grpc 1.30.2 → 1.31.0.pre1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +560 -619
- data/include/grpc/grpc_security_constants.h +3 -0
- data/include/grpc/impl/codegen/grpc_types.h +7 -5
- data/include/grpc/impl/codegen/port_platform.h +0 -32
- data/src/core/ext/filters/client_channel/backend_metric.cc +12 -9
- data/src/core/ext/filters/client_channel/client_channel.cc +406 -265
- data/src/core/ext/filters/client_channel/config_selector.cc +62 -0
- data/src/core/ext/filters/client_channel/config_selector.h +93 -0
- data/src/core/ext/filters/client_channel/global_subchannel_pool.cc +24 -2
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +2 -0
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +6 -5
- data/src/core/ext/filters/client_channel/http_proxy.cc +6 -4
- data/src/core/ext/filters/client_channel/lb_policy.h +2 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +39 -23
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +4 -6
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_routing.cc +376 -68
- data/src/core/ext/filters/client_channel/lb_policy_registry.cc +4 -5
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +5 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +6 -5
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +8 -6
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +9 -7
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +7 -5
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +33 -48
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +6 -2
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +21 -18
- data/src/core/ext/filters/client_channel/resolver_registry.cc +13 -14
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +6 -7
- data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +33 -28
- data/src/core/ext/filters/client_channel/resolving_lb_policy.h +39 -20
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +142 -0
- data/src/core/ext/filters/client_channel/subchannel.cc +1 -1
- data/src/core/ext/filters/client_channel/xds/xds_api.cc +327 -123
- data/src/core/ext/filters/client_channel/xds/xds_api.h +72 -7
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.cc +12 -23
- data/src/core/ext/filters/client_channel/xds/xds_client.cc +112 -33
- data/src/core/ext/filters/client_channel/xds/xds_client_stats.h +10 -10
- data/src/core/ext/filters/http/client/http_client_filter.cc +5 -5
- data/src/core/ext/filters/http/http_filters_plugin.cc +2 -1
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +74 -33
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.h +3 -1
- data/src/core/ext/filters/message_size/message_size_filter.cc +56 -80
- data/src/core/ext/filters/message_size/message_size_filter.h +6 -0
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +383 -347
- data/src/core/ext/transport/chttp2/server/chttp2_server.h +6 -2
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +1 -1
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +7 -13
- data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +7 -8
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +19 -4
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +22 -27
- data/src/core/ext/transport/chttp2/transport/flow_control.h +14 -16
- data/src/core/ext/transport/chttp2/transport/frame_data.cc +9 -12
- data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +4 -6
- data/src/core/ext/transport/chttp2/transport/frame_ping.cc +5 -6
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +12 -13
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +6 -7
- data/src/core/ext/transport/chttp2/transport/frame_window_update.cc +9 -12
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +25 -29
- data/src/core/ext/transport/chttp2/transport/hpack_table.cc +13 -17
- data/src/core/ext/transport/chttp2/transport/internal.h +13 -0
- data/src/core/ext/transport/chttp2/transport/parsing.cc +33 -43
- data/src/core/ext/transport/chttp2/transport/writing.cc +9 -14
- data/src/core/ext/transport/inproc/inproc_transport.cc +35 -15
- data/src/core/ext/upb-generated/envoy/annotations/deprecation.upb.h +0 -1
- data/src/core/ext/upb-generated/envoy/annotations/resource.upb.h +3 -4
- data/src/core/ext/upb-generated/envoy/api/v2/auth/cert.upb.h +0 -1
- data/src/core/ext/upb-generated/envoy/api/v2/auth/common.upb.h +80 -69
- data/src/core/ext/upb-generated/envoy/api/v2/auth/secret.upb.h +24 -23
- data/src/core/ext/upb-generated/envoy/api/v2/auth/tls.upb.h +66 -56
- data/src/core/ext/upb-generated/envoy/api/v2/cds.upb.h +1 -2
- data/src/core/ext/upb-generated/envoy/api/v2/cluster.upb.c +2 -2
- data/src/core/ext/upb-generated/envoy/api/v2/cluster.upb.h +317 -311
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/circuit_breaker.upb.h +42 -34
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/filter.upb.h +7 -7
- data/src/core/ext/upb-generated/envoy/api/v2/cluster/outlier_detection.upb.h +79 -61
- data/src/core/ext/upb-generated/envoy/api/v2/core/address.upb.h +55 -49
- data/src/core/ext/upb-generated/envoy/api/v2/core/backoff.upb.h +9 -8
- data/src/core/ext/upb-generated/envoy/api/v2/core/base.upb.c +1 -1
- data/src/core/ext/upb-generated/envoy/api/v2/core/base.upb.h +163 -169
- data/src/core/ext/upb-generated/envoy/api/v2/core/config_source.upb.h +51 -45
- data/src/core/ext/upb-generated/envoy/api/v2/core/event_service_config.upb.h +4 -5
- data/src/core/ext/upb-generated/envoy/api/v2/core/grpc_service.upb.h +107 -100
- data/src/core/ext/upb-generated/envoy/api/v2/core/health_check.upb.h +137 -117
- data/src/core/ext/upb-generated/envoy/api/v2/core/http_uri.upb.h +9 -9
- data/src/core/ext/upb-generated/envoy/api/v2/core/protocol.upb.h +105 -87
- data/src/core/ext/upb-generated/envoy/api/v2/core/socket_option.upb.h +12 -13
- data/src/core/ext/upb-generated/envoy/api/v2/discovery.upb.c +1 -1
- data/src/core/ext/upb-generated/envoy/api/v2/discovery.upb.h +95 -101
- data/src/core/ext/upb-generated/envoy/api/v2/eds.upb.h +1 -2
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint.upb.c +1 -1
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint.upb.h +49 -65
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint.upb.h +0 -1
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/endpoint_components.upb.h +49 -42
