grpc 1.34.0 → 1.42.0
- checksums.yaml +4 -4
- data/Makefile +978 -2868
- data/etc/roots.pem +592 -899
- data/include/grpc/byte_buffer.h +1 -1
- data/include/grpc/byte_buffer_reader.h +1 -1
- data/include/grpc/compression.h +1 -1
- data/include/grpc/event_engine/README.md +38 -0
- data/include/grpc/event_engine/endpoint_config.h +43 -0
- data/include/grpc/event_engine/event_engine.h +375 -0
- data/include/grpc/event_engine/internal/memory_allocator_impl.h +98 -0
- data/include/grpc/event_engine/memory_allocator.h +210 -0
- data/include/grpc/event_engine/port.h +39 -0
- data/include/grpc/fork.h +1 -1
- data/include/grpc/grpc.h +49 -4
- data/include/grpc/grpc_posix.h +5 -2
- data/include/grpc/grpc_security.h +127 -14
- data/include/grpc/grpc_security_constants.h +16 -0
- data/include/grpc/impl/codegen/atm.h +5 -3
- data/include/grpc/impl/codegen/atm_gcc_atomic.h +2 -0
- data/include/grpc/impl/codegen/atm_gcc_sync.h +2 -0
- data/include/grpc/impl/codegen/atm_windows.h +6 -0
- data/include/grpc/impl/codegen/byte_buffer.h +3 -1
- data/include/grpc/impl/codegen/byte_buffer_reader.h +2 -0
- data/include/grpc/impl/codegen/compression_types.h +2 -0
- data/include/grpc/impl/codegen/connectivity_state.h +2 -0
- data/include/grpc/impl/codegen/fork.h +2 -0
- data/include/grpc/impl/codegen/gpr_slice.h +2 -0
- data/include/grpc/impl/codegen/gpr_types.h +2 -0
- data/include/grpc/impl/codegen/grpc_types.h +49 -25
- data/include/grpc/impl/codegen/log.h +2 -2
- data/include/grpc/impl/codegen/port_platform.h +81 -22
- data/include/grpc/impl/codegen/propagation_bits.h +2 -0
- data/include/grpc/impl/codegen/slice.h +2 -0
- data/include/grpc/impl/codegen/status.h +2 -0
- data/include/grpc/impl/codegen/sync.h +8 -5
- data/include/grpc/impl/codegen/sync_abseil.h +2 -0
- data/include/grpc/impl/codegen/sync_custom.h +2 -0
- data/include/grpc/impl/codegen/sync_generic.h +3 -0
- data/include/grpc/impl/codegen/sync_posix.h +4 -2
- data/include/grpc/impl/codegen/sync_windows.h +6 -0
- data/include/grpc/module.modulemap +14 -14
- data/include/grpc/slice.h +1 -1
- data/include/grpc/slice_buffer.h +3 -3
- data/include/grpc/status.h +1 -1
- data/include/grpc/support/atm.h +1 -1
- data/include/grpc/support/atm_gcc_atomic.h +1 -1
- data/include/grpc/support/atm_gcc_sync.h +1 -1
- data/include/grpc/support/atm_windows.h +1 -1
- data/include/grpc/support/log.h +1 -1
- data/include/grpc/support/port_platform.h +1 -1
- data/include/grpc/support/sync.h +4 -4
- data/include/grpc/support/sync_abseil.h +1 -1
- data/include/grpc/support/sync_custom.h +1 -1
- data/include/grpc/support/sync_generic.h +1 -1
- data/include/grpc/support/sync_posix.h +1 -1
- data/include/grpc/support/sync_windows.h +1 -1
- data/include/grpc/support/time.h +9 -9
- data/src/core/ext/filters/census/grpc_context.cc +1 -0
- data/src/core/ext/filters/client_channel/backend_metric.cc +20 -24
- data/src/core/ext/filters/client_channel/backup_poller.cc +5 -4
- data/src/core/ext/filters/client_channel/backup_poller.h +1 -0
- data/src/core/ext/filters/client_channel/channel_connectivity.cc +158 -202
- data/src/core/ext/filters/client_channel/client_channel.cc +2009 -3145
- data/src/core/ext/filters/client_channel/client_channel.h +559 -60
- data/src/core/ext/filters/client_channel/client_channel_channelz.cc +6 -5
- data/src/core/ext/filters/client_channel/client_channel_channelz.h +2 -2
- data/src/core/ext/filters/client_channel/client_channel_factory.cc +2 -1
- data/src/core/ext/filters/client_channel/client_channel_factory.h +18 -19
- data/src/core/ext/filters/client_channel/client_channel_plugin.cc +18 -14
- data/src/core/ext/filters/client_channel/config_selector.cc +2 -1
- data/src/core/ext/filters/client_channel/config_selector.h +33 -9
- data/src/core/ext/filters/client_channel/connector.h +19 -19
- data/src/core/ext/filters/client_channel/dynamic_filters.cc +190 -0
- data/src/core/ext/filters/client_channel/dynamic_filters.h +99 -0
- data/src/core/ext/filters/client_channel/global_subchannel_pool.cc +24 -142
- data/src/core/ext/filters/client_channel/global_subchannel_pool.h +15 -11
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +53 -50
- data/src/core/ext/filters/client_channel/health/health_check_client.h +35 -33
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +37 -34
- data/src/core/ext/filters/client_channel/http_connect_handshaker.h +10 -2
- data/src/core/ext/filters/client_channel/http_proxy.cc +36 -20
- data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.cc +6 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +12 -21
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +246 -166
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h +4 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +3 -5
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.cc +2 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.h +4 -3
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.cc +5 -6
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +37 -30
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +53 -55
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +757 -0
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +37 -0
- data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +2502 -0
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +16 -18
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +3 -3
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +24 -27
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +385 -135
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.h +0 -8
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h +29 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +57 -71
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +43 -64
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +1362 -0
- data/src/core/ext/filters/client_channel/lb_policy.cc +6 -17
- data/src/core/ext/filters/client_channel/lb_policy.h +93 -93
- data/src/core/ext/filters/client_channel/lb_policy_factory.h +2 -1
- data/src/core/ext/filters/client_channel/lb_policy_registry.cc +8 -11
- data/src/core/ext/filters/client_channel/lb_policy_registry.h +1 -1
- data/src/core/ext/filters/client_channel/local_subchannel_pool.cc +27 -67
- data/src/core/ext/filters/client_channel/local_subchannel_pool.h +10 -9
- data/src/core/ext/filters/client_channel/resolver/binder/binder_resolver.cc +139 -0
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +76 -88
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +3 -33
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_event_engine.cc +31 -0
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +10 -9
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +26 -23
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +473 -74
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +27 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_event_engine.cc +28 -0
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_windows.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +45 -35
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +43 -46
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +7 -5
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +384 -0
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +22 -35
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +466 -254
- data/src/core/ext/filters/client_channel/resolver.cc +5 -5
- data/src/core/ext/filters/client_channel/resolver.h +4 -15
- data/src/core/ext/filters/client_channel/resolver_factory.h +8 -6
- data/src/core/ext/filters/client_channel/resolver_registry.cc +43 -44
- data/src/core/ext/filters/client_channel/resolver_registry.h +2 -2
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +42 -252
- data/src/core/ext/filters/client_channel/resolver_result_parsing.h +25 -54
- data/src/core/ext/filters/client_channel/retry_filter.cc +2573 -0
- data/src/core/ext/filters/{workarounds/workaround_cronet_compression_filter.h → client_channel/retry_filter.h} +9 -6
- data/src/core/ext/filters/client_channel/retry_service_config.cc +316 -0
- data/src/core/ext/filters/client_channel/retry_service_config.h +96 -0
- data/src/core/ext/filters/client_channel/retry_throttle.cc +20 -49
- data/src/core/ext/filters/client_channel/retry_throttle.h +3 -1
- data/src/core/ext/filters/client_channel/server_address.cc +10 -1
- data/src/core/ext/filters/client_channel/server_address.h +31 -0
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +54 -40
- data/src/core/ext/filters/client_channel/subchannel.cc +179 -329
- data/src/core/ext/filters/client_channel/subchannel.h +101 -158
- data/src/core/ext/filters/client_channel/subchannel_pool_interface.cc +38 -9
- data/src/core/ext/filters/client_channel/subchannel_pool_interface.h +21 -10
- data/src/core/ext/filters/client_idle/client_idle_filter.cc +47 -223
- data/src/core/ext/filters/client_idle/idle_filter_state.cc +96 -0
- data/src/core/ext/filters/client_idle/idle_filter_state.h +66 -0
- data/src/core/ext/filters/deadline/deadline_filter.cc +33 -34
- data/src/core/ext/filters/fault_injection/fault_injection_filter.cc +503 -0
- data/src/core/ext/filters/fault_injection/fault_injection_filter.h +39 -0
- data/src/core/ext/filters/fault_injection/service_config_parser.cc +181 -0
- data/src/core/ext/filters/fault_injection/service_config_parser.h +85 -0
- data/src/core/ext/filters/http/client/http_client_filter.cc +77 -69
- data/src/core/ext/filters/http/client_authority_filter.cc +19 -19
- data/src/core/ext/filters/http/http_filters_plugin.cc +53 -68
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +42 -35
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +29 -30
- data/src/core/ext/filters/http/server/http_server_filter.cc +104 -95
- data/src/core/ext/filters/max_age/max_age_filter.cc +71 -68
- data/src/core/ext/filters/message_size/message_size_filter.cc +43 -41
- data/src/core/ext/filters/message_size/message_size_filter.h +2 -2
- data/src/core/ext/{filters/client_channel → service_config}/service_config.cc +17 -16
- data/src/core/ext/{filters/client_channel → service_config}/service_config.h +11 -10
- data/src/core/ext/{filters/client_channel → service_config}/service_config_call_data.h +23 -19
- data/src/core/ext/{filters/client_channel → service_config}/service_config_parser.cc +9 -9
- data/src/core/ext/{filters/client_channel → service_config}/service_config_parser.h +15 -10
- data/src/core/ext/transport/chttp2/alpn/alpn.cc +2 -1
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +37 -23
- data/src/core/ext/transport/chttp2/client/chttp2_connector.h +9 -7
- data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +42 -35
- data/src/core/ext/transport/chttp2/client/insecure/channel_create_posix.cc +32 -16
- data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +51 -62
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +664 -236
- data/src/core/ext/transport/chttp2/server/chttp2_server.h +11 -2
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +13 -5
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +25 -11
- data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +61 -22
- data/src/core/ext/transport/chttp2/transport/bin_decoder.cc +4 -2
- data/src/core/ext/transport/chttp2/transport/bin_decoder.h +2 -1
- data/src/core/ext/transport/chttp2/transport/bin_encoder.cc +1 -0
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +264 -223
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +16 -2
- data/src/core/ext/transport/chttp2/transport/context_list.cc +4 -5
- data/src/core/ext/transport/chttp2/transport/context_list.h +5 -6
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +59 -40
- data/src/core/ext/transport/chttp2/transport/flow_control.h +23 -17
- data/src/core/ext/transport/chttp2/transport/frame_data.cc +28 -24
- data/src/core/ext/transport/chttp2/transport/frame_data.h +11 -10
- data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +21 -20
- data/src/core/ext/transport/chttp2/transport/frame_goaway.h +7 -6
- data/src/core/ext/transport/chttp2/transport/frame_ping.cc +13 -13
- data/src/core/ext/transport/chttp2/transport/frame_ping.h +8 -6
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +12 -15
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.h +7 -6
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +49 -17
- data/src/core/ext/transport/chttp2/transport/frame_settings.h +9 -7
- data/src/core/ext/transport/chttp2/transport/frame_window_update.cc +22 -19
- data/src/core/ext/transport/chttp2/transport/frame_window_update.h +5 -6
- data/src/core/ext/transport/chttp2/transport/hpack_constants.h +41 -0
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +311 -665
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +240 -70
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_index.h +107 -0
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.cc +86 -0
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.h +69 -0
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +865 -1172
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +100 -81
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +146 -0
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +137 -0
- data/src/core/ext/transport/chttp2/transport/hpack_utils.cc +46 -0
- data/src/core/{lib/transport/authority_override.h → ext/transport/chttp2/transport/hpack_utils.h} +8 -12
- data/src/core/ext/transport/chttp2/transport/internal.h +40 -33
- data/src/core/ext/transport/chttp2/transport/parsing.cc +156 -286
- data/src/core/ext/transport/chttp2/transport/popularity_count.h +60 -0
- data/src/core/ext/transport/chttp2/transport/stream_lists.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/varint.cc +13 -7
- data/src/core/ext/transport/chttp2/transport/varint.h +39 -28
- data/src/core/ext/transport/chttp2/transport/writing.cc +69 -54
- data/src/core/ext/transport/inproc/inproc_transport.cc +204 -160
- data/src/core/ext/upb-generated/envoy/admin/v3/config_dump.upb.c +406 -0
- data/src/core/ext/upb-generated/envoy/admin/v3/config_dump.upb.h +1591 -0
- data/src/core/ext/upb-generated/envoy/annotations/deprecation.upb.c +1 -1
- data/src/core/ext/upb-generated/envoy/annotations/deprecation.upb.h +2 -1
- data/src/core/ext/upb-generated/envoy/annotations/resource.upb.c +3 -3
- data/src/core/ext/upb-generated/envoy/annotations/resource.upb.h +15 -2
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.c +48 -49
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.h +245 -56
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +371 -0
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +1554 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/circuit_breaker.upb.c +16 -16
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/circuit_breaker.upb.h +66 -21
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +178 -142
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +795 -314
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/filter.upb.c +4 -4
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/filter.upb.h +21 -7
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.c +25 -24
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.h +70 -23
- data/src/core/ext/upb-generated/envoy/config/core/v3/address.upb.c +29 -29
- data/src/core/ext/upb-generated/envoy/config/core/v3/address.upb.h +138 -47
- data/src/core/ext/upb-generated/envoy/config/core/v3/backoff.upb.c +5 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/backoff.upb.h +23 -8
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +147 -75
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +522 -96
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.c +27 -27
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h +116 -49
- data/src/core/ext/upb-generated/envoy/config/core/v3/event_service_config.upb.c +3 -3
- data/src/core/ext/upb-generated/envoy/config/core/v3/event_service_config.upb.h +15 -2
- data/src/core/ext/upb-generated/envoy/config/core/v3/extension.upb.c +9 -9
- data/src/core/ext/upb-generated/envoy/config/core/v3/extension.upb.h +42 -14
- data/src/core/ext/upb-generated/envoy/config/core/v3/grpc_service.upb.c +63 -63
- data/src/core/ext/upb-generated/envoy/config/core/v3/grpc_service.upb.h +228 -63
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c +57 -56
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.h +244 -98
- data/src/core/ext/upb-generated/envoy/config/core/v3/http_uri.upb.c +5 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/http_uri.upb.h +25 -11
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +125 -57
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +533 -89
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +3 -4
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +15 -2
- data/src/core/ext/upb-generated/envoy/config/core/v3/resolver.upb.c +46 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/resolver.upb.h +133 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/socket_option.upb.c +8 -8
- data/src/core/ext/upb-generated/envoy/config/core/v3/socket_option.upb.h +17 -4
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +15 -8
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.h +56 -9
- data/src/core/ext/upb-generated/envoy/config/core/v3/udp_socket_config.upb.c +35 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/udp_socket_config.upb.h +96 -0
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.c +16 -17
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.h +81 -40
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint_components.upb.c +56 -22
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint_components.upb.h +223 -34
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/load_report.upb.c +32 -32
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/load_report.upb.h +137 -72
- data/src/core/ext/upb-generated/envoy/config/listener/v3/api_listener.upb.c +3 -3
- data/src/core/ext/upb-generated/envoy/config/listener/v3/api_listener.upb.h +19 -5
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +48 -38
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +276 -103
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +51 -45
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +203 -62
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +48 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +177 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +10 -9
- data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.h +55 -22
- data/src/core/ext/upb-generated/envoy/config/metrics/v3/stats.upb.c +144 -0
- data/src/core/ext/upb-generated/envoy/config/metrics/v3/stats.upb.h +536 -0
- data/src/core/ext/upb-generated/envoy/config/overload/v3/overload.upb.c +153 -0
- data/src/core/ext/upb-generated/envoy/config/overload/v3/overload.upb.h +550 -0
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +51 -44
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +165 -43
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +35 -16
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +148 -40
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +339 -279
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +1466 -543
- data/src/core/ext/upb-generated/envoy/config/route/v3/scoped_route.upb.c +10 -10
- data/src/core/ext/upb-generated/envoy/config/route/v3/scoped_route.upb.h +48 -10
- data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.c +6 -7
- data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.h +32 -6
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c +29 -0
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h +73 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c +79 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h +298 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c +79 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h +303 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c +42 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h +123 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +151 -112
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +693 -244
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c +1 -2
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.h +2 -1
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +52 -32
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +231 -59
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.c +15 -18
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.h +51 -28
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.c +45 -44
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.h +178 -74
- data/src/core/ext/upb-generated/envoy/service/cluster/v3/cds.upb.c +2 -2
- data/src/core/ext/upb-generated/envoy/service/cluster/v3/cds.upb.h +15 -2
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/ads.upb.c +2 -2
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/ads.upb.h +15 -2
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.c +58 -51
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.h +221 -135
- data/src/core/ext/upb-generated/envoy/service/endpoint/v3/eds.upb.c +2 -5
- data/src/core/ext/upb-generated/envoy/service/endpoint/v3/eds.upb.h +15 -2
- data/src/core/ext/upb-generated/envoy/service/listener/v3/lds.upb.c +2 -5
- data/src/core/ext/upb-generated/envoy/service/listener/v3/lds.upb.h +15 -2
- data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.c +9 -10
- data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.h +46 -19
- data/src/core/ext/upb-generated/envoy/service/route/v3/rds.upb.c +2 -4
- data/src/core/ext/upb-generated/envoy/service/route/v3/rds.upb.h +15 -2
- data/src/core/ext/upb-generated/envoy/service/route/v3/srds.upb.c +2 -2
- data/src/core/ext/upb-generated/envoy/service/route/v3/srds.upb.h +15 -2
- data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.c +121 -0
- data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.h +468 -0
- data/src/core/ext/upb-generated/envoy/type/http/v3/path_transformation.upb.c +60 -0
- data/src/core/ext/upb-generated/envoy/type/http/v3/path_transformation.upb.h +205 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/metadata.upb.c +9 -8
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/metadata.upb.h +44 -14
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/node.upb.c +36 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/node.upb.h +96 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/number.upb.c +4 -4
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/number.upb.h +15 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/path.upb.c +3 -3
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/path.upb.h +15 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/regex.upb.c +10 -9
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/regex.upb.h +51 -12
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.c +10 -11
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.h +31 -6
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/struct.upb.c +46 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/struct.upb.h +136 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/value.upb.c +11 -11
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/value.upb.h +41 -4
- data/src/core/ext/upb-generated/envoy/type/metadata/v3/metadata.upb.c +15 -15
- data/src/core/ext/upb-generated/envoy/type/metadata/v3/metadata.upb.h +96 -11
- data/src/core/ext/upb-generated/envoy/type/tracing/v3/custom_tag.upb.c +19 -19
- data/src/core/ext/upb-generated/envoy/type/tracing/v3/custom_tag.upb.h +77 -14
- data/src/core/ext/upb-generated/envoy/type/v3/http.upb.c +1 -1
- data/src/core/ext/upb-generated/envoy/type/v3/http.upb.h +2 -1
- data/src/core/ext/upb-generated/envoy/type/v3/percent.upb.c +6 -6
- data/src/core/ext/upb-generated/envoy/type/v3/percent.upb.h +30 -5
- data/src/core/ext/upb-generated/envoy/type/v3/range.upb.c +10 -10
- data/src/core/ext/upb-generated/envoy/type/v3/range.upb.h +41 -4
- data/src/core/ext/upb-generated/envoy/type/v3/semantic_version.upb.c +5 -5
- data/src/core/ext/upb-generated/envoy/type/v3/semantic_version.upb.h +15 -2
- data/src/core/ext/upb-generated/google/api/annotations.upb.c +1 -1
- data/src/core/ext/upb-generated/google/api/annotations.upb.h +2 -1
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/checked.upb.c +62 -62
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/checked.upb.h +227 -84
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.c +86 -69
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h +256 -72
- data/src/core/ext/upb-generated/google/api/http.upb.c +18 -18
- data/src/core/ext/upb-generated/google/api/http.upb.h +47 -10
- data/src/core/ext/upb-generated/google/protobuf/any.upb.c +4 -4
- data/src/core/ext/upb-generated/google/protobuf/any.upb.h +15 -2
- data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.c +154 -154
- data/src/core/ext/upb-generated/google/protobuf/descriptor.upb.h +645 -320
- data/src/core/ext/upb-generated/google/protobuf/duration.upb.c +4 -4
- data/src/core/ext/upb-generated/google/protobuf/duration.upb.h +15 -2
- data/src/core/ext/upb-generated/google/protobuf/empty.upb.c +2 -2
- data/src/core/ext/upb-generated/google/protobuf/empty.upb.h +15 -2
- data/src/core/ext/upb-generated/google/protobuf/struct.upb.c +15 -15
- data/src/core/ext/upb-generated/google/protobuf/struct.upb.h +44 -7
- data/src/core/ext/upb-generated/google/protobuf/timestamp.upb.c +4 -4
- data/src/core/ext/upb-generated/google/protobuf/timestamp.upb.h +15 -2
- data/src/core/ext/upb-generated/google/protobuf/wrappers.upb.c +19 -19
- data/src/core/ext/upb-generated/google/protobuf/wrappers.upb.h +119 -10
- data/src/core/ext/upb-generated/google/rpc/status.upb.c +5 -5
- data/src/core/ext/upb-generated/google/rpc/status.upb.h +18 -5
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/altscontext.upb.c +12 -12
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/altscontext.upb.h +19 -5
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.c +63 -63
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.h +220 -87
