h +44 -0
- data/third_party/re2/util/util.h +42 -0
- data/third_party/upb/upb/decode.c +668 -506
- data/third_party/upb/upb/decode.h +50 -3
- data/third_party/upb/upb/decode_fast.c +1053 -0
- data/third_party/upb/upb/decode_fast.h +153 -0
- data/third_party/upb/upb/decode_internal.h +193 -0
- data/third_party/upb/upb/def.c +2168 -0
- data/third_party/upb/upb/def.h +337 -0
- data/third_party/upb/upb/def.hpp +468 -0
- data/third_party/upb/upb/encode.c +346 -213
- data/third_party/upb/upb/encode.h +56 -4
- data/third_party/upb/upb/msg.c +356 -70
- data/third_party/upb/upb/msg.h +84 -45
- data/third_party/upb/upb/msg_internal.h +687 -0
- data/third_party/upb/upb/port_def.inc +187 -84
- data/third_party/upb/upb/port_undef.inc +47 -7
- data/third_party/upb/upb/reflection.c +400 -0
- data/third_party/upb/upb/reflection.h +196 -0
- data/third_party/upb/upb/reflection.hpp +37 -0
- data/third_party/upb/upb/table.c +265 -336
- data/third_party/upb/upb/{table.int.h → table_internal.h} +73 -229
- data/third_party/upb/upb/text_encode.c +449 -0
- data/third_party/upb/upb/text_encode.h +64 -0
- data/third_party/upb/upb/upb.c +189 -135
- data/third_party/upb/upb/upb.h +153 -150
- data/third_party/upb/upb/upb.hpp +112 -0
- data/third_party/upb/upb/upb_internal.h +58 -0
- data/third_party/xxhash/xxhash.h +5325 -0
- metadata +810 -204
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.cc +0 -1754
- data/src/core/ext/filters/client_channel/parse_address.cc +0 -237
- data/src/core/ext/filters/client_channel/parse_address.h +0 -53
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +0 -484
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +0 -181
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +0 -65
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_libuv.cc +0 -38
- data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +0 -359
- data/src/core/ext/filters/client_channel/resolving_lb_policy.h +0 -122
- data/src/core/ext/filters/client_channel/service_config.cc +0 -261
- data/src/core/ext/filters/client_channel/service_config.h +0 -193
- data/src/core/ext/filters/client_channel/xds/xds_api.cc +0 -1779
- data/src/core/ext/filters/client_channel/xds/xds_api.h +0 -280
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.cc +0 -347
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.h +0 -87
- data/src/core/ext/filters/client_channel/xds/xds_channel.h +0 -46
- data/src/core/ext/filters/client_channel/xds/xds_channel_secure.cc +0 -104
- data/src/core/ext/filters/client_channel/xds/xds_client.cc +0 -2174
- data/src/core/ext/filters/client_channel/xds/xds_client.h +0 -274
- data/src/core/ext/filters/client_channel/xds/xds_client_stats.cc +0 -116
- data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +0 -210
- data/src/core/ext/filters/workarounds/workaround_utils.cc +0 -53
- data/src/core/ext/filters/workarounds/workaround_utils.h +0 -39
- data/src/core/ext/transport/chttp2/client/authority.cc +0 -42
- data/src/core/ext/transport/chttp2/client/authority.h +0 -36
- data/src/core/ext/transport/chttp2/transport/hpack_table.cc +0 -246
- data/src/core/ext/transport/chttp2/transport/hpack_table.h +0 -148
- data/src/core/ext/transport/chttp2/transport/incoming_metadata.cc +0 -66
- data/src/core/ext/transport/chttp2/transport/incoming_metadata.h +0 -58
- data/src/core/ext/upb-generated/envoy/api/v2/auth/cert.upb.c +0 -246
- data/src/core/ext/upb-generated/envoy/api/v2/auth/cert.upb.h +0 -905
- data/src/core/ext/upb-generated/envoy/api/v2/cds.upb.c +0 -27
- data/src/core/ext/upb-generated/envoy/api/v2/cds.upb.h +0 -53
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/circuit_breaker.upb.c +0 -73
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/circuit_breaker.upb.h +0 -218
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/filter.upb.c +0 -34
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/filter.upb.h +0 -69
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/outlier_detection.upb.c +0 -54
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/outlier_detection.upb.h +0 -305
- data/src/core/ext/upb-generated/envoy/api/v2/cluster.upb.c +0 -390
- data/src/core/ext/upb-generated/envoy/api/v2/cluster.upb.h +0 -1411
- data/src/core/ext/upb-generated/envoy/api/v2/core/address.upb.c +0 -111
- data/src/core/ext/upb-generated/envoy/api/v2/core/address.upb.h +0 -328
- data/src/core/ext/upb-generated/envoy/api/v2/core/base.upb.c +0 -292
- data/src/core/ext/upb-generated/envoy/api/v2/core/base.upb.h +0 -847
- data/src/core/ext/upb-generated/envoy/api/v2/core/config_source.upb.c +0 -95
- data/src/core/ext/upb-generated/envoy/api/v2/core/config_source.upb.h +0 -322
- data/src/core/ext/upb-generated/envoy/api/v2/core/grpc_service.upb.c +0 -196
- data/src/core/ext/upb-generated/envoy/api/v2/core/grpc_service.upb.h +0 -642
- data/src/core/ext/upb-generated/envoy/api/v2/core/health_check.upb.c +0 -168
- data/src/core/ext/upb-generated/envoy/api/v2/core/health_check.upb.h +0 -658
- data/src/core/ext/upb-generated/envoy/api/v2/core/http_uri.upb.c +0 -35
- data/src/core/ext/upb-generated/envoy/api/v2/core/http_uri.upb.h +0 -80
- data/src/core/ext/upb-generated/envoy/api/v2/core/protocol.upb.c +0 -132
- data/src/core/ext/upb-generated/envoy/api/v2/core/protocol.upb.h +0 -436
- data/src/core/ext/upb-generated/envoy/api/v2/discovery.upb.c +0 -128
- data/src/core/ext/upb-generated/envoy/api/v2/discovery.upb.h +0 -392
- data/src/core/ext/upb-generated/envoy/api/v2/eds.upb.c +0 -30
- data/src/core/ext/upb-generated/envoy/api/v2/eds.upb.h +0 -53
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint.upb.c +0 -17
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint.upb.h +0 -33
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint_components.upb.c +0 -88
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint_components.upb.h +0 -258
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/load_report.upb.c +0 -111
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/load_report.upb.h +0 -324
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint.upb.c +0 -91
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint.upb.h +0 -240
- data/src/core/ext/upb-generated/envoy/api/v2/lds.upb.c +0 -30
- data/src/core/ext/upb-generated/envoy/api/v2/lds.upb.h +0 -53
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener.upb.c +0 -17
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener.upb.h +0 -33
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener_components.upb.c +0 -144
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener_components.upb.h +0 -527
- data/src/core/ext/upb-generated/envoy/api/v2/listener/udp_listener_config.upb.c +0 -42
- data/src/core/ext/upb-generated/envoy/api/v2/listener/udp_listener_config.upb.h +0 -112
- data/src/core/ext/upb-generated/envoy/api/v2/listener.upb.c +0 -104
- data/src/core/ext/upb-generated/envoy/api/v2/listener.upb.h +0 -383
- data/src/core/ext/upb-generated/envoy/api/v2/rds.upb.c +0 -29
- data/src/core/ext/upb-generated/envoy/api/v2/rds.upb.h +0 -53
- data/src/core/ext/upb-generated/envoy/api/v2/route/route.upb.c +0 -17
- data/src/core/ext/upb-generated/envoy/api/v2/route/route.upb.h +0 -33
- data/src/core/ext/upb-generated/envoy/api/v2/route/route_components.upb.c +0 -793
- data/src/core/ext/upb-generated/envoy/api/v2/route/route_components.upb.h +0 -2936
- data/src/core/ext/upb-generated/envoy/api/v2/route.upb.c +0 -62
- data/src/core/ext/upb-generated/envoy/api/v2/route.upb.h +0 -199
- data/src/core/ext/upb-generated/envoy/api/v2/scoped_route.upb.c +0 -58
- data/src/core/ext/upb-generated/envoy/api/v2/scoped_route.upb.h +0 -134
- data/src/core/ext/upb-generated/envoy/api/v2/srds.upb.h +0 -53
- data/src/core/ext/upb-generated/envoy/config/filter/accesslog/v2/accesslog.upb.c +0 -227
- data/src/core/ext/upb-generated/envoy/config/filter/accesslog/v2/accesslog.upb.h +0 -725
- data/src/core/ext/upb-generated/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.upb.c +0 -296
- data/src/core/ext/upb-generated/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.upb.h +0 -1072
- data/src/core/ext/upb-generated/envoy/config/listener/v2/api_listener.upb.c +0 -32
- data/src/core/ext/upb-generated/envoy/config/listener/v2/api_listener.upb.h +0 -65
- data/src/core/ext/upb-generated/envoy/service/discovery/v2/ads.upb.c +0 -23
- data/src/core/ext/upb-generated/envoy/service/discovery/v2/ads.upb.h +0 -50
- data/src/core/ext/upb-generated/envoy/service/load_stats/v2/lrs.upb.c +0 -52
- data/src/core/ext/upb-generated/envoy/service/load_stats/v2/lrs.upb.h +0 -130
- data/src/core/ext/upb-generated/envoy/type/matcher/regex.upb.c +0 -47
- data/src/core/ext/upb-generated/envoy/type/matcher/regex.upb.h +0 -108
- data/src/core/ext/upb-generated/envoy/type/matcher/string.upb.c +0 -52
- data/src/core/ext/upb-generated/envoy/type/matcher/string.upb.h +0 -133
- data/src/core/ext/upb-generated/envoy/type/metadata/v2/metadata.upb.c +0 -87
- data/src/core/ext/upb-generated/envoy/type/metadata/v2/metadata.upb.h +0 -258
- data/src/core/ext/upb-generated/envoy/type/percent.upb.c +0 -38
- data/src/core/ext/upb-generated/envoy/type/percent.upb.h +0 -87
- data/src/core/ext/upb-generated/envoy/type/range.upb.c +0 -49
- data/src/core/ext/upb-generated/envoy/type/range.upb.h +0 -112
- data/src/core/ext/upb-generated/envoy/type/semantic_version.upb.c +0 -28
- data/src/core/ext/upb-generated/envoy/type/semantic_version.upb.h +0 -62
- data/src/core/ext/upb-generated/envoy/type/tracing/v2/custom_tag.upb.c +0 -88
- data/src/core/ext/upb-generated/envoy/type/tracing/v2/custom_tag.upb.h +0 -249
- data/src/core/ext/upb-generated/gogoproto/gogo.upb.c +0 -17
- data/src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.c +0 -58
- data/src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.h +0 -144
- data/src/core/lib/gpr/arena.h +0 -47
- data/src/core/lib/gpr/tls_gcc.h +0 -52
- data/src/core/lib/gpr/tls_msvc.h +0 -52
- data/src/core/lib/gpr/tls_pthread.h +0 -56
- data/src/core/lib/gprpp/atomic.h +0 -104
- data/src/core/lib/gprpp/map.h +0 -59
- data/src/core/lib/gprpp/string_view.h +0 -60
- data/src/core/lib/iomgr/endpoint_pair_uv.cc +0 -40
- data/src/core/lib/iomgr/iomgr_posix.h +0 -26
- data/src/core/lib/iomgr/iomgr_uv.cc +0 -43
- data/src/core/lib/iomgr/poller/eventmanager_libuv.cc +0 -87
- data/src/core/lib/iomgr/poller/eventmanager_libuv.h +0 -88
- data/src/core/lib/iomgr/pollset_uv.cc +0 -93
- data/src/core/lib/iomgr/sockaddr_custom.h +0 -54
- data/src/core/lib/iomgr/socket_utils_uv.cc +0 -49
- data/src/core/lib/iomgr/tcp_uv.cc +0 -418
- data/src/core/lib/iomgr/timer_uv.cc +0 -66
- data/src/core/lib/iomgr/udp_server.cc +0 -752
- data/src/core/lib/iomgr/udp_server.h +0 -101
- data/src/core/lib/security/transport/target_authority_table.cc +0 -75
- data/src/core/lib/security/transport/target_authority_table.h +0 -40
- data/src/core/lib/slice/slice_hash_table.h +0 -199
- data/src/core/lib/slice/slice_weak_hash_table.h +0 -102
- data/src/core/tsi/grpc_shadow_boringssl.h +0 -3311
- data/third_party/abseil-cpp/absl/base/dynamic_annotations.cc +0 -129
- data/third_party/abseil-cpp/absl/base/internal/bits.h +0 -218
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_locl.h +0 -104
- data/third_party/boringssl-with-bazel/src/crypto/x509/vpm_int.h +0 -71
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pku.c +0 -110
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_sxnet.c +0 -274
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256.c +0 -1063
- data/third_party/upb/upb/generated_util.h +0 -105
- data/third_party/upb/upb/port.c +0 -26
|
@@ -113,25 +113,30 @@
|
|
|
113
113
|
#include <stdlib.h>
|
|
114
114
|
#include <string.h>
|
|
115
115
|
|
|
116
|
+
#include <algorithm>
|
|
116
117
|
#include <utility>
|
|
117
118
|
|
|
119
|
+
#include <openssl/aead.h>
|
|
118
120
|
#include <openssl/bytestring.h>
|
|
119
121
|
#include <openssl/chacha.h>
|
|
122
|
+
#include <openssl/curve25519.h>
|
|
120
123
|
#include <openssl/digest.h>
|
|
121
124
|
#include <openssl/err.h>
|
|
122
125
|
#include <openssl/evp.h>
|
|
123
126
|
#include <openssl/hmac.h>
|
|
127
|
+
#include <openssl/hpke.h>
|
|
124
128
|
#include <openssl/mem.h>
|
|
125
129
|
#include <openssl/nid.h>
|
|
126
130
|
#include <openssl/rand.h>
|
|
127
131
|
|
|
128
|
-
#include "internal.h"
|
|
129
132
|
#include "../crypto/internal.h"
|
|
133
|
+
#include "internal.h"
|
|
130
134
|
|
|
131
135
|
|
|
132
136
|
BSSL_NAMESPACE_BEGIN
|
|
133
137
|
|
|
134
138
|
static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs);
|
|
139
|
+
static bool ssl_check_serverhello_tlsext(SSL_HANDSHAKE *hs);
|
|
135
140
|
|
|
136
141
|
static int compare_uint16_t(const void *p1, const void *p2) {
|
|
137
142
|
uint16_t u1 = *((const uint16_t *)p1);
|
|
@@ -204,17 +209,25 @@ static bool is_post_quantum_group(uint16_t id) {
|
|
|
204
209
|
}
|
|
205
210
|
|
|
206
211
|
bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
|
|
207
|
-
const
|
|
212
|
+
Span<const uint8_t> body) {
|
|
213
|
+
CBS cbs = body;
|
|
214
|
+
if (!ssl_parse_client_hello_with_trailing_data(ssl, &cbs, out) ||
|
|
215
|
+
CBS_len(&cbs) != 0) {
|
|
216
|
+
return false;
|
|
217
|
+
}
|
|
218
|
+
return true;
|
|
219
|
+
}
|
|
220
|
+
|
|
221
|
+
bool ssl_parse_client_hello_with_trailing_data(const SSL *ssl, CBS *cbs,
|
|
222
|
+
SSL_CLIENT_HELLO *out) {
|
|
208
223
|
OPENSSL_memset(out, 0, sizeof(*out));
|
|
209
224
|
out->ssl = const_cast<SSL *>(ssl);
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
216
|
-
!CBS_get_bytes(&client_hello, &random, SSL3_RANDOM_SIZE) ||
|
|
217
|
-
!CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
|
|
225
|
+
|
|
226
|
+
CBS copy = *cbs;
|
|
227
|
+
CBS random, session_id;
|
|
228
|
+
if (!CBS_get_u16(cbs, &out->version) ||
|
|
229
|
+
!CBS_get_bytes(cbs, &random, SSL3_RANDOM_SIZE) ||
|
|
230
|
+
!CBS_get_u8_length_prefixed(cbs, &session_id) ||
|
|
218
231
|
CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
|
|
219
232
|
return false;
|
|
220
233
|
}
|
|
@@ -227,16 +240,16 @@ bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
|
|
|
227
240
|
// Skip past DTLS cookie
|
|
228
241
|
if (SSL_is_dtls(out->ssl)) {
|
|
229
242
|
CBS cookie;
|
|
230
|
-
if (!CBS_get_u8_length_prefixed(
|
|
243
|
+
if (!CBS_get_u8_length_prefixed(cbs, &cookie) ||
|
|
231
244
|
CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
|
|
232
245
|
return false;
|
|
233
246
|
}
|
|
234
247
|
}
|
|
235
248
|
|
|
236
249
|
CBS cipher_suites, compression_methods;
|
|
237
|
-
if (!CBS_get_u16_length_prefixed(
|
|
250
|
+
if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites) ||
|
|
238
251
|
CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 ||
|
|
239
|
-
!CBS_get_u8_length_prefixed(
|
|
252
|
+
!CBS_get_u8_length_prefixed(cbs, &compression_methods) ||
|
|
240
253
|
CBS_len(&compression_methods) < 1) {
|
|
241
254
|
return false;
|
|
242
255
|
}
|
|
@@ -248,23 +261,22 @@ bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
|
|
|
248
261
|
|
|
249
262
|
// If the ClientHello ends here then it's valid, but doesn't have any
|
|
250
263
|
// extensions.
|
|
251
|
-
if (CBS_len(
|
|
252
|
-
out->extensions =
|
|
264
|
+
if (CBS_len(cbs) == 0) {
|
|
265
|
+
out->extensions = nullptr;
|
|
253
266
|
out->extensions_len = 0;
|
|
254
|
-
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
|
|
260
|
-
|
|
261
|
-
|
|
262
|
-
|
|
267
|
+
} else {
|
|
268
|
+
// Extract extensions and check it is valid.
|
|
269
|
+
CBS extensions;
|
|
270
|
+
if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
|
|
271
|
+
!tls1_check_duplicate_extensions(&extensions)) {
|
|
272
|
+
return false;
|
|
273
|
+
}
|
|
274
|
+
out->extensions = CBS_data(&extensions);
|
|
275
|
+
out->extensions_len = CBS_len(&extensions);
|
|
263
276
|
}
|
|
264
277
|
|
|
265
|
-
out->
|
|
266
|
-
out->
|
|
267
|
-
|
|
278
|
+
out->client_hello = CBS_data(©);
|
|
279
|
+
out->client_hello_len = CBS_len(©) - CBS_len(cbs);
|
|
268
280
|
return true;
|
|
269
281
|
}
|
|
270
282
|
|
|
@@ -400,6 +412,11 @@ bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
|
|
|
400
412
|
return false;
|
|
401
413
|
}
|
|
402
414
|
|
|
415
|
+
// We internally assume zero is never allocated as a group ID.
|
|
416
|
+
if (group_id == 0) {
|
|
417
|
+
return false;
|
|
418
|
+
}
|
|
419
|
+
|
|
403
420
|
for (uint16_t supported : tls1_get_grouplist(hs)) {
|
|
404
421
|
if (supported == group_id) {
|
|
405
422
|
return true;
|
|
@@ -413,7 +430,6 @@ bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
|
|
|
413
430
|
// algorithms for verifying.
|
|
414
431
|
static const uint16_t kVerifySignatureAlgorithms[] = {
|
|
415
432
|
// List our preferred algorithms first.