- data/src/core/ext/upb-generated/envoy/api/v2/endpoint/load_report.upb.h +70 -62
- data/src/core/ext/upb-generated/envoy/api/v2/lds.upb.h +1 -2
- data/src/core/ext/upb-generated/envoy/api/v2/listener.upb.h +81 -65
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener.upb.h +0 -1
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener_components.upb.c +1 -1
- data/src/core/ext/upb-generated/envoy/api/v2/listener/listener_components.upb.h +91 -80
- data/src/core/ext/upb-generated/envoy/api/v2/listener/udp_listener_config.upb.h +9 -10
- data/src/core/ext/upb-generated/envoy/api/v2/rds.upb.h +1 -2
- data/src/core/ext/upb-generated/envoy/api/v2/route.upb.h +36 -31
- data/src/core/ext/upb-generated/envoy/api/v2/route/route.upb.h +0 -1
- data/src/core/ext/upb-generated/envoy/api/v2/route/route_components.upb.c +7 -7
- data/src/core/ext/upb-generated/envoy/api/v2/route/route_components.upb.h +648 -696
- data/src/core/ext/upb-generated/envoy/api/v2/scoped_route.upb.h +16 -15
- data/src/core/ext/upb-generated/envoy/api/v2/srds.upb.h +1 -2
- data/src/core/ext/upb-generated/envoy/config/filter/accesslog/v2/accesslog.upb.c +1 -1
- data/src/core/ext/upb-generated/envoy/config/filter/accesslog/v2/accesslog.upb.h +95 -88
- data/src/core/ext/upb-generated/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.upb.h +234 -199
- data/src/core/ext/upb-generated/envoy/config/listener/v2/api_listener.upb.h +5 -5
- data/src/core/ext/upb-generated/envoy/config/trace/v2/http_tracer.upb.h +13 -13
- data/src/core/ext/upb-generated/envoy/service/discovery/v2/ads.upb.h +1 -2
- data/src/core/ext/upb-generated/envoy/service/load_stats/v2/lrs.upb.h +20 -18
- data/src/core/ext/upb-generated/envoy/type/http.upb.h +0 -1
- data/src/core/ext/upb-generated/envoy/type/matcher/regex.upb.h +18 -17
- data/src/core/ext/upb-generated/envoy/type/matcher/string.upb.h +14 -14
- data/src/core/ext/upb-generated/envoy/type/metadata/v2/metadata.upb.h +23 -23
- data/src/core/ext/upb-generated/envoy/type/percent.upb.h +8 -9
- data/src/core/ext/upb-generated/envoy/type/range.upb.h +15 -16
- data/src/core/ext/upb-generated/envoy/type/semantic_version.upb.h +7 -8
- data/src/core/ext/upb-generated/envoy/type/tracing/v2/custom_tag.upb.h +36 -35
- data/src/core/ext/upb-generated/gogoproto/gogo.upb.h +0 -1
- data/src/core/ext/upb-generated/google/api/annotations.upb.h +0 -1
- data/src/core/ext/upb-generated/google/api/http.upb.h +29 -28
- data/src/core/ext/upb-generated/google/protobuf/any.upb.h +5 -6
- data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.c +3 -3
- data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.h +412 -386
- data/src/core/ext/upb-generated/google/protobuf/duration.upb.h +5 -6
- data/src/core/ext/upb-generated/google/protobuf/empty.upb.h +1 -2
- data/src/core/ext/upb-generated/google/protobuf/struct.upb.c +1 -1
- data/src/core/ext/upb-generated/google/protobuf/struct.upb.h +33 -54
- data/src/core/ext/upb-generated/google/protobuf/timestamp.upb.h +5 -6
- data/src/core/ext/upb-generated/google/protobuf/wrappers.upb.h +27 -28
- data/src/core/ext/upb-generated/google/rpc/status.upb.h +8 -8
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/altscontext.upb.c +1 -1
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/altscontext.upb.h +32 -45
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.c +4 -4
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.h +157 -178
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/transport_security_common.upb.h +14 -13
- data/src/core/ext/upb-generated/src/proto/grpc/health/v1/health.upb.h +6 -7
- data/src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.h +59 -56
- data/src/core/ext/upb-generated/udpa/annotations/migrate.upb.h +11 -12
- data/src/core/ext/upb-generated/udpa/annotations/sensitive.upb.h +0 -1
- data/src/core/ext/upb-generated/udpa/annotations/status.upb.h +5 -6
- data/src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.c +6 -6
- data/src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.h +41 -68
- data/src/core/ext/upb-generated/validate/validate.upb.h +536 -535
- data/src/core/lib/channel/channel_trace.cc +2 -6
- data/src/core/lib/channel/channelz.cc +5 -15
- data/src/core/lib/gpr/log_linux.cc +6 -8
- data/src/core/lib/gpr/log_posix.cc +6 -8
- data/src/core/lib/gpr/string.cc +10 -9
- data/src/core/lib/gpr/string.h +4 -2
- data/src/core/lib/gprpp/global_config_env.cc +8 -6
- data/src/core/lib/http/httpcli.cc +13 -10
- data/src/core/lib/http/httpcli_security_connector.cc +5 -5
- data/src/core/lib/iomgr/cfstream_handle.cc +1 -0
- data/src/core/lib/iomgr/endpoint_pair_posix.cc +10 -10
- data/src/core/lib/iomgr/error_cfstream.cc +9 -8
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +5 -6
- data/src/core/lib/iomgr/ev_epollex_linux.cc +15 -21
- data/src/core/lib/iomgr/ev_poll_posix.cc +6 -5
- data/src/core/lib/iomgr/ev_posix.cc +2 -0
- data/src/core/lib/iomgr/iomgr.cc +10 -0
- data/src/core/lib/iomgr/iomgr.h +10 -0
- data/src/core/lib/iomgr/is_epollexclusive_available.cc +14 -0
- data/src/core/lib/iomgr/port.h +1 -21
- data/src/core/lib/iomgr/resolve_address_custom.cc +13 -18
- data/src/core/lib/iomgr/resolve_address_windows.cc +8 -8
- data/src/core/lib/iomgr/resource_quota.cc +34 -31
- data/src/core/lib/iomgr/sockaddr_utils.cc +7 -5
- data/src/core/lib/iomgr/sockaddr_utils.h +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +95 -55
- data/src/core/lib/iomgr/socket_windows.cc +4 -5
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +9 -11
- data/src/core/lib/iomgr/tcp_client_custom.cc +6 -9
- data/src/core/lib/iomgr/tcp_client_posix.cc +27 -36
- data/src/core/lib/iomgr/tcp_client_windows.cc +9 -9
- data/src/core/lib/iomgr/tcp_custom.cc +1 -1
- data/src/core/lib/iomgr/tcp_custom.h +1 -1
- data/src/core/lib/iomgr/tcp_server.cc +3 -4
- data/src/core/lib/iomgr/tcp_server.h +7 -5
- data/src/core/lib/iomgr/tcp_server_custom.cc +6 -14
- data/src/core/lib/iomgr/tcp_server_posix.cc +34 -41
- data/src/core/lib/iomgr/tcp_server_utils_posix.h +3 -4
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +5 -7
- data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +4 -9
- data/src/core/lib/iomgr/tcp_server_windows.cc +16 -16