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/transport_security_common.upb.c +8 -8
- data/src/core/ext/upb-generated/src/proto/grpc/gcp/transport_security_common.upb.h +36 -9
- data/src/core/ext/upb-generated/src/proto/grpc/health/v1/health.upb.c +5 -5
- data/src/core/ext/upb-generated/src/proto/grpc/health/v1/health.upb.h +28 -3
- data/src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.c +31 -31
- data/src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.h +146 -35
- data/src/core/ext/upb-generated/src/proto/grpc/lookup/v1/rls.upb.c +55 -0
- data/src/core/ext/upb-generated/src/proto/grpc/lookup/v1/rls.upb.h +154 -0
- data/src/core/ext/upb-generated/udpa/annotations/migrate.upb.c +8 -8
- data/src/core/ext/upb-generated/udpa/annotations/migrate.upb.h +41 -4
- data/src/core/ext/upb-generated/udpa/annotations/security.upb.c +4 -6
- data/src/core/ext/upb-generated/udpa/annotations/security.upb.h +15 -2
- data/src/core/ext/upb-generated/udpa/annotations/sensitive.upb.c +1 -1
- data/src/core/ext/upb-generated/udpa/annotations/sensitive.upb.h +2 -1
- data/src/core/ext/upb-generated/udpa/annotations/status.upb.c +4 -4
- data/src/core/ext/upb-generated/udpa/annotations/status.upb.h +17 -4
- data/src/core/ext/upb-generated/udpa/annotations/versioning.upb.c +3 -3
- data/src/core/ext/upb-generated/udpa/annotations/versioning.upb.h +15 -2
- data/src/core/ext/upb-generated/validate/validate.upb.c +243 -227
- data/src/core/ext/upb-generated/validate/validate.upb.h +626 -253
- data/src/core/ext/upb-generated/xds/annotations/v3/status.upb.c +58 -0
- data/src/core/ext/upb-generated/xds/annotations/v3/status.upb.h +182 -0
- data/src/core/ext/upb-generated/xds/core/v3/authority.upb.c +28 -0
- data/src/core/ext/upb-generated/xds/core/v3/authority.upb.h +66 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.c +52 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.h +155 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.c +42 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.h +90 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource.upb.c +36 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource.upb.h +100 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.c +54 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.h +178 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.c +36 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.h +91 -0
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +58 -0
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +130 -0
- data/src/core/ext/upb-generated/xds/type/v3/typed_struct.upb.c +33 -0
- data/src/core/ext/upb-generated/xds/type/v3/typed_struct.upb.h +83 -0
- data/src/core/ext/upbdefs-generated/envoy/admin/v3/config_dump.upbdefs.c +354 -0
- data/src/core/ext/upbdefs-generated/envoy/admin/v3/config_dump.upbdefs.h +140 -0
- data/src/core/ext/upbdefs-generated/envoy/annotations/deprecation.upbdefs.c +15 -7
- data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.c +168 -170
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +424 -0
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.h +120 -0
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +467 -429
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.h +12 -2
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/outlier_detection.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +156 -109
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +25 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.c +89 -88
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.c +156 -153
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +240 -168
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.h +20 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +4 -7
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/resolver.upbdefs.c +59 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/resolver.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.c +37 -20
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/udp_socket_config.upbdefs.c +52 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/udp_socket_config.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint.upbdefs.c +56 -59
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint_components.upbdefs.c +90 -63
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint_components.upbdefs.h +10 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +137 -122
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.c +136 -120
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +90 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c +31 -26
- data/src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c +141 -0
- data/src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h +70 -0
- data/src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c +152 -0
- data/src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h +75 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c +69 -51
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +748 -681
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +15 -0
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/http_tracer.upbdefs.c +22 -25
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c +51 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.c +102 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h +55 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c +123 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h +45 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c +79 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +435 -379
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.h +10 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c +12 -16
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.c +121 -91
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/secret.upbdefs.c +45 -53
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +182 -180
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.c +92 -102
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/service/endpoint/v3/eds.upbdefs.c +32 -42
- data/src/core/ext/upbdefs-generated/envoy/service/listener/v3/lds.upbdefs.c +30 -40
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +4 -7
- data/src/core/ext/upbdefs-generated/envoy/service/route/v3/rds.upbdefs.c +38 -44
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +163 -0
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.h +55 -0
- data/src/core/ext/upbdefs-generated/envoy/type/http/v3/path_transformation.upbdefs.c +64 -0
- data/src/core/ext/upbdefs-generated/envoy/type/http/v3/path_transformation.upbdefs.h +50 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/metadata.upbdefs.c +14 -13
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/node.upbdefs.c +56 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/node.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/regex.upbdefs.c +35 -32
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/string.upbdefs.c +30 -33
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/struct.upbdefs.c +63 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/struct.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c +8 -7
- data/src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.c +100 -100
- data/src/core/ext/upbdefs-generated/google/protobuf/duration.upbdefs.c +9 -8
- data/src/core/ext/upbdefs-generated/google/protobuf/empty.upbdefs.c +8 -8
- data/src/core/ext/upbdefs-generated/google/protobuf/struct.upbdefs.c +8 -8
- data/src/core/ext/upbdefs-generated/google/protobuf/timestamp.upbdefs.c +9 -8
- data/src/core/ext/upbdefs-generated/google/protobuf/wrappers.upbdefs.c +8 -8
- data/src/core/ext/upbdefs-generated/google/rpc/status.upbdefs.c +4 -4
- data/src/core/ext/upbdefs-generated/udpa/annotations/migrate.upbdefs.c +5 -4
- data/src/core/ext/upbdefs-generated/udpa/annotations/security.upbdefs.c +19 -23
- data/src/core/ext/upbdefs-generated/udpa/annotations/sensitive.upbdefs.c +4 -3
- data/src/core/ext/upbdefs-generated/udpa/annotations/status.upbdefs.c +5 -3
- data/src/core/ext/upbdefs-generated/udpa/annotations/versioning.upbdefs.c +5 -4
- data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.c +182 -157
- data/src/core/ext/upbdefs-generated/xds/annotations/v3/status.upbdefs.c +75 -0
- data/src/core/ext/upbdefs-generated/xds/annotations/v3/status.upbdefs.h +50 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.c +43 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.c +63 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.c +46 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.c +50 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.c +68 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.c +51 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/type/v3/typed_struct.upbdefs.c +45 -0
- data/src/core/ext/upbdefs-generated/xds/type/v3/typed_struct.upbdefs.h +35 -0
- data/src/core/ext/xds/certificate_provider_factory.h +1 -1
- data/src/core/ext/xds/certificate_provider_registry.cc +2 -2
- data/src/core/ext/xds/certificate_provider_store.cc +10 -7
- data/src/core/ext/xds/certificate_provider_store.h +15 -10
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc +28 -3
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.h +3 -6
- data/src/core/ext/xds/xds_api.cc +2654 -808
- data/src/core/ext/xds/xds_api.h +460 -154
- data/src/core/ext/xds/xds_bootstrap.cc +139 -188
- data/src/core/ext/xds/xds_bootstrap.h +34 -18
- data/src/core/ext/xds/xds_certificate_provider.cc +237 -72
- data/src/core/ext/xds/xds_certificate_provider.h +104 -27
- data/src/core/ext/xds/xds_channel_args.h +5 -2
- data/src/core/ext/xds/xds_channel_stack_modifier.cc +113 -0
- data/src/core/ext/xds/xds_channel_stack_modifier.h +52 -0
- data/src/core/ext/xds/xds_client.cc +985 -429
- data/src/core/ext/xds/xds_client.h +100 -51
- data/src/core/ext/xds/xds_client_stats.cc +18 -16
- data/src/core/ext/xds/xds_client_stats.h +12 -11
- data/src/core/ext/xds/xds_http_fault_filter.cc +227 -0
- data/src/core/ext/xds/xds_http_fault_filter.h +64 -0
- data/src/core/ext/xds/xds_http_filters.cc +116 -0
- data/src/core/ext/xds/xds_http_filters.h +133 -0
- data/src/core/ext/xds/xds_server_config_fetcher.cc +544 -0
- data/src/core/lib/{iomgr → address_utils}/parse_address.cc +72 -68
- data/src/core/lib/{iomgr → address_utils}/parse_address.h +20 -16
- data/src/core/lib/{iomgr → address_utils}/sockaddr_utils.cc +131 -15
- data/src/core/lib/{iomgr → address_utils}/sockaddr_utils.h +37 -7
- data/src/core/lib/avl/avl.cc +5 -5
- data/src/core/lib/backoff/backoff.cc +1 -1
- data/src/core/lib/channel/call_tracer.h +85 -0
- data/src/core/lib/channel/channel_args.cc +34 -15
- data/src/core/lib/channel/channel_args.h +9 -0
- data/src/core/lib/channel/channel_stack.cc +27 -12
- data/src/core/lib/channel/channel_stack.h +18 -10
- data/src/core/lib/channel/channel_stack_builder.cc +6 -16
- data/src/core/lib/channel/channel_stack_builder.h +1 -9
- data/src/core/lib/channel/channel_trace.cc +5 -4
- data/src/core/lib/channel/channel_trace.h +3 -2
- data/src/core/lib/channel/channelz.cc +162 -63
- data/src/core/lib/channel/channelz.h +62 -31
- data/src/core/lib/channel/channelz_registry.cc +22 -7
- data/src/core/lib/channel/channelz_registry.h +1 -2
- data/src/core/lib/channel/connected_channel.cc +6 -7
- data/src/core/lib/channel/connected_channel.h +1 -2
- data/src/core/lib/channel/context.h +3 -0
- data/src/core/lib/channel/handshaker.cc +13 -53
- data/src/core/lib/channel/handshaker.h +7 -25
- data/src/core/lib/channel/handshaker_factory.h +10 -2
- data/src/core/lib/channel/handshaker_registry.cc +15 -70
- data/src/core/lib/channel/handshaker_registry.h +29 -12
- data/src/core/lib/channel/status_util.cc +12 -2
- data/src/core/lib/channel/status_util.h +11 -2
- data/src/core/lib/compression/algorithm_metadata.h +1 -0
- data/src/core/lib/compression/compression.cc +2 -2
- data/src/core/lib/compression/compression_args.cc +11 -7
- data/src/core/lib/compression/compression_internal.cc +4 -6
- data/src/core/lib/compression/compression_internal.h +1 -1
- data/src/core/lib/compression/message_compress.cc +2 -2
- data/src/core/lib/compression/stream_compression.cc +2 -1
- data/src/core/lib/compression/stream_compression.h +3 -2
- data/src/core/lib/compression/stream_compression_gzip.cc +2 -1
- data/src/core/lib/compression/stream_compression_gzip.h +1 -1
- data/src/core/lib/compression/stream_compression_identity.cc +2 -1
- data/src/core/lib/compression/stream_compression_identity.h +1 -1
- data/src/core/lib/config/core_configuration.cc +96 -0
- data/src/core/lib/config/core_configuration.h +146 -0
- data/src/core/lib/debug/stats.cc +1 -1
- data/src/core/lib/debug/stats.h +4 -3
- data/src/core/lib/debug/stats_data.cc +15 -14
- data/src/core/lib/debug/stats_data.h +14 -13
- data/src/core/lib/debug/trace.cc +1 -0
- data/src/core/lib/debug/trace.h +2 -1
- data/src/core/lib/event_engine/endpoint_config.cc +45 -0
- data/src/core/lib/event_engine/endpoint_config_internal.h +42 -0
- data/src/core/lib/event_engine/event_engine.cc +50 -0
- data/src/core/lib/event_engine/sockaddr.cc +40 -0
- data/src/core/lib/event_engine/sockaddr.h +44 -0
- data/src/core/lib/gpr/alloc.cc +7 -5
- data/src/core/lib/gpr/atm.cc +1 -1
- data/src/core/lib/gpr/cpu_posix.cc +1 -1
- data/src/core/lib/gpr/env_linux.cc +1 -2
- data/src/core/lib/gpr/env_posix.cc +2 -3
- data/src/core/lib/gpr/log.cc +61 -19
- data/src/core/lib/gpr/log_android.cc +3 -2
- data/src/core/lib/gpr/log_linux.cc +10 -5
- data/src/core/lib/gpr/log_posix.cc +9 -4
- data/src/core/lib/gpr/log_windows.cc +3 -1
- data/src/core/lib/gpr/murmur_hash.cc +4 -2
- data/src/core/lib/gpr/spinlock.h +10 -2
- data/src/core/lib/gpr/string.cc +24 -23
- data/src/core/lib/gpr/string.h +7 -8
- data/src/core/lib/gpr/sync.cc +6 -6
- data/src/core/lib/gpr/sync_abseil.cc +10 -12
- data/src/core/lib/gpr/sync_posix.cc +3 -3
- data/src/core/lib/gpr/sync_windows.cc +2 -2
- data/src/core/lib/gpr/time.cc +15 -14
- data/src/core/lib/gpr/time_windows.cc +3 -2
- data/src/core/lib/gpr/tls.h +119 -40
- data/src/core/lib/gpr/tmpfile_posix.cc +1 -2
- data/src/core/lib/gpr/useful.h +79 -32
- data/src/core/lib/gpr/wrap_memcpy.cc +2 -1
- data/src/core/lib/gprpp/arena.cc +2 -1
- data/src/core/lib/gprpp/arena.h +18 -7
- data/src/core/lib/gprpp/atomic_utils.h +47 -0
- data/src/core/lib/gprpp/bitset.h +188 -0
- data/src/core/lib/gprpp/chunked_vector.h +211 -0
- data/src/core/lib/gprpp/construct_destruct.h +39 -0
- data/src/core/lib/gprpp/dual_ref_counted.h +28 -29
- data/src/core/lib/gprpp/fork.cc +14 -12
- data/src/core/lib/gprpp/fork.h +4 -4
- data/src/core/lib/gprpp/global_config.h +1 -2
- data/src/core/lib/gprpp/global_config_env.cc +7 -7
- data/src/core/lib/gprpp/global_config_generic.h +2 -2
- data/src/core/lib/gprpp/manual_constructor.h +9 -6
- data/src/core/lib/gprpp/match.h +73 -0
- data/src/core/lib/gprpp/memory.h +9 -3
- data/src/core/lib/gprpp/mpscq.cc +9 -9
- data/src/core/lib/gprpp/mpscq.h +6 -5
- data/src/core/lib/gprpp/orphanable.h +6 -6
- data/src/core/lib/gprpp/overload.h +59 -0
- data/src/core/lib/gprpp/ref_counted.h +48 -34
- data/src/core/lib/gprpp/ref_counted_ptr.h +11 -1
- data/src/core/lib/gprpp/status_helper.cc +427 -0
- data/src/core/lib/gprpp/status_helper.h +194 -0
- data/src/core/lib/gprpp/sync.h +106 -43
- data/src/core/lib/gprpp/table.h +411 -0
- data/src/core/lib/gprpp/thd.h +1 -1
- data/src/core/lib/gprpp/thd_posix.cc +11 -6
- data/src/core/lib/gprpp/thd_windows.cc +7 -12
- data/src/core/lib/gprpp/time_util.cc +77 -0
- data/src/core/lib/gprpp/time_util.h +42 -0
- data/src/core/lib/http/format_request.cc +1 -0
- data/src/core/lib/http/format_request.h +1 -0
- data/src/core/lib/http/httpcli.cc +203 -185
- data/src/core/lib/http/httpcli.h +5 -3
- data/src/core/lib/http/httpcli_security_connector.cc +19 -18
- data/src/core/lib/http/parser.cc +19 -20
- data/src/core/lib/http/parser.h +5 -4
- data/src/core/lib/iomgr/buffer_list.cc +10 -11
- data/src/core/lib/iomgr/buffer_list.h +6 -8
- data/src/core/lib/iomgr/call_combiner.cc +46 -21
- data/src/core/lib/iomgr/call_combiner.h +12 -14
- data/src/core/lib/iomgr/cfstream_handle.cc +6 -6
- data/src/core/lib/iomgr/cfstream_handle.h +1 -1
- data/src/core/lib/iomgr/closure.h +7 -6
- data/src/core/lib/iomgr/combiner.cc +25 -36
- data/src/core/lib/iomgr/combiner.h +3 -2
- data/src/core/lib/iomgr/dualstack_socket_posix.cc +1 -0
- data/src/core/lib/iomgr/endpoint.cc +1 -5
- data/src/core/lib/iomgr/endpoint.h +3 -5
- data/src/core/lib/iomgr/endpoint_cfstream.cc +27 -39
- data/src/core/lib/iomgr/endpoint_cfstream.h +1 -1
- data/src/core/lib/iomgr/endpoint_pair.h +1 -0
- data/src/core/lib/iomgr/endpoint_pair_event_engine.cc +32 -0
- data/src/core/lib/iomgr/endpoint_pair_posix.cc +15 -11
- data/src/core/lib/iomgr/endpoint_pair_windows.cc +17 -9
- data/src/core/lib/iomgr/error.cc +277 -105
- data/src/core/lib/iomgr/error.h +280 -114
- data/src/core/lib/iomgr/error_cfstream.cc +10 -4
- data/src/core/lib/iomgr/error_cfstream.h +2 -2
- data/src/core/lib/iomgr/error_internal.h +7 -2
- data/src/core/lib/iomgr/ev_apple.cc +16 -13
- data/src/core/lib/iomgr/ev_apple.h +1 -1
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +53 -53
- data/src/core/lib/iomgr/ev_epollex_linux.cc +81 -81
- data/src/core/lib/iomgr/ev_poll_posix.cc +70 -68
- data/src/core/lib/iomgr/ev_posix.cc +13 -13
- data/src/core/lib/iomgr/ev_posix.h +9 -9
- data/src/core/lib/iomgr/event_engine/closure.cc +77 -0
- data/src/core/lib/iomgr/event_engine/closure.h +42 -0
- data/src/core/lib/iomgr/event_engine/endpoint.cc +173 -0
- data/src/core/lib/iomgr/event_engine/endpoint.h +52 -0
- data/src/core/lib/iomgr/event_engine/iomgr.cc +104 -0
- data/src/core/lib/iomgr/event_engine/iomgr.h +42 -0
- data/src/core/lib/iomgr/event_engine/pollset.cc +88 -0
- data/src/core/lib/iomgr/event_engine/pollset.h +25 -0
- data/src/core/lib/iomgr/event_engine/promise.h +51 -0
- data/src/core/lib/iomgr/event_engine/resolved_address_internal.cc +41 -0
- data/src/core/lib/iomgr/event_engine/resolved_address_internal.h +35 -0
- data/src/core/lib/iomgr/event_engine/resolver.cc +114 -0
- data/src/core/lib/iomgr/event_engine/tcp.cc +293 -0
- data/src/core/lib/iomgr/event_engine/timer.cc +62 -0
- data/src/core/lib/iomgr/exec_ctx.cc +14 -11
- data/src/core/lib/iomgr/exec_ctx.h +21 -28
- data/src/core/lib/iomgr/executor/mpmcqueue.cc +15 -16
- data/src/core/lib/iomgr/executor/mpmcqueue.h +7 -11
- data/src/core/lib/iomgr/executor/threadpool.cc +4 -5
- data/src/core/lib/iomgr/executor/threadpool.h +5 -4
- data/src/core/lib/iomgr/executor.cc +19 -33
- data/src/core/lib/iomgr/executor.h +3 -3
- data/src/core/lib/iomgr/grpc_if_nametoindex_posix.cc +2 -2
- data/src/core/lib/iomgr/grpc_if_nametoindex_unsupported.cc +2 -2
- data/src/core/lib/iomgr/internal_errqueue.cc +3 -2
- data/src/core/lib/iomgr/iocp_windows.cc +1 -0
- data/src/core/lib/iomgr/iomgr.cc +6 -4
- data/src/core/lib/iomgr/iomgr.h +3 -3
- data/src/core/lib/iomgr/iomgr_custom.cc +3 -3
- data/src/core/lib/iomgr/iomgr_custom.h +2 -2
- data/src/core/lib/iomgr/iomgr_internal.cc +8 -12
- data/src/core/lib/iomgr/iomgr_internal.h +6 -5
- data/src/core/lib/iomgr/iomgr_posix.cc +3 -2
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +42 -13
- data/src/core/lib/iomgr/iomgr_windows.cc +2 -3
- data/src/core/lib/iomgr/is_epollexclusive_available.cc +4 -4
- data/src/core/lib/iomgr/load_file.cc +6 -6
- data/src/core/lib/iomgr/load_file.h +2 -2
- data/src/core/lib/iomgr/lockfree_event.cc +38 -15
- data/src/core/lib/iomgr/lockfree_event.h +2 -2
- data/src/core/lib/iomgr/polling_entity.cc +2 -2
- data/src/core/lib/iomgr/pollset.cc +5 -5
- data/src/core/lib/iomgr/pollset.h +9 -9
- data/src/core/lib/iomgr/pollset_custom.cc +10 -11
- data/src/core/lib/iomgr/pollset_custom.h +3 -1
- data/src/core/lib/iomgr/pollset_set_custom.cc +2 -3
- data/src/core/lib/iomgr/pollset_set_windows.cc +1 -0
- data/src/core/lib/iomgr/pollset_windows.cc +5 -5
- data/src/core/lib/iomgr/port.h +7 -10
- data/src/core/lib/iomgr/python_util.h +4 -3
- data/src/core/lib/iomgr/resolve_address.cc +14 -9
- data/src/core/lib/iomgr/resolve_address.h +12 -10
- data/src/core/lib/iomgr/resolve_address_custom.cc +14 -13
- data/src/core/lib/iomgr/resolve_address_custom.h +3 -4
- data/src/core/lib/iomgr/resolve_address_posix.cc +10 -14
- data/src/core/lib/iomgr/resolve_address_windows.cc +10 -12
- data/src/core/lib/iomgr/resource_quota.cc +152 -62
- data/src/core/lib/iomgr/resource_quota.h +66 -17
- data/src/core/lib/iomgr/sockaddr.h +2 -1
- data/src/core/lib/iomgr/socket_factory_posix.cc +8 -7
- data/src/core/lib/iomgr/socket_factory_posix.h +1 -0
- data/src/core/lib/iomgr/socket_mutator.cc +20 -6
- data/src/core/lib/iomgr/socket_mutator.h +27 -3
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +29 -27
- data/src/core/lib/iomgr/socket_utils_linux.cc +4 -4
- data/src/core/lib/iomgr/socket_utils_posix.cc +2 -2
- data/src/core/lib/iomgr/socket_utils_posix.h +22 -22
- data/src/core/lib/iomgr/socket_utils_windows.cc +2 -2
- data/src/core/lib/iomgr/tcp_client.cc +5 -3
- data/src/core/lib/iomgr/tcp_client.h +4 -0
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +18 -26
- data/src/core/lib/iomgr/tcp_client_custom.cc +19 -27
- data/src/core/lib/iomgr/tcp_client_posix.cc +56 -47
- data/src/core/lib/iomgr/tcp_client_posix.h +8 -6
- data/src/core/lib/iomgr/tcp_client_windows.cc +23 -14
- data/src/core/lib/iomgr/tcp_custom.cc +46 -55
- data/src/core/lib/iomgr/tcp_custom.h +15 -13
- data/src/core/lib/iomgr/tcp_posix.cc +119 -145
- data/src/core/lib/iomgr/tcp_posix.h +19 -12
- data/src/core/lib/iomgr/tcp_server.cc +9 -7
- data/src/core/lib/iomgr/tcp_server.h +18 -14
- data/src/core/lib/iomgr/tcp_server_custom.cc +63 -73
- data/src/core/lib/iomgr/tcp_server_posix.cc +49 -35
- data/src/core/lib/iomgr/tcp_server_utils_posix.h +16 -12
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +22 -20
- data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +11 -12
- data/src/core/lib/iomgr/tcp_server_utils_posix_noifaddrs.cc +4 -4
- data/src/core/lib/iomgr/tcp_server_windows.cc +40 -36
- data/src/core/lib/iomgr/tcp_windows.cc +21 -40
- data/src/core/lib/iomgr/tcp_windows.h +4 -3
- data/src/core/lib/iomgr/timer.cc +1 -0
- data/src/core/lib/iomgr/timer.h +7 -3
- data/src/core/lib/iomgr/timer_custom.cc +7 -6
- data/src/core/lib/iomgr/timer_custom.h +1 -1
- data/src/core/lib/iomgr/timer_generic.cc +32 -62
- data/src/core/lib/iomgr/timer_generic.h +1 -0
- data/src/core/lib/iomgr/timer_heap.cc +2 -3
- data/src/core/lib/iomgr/timer_manager.cc +4 -4
- data/src/core/lib/iomgr/unix_sockets_posix.cc +21 -24
- data/src/core/lib/iomgr/unix_sockets_posix.h +4 -5
- data/src/core/lib/iomgr/unix_sockets_posix_noop.cc +10 -7
- data/src/core/lib/iomgr/wakeup_fd_eventfd.cc +3 -3
- data/src/core/lib/iomgr/wakeup_fd_nospecial.cc +2 -1
- data/src/core/lib/iomgr/wakeup_fd_pipe.cc +6 -7
- data/src/core/lib/iomgr/wakeup_fd_posix.cc +4 -3
- data/src/core/lib/iomgr/wakeup_fd_posix.h +8 -6
- data/src/core/lib/iomgr/work_serializer.cc +4 -4
- data/src/core/lib/iomgr/work_serializer.h +18 -2
- data/src/core/lib/json/json.h +11 -1
- data/src/core/lib/json/json_reader.cc +14 -23
- data/src/core/lib/json/json_util.cc +68 -0
- data/src/core/lib/json/json_util.h +65 -115
- data/src/core/lib/json/json_writer.cc +0 -3
- data/src/core/lib/matchers/matchers.cc +327 -0
- data/src/core/lib/matchers/matchers.h +160 -0
- data/src/core/lib/profiling/basic_timers.cc +8 -6
- data/src/core/lib/profiling/stap_timers.cc +2 -2
- data/src/core/lib/security/authorization/authorization_engine.h +13 -53
- data/src/core/lib/security/authorization/authorization_policy_provider.h +33 -0
- data/src/core/lib/security/authorization/authorization_policy_provider_vtable.cc +46 -0
- data/src/core/lib/security/authorization/evaluate_args.cc +126 -66
- data/src/core/lib/security/authorization/evaluate_args.h +47 -15
- data/src/core/lib/security/authorization/sdk_server_authz_filter.cc +171 -0
- data/src/core/lib/security/authorization/sdk_server_authz_filter.h +67 -0
- data/src/core/lib/security/context/security_context.cc +15 -11
- data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -1
- data/src/core/lib/security/credentials/alts/alts_credentials.h +1 -1
- data/src/core/lib/security/credentials/alts/check_gcp_environment.cc +1 -1
- data/src/core/lib/security/credentials/alts/check_gcp_environment_linux.cc +2 -2
- data/src/core/lib/security/credentials/alts/check_gcp_environment_no_op.cc +2 -2
- data/src/core/lib/security/credentials/alts/check_gcp_environment_windows.cc +2 -2
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +9 -8
- data/src/core/lib/security/credentials/composite/composite_credentials.h +2 -2
- data/src/core/lib/security/credentials/credentials.cc +16 -14
- data/src/core/lib/security/credentials/credentials.h +11 -5
- data/src/core/lib/security/credentials/credentials_metadata.cc +2 -3
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +404 -0
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +81 -0
- data/src/core/lib/security/credentials/external/aws_request_signer.cc +20 -14
- data/src/core/lib/security/credentials/external/aws_request_signer.h +2 -3
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +270 -54
- data/src/core/lib/security/credentials/external/external_account_credentials.h +16 -12
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +8 -8
- data/src/core/lib/security/credentials/external/file_external_account_credentials.h +6 -6
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +26 -26
- data/src/core/lib/security/credentials/external/url_external_account_credentials.h +13 -12
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +5 -4
- data/src/core/lib/security/credentials/fake/fake_credentials.h +2 -2
- data/src/core/lib/security/credentials/google_default/credentials_generic.cc +1 -2
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +92 -31
- data/src/core/lib/security/credentials/iam/iam_credentials.cc +4 -3