|
|
416
|
-
SSL_SIGN_ED25519,
|
|
417
433
|
SSL_SIGN_ECDSA_SECP256R1_SHA256,
|
|
418
434
|
SSL_SIGN_RSA_PSS_RSAE_SHA256,
|
|
419
435
|
SSL_SIGN_RSA_PKCS1_SHA256,
|
|
@@ -455,39 +471,15 @@ static const uint16_t kSignSignatureAlgorithms[] = {
|
|
|
455
471
|
SSL_SIGN_RSA_PKCS1_SHA1,
|
|
456
472
|
};
|
|
457
473
|
|
|
458
|
-
|
|
459
|
-
|
|
460
|
-
|
|
461
|
-
uint16_t sigalg = list[0];
|
|
462
|
-
list = list.subspan(1);
|
|
463
|
-
if (skip_ed25519 && sigalg == SSL_SIGN_ED25519) {
|
|
464
|
-
continue;
|
|
465
|
-
}
|
|
466
|
-
*out = sigalg;
|
|
467
|
-
return true;
|
|
468
|
-
}
|
|
469
|
-
return false;
|
|
470
|
-
}
|
|
471
|
-
|
|
472
|
-
Span<const uint16_t> list;
|
|
473
|
-
bool skip_ed25519 = false;
|
|
474
|
-
};
|
|
475
|
-
|
|
476
|
-
static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl) {
|
|
477
|
-
SSLSignatureAlgorithmList ret;
|
|
478
|
-
if (!ssl->config->verify_sigalgs.empty()) {
|
|
479
|
-
ret.list = ssl->config->verify_sigalgs;
|
|
480
|
-
} else {
|
|
481
|
-
ret.list = kVerifySignatureAlgorithms;
|
|
482
|
-
ret.skip_ed25519 = !ssl->ctx->ed25519_enabled;
|
|
474
|
+
static Span<const uint16_t> tls12_get_verify_sigalgs(const SSL_HANDSHAKE *hs) {
|
|
475
|
+
if (hs->config->verify_sigalgs.empty()) {
|
|
476
|
+
return Span<const uint16_t>(kVerifySignatureAlgorithms);
|
|
483
477
|
}
|
|
484
|
-
return
|
|
478
|
+
return hs->config->verify_sigalgs;
|
|
485
479
|
}
|
|
486
480
|
|
|
487
|
-
bool tls12_add_verify_sigalgs(const
|
|
488
|
-
|
|
489
|
-
uint16_t sigalg;
|
|
490
|
-
while (list.Next(&sigalg)) {
|
|
481
|
+
bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out) {
|
|
482
|
+
for (uint16_t sigalg : tls12_get_verify_sigalgs(hs)) {
|
|
491
483
|
if (!CBB_add_u16(out, sigalg)) {
|
|
492
484
|
return false;
|
|
493
485
|
}
|
|
@@ -495,11 +487,9 @@ bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
|
|
|
495
487
|
return true;
|
|
496
488
|
}
|
|
497
489
|
|
|
498
|
-
bool tls12_check_peer_sigalg(const
|
|
490
|
+
bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
499
491
|
uint16_t sigalg) {
|
|
500
|
-
|
|
501
|
-
uint16_t verify_sigalg;
|
|
502
|
-
while (list.Next(&verify_sigalg)) {
|
|
492
|
+
for (uint16_t verify_sigalg : tls12_get_verify_sigalgs(hs)) {
|
|
503
493
|
if (verify_sigalg == sigalg) {
|
|
504
494
|
return true;
|
|
505
495
|
}
|
|
@@ -510,9 +500,7 @@ bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
|
|
|
510
500
|
return false;
|
|
511
501
|
}
|
|
512
502
|
|
|
513
|
-
// tls_extension represents a TLS extension that is handled internally.
|
|
514
|
-
// |init| function is called for each handshake, before any other functions of
|
|
515
|
-
// the extension. Then the add and parse callbacks are called as needed.
|
|
503
|
+
// tls_extension represents a TLS extension that is handled internally.
|
|
516
504
|
//
|
|
517
505
|
// The parse callbacks receive a |CBS| that contains the contents of the
|
|
518
506
|
// extension (i.e. not including the type and length bytes). If an extension is
|
|
@@ -522,14 +510,27 @@ bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
|
|
|
522
510
|
// The add callbacks receive a |CBB| to which the extension can be appended but
|
|
523
511
|
// the function is responsible for appending the type and length bytes too.
|
|
524
512
|
//
|
|
513
|
+
// |add_clienthello| may be called multiple times and must not mutate |hs|. It
|
|
514
|
+
// is additionally passed two output |CBB|s. If the extension is the same
|
|
515
|
+
// independent of the value of |type|, the callback may write to
|
|
516
|
+
// |out_compressible| instead of |out|. When serializing the ClientHelloInner,
|
|
517
|
+
// all compressible extensions will be made continguous and replaced with
|
|
518
|
+
// ech_outer_extensions when encrypted. When serializing the ClientHelloOuter
|
|
519
|
+
// or not offering ECH, |out| will be equal to |out_compressible|, so writing to
|
|
520
|
+
// |out_compressible| still works.
|
|
521
|
+
//
|
|
522
|
+
// Note the |parse_serverhello| and |add_serverhello| callbacks refer to the
|
|
523
|
+
// TLS 1.2 ServerHello. In TLS 1.3, these callbacks act on EncryptedExtensions,
|
|
524
|
+
// with ServerHello extensions handled elsewhere in the handshake.
|
|
525
|
+
//
|
|
525
526
|
// All callbacks return true for success and false for error. If a parse
|
|
526
527
|
// function returns zero then a fatal alert with value |*out_alert| will be
|
|
527
528
|
// sent. If |*out_alert| isn't set, then a |decode_error| alert will be sent.
|
|
528
529
|
struct tls_extension {
|
|
529
530
|
uint16_t value;
|
|
530
|
-
void (*init)(SSL_HANDSHAKE *hs);
|
|
531
531
|
|
|
532
|
-
bool (*add_clienthello)(SSL_HANDSHAKE *hs, CBB *out
|
|
532
|
+
bool (*add_clienthello)(const SSL_HANDSHAKE *hs, CBB *out,
|
|
533
|
+
CBB *out_compressible, ssl_client_hello_type_t type);
|
|
533
534
|
bool (*parse_serverhello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
534
535
|
CBS *contents);
|
|
535
536
|
|
|
@@ -539,7 +540,7 @@ struct tls_extension {
|
|
|
539
540
|
};
|
|
540
541
|
|
|
541
542
|
static bool forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
542
|
-
|
|
543
|
+
CBS *contents) {
|
|
543
544
|
if (contents != NULL) {
|
|
544
545
|
// Servers MUST NOT send this extension.
|
|
545
546
|
*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
|
|
@@ -551,7 +552,7 @@ static bool forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
|
551
552
|
}
|
|
552
553
|
|
|
553
554
|
static bool ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
554
|
-
|
|
555
|
+
CBS *contents) {
|
|
555
556
|
// This extension from the client is handled elsewhere.
|
|
556
557
|
return true;
|
|
557
558
|
}
|
|
@@ -564,10 +565,21 @@ static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
564
565
|
//
|
|
565
566
|
// https://tools.ietf.org/html/rfc6066#section-3.
|
|
566
567
|
|
|
567
|
-
static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
|
568
|
-
|
|
569
|
-
|
|
570
|
-
|
|
568
|
+
static bool ext_sni_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
569
|
+
CBB *out_compressible,
|
|
570
|
+
ssl_client_hello_type_t type) {
|
|
571
|
+
const SSL *const ssl = hs->ssl;
|
|
572
|
+
// If offering ECH, send the public name instead of the configured name.
|
|
573
|
+
Span<const uint8_t> hostname;
|
|
574
|
+
if (type == ssl_client_hello_outer) {
|
|
575
|
+
hostname = hs->selected_ech_config->public_name;
|
|
576
|
+
} else {
|
|
577
|
+
if (ssl->hostname == nullptr) {
|
|
578
|
+
return true;
|
|
579
|
+
}
|
|
580
|
+
hostname =
|
|
581
|
+
MakeConstSpan(reinterpret_cast<const uint8_t *>(ssl->hostname.get()),
|
|
582
|
+
strlen(ssl->hostname.get()));
|
|
571
583
|
}
|
|
572
584
|
|
|
573
585
|
CBB contents, server_name_list, name;
|
|
@@ -576,8 +588,7 @@ static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
576
588
|
!CBB_add_u16_length_prefixed(&contents, &server_name_list) ||
|
|
577
589
|
!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) ||
|
|
578
590
|
!CBB_add_u16_length_prefixed(&server_name_list, &name) ||
|
|
579
|
-
!CBB_add_bytes(&name, (
|
|
580
|
-
strlen(ssl->hostname.get())) ||
|
|
591
|
+
!CBB_add_bytes(&name, hostname.data(), hostname.size()) ||
|
|
581
592
|
!CBB_flush(out)) {
|
|
582
593
|
return false;
|
|
583
594
|
}
|
|
@@ -613,14 +624,131 @@ static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
613
624
|
}
|
|
614
625
|
|
|
615
626
|
|
|
627
|
+
// Encrypted ClientHello (ECH)
|
|
628
|
+
//
|
|
629
|
+
// https://tools.ietf.org/html/draft-ietf-tls-esni-13
|
|
630
|
+
|
|
631
|
+
static bool ext_ech_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
632
|
+
CBB *out_compressible,
|
|
633
|
+
ssl_client_hello_type_t type) {
|
|
634
|
+
if (type == ssl_client_hello_inner) {
|
|
635
|
+
if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||
|
|
636
|
+
!CBB_add_u16(out, /* length */ 1) ||
|
|
637
|
+
!CBB_add_u8(out, ECH_CLIENT_INNER)) {
|
|
638
|
+
return false;
|
|
639
|
+
}
|
|
640
|
+
return true;
|
|
641
|
+
}
|
|
642
|
+
|
|
643
|
+
if (hs->ech_client_outer.empty()) {
|
|
644
|
+
return true;
|
|
645
|
+
}
|
|
646
|
+
|
|
647
|
+
CBB ech_body;
|
|
648
|
+
if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||
|
|
649
|
+
!CBB_add_u16_length_prefixed(out, &ech_body) ||
|
|
650
|
+
!CBB_add_u8(&ech_body, ECH_CLIENT_OUTER) ||
|
|
651
|
+
!CBB_add_bytes(&ech_body, hs->ech_client_outer.data(),
|
|
652
|
+
hs->ech_client_outer.size()) ||
|
|
653
|
+
!CBB_flush(out)) {
|
|
654
|
+
return false;
|
|
655
|
+
}
|
|
656
|
+
return true;
|
|
657
|
+
}
|
|
658
|
+
|
|
659
|
+
static bool ext_ech_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
660
|
+
CBS *contents) {
|
|
661
|
+
SSL *const ssl = hs->ssl;
|
|
662
|
+
if (contents == NULL) {
|
|
663
|
+
return true;
|
|
664
|
+
}
|
|
665
|
+
|
|
666
|
+
// The ECH extension may not be sent in TLS 1.2 ServerHello, only TLS 1.3
|
|
667
|
+
// EncryptedExtensions. It also may not be sent in response to an inner ECH
|
|
668
|
+
// extension.
|
|
669
|
+
if (ssl_protocol_version(ssl) < TLS1_3_VERSION ||
|
|
670
|
+
ssl->s3->ech_status == ssl_ech_accepted) {
|
|
671
|
+
*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
|
|
672
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
|
673
|
+
return false;
|
|
674
|
+
}
|
|
675
|
+
|
|
676
|
+
if (!ssl_is_valid_ech_config_list(*contents)) {
|
|
677
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
|
678
|
+
return false;
|
|
679
|
+
}
|
|
680
|
+
|
|
681
|
+
if (ssl->s3->ech_status == ssl_ech_rejected &&
|
|
682
|
+
!hs->ech_retry_configs.CopyFrom(*contents)) {
|
|
683
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
684
|
+
return false;
|
|
685
|
+
}
|
|
686
|
+
|
|
687
|
+
return true;
|
|
688
|
+
}
|
|
689
|
+
|
|
690
|
+
static bool ext_ech_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
691
|
+
CBS *contents) {
|
|
692
|
+
if (contents == nullptr) {
|
|
693
|
+
return true;
|
|
694
|
+
}
|
|
695
|
+
|
|
696
|
+
uint8_t type;
|
|
697
|
+
if (!CBS_get_u8(contents, &type)) {
|
|
698
|
+
return false;
|
|
699
|
+
}
|
|
700
|
+
if (type == ECH_CLIENT_OUTER) {
|
|
701
|
+
// Outer ECH extensions are handled outside the callback.
|
|
702
|
+
return true;
|
|
703
|
+
}
|
|
704
|
+
if (type != ECH_CLIENT_INNER || CBS_len(contents) != 0) {
|
|
705
|
+
return false;
|
|
706
|
+
}
|
|
707
|
+
|
|
708
|
+
hs->ech_is_inner = true;
|
|
709
|
+
return true;
|
|
710
|
+
}
|
|
711
|
+
|
|
712
|
+
static bool ext_ech_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
713
|
+
SSL *const ssl = hs->ssl;
|
|
714
|
+
if (ssl_protocol_version(ssl) < TLS1_3_VERSION ||
|
|
715
|
+
ssl->s3->ech_status == ssl_ech_accepted || //
|
|
716
|
+
hs->ech_keys == nullptr) {
|
|
717
|
+
return true;
|
|
718
|
+
}
|
|
719
|
+
|
|
720
|
+
// Write the list of retry configs to |out|. Note |SSL_CTX_set1_ech_keys|
|
|
721
|
+
// ensures |ech_keys| contains at least one retry config.
|
|
722
|
+
CBB body, retry_configs;
|
|
723
|
+
if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||
|
|
724
|
+
!CBB_add_u16_length_prefixed(out, &body) ||
|
|
725
|
+
!CBB_add_u16_length_prefixed(&body, &retry_configs)) {
|
|
726
|
+
return false;
|
|
727
|
+
}
|
|
728
|
+
for (const auto &config : hs->ech_keys->configs) {
|
|
729
|
+
if (!config->is_retry_config()) {
|
|
730
|
+
continue;
|
|
731
|
+
}
|
|
732
|
+
if (!CBB_add_bytes(&retry_configs, config->ech_config().raw.data(),
|
|
733
|
+
config->ech_config().raw.size())) {
|
|
734
|
+
return false;
|
|
735
|
+
}
|
|
736
|
+
}
|
|
737
|
+
return CBB_flush(out);
|
|
738
|
+
}
|
|
739
|
+
|
|
740
|
+
|
|
616
741
|
// Renegotiation indication.
|
|
617
742
|
//
|
|
618
743
|
// https://tools.ietf.org/html/rfc5746
|
|
619
744
|
|
|
620
|
-
static bool ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
|
621
|
-
|
|
745
|
+
static bool ext_ri_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
746
|
+
CBB *out_compressible,
|
|
747
|
+
ssl_client_hello_type_t type) {
|
|
748
|
+
const SSL *const ssl = hs->ssl;
|
|
622
749
|
// Renegotiation indication is not necessary in TLS 1.3.
|
|
623
|
-
if (hs->min_version >= TLS1_3_VERSION
|
|
750
|
+
if (hs->min_version >= TLS1_3_VERSION ||
|
|
751
|
+
type == ssl_client_hello_inner) {
|
|
624
752
|
return true;
|
|
625
753
|
}
|
|
626
754
|
|
|
@@ -782,9 +910,11 @@ static bool ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
782
910
|
//
|
|
783
911
|
// https://tools.ietf.org/html/rfc7627
|
|
784
912
|
|
|
785
|
-
static bool ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
|
913
|
+
static bool ext_ems_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
914
|
+
CBB *out_compressible,
|
|
915
|
+
ssl_client_hello_type_t type) {
|
|
786
916
|
// Extended master secret is not necessary in TLS 1.3.
|
|
787
|
-
if (hs->min_version >= TLS1_3_VERSION) {
|
|
917
|
+
if (hs->min_version >= TLS1_3_VERSION || type == ssl_client_hello_inner) {
|
|
788
918
|
return true;
|
|
789
919
|
}
|
|
790
920
|
|
|
@@ -857,10 +987,12 @@ static bool ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
857
987
|
//
|
|
858
988
|
// https://tools.ietf.org/html/rfc5077
|
|
859
989
|
|
|
860
|
-
static bool ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
|
861
|
-
|
|
990
|
+
static bool ext_ticket_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
991
|
+
CBB *out_compressible,
|
|
992
|
+
ssl_client_hello_type_t type) {
|
|
993
|
+
const SSL *const ssl = hs->ssl;
|
|
862
994
|
// TLS 1.3 uses a different ticket extension.
|
|
863
|
-
if (hs->min_version >= TLS1_3_VERSION ||
|
|
995
|
+
if (hs->min_version >= TLS1_3_VERSION || type == ssl_client_hello_inner ||
|
|
864
996
|
SSL_get_options(ssl) & SSL_OP_NO_TICKET) {
|
|
865
997
|
return true;
|
|
866
998
|
}
|
|
@@ -935,18 +1067,19 @@ static bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
935
1067
|
//
|
|
936
1068
|
// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
|
|
937
1069
|
|
|
938
|
-
static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
|
939
|
-
|
|
1070
|
+
static bool ext_sigalgs_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
1071
|
+
CBB *out_compressible,
|
|
1072
|
+
ssl_client_hello_type_t type) {
|
|
940
1073
|
if (hs->max_version < TLS1_2_VERSION) {
|
|
941
1074
|
return true;
|
|
942
1075
|
}
|
|
943
1076
|
|
|
944
1077
|
CBB contents, sigalgs_cbb;
|
|
945
|
-
if (!CBB_add_u16(
|
|
946
|
-
!CBB_add_u16_length_prefixed(
|
|
1078
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_signature_algorithms) ||
|
|
1079
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
|
947
1080
|
!CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
|
|
948
|
-
!tls12_add_verify_sigalgs(
|
|
949
|
-
!CBB_flush(
|
|
1081
|
+
!tls12_add_verify_sigalgs(hs, &sigalgs_cbb) ||
|
|
1082
|
+
!CBB_flush(out_compressible)) {
|
|
950
1083
|
return false;
|
|
951
1084
|
}
|
|
952
1085
|
|
|
@@ -975,18 +1108,20 @@ static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
|
975
1108
|
//
|
|
976
1109
|
// https://tools.ietf.org/html/rfc6066#section-8
|
|
977
1110
|
|
|
978
|
-
static bool ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
|
1111
|
+
static bool ext_ocsp_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
1112
|
+
CBB *out_compressible,
|
|
1113
|
+
ssl_client_hello_type_t type) {
|
|
979
1114
|
if (!hs->config->ocsp_stapling_enabled) {
|
|
980
1115
|
return true;
|
|
981
1116
|
}
|
|
982
1117
|
|
|
983
1118
|
CBB contents;
|
|
984
|
-
if (!CBB_add_u16(
|
|
985
|
-
!CBB_add_u16_length_prefixed(
|
|
1119
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_status_request) ||
|
|
1120
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
|
986
1121
|
!CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||
|
|
987
1122
|
!CBB_add_u16(&contents, 0 /* empty responder ID list */) ||
|
|
988
1123
|
!CBB_add_u16(&contents, 0 /* empty request extensions */) ||
|
|
989
|
-
!CBB_flush(
|
|
1124
|
+
!CBB_flush(out_compressible)) {
|
|
990
1125
|
return false;
|
|
991
1126
|
}
|
|
992
1127
|
|
|
@@ -1057,11 +1192,16 @@ static bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1057
1192
|
//
|
|
1058
1193
|
// https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html
|
|
1059
1194
|
|
|
1060
|
-
static bool ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
|
1061
|
-
|
|
1062
|
-
|
|
1063
|
-
|
|
1064
|
-
|
|
1195
|
+
static bool ext_npn_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
1196
|
+
CBB *out_compressible,
|
|
1197
|
+
ssl_client_hello_type_t type) {
|
|
1198
|
+
const SSL *const ssl = hs->ssl;
|
|
1199
|
+
if (ssl->ctx->next_proto_select_cb == NULL ||
|
|
1200
|
+
// Do not allow NPN to change on renegotiation.