- data/src/core/lib/iomgr/timer_generic.cc +13 -12
- data/src/core/lib/iomgr/udp_server.cc +24 -23
- data/src/core/lib/iomgr/udp_server.h +5 -2
- data/src/core/lib/iomgr/unix_sockets_posix.cc +9 -14
- data/src/core/lib/iomgr/unix_sockets_posix.h +3 -1
- data/src/core/lib/iomgr/unix_sockets_posix_noop.cc +5 -2
- data/src/core/lib/json/json_reader.cc +20 -21
- data/src/core/lib/security/credentials/credentials.h +5 -3
- data/src/core/lib/security/credentials/google_default/credentials_generic.cc +8 -6
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +12 -9
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +7 -4
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +19 -28
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +6 -6
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +20 -0
- data/src/core/lib/security/credentials/ssl/ssl_credentials.h +10 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +10 -0
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +10 -10
- data/src/core/lib/security/security_connector/security_connector.cc +2 -0
- data/src/core/lib/security/security_connector/security_connector.h +1 -1
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +18 -11
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.h +5 -0
- data/src/core/lib/security/security_connector/ssl_utils.cc +44 -23
- data/src/core/lib/security/security_connector/ssl_utils.h +6 -2
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +27 -24
- data/src/core/lib/security/transport/client_auth_filter.cc +10 -9
- data/src/core/lib/security/util/json_util.cc +12 -13
- data/src/core/lib/slice/slice.cc +38 -1
- data/src/core/lib/slice/slice_internal.h +1 -0
- data/src/core/lib/surface/call.cc +40 -41
- data/src/core/lib/surface/completion_queue.cc +271 -14
- data/src/core/lib/surface/completion_queue.h +8 -0
- data/src/core/lib/surface/init.cc +2 -0
- data/src/core/lib/surface/server.cc +565 -632
- data/src/core/lib/surface/server.h +34 -12
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/transport.h +6 -0
- data/src/core/lib/uri/uri_parser.cc +8 -15
- data/src/core/plugin_registry/grpc_plugin_registry.cc +4 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +23 -13
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +2 -0
- data/src/core/tsi/alts/handshaker/transport_security_common_api.cc +2 -0
- data/src/core/tsi/ssl_transport_security.cc +102 -11
- data/src/core/tsi/ssl_transport_security.h +14 -2
- data/src/core/tsi/transport_security_interface.h +5 -0
- data/src/ruby/ext/grpc/extconf.rb +5 -2
- data/src/ruby/ext/grpc/rb_call.c +3 -2
- data/src/ruby/ext/grpc/rb_call.h +4 -0
- data/src/ruby/ext/grpc/rb_call_credentials.c +54 -10
- data/src/ruby/lib/grpc/generic/interceptors.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/err_data.c +89 -83
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_enum.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +12 -52
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +0 -22
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +143 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +17 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +11 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +13 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64.c +24 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +20 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/util.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +29 -15
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/internal.h +7 -0
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -5
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +0 -29
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +116 -363
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +7 -45
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_strex.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +0 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +13 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +10 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +4 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +28 -9
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +35 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +0 -154
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +28 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +74 -35
- data/third_party/boringssl-with-bazel/src/include/openssl/aes.h +16 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +22 -22
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +69 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +33 -16
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +1 -10
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +789 -715
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +3 -3
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +9 -2
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +9 -0
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +17 -14
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +7 -7
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +28 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +4 -24
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +5 -5
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +45 -24
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +31 -21
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +12 -9
- data/third_party/upb/upb/decode.c +467 -504
- data/third_party/upb/upb/encode.c +163 -121
- data/third_party/upb/upb/msg.c +130 -64
- data/third_party/upb/upb/msg.h +418 -14
- data/third_party/upb/upb/port_def.inc +35 -6
- data/third_party/upb/upb/port_undef.inc +8 -1
- data/third_party/upb/upb/table.c +53 -75
- data/third_party/upb/upb/table.int.h +11 -43
- data/third_party/upb/upb/upb.c +148 -124
- data/third_party/upb/upb/upb.h +65 -147
- data/third_party/upb/upb/upb.hpp +86 -0
- metadata +40 -37
- data/third_party/upb/upb/generated_util.h +0 -105
@@ -632,7 +632,7 @@ bool SSL_apply_handback(SSL *ssl, Span
|
|
632
632
|
case handback_after_session_resumption:
|
633
633
|
// The write keys are installed after server Finished, but the client
|
634
634
|
// keys must wait for ChangeCipherSpec.