- data/src/core/lib/security/credentials/iam/iam_credentials.h +2 -2
- data/src/core/lib/security/credentials/insecure/insecure_credentials.cc +18 -5
- data/src/core/lib/security/credentials/jwt/json_token.cc +4 -7
- data/src/core/lib/security/credentials/jwt/json_token.h +2 -1
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +34 -17
- data/src/core/lib/security/credentials/jwt/jwt_credentials.h +13 -5
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +15 -22
- data/src/core/lib/security/credentials/jwt/jwt_verifier.h +3 -3
- data/src/core/lib/security/credentials/local/local_credentials.cc +2 -1
- data/src/core/lib/security/credentials/local/local_credentials.h +1 -1
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +57 -66
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +11 -9
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +10 -12
- data/src/core/lib/security/credentials/plugin/plugin_credentials.h +2 -2
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +11 -10
- data/src/core/lib/security/credentials/ssl/ssl_credentials.h +2 -3
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc +12 -15
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h +20 -21
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +382 -5
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +74 -1
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc +5 -1
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +2 -3
- data/src/core/lib/security/credentials/tls/tls_credentials.cc +3 -2
- data/src/core/lib/security/credentials/tls/tls_credentials.h +1 -1
- data/src/core/lib/security/credentials/tls/tls_utils.cc +123 -0
- data/src/core/lib/security/credentials/tls/tls_utils.h +51 -0
- data/src/core/lib/security/credentials/xds/xds_credentials.cc +209 -10
- data/src/core/lib/security/credentials/xds/xds_credentials.h +27 -9
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +14 -4
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +20 -12
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +50 -17
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.h +35 -8
- data/src/core/lib/security/security_connector/load_system_roots_fallback.cc +1 -0
- data/src/core/lib/security/security_connector/load_system_roots_linux.cc +4 -4
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +23 -10
- data/src/core/lib/security/security_connector/security_connector.cc +12 -6
- data/src/core/lib/security/security_connector/security_connector.h +10 -5
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +24 -17
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.h +1 -2
- data/src/core/lib/security/security_connector/ssl_utils.cc +41 -14
- data/src/core/lib/security/security_connector/ssl_utils.h +16 -23
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +156 -113
- data/src/core/lib/security/security_connector/tls/tls_security_connector.h +67 -52
- data/src/core/lib/security/transport/auth_filters.h +1 -0
- data/src/core/lib/security/transport/client_auth_filter.cc +27 -21
- data/src/core/lib/security/transport/secure_endpoint.cc +10 -20
- data/src/core/lib/security/transport/secure_endpoint.h +1 -0
- data/src/core/lib/security/transport/security_handshaker.cc +158 -90
- data/src/core/lib/security/transport/security_handshaker.h +2 -1
- data/src/core/lib/security/transport/server_auth_filter.cc +20 -16
- data/src/core/lib/security/transport/tsi_error.cc +5 -6
- data/src/core/lib/security/transport/tsi_error.h +2 -1
- data/src/core/lib/security/util/json_util.cc +8 -10
- data/src/core/lib/security/util/json_util.h +1 -1
- data/src/core/lib/slice/percent_encoding.cc +73 -30
- data/src/core/lib/slice/percent_encoding.h +29 -28
- data/src/core/lib/slice/slice.cc +14 -21
- data/src/core/lib/{gpr/tls_pthread.cc → slice/slice_api.cc} +15 -6
- data/src/core/lib/slice/slice_buffer.cc +6 -7
- data/src/core/lib/slice/slice_intern.cc +19 -27
- data/src/core/lib/slice/slice_internal.h +4 -246
- data/src/core/lib/slice/slice_refcount.cc +17 -0
- data/src/core/lib/slice/slice_refcount.h +121 -0
- data/src/core/lib/slice/slice_refcount_base.h +173 -0
- data/src/core/lib/slice/slice_split.cc +100 -0
- data/src/core/lib/slice/slice_split.h +40 -0
- data/src/core/lib/slice/slice_string_helpers.cc +0 -83
- data/src/core/lib/slice/slice_string_helpers.h +0 -11
- data/src/core/lib/slice/static_slice.cc +529 -0
- data/src/core/lib/slice/static_slice.h +331 -0
- data/src/core/lib/surface/api_trace.cc +2 -1
- data/src/core/lib/surface/api_trace.h +1 -0
- data/src/core/lib/surface/builtins.cc +49 -0
- data/src/core/lib/surface/builtins.h +26 -0
- data/src/core/lib/surface/byte_buffer_reader.cc +1 -1
- data/src/core/lib/surface/call.cc +198 -186
- data/src/core/lib/surface/call.h +10 -5
- data/src/core/lib/surface/call_details.cc +10 -10
- data/src/core/lib/surface/call_log_batch.cc +2 -2
- data/src/core/lib/surface/channel.cc +57 -51
- data/src/core/lib/surface/channel.h +19 -14
- data/src/core/lib/surface/channel_init.cc +23 -76
- data/src/core/lib/surface/channel_init.h +52 -44
- data/src/core/lib/surface/channel_ping.cc +2 -3
- data/src/core/lib/surface/channel_stack_type.cc +2 -1
- data/src/core/lib/surface/completion_queue.cc +140 -145
- data/src/core/lib/surface/completion_queue.h +18 -17
- data/src/core/lib/surface/completion_queue_factory.cc +3 -3
- data/src/core/lib/surface/completion_queue_factory.h +1 -0
- data/src/core/lib/surface/event_string.cc +1 -0
- data/src/core/lib/surface/init.cc +18 -65
- data/src/core/lib/surface/init.h +10 -2
- data/src/core/lib/surface/init_secure.cc +36 -14
- data/src/core/lib/surface/lame_client.cc +62 -61
- data/src/core/lib/surface/lame_client.h +5 -0
- data/src/core/lib/surface/metadata_array.cc +2 -2
- data/src/core/lib/surface/server.cc +167 -116
- data/src/core/lib/surface/server.h +140 -40
- data/src/core/lib/surface/validate_metadata.cc +55 -24
- data/src/core/lib/surface/validate_metadata.h +3 -2
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/bdp_estimator.cc +1 -1
- data/src/core/lib/transport/byte_stream.cc +5 -5
- data/src/core/lib/transport/byte_stream.h +9 -8
- data/src/core/lib/transport/connectivity_state.cc +9 -6
- data/src/core/lib/transport/connectivity_state.h +8 -6
- data/src/core/lib/transport/error_utils.cc +64 -27
- data/src/core/lib/transport/error_utils.h +13 -7
- data/src/core/lib/transport/metadata.cc +47 -22
- data/src/core/lib/transport/metadata.h +15 -12
- data/src/core/lib/transport/metadata_batch.cc +41 -339
- data/src/core/lib/transport/metadata_batch.h +932 -68
- data/src/core/lib/transport/parsed_metadata.h +263 -0
- data/src/core/lib/transport/pid_controller.cc +4 -4
- data/src/core/lib/transport/static_metadata.cc +715 -847
- data/src/core/lib/transport/static_metadata.h +115 -379
- data/src/core/lib/transport/status_metadata.cc +5 -3
- data/src/core/lib/transport/transport.cc +8 -8
- data/src/core/lib/transport/transport.h +12 -10
- data/src/core/lib/transport/transport_op_string.cc +46 -26
- data/src/core/lib/uri/uri_parser.cc +131 -249
- data/src/core/lib/uri/uri_parser.h +57 -21
- data/src/core/plugin_registry/grpc_plugin_registry.cc +101 -44
- data/src/core/tsi/alts/crypt/aes_gcm.cc +6 -3
- data/src/core/tsi/alts/crypt/gsec.cc +5 -4
- data/src/core/tsi/alts/crypt/gsec.h +5 -0
- data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +13 -12
- data/src/core/tsi/alts/frame_protector/frame_handler.cc +18 -17
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +27 -33
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +2 -3
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +57 -51
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.h +1 -1
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker_private.h +2 -1
- data/src/core/tsi/alts/handshaker/transport_security_common_api.cc +1 -3
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_integrity_only_record_protocol.cc +2 -2
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.cc +1 -1
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_iovec_record_protocol.cc +8 -6
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +6 -6
- data/src/core/tsi/fake_transport_security.cc +31 -12
- data/src/core/tsi/local_transport_security.cc +36 -73
- data/src/core/tsi/ssl/session_cache/ssl_session.h +0 -3
- data/src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc +1 -1
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +20 -55
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +6 -7
- data/src/core/tsi/ssl/session_cache/ssl_session_openssl.cc +2 -2
- data/src/core/tsi/ssl_transport_security.cc +115 -77
- data/src/core/tsi/ssl_transport_security.h +12 -14
- data/src/core/tsi/transport_security.cc +21 -9
- data/src/core/tsi/transport_security.h +16 -1
- data/src/core/tsi/transport_security_grpc.h +1 -0
- data/src/core/tsi/transport_security_interface.h +27 -1
- data/src/ruby/bin/math_services_pb.rb +1 -1
- data/src/ruby/ext/grpc/extconf.rb +21 -8
- data/src/ruby/ext/grpc/rb_byte_buffer.c +2 -1
- data/src/ruby/ext/grpc/rb_call.c +5 -5
- data/src/ruby/ext/grpc/rb_call_credentials.c +5 -5
- data/src/ruby/ext/grpc/rb_channel.c +19 -8
- data/src/ruby/ext/grpc/rb_channel_args.c +2 -2
- data/src/ruby/ext/grpc/rb_channel_credentials.c +15 -5
- data/src/ruby/ext/grpc/rb_channel_credentials.h +5 -0
- data/src/ruby/ext/grpc/rb_completion_queue.c +3 -2
- data/src/ruby/ext/grpc/rb_compression_options.c +6 -5
- data/src/ruby/ext/grpc/rb_enable_cpp.cc +1 -1
- data/src/ruby/ext/grpc/rb_event_thread.c +4 -2
- data/src/ruby/ext/grpc/rb_grpc.c +9 -4
- data/src/ruby/ext/grpc/rb_grpc.h +1 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +24 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +50 -14
- data/src/ruby/ext/grpc/rb_server.c +19 -6
- data/src/ruby/ext/grpc/rb_server_credentials.c +22 -6
- data/src/ruby/ext/grpc/rb_server_credentials.h +5 -0
- data/src/ruby/ext/grpc/rb_xds_channel_credentials.c +218 -0
- data/src/ruby/ext/grpc/rb_xds_channel_credentials.h +37 -0
- data/src/ruby/ext/grpc/rb_xds_server_credentials.c +170 -0
- data/src/ruby/ext/grpc/rb_xds_server_credentials.h +37 -0
- data/src/ruby/lib/grpc/generic/client_stub.rb +4 -2
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/grpc/health/v1/health_services_pb.rb +1 -1
- data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +35 -0
- data/src/ruby/pb/src/proto/grpc/testing/test_pb.rb +2 -2
- data/src/ruby/pb/src/proto/grpc/testing/test_services_pb.rb +23 -5
- data/src/ruby/spec/call_spec.rb +1 -1
- data/src/ruby/spec/channel_credentials_spec.rb +32 -0
- data/src/ruby/spec/channel_spec.rb +17 -6
- data/src/ruby/spec/client_auth_spec.rb +27 -1
- data/src/ruby/spec/client_server_spec.rb +1 -1
- data/src/ruby/spec/errors_spec.rb +1 -1
- data/src/ruby/spec/generic/active_call_spec.rb +2 -2
- data/src/ruby/spec/generic/client_stub_spec.rb +4 -4
- data/src/ruby/spec/generic/rpc_server_spec.rb +1 -1
- data/src/ruby/spec/pb/codegen/package_option_spec.rb +2 -6
- data/src/ruby/spec/server_credentials_spec.rb +25 -0
- data/src/ruby/spec/server_spec.rb +22 -0
- data/third_party/abseil-cpp/absl/algorithm/container.h +3 -3
- data/third_party/abseil-cpp/absl/base/attributes.h +24 -4
- data/third_party/abseil-cpp/absl/base/call_once.h +2 -9
- data/third_party/abseil-cpp/absl/base/config.h +37 -9
- data/third_party/abseil-cpp/absl/base/dynamic_annotations.h +24 -10
- data/third_party/abseil-cpp/absl/base/internal/direct_mmap.h +4 -1
- data/third_party/abseil-cpp/absl/base/internal/endian.h +61 -0
- data/third_party/abseil-cpp/absl/base/internal/low_level_scheduling.h +2 -3
- data/third_party/abseil-cpp/absl/base/internal/raw_logging.cc +34 -32
- data/third_party/abseil-cpp/absl/base/internal/raw_logging.h +16 -6
- data/third_party/abseil-cpp/absl/base/internal/spinlock.cc +11 -2
- data/third_party/abseil-cpp/absl/base/internal/spinlock.h +14 -5
- data/third_party/abseil-cpp/absl/base/internal/spinlock_akaros.inc +2 -2
- data/third_party/abseil-cpp/absl/base/internal/spinlock_linux.inc +3 -3
- data/third_party/abseil-cpp/absl/base/internal/spinlock_posix.inc +2 -2
- data/third_party/abseil-cpp/absl/base/internal/spinlock_wait.h +11 -11
- data/third_party/abseil-cpp/absl/base/internal/spinlock_win32.inc +5 -5
- data/third_party/abseil-cpp/absl/base/internal/sysinfo.cc +1 -1
- data/third_party/abseil-cpp/absl/base/internal/thread_identity.cc +9 -6
- data/third_party/abseil-cpp/absl/base/internal/thread_identity.h +54 -48
- data/third_party/abseil-cpp/absl/base/internal/throw_delegate.cc +111 -7
- data/third_party/abseil-cpp/absl/base/internal/unaligned_access.h +0 -76
- data/third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc +1 -3
- data/third_party/abseil-cpp/absl/base/log_severity.h +4 -4
- data/third_party/abseil-cpp/absl/base/macros.h +11 -0
- data/third_party/abseil-cpp/absl/base/optimization.h +10 -7
- data/third_party/abseil-cpp/absl/base/options.h +1 -1
- data/third_party/abseil-cpp/absl/base/port.h +0 -1
- data/third_party/abseil-cpp/absl/base/thread_annotations.h +1 -1
- data/third_party/abseil-cpp/absl/container/fixed_array.h +2 -2
- data/third_party/abseil-cpp/absl/container/flat_hash_map.h +606 -0
- data/third_party/abseil-cpp/absl/container/inlined_vector.h +5 -3
- data/third_party/abseil-cpp/absl/container/internal/compressed_tuple.h +1 -1
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc +5 -1
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.h +2 -1
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc +2 -1
- data/third_party/abseil-cpp/absl/container/internal/inlined_vector.h +141 -66
- data/third_party/abseil-cpp/absl/container/internal/layout.h +4 -4
- data/third_party/abseil-cpp/absl/container/internal/raw_hash_map.h +197 -0
- data/third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc +14 -1
- data/third_party/abseil-cpp/absl/container/internal/raw_hash_set.h +136 -136
- data/third_party/abseil-cpp/absl/debugging/internal/demangle.cc +16 -12
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_aarch64-inl.inc +5 -2
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_config.h +3 -12
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_powerpc-inl.inc +6 -1
- data/third_party/abseil-cpp/absl/debugging/internal/symbolize.h +3 -5
- data/third_party/abseil-cpp/absl/debugging/symbolize_darwin.inc +2 -2
- data/third_party/abseil-cpp/absl/debugging/symbolize_elf.inc +2 -2
- data/third_party/abseil-cpp/absl/hash/internal/city.cc +15 -12
- data/third_party/abseil-cpp/absl/hash/internal/city.h +1 -19
- data/third_party/abseil-cpp/absl/hash/internal/hash.cc +25 -10
- data/third_party/abseil-cpp/absl/hash/internal/hash.h +86 -37
- data/third_party/abseil-cpp/absl/hash/internal/wyhash.cc +111 -0
- data/third_party/abseil-cpp/absl/hash/internal/wyhash.h +48 -0
- data/third_party/abseil-cpp/absl/meta/type_traits.h +16 -2
- data/third_party/abseil-cpp/absl/numeric/bits.h +177 -0
- data/third_party/abseil-cpp/absl/numeric/int128.cc +3 -3
- data/third_party/abseil-cpp/absl/numeric/internal/bits.h +358 -0
- data/third_party/abseil-cpp/absl/numeric/internal/representation.h +55 -0
- data/third_party/abseil-cpp/absl/status/internal/status_internal.h +18 -0
- data/third_party/abseil-cpp/absl/status/internal/statusor_internal.h +396 -0
- data/third_party/abseil-cpp/absl/status/status.cc +29 -22
- data/third_party/abseil-cpp/absl/status/status.h +81 -20
- data/third_party/abseil-cpp/absl/status/statusor.cc +71 -0
- data/third_party/abseil-cpp/absl/status/statusor.h +760 -0
- data/third_party/abseil-cpp/absl/strings/charconv.cc +5 -5
- data/third_party/abseil-cpp/absl/strings/cord.cc +326 -371
- data/third_party/abseil-cpp/absl/strings/cord.h +182 -64
- data/third_party/abseil-cpp/absl/strings/escaping.cc +4 -4
- data/third_party/abseil-cpp/absl/strings/internal/charconv_parse.cc +6 -6
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.cc +83 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +387 -17
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_flat.h +146 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring.cc +897 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring.h +589 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring_reader.h +114 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.cc +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.h +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.cc +15 -1
- data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.h +19 -4
- data/third_party/abseil-cpp/absl/strings/internal/str_format/checker.h +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.cc +36 -18
- data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.h +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.cc +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.h +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_split_internal.h +15 -40
- data/third_party/abseil-cpp/absl/strings/internal/string_constant.h +64 -0
- data/third_party/abseil-cpp/absl/strings/match.cc +6 -3
- data/third_party/abseil-cpp/absl/strings/match.h +16 -6
- data/third_party/abseil-cpp/absl/strings/numbers.cc +132 -4
- data/third_party/abseil-cpp/absl/strings/numbers.h +10 -10
- data/third_party/abseil-cpp/absl/strings/str_join.h +1 -1
- data/third_party/abseil-cpp/absl/strings/str_split.h +38 -4
- data/third_party/abseil-cpp/absl/synchronization/internal/futex.h +154 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/graphcycles.cc +1 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/kernel_timeout.h +2 -1
- data/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.cc +2 -2
- data/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.h +4 -4
- data/third_party/abseil-cpp/absl/synchronization/internal/waiter.cc +1 -65
- data/third_party/abseil-cpp/absl/synchronization/internal/waiter.h +2 -6
- data/third_party/abseil-cpp/absl/synchronization/mutex.cc +71 -59
- data/third_party/abseil-cpp/absl/synchronization/mutex.h +79 -62
- data/third_party/abseil-cpp/absl/time/clock.cc +146 -130
- data/third_party/abseil-cpp/absl/time/clock.h +2 -2
- data/third_party/abseil-cpp/absl/time/duration.cc +3 -2
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time_detail.h +7 -11
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.cc +7 -1
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/tzfile.h +4 -4
- data/third_party/abseil-cpp/absl/time/time.cc +4 -3
- data/third_party/abseil-cpp/absl/time/time.h +26 -24
- data/third_party/abseil-cpp/absl/types/internal/variant.h +1 -1
- data/third_party/abseil-cpp/absl/types/variant.h +9 -4
- data/third_party/address_sorting/address_sorting_posix.c +1 -0
- data/third_party/boringssl-with-bazel/err_data.c +756 -724
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +55 -50
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +22 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +6 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +16 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +26 -24
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +19 -29
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/a_strex.c +269 -272
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +106 -153
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +22 -10
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +3 -42
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +16 -16
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/charmap.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +196 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +35 -86
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +326 -281
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +15 -26
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +20 -75
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -17
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +156 -0
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/bn_asn1.c +3 -10
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +8 -9
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +9 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +68 -45
- data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +38 -47
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +49 -65
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +6 -81
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +1 -88
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +101 -3
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +119 -273
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +14 -3
- data/third_party/boringssl-with-bazel/src/crypto/cpu-aarch64-win.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu-arm-linux.c +11 -2
- data/third_party/boringssl-with-bazel/src/crypto/cpu-arm.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/dh_asn1.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/params.c +179 -0
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +31 -3
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +2 -17
- data/third_party/boringssl-with-bazel/src/crypto/err/err.c +87 -80
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +9 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +32 -34
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +4 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +13 -20
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +28 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +15 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +5 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +32 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +35 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/des/des.c +10 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/des/internal.h +1 -3
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/check.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/dh.c +136 -213
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +9 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digests.c +10 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/md32_common.h +87 -160
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +9 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +104 -93
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +39 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +56 -72
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md5/md5.c +56 -73
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +33 -22
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +17 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +1 -22
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +30 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +123 -44
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +30 -20
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +50 -33
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +65 -41
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +79 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +161 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +93 -107
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +91 -113
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +50 -86
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +400 -325
- data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +219 -121
- data/third_party/boringssl-with-bazel/src/crypto/hrss/internal.h +9 -2
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +125 -0
- data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +253 -0
- data/third_party/boringssl-with-bazel/src/crypto/lhash/lhash.c +28 -23
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +28 -9
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +10 -6
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +0 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +0 -8
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/internal.h +16 -7
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7.c +9 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +156 -15
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +95 -48
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +13 -11
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/deterministic.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/fuchsia.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/is_fips.c → rand_extra/passive.c} +16 -11
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c +5 -1
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/windows.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_asn1.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +7 -13
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +0 -28
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +15 -11
- data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +345 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +246 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +20 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +10 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +0 -179
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +7 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +24 -47
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +4 -31
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +12 -9
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +42 -89
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +17 -24
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +26 -23
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +25 -69
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +54 -74
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +61 -23
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +21 -19
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +3 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +21 -34
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +15 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +23 -21
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +25 -22
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +5 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +50 -14