|
|
1201
|
+
ssl->s3->initial_handshake_complete ||
|
|
1202
|
+
// NPN is not defined in DTLS or TLS 1.3.
|
|
1203
|
+
SSL_is_dtls(ssl) || hs->min_version >= TLS1_3_VERSION ||
|
|
1204
|
+
type == ssl_client_hello_inner) {
|
|
1065
1205
|
return true;
|
|
1066
1206
|
}
|
|
1067
1207
|
|
|
@@ -1180,13 +1320,15 @@ static bool ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1180
1320
|
//
|
|
1181
1321
|
// https://tools.ietf.org/html/rfc6962#section-3.3.1
|
|
1182
1322
|
|
|
1183
|
-
static bool ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
|
1323
|
+
static bool ext_sct_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
1324
|
+
CBB *out_compressible,
|
|
1325
|
+
ssl_client_hello_type_t type) {
|
|
1184
1326
|
if (!hs->config->signed_cert_timestamps_enabled) {
|
|
1185
1327
|
return true;
|
|
1186
1328
|
}
|
|
1187
1329
|
|
|
1188
|
-
if (!CBB_add_u16(
|
|
1189
|
-
!CBB_add_u16(
|
|
1330
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_certificate_timestamp) ||
|
|
1331
|
+
!CBB_add_u16(out_compressible, 0 /* length */)) {
|
|
1190
1332
|
return false;
|
|
1191
1333
|
}
|
|
1192
1334
|
|
|
@@ -1271,20 +1413,29 @@ static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1271
1413
|
//
|
|
1272
1414
|
// https://tools.ietf.org/html/rfc7301
|
|
1273
1415
|
|
|
1274
|
-
static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
|
1275
|
-
|
|
1416
|
+
static bool ext_alpn_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
1417
|
+
CBB *out_compressible,
|
|
1418
|
+
ssl_client_hello_type_t type) {
|
|
1419
|
+
const SSL *const ssl = hs->ssl;
|
|
1420
|
+
if (hs->config->alpn_client_proto_list.empty() && ssl->quic_method) {
|
|
1421
|
+
// ALPN MUST be used with QUIC.
|
|
1422
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
|
1423
|
+
return false;
|
|
1424
|
+
}
|
|
1425
|
+
|
|
1276
1426
|
if (hs->config->alpn_client_proto_list.empty() ||
|
|
1277
1427
|
ssl->s3->initial_handshake_complete) {
|
|
1278
1428
|
return true;
|
|
1279
1429
|
}
|
|
1280
1430
|
|
|
1281
1431
|
CBB contents, proto_list;
|
|
1282
|
-
if (!CBB_add_u16(
|
|
1283
|
-
|
|
1432
|
+
if (!CBB_add_u16(out_compressible,
|
|
1433
|
+
TLSEXT_TYPE_application_layer_protocol_negotiation) ||
|
|
1434
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
|
1284
1435
|
!CBB_add_u16_length_prefixed(&contents, &proto_list) ||
|
|
1285
1436
|
!CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list.data(),
|
|
1286
1437
|
hs->config->alpn_client_proto_list.size()) ||
|
|
1287
|
-
!CBB_flush(
|
|
1438
|
+
!CBB_flush(out_compressible)) {
|
|
1288
1439
|
return false;
|
|
1289
1440
|
}
|
|
1290
1441
|
|
|
@@ -1295,6 +1446,12 @@ static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
|
1295
1446
|
CBS *contents) {
|
|
1296
1447
|
SSL *const ssl = hs->ssl;
|
|
1297
1448
|
if (contents == NULL) {
|
|
1449
|
+
if (ssl->quic_method) {
|
|
1450
|
+
// ALPN is required when QUIC is used.
|
|
1451
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
|
1452
|
+
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
|
1453
|
+
return false;
|
|
1454
|
+
}
|
|
1298
1455
|
return true;
|
|
1299
1456
|
}
|
|
1300
1457
|
|
|
@@ -1334,6 +1491,22 @@ static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
|
1334
1491
|
return true;
|
|
1335
1492
|
}
|
|
1336
1493
|
|
|
1494
|
+
bool ssl_is_valid_alpn_list(Span<const uint8_t> in) {
|
|
1495
|
+
CBS protocol_name_list = in;
|
|
1496
|
+
if (CBS_len(&protocol_name_list) == 0) {
|
|
1497
|
+
return false;
|
|
1498
|
+
}
|
|
1499
|
+
while (CBS_len(&protocol_name_list) > 0) {
|
|
1500
|
+
CBS protocol_name;
|
|
1501
|
+
if (!CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
|
|
1502
|
+
// Empty protocol names are forbidden.
|
|
1503
|
+
CBS_len(&protocol_name) == 0) {
|
|
1504
|
+
return false;
|
|
1505
|
+
}
|
|
1506
|
+
}
|
|
1507
|
+
return true;
|
|
1508
|
+
}
|
|
1509
|
+
|
|
1337
1510
|
bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,
|
|
1338
1511
|
Span<const uint8_t> protocol) {
|
|
1339
1512
|
if (hs->config->alpn_client_proto_list.empty()) {
|
|
@@ -1370,6 +1543,12 @@ bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
|
1370
1543
|
!ssl_client_hello_get_extension(
|
|
1371
1544
|
client_hello, &contents,
|
|
1372
1545
|
TLSEXT_TYPE_application_layer_protocol_negotiation)) {
|
|
1546
|
+
if (ssl->quic_method) {
|
|
1547
|
+
// ALPN is required when QUIC is used.
|
|
1548
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
|
1549
|
+
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
|
1550
|
+
return false;
|
|
1551
|
+
}
|
|
1373
1552
|
// Ignore ALPN if not configured or no extension was supplied.
|
|
1374
1553
|
return true;
|
|
1375
1554
|
}
|
|
@@ -1380,42 +1559,47 @@ bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
|
1380
1559
|
CBS protocol_name_list;
|
|
1381
1560
|
if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) ||
|
|
1382
1561
|
CBS_len(&contents) != 0 ||
|
|
1383
|
-
|
|
1562
|
+
!ssl_is_valid_alpn_list(protocol_name_list)) {
|
|
1384
1563
|
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
|
|
1385
1564
|
*out_alert = SSL_AD_DECODE_ERROR;
|
|
1386
1565
|
return false;
|
|
1387
1566
|
}
|
|
1388
1567
|
|
|
1389
|
-
// Validate the protocol list.
|
|
1390
|
-
CBS protocol_name_list_copy = protocol_name_list;
|
|
1391
|
-
while (CBS_len(&protocol_name_list_copy) > 0) {
|
|
1392
|
-
CBS protocol_name;
|
|
1393
|
-
|
|
1394
|
-
if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
|
|
1395
|
-
// Empty protocol names are forbidden.
|
|
1396
|
-
CBS_len(&protocol_name) == 0) {
|
|
1397
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
|
|
1398
|
-
*out_alert = SSL_AD_DECODE_ERROR;
|
|
1399
|
-
return false;
|
|
1400
|
-
}
|
|
1401
|
-
}
|
|
1402
|
-
|
|
1403
1568
|
const uint8_t *selected;
|
|
1404
1569
|
uint8_t selected_len;
|
|
1405
|
-
|
|
1406
|
-
|
|
1407
|
-
|
|
1408
|
-
|
|
1409
|
-
|
|
1410
|
-
|
|
1411
|
-
|
|
1570
|
+
int ret = ssl->ctx->alpn_select_cb(
|
|
1571
|
+
ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
|
|
1572
|
+
CBS_len(&protocol_name_list), ssl->ctx->alpn_select_cb_arg);
|
|
1573
|
+
// ALPN is required when QUIC is used.
|
|
1574
|
+
if (ssl->quic_method &&
|
|
1575
|
+
(ret == SSL_TLSEXT_ERR_NOACK || ret == SSL_TLSEXT_ERR_ALERT_WARNING)) {
|
|
1576
|
+
ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
1577
|
+
}
|
|
1578
|
+
switch (ret) {
|
|
1579
|
+
case SSL_TLSEXT_ERR_OK:
|
|
1580
|
+
if (selected_len == 0) {
|
|
1581
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
|
|
1582
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
1583
|
+
return false;
|
|
1584
|
+
}
|
|
1585
|
+
if (!ssl->s3->alpn_selected.CopyFrom(
|
|
1586
|
+
MakeConstSpan(selected, selected_len))) {
|
|
1587
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
1588
|
+
return false;
|
|
1589
|
+
}
|
|
1590
|
+
break;
|
|
1591
|
+
case SSL_TLSEXT_ERR_NOACK:
|
|
1592
|
+
case SSL_TLSEXT_ERR_ALERT_WARNING:
|
|
1593
|
+
break;
|
|
1594
|
+
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
|
1595
|
+
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
|
1596
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
|
1412
1597
|
return false;
|
|
1413
|
-
|
|
1414
|
-
|
|
1415
|
-
MakeConstSpan(selected, selected_len))) {
|
|
1598
|
+
default:
|
|
1599
|
+
// Invalid return value.
|
|
1416
1600
|
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
1601
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
1417
1602
|
return false;
|
|
1418
|
-
}
|
|
1419
1603
|
}
|
|
1420
1604
|
|
|
1421
1605
|
return true;
|
|
@@ -1446,13 +1630,20 @@ static bool ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1446
1630
|
//
|
|
1447
1631
|
// https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
|
|
1448
1632
|
|
|
1449
|
-
static
|
|
1450
|
-
|
|
1451
|
-
|
|
1452
|
-
|
|
1453
|
-
|
|
1454
|
-
|
|
1455
|
-
|
|
1633
|
+
static bool ext_channel_id_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
1634
|
+
CBB *out_compressible,
|
|
1635
|
+
ssl_client_hello_type_t type) {
|
|
1636
|
+
const SSL *const ssl = hs->ssl;
|
|
1637
|
+
if (!hs->config->channel_id_private || SSL_is_dtls(ssl) ||
|
|
1638
|
+
// Don't offer Channel ID in ClientHelloOuter. ClientHelloOuter handshakes
|
|
1639
|
+
// are not authenticated for the name that can learn the Channel ID.
|
|
1640
|
+
//
|
|
1641
|
+
// We could alternatively offer the extension but sign with a random key.
|
|
1642
|
+
// For other extensions, we try to align |ssl_client_hello_outer| and
|
|
1643
|
+
// |ssl_client_hello_unencrypted|, to improve the effectiveness of ECH
|
|
1644
|
+
// GREASE. However, Channel ID is deprecated and unlikely to be used with
|
|
1645
|
+
// ECH, so do the simplest thing.
|
|
1646
|
+
type == ssl_client_hello_outer) {
|
|
1456
1647
|
return true;
|
|
1457
1648
|
}
|
|
1458
1649
|
|
|
@@ -1467,19 +1658,18 @@ static bool ext_channel_id_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1467
1658
|
static bool ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
1468
1659
|
uint8_t *out_alert,
|
|
1469
1660
|
CBS *contents) {
|
|
1470
|
-
SSL *const ssl = hs->ssl;
|
|
1471
1661
|
if (contents == NULL) {
|
|
1472
1662
|
return true;
|
|
1473
1663
|
}
|
|
1474
1664
|
|
|
1475
|
-
assert(!SSL_is_dtls(ssl));
|
|
1476
|
-
assert(hs->config->
|
|
1665
|
+
assert(!SSL_is_dtls(hs->ssl));
|
|
1666
|
+
assert(hs->config->channel_id_private);
|
|
1477
1667
|
|
|
1478
1668
|
if (CBS_len(contents) != 0) {
|
|
1479
1669
|
return false;
|
|
1480
1670
|
}
|
|
1481
1671
|
|
|
1482
|
-
|
|
1672
|
+
hs->channel_id_negotiated = true;
|
|
1483
1673
|
return true;
|
|
1484
1674
|
}
|
|
1485
1675
|
|
|
@@ -1495,13 +1685,12 @@ static bool ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
|
1495
1685
|
return false;
|
|
1496
1686
|
}
|
|
1497
1687
|
|
|
1498
|
-
|
|
1688
|
+
hs->channel_id_negotiated = true;
|
|
1499
1689
|
return true;
|
|
1500
1690
|
}
|
|
1501
1691
|
|
|
1502
1692
|
static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1503
|
-
|
|
1504
|
-
if (!ssl->s3->channel_id_valid) {
|
|
1693
|
+
if (!hs->channel_id_negotiated) {
|
|
1505
1694
|
return true;
|
|
1506
1695
|
}
|
|
1507
1696
|
|
|
@@ -1518,22 +1707,21 @@ static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1518
1707
|
//
|
|
1519
1708
|
// https://tools.ietf.org/html/rfc5764
|
|
1520
1709
|
|
|
1521
|
-
|
|
1522
|
-
|
|
1523
|
-
|
|
1524
|
-
|
|
1525
|
-
|
|
1526
|
-
|
|
1527
|
-
SSL *const ssl = hs->ssl;
|
|
1528
|
-
STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
|
|
1710
|
+
static bool ext_srtp_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
1711
|
+
CBB *out_compressible,
|
|
1712
|
+
ssl_client_hello_type_t type) {
|
|
1713
|
+
const SSL *const ssl = hs->ssl;
|
|
1714
|
+
const STACK_OF(SRTP_PROTECTION_PROFILE) *profiles =
|
|
1715
|
+
SSL_get_srtp_profiles(ssl);
|
|
1529
1716
|
if (profiles == NULL ||
|
|
1530
|
-
sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0
|
|
1717
|
+
sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0 ||
|
|
1718
|
+
!SSL_is_dtls(ssl)) {
|
|
1531
1719
|
return true;
|
|
1532
1720
|
}
|
|
1533
1721
|
|
|
1534
1722
|
CBB contents, profile_ids;
|
|
1535
|
-
if (!CBB_add_u16(
|
|
1536
|
-
!CBB_add_u16_length_prefixed(
|
|
1723
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_srtp) ||
|
|
1724
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
|
1537
1725
|
!CBB_add_u16_length_prefixed(&contents, &profile_ids)) {
|
|
1538
1726
|
return false;
|
|
1539
1727
|
}
|
|
@@ -1545,7 +1733,7 @@ static bool ext_srtp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1545
1733
|
}
|
|
1546
1734
|
|
|
1547
1735
|
if (!CBB_add_u8(&contents, 0 /* empty use_mki value */) ||
|
|
1548
|
-
!CBB_flush(
|
|
1736
|
+
!CBB_flush(out_compressible)) {
|
|
1549
1737
|
return false;
|
|
1550
1738
|
}
|
|
1551
1739
|
|
|
@@ -1563,6 +1751,7 @@ static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
|
1563
1751
|
// single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
|
|
1564
1752
|
//
|
|
1565
1753
|
// See https://tools.ietf.org/html/rfc5764#section-4.1.1
|
|
1754
|
+
assert(SSL_is_dtls(ssl));
|
|
1566
1755
|
CBS profile_ids, srtp_mki;
|
|
1567
1756
|
uint16_t profile_id;
|
|
1568
1757
|
if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
|
|
@@ -1581,11 +1770,8 @@ static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
|
1581
1770
|
return false;
|
|
1582
1771
|
}
|
|
1583
1772
|
|
|
1584
|
-
|
|
1585
|
-
|
|
1586
|
-
// Check to see if the server gave us something we support (and presumably
|
|
1587
|
-
// offered).
|
|
1588
|
-
for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
|
|
1773
|
+
// Check to see if the server gave us something we support and offered.
|
|
1774
|
+
for (const SRTP_PROTECTION_PROFILE *profile : SSL_get_srtp_profiles(ssl)) {
|
|
1589
1775
|
if (profile->id == profile_id) {
|
|
1590
1776
|
ssl->s3->srtp_profile = profile;
|
|
1591
1777
|
return true;
|
|
@@ -1600,7 +1786,8 @@ static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
|
1600
1786
|
static bool ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1601
1787
|
CBS *contents) {
|
|
1602
1788
|
SSL *const ssl = hs->ssl;
|
|
1603
|
-
|
|
1789
|
+
// DTLS-SRTP is only defined for DTLS.
|
|
1790
|
+
if (contents == NULL || !SSL_is_dtls(ssl)) {
|
|
1604
1791
|
return true;
|
|
1605
1792
|
}
|
|
1606
1793
|
|
|
@@ -1644,6 +1831,7 @@ static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1644
1831
|
return true;
|
|
1645
1832
|
}
|
|
1646
1833
|
|
|
1834
|
+
assert(SSL_is_dtls(ssl));
|
|
1647
1835
|
CBB contents, profile_ids;
|
|
1648
1836
|
if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
|
|
1649
1837
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
|
@@ -1662,7 +1850,7 @@ static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1662
1850
|
//
|
|
1663
1851
|
// https://tools.ietf.org/html/rfc4492#section-5.1.2
|
|
1664
1852
|
|
|
1665
|
-
static bool ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1853
|
+
static bool ext_ec_point_add_extension(const SSL_HANDSHAKE *hs, CBB *out) {
|
|
1666
1854
|
CBB contents, formats;
|
|
1667
1855
|
if (!CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) ||
|
|
1668
1856
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
|
@@ -1675,9 +1863,11 @@ static bool ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1675
1863
|
return true;
|
|
1676
1864
|
}
|
|
1677
1865
|
|
|
1678
|
-
static bool ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
|
1866
|
+
static bool ext_ec_point_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
1867
|
+
CBB *out_compressible,
|
|
1868
|
+
ssl_client_hello_type_t type) {
|
|
1679
1869
|
// The point format extension is unnecessary in TLS 1.3.
|
|
1680
|
-
if (hs->min_version >= TLS1_3_VERSION) {
|
|
1870
|
+
if (hs->min_version >= TLS1_3_VERSION || type == ssl_client_hello_inner) {
|
|
1681
1871
|
return true;
|
|
1682
1872
|
}
|
|
1683
1873
|
|
|
@@ -1743,10 +1933,34 @@ static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1743
1933
|
//
|
|
1744
1934
|
// https://tools.ietf.org/html/rfc8446#section-4.2.11
|
|
1745
1935
|
|
|
1746
|
-
static
|
|
1747
|
-
|
|
1936
|
+
static bool should_offer_psk(const SSL_HANDSHAKE *hs,
|
|
1937
|
+
ssl_client_hello_type_t type) {
|
|
1938
|
+
const SSL *const ssl = hs->ssl;
|
|
1748
1939
|
if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
|
|
1749
|
-
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION
|
|
1940
|
+
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
|
|
1941
|
+
// TODO(https://crbug.com/boringssl/275): Should we synthesize a
|
|
1942
|
+
// placeholder PSK, at least when we offer early data? Otherwise
|
|
1943
|
+
// ClientHelloOuter will contain an early_data extension without a
|
|
1944
|
+
// pre_shared_key extension and potentially break the recovery flow.
|
|
1945
|
+
type == ssl_client_hello_outer) {
|
|
1946
|
+
return false;
|
|
1947
|
+
}
|
|
1948
|
+
|
|
1949
|
+
// Per RFC 8446 section 4.1.4, skip offering the session if the selected
|
|
1950
|
+
// cipher in HelloRetryRequest does not match. This avoids performing the
|
|
1951
|
+
// transcript hash transformation for multiple hashes.