|
635
|
-
if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session
|
635
|
+
if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
|
636
636
|
write_iv)) {
|
637
637
|
return false;
|
638
638
|
}
|
@@ -642,9 +642,9 @@ bool SSL_apply_handback(SSL *ssl, Span
|
|
642
642
|
break;
|
643
643
|
case handback_after_handshake:
|
644
644
|
// The handshake is complete, so both keys are installed.
|
645
|
-
if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session
|
645
|
+
if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
|
646
646
|
write_iv) ||
|
647
|
-
!tls1_configure_aead(ssl, evp_aead_open, &key_block, session
|
647
|
+
!tls1_configure_aead(ssl, evp_aead_open, &key_block, session,
|
648
648
|
read_iv)) {
|
649
649
|
return false;
|
650
650
|
}
|
@@ -441,7 +441,7 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) {
|
|
441
441
|
uint8_t finished[EVP_MAX_MD_SIZE];
|
442
442
|
size_t finished_len;
|
443
443
|
if (!hs->transcript.GetFinishedMAC(finished, &finished_len,
|
444
|
-
|
444
|
+
ssl_handshake_session(hs), !ssl->server) ||
|
445
445
|
!ssl_hash_message(hs, msg)) {
|
446
446
|
return ssl_hs_error;
|
447
447
|
}
|
@@ -484,7 +484,7 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) {
|
|
484
484
|
|
485
485
|
bool ssl_send_finished(SSL_HANDSHAKE *hs) {
|
486
486
|
SSL *const ssl = hs->ssl;
|
487
|
-
const SSL_SESSION *session =
|
487
|
+
const SSL_SESSION *session = ssl_handshake_session(hs);
|
488
488
|
|
489
489
|
uint8_t finished[EVP_MAX_MD_SIZE];
|
490
490
|
size_t finished_len;
|
@@ -541,6 +541,13 @@ bool ssl_output_cert_chain(SSL_HANDSHAKE *hs) {
|
|
541
541
|
return true;
|
542
542
|
}
|
543
543
|
|
544
|
+
const SSL_SESSION *ssl_handshake_session(const SSL_HANDSHAKE *hs) {
|
545
|
+
if (hs->new_session) {
|
546
|
+
return hs->new_session.get();
|
547
|
+
}
|
548
|
+
return hs->ssl->session.get();
|
549
|
+
}
|
550
|
+
|
544
551
|
int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return) {
|
545
552
|
SSL *const ssl = hs->ssl;
|
546
553
|
for (;;) {
|
@@ -1268,10 +1268,10 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
|
|
1268
1268
|
uint32_t alg_k = hs->new_cipher->algorithm_mkey;
|
1269
1269
|
uint32_t alg_a = hs->new_cipher->algorithm_auth;
|
1270
1270
|
if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
|
1271
|
-
CRYPTO_BUFFER *leaf =
|
1271
|
+
const CRYPTO_BUFFER *leaf =
|
1272
1272
|
sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0);
|
1273
1273
|
CBS leaf_cbs;
|
1274
|
-
|
1274
|
+
CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs);
|
1275
1275
|
|
1276
1276
|
// Check the key usage matches the cipher suite. We do this unconditionally
|
1277
1277
|
// for non-RSA certificates. In particular, it's needed to distinguish ECDH
|
@@ -1436,6 +1436,15 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
|
|
1436
1436
|
return ssl_hs_error;
|
1437
1437
|
}
|
1438
1438
|
|
1439
|
+
// The peer certificate must be valid for signing.
|
1440
|
+
const CRYPTO_BUFFER *leaf =
|
1441
|
+
sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0);
|
1442
|
+
CBS leaf_cbs;
|
1443
|
+
CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs);
|
1444
|
+
if (!ssl_cert_check_key_usage(&leaf_cbs, key_usage_digital_signature)) {
|
1445
|
+
return ssl_hs_error;
|
1446
|
+
}
|
1447
|
+
|
1439
1448
|
CBS certificate_verify = msg.body, signature;
|
1440
1449
|
|
1441
1450
|
// Determine the signature algorithm.