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +5 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +23 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_int.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +27 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +28 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +6 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +26 -25
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +10 -12
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +7 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +40 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +27 -36
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +112 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +14 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +7 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +86 -44
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +1 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +69 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +1026 -615
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +2 -176
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +63 -13
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +3 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +62 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +32 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/chacha.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +23 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +8 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +22 -32
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +24 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +56 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +10 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +20 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +33 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +3 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +38 -51
- data/third_party/boringssl-with-bazel/src/{crypto/x509/x509_r2x.c → include/openssl/evp_errors.h} +41 -58
- data/third_party/boringssl-with-bazel/src/include/openssl/hkdf.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +350 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/hrss.h +14 -12
- data/third_party/boringssl-with-bazel/src/include/openssl/lhash.h +4 -205
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +12 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/obj.h +26 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -20
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +33 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +9 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +5 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +104 -63
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +39 -16
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +406 -108
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +48 -36
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1425 -377
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +16 -679
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +188 -49
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +16 -18
- data/third_party/boringssl-with-bazel/src/ssl/d1_srtp.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +1084 -0
- data/third_party/boringssl-with-bazel/src/ssl/{t1_lib.cc → extensions.cc} +847 -622
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +298 -22
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +92 -44
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +314 -217
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +177 -35
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +491 -152
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +9 -3
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +0 -2
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +14 -19
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +7 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +4 -6
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +34 -31
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +60 -112
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +2 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +136 -104
- data/third_party/boringssl-with-bazel/src/ssl/ssl_stat.cc +3 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +12 -17
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +7 -3
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +28 -23
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +5 -7
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +79 -34
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +235 -178
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +160 -91
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +269 -118
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +4 -2
- data/third_party/re2/re2/compile.cc +91 -109
- data/third_party/re2/re2/dfa.cc +27 -39
- data/third_party/re2/re2/filtered_re2.cc +18 -2
- data/third_party/re2/re2/filtered_re2.h +10 -5
- data/third_party/re2/re2/nfa.cc +1 -1
- data/third_party/re2/re2/parse.cc +42 -23
- data/third_party/re2/re2/perl_groups.cc +34 -34
- data/third_party/re2/re2/prefilter.cc +3 -2
- data/third_party/re2/re2/prog.cc +182 -4
- data/third_party/re2/re2/prog.h +28 -9
- data/third_party/re2/re2/re2.cc +87 -118
- data/third_party/re2/re2/re2.h +156 -141
- data/third_party/re2/re2/regexp.cc +12 -5
- data/third_party/re2/re2/regexp.h +8 -2
- data/third_party/re2/re2/set.cc +31 -9
- data/third_party/re2/re2/set.h +9 -4
- data/third_party/re2/re2/simplify.cc +11 -3
- data/third_party/re2/re2/tostring.cc +1 -1
- data/third_party/re2/re2/walker-inl.h +1 -1
- data/third_party/re2/util/mutex.h +2 -2
- data/third_party/re2/util/pcre.h +3 -3
- data/third_party/upb/upb/decode.c +354 -204
- data/third_party/upb/upb/decode.h +50 -3
- data/third_party/upb/upb/decode_fast.c +1053 -0
- data/third_party/upb/upb/decode_fast.h +153 -0
- data/third_party/upb/upb/decode_internal.h +193 -0
- data/third_party/upb/upb/def.c +609 -610
- data/third_party/upb/upb/def.h +57 -50
- data/third_party/upb/upb/def.hpp +66 -123
- data/third_party/upb/upb/encode.c +267 -176
- data/third_party/upb/upb/encode.h +56 -4
- data/third_party/upb/upb/msg.c +304 -84
- data/third_party/upb/upb/msg.h +76 -441
- data/third_party/upb/upb/msg_internal.h +687 -0
- data/third_party/upb/upb/port_def.inc +156 -82
- data/third_party/upb/upb/port_undef.inc +41 -8
- data/third_party/upb/upb/reflection.c +64 -55
- data/third_party/upb/upb/reflection.h +36 -8
- data/third_party/upb/upb/reflection.hpp +37 -0
- data/third_party/upb/upb/table.c +238 -276
- data/third_party/upb/upb/{table.int.h → table_internal.h} +66 -181
- data/third_party/upb/upb/text_encode.c +77 -26
- data/third_party/upb/upb/text_encode.h +30 -1
- data/third_party/upb/upb/upb.c +75 -47
- data/third_party/upb/upb/upb.h +72 -13
- data/third_party/upb/upb/upb.hpp +28 -4
- data/third_party/upb/upb/upb_internal.h +58 -0
- data/third_party/xxhash/xxhash.h +5325 -0
- metadata +287 -137
- data/src/core/ext/filters/client_channel/lb_policy/xds/eds.cc +0 -909
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +0 -485
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +0 -179
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +0 -68
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_libuv.cc +0 -38
- data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +0 -355
- data/src/core/ext/filters/client_channel/resolving_lb_policy.h +0 -138
- data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +0 -210
- data/src/core/ext/filters/workarounds/workaround_utils.cc +0 -53
- data/src/core/ext/filters/workarounds/workaround_utils.h +0 -39
- data/src/core/ext/transport/chttp2/client/authority.cc +0 -42
- data/src/core/ext/transport/chttp2/client/authority.h +0 -36
- data/src/core/ext/transport/chttp2/transport/hpack_table.cc +0 -242
- data/src/core/ext/transport/chttp2/transport/hpack_table.h +0 -148
- data/src/core/ext/transport/chttp2/transport/incoming_metadata.cc +0 -66
- data/src/core/ext/transport/chttp2/transport/incoming_metadata.h +0 -58
- data/src/core/ext/upb-generated/udpa/core/v1/authority.upb.c +0 -28
- data/src/core/ext/upb-generated/udpa/core/v1/authority.upb.h +0 -53
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.c +0 -52
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.h +0 -129
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.c +0 -42
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.h +0 -77
- data/src/core/ext/upb-generated/udpa/core/v1/resource.upb.c +0 -36
- data/src/core/ext/upb-generated/udpa/core/v1/resource.upb.h +0 -85
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.c +0 -54
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.h +0 -160
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.c +0 -36
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.h +0 -84
- data/src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.c +0 -58
- data/src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.h +0 -117
- data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.c +0 -42
- data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.h +0 -35
- data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.c +0 -62
- data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.c +0 -45
- data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.c +0 -49
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.h +0 -35
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.c +0 -68
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c +0 -51
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.h +0 -35
- data/src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc +0 -265
- data/src/core/ext/xds/google_mesh_ca_certificate_provider_factory.h +0 -104
- data/src/core/lib/gpr/arena.h +0 -47
- data/src/core/lib/gpr/tls_gcc.h +0 -52
- data/src/core/lib/gpr/tls_msvc.h +0 -54
- data/src/core/lib/gpr/tls_pthread.h +0 -56
- data/src/core/lib/gpr/tls_stdcpp.h +0 -48
- data/src/core/lib/gprpp/atomic.h +0 -104
- data/src/core/lib/gprpp/map.h +0 -53
- data/src/core/lib/iomgr/endpoint_pair_uv.cc +0 -40
- data/src/core/lib/iomgr/iomgr_posix.h +0 -26
- data/src/core/lib/iomgr/iomgr_uv.cc +0 -43
- data/src/core/lib/iomgr/poller/eventmanager_libuv.cc +0 -88
- data/src/core/lib/iomgr/poller/eventmanager_libuv.h +0 -88
- data/src/core/lib/iomgr/pollset_uv.cc +0 -93
- data/src/core/lib/iomgr/pollset_uv.h +0 -32
- data/src/core/lib/iomgr/sockaddr_custom.h +0 -54
- data/src/core/lib/iomgr/socket_utils_uv.cc +0 -49
- data/src/core/lib/iomgr/tcp_uv.cc +0 -419
- data/src/core/lib/iomgr/timer_uv.cc +0 -66
- data/src/core/lib/iomgr/udp_server.cc +0 -748
- data/src/core/lib/iomgr/udp_server.h +0 -104
- data/src/core/lib/security/authorization/authorization_engine.cc +0 -177
- data/src/core/lib/security/authorization/mock_cel/activation.h +0 -57
- data/src/core/lib/security/authorization/mock_cel/cel_expr_builder_factory.h +0 -44
- data/src/core/lib/security/authorization/mock_cel/cel_expression.h +0 -69
- data/src/core/lib/security/authorization/mock_cel/cel_value.h +0 -97
- data/src/core/lib/security/authorization/mock_cel/evaluator_core.h +0 -67
- data/src/core/lib/security/authorization/mock_cel/flat_expr_builder.h +0 -57
- data/src/core/lib/transport/authority_override.cc +0 -38
- data/third_party/abseil-cpp/absl/base/internal/bits.h +0 -219
- data/third_party/abseil-cpp/absl/container/flat_hash_set.h +0 -504
- data/third_party/abseil-cpp/absl/synchronization/internal/mutex_nonprod.inc +0 -249
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_locl.h +0 -104
- data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +0 -237
- data/third_party/boringssl-with-bazel/src/crypto/x509/vpm_int.h +0 -71
- data/third_party/upb/upb/port.c +0 -26
@@ -113,14 +113,18 @@
|
|
113
113
|
#include <stdlib.h>
|
114
114
|
#include <string.h>
|
115
115
|
|
116
|
+
#include <algorithm>
|
116
117
|
#include <utility>
|
117
118
|
|
119
|
+
#include <openssl/aead.h>
|
118
120
|
#include <openssl/bytestring.h>
|
119
121
|
#include <openssl/chacha.h>
|
122
|
+
#include <openssl/curve25519.h>
|
120
123
|
#include <openssl/digest.h>
|
121
124
|
#include <openssl/err.h>
|
122
125
|
#include <openssl/evp.h>
|
123
126
|
#include <openssl/hmac.h>
|
127
|
+
#include <openssl/hpke.h>
|
124
128
|
#include <openssl/mem.h>
|
125
129
|
#include <openssl/nid.h>
|
126
130
|
#include <openssl/rand.h>
|
@@ -205,17 +209,25 @@ static bool is_post_quantum_group(uint16_t id) {
|
|
205
209
|
}
|
206
210
|
|
207
211
|
bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
|
208
|
-
const
|
212
|
+
Span<const uint8_t> body) {
|
213
|
+
CBS cbs = body;
|
214
|
+
if (!ssl_parse_client_hello_with_trailing_data(ssl, &cbs, out) ||
|
215
|
+
CBS_len(&cbs) != 0) {
|
216
|
+
return false;
|
217
|
+
}
|
218
|
+
return true;
|
219
|
+
}
|
220
|
+
|
221
|
+
bool ssl_parse_client_hello_with_trailing_data(const SSL *ssl, CBS *cbs,
|
222
|
+
SSL_CLIENT_HELLO *out) {
|
209
223
|
OPENSSL_memset(out, 0, sizeof(*out));
|
210
224
|
out->ssl = const_cast<SSL *>(ssl);
|
211
|
-
|
212
|
-
|
213
|
-
|
214
|
-
|
215
|
-
|
216
|
-
|
217
|
-
!CBS_get_bytes(&client_hello, &random, SSL3_RANDOM_SIZE) ||
|
218
|
-
!CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
|
225
|
+
|
226
|
+
CBS copy = *cbs;
|
227
|
+
CBS random, session_id;
|
228
|
+
if (!CBS_get_u16(cbs, &out->version) ||
|
229
|
+
!CBS_get_bytes(cbs, &random, SSL3_RANDOM_SIZE) ||
|
230
|
+
!CBS_get_u8_length_prefixed(cbs, &session_id) ||
|
219
231
|
CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
|
220
232
|
return false;
|
221
233
|
}
|
@@ -228,16 +240,16 @@ bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
|
|
228
240
|
// Skip past DTLS cookie
|
229
241
|
if (SSL_is_dtls(out->ssl)) {
|
230
242
|
CBS cookie;
|
231
|
-
if (!CBS_get_u8_length_prefixed(
|
243
|
+
if (!CBS_get_u8_length_prefixed(cbs, &cookie) ||
|
232
244
|
CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
|
233
245
|
return false;
|
234
246
|
}
|
235
247
|
}
|
236
248
|
|
237
249
|
CBS cipher_suites, compression_methods;
|
238
|
-
if (!CBS_get_u16_length_prefixed(
|
250
|
+
if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites) ||
|
239
251
|
CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 ||
|
240
|
-
!CBS_get_u8_length_prefixed(
|
252
|
+
!CBS_get_u8_length_prefixed(cbs, &compression_methods) ||
|
241
253
|
CBS_len(&compression_methods) < 1) {
|
242
254
|
return false;
|
243
255
|
}
|
@@ -249,23 +261,22 @@ bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
|
|
249
261
|
|
250
262
|
// If the ClientHello ends here then it's valid, but doesn't have any
|
251
263
|
// extensions.
|
252
|
-
if (CBS_len(
|
253
|
-
out->extensions =
|
264
|
+
if (CBS_len(cbs) == 0) {
|
265
|
+
out->extensions = nullptr;
|
254
266
|
out->extensions_len = 0;
|
255
|
-
|
256
|
-
|
257
|
-
|
258
|
-
|
259
|
-
|
260
|
-
|
261
|
-
|
262
|
-
|
263
|
-
|
267
|
+
} else {
|
268
|
+
// Extract extensions and check it is valid.
|
269
|
+
CBS extensions;
|
270
|
+
if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
|
271
|
+
!tls1_check_duplicate_extensions(&extensions)) {
|
272
|
+
return false;
|
273
|
+
}
|
274
|
+
out->extensions = CBS_data(&extensions);
|
275
|
+
out->extensions_len = CBS_len(&extensions);
|
264
276
|
}
|
265
277
|
|
266
|
-
out->
|
267
|
-
out->
|
268
|
-
|
278
|
+
out->client_hello = CBS_data(©);
|
279
|
+
out->client_hello_len = CBS_len(©) - CBS_len(cbs);
|
269
280
|
return true;
|
270
281
|
}
|
271
282
|
|
@@ -401,6 +412,11 @@ bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
|
|
401
412
|
return false;
|
402
413
|
}
|
403
414
|
|
415
|
+
// We internally assume zero is never allocated as a group ID.
|
416
|
+
if (group_id == 0) {
|
417
|
+
return false;
|
418
|
+
}
|
419
|
+
|
404
420
|
for (uint16_t supported : tls1_get_grouplist(hs)) {
|
405
421
|
if (supported == group_id) {
|
406
422
|
return true;
|
@@ -484,9 +500,7 @@ bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
484
500
|
return false;
|
485
501
|
}
|
486
502
|
|
487
|
-
// tls_extension represents a TLS extension that is handled internally.
|
488
|
-
// |init| function is called for each handshake, before any other functions of
|
489
|
-
// the extension. Then the add and parse callbacks are called as needed.
|
503
|
+
// tls_extension represents a TLS extension that is handled internally.
|
490
504
|
//
|
491
505
|
// The parse callbacks receive a |CBS| that contains the contents of the
|
492
506
|
// extension (i.e. not including the type and length bytes). If an extension is
|
@@ -496,14 +510,27 @@ bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
496
510
|
// The add callbacks receive a |CBB| to which the extension can be appended but
|
497
511
|
// the function is responsible for appending the type and length bytes too.
|
498
512
|
//
|
513
|
+
// |add_clienthello| may be called multiple times and must not mutate |hs|. It
|
514
|
+
// is additionally passed two output |CBB|s. If the extension is the same
|
515
|
+
// independent of the value of |type|, the callback may write to
|
516
|
+
// |out_compressible| instead of |out|. When serializing the ClientHelloInner,
|
517
|
+
// all compressible extensions will be made continguous and replaced with
|
518
|
+
// ech_outer_extensions when encrypted. When serializing the ClientHelloOuter
|
519
|
+
// or not offering ECH, |out| will be equal to |out_compressible|, so writing to
|
520
|
+
// |out_compressible| still works.
|
521
|
+
//
|
522
|
+
// Note the |parse_serverhello| and |add_serverhello| callbacks refer to the
|
523
|
+
// TLS 1.2 ServerHello. In TLS 1.3, these callbacks act on EncryptedExtensions,
|
524
|
+
// with ServerHello extensions handled elsewhere in the handshake.
|
525
|
+
//
|
499
526
|
// All callbacks return true for success and false for error. If a parse
|
500
527
|
// function returns zero then a fatal alert with value |*out_alert| will be
|
501
528
|
// sent. If |*out_alert| isn't set, then a |decode_error| alert will be sent.
|
502
529
|
struct tls_extension {
|
503
530
|
uint16_t value;
|
504
|
-
void (*init)(SSL_HANDSHAKE *hs);
|
505
531
|
|
506
|
-
bool (*add_clienthello)(SSL_HANDSHAKE *hs, CBB *out
|
532
|
+
bool (*add_clienthello)(const SSL_HANDSHAKE *hs, CBB *out,
|
533
|
+
CBB *out_compressible, ssl_client_hello_type_t type);
|
507
534
|
bool (*parse_serverhello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
508
535
|
CBS *contents);
|
509
536
|
|
@@ -538,10 +565,21 @@ static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
538
565
|
//
|
539
566
|
// https://tools.ietf.org/html/rfc6066#section-3.
|
540
567
|
|
541
|
-
static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
542
|
-
|
543
|
-
|
544
|
-
|
568
|
+
static bool ext_sni_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
569
|
+
CBB *out_compressible,
|
570
|
+
ssl_client_hello_type_t type) {
|
571
|
+
const SSL *const ssl = hs->ssl;
|
572
|
+
// If offering ECH, send the public name instead of the configured name.
|
573
|
+
Span<const uint8_t> hostname;
|
574
|
+
if (type == ssl_client_hello_outer) {
|
575
|
+
hostname = hs->selected_ech_config->public_name;
|
576
|
+
} else {
|
577
|
+
if (ssl->hostname == nullptr) {
|
578
|
+
return true;
|
579
|
+
}
|
580
|
+
hostname =
|
581
|
+
MakeConstSpan(reinterpret_cast<const uint8_t *>(ssl->hostname.get()),
|
582
|
+
strlen(ssl->hostname.get()));
|
545
583
|
}
|
546
584
|
|
547
585
|
CBB contents, server_name_list, name;
|
@@ -550,8 +588,7 @@ static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
550
588
|
!CBB_add_u16_length_prefixed(&contents, &server_name_list) ||
|
551
589
|
!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) ||
|
552
590
|
!CBB_add_u16_length_prefixed(&server_name_list, &name) ||
|
553
|
-
!CBB_add_bytes(&name, (
|
554
|
-
strlen(ssl->hostname.get())) ||
|
591
|
+
!CBB_add_bytes(&name, hostname.data(), hostname.size()) ||
|
555
592
|
!CBB_flush(out)) {
|
556
593
|
return false;
|
557
594
|
}
|
@@ -587,14 +624,131 @@ static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
587
624
|
}
|
588
625
|
|
589
626
|
|
627
|
+
// Encrypted ClientHello (ECH)
|
628
|
+
//
|
629
|
+
// https://tools.ietf.org/html/draft-ietf-tls-esni-13
|
630
|
+
|
631
|
+
static bool ext_ech_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
632
|
+
CBB *out_compressible,
|
633
|
+
ssl_client_hello_type_t type) {
|
634
|
+
if (type == ssl_client_hello_inner) {
|
635
|
+
if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||
|
636
|
+
!CBB_add_u16(out, /* length */ 1) ||
|
637
|
+
!CBB_add_u8(out, ECH_CLIENT_INNER)) {
|
638
|
+
return false;
|
639
|
+
}
|
640
|
+
return true;
|
641
|
+
}
|
642
|
+
|
643
|
+
if (hs->ech_client_outer.empty()) {
|
644
|
+
return true;
|
645
|
+
}
|
646
|
+
|
647
|
+
CBB ech_body;
|
648
|
+
if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||
|
649
|
+
!CBB_add_u16_length_prefixed(out, &ech_body) ||
|
650
|
+
!CBB_add_u8(&ech_body, ECH_CLIENT_OUTER) ||
|
651
|
+
!CBB_add_bytes(&ech_body, hs->ech_client_outer.data(),
|
652
|
+
hs->ech_client_outer.size()) ||
|
653
|
+
!CBB_flush(out)) {
|
654
|
+
return false;
|
655
|
+
}
|
656
|
+
return true;
|
657
|
+
}
|
658
|
+
|
659
|
+
static bool ext_ech_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
660
|
+
CBS *contents) {
|
661
|
+
SSL *const ssl = hs->ssl;
|
662
|
+
if (contents == NULL) {
|
663
|
+
return true;
|
664
|
+
}
|
665
|
+
|
666
|
+
// The ECH extension may not be sent in TLS 1.2 ServerHello, only TLS 1.3
|
667
|
+
// EncryptedExtensions. It also may not be sent in response to an inner ECH
|
668
|
+
// extension.
|
669
|
+
if (ssl_protocol_version(ssl) < TLS1_3_VERSION ||
|
670
|
+
ssl->s3->ech_status == ssl_ech_accepted) {
|
671
|
+
*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
|
672
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
673
|
+
return false;
|
674
|
+
}
|
675
|
+
|
676
|
+
if (!ssl_is_valid_ech_config_list(*contents)) {
|
677
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
678
|
+
return false;
|
679
|
+
}
|
680
|
+
|
681
|
+
if (ssl->s3->ech_status == ssl_ech_rejected &&
|
682
|
+
!hs->ech_retry_configs.CopyFrom(*contents)) {
|
683
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
684
|
+
return false;
|
685
|
+
}
|
686
|
+
|
687
|
+
return true;
|
688
|
+
}
|
689
|
+
|
690
|
+
static bool ext_ech_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
691
|
+
CBS *contents) {
|
692
|
+
if (contents == nullptr) {
|
693
|
+
return true;
|
694
|
+
}
|
695
|
+
|
696
|
+
uint8_t type;
|
697
|
+
if (!CBS_get_u8(contents, &type)) {
|
698
|
+
return false;
|
699
|
+
}
|
700
|
+
if (type == ECH_CLIENT_OUTER) {
|
701
|
+
// Outer ECH extensions are handled outside the callback.
|
702
|
+
return true;
|
703
|
+
}
|
704
|
+
if (type != ECH_CLIENT_INNER || CBS_len(contents) != 0) {
|
705
|
+
return false;
|
706
|
+
}
|
707
|
+
|
708
|
+
hs->ech_is_inner = true;
|
709
|
+
return true;
|
710
|
+
}
|
711
|
+
|
712
|
+
static bool ext_ech_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
713
|
+
SSL *const ssl = hs->ssl;
|
714
|
+
if (ssl_protocol_version(ssl) < TLS1_3_VERSION ||
|
715
|
+
ssl->s3->ech_status == ssl_ech_accepted || //
|
716
|
+
hs->ech_keys == nullptr) {
|
717
|
+
return true;
|
718
|
+
}
|
719
|
+
|
720
|
+
// Write the list of retry configs to |out|. Note |SSL_CTX_set1_ech_keys|
|
721
|
+
// ensures |ech_keys| contains at least one retry config.
|
722
|
+
CBB body, retry_configs;
|
723
|
+
if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||
|
724
|
+
!CBB_add_u16_length_prefixed(out, &body) ||
|
725
|
+
!CBB_add_u16_length_prefixed(&body, &retry_configs)) {
|
726
|
+
return false;
|
727
|
+
}
|
728
|
+
for (const auto &config : hs->ech_keys->configs) {
|
729
|
+
if (!config->is_retry_config()) {
|
730
|
+
continue;
|
731
|
+
}
|
732
|
+
if (!CBB_add_bytes(&retry_configs, config->ech_config().raw.data(),
|
733
|
+
config->ech_config().raw.size())) {
|
734
|
+
return false;
|
735
|
+
}
|
736
|
+
}
|
737
|
+
return CBB_flush(out);
|
738
|
+
}
|
739
|
+
|
740
|
+
|
590
741
|
// Renegotiation indication.
|
591
742
|
//
|
592
743
|
// https://tools.ietf.org/html/rfc5746
|
593
744
|
|
594
|
-
static bool ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
595
|
-
|
745
|
+
static bool ext_ri_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
746
|
+
CBB *out_compressible,
|
747
|
+
ssl_client_hello_type_t type) {
|
748
|
+
const SSL *const ssl = hs->ssl;
|
596
749
|
// Renegotiation indication is not necessary in TLS 1.3.
|
597
|
-
if (hs->min_version >= TLS1_3_VERSION
|
750
|
+
if (hs->min_version >= TLS1_3_VERSION ||
|
751
|
+
type == ssl_client_hello_inner) {
|
598
752
|
return true;
|
599
753
|
}
|
600
754
|
|
@@ -756,9 +910,11 @@ static bool ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
756
910
|
//
|
757
911
|
// https://tools.ietf.org/html/rfc7627
|
758
912
|
|
759
|
-
static bool ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
913
|
+
static bool ext_ems_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
914
|
+
CBB *out_compressible,
|
915
|
+
ssl_client_hello_type_t type) {
|
760
916
|
// Extended master secret is not necessary in TLS 1.3.
|
761
|
-
if (hs->min_version >= TLS1_3_VERSION) {
|
917
|
+
if (hs->min_version >= TLS1_3_VERSION || type == ssl_client_hello_inner) {
|
762
918
|
return true;
|
763
919
|
}
|
764
920
|
|
@@ -831,10 +987,12 @@ static bool ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
831
987
|
//
|
832
988
|
// https://tools.ietf.org/html/rfc5077
|
833
989
|
|
834
|
-
static bool ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
835
|
-
|
990
|
+
static bool ext_ticket_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
991
|
+
CBB *out_compressible,
|
992
|
+
ssl_client_hello_type_t type) {
|
993
|
+
const SSL *const ssl = hs->ssl;
|
836
994
|
// TLS 1.3 uses a different ticket extension.