|
|
1952
|
+
if (ssl->s3->used_hello_retry_request &&
|
|
1953
|
+
ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
|
|
1954
|
+
return false;
|
|
1955
|
+
}
|
|
1956
|
+
|
|
1957
|
+
return true;
|
|
1958
|
+
}
|
|
1959
|
+
|
|
1960
|
+
static size_t ext_pre_shared_key_clienthello_length(
|
|
1961
|
+
const SSL_HANDSHAKE *hs, ssl_client_hello_type_t type) {
|
|
1962
|
+
const SSL *const ssl = hs->ssl;
|
|
1963
|
+
if (!should_offer_psk(hs, type)) {
|
|
1750
1964
|
return 0;
|
|
1751
1965
|
}
|
|
1752
1966
|
|
|
@@ -1754,19 +1968,12 @@ static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
|
|
|
1754
1968
|
return 15 + ssl->session->ticket.size() + binder_len;
|
|
1755
1969
|
}
|
|
1756
1970
|
|
|
1757
|
-
static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs,
|
|
1758
|
-
|
|
1759
|
-
|
|
1760
|
-
|
|
1761
|
-
|
|
1762
|
-
|
|
1763
|
-
}
|
|
1764
|
-
|
|
1765
|
-
// Per RFC 8446 section 4.1.4, skip offering the session if the selected
|
|
1766
|
-
// cipher in HelloRetryRequest does not match. This avoids performing the
|
|
1767
|
-
// transcript hash transformation for multiple hashes.
|
|
1768
|
-
if (ssl->s3 && ssl->s3->used_hello_retry_request &&
|
|
1769
|
-
ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
|
|
1971
|
+
static bool ext_pre_shared_key_add_clienthello(const SSL_HANDSHAKE *hs,
|
|
1972
|
+
CBB *out, bool *out_needs_binder,
|
|
1973
|
+
ssl_client_hello_type_t type) {
|
|
1974
|
+
const SSL *const ssl = hs->ssl;
|
|
1975
|
+
*out_needs_binder = false;
|
|
1976
|
+
if (!should_offer_psk(hs, type)) {
|
|
1770
1977
|
return true;
|
|
1771
1978
|
}
|
|
1772
1979
|
|
|
@@ -1777,7 +1984,6 @@ static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1777
1984
|
|
|
1778
1985
|
// Fill in a placeholder zero binder of the appropriate length. It will be
|
|
1779
1986
|
// computed and filled in later after length prefixes are computed.
|
|
1780
|
-
uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
|
|
1781
1987
|
size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
|
|
1782
1988
|
|
|
1783
1989
|
CBB contents, identity, ticket, binders, binder;
|
|
@@ -1790,11 +1996,11 @@ static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1790
1996
|
!CBB_add_u32(&identity, obfuscated_ticket_age) ||
|
|
1791
1997
|
!CBB_add_u16_length_prefixed(&contents, &binders) ||
|
|
1792
1998
|
!CBB_add_u8_length_prefixed(&binders, &binder) ||
|
|
1793
|
-
!
|
|
1999
|
+
!CBB_add_zeros(&binder, binder_len)) {
|
|
1794
2000
|
return false;
|
|
1795
2001
|
}
|
|
1796
2002
|
|
|
1797
|
-
|
|
2003
|
+
*out_needs_binder = true;
|
|
1798
2004
|
return CBB_flush(out);
|
|
1799
2005
|
}
|
|
1800
2006
|
|
|
@@ -1907,21 +2113,22 @@ bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1907
2113
|
//
|
|
1908
2114
|
// https://tools.ietf.org/html/rfc8446#section-4.2.9
|
|
1909
2115
|
|
|
1910
|
-
static bool ext_psk_key_exchange_modes_add_clienthello(
|
|
1911
|
-
|
|
2116
|
+
static bool ext_psk_key_exchange_modes_add_clienthello(
|
|
2117
|
+
const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,
|
|
2118
|
+
ssl_client_hello_type_t type) {
|
|
1912
2119
|
if (hs->max_version < TLS1_3_VERSION) {
|
|
1913
2120
|
return true;
|
|
1914
2121
|
}
|
|
1915
2122
|
|
|
1916
2123
|
CBB contents, ke_modes;
|
|
1917
|
-
if (!CBB_add_u16(
|
|
1918
|
-
!CBB_add_u16_length_prefixed(
|
|
2124
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_psk_key_exchange_modes) ||
|
|
2125
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
|
1919
2126
|
!CBB_add_u8_length_prefixed(&contents, &ke_modes) ||
|
|
1920
2127
|
!CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE)) {
|
|
1921
2128
|
return false;
|
|
1922
2129
|
}
|
|
1923
2130
|
|
|
1924
|
-
return CBB_flush(
|
|
2131
|
+
return CBB_flush(out_compressible);
|
|
1925
2132
|
}
|
|
1926
2133
|
|
|
1927
2134
|
static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
@@ -1951,8 +2158,10 @@ static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
|
1951
2158
|
//
|
|
1952
2159
|
// https://tools.ietf.org/html/rfc8446#section-4.2.10
|
|
1953
2160
|
|
|
1954
|
-
static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
|
1955
|
-
|
|
2161
|
+
static bool ext_early_data_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
2162
|
+
CBB *out_compressible,
|
|
2163
|
+
ssl_client_hello_type_t type) {
|
|
2164
|
+
const SSL *const ssl = hs->ssl;
|
|
1956
2165
|
// The second ClientHello never offers early data, and we must have already
|
|
1957
2166
|
// filled in |early_data_reason| by this point.
|
|
1958
2167
|
if (ssl->s3->used_hello_retry_request) {
|
|
@@ -1960,44 +2169,17 @@ static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
1960
2169
|
return true;
|
|
1961
2170
|
}
|
|
1962
2171
|
|
|
1963
|
-
if (!
|
|
1964
|
-
ssl->s3->early_data_reason = ssl_early_data_disabled;
|
|
1965
|
-
return true;
|
|
1966
|
-
}
|
|
1967
|
-
|
|
1968
|
-
if (hs->max_version < TLS1_3_VERSION) {
|
|
1969
|
-
// We discard inapplicable sessions, so this is redundant with the session
|
|
1970
|
-
// checks below, but we check give a more useful reason.
|
|
1971
|
-
ssl->s3->early_data_reason = ssl_early_data_protocol_version;
|
|
1972
|
-
return true;
|
|
1973
|
-
}
|
|
1974
|
-
|
|
1975
|
-
if (ssl->session == nullptr) {
|
|
1976
|
-
ssl->s3->early_data_reason = ssl_early_data_no_session_offered;
|
|
1977
|
-
return true;
|
|
1978
|
-
}
|
|
1979
|
-
|
|
1980
|
-
if (ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
|
|
1981
|
-
ssl->session->ticket_max_early_data == 0) {
|
|
1982
|
-
ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session;
|
|
1983
|
-
return true;
|
|
1984
|
-
}
|
|
1985
|
-
|
|
1986
|
-
// In case ALPN preferences changed since this session was established, avoid
|
|
1987
|
-
// reporting a confusing value in |SSL_get0_alpn_selected| and sending early
|
|
1988
|
-
// data we know will be rejected.
|
|
1989
|
-
if (!ssl->session->early_alpn.empty() &&
|
|
1990
|
-
!ssl_is_alpn_protocol_allowed(hs, ssl->session->early_alpn)) {
|
|
1991
|
-
ssl->s3->early_data_reason = ssl_early_data_alpn_mismatch;
|
|
2172
|
+
if (!hs->early_data_offered) {
|
|
1992
2173
|
return true;
|
|
1993
2174
|
}
|
|
1994
2175
|
|
|
1995
|
-
//
|
|
1996
|
-
|
|
1997
|
-
|
|
1998
|
-
|
|
1999
|
-
|
|
2000
|
-
!
|
|
2176
|
+
// If offering ECH, the extension only applies to ClientHelloInner, but we
|
|
2177
|
+
// send the extension in both ClientHellos. This ensures that, if the server
|
|
2178
|
+
// handshakes with ClientHelloOuter, it can skip past early data. See
|
|
2179
|
+
// draft-ietf-tls-esni-13, section 6.1.
|
|
2180
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_early_data) ||
|
|
2181
|
+
!CBB_add_u16(out_compressible, 0) ||
|
|
2182
|
+
!CBB_flush(out_compressible)) {
|
|
2001
2183
|
return false;
|
|
2002
2184
|
}
|
|
2003
2185
|
|
|
@@ -2078,43 +2260,33 @@ static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
2078
2260
|
//
|
|
2079
2261
|
// https://tools.ietf.org/html/rfc8446#section-4.2.8
|
|
2080
2262
|
|
|
2081
|
-
|
|
2263
|
+
bool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id) {
|
|
2082
2264
|
SSL *const ssl = hs->ssl;
|
|
2265
|
+
hs->key_shares[0].reset();
|
|
2266
|
+
hs->key_shares[1].reset();
|
|
2267
|
+
hs->key_share_bytes.Reset();
|
|
2268
|
+
|
|
2083
2269
|
if (hs->max_version < TLS1_3_VERSION) {
|
|
2084
2270
|
return true;
|
|
2085
2271
|
}
|
|
2086
2272
|
|
|
2087
|
-
|
|
2088
|
-
if (!
|
|
2089
|
-
!CBB_add_u16_length_prefixed(out, &contents) ||
|
|
2090
|
-
!CBB_add_u16_length_prefixed(&contents, &kse_bytes)) {
|
|
2273
|
+
bssl::ScopedCBB cbb;
|
|
2274
|
+
if (!CBB_init(cbb.get(), 64)) {
|
|
2091
2275
|
return false;
|
|
2092
2276
|
}
|
|
2093
2277
|
|
|
2094
|
-
|
|
2095
|
-
|
|
2096
|
-
|
|
2097
|
-
|
|
2098
|
-
|
|
2099
|
-
if (group_id == 0 &&
|
|
2100
|
-
!CBB_add_bytes(&kse_bytes, hs->key_share_bytes.data(),
|
|
2101
|
-
hs->key_share_bytes.size())) {
|
|
2102
|
-
return false;
|
|
2103
|
-
}
|
|
2104
|
-
hs->key_share_bytes.Reset();
|
|
2105
|
-
if (group_id == 0) {
|
|
2106
|
-
return CBB_flush(out);
|
|
2107
|
-
}
|
|
2108
|
-
} else {
|
|
2109
|
-
// Add a fake group. See draft-davidben-tls-grease-01.
|
|
2110
|
-
if (ssl->ctx->grease_enabled &&
|
|
2111
|
-
(!CBB_add_u16(&kse_bytes,
|
|
2112
|
-
ssl_get_grease_value(hs, ssl_grease_group)) ||
|
|
2113
|
-
!CBB_add_u16(&kse_bytes, 1 /* length */) ||
|
|
2114
|
-
!CBB_add_u8(&kse_bytes, 0 /* one byte key share */))) {
|
|
2278
|
+
if (override_group_id == 0 && ssl->ctx->grease_enabled) {
|
|
2279
|
+
// Add a fake group. See RFC 8701.
|
|
2280
|
+
if (!CBB_add_u16(cbb.get(), ssl_get_grease_value(hs, ssl_grease_group)) ||
|
|
2281
|
+
!CBB_add_u16(cbb.get(), 1 /* length */) ||
|
|
2282
|
+
!CBB_add_u8(cbb.get(), 0 /* one byte key share */)) {
|
|
2115
2283
|
return false;
|
|
2116
2284
|
}
|
|
2285
|
+
}
|
|
2117
2286
|
|
|
2287
|
+
uint16_t group_id = override_group_id;
|
|
2288
|
+
uint16_t second_group_id = 0;
|
|
2289
|
+
if (override_group_id == 0) {
|
|
2118
2290
|
// Predict the most preferred group.
|
|
2119
2291
|
Span<const uint16_t> groups = tls1_get_grouplist(hs);
|
|
2120
2292
|
if (groups.empty()) {
|
|
@@ -2134,34 +2306,45 @@ static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
2134
2306
|
|
|
2135
2307
|
CBB key_exchange;
|
|
2136
2308
|
hs->key_shares[0] = SSLKeyShare::Create(group_id);
|
|
2137
|
-
if (!hs->key_shares[0] ||
|
|
2138
|
-
!CBB_add_u16(
|
|
2139
|
-
!CBB_add_u16_length_prefixed(
|
|
2140
|
-
!hs->key_shares[0]->Offer(&key_exchange)
|
|
2141
|
-
!CBB_flush(&kse_bytes)) {
|
|
2309
|
+
if (!hs->key_shares[0] || //
|
|
2310
|
+
!CBB_add_u16(cbb.get(), group_id) ||
|
|
2311
|
+
!CBB_add_u16_length_prefixed(cbb.get(), &key_exchange) ||
|
|
2312
|
+
!hs->key_shares[0]->Offer(&key_exchange)) {
|
|
2142
2313
|
return false;
|
|
2143
2314
|
}
|
|
2144
2315
|
|
|
2145
2316
|
if (second_group_id != 0) {
|
|
2146
2317
|
hs->key_shares[1] = SSLKeyShare::Create(second_group_id);
|
|
2147
|
-
if (!hs->key_shares[1] ||
|
|
2148
|
-
!CBB_add_u16(
|
|
2149
|
-
!CBB_add_u16_length_prefixed(
|
|
2150
|
-
!hs->key_shares[1]->Offer(&key_exchange)
|
|
2151
|
-
!CBB_flush(&kse_bytes)) {
|
|
2318
|
+
if (!hs->key_shares[1] || //
|
|
2319
|
+
!CBB_add_u16(cbb.get(), second_group_id) ||
|
|
2320
|
+
!CBB_add_u16_length_prefixed(cbb.get(), &key_exchange) ||
|
|
2321
|
+
!hs->key_shares[1]->Offer(&key_exchange)) {
|
|
2152
2322
|
return false;
|
|
2153
2323
|
}
|
|
2154
2324
|
}
|
|
2155
2325
|
|
|
2156
|
-
|
|
2157
|
-
|
|
2158
|
-
|
|
2159
|
-
|
|
2160
|
-
|
|
2326
|
+
return CBBFinishArray(cbb.get(), &hs->key_share_bytes);
|
|
2327
|
+
}
|
|
2328
|
+
|
|
2329
|
+
static bool ext_key_share_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
2330
|
+
CBB *out_compressible,
|
|
2331
|
+
ssl_client_hello_type_t type) {
|
|
2332
|
+
if (hs->max_version < TLS1_3_VERSION) {
|
|
2333
|
+
return true;
|
|
2334
|
+
}
|
|
2335
|
+
|
|
2336
|
+
assert(!hs->key_share_bytes.empty());
|
|
2337
|
+
CBB contents, kse_bytes;
|
|
2338
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_key_share) ||
|
|
2339
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
|
2340
|
+
!CBB_add_u16_length_prefixed(&contents, &kse_bytes) ||
|
|
2341
|
+
!CBB_add_bytes(&kse_bytes, hs->key_share_bytes.data(),
|
|
2342
|
+
hs->key_share_bytes.size()) ||
|
|
2343
|
+
!CBB_flush(out_compressible)) {
|
|
2161
2344
|
return false;
|
|
2162
2345
|
}
|
|
2163
2346
|
|
|
2164
|
-
return
|
|
2347
|
+
return true;
|
|
2165
2348
|
}
|
|
2166
2349
|
|
|
2167
2350
|
bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
@@ -2199,25 +2382,29 @@ bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
|
2199
2382
|
}
|
|
2200
2383
|
|
|
2201
2384
|
bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
|
|
2202
|
-
|
|
2203
|
-
uint8_t *out_alert,
|
|
2204
|
-
|
|
2205
|
-
|
|
2206
|
-
|
|
2207
|
-
|
|
2208
|
-
|
|
2385
|
+
Span<const uint8_t> *out_peer_key,
|
|
2386
|
+
uint8_t *out_alert,
|
|
2387
|
+
const SSL_CLIENT_HELLO *client_hello) {
|
|
2388
|
+
// We only support connections that include an ECDHE key exchange.
|
|
2389
|
+
CBS contents;
|
|
2390
|
+
if (!ssl_client_hello_get_extension(client_hello, &contents,
|
|
2391
|
+
TLSEXT_TYPE_key_share)) {
|
|
2392
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
|
|
2393
|
+
*out_alert = SSL_AD_MISSING_EXTENSION;
|
|
2209
2394
|
return false;
|
|
2210
2395
|
}
|
|
2211
2396
|
|
|
2212
|
-
|
|
2213
|
-
|
|
2397
|
+
CBS key_shares;
|
|
2398
|
+
if (!CBS_get_u16_length_prefixed(&contents, &key_shares) ||
|
|
2399
|
+
CBS_len(&contents) != 0) {
|
|
2214
2400
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
2215
2401
|
return false;
|
|
2216
2402
|
}
|
|
2217
2403
|
|
|
2218
2404
|
// Find the corresponding key share.
|
|
2405
|
+
const uint16_t group_id = hs->new_session->group_id;
|
|
2219
2406
|
CBS peer_key;
|
|
2220
|
-
CBS_init(&peer_key,
|
|
2407
|
+
CBS_init(&peer_key, nullptr, 0);
|
|
2221
2408
|
while (CBS_len(&key_shares) > 0) {
|
|
2222
2409
|
uint16_t id;
|
|
2223
2410
|
CBS peer_key_tmp;
|
|
@@ -2240,46 +2427,24 @@ bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
|
|
|
2240
2427
|
}
|
|
2241
2428
|
}
|
|
2242
2429
|
|
|
2243
|
-
if (
|
|
2244
|
-
*
|
|
2245
|
-
out_secret->Reset();
|
|
2246
|
-
return true;
|
|
2247
|
-
}
|
|
2248
|
-
|
|
2249
|
-
// Compute the DH secret.
|
|
2250
|
-
Array<uint8_t> secret;
|
|
2251
|
-
ScopedCBB public_key;
|
|
2252
|
-
UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id);
|
|
2253
|
-
if (!key_share ||
|
|
2254
|
-
!CBB_init(public_key.get(), 32) ||
|
|
2255
|
-
!key_share->Accept(public_key.get(), &secret, out_alert, peer_key) ||
|
|
2256
|
-
!CBBFinishArray(public_key.get(), &hs->ecdh_public_key)) {
|
|
2257
|
-
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
|
2258
|
-
return false;
|
|
2430
|
+
if (out_peer_key != nullptr) {
|
|
2431
|
+
*out_peer_key = peer_key;
|
|
2259
2432
|
}
|
|
2260
|
-
|
|
2261
|
-
*out_secret = std::move(secret);
|
|
2262
|
-
*out_found = true;
|
|
2433
|
+
*out_found = CBS_len(&peer_key) != 0;
|
|
2263
2434
|
return true;
|
|
2264
2435
|
}
|
|
2265
2436
|
|
|
2266
2437
|
bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2267
|
-
uint16_t group_id;
|
|
2268
2438
|
CBB kse_bytes, public_key;
|
|
2269
|
-
if (!