|
@@ -1863,6 +1863,8 @@ enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs);
|
|
1863
1863
|
|
1864
1864
|
bool tls13_add_finished(SSL_HANDSHAKE *hs);
|
1865
1865
|
bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg);
|
1866
|
+
bssl::UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl,
|
1867
|
+
CBS *body);
|
1866
1868
|
|
1867
1869
|
bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
|
1868
1870
|
Array<uint8_t> *out_secret,
|
@@ -1938,6 +1940,11 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs);
|
|
1938
1940
|
bool ssl_send_finished(SSL_HANDSHAKE *hs);
|
1939
1941
|
bool ssl_output_cert_chain(SSL_HANDSHAKE *hs);
|
1940
1942
|
|
1943
|
+
// ssl_handshake_session returns the |SSL_SESSION| corresponding to the current
|
1944
|
+
// handshake. Note, in TLS 1.2 resumptions, this session is immutable.
|
1945
|
+
const SSL_SESSION *ssl_handshake_session(const SSL_HANDSHAKE *hs);
|
1946
|
+
|
1947
|
+
|
1941
1948
|
// SSLKEYLOGFILE functions.
|
1942
1949
|
|
1943
1950
|
// ssl_log_secret logs |secret| with label |label|, if logging is enabled for
|
@@ -2740,11 +2747,6 @@ struct SSL_CONFIG {
|
|
2740
2747
|
bool jdk11_workaround : 1;
|
2741
2748
|
};
|
2742
2749
|
|
2743
|
-
// Computes a SHA-256 hash of the transport parameters and early data context
|
2744
|
-
// for QUIC, putting the hash in |SHA256_DIGEST_LENGTH| bytes at |hash_out|.
|
2745
|
-
bool compute_quic_early_data_hash(const SSL_CONFIG *config,
|
2746
|
-
uint8_t hash_out[SHA256_DIGEST_LENGTH]);
|
2747
|
-
|
2748
2750
|
// From RFC 8446, used in determining PSK modes.
|
2749
2751
|
#define SSL_PSK_DHE_KE 0x1
|
2750
2752
|
|
@@ -2924,13 +2926,14 @@ int dtls1_dispatch_alert(SSL *ssl);
|
|
2924
2926
|
// determined by |direction|) using the keys generated by the TLS KDF. The
|
2925
2927
|
// |key_block_cache| argument is used to store the generated key block, if
|
2926
2928
|
// empty. Otherwise it's assumed that the key block is already contained within
|
2927
|
-
// it.
|
2928
|
-
|
2929
|
-
|
2930
|
-
|
2931
|
-
|
2932
|
-
|
2933
|
-
|
2929
|
+
// it. It returns true on success or false on error.
|
2930
|
+
bool tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
|
2931
|
+
Array<uint8_t> *key_block_cache,
|
2932
|
+
const SSL_SESSION *session,
|
2933
|
+
Span<const uint8_t> iv_override);
|
2934
|
+
|
2935
|
+
bool tls1_change_cipher_state(SSL_HANDSHAKE *hs,
|
2936
|
+
evp_aead_direction_t direction);
|
2934
2937
|
int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,
|
2935
2938
|
Span<const uint8_t> premaster);
|
2936
2939
|
|
@@ -3559,9 +3562,9 @@ struct ssl_session_st {
|
|
3559
3562
|
// is_quic indicates whether this session was created using QUIC.
|
3560
3563
|
bool is_quic : 1;
|
3561
3564
|
|
3562
|
-
//
|
3565
|
+
// quic_early_data_context is used to determine whether early data must be
|
3563
3566
|
// rejected when performing a QUIC handshake.
|
3564
|
-
bssl::Array<uint8_t>
|
3567
|
+
bssl::Array<uint8_t> quic_early_data_context;
|
3565
3568
|
|
3566
3569
|
private:
|
3567
3570
|
~ssl_session_st();
|
@@ -192,7 +192,7 @@ static const unsigned kEarlyALPNTag =
|
|
192
192
|
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 26;
|
193
193
|
static const unsigned kIsQuicTag =
|
194
194
|
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 27;
|
195
|
-
static const unsigned
|
195
|
+
static const unsigned kQuicEarlyDataContextTag =
|
196
196
|
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 28;
|
197
197
|
|
198
198
|
static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,
|
@@ -402,10 +402,10 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,
|
|
402
402
|
}
|
403
403
|
}
|
404
404
|
|
405
|
-
if (!in->
|
406
|
-
if (!CBB_add_asn1(&session, &child,
|
407
|
-
!CBB_add_asn1_octet_string(&child, in->
|
408
|
-
in->
|
405
|
+
if (!in->quic_early_data_context.empty()) {
|
406
|
+
if (!CBB_add_asn1(&session, &child, kQuicEarlyDataContextTag) ||
|
407
|
+
!CBB_add_asn1_octet_string(&child, in->quic_early_data_context.data(),
|
408
|
+
in->quic_early_data_context.size())) {
|
409
409
|
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
410
410
|
return 0;
|
411
411
|
}
|
@@ -752,8 +752,8 @@ UniquePtr
|
|
752
752
|
kEarlyALPNTag) ||
|
753
753
|
!CBS_get_optional_asn1_bool(&session, &is_quic, kIsQuicTag,
|
754
754
|
/*default_value=*/false) ||
|
755
|
-
!SSL_SESSION_parse_octet_string(&session, &ret->
|
756
|
-
|
755
|
+
!SSL_SESSION_parse_octet_string(&session, &ret->quic_early_data_context,
|
756
|
+
kQuicEarlyDataContextTag) ||
|
757
757
|
CBS_len(&session) != 0) {
|
758
758
|
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
|
759
759
|
return nullptr;
|
@@ -2968,6 +2968,34 @@ void SSL_CTX_set_ticket_aead_method(SSL_CTX *ctx,
|
|
2968
2968
|
ctx->ticket_aead_method = aead_method;
|
2969
2969
|
}
|
2970
2970
|
|
2971
|
+
SSL_SESSION *SSL_process_tls13_new_session_ticket(SSL *ssl, const uint8_t *buf,
|
2972
|
+
size_t buf_len) {
|
2973
|
+
if (SSL_in_init(ssl) ||
|
2974
|
+
ssl_protocol_version(ssl) != TLS1_3_VERSION ||
|
2975
|
+
ssl->server) {
|
2976
|
+
// Only TLS 1.3 clients are supported.