|
837
|
-
if (hs->min_version >= TLS1_3_VERSION ||
|
995
|
+
if (hs->min_version >= TLS1_3_VERSION || type == ssl_client_hello_inner ||
|
838
996
|
SSL_get_options(ssl) & SSL_OP_NO_TICKET) {
|
839
997
|
return true;
|
840
998
|
}
|
@@ -909,17 +1067,19 @@ static bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
909
1067
|
//
|
910
1068
|
// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
|
911
1069
|
|
912
|
-
static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
1070
|
+
static bool ext_sigalgs_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
1071
|
+
CBB *out_compressible,
|
1072
|
+
ssl_client_hello_type_t type) {
|
913
1073
|
if (hs->max_version < TLS1_2_VERSION) {
|
914
1074
|
return true;
|
915
1075
|
}
|
916
1076
|
|
917
1077
|
CBB contents, sigalgs_cbb;
|
918
|
-
if (!CBB_add_u16(
|
919
|
-
!CBB_add_u16_length_prefixed(
|
1078
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_signature_algorithms) ||
|
1079
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
920
1080
|
!CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
|
921
1081
|
!tls12_add_verify_sigalgs(hs, &sigalgs_cbb) ||
|
922
|
-
!CBB_flush(
|
1082
|
+
!CBB_flush(out_compressible)) {
|
923
1083
|
return false;
|
924
1084
|
}
|
925
1085
|
|
@@ -948,18 +1108,20 @@ static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
948
1108
|
//
|
949
1109
|
// https://tools.ietf.org/html/rfc6066#section-8
|
950
1110
|
|
951
|
-
static bool ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
1111
|
+
static bool ext_ocsp_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
1112
|
+
CBB *out_compressible,
|
1113
|
+
ssl_client_hello_type_t type) {
|
952
1114
|
if (!hs->config->ocsp_stapling_enabled) {
|
953
1115
|
return true;
|
954
1116
|
}
|
955
1117
|
|
956
1118
|
CBB contents;
|
957
|
-
if (!CBB_add_u16(
|
958
|
-
!CBB_add_u16_length_prefixed(
|
1119
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_status_request) ||
|
1120
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
959
1121
|
!CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||
|
960
1122
|
!CBB_add_u16(&contents, 0 /* empty responder ID list */) ||
|
961
1123
|
!CBB_add_u16(&contents, 0 /* empty request extensions */) ||
|
962
|
-
!CBB_flush(
|
1124
|
+
!CBB_flush(out_compressible)) {
|
963
1125
|
return false;
|
964
1126
|
}
|
965
1127
|
|
@@ -1030,11 +1192,16 @@ static bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1030
1192
|
//
|
1031
1193
|
// https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html
|
1032
1194
|
|
1033
|
-
static bool ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
1034
|
-
|
1035
|
-
|
1036
|
-
|
1037
|
-
|
1195
|
+
static bool ext_npn_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
1196
|
+
CBB *out_compressible,
|
1197
|
+
ssl_client_hello_type_t type) {
|
1198
|
+
const SSL *const ssl = hs->ssl;
|
1199
|
+
if (ssl->ctx->next_proto_select_cb == NULL ||
|
1200
|
+
// Do not allow NPN to change on renegotiation.
|
1201
|
+
ssl->s3->initial_handshake_complete ||
|
1202
|
+
// NPN is not defined in DTLS or TLS 1.3.
|
1203
|
+
SSL_is_dtls(ssl) || hs->min_version >= TLS1_3_VERSION ||
|
1204
|
+
type == ssl_client_hello_inner) {
|
1038
1205
|
return true;
|
1039
1206
|
}
|
1040
1207
|
|
@@ -1153,13 +1320,15 @@ static bool ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1153
1320
|
//
|
1154
1321
|
// https://tools.ietf.org/html/rfc6962#section-3.3.1
|
1155
1322
|
|
1156
|
-
static bool ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
1323
|
+
static bool ext_sct_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
1324
|
+
CBB *out_compressible,
|
1325
|
+
ssl_client_hello_type_t type) {
|
1157
1326
|
if (!hs->config->signed_cert_timestamps_enabled) {
|
1158
1327
|
return true;
|
1159
1328
|
}
|
1160
1329
|
|
1161
|
-
if (!CBB_add_u16(
|
1162
|
-
!CBB_add_u16(
|
1330
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_certificate_timestamp) ||
|
1331
|
+
!CBB_add_u16(out_compressible, 0 /* length */)) {
|
1163
1332
|
return false;
|
1164
1333
|
}
|
1165
1334
|
|
@@ -1244,11 +1413,13 @@ static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1244
1413
|
//
|
1245
1414
|
// https://tools.ietf.org/html/rfc7301
|
1246
1415
|
|
1247
|
-
static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
1248
|
-
|
1416
|
+
static bool ext_alpn_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
1417
|
+
CBB *out_compressible,
|
1418
|
+
ssl_client_hello_type_t type) {
|
1419
|
+
const SSL *const ssl = hs->ssl;
|
1249
1420
|
if (hs->config->alpn_client_proto_list.empty() && ssl->quic_method) {
|
1250
1421
|
// ALPN MUST be used with QUIC.
|
1251
|
-
OPENSSL_PUT_ERROR(SSL,
|
1422
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
1252
1423
|
return false;
|
1253
1424
|
}
|
1254
1425
|
|
@@ -1258,12 +1429,13 @@ static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1258
1429
|
}
|
1259
1430
|
|
1260
1431
|
CBB contents, proto_list;
|
1261
|
-
if (!CBB_add_u16(
|
1262
|
-
|
1432
|
+
if (!CBB_add_u16(out_compressible,
|
1433
|
+
TLSEXT_TYPE_application_layer_protocol_negotiation) ||
|
1434
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
1263
1435
|
!CBB_add_u16_length_prefixed(&contents, &proto_list) ||
|
1264
1436
|
!CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list.data(),
|
1265
1437
|
hs->config->alpn_client_proto_list.size()) ||
|
1266
|
-
!CBB_flush(
|
1438
|
+
!CBB_flush(out_compressible)) {
|
1267
1439
|
return false;
|
1268
1440
|
}
|
1269
1441
|
|
@@ -1276,7 +1448,7 @@ static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1276
1448
|
if (contents == NULL) {
|
1277
1449
|
if (ssl->quic_method) {
|
1278
1450
|
// ALPN is required when QUIC is used.
|
1279
|
-
OPENSSL_PUT_ERROR(SSL,
|
1451
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
1280
1452
|
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
1281
1453
|
return false;
|
1282
1454
|
}
|
@@ -1319,6 +1491,22 @@ static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1319
1491
|
return true;
|
1320
1492
|
}
|
1321
1493
|
|
1494
|
+
bool ssl_is_valid_alpn_list(Span<const uint8_t> in) {
|
1495
|
+
CBS protocol_name_list = in;
|
1496
|
+
if (CBS_len(&protocol_name_list) == 0) {
|
1497
|
+
return false;
|
1498
|
+
}
|
1499
|
+
while (CBS_len(&protocol_name_list) > 0) {
|
1500
|
+
CBS protocol_name;
|
1501
|
+
if (!CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
|
1502
|
+
// Empty protocol names are forbidden.
|
1503
|
+
CBS_len(&protocol_name) == 0) {
|
1504
|
+
return false;
|
1505
|
+
}
|
1506
|
+
}
|
1507
|
+
return true;
|
1508
|
+
}
|
1509
|
+
|
1322
1510
|
bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,
|
1323
1511
|
Span<const uint8_t> protocol) {
|
1324
1512
|
if (hs->config->alpn_client_proto_list.empty()) {
|
@@ -1357,7 +1545,7 @@ bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1357
1545
|
TLSEXT_TYPE_application_layer_protocol_negotiation)) {
|
1358
1546
|
if (ssl->quic_method) {
|
1359
1547
|
// ALPN is required when QUIC is used.
|
1360
|
-
OPENSSL_PUT_ERROR(SSL,
|
1548
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
1361
1549
|
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
1362
1550
|
return false;
|
1363
1551
|
}
|
@@ -1371,46 +1559,47 @@ bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1371
1559
|
CBS protocol_name_list;
|
1372
1560
|
if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) ||
|
1373
1561
|
CBS_len(&contents) != 0 ||
|
1374
|
-
|
1562
|
+
!ssl_is_valid_alpn_list(protocol_name_list)) {
|
1375
1563
|
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
|
1376
1564
|
*out_alert = SSL_AD_DECODE_ERROR;
|
1377
1565
|
return false;
|
1378
1566
|
}
|
1379
1567
|
|
1380
|
-
// Validate the protocol list.
|
1381
|
-
CBS protocol_name_list_copy = protocol_name_list;
|
1382
|
-
while (CBS_len(&protocol_name_list_copy) > 0) {
|
1383
|
-
CBS protocol_name;
|
1384
|
-
if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
|
1385
|
-
// Empty protocol names are forbidden.
|
1386
|
-
CBS_len(&protocol_name) == 0) {
|
1387
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
|
1388
|
-
*out_alert = SSL_AD_DECODE_ERROR;
|
1389
|
-
return false;
|
1390
|
-
}
|
1391
|
-
}
|
1392
|
-
|
1393
1568
|
const uint8_t *selected;
|
1394
1569
|
uint8_t selected_len;
|
1395
|
-
|
1396
|
-
|
1397
|
-
|
1398
|
-
|
1399
|
-
|
1400
|
-
|
1401
|
-
|
1570
|
+
int ret = ssl->ctx->alpn_select_cb(
|
1571
|
+
ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
|
1572
|
+
CBS_len(&protocol_name_list), ssl->ctx->alpn_select_cb_arg);
|
1573
|
+
// ALPN is required when QUIC is used.
|
1574
|
+
if (ssl->quic_method &&
|
1575
|
+
(ret == SSL_TLSEXT_ERR_NOACK || ret == SSL_TLSEXT_ERR_ALERT_WARNING)) {
|
1576
|
+
ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
1577
|
+
}
|
1578
|
+
switch (ret) {
|
1579
|
+
case SSL_TLSEXT_ERR_OK:
|
1580
|
+
if (selected_len == 0) {
|
1581
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
|
1582
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
1583
|
+
return false;
|
1584
|
+
}
|
1585
|
+
if (!ssl->s3->alpn_selected.CopyFrom(
|
1586
|
+
MakeConstSpan(selected, selected_len))) {
|
1587
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
1588
|
+
return false;
|
1589
|
+
}
|
1590
|
+
break;
|
1591
|
+
case SSL_TLSEXT_ERR_NOACK:
|
1592
|
+
case SSL_TLSEXT_ERR_ALERT_WARNING:
|
1593
|
+
break;
|
1594
|
+
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
1595
|
+
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
1596
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
1402
1597
|
return false;
|
1403
|
-
|
1404
|
-
|
1405
|
-
MakeConstSpan(selected, selected_len))) {
|
1598
|
+
default:
|
1599
|
+
// Invalid return value.
|
1406
1600
|
*out_alert = SSL_AD_INTERNAL_ERROR;
|
1601
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
1407
1602
|
return false;
|
1408
|
-
}
|
1409
|
-
} else if (ssl->quic_method) {
|
1410
|
-
// ALPN is required when QUIC is used.
|
1411
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_ALPN);
|
1412
|
-
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
1413
|
-
return false;
|
1414
1603
|
}
|
1415
1604
|
|
1416
1605
|
return true;
|
@@ -1441,13 +1630,20 @@ static bool ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1441
1630
|
//
|
1442
1631
|
// https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
|
1443
1632
|
|
1444
|
-
static
|
1445
|
-
|
1446
|
-
|
1447
|
-
|
1448
|
-
|
1449
|
-
|
1450
|
-
|
1633
|
+
static bool ext_channel_id_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
1634
|
+
CBB *out_compressible,
|
1635
|
+
ssl_client_hello_type_t type) {
|
1636
|
+
const SSL *const ssl = hs->ssl;
|
1637
|
+
if (!hs->config->channel_id_private || SSL_is_dtls(ssl) ||
|
1638
|
+
// Don't offer Channel ID in ClientHelloOuter. ClientHelloOuter handshakes
|
1639
|
+
// are not authenticated for the name that can learn the Channel ID.
|
1640
|
+
//
|
1641
|
+
// We could alternatively offer the extension but sign with a random key.
|
1642
|
+
// For other extensions, we try to align |ssl_client_hello_outer| and
|
1643
|
+
// |ssl_client_hello_unencrypted|, to improve the effectiveness of ECH
|
1644
|
+
// GREASE. However, Channel ID is deprecated and unlikely to be used with
|
1645
|
+
// ECH, so do the simplest thing.
|
1646
|
+
type == ssl_client_hello_outer) {
|
1451
1647
|
return true;
|
1452
1648
|
}
|
1453
1649
|
|
@@ -1462,19 +1658,18 @@ static bool ext_channel_id_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1462
1658
|
static bool ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs,
|
1463
1659
|
uint8_t *out_alert,
|
1464
1660
|
CBS *contents) {
|
1465
|
-
SSL *const ssl = hs->ssl;
|
1466
1661
|
if (contents == NULL) {
|
1467
1662
|
return true;
|
1468
1663
|
}
|
1469
1664
|
|
1470
|
-
assert(!SSL_is_dtls(ssl));
|
1471
|
-
assert(hs->config->
|
1665
|
+
assert(!SSL_is_dtls(hs->ssl));
|
1666
|
+
assert(hs->config->channel_id_private);
|
1472
1667
|
|
1473
1668
|
if (CBS_len(contents) != 0) {
|
1474
1669
|
return false;
|
1475
1670
|
}
|
1476
1671
|
|
1477
|
-
|
1672
|
+
hs->channel_id_negotiated = true;
|
1478
1673
|
return true;
|
1479
1674
|
}
|
1480
1675
|
|
@@ -1490,13 +1685,12 @@ static bool ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
1490
1685
|
return false;
|
1491
1686
|
}
|
1492
1687
|
|
1493
|
-
|
1688
|
+
hs->channel_id_negotiated = true;
|
1494
1689
|
return true;
|
1495
1690
|
}
|
1496
1691
|
|
1497
1692
|
static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
1498
|
-
|
1499
|
-
if (!ssl->s3->channel_id_valid) {
|
1693
|
+
if (!hs->channel_id_negotiated) {
|
1500
1694
|
return true;
|
1501
1695
|
}
|
1502
1696
|
|
@@ -1513,22 +1707,21 @@ static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1513
1707
|
//
|
1514
1708
|
// https://tools.ietf.org/html/rfc5764
|
1515
1709
|
|
1516
|
-
|
1517
|
-
|
1518
|
-
|
1519
|
-
|
1520
|
-
|
1521
|
-
|
1522
|
-
SSL *const ssl = hs->ssl;
|
1523
|
-
STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
|
1710
|
+
static bool ext_srtp_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
1711
|
+
CBB *out_compressible,
|
1712
|
+
ssl_client_hello_type_t type) {
|
1713
|
+
const SSL *const ssl = hs->ssl;
|
1714
|
+
const STACK_OF(SRTP_PROTECTION_PROFILE) *profiles =
|
1715
|
+
SSL_get_srtp_profiles(ssl);
|
1524
1716
|
if (profiles == NULL ||
|
1525
|
-
sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0
|
1717
|
+
sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0 ||
|
1718
|
+
!SSL_is_dtls(ssl)) {
|
1526
1719
|
return true;
|
1527
1720
|
}
|
1528
1721
|
|
1529
1722
|
CBB contents, profile_ids;
|
1530
|
-
if (!CBB_add_u16(
|
1531
|
-
!CBB_add_u16_length_prefixed(
|
1723
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_srtp) ||
|
1724
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
1532
1725
|
!CBB_add_u16_length_prefixed(&contents, &profile_ids)) {
|
1533
1726
|
return false;
|
1534
1727
|
}
|
@@ -1540,7 +1733,7 @@ static bool ext_srtp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1540
1733
|
}
|
1541
1734
|
|
1542
1735
|
if (!CBB_add_u8(&contents, 0 /* empty use_mki value */) ||
|
1543
|
-
!CBB_flush(
|
1736
|
+
!CBB_flush(out_compressible)) {
|
1544
1737
|
return false;
|
1545
1738
|
}
|
1546
1739
|
|
@@ -1558,6 +1751,7 @@ static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1558
1751
|
// single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
|
1559
1752
|
//
|
1560
1753
|
// See https://tools.ietf.org/html/rfc5764#section-4.1.1
|
1754
|
+
assert(SSL_is_dtls(ssl));
|
1561
1755
|
CBS profile_ids, srtp_mki;
|
1562
1756
|
uint16_t profile_id;
|
1563
1757
|
if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
|
@@ -1576,11 +1770,8 @@ static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1576
1770
|
return false;
|
1577
1771
|
}
|
1578
1772
|
|
1579
|
-
|
1580
|
-
|
1581
|
-
// Check to see if the server gave us something we support (and presumably
|
1582
|
-
// offered).
|
1583
|
-
for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
|
1773
|
+
// Check to see if the server gave us something we support and offered.
|
1774
|
+
for (const SRTP_PROTECTION_PROFILE *profile : SSL_get_srtp_profiles(ssl)) {
|
1584
1775
|
if (profile->id == profile_id) {
|
1585
1776
|
ssl->s3->srtp_profile = profile;
|
1586
1777
|
return true;
|
@@ -1595,7 +1786,8 @@ static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1595
1786
|
static bool ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
1596
1787
|
CBS *contents) {
|
1597
1788
|
SSL *const ssl = hs->ssl;
|
1598
|
-
|
1789
|
+
// DTLS-SRTP is only defined for DTLS.
|
1790
|
+
if (contents == NULL || !SSL_is_dtls(ssl)) {
|
1599
1791
|
return true;
|
1600
1792
|
}
|
1601
1793
|
|
@@ -1639,6 +1831,7 @@ static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1639
1831
|
return true;
|
1640
1832
|
}
|
1641
1833
|
|
1834
|
+
assert(SSL_is_dtls(ssl));
|
1642
1835
|
CBB contents, profile_ids;
|
1643
1836
|
if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
|
1644
1837
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
@@ -1657,7 +1850,7 @@ static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1657
1850
|
//
|
1658
1851
|
// https://tools.ietf.org/html/rfc4492#section-5.1.2
|
1659
1852
|
|
1660
|
-
static bool ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
|
1853
|
+
static bool ext_ec_point_add_extension(const SSL_HANDSHAKE *hs, CBB *out) {
|
1661
1854
|
CBB contents, formats;
|
1662
1855
|
if (!CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) ||
|
1663
1856
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
@@ -1670,9 +1863,11 @@ static bool ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1670
1863
|
return true;
|
1671
1864
|
}
|
1672
1865
|
|
1673
|
-
static bool ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
1866
|
+
static bool ext_ec_point_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
1867
|
+
CBB *out_compressible,
|
1868
|
+
ssl_client_hello_type_t type) {
|
1674
1869
|
// The point format extension is unnecessary in TLS 1.3.
|
1675
|
-
if (hs->min_version >= TLS1_3_VERSION) {
|
1870
|
+
if (hs->min_version >= TLS1_3_VERSION || type == ssl_client_hello_inner) {
|
1676
1871
|
return true;
|
1677
1872
|
}
|
1678
1873
|
|
@@ -1738,10 +1933,34 @@ static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1738
1933
|
//
|
1739
1934
|
// https://tools.ietf.org/html/rfc8446#section-4.2.11
|
1740
1935
|
|
1741
|
-
static
|
1742
|
-
|
1936
|
+
static bool should_offer_psk(const SSL_HANDSHAKE *hs,
|
1937
|
+
ssl_client_hello_type_t type) {
|
1938
|
+
const SSL *const ssl = hs->ssl;
|
1743
1939
|
if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
|
1744
|
-
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION
|
1940
|
+
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
|
1941
|
+
// TODO(https://crbug.com/boringssl/275): Should we synthesize a
|
1942
|
+
// placeholder PSK, at least when we offer early data? Otherwise
|
1943
|
+
// ClientHelloOuter will contain an early_data extension without a
|
1944
|
+
// pre_shared_key extension and potentially break the recovery flow.
|
1945
|
+
type == ssl_client_hello_outer) {
|
1946
|
+
return false;
|
1947
|
+
}
|
1948
|
+
|
1949
|
+
// Per RFC 8446 section 4.1.4, skip offering the session if the selected
|
1950
|
+
// cipher in HelloRetryRequest does not match. This avoids performing the
|
1951
|
+
// transcript hash transformation for multiple hashes.
|
1952
|
+
if (ssl->s3->used_hello_retry_request &&
|
1953
|
+
ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
|
1954
|
+
return false;
|
1955
|
+
}
|
1956
|
+
|
1957
|
+
return true;
|
1958
|
+
}
|
1959
|
+
|
1960
|
+
static size_t ext_pre_shared_key_clienthello_length(
|
1961
|
+
const SSL_HANDSHAKE *hs, ssl_client_hello_type_t type) {
|
1962
|
+
const SSL *const ssl = hs->ssl;
|
1963
|
+
if (!should_offer_psk(hs, type)) {
|
1745
1964
|
return 0;
|
1746
1965
|
}
|
1747
1966
|
|
@@ -1749,19 +1968,12 @@ static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
|
|
1749
1968
|
return 15 + ssl->session->ticket.size() + binder_len;
|
1750
1969
|
}
|
1751
1970
|
|
1752
|
-
static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs,
|
1753
|
-
|
1754
|
-
|
1755
|
-
|
1756
|
-
|
1757
|
-
|
1758
|
-
}
|
1759
|
-
|
1760
|
-
// Per RFC 8446 section 4.1.4, skip offering the session if the selected
|
1761
|
-
// cipher in HelloRetryRequest does not match. This avoids performing the
|
1762
|
-
// transcript hash transformation for multiple hashes.
|
1763
|
-
if (ssl->s3 && ssl->s3->used_hello_retry_request &&
|
1764
|
-
ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
|
1971
|
+
static bool ext_pre_shared_key_add_clienthello(const SSL_HANDSHAKE *hs,
|
1972
|
+
CBB *out, bool *out_needs_binder,
|
1973
|
+
ssl_client_hello_type_t type) {
|
1974
|
+
const SSL *const ssl = hs->ssl;
|
1975
|
+
*out_needs_binder = false;
|
1976
|
+
if (!should_offer_psk(hs, type)) {
|
1765
1977
|
return true;
|
1766
1978
|
}
|
1767
1979
|
|
@@ -1772,7 +1984,6 @@ static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1772
1984
|
|
1773
1985
|
// Fill in a placeholder zero binder of the appropriate length. It will be
|
1774
1986
|
// computed and filled in later after length prefixes are computed.
|
1775
|
-
uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
|
1776
1987
|
size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
|
1777
1988
|
|
1778
1989
|
CBB contents, identity, ticket, binders, binder;
|
@@ -1785,11 +1996,11 @@ static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1785
1996
|
!CBB_add_u32(&identity, obfuscated_ticket_age) ||
|
1786
1997
|
!CBB_add_u16_length_prefixed(&contents, &binders) ||
|
1787
1998
|
!CBB_add_u8_length_prefixed(&binders, &binder) ||
|
1788
|
-
!
|
1999
|
+
!CBB_add_zeros(&binder, binder_len)) {
|
1789
2000
|
return false;
|
1790
2001
|
}
|
1791
2002
|
|
1792
|
-
|
2003
|
+
*out_needs_binder = true;
|
1793
2004
|
return CBB_flush(out);
|
1794
2005
|
}
|
1795
2006
|
|
@@ -1902,21 +2113,22 @@ bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1902
2113
|
//
|
1903
2114
|
// https://tools.ietf.org/html/rfc8446#section-4.2.9
|
1904
2115
|
|
1905
|
-
static bool ext_psk_key_exchange_modes_add_clienthello(
|
1906
|
-
|
2116
|
+
static bool ext_psk_key_exchange_modes_add_clienthello(
|
2117
|
+
const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,
|
2118
|
+
ssl_client_hello_type_t type) {
|
1907
2119
|
if (hs->max_version < TLS1_3_VERSION) {
|
1908
2120
|
return true;
|
1909
2121
|
}
|
1910
2122
|
|
1911
2123
|
CBB contents, ke_modes;
|
1912
|
-
if (!CBB_add_u16(
|
1913
|
-
!CBB_add_u16_length_prefixed(
|
2124
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_psk_key_exchange_modes) ||
|
2125
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
1914
2126
|
!CBB_add_u8_length_prefixed(&contents, &ke_modes) ||
|
1915
2127
|
!CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE)) {
|
1916
2128
|
return false;
|
1917
2129
|
}
|
1918
2130
|
|
1919
|
-
return CBB_flush(
|
2131
|
+
return CBB_flush(out_compressible);
|
1920
2132
|
}
|
1921
2133
|
|
1922
2134
|
static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
|
@@ -1946,23 +2158,10 @@ static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
1946
2158
|
//
|
1947
2159
|
// https://tools.ietf.org/html/rfc8446#section-4.2.10
|
1948
2160
|
|
1949
|
-
|
1950
|
-
|
1951
|
-
|
1952
|
-
|
1953
|
-
const SSL_HANDSHAKE *hs, Span<const uint8_t> *out_settings,
|
1954
|
-
Span<const uint8_t> protocol) {
|
1955
|
-
for (const ALPSConfig &config : hs->config->alps_configs) {
|
1956
|
-
if (protocol == config.protocol) {
|
1957
|
-
*out_settings = config.settings;
|
1958
|
-
return true;
|
1959
|
-
}
|
1960
|
-
}
|
1961
|
-
return false;
|
1962
|
-
}
|
1963
|
-
|
1964
|
-
static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
1965
|
-
SSL *const ssl = hs->ssl;
|
2161
|
+
static bool ext_early_data_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
2162
|
+
CBB *out_compressible,
|
2163
|
+
ssl_client_hello_type_t type) {
|
2164
|
+
const SSL *const ssl = hs->ssl;
|
1966
2165
|
// The second ClientHello never offers early data, and we must have already
|
1967
2166
|
// filled in |early_data_reason| by this point.