|
|
2270
|
-
!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
|
|
2439
|
+
if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
|
|
2271
2440
|
!CBB_add_u16_length_prefixed(out, &kse_bytes) ||
|
|
2272
|
-
!CBB_add_u16(&kse_bytes, group_id) ||
|
|
2441
|
+
!CBB_add_u16(&kse_bytes, hs->new_session->group_id) ||
|
|
2273
2442
|
!CBB_add_u16_length_prefixed(&kse_bytes, &public_key) ||
|
|
2274
2443
|
!CBB_add_bytes(&public_key, hs->ecdh_public_key.data(),
|
|
2275
2444
|
hs->ecdh_public_key.size()) ||
|
|
2276
2445
|
!CBB_flush(out)) {
|
|
2277
2446
|
return false;
|
|
2278
2447
|
}
|
|
2279
|
-
|
|
2280
|
-
hs->ecdh_public_key.Reset();
|
|
2281
|
-
|
|
2282
|
-
hs->new_session->group_id = group_id;
|
|
2283
2448
|
return true;
|
|
2284
2449
|
}
|
|
2285
2450
|
|
|
@@ -2288,12 +2453,20 @@ bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
2288
2453
|
//
|
|
2289
2454
|
// https://tools.ietf.org/html/rfc8446#section-4.2.1
|
|
2290
2455
|
|
|
2291
|
-
static bool ext_supported_versions_add_clienthello(
|
|
2292
|
-
|
|
2456
|
+
static bool ext_supported_versions_add_clienthello(
|
|
2457
|
+
const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,
|
|
2458
|
+
ssl_client_hello_type_t type) {
|
|
2459
|
+
const SSL *const ssl = hs->ssl;
|
|
2293
2460
|
if (hs->max_version <= TLS1_2_VERSION) {
|
|
2294
2461
|
return true;
|
|
2295
2462
|
}
|
|
2296
2463
|
|
|
2464
|
+
// supported_versions is compressible in ECH if ClientHelloOuter already
|
|
2465
|
+
// requires TLS 1.3. Otherwise the extensions differ in the older versions.
|
|
2466
|
+
if (hs->min_version >= TLS1_3_VERSION) {
|
|
2467
|
+
out = out_compressible;
|
|
2468
|
+
}
|
|
2469
|
+
|
|
2297
2470
|
CBB contents, versions;
|
|
2298
2471
|
if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||
|
|
2299
2472
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
|
@@ -2301,13 +2474,16 @@ static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out)
|
|
|
2301
2474
|
return false;
|
|
2302
2475
|
}
|
|
2303
2476
|
|
|
2304
|
-
// Add a fake version. See
|
|
2477
|
+
// Add a fake version. See RFC 8701.
|
|
2305
2478
|
if (ssl->ctx->grease_enabled &&
|
|
2306
2479
|
!CBB_add_u16(&versions, ssl_get_grease_value(hs, ssl_grease_version))) {
|
|
2307
2480
|
return false;
|
|
2308
2481
|
}
|
|
2309
2482
|
|
|
2310
|
-
|
|
2483
|
+
// Encrypted ClientHellos requires TLS 1.3 or later.
|
|
2484
|
+
uint16_t extra_min_version =
|
|
2485
|
+
type == ssl_client_hello_inner ? TLS1_3_VERSION : 0;
|
|
2486
|
+
if (!ssl_add_supported_versions(hs, &versions, extra_min_version) ||
|
|
2311
2487
|
!CBB_flush(out)) {
|
|
2312
2488
|
return false;
|
|
2313
2489
|
}
|
|
@@ -2320,22 +2496,22 @@ static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out)
|
|
|
2320
2496
|
//
|
|
2321
2497
|
// https://tools.ietf.org/html/rfc8446#section-4.2.2
|
|
2322
2498
|
|
|
2323
|
-
static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
|
2499
|
+
static bool ext_cookie_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
2500
|
+
CBB *out_compressible,
|
|
2501
|
+
ssl_client_hello_type_t type) {
|
|
2324
2502
|
if (hs->cookie.empty()) {
|
|
2325
2503
|
return true;
|
|
2326
2504
|
}
|
|
2327
2505
|
|
|
2328
2506
|
CBB contents, cookie;
|
|
2329
|
-
if (!CBB_add_u16(
|
|
2330
|
-
!CBB_add_u16_length_prefixed(
|
|
2507
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_cookie) ||
|
|
2508
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
|
2331
2509
|
!CBB_add_u16_length_prefixed(&contents, &cookie) ||
|
|
2332
2510
|
!CBB_add_bytes(&cookie, hs->cookie.data(), hs->cookie.size()) ||
|
|
2333
|
-
!CBB_flush(
|
|
2511
|
+
!CBB_flush(out_compressible)) {
|
|
2334
2512
|
return false;
|
|
2335
2513
|
}
|
|
2336
2514
|
|
|
2337
|
-
// The cookie is no longer needed in memory.
|
|
2338
|
-
hs->cookie.Reset();
|
|
2339
2515
|
return true;
|
|
2340
2516
|
}
|
|
2341
2517
|
|
|
@@ -2345,16 +2521,19 @@ static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
2345
2521
|
// https://tools.ietf.org/html/rfc4492#section-5.1.1
|
|
2346
2522
|
// https://tools.ietf.org/html/rfc8446#section-4.2.7
|
|
2347
2523
|
|
|
2348
|
-
static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs,
|
|
2349
|
-
|
|
2524
|
+
static bool ext_supported_groups_add_clienthello(const SSL_HANDSHAKE *hs,
|
|
2525
|
+
CBB *out,
|
|
2526
|
+
CBB *out_compressible,
|
|
2527
|
+
ssl_client_hello_type_t type) {
|
|
2528
|
+
const SSL *const ssl = hs->ssl;
|
|
2350
2529
|
CBB contents, groups_bytes;
|
|
2351
|
-
if (!CBB_add_u16(
|
|
2352
|
-
!CBB_add_u16_length_prefixed(
|
|
2530
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_supported_groups) ||
|
|
2531
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
|
2353
2532
|
!CBB_add_u16_length_prefixed(&contents, &groups_bytes)) {
|
|
2354
2533
|
return false;
|
|
2355
2534
|
}
|
|
2356
2535
|
|
|
2357
|
-
// Add a fake group. See
|
|
2536
|
+
// Add a fake group. See RFC 8701.
|
|
2358
2537
|
if (ssl->ctx->grease_enabled &&
|
|
2359
2538
|
!CBB_add_u16(&groups_bytes,
|
|
2360
2539
|
ssl_get_grease_value(hs, ssl_grease_group))) {
|
|
@@ -2371,7 +2550,7 @@ static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
2371
2550
|
}
|
|
2372
2551
|
}
|
|
2373
2552
|
|
|
2374
|
-
return CBB_flush(
|
|
2553
|
+
return CBB_flush(out_compressible);
|
|
2375
2554
|
}
|
|
2376
2555
|
|
|
2377
2556
|
static bool ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
@@ -2423,213 +2602,172 @@ static bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
|
2423
2602
|
return true;
|
|
2424
2603
|
}
|
|
2425
2604
|
|
|
2426
|
-
// Token Binding
|
|
2427
|
-
//
|
|
2428
|
-
// https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-10
|
|
2429
|
-
|
|
2430
|
-
// The Token Binding version number currently matches the draft number of
|
|
2431
|
-
// draft-ietf-tokbind-protocol, and when published as an RFC it will be 0x0100.
|
|
2432
|
-
// Since there are no wire changes to the protocol from draft 13 through the
|
|
2433
|
-
// current draft (16), this implementation supports all versions in that range.
|
|
2434
|
-
static uint16_t kTokenBindingMaxVersion = 16;
|
|
2435
|
-
static uint16_t kTokenBindingMinVersion = 13;
|
|
2436
|
-
|
|
2437
|
-
static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2438
|
-
SSL *const ssl = hs->ssl;
|
|
2439
|
-
if (hs->config->token_binding_params.empty() || SSL_is_dtls(ssl)) {
|
|
2440
|
-
return true;
|
|
2441
|
-
}
|
|
2442
|
-
|
|
2443
|
-
CBB contents, params;
|
|
2444
|
-
if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
|
|
2445
|
-
!CBB_add_u16_length_prefixed(out, &contents) ||
|
|
2446
|
-
!CBB_add_u16(&contents, kTokenBindingMaxVersion) ||
|
|
2447
|
-
!CBB_add_u8_length_prefixed(&contents, ¶ms) ||
|
|
2448
|
-
!CBB_add_bytes(¶ms, hs->config->token_binding_params.data(),
|
|
2449
|
-
hs->config->token_binding_params.size()) ||
|
|
2450
|
-
!CBB_flush(out)) {
|
|
2451
|
-
return false;
|
|
2452
|
-
}
|
|
2453
|
-
|
|
2454
|
-
return true;
|
|
2455
|
-
}
|
|
2456
|
-
|
|
2457
|
-
static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
2458
|
-
uint8_t *out_alert,
|
|
2459
|
-
CBS *contents) {
|
|
2460
|
-
SSL *const ssl = hs->ssl;
|
|
2461
|
-
if (contents == nullptr) {
|
|
2462
|
-
return true;
|
|
2463
|
-
}
|
|
2464
|
-
|
|
2465
|
-
CBS params_list;
|
|
2466
|
-
uint16_t version;
|
|
2467
|
-
uint8_t param;
|
|
2468
|
-
if (!CBS_get_u16(contents, &version) ||
|
|
2469
|
-
!CBS_get_u8_length_prefixed(contents, ¶ms_list) ||
|
|
2470
|
-
!CBS_get_u8(¶ms_list, ¶m) ||
|
|
2471
|
-
CBS_len(¶ms_list) > 0 ||
|
|
2472
|
-
CBS_len(contents) > 0) {
|
|
2473
|
-
*out_alert = SSL_AD_DECODE_ERROR;
|
|
2474
|
-
return false;
|
|
2475
|
-
}
|
|
2476
|
-
|
|
2477
|
-
// The server-negotiated version must be less than or equal to our version.
|
|
2478
|
-
if (version > kTokenBindingMaxVersion) {
|
|
2479
|
-
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
|
2480
|
-
return false;
|
|
2481
|
-
}
|
|
2482
|
-
|
|
2483
|
-
// If the server-selected version is less than what we support, then Token
|
|
2484
|
-
// Binding wasn't negotiated (but the extension was parsed successfully).
|
|
2485
|
-
if (version < kTokenBindingMinVersion) {
|
|
2486
|
-
return true;
|
|
2487
|
-
}
|
|
2488
|
-
|
|
2489
|
-
for (uint8_t config_param : hs->config->token_binding_params) {
|
|
2490
|
-
if (param == config_param) {
|
|
2491
|
-
ssl->s3->negotiated_token_binding_param = param;
|
|
2492
|
-
ssl->s3->token_binding_negotiated = true;
|
|
2493
|
-
return true;
|
|
2494
|
-
}
|
|
2495
|
-
}
|
|
2496
|
-
|
|
2497
|
-
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
|
2498
|
-
return false;
|
|
2499
|
-
}
|
|
2500
2605
|
|
|
2501
|
-
//
|
|
2502
|
-
// |hs->ssl->token_binding_params| that is also in |params| and puts it in
|
|
2503
|
-
// |hs->ssl->negotiated_token_binding_param|. It returns true if a token binding
|
|
2504
|
-
// param is found, and false otherwise.
|
|
2505
|
-
static bool select_tb_param(SSL_HANDSHAKE *hs,
|
|
2506
|
-
Span<const uint8_t> peer_params) {
|
|
2507
|
-
for (uint8_t tb_param : hs->config->token_binding_params) {
|
|
2508
|
-
for (uint8_t peer_param : peer_params) {
|
|
2509
|
-
if (tb_param == peer_param) {
|
|
2510
|
-
hs->ssl->s3->negotiated_token_binding_param = tb_param;
|
|
2511
|
-
return true;
|
|
2512
|
-
}
|
|
2513
|
-
}
|
|
2514
|
-
}
|
|
2515
|
-
return false;
|
|
2516
|
-
}
|
|
2606
|
+
// QUIC Transport Parameters
|
|
2517
2607
|
|
|
2518
|
-
static bool
|
|
2519
|
-
|
|
2520
|
-
|
|
2521
|
-
SSL *const ssl = hs->ssl;
|
|
2522
|
-
if (contents == nullptr || hs->config->token_binding_params.empty()) {
|
|
2608
|
+
static bool ext_quic_transport_params_add_clienthello_impl(
|
|
2609
|
+
const SSL_HANDSHAKE *hs, CBB *out, bool use_legacy_codepoint) {
|
|
2610
|
+
if (hs->config->quic_transport_params.empty() && !hs->ssl->quic_method) {
|
|
2523
2611
|
return true;
|
|
2524
2612
|
}
|
|
2525
|
-
|
|
2526
|
-
|
|
2527
|
-
|
|
2528
|
-
|
|
2529
|
-
|
|
2530
|
-
CBS_len(¶ms) == 0 ||
|
|
2531
|
-
CBS_len(contents) > 0) {
|
|
2532
|
-
*out_alert = SSL_AD_DECODE_ERROR;
|
|
2613
|
+
if (hs->config->quic_transport_params.empty() || !hs->ssl->quic_method) {
|
|
2614
|
+
// QUIC Transport Parameters must be sent over QUIC, and they must not be
|
|
2615
|
+
// sent over non-QUIC transports. If transport params are set, then
|
|
2616
|
+
// SSL(_CTX)_set_quic_method must also be called.
|
|
2617
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
|
|
2533
2618
|
return false;
|
|
2534
2619
|
}
|
|
2535
|
-
|
|
2536
|
-
|
|
2537
|
-
|
|
2538
|
-
if (version < kTokenBindingMinVersion) {
|
|
2620
|
+
assert(hs->min_version > TLS1_2_VERSION);
|
|
2621
|
+
if (use_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
|
2622
|
+
// Do nothing, we'll send the other codepoint.
|
|
2539
2623
|
return true;
|
|
2540
2624
|
}
|
|
2541
2625
|
|
|
2542
|
-
|
|
2543
|
-
|
|
2544
|
-
|
|
2545
|
-
std::min(version, kTokenBindingMaxVersion);
|
|
2546
|
-
if (!select_tb_param(hs, params)) {
|
|
2547
|
-
return true;
|
|
2626
|
+
uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters;
|
|
2627
|
+
if (hs->config->quic_use_legacy_codepoint) {
|
|
2628
|
+
extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;
|
|
2548
2629
|
}
|
|
2549
2630
|
|
|
2550
|
-
|
|
2551
|
-
|
|
2552
|
-
}
|
|
2553
|
-
|
|
2554
|
-
static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2555
|
-
SSL *const ssl = hs->ssl;
|
|
2556
|
-
|
|
2557
|
-
if (!ssl->s3->token_binding_negotiated) {
|
|
2558
|
-
return true;
|
|
2559
|
-
}
|
|
2560
|
-
|
|
2561
|
-
CBB contents, params;
|
|
2562
|
-
if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
|
|
2631
|
+
CBB contents;
|
|
2632
|
+
if (!CBB_add_u16(out, extension_type) ||
|
|
2563
2633
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
|
2564
|
-
!
|
|
2565
|
-
|
|
2566
|
-
!CBB_add_u8(¶ms, ssl->s3->negotiated_token_binding_param) ||
|
|
2634
|
+
!CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
|
|
2635
|
+
hs->config->quic_transport_params.size()) ||
|
|
2567
2636
|
!CBB_flush(out)) {
|
|
2568
2637
|
return false;
|
|
2569
2638
|
}
|
|
2570
|
-
|
|
2571
2639
|
return true;
|
|
2572
2640
|
}
|
|
2573
2641
|
|
|
2574
|
-
|
|
2642
|
+
static bool ext_quic_transport_params_add_clienthello(
|
|
2643
|
+
const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,
|
|
2644
|
+
ssl_client_hello_type_t type) {
|
|
2645
|
+
return ext_quic_transport_params_add_clienthello_impl(
|
|
2646
|
+
hs, out_compressible, /*use_legacy_codepoint=*/false);
|
|
2647
|
+
}
|
|
2575
2648
|
|
|
2576
|
-
static bool
|
|
2577
|
-
|
|
2578
|
-
|
|
2579
|
-
|
|
2580
|
-
|
|
2581
|
-
|
|
2649
|
+
static bool ext_quic_transport_params_add_clienthello_legacy(
|
|
2650
|
+
const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,
|
|
2651
|
+
ssl_client_hello_type_t type) {
|
|
2652
|
+
return ext_quic_transport_params_add_clienthello_impl(
|
|
2653
|
+
hs, out_compressible, /*use_legacy_codepoint=*/true);
|
|
2654
|
+
}
|
|
2582
2655
|
|
|
2583
|
-
|
|
2584
|
-
|
|
2585
|
-
|
|
2586
|
-
|
|
2587
|
-
|
|
2588
|
-
|
|
2656
|
+
static bool ext_quic_transport_params_parse_serverhello_impl(
|
|
2657
|
+
SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents,
|
|
2658
|
+
bool used_legacy_codepoint) {
|
|
2659
|
+
SSL *const ssl = hs->ssl;
|
|
2660
|
+
if (contents == nullptr) {
|
|
2661
|
+
if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
|
2662
|
+
// Silently ignore because we expect the other QUIC codepoint.
|
|
2663
|
+
return true;
|
|
2664
|
+
}
|
|
2665
|
+
if (!ssl->quic_method) {
|
|
2666
|
+
return true;
|
|
2667
|
+
}
|
|
2668
|
+
*out_alert = SSL_AD_MISSING_EXTENSION;
|
|
2589
2669
|
return false;
|
|
2590
2670
|
}
|
|
2591
|
-
|
|
2671
|
+
// The extensions parser will check for unsolicited extensions before
|
|
2672
|
+
// calling the callback.
|
|
2673
|
+
assert(ssl->quic_method != nullptr);
|
|
2674
|
+
assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
|
|
2675
|
+
assert(used_legacy_codepoint == hs->config->quic_use_legacy_codepoint);
|
|
2676
|
+
return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
|
|
2592
2677
|
}
|
|
2593
2678
|
|
|
2594
2679
|
static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
2595
2680
|
uint8_t *out_alert,
|
|
2596
2681
|
CBS *contents) {
|
|
2682
|
+
return ext_quic_transport_params_parse_serverhello_impl(
|
|
2683
|
+
hs, out_alert, contents, /*used_legacy_codepoint=*/false);
|
|
2684
|
+
}
|
|
2685
|
+
|
|
2686
|
+
static bool ext_quic_transport_params_parse_serverhello_legacy(
|
|
2687
|
+
SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) {
|
|
2688
|
+
return ext_quic_transport_params_parse_serverhello_impl(
|
|
2689
|
+
hs, out_alert, contents, /*used_legacy_codepoint=*/true);
|
|
2690
|
+
}
|
|
2691
|
+
|
|
2692
|
+
static bool ext_quic_transport_params_parse_clienthello_impl(
|
|
2693
|
+
SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents,
|
|
2694
|
+
bool used_legacy_codepoint) {
|
|
2597
2695
|
SSL *const ssl = hs->ssl;
|
|
2598
|
-
if (contents
|
|
2599
|
-
|
|
2696
|
+
if (!contents) {
|
|
2697
|
+
if (!ssl->quic_method) {
|
|
2698
|
+
if (hs->config->quic_transport_params.empty()) {
|
|
2699
|
+
return true;
|
|
2700
|
+
}
|
|
2701
|
+
// QUIC transport parameters must not be set if |ssl| is not configured
|
|
2702
|
+
// for QUIC.
|
|
2703
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
|
|
2704
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
2705
|
+
return false;
|
|
2706
|
+
}
|
|
2707
|
+
if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
|
2708
|
+
// Silently ignore because we expect the other QUIC codepoint.
|
|
2709
|
+
return true;
|
|
2710
|
+
}
|
|
2711
|
+
*out_alert = SSL_AD_MISSING_EXTENSION;
|
|
2712
|
+
return false;
|
|
2600
2713
|
}
|
|
2601
|
-
|
|
2602
|
-
|
|
2714
|
+
if (!ssl->quic_method) {
|
|
2715
|
+
if (used_legacy_codepoint) {
|
|
2716
|
+
// Ignore the legacy private-use codepoint because that could be sent
|
|
2717
|
+
// to mean something else than QUIC transport parameters.