|
2977
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
2978
|
+
return nullptr;
|
2979
|
+
}
|
2980
|
+
|
2981
|
+
CBS cbs, body;
|
2982
|
+
CBS_init(&cbs, buf, buf_len);
|
2983
|
+
uint8_t type;
|
2984
|
+
if (!CBS_get_u8(&cbs, &type) ||
|
2985
|
+
!CBS_get_u24_length_prefixed(&cbs, &body) ||
|
2986
|
+
CBS_len(&cbs) != 0) {
|
2987
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
2988
|
+
return nullptr;
|
2989
|
+
}
|
2990
|
+
|
2991
|
+
UniquePtr<SSL_SESSION> session = tls13_create_session_with_ticket(ssl, &body);
|
2992
|
+
if (!session) {
|
2993
|
+
// |tls13_create_session_with_ticket| puts the correct error.
|
2994
|
+
return nullptr;
|
2995
|
+
}
|
2996
|
+
return session.release();
|
2997
|
+
}
|
2998
|
+
|
2971
2999
|
int SSL_set_tlsext_status_type(SSL *ssl, int type) {
|
2972
3000
|
if (!ssl->config) {
|
2973
3001
|
return 0;
|
@@ -269,8 +269,8 @@ UniquePtr
|
|
269
269
|
return nullptr;
|
270
270
|
}
|
271
271
|
|
272
|
-
if (!new_session->
|
273
|
-
session->
|
272
|
+
if (!new_session->quic_early_data_context.CopyFrom(
|
273
|
+
session->quic_early_data_context)) {
|
274
274
|
return nullptr;
|
275
275
|
}
|
276
276
|
}
|
@@ -349,25 +349,6 @@ const EVP_MD *ssl_session_get_digest(const SSL_SESSION *session) {
|
|
349
349
|
session->cipher);
|
350
350
|
}
|
351
351
|
|
352
|
-
bool compute_quic_early_data_hash(const SSL_CONFIG *config,
|
353
|
-
uint8_t hash_out[SHA256_DIGEST_LENGTH]) {
|
354
|
-
ScopedEVP_MD_CTX hash_ctx;
|
355
|
-
uint32_t transport_param_len = config->quic_transport_params.size();
|
356
|
-
uint32_t context_len = config->quic_early_data_context.size();
|
357
|
-
if (!EVP_DigestInit(hash_ctx.get(), EVP_sha256()) ||
|
358
|
-
!EVP_DigestUpdate(hash_ctx.get(), &transport_param_len,
|
359
|
-
sizeof(transport_param_len)) ||
|
360
|
-
!EVP_DigestUpdate(hash_ctx.get(), config->quic_transport_params.data(),
|
361
|
-
config->quic_transport_params.size()) ||
|
362
|
-
!EVP_DigestUpdate(hash_ctx.get(), &context_len, sizeof(context_len)) ||
|
363
|
-
!EVP_DigestUpdate(hash_ctx.get(), config->quic_early_data_context.data(),
|
364
|
-
config->quic_early_data_context.size()) ||
|
365
|
-
!EVP_DigestFinal(hash_ctx.get(), hash_out, nullptr)) {
|
366
|
-
return false;
|
367
|
-
}
|
368
|
-
return true;
|
369
|
-
}
|
370
|
-
|
371
352
|
int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
|
372
353
|
SSL *const ssl = hs->ssl;
|
373
354
|
if (ssl->mode & SSL_MODE_NO_SESSION_CREATION) {
|
@@ -384,9 +365,8 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
|
|
384
365
|
session->ssl_version = ssl->version;
|
385
366
|
session->is_quic = ssl->quic_method != nullptr;
|
386
367
|
if (is_server && ssl->enable_early_data && session->is_quic) {
|
387
|
-
if (!session->
|
388
|
-
|
389
|
-
session->quic_early_data_hash.data())) {
|
368
|
+
if (!session->quic_early_data_context.CopyFrom(
|
369
|
+
hs->config->quic_early_data_context)) {
|
390
370
|
return 0;
|
391
371
|
}
|
392
372
|
}
|
@@ -193,11 +193,11 @@ bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
|
|
193
193
|
min_version = TLS1_3_VERSION;
|
194
194
|
}
|
195
195
|
|
196
|
-
//
|
197
|
-
//
|
198
|
-
//
|
199
|
-
//
|
200
|
-
//
|
196
|
+
// The |SSL_OP_NO_*| flags disable individual protocols. This has two
|
197
|
+
// problems. First, prior to TLS 1.3, the protocol can only express a
|
198
|
+
// contiguous range of versions. Second, a library consumer trying to set a
|
199
|
+
// maximum version cannot disable protocol versions that get added in a future
|
200
|
+
// version of the library.