|
1968
2167
|
if (ssl->s3->used_hello_retry_request) {
|
@@ -1970,53 +2169,17 @@ static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1970
2169
|
return true;
|
1971
2170
|
}
|
1972
2171
|
|
1973
|
-
if (!
|
1974
|
-
ssl->s3->early_data_reason = ssl_early_data_disabled;
|
1975
|
-
return true;
|
1976
|
-
}
|
1977
|
-
|
1978
|
-
if (hs->max_version < TLS1_3_VERSION) {
|
1979
|
-
// We discard inapplicable sessions, so this is redundant with the session
|
1980
|
-
// checks below, but we check give a more useful reason.
|
1981
|
-
ssl->s3->early_data_reason = ssl_early_data_protocol_version;
|
1982
|
-
return true;
|
1983
|
-
}
|
1984
|
-
|
1985
|
-
if (ssl->session == nullptr) {
|
1986
|
-
ssl->s3->early_data_reason = ssl_early_data_no_session_offered;
|
1987
|
-
return true;
|
1988
|
-
}
|
1989
|
-
|
1990
|
-
if (ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
|
1991
|
-
ssl->session->ticket_max_early_data == 0) {
|
1992
|
-
ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session;
|
2172
|
+
if (!hs->early_data_offered) {
|
1993
2173
|
return true;
|
1994
2174
|
}
|
1995
2175
|
|
1996
|
-
|
1997
|
-
|
1998
|
-
|
1999
|
-
|
2000
|
-
|
2001
|
-
|
2002
|
-
|
2003
|
-
Span<const uint8_t> settings;
|
2004
|
-
bool has_alps = ssl_get_local_application_settings(
|
2005
|
-
hs, &settings, ssl->session->early_alpn);
|
2006
|
-
if (has_alps != ssl->session->has_application_settings ||
|
2007
|
-
settings != ssl->session->local_application_settings) {
|
2008
|
-
// 0-RTT carries ALPS over, so we only offer it when the value matches.
|
2009
|
-
ssl->s3->early_data_reason = ssl_early_data_alps_mismatch;
|
2010
|
-
return true;
|
2011
|
-
}
|
2012
|
-
}
|
2013
|
-
|
2014
|
-
// |early_data_reason| will be filled in later when the server responds.
|
2015
|
-
hs->early_data_offered = true;
|
2016
|
-
|
2017
|
-
if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
|
2018
|
-
!CBB_add_u16(out, 0) ||
|
2019
|
-
!CBB_flush(out)) {
|
2176
|
+
// If offering ECH, the extension only applies to ClientHelloInner, but we
|
2177
|
+
// send the extension in both ClientHellos. This ensures that, if the server
|
2178
|
+
// handshakes with ClientHelloOuter, it can skip past early data. See
|
2179
|
+
// draft-ietf-tls-esni-13, section 6.1.
|
2180
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_early_data) ||
|
2181
|
+
!CBB_add_u16(out_compressible, 0) ||
|
2182
|
+
!CBB_flush(out_compressible)) {
|
2020
2183
|
return false;
|
2021
2184
|
}
|
2022
2185
|
|
@@ -2097,43 +2260,33 @@ static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2097
2260
|
//
|
2098
2261
|
// https://tools.ietf.org/html/rfc8446#section-4.2.8
|
2099
2262
|
|
2100
|
-
|
2263
|
+
bool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id) {
|
2101
2264
|
SSL *const ssl = hs->ssl;
|
2265
|
+
hs->key_shares[0].reset();
|
2266
|
+
hs->key_shares[1].reset();
|
2267
|
+
hs->key_share_bytes.Reset();
|
2268
|
+
|
2102
2269
|
if (hs->max_version < TLS1_3_VERSION) {
|
2103
2270
|
return true;
|
2104
2271
|
}
|
2105
2272
|
|
2106
|
-
|
2107
|
-
if (!
|
2108
|
-
!CBB_add_u16_length_prefixed(out, &contents) ||
|
2109
|
-
!CBB_add_u16_length_prefixed(&contents, &kse_bytes)) {
|
2273
|
+
bssl::ScopedCBB cbb;
|
2274
|
+
if (!CBB_init(cbb.get(), 64)) {
|
2110
2275
|
return false;
|
2111
2276
|
}
|
2112
2277
|
|
2113
|
-
|
2114
|
-
|
2115
|
-
|
2116
|
-
|
2117
|
-
|
2118
|
-
if (group_id == 0 &&
|
2119
|
-
!CBB_add_bytes(&kse_bytes, hs->key_share_bytes.data(),
|
2120
|
-
hs->key_share_bytes.size())) {
|
2121
|
-
return false;
|
2122
|
-
}
|
2123
|
-
hs->key_share_bytes.Reset();
|
2124
|
-
if (group_id == 0) {
|
2125
|
-
return CBB_flush(out);
|
2126
|
-
}
|
2127
|
-
} else {
|
2128
|
-
// Add a fake group. See draft-davidben-tls-grease-01.
|
2129
|
-
if (ssl->ctx->grease_enabled &&
|
2130
|
-
(!CBB_add_u16(&kse_bytes,
|
2131
|
-
ssl_get_grease_value(hs, ssl_grease_group)) ||
|
2132
|
-
!CBB_add_u16(&kse_bytes, 1 /* length */) ||
|
2133
|
-
!CBB_add_u8(&kse_bytes, 0 /* one byte key share */))) {
|
2278
|
+
if (override_group_id == 0 && ssl->ctx->grease_enabled) {
|
2279
|
+
// Add a fake group. See RFC 8701.
|
2280
|
+
if (!CBB_add_u16(cbb.get(), ssl_get_grease_value(hs, ssl_grease_group)) ||
|
2281
|
+
!CBB_add_u16(cbb.get(), 1 /* length */) ||
|
2282
|
+
!CBB_add_u8(cbb.get(), 0 /* one byte key share */)) {
|
2134
2283
|
return false;
|
2135
2284
|
}
|
2285
|
+
}
|
2136
2286
|
|
2287
|
+
uint16_t group_id = override_group_id;
|
2288
|
+
uint16_t second_group_id = 0;
|
2289
|
+
if (override_group_id == 0) {
|
2137
2290
|
// Predict the most preferred group.
|
2138
2291
|
Span<const uint16_t> groups = tls1_get_grouplist(hs);
|
2139
2292
|
if (groups.empty()) {
|
@@ -2153,34 +2306,45 @@ static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2153
2306
|
|
2154
2307
|
CBB key_exchange;
|
2155
2308
|
hs->key_shares[0] = SSLKeyShare::Create(group_id);
|
2156
|
-
if (!hs->key_shares[0] ||
|
2157
|
-
!CBB_add_u16(
|
2158
|
-
!CBB_add_u16_length_prefixed(
|
2159
|
-
!hs->key_shares[0]->Offer(&key_exchange)
|
2160
|
-
!CBB_flush(&kse_bytes)) {
|
2309
|
+
if (!hs->key_shares[0] || //
|
2310
|
+
!CBB_add_u16(cbb.get(), group_id) ||
|
2311
|
+
!CBB_add_u16_length_prefixed(cbb.get(), &key_exchange) ||
|
2312
|
+
!hs->key_shares[0]->Offer(&key_exchange)) {
|
2161
2313
|
return false;
|
2162
2314
|
}
|
2163
2315
|
|
2164
2316
|
if (second_group_id != 0) {
|
2165
2317
|
hs->key_shares[1] = SSLKeyShare::Create(second_group_id);
|
2166
|
-
if (!hs->key_shares[1] ||
|
2167
|
-
!CBB_add_u16(
|
2168
|
-
!CBB_add_u16_length_prefixed(
|
2169
|
-
!hs->key_shares[1]->Offer(&key_exchange)
|
2170
|
-
!CBB_flush(&kse_bytes)) {
|
2318
|
+
if (!hs->key_shares[1] || //
|
2319
|
+
!CBB_add_u16(cbb.get(), second_group_id) ||
|
2320
|
+
!CBB_add_u16_length_prefixed(cbb.get(), &key_exchange) ||
|
2321
|
+
!hs->key_shares[1]->Offer(&key_exchange)) {
|
2171
2322
|
return false;
|
2172
2323
|
}
|
2173
2324
|
}
|
2174
2325
|
|
2175
|
-
|
2176
|
-
|
2177
|
-
|
2178
|
-
|
2179
|
-
|
2326
|
+
return CBBFinishArray(cbb.get(), &hs->key_share_bytes);
|
2327
|
+
}
|
2328
|
+
|
2329
|
+
static bool ext_key_share_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
2330
|
+
CBB *out_compressible,
|
2331
|
+
ssl_client_hello_type_t type) {
|
2332
|
+
if (hs->max_version < TLS1_3_VERSION) {
|
2333
|
+
return true;
|
2334
|
+
}
|
2335
|
+
|
2336
|
+
assert(!hs->key_share_bytes.empty());
|
2337
|
+
CBB contents, kse_bytes;
|
2338
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_key_share) ||
|
2339
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
2340
|
+
!CBB_add_u16_length_prefixed(&contents, &kse_bytes) ||
|
2341
|
+
!CBB_add_bytes(&kse_bytes, hs->key_share_bytes.data(),
|
2342
|
+
hs->key_share_bytes.size()) ||
|
2343
|
+
!CBB_flush(out_compressible)) {
|
2180
2344
|
return false;
|
2181
2345
|
}
|
2182
2346
|
|
2183
|
-
return
|
2347
|
+
return true;
|
2184
2348
|
}
|
2185
2349
|
|
2186
2350
|
bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
|
@@ -2218,25 +2382,29 @@ bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
2218
2382
|
}
|
2219
2383
|
|
2220
2384
|
bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
|
2221
|
-
|
2222
|
-
uint8_t *out_alert,
|
2223
|
-
|
2224
|
-
|
2225
|
-
|
2226
|
-
|
2227
|
-
|
2385
|
+
Span<const uint8_t> *out_peer_key,
|
2386
|
+
uint8_t *out_alert,
|
2387
|
+
const SSL_CLIENT_HELLO *client_hello) {
|
2388
|
+
// We only support connections that include an ECDHE key exchange.
|
2389
|
+
CBS contents;
|
2390
|
+
if (!ssl_client_hello_get_extension(client_hello, &contents,
|
2391
|
+
TLSEXT_TYPE_key_share)) {
|
2392
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
|
2393
|
+
*out_alert = SSL_AD_MISSING_EXTENSION;
|
2228
2394
|
return false;
|
2229
2395
|
}
|
2230
2396
|
|
2231
|
-
|
2232
|
-
|
2397
|
+
CBS key_shares;
|
2398
|
+
if (!CBS_get_u16_length_prefixed(&contents, &key_shares) ||
|
2399
|
+
CBS_len(&contents) != 0) {
|
2233
2400
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
2234
2401
|
return false;
|
2235
2402
|
}
|
2236
2403
|
|
2237
2404
|
// Find the corresponding key share.
|
2405
|
+
const uint16_t group_id = hs->new_session->group_id;
|
2238
2406
|
CBS peer_key;
|
2239
|
-
CBS_init(&peer_key,
|
2407
|
+
CBS_init(&peer_key, nullptr, 0);
|
2240
2408
|
while (CBS_len(&key_shares) > 0) {
|
2241
2409
|
uint16_t id;
|
2242
2410
|
CBS peer_key_tmp;
|
@@ -2259,46 +2427,24 @@ bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
|
|
2259
2427
|
}
|
2260
2428
|
}
|
2261
2429
|
|
2262
|
-
if (
|
2263
|
-
*
|
2264
|
-
out_secret->Reset();
|
2265
|
-
return true;
|
2266
|
-
}
|
2267
|
-
|
2268
|
-
// Compute the DH secret.
|
2269
|
-
Array<uint8_t> secret;
|
2270
|
-
ScopedCBB public_key;
|
2271
|
-
UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id);
|
2272
|
-
if (!key_share ||
|
2273
|
-
!CBB_init(public_key.get(), 32) ||
|
2274
|
-
!key_share->Accept(public_key.get(), &secret, out_alert, peer_key) ||
|
2275
|
-
!CBBFinishArray(public_key.get(), &hs->ecdh_public_key)) {
|
2276
|
-
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
2277
|
-
return false;
|
2430
|
+
if (out_peer_key != nullptr) {
|
2431
|
+
*out_peer_key = peer_key;
|
2278
2432
|
}
|
2279
|
-
|
2280
|
-
*out_secret = std::move(secret);
|
2281
|
-
*out_found = true;
|
2433
|
+
*out_found = CBS_len(&peer_key) != 0;
|
2282
2434
|
return true;
|
2283
2435
|
}
|
2284
2436
|
|
2285
2437
|
bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
2286
|
-
uint16_t group_id;
|
2287
2438
|
CBB kse_bytes, public_key;
|
2288
|
-
if (!
|
2289
|
-
!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
|
2439
|
+
if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
|
2290
2440
|
!CBB_add_u16_length_prefixed(out, &kse_bytes) ||
|
2291
|
-
!CBB_add_u16(&kse_bytes, group_id) ||
|
2441
|
+
!CBB_add_u16(&kse_bytes, hs->new_session->group_id) ||
|
2292
2442
|
!CBB_add_u16_length_prefixed(&kse_bytes, &public_key) ||
|
2293
2443
|
!CBB_add_bytes(&public_key, hs->ecdh_public_key.data(),
|
2294
2444
|
hs->ecdh_public_key.size()) ||
|
2295
2445
|
!CBB_flush(out)) {
|
2296
2446
|
return false;
|
2297
2447
|
}
|
2298
|
-
|
2299
|
-
hs->ecdh_public_key.Reset();
|
2300
|
-
|
2301
|
-
hs->new_session->group_id = group_id;
|
2302
2448
|
return true;
|
2303
2449
|
}
|
2304
2450
|
|
@@ -2307,12 +2453,20 @@ bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2307
2453
|
//
|
2308
2454
|
// https://tools.ietf.org/html/rfc8446#section-4.2.1
|
2309
2455
|
|
2310
|
-
static bool ext_supported_versions_add_clienthello(
|
2311
|
-
|
2456
|
+
static bool ext_supported_versions_add_clienthello(
|
2457
|
+
const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,
|
2458
|
+
ssl_client_hello_type_t type) {
|
2459
|
+
const SSL *const ssl = hs->ssl;
|
2312
2460
|
if (hs->max_version <= TLS1_2_VERSION) {
|
2313
2461
|
return true;
|
2314
2462
|
}
|
2315
2463
|
|
2464
|
+
// supported_versions is compressible in ECH if ClientHelloOuter already
|
2465
|
+
// requires TLS 1.3. Otherwise the extensions differ in the older versions.
|
2466
|
+
if (hs->min_version >= TLS1_3_VERSION) {
|
2467
|
+
out = out_compressible;
|
2468
|
+
}
|
2469
|
+
|
2316
2470
|
CBB contents, versions;
|
2317
2471
|
if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||
|
2318
2472
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
@@ -2320,13 +2474,16 @@ static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out)
|
|
2320
2474
|
return false;
|
2321
2475
|
}
|
2322
2476
|
|
2323
|
-
// Add a fake version. See
|
2477
|
+
// Add a fake version. See RFC 8701.
|
2324
2478
|
if (ssl->ctx->grease_enabled &&
|
2325
2479
|
!CBB_add_u16(&versions, ssl_get_grease_value(hs, ssl_grease_version))) {
|
2326
2480
|
return false;
|
2327
2481
|
}
|
2328
2482
|
|
2329
|
-
|
2483
|
+
// Encrypted ClientHellos requires TLS 1.3 or later.
|
2484
|
+
uint16_t extra_min_version =
|
2485
|
+
type == ssl_client_hello_inner ? TLS1_3_VERSION : 0;
|
2486
|
+
if (!ssl_add_supported_versions(hs, &versions, extra_min_version) ||
|
2330
2487
|
!CBB_flush(out)) {
|
2331
2488
|
return false;
|
2332
2489
|
}
|
@@ -2339,22 +2496,22 @@ static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out)
|
|
2339
2496
|
//
|
2340
2497
|
// https://tools.ietf.org/html/rfc8446#section-4.2.2
|
2341
2498
|
|
2342
|
-
static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
2499
|
+
static bool ext_cookie_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
2500
|
+
CBB *out_compressible,
|
2501
|
+
ssl_client_hello_type_t type) {
|
2343
2502
|
if (hs->cookie.empty()) {
|
2344
2503
|
return true;
|
2345
2504
|
}
|
2346
2505
|
|
2347
2506
|
CBB contents, cookie;
|
2348
|
-
if (!CBB_add_u16(
|
2349
|
-
!CBB_add_u16_length_prefixed(
|
2507
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_cookie) ||
|
2508
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
2350
2509
|
!CBB_add_u16_length_prefixed(&contents, &cookie) ||
|
2351
2510
|
!CBB_add_bytes(&cookie, hs->cookie.data(), hs->cookie.size()) ||
|
2352
|
-
!CBB_flush(
|
2511
|
+
!CBB_flush(out_compressible)) {
|
2353
2512
|
return false;
|
2354
2513
|
}
|
2355
2514
|
|
2356
|
-
// The cookie is no longer needed in memory.
|
2357
|
-
hs->cookie.Reset();
|
2358
2515
|
return true;
|
2359
2516
|
}
|
2360
2517
|
|
@@ -2364,16 +2521,19 @@ static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2364
2521
|
// https://tools.ietf.org/html/rfc4492#section-5.1.1
|
2365
2522
|
// https://tools.ietf.org/html/rfc8446#section-4.2.7
|
2366
2523
|
|
2367
|
-
static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs,
|
2368
|
-
|
2524
|
+
static bool ext_supported_groups_add_clienthello(const SSL_HANDSHAKE *hs,
|
2525
|
+
CBB *out,
|
2526
|
+
CBB *out_compressible,
|
2527
|
+
ssl_client_hello_type_t type) {
|
2528
|
+
const SSL *const ssl = hs->ssl;
|
2369
2529
|
CBB contents, groups_bytes;
|
2370
|
-
if (!CBB_add_u16(
|
2371
|
-
!CBB_add_u16_length_prefixed(
|
2530
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_supported_groups) ||
|
2531
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
2372
2532
|
!CBB_add_u16_length_prefixed(&contents, &groups_bytes)) {
|
2373
2533
|
return false;
|
2374
2534
|
}
|
2375
2535
|
|
2376
|
-
// Add a fake group. See
|
2536
|
+
// Add a fake group. See RFC 8701.
|
2377
2537
|
if (ssl->ctx->grease_enabled &&
|
2378
2538
|
!CBB_add_u16(&groups_bytes,
|
2379
2539
|
ssl_get_grease_value(hs, ssl_grease_group))) {
|
@@ -2390,7 +2550,7 @@ static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2390
2550
|
}
|
2391
2551
|
}
|
2392
2552
|
|
2393
|
-
return CBB_flush(
|
2553
|
+
return CBB_flush(out_compressible);
|
2394
2554
|
}
|
2395
2555
|
|
2396
2556
|
static bool ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs,
|
@@ -2442,158 +2602,11 @@ static bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
2442
2602
|
return true;
|
2443
2603
|
}
|
2444
2604
|
|
2445
|
-
// Token Binding
|
2446
|
-
//
|
2447
|
-
// https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-10
|
2448
|
-
|
2449
|
-
// The Token Binding version number currently matches the draft number of
|
2450
|
-
// draft-ietf-tokbind-protocol, and when published as an RFC it will be 0x0100.
|
2451
|
-
// Since there are no wire changes to the protocol from draft 13 through the
|
2452
|
-
// current draft (16), this implementation supports all versions in that range.
|
2453
|
-
static uint16_t kTokenBindingMaxVersion = 16;
|
2454
|
-
static uint16_t kTokenBindingMinVersion = 13;
|
2455
|
-
|
2456
|
-
static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
2457
|
-
SSL *const ssl = hs->ssl;
|
2458
|
-
if (hs->config->token_binding_params.empty() || SSL_is_dtls(ssl)) {
|
2459
|
-
return true;
|
2460
|
-
}
|
2461
|
-
|
2462
|
-
CBB contents, params;
|
2463
|
-
if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
|
2464
|
-
!CBB_add_u16_length_prefixed(out, &contents) ||
|
2465
|
-
!CBB_add_u16(&contents, kTokenBindingMaxVersion) ||
|
2466
|
-
!CBB_add_u8_length_prefixed(&contents, ¶ms) ||
|
2467
|
-
!CBB_add_bytes(¶ms, hs->config->token_binding_params.data(),
|
2468
|
-
hs->config->token_binding_params.size()) ||
|
2469
|
-
!CBB_flush(out)) {
|
2470
|
-
return false;
|
2471
|
-
}
|
2472
|
-
|
2473
|
-
return true;
|
2474
|
-
}
|
2475
|
-
|
2476
|
-
static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs,
|
2477
|
-
uint8_t *out_alert,
|
2478
|
-
CBS *contents) {
|
2479
|
-
SSL *const ssl = hs->ssl;
|
2480
|
-
if (contents == nullptr) {
|
2481
|
-
return true;
|
2482
|
-
}
|
2483
|
-
|
2484
|
-
CBS params_list;
|
2485
|
-
uint16_t version;
|
2486
|
-
uint8_t param;
|
2487
|
-
if (!CBS_get_u16(contents, &version) ||
|
2488
|
-
!CBS_get_u8_length_prefixed(contents, ¶ms_list) ||
|
2489
|
-
!CBS_get_u8(¶ms_list, ¶m) ||
|
2490
|
-
CBS_len(¶ms_list) > 0 ||
|
2491
|
-
CBS_len(contents) > 0) {
|
2492
|
-
*out_alert = SSL_AD_DECODE_ERROR;
|
2493
|
-
return false;
|
2494
|
-
}
|
2495
|
-
|
2496
|
-
// The server-negotiated version must be less than or equal to our version.
|
2497
|
-
if (version > kTokenBindingMaxVersion) {
|
2498
|
-
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
2499
|
-
return false;
|
2500
|
-
}
|
2501
|
-
|
2502
|
-
// If the server-selected version is less than what we support, then Token
|
2503
|
-
// Binding wasn't negotiated (but the extension was parsed successfully).
|
2504
|
-
if (version < kTokenBindingMinVersion) {
|
2505
|
-
return true;
|
2506
|
-
}
|
2507
|
-
|
2508
|
-
for (uint8_t config_param : hs->config->token_binding_params) {
|
2509
|
-
if (param == config_param) {
|
2510
|
-
ssl->s3->negotiated_token_binding_param = param;
|
2511
|
-
ssl->s3->token_binding_negotiated = true;
|
2512
|
-
return true;
|
2513
|
-
}
|
2514
|
-
}
|
2515
|
-
|
2516
|
-
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
2517
|
-
return false;
|
2518
|
-
}
|
2519
|
-
|
2520
|
-
// select_tb_param looks for the first token binding param in
|
2521
|
-
// |hs->ssl->token_binding_params| that is also in |params| and puts it in
|
2522
|
-
// |hs->ssl->negotiated_token_binding_param|. It returns true if a token binding
|
2523
|
-
// param is found, and false otherwise.
|
2524
|
-
static bool select_tb_param(SSL_HANDSHAKE *hs,
|
2525
|
-
Span<const uint8_t> peer_params) {
|
2526
|
-
for (uint8_t tb_param : hs->config->token_binding_params) {
|
2527
|
-
for (uint8_t peer_param : peer_params) {
|
2528
|
-
if (tb_param == peer_param) {
|
2529
|
-
hs->ssl->s3->negotiated_token_binding_param = tb_param;
|
2530
|
-
return true;
|
2531
|
-
}
|
2532
|
-
}
|
2533
|
-
}
|
2534
|
-
return false;
|
2535
|
-
}
|
2536
|
-
|
2537
|
-
static bool ext_token_binding_parse_clienthello(SSL_HANDSHAKE *hs,
|
2538
|
-
uint8_t *out_alert,
|
2539
|
-
CBS *contents) {
|
2540
|
-
SSL *const ssl = hs->ssl;
|
2541
|
-
if (contents == nullptr || hs->config->token_binding_params.empty()) {
|
2542
|
-
return true;
|
2543
|
-
}
|
2544
|
-
|
2545
|
-
CBS params;
|
2546
|
-
uint16_t version;
|
2547
|
-
if (!CBS_get_u16(contents, &version) ||
|
2548
|
-
!CBS_get_u8_length_prefixed(contents, ¶ms) ||
|
2549
|
-
CBS_len(¶ms) == 0 ||
|
2550
|
-
CBS_len(contents) > 0) {
|
2551
|
-
*out_alert = SSL_AD_DECODE_ERROR;
|
2552
|
-
return false;
|
2553
|
-
}
|
2554
|
-
|
2555
|
-
// If the client-selected version is less than what we support, then Token
|
2556
|
-
// Binding wasn't negotiated (but the extension was parsed successfully).