|
|
2718
|
+
return true;
|
|
2719
|
+
}
|
|
2720
|
+
// Fail if we received the codepoint registered with IANA for QUIC
|
|
2721
|
+
// because that is not allowed outside of QUIC.
|
|
2603
2722
|
*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
|
|
2604
2723
|
return false;
|
|
2605
2724
|
}
|
|
2606
|
-
|
|
2725
|
+
assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
|
|
2726
|
+
if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
|
2727
|
+
// Silently ignore because we expect the other QUIC codepoint.
|
|
2728
|
+
return true;
|
|
2729
|
+
}
|
|
2607
2730
|
return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
|
|
2608
2731
|
}
|
|
2609
2732
|
|
|
2610
2733
|
static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
2611
2734
|
uint8_t *out_alert,
|
|
2612
2735
|
CBS *contents) {
|
|
2613
|
-
|
|
2614
|
-
|
|
2615
|
-
|
|
2616
|
-
}
|
|
2617
|
-
// Ignore the extension before TLS 1.3.
|
|
2618
|
-
if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
|
|
2619
|
-
return true;
|
|
2620
|
-
}
|
|
2736
|
+
return ext_quic_transport_params_parse_clienthello_impl(
|
|
2737
|
+
hs, out_alert, contents, /*used_legacy_codepoint=*/false);
|
|
2738
|
+
}
|
|
2621
2739
|
|
|
2622
|
-
|
|
2740
|
+
static bool ext_quic_transport_params_parse_clienthello_legacy(
|
|
2741
|
+
SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) {
|
|
2742
|
+
return ext_quic_transport_params_parse_clienthello_impl(
|
|
2743
|
+
hs, out_alert, contents, /*used_legacy_codepoint=*/true);
|
|
2623
2744
|
}
|
|
2624
2745
|
|
|
2625
|
-
static bool
|
|
2626
|
-
|
|
2746
|
+
static bool ext_quic_transport_params_add_serverhello_impl(
|
|
2747
|
+
SSL_HANDSHAKE *hs, CBB *out, bool use_legacy_codepoint) {
|
|
2748
|
+
if (hs->ssl->quic_method == nullptr && use_legacy_codepoint) {
|
|
2749
|
+
// Ignore the legacy private-use codepoint because that could be sent
|
|
2750
|
+
// to mean something else than QUIC transport parameters.
|
|
2751
|
+
return true;
|
|
2752
|
+
}
|
|
2753
|
+
assert(hs->ssl->quic_method != nullptr);
|
|
2627
2754
|
if (hs->config->quic_transport_params.empty()) {
|
|
2755
|
+
// Transport parameters must be set when using QUIC.
|
|
2756
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
|
|
2757
|
+
return false;
|
|
2758
|
+
}
|
|
2759
|
+
if (use_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
|
2760
|
+
// Do nothing, we'll send the other codepoint.
|
|
2628
2761
|
return true;
|
|
2629
2762
|
}
|
|
2630
2763
|
|
|
2764
|
+
uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters;
|
|
2765
|
+
if (hs->config->quic_use_legacy_codepoint) {
|
|
2766
|
+
extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;
|
|
2767
|
+
}
|
|
2768
|
+
|
|
2631
2769
|
CBB contents;
|
|
2632
|
-
if (!CBB_add_u16(out,
|
|
2770
|
+
if (!CBB_add_u16(out, extension_type) ||
|
|
2633
2771
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
|
2634
2772
|
!CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
|
|
2635
2773
|
hs->config->quic_transport_params.size()) ||
|
|
@@ -2640,39 +2778,56 @@ static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
|
|
|
2640
2778
|
return true;
|
|
2641
2779
|
}
|
|
2642
2780
|
|
|
2781
|
+
static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
|
|
2782
|
+
CBB *out) {
|
|
2783
|
+
return ext_quic_transport_params_add_serverhello_impl(
|
|
2784
|
+
hs, out, /*use_legacy_codepoint=*/false);
|
|
2785
|
+
}
|
|
2786
|
+
|
|
2787
|
+
static bool ext_quic_transport_params_add_serverhello_legacy(SSL_HANDSHAKE *hs,
|
|
2788
|
+
CBB *out) {
|
|
2789
|
+
return ext_quic_transport_params_add_serverhello_impl(
|
|
2790
|
+
hs, out, /*use_legacy_codepoint=*/true);
|
|
2791
|
+
}
|
|
2792
|
+
|
|
2643
2793
|
// Delegated credentials.
|
|
2644
2794
|
//
|
|
2645
2795
|
// https://tools.ietf.org/html/draft-ietf-tls-subcerts
|
|
2646
2796
|
|
|
2647
|
-
static bool ext_delegated_credential_add_clienthello(
|
|
2648
|
-
|
|
2797
|
+
static bool ext_delegated_credential_add_clienthello(
|
|
2798
|
+
const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,
|
|
2799
|
+
ssl_client_hello_type_t type) {
|
|
2649
2800
|
return true;
|
|
2650
2801
|
}
|
|
2651
2802
|
|
|
2652
2803
|
static bool ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
2653
2804
|
uint8_t *out_alert,
|
|
2654
2805
|
CBS *contents) {
|
|
2655
|
-
assert(TLSEXT_TYPE_delegated_credential == 0xff02);
|
|
2656
|
-
// TODO: Check that the extension is empty.
|
|
2657
|
-
//
|
|
2658
|
-
// As of draft-03, the client sends an empty extension in order indicate
|
|
2659
|
-
// support for delegated credentials. This could change, however, since the
|
|
2660
|
-
// spec is not yet finalized. This assertion is here to remind us to enforce
|
|
2661
|
-
// this check once the extension ID is assigned.
|
|
2662
|
-
|
|
2663
2806
|
if (contents == nullptr || ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
|
|
2664
2807
|
// Don't use delegated credentials unless we're negotiating TLS 1.3 or
|
|
2665
2808
|
// higher.
|
|
2666
2809
|
return true;
|
|
2667
2810
|
}
|
|
2668
2811
|
|
|
2812
|
+
// The contents of the extension are the signature algorithms the client will
|
|
2813
|
+
// accept for a delegated credential.
|
|
2814
|
+
CBS sigalg_list;
|
|
2815
|
+
if (!CBS_get_u16_length_prefixed(contents, &sigalg_list) ||
|
|
2816
|
+
CBS_len(&sigalg_list) == 0 ||
|
|
2817
|
+
CBS_len(contents) != 0 ||
|
|
2818
|
+
!parse_u16_array(&sigalg_list, &hs->peer_delegated_credential_sigalgs)) {
|
|
2819
|
+
return false;
|
|
2820
|
+
}
|
|
2821
|
+
|
|
2669
2822
|
hs->delegated_credential_requested = true;
|
|
2670
2823
|
return true;
|
|
2671
2824
|
}
|
|
2672
2825
|
|
|
2673
2826
|
// Certificate compression
|
|
2674
2827
|
|
|
2675
|
-
static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
|
2828
|
+
static bool cert_compression_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
2829
|
+
CBB *out_compressible,
|
|
2830
|
+
ssl_client_hello_type_t type) {
|
|
2676
2831
|
bool first = true;
|
|
2677
2832
|
CBB contents, algs;
|
|
2678
2833
|
|
|
@@ -2681,9 +2836,10 @@ static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
2681
2836
|
continue;
|
|
2682
2837
|
}
|
|
2683
2838
|
|
|
2684
|
-
if (first &&
|
|
2685
|
-
|
|
2686
|
-
|
|
2839
|
+
if (first &&
|
|
2840
|
+
(!CBB_add_u16(out_compressible, TLSEXT_TYPE_cert_compression) ||
|
|
2841
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
|
2842
|
+
!CBB_add_u8_length_prefixed(&contents, &algs))) {
|
|
2687
2843
|
return false;
|
|
2688
2844
|
}
|
|
2689
2845
|
first = false;
|
|
@@ -2692,7 +2848,7 @@ static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
2692
2848
|
}
|
|
2693
2849
|
}
|
|
2694
2850
|
|
|
2695
|
-
return first || CBB_flush(
|
|
2851
|
+
return first || CBB_flush(out_compressible);
|
|
2696
2852
|
}
|
|
2697
2853
|
|
|
2698
2854
|
static bool cert_compression_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
@@ -2774,20 +2930,177 @@ static bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
2774
2930
|
return true;
|
|
2775
2931
|
}
|
|
2776
2932
|
|
|
2933
|
+
// Application-level Protocol Settings
|
|
2934
|
+
//
|
|
2935
|
+
// https://tools.ietf.org/html/draft-vvv-tls-alps-01
|
|
2936
|
+
|
|
2937
|
+
bool ssl_get_local_application_settings(const SSL_HANDSHAKE *hs,
|
|
2938
|
+
Span<const uint8_t> *out_settings,
|
|
2939
|
+
Span<const uint8_t> protocol) {
|
|
2940
|
+
for (const ALPSConfig &config : hs->config->alps_configs) {
|
|
2941
|
+
if (protocol == config.protocol) {
|
|
2942
|
+
*out_settings = config.settings;
|
|
2943
|
+
return true;
|
|
2944
|
+
}
|
|
2945
|
+
}
|
|
2946
|
+
return false;
|
|
2947
|
+
}
|
|
2948
|
+
|
|
2949
|
+
static bool ext_alps_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
2950
|
+
CBB *out_compressible,
|
|
2951
|
+
ssl_client_hello_type_t type) {
|
|
2952
|
+
const SSL *const ssl = hs->ssl;
|
|
2953
|
+
if (// ALPS requires TLS 1.3.
|
|
2954
|
+
hs->max_version < TLS1_3_VERSION ||
|
|
2955
|
+
// Do not offer ALPS without ALPN.
|
|
2956
|
+
hs->config->alpn_client_proto_list.empty() ||
|
|
2957
|
+
// Do not offer ALPS if not configured.
|
|
2958
|
+
hs->config->alps_configs.empty() ||
|
|
2959
|
+
// Do not offer ALPS on renegotiation handshakes.
|
|
2960
|
+
ssl->s3->initial_handshake_complete) {
|
|
2961
|
+
return true;
|
|
2962
|
+
}
|
|
2963
|
+
|
|
2964
|
+
CBB contents, proto_list, proto;
|
|
2965
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_application_settings) ||
|
|
2966
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
|
2967
|
+
!CBB_add_u16_length_prefixed(&contents, &proto_list)) {
|
|
2968
|
+
return false;
|
|
2969
|
+
}
|
|
2970
|
+
|
|
2971
|
+
for (const ALPSConfig &config : hs->config->alps_configs) {
|
|
2972
|
+
if (!CBB_add_u8_length_prefixed(&proto_list, &proto) ||
|
|
2973
|
+
!CBB_add_bytes(&proto, config.protocol.data(),
|
|
2974
|
+
config.protocol.size())) {
|
|
2975
|
+
return false;
|
|
2976
|
+
}
|
|
2977
|
+
}
|
|
2978
|
+
|
|
2979
|
+
return CBB_flush(out_compressible);
|
|
2980
|
+
}
|
|
2981
|
+
|
|
2982
|
+
static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
2983
|
+
CBS *contents) {
|
|
2984
|
+
SSL *const ssl = hs->ssl;
|
|
2985
|
+
if (contents == nullptr) {
|
|
2986
|
+
return true;
|
|
2987
|
+
}
|
|
2988
|
+
|
|
2989
|
+
assert(!ssl->s3->initial_handshake_complete);
|
|
2990
|
+
assert(!hs->config->alpn_client_proto_list.empty());
|
|
2991
|
+
assert(!hs->config->alps_configs.empty());
|
|
2992
|
+
|
|
2993
|
+
// ALPS requires TLS 1.3.
|
|
2994
|
+
if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
|
|
2995
|
+
*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
|
|
2996
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
|
2997
|
+
return false;
|
|
2998
|
+
}
|
|
2999
|
+
|
|
3000
|
+
// Note extension callbacks may run in any order, so we defer checking
|
|
3001
|
+
// consistency with ALPN to |ssl_check_serverhello_tlsext|.
|
|
3002
|
+
if (!hs->new_session->peer_application_settings.CopyFrom(*contents)) {
|
|
3003
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
3004
|
+
return false;
|
|
3005
|
+
}
|
|
3006
|
+
|
|
3007
|
+
hs->new_session->has_application_settings = true;
|
|
3008
|
+
return true;
|
|
3009
|
+
}
|
|
3010
|
+
|
|
3011
|
+
static bool ext_alps_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
3012
|
+
SSL *const ssl = hs->ssl;
|
|
3013
|
+
// If early data is accepted, we omit the ALPS extension. It is implicitly
|
|
3014
|
+
// carried over from the previous connection.
|
|
3015
|
+
if (hs->new_session == nullptr ||
|
|
3016
|
+
!hs->new_session->has_application_settings ||
|
|
3017
|
+
ssl->s3->early_data_accepted) {
|
|
3018
|
+
return true;
|
|
3019
|
+
}
|
|
3020
|
+
|
|
3021
|
+
CBB contents;
|
|
3022
|
+
if (!CBB_add_u16(out, TLSEXT_TYPE_application_settings) ||
|
|
3023
|
+
!CBB_add_u16_length_prefixed(out, &contents) ||
|
|
3024
|
+
!CBB_add_bytes(&contents,
|
|
3025
|
+
hs->new_session->local_application_settings.data(),
|
|
3026
|
+
hs->new_session->local_application_settings.size()) ||
|
|
3027
|
+
!CBB_flush(out)) {
|
|
3028
|
+
return false;
|
|
3029
|
+
}
|
|
3030
|
+
|
|
3031
|
+
return true;
|
|
3032
|
+
}
|
|
3033
|
+
|
|
3034
|
+
bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
3035
|
+
const SSL_CLIENT_HELLO *client_hello) {
|
|
3036
|
+
SSL *const ssl = hs->ssl;
|
|
3037
|
+
if (ssl->s3->alpn_selected.empty()) {
|
|
3038
|
+
return true;
|
|
3039
|
+
}
|
|
3040
|
+
|
|
3041
|
+
// If we negotiate ALPN over TLS 1.3, try to negotiate ALPS.
|
|
3042
|
+
CBS alps_contents;
|
|
3043
|
+
Span<const uint8_t> settings;
|
|
3044
|
+
if (ssl_protocol_version(ssl) >= TLS1_3_VERSION &&
|
|
3045
|
+
ssl_get_local_application_settings(hs, &settings,
|
|
3046
|
+
ssl->s3->alpn_selected) &&
|
|
3047
|
+
ssl_client_hello_get_extension(client_hello, &alps_contents,
|
|
3048
|
+
TLSEXT_TYPE_application_settings)) {
|
|
3049
|
+
// Check if the client supports ALPS with the selected ALPN.
|
|
3050
|
+
bool found = false;
|
|
3051
|
+
CBS alps_list;
|
|
3052
|
+
if (!CBS_get_u16_length_prefixed(&alps_contents, &alps_list) ||
|
|
3053
|
+
CBS_len(&alps_contents) != 0 ||
|
|
3054
|
+
CBS_len(&alps_list) == 0) {
|
|
3055
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
3056
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
|
3057
|
+
return false;
|
|
3058
|
+
}
|
|
3059
|
+
while (CBS_len(&alps_list) > 0) {
|
|
3060
|
+
CBS protocol_name;
|
|
3061
|
+
if (!CBS_get_u8_length_prefixed(&alps_list, &protocol_name) ||
|
|
3062
|
+
// Empty protocol names are forbidden.
|
|
3063
|
+
CBS_len(&protocol_name) == 0) {
|
|
3064
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
3065
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
|
3066
|
+
return false;
|
|
3067
|
+
}
|
|
3068
|
+
if (protocol_name == MakeConstSpan(ssl->s3->alpn_selected)) {
|
|
3069
|
+
found = true;
|
|
3070
|
+
}
|
|
3071
|
+
}
|
|
3072
|
+
|
|
3073
|
+
// Negotiate ALPS if both client also supports ALPS for this protocol.
|
|
3074
|
+
if (found) {
|
|
3075
|
+
hs->new_session->has_application_settings = true;
|
|
3076
|
+
if (!hs->new_session->local_application_settings.CopyFrom(settings)) {
|
|
3077
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
3078
|
+
return false;
|
|
3079
|
+
}
|
|
3080
|
+
}
|
|
3081
|
+
}
|
|
3082
|
+
|
|
3083
|
+
return true;
|
|
3084
|
+
}
|
|
2777
3085
|
|
|
2778
3086
|
// kExtensions contains all the supported extensions.
|
|
2779
3087
|
static const struct tls_extension kExtensions[] = {
|
|
2780
3088
|
{
|
|
2781
3089
|
TLSEXT_TYPE_server_name,
|
|
2782
|
-
NULL,
|
|
2783
3090
|
ext_sni_add_clienthello,
|
|
2784
3091
|
ext_sni_parse_serverhello,
|
|
2785
3092
|
ext_sni_parse_clienthello,
|
|
2786
3093
|
ext_sni_add_serverhello,
|
|
2787
3094
|
},
|
|
3095
|
+
{
|
|
3096
|
+
TLSEXT_TYPE_encrypted_client_hello,
|
|
3097
|
+
ext_ech_add_clienthello,
|
|
3098
|
+
ext_ech_parse_serverhello,
|
|
3099
|
+
ext_ech_parse_clienthello,
|
|
3100
|
+
ext_ech_add_serverhello,
|
|
3101
|
+
},
|
|
2788
3102
|
{
|
|
2789
3103
|
TLSEXT_TYPE_extended_master_secret,
|
|
2790
|
-
NULL,
|
|
2791
3104
|
ext_ems_add_clienthello,
|
|
2792
3105
|
ext_ems_parse_serverhello,
|
|
2793
3106
|
ext_ems_parse_clienthello,
|
|
@@ -2795,7 +3108,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2795
3108
|
},
|
|
2796
3109
|
{
|
|
2797
3110
|
TLSEXT_TYPE_renegotiate,
|
|
2798
|
-
NULL,
|
|
2799
3111
|
ext_ri_add_clienthello,
|
|
2800
3112
|
ext_ri_parse_serverhello,
|
|
2801
3113
|
ext_ri_parse_clienthello,
|
|
@@ -2803,7 +3115,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2803
3115
|
},
|
|
2804
3116
|
{
|
|
2805
3117
|
TLSEXT_TYPE_supported_groups,
|
|
2806
|
-
NULL,
|
|
2807
3118
|
ext_supported_groups_add_clienthello,
|
|
2808
3119
|
ext_supported_groups_parse_serverhello,
|
|
2809
3120
|
ext_supported_groups_parse_clienthello,
|
|
@@ -2811,7 +3122,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2811
3122
|
},
|
|
2812
3123
|
{
|
|
2813
3124
|
TLSEXT_TYPE_ec_point_formats,
|
|
2814
|
-
NULL,
|
|
2815
3125
|
ext_ec_point_add_clienthello,
|
|
2816
3126
|
ext_ec_point_parse_serverhello,
|
|
2817
3127
|
ext_ec_point_parse_clienthello,
|
|
@@ -2819,7 +3129,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2819
3129
|
},
|
|
2820
3130
|
{
|
|
2821
3131
|
TLSEXT_TYPE_session_ticket,
|
|
2822
|
-
NULL,
|
|
2823
3132
|
ext_ticket_add_clienthello,
|
|
2824
3133
|
ext_ticket_parse_serverhello,
|
|
2825
3134
|
// Ticket extension client parsing is handled in ssl_session.c
|
|
@@ -2828,7 +3137,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2828
3137
|
},
|
|
2829
3138
|
{
|
|
2830
3139
|
TLSEXT_TYPE_application_layer_protocol_negotiation,
|
|
2831
|
-
NULL,
|
|
2832
3140
|
ext_alpn_add_clienthello,
|
|
2833
3141
|
ext_alpn_parse_serverhello,
|
|
2834
3142
|
// ALPN is negotiated late in |ssl_negotiate_alpn|.