|
201
201
|
//
|
202
202
|
// To account for both of these, OpenSSL interprets the client-side bitmask
|
203
203
|
// as a min/max range by picking the lowest contiguous non-empty range of
|
@@ -189,21 +189,36 @@ static bool get_key_block_lengths(const SSL *ssl, size_t *out_mac_secret_len,
|
|
189
189
|
return true;
|
190
190
|
}
|
191
191
|
|
192
|
-
|
193
|
-
|
194
|
-
|
195
|
-
|
192
|
+
static bool generate_key_block(const SSL *ssl, Span<uint8_t> out,
|
193
|
+
const SSL_SESSION *session) {
|
194
|
+
auto master_key =
|
195
|
+
MakeConstSpan(session->master_key, session->master_key_length);
|
196
|
+
static const char kLabel[] = "key expansion";
|
197
|
+
auto label = MakeConstSpan(kLabel, sizeof(kLabel) - 1);
|
198
|
+
|
199
|
+
const EVP_MD *digest = ssl_session_get_digest(session);
|
200
|
+
// Note this function assumes that |session|'s key material corresponds to
|
201
|
+
// |ssl->s3->client_random| and |ssl->s3->server_random|.
|
202
|
+
return tls1_prf(digest, out, master_key, label, ssl->s3->server_random,
|
203
|
+
ssl->s3->client_random);
|
204
|
+
}
|
205
|
+
|
206
|
+
bool tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
|
207
|
+
Array<uint8_t> *key_block_cache,
|
208
|
+
const SSL_SESSION *session,
|
209
|
+
Span<const uint8_t> iv_override) {
|
196
210
|
size_t mac_secret_len, key_len, iv_len;
|
197
|
-
if (!get_key_block_lengths(ssl, &mac_secret_len, &key_len, &iv_len,
|
198
|
-
|
211
|
+
if (!get_key_block_lengths(ssl, &mac_secret_len, &key_len, &iv_len,
|
212
|
+
session->cipher)) {
|
213
|
+
return false;
|
199
214
|
}
|
200
215
|
|
201
216
|
// Ensure that |key_block_cache| is set up.
|
202
217
|
const size_t key_block_size = 2 * (mac_secret_len + key_len + iv_len);
|
203
218
|
if (key_block_cache->empty()) {
|
204
219
|
if (!key_block_cache->Init(key_block_size) ||
|
205
|
-
!
|
206
|
-
return
|
220
|
+
!generate_key_block(ssl, MakeSpan(*key_block_cache), session)) {
|
221
|
+
return false;
|
207
222
|
}
|
208
223
|
}
|
209
224
|
assert(key_block_cache->size() == key_block_size);
|
@@ -224,15 +239,16 @@ int tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
|
|
224
239
|
|
225
240
|
if (!iv_override.empty()) {
|
226
241
|
if (iv_override.size() != iv_len) {
|
227
|
-
return
|
242
|
+
return false;
|
228
243
|
}
|
229
244
|
iv = iv_override;
|
230
245
|
}
|
231
246
|
|
232
|
-
UniquePtr<SSLAEADContext> aead_ctx =
|
233
|
-
direction, ssl->version, SSL_is_dtls(ssl),
|
247
|
+
UniquePtr<SSLAEADContext> aead_ctx =
|
248
|
+
SSLAEADContext::Create(direction, ssl->version, SSL_is_dtls(ssl),
|
249
|
+
session->cipher, key, mac_secret, iv);
|
234
250
|
if (!aead_ctx) {
|
235
|
-
return
|
251
|
+
return false;
|
236
252
|
}
|
237
253
|
|
238
254
|
if (direction == evp_aead_open) {
|
@@ -246,10 +262,10 @@ int tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
|
|
246
262
|
/*secret_for_quic=*/{});
|
247
263
|
}
|
248
264
|
|
249
|
-
|
250
|
-
|
265
|
+
bool tls1_change_cipher_state(SSL_HANDSHAKE *hs,
|
266
|
+
evp_aead_direction_t direction) {
|
251
267
|
return tls1_configure_aead(hs->ssl, direction, &hs->key_block,
|
252
|
-
hs
|
268
|
+
ssl_handshake_session(hs), {});
|
253
269
|
}
|
254
270
|
|
255
271
|
int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,
|
@@ -286,6 +302,11 @@ BSSL_NAMESPACE_END
|
|
286
302
|
using namespace bssl;
|
287
303
|
|
288
304
|
size_t SSL_get_key_block_len(const SSL *ssl) {
|
305
|
+
// See |SSL_generate_key_block|.
|
306
|
+
if (SSL_in_init(ssl)) {
|
307
|
+
return 0;
|
308
|
+
}
|
309
|
+
|
289
310
|
size_t mac_secret_len, key_len, fixed_iv_len;
|
290
311
|
if (!get_key_block_lengths(ssl, &mac_secret_len, &key_len, &fixed_iv_len,
|
291
312
|
SSL_get_current_cipher(ssl))) {
|
@@ -297,16 +318,16 @@ size_t SSL_get_key_block_len(const SSL *ssl) {
|
|
297
318
|
}
|
298
319
|
|
299
320
|
int SSL_generate_key_block(const SSL *ssl, uint8_t *out, size_t out_len) {
|
300
|
-
|
301
|
-
|
302
|
-
|
303
|
-
|
304
|
-
|
305
|
-
|
321
|
+
// Which cipher state to use is ambiguous during a handshake. In particular,
|
322
|
+
// there are points where read and write states are from different epochs.