|
2557
|
-
if (version < kTokenBindingMinVersion) {
|
2558
|
-
return true;
|
2559
|
-
}
|
2560
|
-
|
2561
|
-
// If the client-selected version is higher than we support, use our max
|
2562
|
-
// version. Otherwise, use the client's version.
|
2563
|
-
hs->negotiated_token_binding_version =
|
2564
|
-
std::min(version, kTokenBindingMaxVersion);
|
2565
|
-
if (!select_tb_param(hs, params)) {
|
2566
|
-
return true;
|
2567
|
-
}
|
2568
|
-
|
2569
|
-
ssl->s3->token_binding_negotiated = true;
|
2570
|
-
return true;
|
2571
|
-
}
|
2572
|
-
|
2573
|
-
static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
2574
|
-
SSL *const ssl = hs->ssl;
|
2575
|
-
|
2576
|
-
if (!ssl->s3->token_binding_negotiated) {
|
2577
|
-
return true;
|
2578
|
-
}
|
2579
|
-
|
2580
|
-
CBB contents, params;
|
2581
|
-
if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
|
2582
|
-
!CBB_add_u16_length_prefixed(out, &contents) ||
|
2583
|
-
!CBB_add_u16(&contents, hs->negotiated_token_binding_version) ||
|
2584
|
-
!CBB_add_u8_length_prefixed(&contents, ¶ms) ||
|
2585
|
-
!CBB_add_u8(¶ms, ssl->s3->negotiated_token_binding_param) ||
|
2586
|
-
!CBB_flush(out)) {
|
2587
|
-
return false;
|
2588
|
-
}
|
2589
|
-
|
2590
|
-
return true;
|
2591
|
-
}
|
2592
2605
|
|
2593
2606
|
// QUIC Transport Parameters
|
2594
2607
|
|
2595
|
-
static bool
|
2596
|
-
|
2608
|
+
static bool ext_quic_transport_params_add_clienthello_impl(
|
2609
|
+
const SSL_HANDSHAKE *hs, CBB *out, bool use_legacy_codepoint) {
|
2597
2610
|
if (hs->config->quic_transport_params.empty() && !hs->ssl->quic_method) {
|
2598
2611
|
return true;
|
2599
2612
|
}
|
@@ -2605,9 +2618,18 @@ static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
|
|
2605
2618
|
return false;
|
2606
2619
|
}
|
2607
2620
|
assert(hs->min_version > TLS1_2_VERSION);
|
2621
|
+
if (use_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
2622
|
+
// Do nothing, we'll send the other codepoint.
|
2623
|
+
return true;
|
2624
|
+
}
|
2625
|
+
|
2626
|
+
uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters;
|
2627
|
+
if (hs->config->quic_use_legacy_codepoint) {
|
2628
|
+
extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;
|
2629
|
+
}
|
2608
2630
|
|
2609
2631
|
CBB contents;
|
2610
|
-
if (!CBB_add_u16(out,
|
2632
|
+
if (!CBB_add_u16(out, extension_type) ||
|
2611
2633
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
2612
2634
|
!CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
|
2613
2635
|
hs->config->quic_transport_params.size()) ||
|
@@ -2617,31 +2639,59 @@ static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
|
|
2617
2639
|
return true;
|
2618
2640
|
}
|
2619
2641
|
|
2620
|
-
static bool
|
2621
|
-
|
2622
|
-
|
2642
|
+
static bool ext_quic_transport_params_add_clienthello(
|
2643
|
+
const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,
|
2644
|
+
ssl_client_hello_type_t type) {
|
2645
|
+
return ext_quic_transport_params_add_clienthello_impl(
|
2646
|
+
hs, out_compressible, /*use_legacy_codepoint=*/false);
|
2647
|
+
}
|
2648
|
+
|
2649
|
+
static bool ext_quic_transport_params_add_clienthello_legacy(
|
2650
|
+
const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,
|
2651
|
+
ssl_client_hello_type_t type) {
|
2652
|
+
return ext_quic_transport_params_add_clienthello_impl(
|
2653
|
+
hs, out_compressible, /*use_legacy_codepoint=*/true);
|
2654
|
+
}
|
2655
|
+
|
2656
|
+
static bool ext_quic_transport_params_parse_serverhello_impl(
|
2657
|
+
SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents,
|
2658
|
+
bool used_legacy_codepoint) {
|
2623
2659
|
SSL *const ssl = hs->ssl;
|
2624
2660
|
if (contents == nullptr) {
|
2661
|
+
if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
2662
|
+
// Silently ignore because we expect the other QUIC codepoint.
|
2663
|
+
return true;
|
2664
|
+
}
|
2625
2665
|
if (!ssl->quic_method) {
|
2626
2666
|
return true;
|
2627
2667
|
}
|
2628
|
-
assert(ssl->quic_method);
|
2629
2668
|
*out_alert = SSL_AD_MISSING_EXTENSION;
|
2630
2669
|
return false;
|
2631
2670
|
}
|
2632
|
-
|
2633
|
-
|
2634
|
-
|
2635
|
-
}
|
2636
|
-
// QUIC requires TLS 1.3.
|
2671
|
+
// The extensions parser will check for unsolicited extensions before
|
2672
|
+
// calling the callback.
|
2673
|
+
assert(ssl->quic_method != nullptr);
|
2637
2674
|
assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
|
2638
|
-
|
2675
|
+
assert(used_legacy_codepoint == hs->config->quic_use_legacy_codepoint);
|
2639
2676
|
return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
|
2640
2677
|
}
|
2641
2678
|
|
2642
|
-
static bool
|
2679
|
+
static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
|
2643
2680
|
uint8_t *out_alert,
|
2644
2681
|
CBS *contents) {
|
2682
|
+
return ext_quic_transport_params_parse_serverhello_impl(
|
2683
|
+
hs, out_alert, contents, /*used_legacy_codepoint=*/false);
|
2684
|
+
}
|
2685
|
+
|
2686
|
+
static bool ext_quic_transport_params_parse_serverhello_legacy(
|
2687
|
+
SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) {
|
2688
|
+
return ext_quic_transport_params_parse_serverhello_impl(
|
2689
|
+
hs, out_alert, contents, /*used_legacy_codepoint=*/true);
|
2690
|
+
}
|
2691
|
+
|
2692
|
+
static bool ext_quic_transport_params_parse_clienthello_impl(
|
2693
|
+
SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents,
|
2694
|
+
bool used_legacy_codepoint) {
|
2645
2695
|
SSL *const ssl = hs->ssl;
|
2646
2696
|
if (!contents) {
|
2647
2697
|
if (!ssl->quic_method) {
|
@@ -2652,29 +2702,72 @@ static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
2652
2702
|
// for QUIC.
|
2653
2703
|
OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
|
2654
2704
|
*out_alert = SSL_AD_INTERNAL_ERROR;
|
2705
|
+
return false;
|
2706
|
+
}
|
2707
|
+
if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
2708
|
+
// Silently ignore because we expect the other QUIC codepoint.
|
2709
|
+
return true;
|
2655
2710
|
}
|
2656
2711
|
*out_alert = SSL_AD_MISSING_EXTENSION;
|
2657
2712
|
return false;
|
2658
2713
|
}
|
2659
2714
|
if (!ssl->quic_method) {
|
2715
|
+
if (used_legacy_codepoint) {
|
2716
|
+
// Ignore the legacy private-use codepoint because that could be sent
|
2717
|
+
// to mean something else than QUIC transport parameters.
|
2718
|
+
return true;
|
2719
|
+
}
|
2720
|
+
// Fail if we received the codepoint registered with IANA for QUIC
|
2721
|
+
// because that is not allowed outside of QUIC.
|
2660
2722
|
*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
|
2661
2723
|
return false;
|
2662
2724
|
}
|
2663
2725
|
assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
|
2726
|
+
if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
2727
|
+
// Silently ignore because we expect the other QUIC codepoint.
|
2728
|
+
return true;
|
2729
|
+
}
|
2664
2730
|
return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
|
2665
2731
|
}
|
2666
2732
|
|
2667
|
-
static bool
|
2668
|
-
|
2733
|
+
static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
|
2734
|
+
uint8_t *out_alert,
|
2735
|
+
CBS *contents) {
|
2736
|
+
return ext_quic_transport_params_parse_clienthello_impl(
|
2737
|
+
hs, out_alert, contents, /*used_legacy_codepoint=*/false);
|
2738
|
+
}
|
2739
|
+
|
2740
|
+
static bool ext_quic_transport_params_parse_clienthello_legacy(
|
2741
|
+
SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) {
|
2742
|
+
return ext_quic_transport_params_parse_clienthello_impl(
|
2743
|
+
hs, out_alert, contents, /*used_legacy_codepoint=*/true);
|
2744
|
+
}
|
2745
|
+
|
2746
|
+
static bool ext_quic_transport_params_add_serverhello_impl(
|
2747
|
+
SSL_HANDSHAKE *hs, CBB *out, bool use_legacy_codepoint) {
|
2748
|
+
if (hs->ssl->quic_method == nullptr && use_legacy_codepoint) {
|
2749
|
+
// Ignore the legacy private-use codepoint because that could be sent
|
2750
|
+
// to mean something else than QUIC transport parameters.
|
2751
|
+
return true;
|
2752
|
+
}
|
2669
2753
|
assert(hs->ssl->quic_method != nullptr);
|
2670
2754
|
if (hs->config->quic_transport_params.empty()) {
|
2671
2755
|
// Transport parameters must be set when using QUIC.
|
2672
2756
|
OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
|
2673
2757
|
return false;
|
2674
2758
|
}
|
2759
|
+
if (use_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
2760
|
+
// Do nothing, we'll send the other codepoint.
|
2761
|
+
return true;
|
2762
|
+
}
|
2763
|
+
|
2764
|
+
uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters;
|
2765
|
+
if (hs->config->quic_use_legacy_codepoint) {
|
2766
|
+
extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;
|
2767
|
+
}
|
2675
2768
|
|
2676
2769
|
CBB contents;
|
2677
|
-
if (!CBB_add_u16(out,
|
2770
|
+
if (!CBB_add_u16(out, extension_type) ||
|
2678
2771
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
2679
2772
|
!CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
|
2680
2773
|
hs->config->quic_transport_params.size()) ||
|
@@ -2685,12 +2778,25 @@ static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
|
|
2685
2778
|
return true;
|
2686
2779
|
}
|
2687
2780
|
|
2781
|
+
static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
|
2782
|
+
CBB *out) {
|
2783
|
+
return ext_quic_transport_params_add_serverhello_impl(
|
2784
|
+
hs, out, /*use_legacy_codepoint=*/false);
|
2785
|
+
}
|
2786
|
+
|
2787
|
+
static bool ext_quic_transport_params_add_serverhello_legacy(SSL_HANDSHAKE *hs,
|
2788
|
+
CBB *out) {
|
2789
|
+
return ext_quic_transport_params_add_serverhello_impl(
|
2790
|
+
hs, out, /*use_legacy_codepoint=*/true);
|
2791
|
+
}
|
2792
|
+
|
2688
2793
|
// Delegated credentials.
|
2689
2794
|
//
|
2690
2795
|
// https://tools.ietf.org/html/draft-ietf-tls-subcerts
|
2691
2796
|
|
2692
|
-
static bool ext_delegated_credential_add_clienthello(
|
2693
|
-
|
2797
|
+
static bool ext_delegated_credential_add_clienthello(
|
2798
|
+
const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,
|
2799
|
+
ssl_client_hello_type_t type) {
|
2694
2800
|
return true;
|
2695
2801
|
}
|
2696
2802
|
|
@@ -2719,7 +2825,9 @@ static bool ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
2719
2825
|
|
2720
2826
|
// Certificate compression
|
2721
2827
|
|
2722
|
-
static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out
|
2828
|
+
static bool cert_compression_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
2829
|
+
CBB *out_compressible,
|
2830
|
+
ssl_client_hello_type_t type) {
|
2723
2831
|
bool first = true;
|
2724
2832
|
CBB contents, algs;
|
2725
2833
|
|
@@ -2728,9 +2836,10 @@ static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2728
2836
|
continue;
|
2729
2837
|
}
|
2730
2838
|
|
2731
|
-
if (first &&
|
2732
|
-
|
2733
|
-
|
2839
|
+
if (first &&
|
2840
|
+
(!CBB_add_u16(out_compressible, TLSEXT_TYPE_cert_compression) ||
|
2841
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
2842
|
+
!CBB_add_u8_length_prefixed(&contents, &algs))) {
|
2734
2843
|
return false;
|
2735
2844
|
}
|
2736
2845
|
first = false;
|
@@ -2739,7 +2848,7 @@ static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2739
2848
|
}
|
2740
2849
|
}
|
2741
2850
|
|
2742
|
-
return first || CBB_flush(
|
2851
|
+
return first || CBB_flush(out_compressible);
|
2743
2852
|
}
|
2744
2853
|
|
2745
2854
|
static bool cert_compression_parse_serverhello(SSL_HANDSHAKE *hs,
|
@@ -2825,8 +2934,22 @@ static bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2825
2934
|
//
|
2826
2935
|
// https://tools.ietf.org/html/draft-vvv-tls-alps-01
|
2827
2936
|
|
2828
|
-
|
2829
|
-
|
2937
|
+
bool ssl_get_local_application_settings(const SSL_HANDSHAKE *hs,
|
2938
|
+
Span<const uint8_t> *out_settings,
|
2939
|
+
Span<const uint8_t> protocol) {
|
2940
|
+
for (const ALPSConfig &config : hs->config->alps_configs) {
|
2941
|
+
if (protocol == config.protocol) {
|
2942
|
+
*out_settings = config.settings;
|
2943
|
+
return true;
|
2944
|
+
}
|
2945
|
+
}
|
2946
|
+
return false;
|
2947
|
+
}
|
2948
|
+
|
2949
|
+
static bool ext_alps_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
2950
|
+
CBB *out_compressible,
|
2951
|
+
ssl_client_hello_type_t type) {
|
2952
|
+
const SSL *const ssl = hs->ssl;
|
2830
2953
|
if (// ALPS requires TLS 1.3.
|
2831
2954
|
hs->max_version < TLS1_3_VERSION ||
|
2832
2955
|
// Do not offer ALPS without ALPN.
|
@@ -2839,8 +2962,8 @@ static bool ext_alps_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2839
2962
|
}
|
2840
2963
|
|
2841
2964
|
CBB contents, proto_list, proto;
|
2842
|
-
if (!CBB_add_u16(
|
2843
|
-
!CBB_add_u16_length_prefixed(
|
2965
|
+
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_application_settings) ||
|
2966
|
+
!CBB_add_u16_length_prefixed(out_compressible, &contents) ||
|
2844
2967
|
!CBB_add_u16_length_prefixed(&contents, &proto_list)) {
|
2845
2968
|
return false;
|
2846
2969
|
}
|
@@ -2853,7 +2976,7 @@ static bool ext_alps_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2853
2976
|
}
|
2854
2977
|
}
|
2855
2978
|
|
2856
|
-
return CBB_flush(
|
2979
|
+
return CBB_flush(out_compressible);
|
2857
2980
|
}
|
2858
2981
|
|
2859
2982
|
static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
@@ -2964,15 +3087,20 @@ bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
2964
3087
|
static const struct tls_extension kExtensions[] = {
|
2965
3088
|
{
|
2966
3089
|
TLSEXT_TYPE_server_name,
|
2967
|
-
NULL,
|
2968
3090
|
ext_sni_add_clienthello,
|
2969
3091
|
ext_sni_parse_serverhello,
|
2970
3092
|
ext_sni_parse_clienthello,
|
2971
3093
|
ext_sni_add_serverhello,
|
2972
3094
|
},
|
3095
|
+
{
|
3096
|
+
TLSEXT_TYPE_encrypted_client_hello,
|
3097
|
+
ext_ech_add_clienthello,
|
3098
|
+
ext_ech_parse_serverhello,
|
3099
|
+
ext_ech_parse_clienthello,
|
3100
|
+
ext_ech_add_serverhello,
|
3101
|
+
},
|
2973
3102
|
{
|
2974
3103
|
TLSEXT_TYPE_extended_master_secret,
|
2975
|
-
NULL,
|
2976
3104
|
ext_ems_add_clienthello,
|
2977
3105
|
ext_ems_parse_serverhello,
|
2978
3106
|
ext_ems_parse_clienthello,
|
@@ -2980,7 +3108,6 @@ static const struct tls_extension kExtensions[] = {
|
|
2980
3108
|
},
|
2981
3109
|
{
|
2982
3110
|
TLSEXT_TYPE_renegotiate,
|
2983
|
-
NULL,
|
2984
3111
|
ext_ri_add_clienthello,
|
2985
3112
|
ext_ri_parse_serverhello,
|
2986
3113
|
ext_ri_parse_clienthello,
|
@@ -2988,7 +3115,6 @@ static const struct tls_extension kExtensions[] = {
|
|
2988
3115
|
},
|
2989
3116
|
{
|
2990
3117
|
TLSEXT_TYPE_supported_groups,
|
2991
|
-
NULL,
|
2992
3118
|
ext_supported_groups_add_clienthello,
|
2993
3119
|
ext_supported_groups_parse_serverhello,
|
2994
3120
|
ext_supported_groups_parse_clienthello,
|
@@ -2996,7 +3122,6 @@ static const struct tls_extension kExtensions[] = {
|
|
2996
3122
|
},
|
2997
3123
|
{
|
2998
3124
|
TLSEXT_TYPE_ec_point_formats,
|
2999
|
-
NULL,
|
3000
3125
|
ext_ec_point_add_clienthello,
|
3001
3126
|
ext_ec_point_parse_serverhello,
|
3002
3127
|
ext_ec_point_parse_clienthello,
|
@@ -3004,7 +3129,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3004
3129
|
},
|
3005
3130
|
{
|
3006
3131
|
TLSEXT_TYPE_session_ticket,
|
3007
|
-
NULL,
|
3008
3132
|
ext_ticket_add_clienthello,
|
3009
3133
|
ext_ticket_parse_serverhello,
|
3010
3134
|
// Ticket extension client parsing is handled in ssl_session.c
|
@@ -3013,7 +3137,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3013
3137
|
},
|
3014
3138
|
{
|
3015
3139
|
TLSEXT_TYPE_application_layer_protocol_negotiation,
|
3016
|
-
NULL,
|
3017
3140
|
ext_alpn_add_clienthello,
|
3018
3141
|
ext_alpn_parse_serverhello,
|
3019
3142
|
// ALPN is negotiated late in |ssl_negotiate_alpn|.
|
@@ -3022,7 +3145,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3022
3145
|
},
|
3023
3146
|
{
|
3024
3147
|
TLSEXT_TYPE_status_request,
|
3025
|
-
NULL,
|
3026
3148
|
ext_ocsp_add_clienthello,
|
3027
3149
|
ext_ocsp_parse_serverhello,
|
3028
3150
|
ext_ocsp_parse_clienthello,
|
@@ -3030,7 +3152,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3030
3152
|
},
|
3031
3153
|
{
|
3032
3154
|
TLSEXT_TYPE_signature_algorithms,
|
3033
|
-
NULL,
|
3034
3155
|
ext_sigalgs_add_clienthello,
|
3035
3156
|
forbid_parse_serverhello,
|
3036
3157
|
ext_sigalgs_parse_clienthello,
|
@@ -3038,7 +3159,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3038
3159
|
},
|
3039
3160
|
{
|
3040
3161
|
TLSEXT_TYPE_next_proto_neg,
|
3041
|
-
NULL,
|
3042
3162
|
ext_npn_add_clienthello,
|
3043
3163
|
ext_npn_parse_serverhello,
|
3044
3164
|
ext_npn_parse_clienthello,
|
@@ -3046,7 +3166,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3046
3166
|
},
|
3047
3167
|
{
|
3048
3168
|
TLSEXT_TYPE_certificate_timestamp,
|
3049
|
-
NULL,
|
3050
3169
|
ext_sct_add_clienthello,
|
3051
3170
|
ext_sct_parse_serverhello,
|
3052
3171
|
ext_sct_parse_clienthello,
|
@@ -3054,7 +3173,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3054
3173
|
},
|
3055
3174
|
{
|
3056
3175
|
TLSEXT_TYPE_channel_id,
|
3057
|
-
ext_channel_id_init,
|
3058
3176
|
ext_channel_id_add_clienthello,
|
3059
3177
|
ext_channel_id_parse_serverhello,
|
3060
3178
|
ext_channel_id_parse_clienthello,
|
@@ -3062,7 +3180,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3062
3180
|
},
|
3063
3181
|
{
|
3064
3182
|
TLSEXT_TYPE_srtp,
|
3065
|
-
ext_srtp_init,
|
3066
3183
|
ext_srtp_add_clienthello,
|
3067
3184
|
ext_srtp_parse_serverhello,
|
3068
3185
|
ext_srtp_parse_clienthello,
|
@@ -3070,7 +3187,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3070
3187
|
},
|
3071
3188
|
{
|
3072
3189
|
TLSEXT_TYPE_key_share,
|
3073
|
-
NULL,
|
3074
3190
|
ext_key_share_add_clienthello,
|
3075
3191
|
forbid_parse_serverhello,
|
3076
3192
|
ignore_parse_clienthello,
|
@@ -3078,7 +3194,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3078
3194
|
},
|
3079
3195
|
{
|
3080
3196
|
TLSEXT_TYPE_psk_key_exchange_modes,
|
3081
|
-
NULL,
|
3082
3197
|
ext_psk_key_exchange_modes_add_clienthello,
|
3083
3198
|
forbid_parse_serverhello,
|
3084
3199
|
ext_psk_key_exchange_modes_parse_clienthello,
|
@@ -3086,7 +3201,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3086
3201
|
},
|
3087
3202
|
{
|
3088
3203
|
TLSEXT_TYPE_early_data,
|
3089
|
-
NULL,
|
3090
3204
|
ext_early_data_add_clienthello,
|
3091
3205
|
ext_early_data_parse_serverhello,
|
3092
3206
|
ext_early_data_parse_clienthello,
|
@@ -3094,7 +3208,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3094
3208
|
},
|
3095
3209
|
{
|
3096
3210
|
TLSEXT_TYPE_supported_versions,
|
3097
|
-
NULL,
|
3098
3211
|
ext_supported_versions_add_clienthello,
|
3099
3212
|
forbid_parse_serverhello,
|
3100
3213
|
ignore_parse_clienthello,
|
@@ -3102,7 +3215,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3102
3215
|
},
|
3103
3216
|
{
|
3104
3217
|
TLSEXT_TYPE_cookie,
|
3105
|
-
NULL,
|
3106
3218
|
ext_cookie_add_clienthello,
|
3107
3219
|
forbid_parse_serverhello,
|
3108
3220
|
ignore_parse_clienthello,
|
@@ -3110,23 +3222,20 @@ static const struct tls_extension kExtensions[] = {
|
|
3110
3222
|
},
|
3111
3223
|
{
|
3112
3224
|
TLSEXT_TYPE_quic_transport_parameters,
|
3113
|
-
NULL,
|
3114
3225
|
ext_quic_transport_params_add_clienthello,
|
3115
3226
|
ext_quic_transport_params_parse_serverhello,
|
3116
3227
|
ext_quic_transport_params_parse_clienthello,
|
3117
3228
|
ext_quic_transport_params_add_serverhello,
|
3118
3229
|
},
|
3119
3230
|
{
|
3120
|
-
|
3121
|
-
|
3122
|
-
|
3123
|
-
|
3124
|
-
|
3125
|
-
ext_token_binding_add_serverhello,
|
3231
|
+
TLSEXT_TYPE_quic_transport_parameters_legacy,
|
3232
|
+
ext_quic_transport_params_add_clienthello_legacy,
|
3233
|
+
ext_quic_transport_params_parse_serverhello_legacy,
|
3234
|
+
ext_quic_transport_params_parse_clienthello_legacy,
|
3235
|
+
ext_quic_transport_params_add_serverhello_legacy,
|
3126
3236
|
},
|
3127
3237
|
{
|
3128
3238
|
TLSEXT_TYPE_cert_compression,
|
3129
|
-
NULL,
|
3130
3239
|
cert_compression_add_clienthello,
|
3131
3240
|
cert_compression_parse_serverhello,
|
3132
3241
|
cert_compression_parse_clienthello,
|
@@ -3134,7 +3243,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3134
3243
|
},
|
3135
3244
|
{
|
3136
3245
|
TLSEXT_TYPE_delegated_credential,
|
3137
|
-
NULL,
|
3138
3246
|
ext_delegated_credential_add_clienthello,
|
3139
3247
|
forbid_parse_serverhello,
|
3140
3248
|
ext_delegated_credential_parse_clienthello,
|
@@ -3142,7 +3250,6 @@ static const struct tls_extension kExtensions[] = {
|
|
3142
3250
|
},
|
3143
3251
|
{
|
3144
3252
|
TLSEXT_TYPE_application_settings,
|
3145
|
-
NULL,
|
3146
3253
|
ext_alps_add_clienthello,
|
3147
3254
|
ext_alps_parse_serverhello,
|
3148
3255
|
// ALPS is negotiated late in |ssl_negotiate_alpn|.