|
|
@@ -2837,7 +3145,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2837
3145
|
},
|
|
2838
3146
|
{
|
|
2839
3147
|
TLSEXT_TYPE_status_request,
|
|
2840
|
-
NULL,
|
|
2841
3148
|
ext_ocsp_add_clienthello,
|
|
2842
3149
|
ext_ocsp_parse_serverhello,
|
|
2843
3150
|
ext_ocsp_parse_clienthello,
|
|
@@ -2845,7 +3152,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2845
3152
|
},
|
|
2846
3153
|
{
|
|
2847
3154
|
TLSEXT_TYPE_signature_algorithms,
|
|
2848
|
-
NULL,
|
|
2849
3155
|
ext_sigalgs_add_clienthello,
|
|
2850
3156
|
forbid_parse_serverhello,
|
|
2851
3157
|
ext_sigalgs_parse_clienthello,
|
|
@@ -2853,7 +3159,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2853
3159
|
},
|
|
2854
3160
|
{
|
|
2855
3161
|
TLSEXT_TYPE_next_proto_neg,
|
|
2856
|
-
NULL,
|
|
2857
3162
|
ext_npn_add_clienthello,
|
|
2858
3163
|
ext_npn_parse_serverhello,
|
|
2859
3164
|
ext_npn_parse_clienthello,
|
|
@@ -2861,7 +3166,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2861
3166
|
},
|
|
2862
3167
|
{
|
|
2863
3168
|
TLSEXT_TYPE_certificate_timestamp,
|
|
2864
|
-
NULL,
|
|
2865
3169
|
ext_sct_add_clienthello,
|
|
2866
3170
|
ext_sct_parse_serverhello,
|
|
2867
3171
|
ext_sct_parse_clienthello,
|
|
@@ -2869,7 +3173,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2869
3173
|
},
|
|
2870
3174
|
{
|
|
2871
3175
|
TLSEXT_TYPE_channel_id,
|
|
2872
|
-
ext_channel_id_init,
|
|
2873
3176
|
ext_channel_id_add_clienthello,
|
|
2874
3177
|
ext_channel_id_parse_serverhello,
|
|
2875
3178
|
ext_channel_id_parse_clienthello,
|
|
@@ -2877,7 +3180,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2877
3180
|
},
|
|
2878
3181
|
{
|
|
2879
3182
|
TLSEXT_TYPE_srtp,
|
|
2880
|
-
ext_srtp_init,
|
|
2881
3183
|
ext_srtp_add_clienthello,
|
|
2882
3184
|
ext_srtp_parse_serverhello,
|
|
2883
3185
|
ext_srtp_parse_clienthello,
|
|
@@ -2885,7 +3187,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2885
3187
|
},
|
|
2886
3188
|
{
|
|
2887
3189
|
TLSEXT_TYPE_key_share,
|
|
2888
|
-
NULL,
|
|
2889
3190
|
ext_key_share_add_clienthello,
|
|
2890
3191
|
forbid_parse_serverhello,
|
|
2891
3192
|
ignore_parse_clienthello,
|
|
@@ -2893,7 +3194,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2893
3194
|
},
|
|
2894
3195
|
{
|
|
2895
3196
|
TLSEXT_TYPE_psk_key_exchange_modes,
|
|
2896
|
-
NULL,
|
|
2897
3197
|
ext_psk_key_exchange_modes_add_clienthello,
|
|
2898
3198
|
forbid_parse_serverhello,
|
|
2899
3199
|
ext_psk_key_exchange_modes_parse_clienthello,
|
|
@@ -2901,7 +3201,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2901
3201
|
},
|
|
2902
3202
|
{
|
|
2903
3203
|
TLSEXT_TYPE_early_data,
|
|
2904
|
-
NULL,
|
|
2905
3204
|
ext_early_data_add_clienthello,
|
|
2906
3205
|
ext_early_data_parse_serverhello,
|
|
2907
3206
|
ext_early_data_parse_clienthello,
|
|
@@ -2909,7 +3208,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2909
3208
|
},
|
|
2910
3209
|
{
|
|
2911
3210
|
TLSEXT_TYPE_supported_versions,
|
|
2912
|
-
NULL,
|
|
2913
3211
|
ext_supported_versions_add_clienthello,
|
|
2914
3212
|
forbid_parse_serverhello,
|
|
2915
3213
|
ignore_parse_clienthello,
|
|
@@ -2917,7 +3215,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2917
3215
|
},
|
|
2918
3216
|
{
|
|
2919
3217
|
TLSEXT_TYPE_cookie,
|
|
2920
|
-
NULL,
|
|
2921
3218
|
ext_cookie_add_clienthello,
|
|
2922
3219
|
forbid_parse_serverhello,
|
|
2923
3220
|
ignore_parse_clienthello,
|
|
@@ -2925,23 +3222,20 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2925
3222
|
},
|
|
2926
3223
|
{
|
|
2927
3224
|
TLSEXT_TYPE_quic_transport_parameters,
|
|
2928
|
-
NULL,
|
|
2929
3225
|
ext_quic_transport_params_add_clienthello,
|
|
2930
3226
|
ext_quic_transport_params_parse_serverhello,
|
|
2931
3227
|
ext_quic_transport_params_parse_clienthello,
|
|
2932
3228
|
ext_quic_transport_params_add_serverhello,
|
|
2933
3229
|
},
|
|
2934
3230
|
{
|
|
2935
|
-
|
|
2936
|
-
|
|
2937
|
-
|
|
2938
|
-
|
|
2939
|
-
|
|
2940
|
-
ext_token_binding_add_serverhello,
|
|
3231
|
+
TLSEXT_TYPE_quic_transport_parameters_legacy,
|
|
3232
|
+
ext_quic_transport_params_add_clienthello_legacy,
|
|
3233
|
+
ext_quic_transport_params_parse_serverhello_legacy,
|
|
3234
|
+
ext_quic_transport_params_parse_clienthello_legacy,
|
|
3235
|
+
ext_quic_transport_params_add_serverhello_legacy,
|
|
2941
3236
|
},
|
|
2942
3237
|
{
|
|
2943
3238
|
TLSEXT_TYPE_cert_compression,
|
|
2944
|
-
NULL,
|
|
2945
3239
|
cert_compression_add_clienthello,
|
|
2946
3240
|
cert_compression_parse_serverhello,
|
|
2947
3241
|
cert_compression_parse_clienthello,
|
|
@@ -2949,12 +3243,19 @@ static const struct tls_extension kExtensions[] = {
|
|
|
2949
3243
|
},
|
|
2950
3244
|
{
|
|
2951
3245
|
TLSEXT_TYPE_delegated_credential,
|
|
2952
|
-
NULL,
|
|
2953
3246
|
ext_delegated_credential_add_clienthello,
|
|
2954
3247
|
forbid_parse_serverhello,
|
|
2955
3248
|
ext_delegated_credential_parse_clienthello,
|
|
2956
3249
|
dont_add_serverhello,
|
|
2957
3250
|
},
|
|
3251
|
+
{
|
|
3252
|
+
TLSEXT_TYPE_application_settings,
|
|
3253
|
+
ext_alps_add_clienthello,
|
|
3254
|
+
ext_alps_parse_serverhello,
|
|
3255
|
+
// ALPS is negotiated late in |ssl_negotiate_alpn|.
|
|
3256
|
+
ignore_parse_clienthello,
|
|
3257
|
+
ext_alps_add_serverhello,
|
|
3258
|
+
},
|
|
2958
3259
|
};
|
|
2959
3260
|
|
|
2960
3261
|
#define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
|
|
@@ -2966,6 +3267,30 @@ static_assert(kNumExtensions <=
|
|
|
2966
3267
|
sizeof(((SSL_HANDSHAKE *)NULL)->extensions.received) * 8,
|
|
2967
3268
|
"too many extensions for received bitset");
|
|
2968
3269
|
|
|
3270
|
+
bool ssl_setup_extension_permutation(SSL_HANDSHAKE *hs) {
|
|
3271
|
+
if (!hs->config->permute_extensions) {
|
|
3272
|
+
return true;
|
|
3273
|
+
}
|
|
3274
|
+
|
|
3275
|
+
static_assert(kNumExtensions <= UINT8_MAX,
|
|
3276
|
+
"extensions_permutation type is too small");
|
|
3277
|
+
uint32_t seeds[kNumExtensions - 1];
|
|
3278
|
+
Array<uint8_t> permutation;
|
|
3279
|
+
if (!RAND_bytes(reinterpret_cast<uint8_t *>(seeds), sizeof(seeds)) ||
|
|
3280
|
+
!permutation.Init(kNumExtensions)) {
|
|
3281
|
+
return false;
|
|
3282
|
+
}
|
|
3283
|
+
for (size_t i = 0; i < kNumExtensions; i++) {
|
|
3284
|
+
permutation[i] = i;
|
|
3285
|
+
}
|
|
3286
|
+
for (size_t i = kNumExtensions - 1; i > 0; i--) {
|
|
3287
|
+
// Set element |i| to a randomly-selected element 0 <= j <= i.
|
|
3288
|
+
std::swap(permutation[i], permutation[seeds[i - 1] % (i + 1)]);
|
|
3289
|
+
}
|
|
3290
|
+
hs->extension_permutation = std::move(permutation);
|
|
3291
|
+
return true;
|
|
3292
|
+
}
|
|
3293
|
+
|
|
2969
3294
|
static const struct tls_extension *tls_extension_find(uint32_t *out_index,
|
|
2970
3295
|
uint16_t value) {
|
|
2971
3296
|
unsigned i;
|
|
@@ -2979,8 +3304,137 @@ static const struct tls_extension *tls_extension_find(uint32_t *out_index,
|
|
|
2979
3304
|
return NULL;
|
|
2980
3305
|
}
|
|
2981
3306
|
|
|
2982
|
-
bool
|
|
3307
|
+
static bool add_padding_extension(CBB *cbb, uint16_t ext, size_t len) {
|
|
3308
|
+
CBB child;
|
|
3309
|
+
if (!CBB_add_u16(cbb, ext) || //
|
|
3310
|
+
!CBB_add_u16_length_prefixed(cbb, &child) ||
|
|
3311
|
+
!CBB_add_zeros(&child, len)) {
|
|
3312
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
3313
|
+
return false;
|
|
3314
|
+
}
|
|
3315
|
+
return CBB_flush(cbb);
|
|
3316
|
+
}
|
|
3317
|
+
|
|
3318
|
+
static bool ssl_add_clienthello_tlsext_inner(SSL_HANDSHAKE *hs, CBB *out,
|
|
3319
|
+
CBB *out_encoded,
|
|
3320
|
+
bool *out_needs_psk_binder) {
|
|
3321
|
+
// When writing ClientHelloInner, we construct the real and encoded
|
|
3322
|
+
// ClientHellos concurrently, to handle compression. Uncompressed extensions
|
|
3323
|
+
// are written to |extensions| and copied to |extensions_encoded|. Compressed
|
|
3324
|
+
// extensions are buffered in |compressed| and written to the end. (ECH can
|
|
3325
|
+
// only compress continguous extensions.)
|
|
3326
|
+
SSL *const ssl = hs->ssl;
|
|
3327
|
+
bssl::ScopedCBB compressed, outer_extensions;
|
|
3328
|
+
CBB extensions, extensions_encoded;
|
|
3329
|
+
if (!CBB_add_u16_length_prefixed(out, &extensions) ||
|
|
3330
|
+
!CBB_add_u16_length_prefixed(out_encoded, &extensions_encoded) ||
|
|
3331
|
+
!CBB_init(compressed.get(), 64) ||
|
|
3332
|
+
!CBB_init(outer_extensions.get(), 64)) {
|
|
3333
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
3334
|
+
return false;
|
|
3335
|
+
}
|
|
3336
|
+
|
|
3337
|
+
hs->inner_extensions_sent = 0;
|
|
3338
|
+
|
|
3339
|
+
if (ssl->ctx->grease_enabled) {
|
|
3340
|
+
// Add a fake empty extension. See RFC 8701. This always matches
|
|
3341
|
+
// |ssl_add_clienthello_tlsext|, so compress it.
|
|
3342
|
+
uint16_t grease_ext = ssl_get_grease_value(hs, ssl_grease_extension1);
|
|
3343
|
+
if (!add_padding_extension(compressed.get(), grease_ext, 0) ||
|
|
3344
|
+
!CBB_add_u16(outer_extensions.get(), grease_ext)) {
|
|
3345
|
+
return false;
|
|
3346
|
+
}
|
|
3347
|
+
}
|
|
3348
|
+
|
|
3349
|
+
for (size_t unpermuted = 0; unpermuted < kNumExtensions; unpermuted++) {
|
|
3350
|
+
size_t i = hs->extension_permutation.empty()
|
|
3351
|
+
? unpermuted
|
|
3352
|
+
: hs->extension_permutation[unpermuted];
|
|
3353
|
+
const size_t len_before = CBB_len(&extensions);
|
|
3354
|
+
const size_t len_compressed_before = CBB_len(compressed.get());
|
|
3355
|
+
if (!kExtensions[i].add_clienthello(hs, &extensions, compressed.get(),
|
|
3356
|
+
ssl_client_hello_inner)) {
|
|
3357
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
|
|
3358
|
+
ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
|
|
3359
|
+
return false;
|
|
3360
|
+
}
|
|
3361
|
+
|
|
3362
|
+
const size_t bytes_written = CBB_len(&extensions) - len_before;
|
|
3363
|
+
const size_t bytes_written_compressed =
|
|
3364
|
+
CBB_len(compressed.get()) - len_compressed_before;
|
|
3365
|
+
// The callback may write to at most one output.
|
|
3366
|
+
assert(bytes_written == 0 || bytes_written_compressed == 0);
|
|
3367
|
+
if (bytes_written != 0 || bytes_written_compressed != 0) {
|
|
3368
|
+
hs->inner_extensions_sent |= (1u << i);
|
|
3369
|
+
}
|
|
3370
|
+
// If compressed, update the running ech_outer_extensions extension.
|
|
3371
|
+
if (bytes_written_compressed != 0 &&
|
|
3372
|
+
!CBB_add_u16(outer_extensions.get(), kExtensions[i].value)) {
|
|
3373
|
+
return false;
|
|
3374
|
+
}
|
|
3375
|
+
}
|
|
3376
|
+
|
|
3377
|
+
if (ssl->ctx->grease_enabled) {
|
|
3378
|
+
// Add a fake non-empty extension. See RFC 8701. This always matches
|
|
3379
|
+
// |ssl_add_clienthello_tlsext|, so compress it.
|
|
3380
|
+
uint16_t grease_ext = ssl_get_grease_value(hs, ssl_grease_extension2);
|
|
3381
|
+
if (!add_padding_extension(compressed.get(), grease_ext, 1) ||
|
|
3382
|
+
!CBB_add_u16(outer_extensions.get(), grease_ext)) {
|
|
3383
|
+
return false;
|
|
3384
|
+
}
|
|
3385
|
+
}
|
|
3386
|
+
|
|
3387
|
+
// Uncompressed extensions are encoded as-is.
|
|
3388
|
+
if (!CBB_add_bytes(&extensions_encoded, CBB_data(&extensions),
|
|
3389
|
+
CBB_len(&extensions))) {
|
|
3390
|
+
return false;
|
|
3391
|
+
}
|
|
3392
|
+
|
|
3393
|
+
// Flush all the compressed extensions.
|
|
3394
|
+
if (CBB_len(compressed.get()) != 0) {
|
|
3395
|
+
CBB extension, child;
|
|
3396
|
+
// Copy them as-is in the real ClientHelloInner.
|
|
3397
|
+
if (!CBB_add_bytes(&extensions, CBB_data(compressed.get()),
|
|
3398
|
+
CBB_len(compressed.get())) ||
|
|
3399
|
+
// Replace with ech_outer_extensions in the encoded form.
|
|
3400
|
+
!CBB_add_u16(&extensions_encoded, TLSEXT_TYPE_ech_outer_extensions) ||
|
|
3401
|
+
!CBB_add_u16_length_prefixed(&extensions_encoded, &extension) ||
|
|
3402
|
+
!CBB_add_u8_length_prefixed(&extension, &child) ||
|
|
3403
|
+
!CBB_add_bytes(&child, CBB_data(outer_extensions.get()),
|
|
3404
|
+
CBB_len(outer_extensions.get())) ||
|
|
3405
|
+
!CBB_flush(&extensions_encoded)) {
|
|
3406
|
+
return false;
|
|
3407
|
+
}
|
|
3408
|
+
}
|
|
3409
|
+
|
|
3410
|
+
// The PSK extension must be last. It is never compressed. Note, if there is a
|
|
3411
|
+
// binder, the caller will need to update both ClientHelloInner and
|
|
3412
|
+
// EncodedClientHelloInner after computing it.
|
|
3413
|
+
const size_t len_before = CBB_len(&extensions);
|
|
3414
|
+
if (!ext_pre_shared_key_add_clienthello(hs, &extensions, out_needs_psk_binder,
|
|
3415
|
+
ssl_client_hello_inner) ||
|
|
3416
|
+
!CBB_add_bytes(&extensions_encoded, CBB_data(&extensions) + len_before,
|
|
3417
|
+
CBB_len(&extensions) - len_before) ||
|
|
3418
|
+
!CBB_flush(out) || //
|
|
3419
|
+
!CBB_flush(out_encoded)) {
|
|
3420
|
+
return false;
|
|
3421
|
+
}
|
|
3422
|
+
|
|
3423
|
+
return true;
|
|
3424
|
+
}
|
|
3425
|
+
|
|
3426
|
+
bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, CBB *out_encoded,
|
|
3427
|
+
bool *out_needs_psk_binder,
|
|
3428
|
+
ssl_client_hello_type_t type,
|
|
2983
3429
|
size_t header_len) {
|
|
3430
|
+
*out_needs_psk_binder = false;
|
|
3431
|
+
|
|
3432
|
+
if (type == ssl_client_hello_inner) {
|
|
3433
|
+
return ssl_add_clienthello_tlsext_inner(hs, out, out_encoded,
|
|
3434
|
+
out_needs_psk_binder);
|
|
3435
|
+
}
|
|
3436
|
+
|
|
3437
|
+
assert(out_encoded == nullptr); // Only ClientHelloInner needs two outputs.
|
|
2984
3438
|
SSL *const ssl = hs->ssl;
|
|
2985
3439
|
CBB extensions;
|
|
2986
3440
|
if (!CBB_add_u16_length_prefixed(out, &extensions)) {
|
|
@@ -2993,27 +3447,20 @@ bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out,
|
|
|
2993
3447
|
// important to reset this value.
|
|
2994
3448
|
hs->extensions.sent = 0;
|
|
2995
3449
|
|
|
2996
|
-
|
|
2997
|
-
|
|
2998
|
-
|
|
2999
|
-
|
|
3000
|
-
|
|
3001
|
-
|
|
3002
|
-
uint16_t grease_ext1 = 0;
|
|
3003
|
-
if (ssl->ctx->grease_enabled) {
|
|
3004
|
-
// Add a fake empty extension. See draft-davidben-tls-grease-01.