|
323
|
+
// During a handshake, before ChangeCipherSpec, the encryption states may not
|
324
|
+
// match |ssl->s3->client_random| and |ssl->s3->server_random|.
|
325
|
+
if (SSL_in_init(ssl)) {
|
326
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
327
|
+
return 0;
|
328
|
+
}
|
306
329
|
|
307
|
-
|
308
|
-
return tls1_prf(digest, out_span, master_key, label, ssl->s3->server_random,
|
309
|
-
ssl->s3->client_random);
|
330
|
+
return generate_key_block(ssl, MakeSpan(out, out_len), SSL_get_session(ssl));
|
310
331
|
}
|
311
332
|
|
312
333
|
int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
|
@@ -931,26 +931,43 @@ bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
|
|
931
931
|
return true;
|
932
932
|
}
|
933
933
|
|
934
|
+
CBS body = msg.body;
|
935
|
+
UniquePtr<SSL_SESSION> session = tls13_create_session_with_ticket(ssl, &body);
|
936
|
+
if (!session) {
|
937
|
+
return false;
|
938
|
+
}
|
939
|
+
|
940
|
+
if ((ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&
|
941
|
+
ssl->session_ctx->new_session_cb != NULL &&
|
942
|
+
ssl->session_ctx->new_session_cb(ssl, session.get())) {
|
943
|
+
// |new_session_cb|'s return value signals that it took ownership.
|
944
|
+
session.release();
|
945
|
+
}
|
946
|
+
|
947
|
+
return true;
|
948
|
+
}
|
949
|
+
|
950
|
+
UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl, CBS *body) {
|
934
951
|
UniquePtr<SSL_SESSION> session = SSL_SESSION_dup(
|
935
952
|
ssl->s3->established_session.get(), SSL_SESSION_INCLUDE_NONAUTH);
|
936
953
|
if (!session) {
|
937
|
-
return
|
954
|
+
return nullptr;
|
938
955
|
}
|
939
956
|
|
940
957
|
ssl_session_rebase_time(ssl, session.get());
|
941
958
|
|
942
959
|
uint32_t server_timeout;
|
943
|
-
CBS
|
944
|
-
if (!CBS_get_u32(
|
945
|
-
!CBS_get_u32(
|
946
|
-
!CBS_get_u8_length_prefixed(
|
947
|
-
!CBS_get_u16_length_prefixed(
|
960
|
+
CBS ticket_nonce, ticket, extensions;
|
961
|
+
if (!CBS_get_u32(body, &server_timeout) ||
|
962
|
+
!CBS_get_u32(body, &session->ticket_age_add) ||
|
963
|
+
!CBS_get_u8_length_prefixed(body, &ticket_nonce) ||
|
964
|
+
!CBS_get_u16_length_prefixed(body, &ticket) ||
|
948
965
|
!session->ticket.CopyFrom(ticket) ||
|
949
|
-
!CBS_get_u16_length_prefixed(
|
950
|
-
CBS_len(
|
966
|
+
!CBS_get_u16_length_prefixed(body, &extensions) ||
|
967
|
+
CBS_len(body) != 0) {
|
951
968
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
952
969
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
953
|
-
return
|
970
|
+
return nullptr;
|
954
971
|
}
|
955
972
|
|
956
973
|
// Cap the renewable lifetime by the server advertised value. This avoids
|
@@ -960,7 +977,7 @@ bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
|
|
960
977
|
}
|
961
978
|
|
962
979
|
if (!tls13_derive_session_psk(session.get(), ticket_nonce)) {
|
963
|
-
return
|
980
|
+
return nullptr;
|
964
981
|
}
|
965
982
|
|
966
983
|
// Parse out the extensions.
|
@@ -975,7 +992,7 @@ bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
|
|
975
992
|
OPENSSL_ARRAY_SIZE(ext_types),
|
976
993
|
1 /* ignore unknown */)) {
|
977
994
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
978
|
-
return
|
995
|
+
return nullptr;
|
979
996
|
}
|
980
997
|
|
981
998
|
if (have_early_data) {
|
@@ -983,7 +1000,7 @@ bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
|
|
983
1000
|
CBS_len(&early_data) != 0) {
|
984
1001
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
985
1002
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
986
|
-
return
|
1003
|
+
return nullptr;
|
987
1004
|
}
|
988
1005
|
|
989
1006
|
// QUIC does not use the max_early_data_size parameter and always sets it to
|
@@ -992,7 +1009,7 @@ bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
|
|
992
1009
|
session->ticket_max_early_data != 0xffffffff) {
|
993
1010
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
994
1011
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
995
|
-
return
|
1012
|
+
return nullptr;
|
996
1013
|
}
|
997
1014
|
}
|
998
1015
|
|
@@ -1004,14 +1021,7 @@ bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
|
|
1004
1021
|
session->ticket_age_add_valid = true;
|
1005
1022
|
session->not_resumable = false;
|
1006
1023
|
|
1007
|
-
|
1008
|
-
ssl->session_ctx->new_session_cb != NULL &&
|
1009
|
-
ssl->session_ctx->new_session_cb(ssl, session.get())) {
|
1010
|
-
// |new_session_cb|'s return value signals that it took ownership.
|
1011
|
-
session.release();
|
1012
|
-
}
|
1013
|
-
|
1014
|
-
return true;
|
1024
|
+
return session;
|
1015
1025
|
}
|
1016
1026
|
|
1017
1027
|
BSSL_NAMESPACE_END
|