|
|
3005
|
-
grease_ext1 = ssl_get_grease_value(hs, ssl_grease_extension1);
|
|
3006
|
-
if (!CBB_add_u16(&extensions, grease_ext1) ||
|
|
3007
|
-
!CBB_add_u16(&extensions, 0 /* zero length */)) {
|
|
3008
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
3009
|
-
return false;
|
|
3010
|
-
}
|
|
3450
|
+
// Add a fake empty extension. See RFC 8701.
|
|
3451
|
+
if (ssl->ctx->grease_enabled &&
|
|
3452
|
+
!add_padding_extension(
|
|
3453
|
+
&extensions, ssl_get_grease_value(hs, ssl_grease_extension1), 0)) {
|
|
3454
|
+
return false;
|
|
3011
3455
|
}
|
|
3012
3456
|
|
|
3013
3457
|
bool last_was_empty = false;
|
|
3014
|
-
for (size_t
|
|
3458
|
+
for (size_t unpermuted = 0; unpermuted < kNumExtensions; unpermuted++) {
|
|
3459
|
+
size_t i = hs->extension_permutation.empty()
|
|
3460
|
+
? unpermuted
|
|
3461
|
+
: hs->extension_permutation[unpermuted];
|
|
3015
3462
|
const size_t len_before = CBB_len(&extensions);
|
|
3016
|
-
if (!kExtensions[i].add_clienthello(hs, &extensions)) {
|
|
3463
|
+
if (!kExtensions[i].add_clienthello(hs, &extensions, &extensions, type)) {
|
|
3017
3464
|
OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
|
|
3018
3465
|
ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
|
|
3019
3466
|
return false;
|
|
@@ -3029,29 +3476,22 @@ bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out,
|
|
|
3029
3476
|
}
|
|
3030
3477
|
|
|
3031
3478
|
if (ssl->ctx->grease_enabled) {
|
|
3032
|
-
// Add a fake non-empty extension. See
|
|
3033
|
-
|
|
3034
|
-
|
|
3035
|
-
// The two fake extensions must not have the same value. GREASE values are
|
|
3036
|
-
// of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
|
|
3037
|
-
// one.
|
|
3038
|
-
if (grease_ext1 == grease_ext2) {
|
|
3039
|
-
grease_ext2 ^= 0x1010;
|
|
3040
|
-
}
|
|
3041
|
-
|
|
3042
|
-
if (!CBB_add_u16(&extensions, grease_ext2) ||
|
|
3043
|
-
!CBB_add_u16(&extensions, 1 /* one byte length */) ||
|
|
3044
|
-
!CBB_add_u8(&extensions, 0 /* single zero byte as contents */)) {
|
|
3045
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
3479
|
+
// Add a fake non-empty extension. See RFC 8701.
|
|
3480
|
+
if (!add_padding_extension(
|
|
3481
|
+
&extensions, ssl_get_grease_value(hs, ssl_grease_extension2), 1)) {
|
|
3046
3482
|
return false;
|
|
3047
3483
|
}
|
|
3048
|
-
|
|
3049
3484
|
last_was_empty = false;
|
|
3050
3485
|
}
|
|
3051
3486
|
|
|
3052
|
-
|
|
3053
|
-
|
|
3054
|
-
|
|
3487
|
+
// In cleartext ClientHellos, we add the padding extension to work around
|
|
3488
|
+
// bugs. We also apply this padding to ClientHelloOuter, to keep the wire
|
|
3489
|
+
// images aligned.
|
|
3490
|
+
size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs, type);
|
|
3491
|
+
if (!SSL_is_dtls(ssl) && !ssl->quic_method &&
|
|
3492
|
+
!ssl->s3->used_hello_retry_request) {
|
|
3493
|
+
header_len +=
|
|
3494
|
+
SSL3_HM_HEADER_LENGTH + 2 + CBB_len(&extensions) + psk_extension_len;
|
|
3055
3495
|
size_t padding_len = 0;
|
|
3056
3496
|
|
|
3057
3497
|
// The final extension must be non-empty. WebSphere Application
|
|
@@ -3085,24 +3525,21 @@ bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out,
|
|
|
3085
3525
|
}
|
|
3086
3526
|
}
|
|
3087
3527
|
|
|
3088
|
-
if (padding_len != 0
|
|
3089
|
-
|
|
3090
|
-
|
|
3091
|
-
!CBB_add_u16(&extensions, padding_len) ||
|
|
3092
|
-
!CBB_add_space(&extensions, &padding_bytes, padding_len)) {
|
|
3093
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
3094
|
-
return false;
|
|
3095
|
-
}
|
|
3096
|
-
|
|
3097
|
-
OPENSSL_memset(padding_bytes, 0, padding_len);
|
|
3528
|
+
if (padding_len != 0 &&
|
|
3529
|
+
!add_padding_extension(&extensions, TLSEXT_TYPE_padding, padding_len)) {
|
|
3530
|
+
return false;
|
|
3098
3531
|
}
|
|
3099
3532
|
}
|
|
3100
3533
|
|
|
3101
3534
|
// The PSK extension must be last, including after the padding.
|
|
3102
|
-
|
|
3535
|
+
const size_t len_before = CBB_len(&extensions);
|
|
3536
|
+
if (!ext_pre_shared_key_add_clienthello(hs, &extensions, out_needs_psk_binder,
|
|
3537
|
+
type)) {
|
|
3103
3538
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
3104
3539
|
return false;
|
|
3105
3540
|
}
|
|
3541
|
+
assert(psk_extension_len == CBB_len(&extensions) - len_before);
|
|
3542
|
+
(void)len_before; // |assert| is omitted in release builds.
|
|
3106
3543
|
|
|
3107
3544
|
// Discard empty extensions blocks.
|
|
3108
3545
|
if (CBB_len(&extensions) == 0) {
|
|
@@ -3148,12 +3585,6 @@ err:
|
|
|
3148
3585
|
static bool ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
|
|
3149
3586
|
const SSL_CLIENT_HELLO *client_hello,
|
|
3150
3587
|
int *out_alert) {
|
|
3151
|
-
for (size_t i = 0; i < kNumExtensions; i++) {
|
|
3152
|
-
if (kExtensions[i].init != NULL) {
|
|
3153
|
-
kExtensions[i].init(hs);
|
|
3154
|
-
}
|
|
3155
|
-
}
|
|
3156
|
-
|
|
3157
3588
|
hs->extensions.received = 0;
|
|
3158
3589
|
CBS extensions;
|
|
3159
3590
|
CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
|
|
@@ -3234,18 +3665,10 @@ bool ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,
|
|
|
3234
3665
|
return true;
|
|
3235
3666
|
}
|
|
3236
3667
|
|
|
3237
|
-
static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
|
|
3668
|
+
static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, const CBS *cbs,
|
|
3238
3669
|
int *out_alert) {
|
|
3239
|
-
|
|
3240
|
-
|
|
3241
|
-
if (CBS_len(cbs) == 0 && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
|
|
3242
|
-
return true;
|
|
3243
|
-
}
|
|
3244
|
-
|
|
3245
|
-
// Decode the extensions block and check it is valid.
|
|
3246
|
-
CBS extensions;
|
|
3247
|
-
if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
|
|
3248
|
-
!tls1_check_duplicate_extensions(&extensions)) {
|
|
3670
|
+
CBS extensions = *cbs;
|
|
3671
|
+
if (!tls1_check_duplicate_extensions(&extensions)) {
|
|
3249
3672
|
*out_alert = SSL_AD_DECODE_ERROR;
|
|
3250
3673
|
return false;
|
|
3251
3674
|
}
|
|
@@ -3314,18 +3737,8 @@ static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
|
|
|
3314
3737
|
|
|
3315
3738
|
static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
|
|
3316
3739
|
SSL *const ssl = hs->ssl;
|
|
3317
|
-
|
|
3318
|
-
if (ssl->s3->token_binding_negotiated &&
|
|
3319
|
-
!(SSL_get_secure_renegotiation_support(ssl) &&
|
|
3320
|
-
SSL_get_extms_support(ssl))) {
|
|
3321
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI);
|
|
3322
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
|
|
3323
|
-
return false;
|
|
3324
|
-
}
|
|
3325
|
-
|
|
3326
3740
|
int ret = SSL_TLSEXT_ERR_NOACK;
|
|
3327
3741
|
int al = SSL_AD_UNRECOGNIZED_NAME;
|
|
3328
|
-
|
|
3329
3742
|
if (ssl->ctx->servername_callback != 0) {
|
|
3330
3743
|
ret = ssl->ctx->servername_callback(ssl, &al, ssl->ctx->servername_arg);
|
|
3331
3744
|
} else if (ssl->session_ctx->servername_callback != 0) {
|
|
@@ -3347,7 +3760,37 @@ static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
|
|
|
3347
3760
|
}
|
|
3348
3761
|
}
|
|
3349
3762
|
|
|
3350
|
-
bool
|
|
3763
|
+
static bool ssl_check_serverhello_tlsext(SSL_HANDSHAKE *hs) {
|
|
3764
|
+
SSL *const ssl = hs->ssl;
|
|
3765
|
+
// ALPS and ALPN have a dependency between each other, so we defer checking
|
|
3766
|
+
// consistency to after the callbacks run.
|
|
3767
|
+
if (hs->new_session != nullptr && hs->new_session->has_application_settings) {
|
|
3768
|
+
// ALPN must be negotiated.
|
|
3769
|
+
if (ssl->s3->alpn_selected.empty()) {
|
|
3770
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_ALPS_WITHOUT_ALPN);
|
|
3771
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
3772
|
+
return false;
|
|
3773
|
+
}
|
|
3774
|
+
|
|
3775
|
+
// The negotiated protocol must be one of the ones we advertised for ALPS.
|
|
3776
|
+
Span<const uint8_t> settings;
|
|
3777
|
+
if (!ssl_get_local_application_settings(hs, &settings,
|
|
3778
|
+
ssl->s3->alpn_selected)) {
|
|
3779
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
|
|
3780
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
3781
|
+
return false;
|
|
3782
|
+
}
|
|
3783
|
+
|
|
3784
|
+
if (!hs->new_session->local_application_settings.CopyFrom(settings)) {
|
|
3785
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
|
3786
|
+
return false;
|
|
3787
|
+
}
|
|
3788
|
+
}
|
|
3789
|
+
|
|
3790
|
+
return true;
|
|
3791
|
+
}
|
|
3792
|
+
|
|
3793
|
+
bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, const CBS *cbs) {
|
|
3351
3794
|
SSL *const ssl = hs->ssl;
|
|
3352
3795
|
int alert = SSL_AD_DECODE_ERROR;
|
|
3353
3796
|
if (!ssl_scan_serverhello_tlsext(hs, cbs, &alert)) {
|
|
@@ -3355,6 +3798,10 @@ bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs) {
|
|
|
3355
3798
|
return false;
|
|
3356
3799
|
}
|
|
3357
3800
|
|
|
3801
|
+
if (!ssl_check_serverhello_tlsext(hs)) {
|
|
3802
|
+
return false;
|
|
3803
|
+
}
|
|
3804
|
+
|
|
3358
3805
|
return true;
|
|
3359
3806
|
}
|
|
3360
3807
|
|
|
@@ -3371,8 +3818,8 @@ static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx(
|
|
|
3371
3818
|
return ssl_ticket_aead_ignore_ticket;
|
|
3372
3819
|
}
|
|
3373
3820
|
// Split the ticket into the ticket and the MAC.
|
|
3374
|
-
auto ticket_mac = ticket.
|
|
3375
|
-
ticket = ticket.
|
|
3821
|
+
auto ticket_mac = ticket.last(mac_len);
|
|
3822
|
+
ticket = ticket.first(ticket.size() - mac_len);
|
|
3376
3823
|
HMAC_Update(hmac_ctx, ticket.data(), ticket.size());
|
|
3377
3824
|
HMAC_Final(hmac_ctx, mac, NULL);
|
|
3378
3825
|
assert(mac_len == ticket_mac.size());
|
|
@@ -3506,6 +3953,7 @@ enum ssl_ticket_aead_result_t ssl_process_ticket(
|
|
|
3506
3953
|
SSL_HANDSHAKE *hs, UniquePtr<SSL_SESSION> *out_session,
|
|
3507
3954
|
bool *out_renew_ticket, Span<const uint8_t> ticket,
|
|
3508
3955
|
Span<const uint8_t> session_id) {
|
|
3956
|
+
SSL *const ssl = hs->ssl;
|
|
3509
3957
|
*out_renew_ticket = false;
|
|
3510
3958
|
out_session->reset();
|
|
3511
3959
|
|
|
@@ -3514,9 +3962,21 @@ enum ssl_ticket_aead_result_t ssl_process_ticket(
|
|
|
3514
3962
|
return ssl_ticket_aead_ignore_ticket;
|
|
3515
3963
|
}
|
|
3516
3964
|
|
|
3965
|
+
// Tickets in TLS 1.3 are tied into pre-shared keys (PSKs), unlike in TLS 1.2
|
|
3966
|
+
// where that concept doesn't exist. The |decrypted_psk| and |ignore_psk|
|
|
3967
|
+
// hints only apply to PSKs. We check the version to determine which this is.
|
|
3968
|
+
const bool is_psk = ssl_protocol_version(ssl) >= TLS1_3_VERSION;
|
|
3969
|
+
|
|
3517
3970
|
Array<uint8_t> plaintext;
|
|
3518
3971
|
enum ssl_ticket_aead_result_t result;
|
|
3519
|
-
|
|
3972
|
+
SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
|
|
3973
|
+
if (is_psk && hints && !hs->hints_requested &&
|
|
3974
|
+
!hints->decrypted_psk.empty()) {
|
|
3975
|
+
result = plaintext.CopyFrom(hints->decrypted_psk) ? ssl_ticket_aead_success
|
|
3976
|
+
: ssl_ticket_aead_error;
|
|
3977
|
+
} else if (is_psk && hints && !hs->hints_requested && hints->ignore_psk) {
|
|
3978
|
+
result = ssl_ticket_aead_ignore_ticket;
|
|
3979
|
+
} else if (ssl->session_ctx->ticket_aead_method != NULL) {
|
|
3520
3980
|
result = ssl_decrypt_ticket_with_method(hs, &plaintext, out_renew_ticket,
|
|
3521
3981
|
ticket);
|
|
3522
3982
|
} else {
|
|
@@ -3525,9 +3985,8 @@ enum ssl_ticket_aead_result_t ssl_process_ticket(
|
|
|
3525
3985
|
// length should be well under the minimum size for the session material and
|
|
3526
3986
|
// HMAC.
|
|
3527
3987
|
if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
|
|
3528
|
-
|
|
3529
|
-
}
|
|
3530
|
-
if (hs->ssl->session_ctx->ticket_key_cb != NULL) {
|
|
3988
|
+
result = ssl_ticket_aead_ignore_ticket;
|
|
3989
|
+
} else if (ssl->session_ctx->ticket_key_cb != NULL) {
|
|
3531
3990
|
result =
|
|
3532
3991
|
ssl_decrypt_ticket_with_cb(hs, &plaintext, out_renew_ticket, ticket);
|
|
3533
3992
|
} else {
|
|
@@ -3535,22 +3994,33 @@ enum ssl_ticket_aead_result_t ssl_process_ticket(
|
|
|
3535
3994
|
}
|
|
3536
3995
|
}
|
|
3537
3996
|
|
|
3997
|
+
if (is_psk && hints && hs->hints_requested) {
|
|
3998
|
+
if (result == ssl_ticket_aead_ignore_ticket) {
|
|
3999
|
+
hints->ignore_psk = true;
|
|
4000
|
+
} else if (result == ssl_ticket_aead_success &&
|
|
4001
|
+
!hints->decrypted_psk.CopyFrom(plaintext)) {
|
|
4002
|
+
return ssl_ticket_aead_error;
|
|
4003
|
+
}
|
|
4004
|
+
}
|
|
4005
|
+
|
|
3538
4006
|
if (result != ssl_ticket_aead_success) {
|
|
3539
4007
|
return result;
|
|
3540
4008
|
}
|
|
3541
4009
|
|
|
3542
4010
|
// Decode the session.
|
|
3543
4011
|
UniquePtr<SSL_SESSION> session(SSL_SESSION_from_bytes(
|
|
3544
|
-
plaintext.data(), plaintext.size(),
|
|
4012
|
+
plaintext.data(), plaintext.size(), ssl->ctx.get()));
|
|
3545
4013
|
if (!session) {
|
|
3546
4014
|
ERR_clear_error(); // Don't leave an error on the queue.
|
|
3547
4015
|
return ssl_ticket_aead_ignore_ticket;
|
|
3548
4016
|
}
|
|
3549
4017
|
|
|
3550
|
-
//
|
|
3551
|
-
//
|
|
3552
|
-
|
|
3553
|
-
|
|
4018
|
+
// Envoy's tests expect the session to have a session ID that matches the
|
|
4019
|
+
// placeholder used by the client. It's unclear whether this is a good idea,
|
|
4020
|
+
// but we maintain it for now.
|
|
4021
|
+
SHA256(ticket.data(), ticket.size(), session->session_id);
|
|
4022
|
+
// Other consumers may expect a non-empty session ID to indicate resumption.
|
|
4023
|
+
session->session_id_length = SHA256_DIGEST_LENGTH;
|
|
3554
4024
|
|
|
3555
4025
|
*out_session = std::move(session);
|
|
3556
4026
|
return ssl_ticket_aead_success;
|
|
@@ -3698,11 +4168,11 @@ bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
|
|
|
3698
4168
|
if (!sig_ok) {
|
|
3699
4169
|
OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
|
|
3700
4170
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
|
|
3701
|
-
ssl->s3->channel_id_valid = false;
|
|
3702
4171
|
return false;
|
|
3703
4172
|
}
|
|
3704
4173
|
|
|
3705
4174
|
OPENSSL_memcpy(ssl->s3->channel_id, p, 64);
|
|
4175
|
+
ssl->s3->channel_id_valid = true;
|
|
3706
4176
|
return true;
|
|
3707
4177
|
}
|
|
3708
4178
|
|
|
@@ -3813,23 +4283,6 @@ bool tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
|
|
|
3813
4283
|
return true;
|
|
3814
4284
|
}
|
|
3815
4285
|
|
|
3816
|
-
bool ssl_do_channel_id_callback(SSL_HANDSHAKE *hs) {
|
|
3817
|
-
if (hs->config->channel_id_private != NULL ||
|
|
3818
|
-
hs->ssl->ctx->channel_id_cb == NULL) {
|
|
3819
|
-
return true;
|
|
3820
|
-
}
|
|
3821
|
-
|
|
3822
|
-
EVP_PKEY *key = NULL;
|
|
3823
|
-
hs->ssl->ctx->channel_id_cb(hs->ssl, &key);
|
|
3824
|
-
if (key == NULL) {
|
|
3825
|
-
// The caller should try again later.
|
|
3826
|
-
return true;
|
|
3827
|
-
}
|
|
3828
|
-
|
|
3829
|
-
UniquePtr<EVP_PKEY> free_key(key);
|
|
3830
|
-
return SSL_set1_tls_channel_id(hs->ssl, key);
|
|
3831
|
-
}
|
|
3832
|
-
|
|
3833
4286
|
bool ssl_is_sct_list_valid(const CBS *contents) {
|
|
3834
4287
|
// Shallow parse the SCT list for sanity. By the RFC
|
|
3835
4288
|
// (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
|
|
@@ -3870,7 +4323,3 @@ int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
|
|
|
3870
4323
|
*out_len = CBS_len(&cbs);
|
|
3871
4324
|
return 1;
|
|
3872
4325
|
}
|
|
3873
|
-
|
|
3874
|
-
void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
|
|
3875
|
-
ctx->ed25519_enabled = !!enabled;
|
|
3876
|
-
}
|