|
@@ -3160,6 +3267,30 @@ static_assert(kNumExtensions <=
|
|
3160
3267
|
sizeof(((SSL_HANDSHAKE *)NULL)->extensions.received) * 8,
|
3161
3268
|
"too many extensions for received bitset");
|
3162
3269
|
|
3270
|
+
bool ssl_setup_extension_permutation(SSL_HANDSHAKE *hs) {
|
3271
|
+
if (!hs->config->permute_extensions) {
|
3272
|
+
return true;
|
3273
|
+
}
|
3274
|
+
|
3275
|
+
static_assert(kNumExtensions <= UINT8_MAX,
|
3276
|
+
"extensions_permutation type is too small");
|
3277
|
+
uint32_t seeds[kNumExtensions - 1];
|
3278
|
+
Array<uint8_t> permutation;
|
3279
|
+
if (!RAND_bytes(reinterpret_cast<uint8_t *>(seeds), sizeof(seeds)) ||
|
3280
|
+
!permutation.Init(kNumExtensions)) {
|
3281
|
+
return false;
|
3282
|
+
}
|
3283
|
+
for (size_t i = 0; i < kNumExtensions; i++) {
|
3284
|
+
permutation[i] = i;
|
3285
|
+
}
|
3286
|
+
for (size_t i = kNumExtensions - 1; i > 0; i--) {
|
3287
|
+
// Set element |i| to a randomly-selected element 0 <= j <= i.
|
3288
|
+
std::swap(permutation[i], permutation[seeds[i - 1] % (i + 1)]);
|
3289
|
+
}
|
3290
|
+
hs->extension_permutation = std::move(permutation);
|
3291
|
+
return true;
|
3292
|
+
}
|
3293
|
+
|
3163
3294
|
static const struct tls_extension *tls_extension_find(uint32_t *out_index,
|
3164
3295
|
uint16_t value) {
|
3165
3296
|
unsigned i;
|
@@ -3173,8 +3304,137 @@ static const struct tls_extension *tls_extension_find(uint32_t *out_index,
|
|
3173
3304
|
return NULL;
|
3174
3305
|
}
|
3175
3306
|
|
3176
|
-
bool
|
3307
|
+
static bool add_padding_extension(CBB *cbb, uint16_t ext, size_t len) {
|
3308
|
+
CBB child;
|
3309
|
+
if (!CBB_add_u16(cbb, ext) || //
|
3310
|
+
!CBB_add_u16_length_prefixed(cbb, &child) ||
|
3311
|
+
!CBB_add_zeros(&child, len)) {
|
3312
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
3313
|
+
return false;
|
3314
|
+
}
|
3315
|
+
return CBB_flush(cbb);
|
3316
|
+
}
|
3317
|
+
|
3318
|
+
static bool ssl_add_clienthello_tlsext_inner(SSL_HANDSHAKE *hs, CBB *out,
|
3319
|
+
CBB *out_encoded,
|
3320
|
+
bool *out_needs_psk_binder) {
|
3321
|
+
// When writing ClientHelloInner, we construct the real and encoded
|
3322
|
+
// ClientHellos concurrently, to handle compression. Uncompressed extensions
|
3323
|
+
// are written to |extensions| and copied to |extensions_encoded|. Compressed
|
3324
|
+
// extensions are buffered in |compressed| and written to the end. (ECH can
|
3325
|
+
// only compress continguous extensions.)
|
3326
|
+
SSL *const ssl = hs->ssl;
|
3327
|
+
bssl::ScopedCBB compressed, outer_extensions;
|
3328
|
+
CBB extensions, extensions_encoded;
|
3329
|
+
if (!CBB_add_u16_length_prefixed(out, &extensions) ||
|
3330
|
+
!CBB_add_u16_length_prefixed(out_encoded, &extensions_encoded) ||
|
3331
|
+
!CBB_init(compressed.get(), 64) ||
|
3332
|
+
!CBB_init(outer_extensions.get(), 64)) {
|
3333
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
3334
|
+
return false;
|
3335
|
+
}
|
3336
|
+
|
3337
|
+
hs->inner_extensions_sent = 0;
|
3338
|
+
|
3339
|
+
if (ssl->ctx->grease_enabled) {
|
3340
|
+
// Add a fake empty extension. See RFC 8701. This always matches
|
3341
|
+
// |ssl_add_clienthello_tlsext|, so compress it.
|
3342
|
+
uint16_t grease_ext = ssl_get_grease_value(hs, ssl_grease_extension1);
|
3343
|
+
if (!add_padding_extension(compressed.get(), grease_ext, 0) ||
|
3344
|
+
!CBB_add_u16(outer_extensions.get(), grease_ext)) {
|
3345
|
+
return false;
|
3346
|
+
}
|
3347
|
+
}
|
3348
|
+
|
3349
|
+
for (size_t unpermuted = 0; unpermuted < kNumExtensions; unpermuted++) {
|
3350
|
+
size_t i = hs->extension_permutation.empty()
|
3351
|
+
? unpermuted
|
3352
|
+
: hs->extension_permutation[unpermuted];
|
3353
|
+
const size_t len_before = CBB_len(&extensions);
|
3354
|
+
const size_t len_compressed_before = CBB_len(compressed.get());
|
3355
|
+
if (!kExtensions[i].add_clienthello(hs, &extensions, compressed.get(),
|
3356
|
+
ssl_client_hello_inner)) {
|
3357
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
|
3358
|
+
ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
|
3359
|
+
return false;
|
3360
|
+
}
|
3361
|
+
|
3362
|
+
const size_t bytes_written = CBB_len(&extensions) - len_before;
|
3363
|
+
const size_t bytes_written_compressed =
|
3364
|
+
CBB_len(compressed.get()) - len_compressed_before;
|
3365
|
+
// The callback may write to at most one output.
|
3366
|
+
assert(bytes_written == 0 || bytes_written_compressed == 0);
|
3367
|
+
if (bytes_written != 0 || bytes_written_compressed != 0) {
|
3368
|
+
hs->inner_extensions_sent |= (1u << i);
|
3369
|
+
}
|
3370
|
+
// If compressed, update the running ech_outer_extensions extension.
|
3371
|
+
if (bytes_written_compressed != 0 &&
|
3372
|
+
!CBB_add_u16(outer_extensions.get(), kExtensions[i].value)) {
|
3373
|
+
return false;
|
3374
|
+
}
|
3375
|
+
}
|
3376
|
+
|
3377
|
+
if (ssl->ctx->grease_enabled) {
|
3378
|
+
// Add a fake non-empty extension. See RFC 8701. This always matches
|
3379
|
+
// |ssl_add_clienthello_tlsext|, so compress it.
|
3380
|
+
uint16_t grease_ext = ssl_get_grease_value(hs, ssl_grease_extension2);
|
3381
|
+
if (!add_padding_extension(compressed.get(), grease_ext, 1) ||
|
3382
|
+
!CBB_add_u16(outer_extensions.get(), grease_ext)) {
|
3383
|
+
return false;
|
3384
|
+
}
|
3385
|
+
}
|
3386
|
+
|
3387
|
+
// Uncompressed extensions are encoded as-is.
|
3388
|
+
if (!CBB_add_bytes(&extensions_encoded, CBB_data(&extensions),
|
3389
|
+
CBB_len(&extensions))) {
|
3390
|
+
return false;
|
3391
|
+
}
|
3392
|
+
|
3393
|
+
// Flush all the compressed extensions.
|
3394
|
+
if (CBB_len(compressed.get()) != 0) {
|
3395
|
+
CBB extension, child;
|
3396
|
+
// Copy them as-is in the real ClientHelloInner.
|
3397
|
+
if (!CBB_add_bytes(&extensions, CBB_data(compressed.get()),
|
3398
|
+
CBB_len(compressed.get())) ||
|
3399
|
+
// Replace with ech_outer_extensions in the encoded form.
|
3400
|
+
!CBB_add_u16(&extensions_encoded, TLSEXT_TYPE_ech_outer_extensions) ||
|
3401
|
+
!CBB_add_u16_length_prefixed(&extensions_encoded, &extension) ||
|
3402
|
+
!CBB_add_u8_length_prefixed(&extension, &child) ||
|
3403
|
+
!CBB_add_bytes(&child, CBB_data(outer_extensions.get()),
|
3404
|
+
CBB_len(outer_extensions.get())) ||
|
3405
|
+
!CBB_flush(&extensions_encoded)) {
|
3406
|
+
return false;
|
3407
|
+
}
|
3408
|
+
}
|
3409
|
+
|
3410
|
+
// The PSK extension must be last. It is never compressed. Note, if there is a
|
3411
|
+
// binder, the caller will need to update both ClientHelloInner and
|
3412
|
+
// EncodedClientHelloInner after computing it.
|
3413
|
+
const size_t len_before = CBB_len(&extensions);
|
3414
|
+
if (!ext_pre_shared_key_add_clienthello(hs, &extensions, out_needs_psk_binder,
|
3415
|
+
ssl_client_hello_inner) ||
|
3416
|
+
!CBB_add_bytes(&extensions_encoded, CBB_data(&extensions) + len_before,
|
3417
|
+
CBB_len(&extensions) - len_before) ||
|
3418
|
+
!CBB_flush(out) || //
|
3419
|
+
!CBB_flush(out_encoded)) {
|
3420
|
+
return false;
|
3421
|
+
}
|
3422
|
+
|
3423
|
+
return true;
|
3424
|
+
}
|
3425
|
+
|
3426
|
+
bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, CBB *out_encoded,
|
3427
|
+
bool *out_needs_psk_binder,
|
3428
|
+
ssl_client_hello_type_t type,
|
3177
3429
|
size_t header_len) {
|
3430
|
+
*out_needs_psk_binder = false;
|
3431
|
+
|
3432
|
+
if (type == ssl_client_hello_inner) {
|
3433
|
+
return ssl_add_clienthello_tlsext_inner(hs, out, out_encoded,
|
3434
|
+
out_needs_psk_binder);
|
3435
|
+
}
|
3436
|
+
|
3437
|
+
assert(out_encoded == nullptr); // Only ClientHelloInner needs two outputs.
|
3178
3438
|
SSL *const ssl = hs->ssl;
|
3179
3439
|
CBB extensions;
|
3180
3440
|
if (!CBB_add_u16_length_prefixed(out, &extensions)) {
|
@@ -3187,27 +3447,20 @@ bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out,
|
|
3187
3447
|
// important to reset this value.
|
3188
3448
|
hs->extensions.sent = 0;
|
3189
3449
|
|
3190
|
-
|
3191
|
-
|
3192
|
-
|
3193
|
-
|
3194
|
-
|
3195
|
-
|
3196
|
-
uint16_t grease_ext1 = 0;
|
3197
|
-
if (ssl->ctx->grease_enabled) {
|
3198
|
-
// Add a fake empty extension. See draft-davidben-tls-grease-01.
|
3199
|
-
grease_ext1 = ssl_get_grease_value(hs, ssl_grease_extension1);
|
3200
|
-
if (!CBB_add_u16(&extensions, grease_ext1) ||
|
3201
|
-
!CBB_add_u16(&extensions, 0 /* zero length */)) {
|
3202
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
3203
|
-
return false;
|
3204
|
-
}
|
3450
|
+
// Add a fake empty extension. See RFC 8701.
|
3451
|
+
if (ssl->ctx->grease_enabled &&
|
3452
|
+
!add_padding_extension(
|
3453
|
+
&extensions, ssl_get_grease_value(hs, ssl_grease_extension1), 0)) {
|
3454
|
+
return false;
|
3205
3455
|
}
|
3206
3456
|
|
3207
3457
|
bool last_was_empty = false;
|
3208
|
-
for (size_t
|
3458
|
+
for (size_t unpermuted = 0; unpermuted < kNumExtensions; unpermuted++) {
|
3459
|
+
size_t i = hs->extension_permutation.empty()
|
3460
|
+
? unpermuted
|
3461
|
+
: hs->extension_permutation[unpermuted];
|
3209
3462
|
const size_t len_before = CBB_len(&extensions);
|
3210
|
-
if (!kExtensions[i].add_clienthello(hs, &extensions)) {
|
3463
|
+
if (!kExtensions[i].add_clienthello(hs, &extensions, &extensions, type)) {
|
3211
3464
|
OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
|
3212
3465
|
ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
|
3213
3466
|
return false;
|
@@ -3223,29 +3476,22 @@ bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out,
|
|
3223
3476
|
}
|
3224
3477
|
|
3225
3478
|
if (ssl->ctx->grease_enabled) {
|
3226
|
-
// Add a fake non-empty extension. See
|
3227
|
-
|
3228
|
-
|
3229
|
-
// The two fake extensions must not have the same value. GREASE values are
|
3230
|
-
// of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
|
3231
|
-
// one.
|
3232
|
-
if (grease_ext1 == grease_ext2) {
|
3233
|
-
grease_ext2 ^= 0x1010;
|
3234
|
-
}
|
3235
|
-
|
3236
|
-
if (!CBB_add_u16(&extensions, grease_ext2) ||
|
3237
|
-
!CBB_add_u16(&extensions, 1 /* one byte length */) ||
|
3238
|
-
!CBB_add_u8(&extensions, 0 /* single zero byte as contents */)) {
|
3239
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
3479
|
+
// Add a fake non-empty extension. See RFC 8701.
|
3480
|
+
if (!add_padding_extension(
|
3481
|
+
&extensions, ssl_get_grease_value(hs, ssl_grease_extension2), 1)) {
|
3240
3482
|
return false;
|
3241
3483
|
}
|
3242
|
-
|
3243
3484
|
last_was_empty = false;
|
3244
3485
|
}
|
3245
3486
|
|
3246
|
-
|
3247
|
-
|
3248
|
-
|
3487
|
+
// In cleartext ClientHellos, we add the padding extension to work around
|
3488
|
+
// bugs. We also apply this padding to ClientHelloOuter, to keep the wire
|
3489
|
+
// images aligned.
|
3490
|
+
size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs, type);
|
3491
|
+
if (!SSL_is_dtls(ssl) && !ssl->quic_method &&
|
3492
|
+
!ssl->s3->used_hello_retry_request) {
|
3493
|
+
header_len +=
|
3494
|
+
SSL3_HM_HEADER_LENGTH + 2 + CBB_len(&extensions) + psk_extension_len;
|
3249
3495
|
size_t padding_len = 0;
|
3250
3496
|
|
3251
3497
|
// The final extension must be non-empty. WebSphere Application
|
@@ -3279,24 +3525,21 @@ bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out,
|
|
3279
3525
|
}
|
3280
3526
|
}
|
3281
3527
|
|
3282
|
-
if (padding_len != 0
|
3283
|
-
|
3284
|
-
|
3285
|
-
!CBB_add_u16(&extensions, padding_len) ||
|
3286
|
-
!CBB_add_space(&extensions, &padding_bytes, padding_len)) {
|
3287
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
3288
|
-
return false;
|
3289
|
-
}
|
3290
|
-
|
3291
|
-
OPENSSL_memset(padding_bytes, 0, padding_len);
|
3528
|
+
if (padding_len != 0 &&
|
3529
|
+
!add_padding_extension(&extensions, TLSEXT_TYPE_padding, padding_len)) {
|
3530
|
+
return false;
|
3292
3531
|
}
|
3293
3532
|
}
|
3294
3533
|
|
3295
3534
|
// The PSK extension must be last, including after the padding.
|
3296
|
-
|
3535
|
+
const size_t len_before = CBB_len(&extensions);
|
3536
|
+
if (!ext_pre_shared_key_add_clienthello(hs, &extensions, out_needs_psk_binder,
|
3537
|
+
type)) {
|
3297
3538
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
3298
3539
|
return false;
|
3299
3540
|
}
|
3541
|
+
assert(psk_extension_len == CBB_len(&extensions) - len_before);
|
3542
|
+
(void)len_before; // |assert| is omitted in release builds.
|
3300
3543
|
|
3301
3544
|
// Discard empty extensions blocks.
|
3302
3545
|
if (CBB_len(&extensions) == 0) {
|
@@ -3342,12 +3585,6 @@ err:
|
|
3342
3585
|
static bool ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
|
3343
3586
|
const SSL_CLIENT_HELLO *client_hello,
|
3344
3587
|
int *out_alert) {
|
3345
|
-
for (size_t i = 0; i < kNumExtensions; i++) {
|
3346
|
-
if (kExtensions[i].init != NULL) {
|
3347
|
-
kExtensions[i].init(hs);
|
3348
|
-
}
|
3349
|
-
}
|
3350
|
-
|
3351
3588
|
hs->extensions.received = 0;
|
3352
3589
|
CBS extensions;
|
3353
3590
|
CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
|
@@ -3428,18 +3665,10 @@ bool ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,
|
|
3428
3665
|
return true;
|
3429
3666
|
}
|
3430
3667
|
|
3431
|
-
static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
|
3668
|
+
static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, const CBS *cbs,
|
3432
3669
|
int *out_alert) {
|
3433
|
-
|
3434
|
-
|
3435
|
-
if (CBS_len(cbs) == 0 && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
|
3436
|
-
return true;
|
3437
|
-
}
|
3438
|
-
|
3439
|
-
// Decode the extensions block and check it is valid.
|
3440
|
-
CBS extensions;
|
3441
|
-
if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
|
3442
|
-
!tls1_check_duplicate_extensions(&extensions)) {
|
3670
|
+
CBS extensions = *cbs;
|
3671
|
+
if (!tls1_check_duplicate_extensions(&extensions)) {
|
3443
3672
|
*out_alert = SSL_AD_DECODE_ERROR;
|
3444
3673
|
return false;
|
3445
3674
|
}
|
@@ -3508,18 +3737,8 @@ static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
|
|
3508
3737
|
|
3509
3738
|
static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
|
3510
3739
|
SSL *const ssl = hs->ssl;
|
3511
|
-
|
3512
|
-
if (ssl->s3->token_binding_negotiated &&
|
3513
|
-
!(SSL_get_secure_renegotiation_support(ssl) &&
|
3514
|
-
SSL_get_extms_support(ssl))) {
|
3515
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI);
|
3516
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
|
3517
|
-
return false;
|
3518
|
-
}
|
3519
|
-
|
3520
3740
|
int ret = SSL_TLSEXT_ERR_NOACK;
|
3521
3741
|
int al = SSL_AD_UNRECOGNIZED_NAME;
|
3522
|
-
|
3523
3742
|
if (ssl->ctx->servername_callback != 0) {
|
3524
3743
|
ret = ssl->ctx->servername_callback(ssl, &al, ssl->ctx->servername_arg);
|
3525
3744
|
} else if (ssl->session_ctx->servername_callback != 0) {
|
@@ -3571,7 +3790,7 @@ static bool ssl_check_serverhello_tlsext(SSL_HANDSHAKE *hs) {
|
|
3571
3790
|
return true;
|
3572
3791
|
}
|
3573
3792
|
|
3574
|
-
bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs) {
|
3793
|
+
bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, const CBS *cbs) {
|
3575
3794
|
SSL *const ssl = hs->ssl;
|
3576
3795
|
int alert = SSL_AD_DECODE_ERROR;
|
3577
3796
|
if (!ssl_scan_serverhello_tlsext(hs, cbs, &alert)) {
|
@@ -3599,8 +3818,8 @@ static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx(
|
|
3599
3818
|
return ssl_ticket_aead_ignore_ticket;
|
3600
3819
|
}
|
3601
3820
|
// Split the ticket into the ticket and the MAC.
|
3602
|
-
auto ticket_mac = ticket.
|
3603
|
-
ticket = ticket.
|
3821
|
+
auto ticket_mac = ticket.last(mac_len);
|
3822
|
+
ticket = ticket.first(ticket.size() - mac_len);
|
3604
3823
|
HMAC_Update(hmac_ctx, ticket.data(), ticket.size());
|
3605
3824
|
HMAC_Final(hmac_ctx, mac, NULL);
|
3606
3825
|
assert(mac_len == ticket_mac.size());
|
@@ -3734,6 +3953,7 @@ enum ssl_ticket_aead_result_t ssl_process_ticket(
|
|
3734
3953
|
SSL_HANDSHAKE *hs, UniquePtr<SSL_SESSION> *out_session,
|
3735
3954
|
bool *out_renew_ticket, Span<const uint8_t> ticket,
|
3736
3955
|
Span<const uint8_t> session_id) {
|
3956
|
+
SSL *const ssl = hs->ssl;
|
3737
3957
|
*out_renew_ticket = false;
|
3738
3958
|
out_session->reset();
|
3739
3959
|
|
@@ -3742,9 +3962,21 @@ enum ssl_ticket_aead_result_t ssl_process_ticket(
|
|
3742
3962
|
return ssl_ticket_aead_ignore_ticket;
|
3743
3963
|
}
|
3744
3964
|
|
3965
|
+
// Tickets in TLS 1.3 are tied into pre-shared keys (PSKs), unlike in TLS 1.2
|
3966
|
+
// where that concept doesn't exist. The |decrypted_psk| and |ignore_psk|
|
3967
|
+
// hints only apply to PSKs. We check the version to determine which this is.
|
3968
|
+
const bool is_psk = ssl_protocol_version(ssl) >= TLS1_3_VERSION;
|
3969
|
+
|
3745
3970
|
Array<uint8_t> plaintext;
|
3746
3971
|
enum ssl_ticket_aead_result_t result;
|
3747
|
-
|
3972
|
+
SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
|
3973
|
+
if (is_psk && hints && !hs->hints_requested &&
|
3974
|
+
!hints->decrypted_psk.empty()) {
|
3975
|
+
result = plaintext.CopyFrom(hints->decrypted_psk) ? ssl_ticket_aead_success
|
3976
|
+
: ssl_ticket_aead_error;
|
3977
|
+
} else if (is_psk && hints && !hs->hints_requested && hints->ignore_psk) {
|
3978
|
+
result = ssl_ticket_aead_ignore_ticket;
|
3979
|
+
} else if (ssl->session_ctx->ticket_aead_method != NULL) {
|
3748
3980
|
result = ssl_decrypt_ticket_with_method(hs, &plaintext, out_renew_ticket,
|
3749
3981
|
ticket);
|
3750
3982
|
} else {
|
@@ -3753,9 +3985,8 @@ enum ssl_ticket_aead_result_t ssl_process_ticket(
|
|
3753
3985
|
// length should be well under the minimum size for the session material and
|
3754
3986
|
// HMAC.
|
3755
3987
|
if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
|
3756
|
-
|
3757
|
-
}
|
3758
|
-
if (hs->ssl->session_ctx->ticket_key_cb != NULL) {
|
3988
|
+
result = ssl_ticket_aead_ignore_ticket;
|
3989
|
+
} else if (ssl->session_ctx->ticket_key_cb != NULL) {
|
3759
3990
|
result =
|
3760
3991
|
ssl_decrypt_ticket_with_cb(hs, &plaintext, out_renew_ticket, ticket);
|
3761
3992
|
} else {
|
@@ -3763,22 +3994,33 @@ enum ssl_ticket_aead_result_t ssl_process_ticket(
|
|
3763
3994
|
}
|
3764
3995
|
}
|
3765
3996
|
|
3997
|
+
if (is_psk && hints && hs->hints_requested) {
|
3998
|
+
if (result == ssl_ticket_aead_ignore_ticket) {
|
3999
|
+
hints->ignore_psk = true;
|
4000
|
+
} else if (result == ssl_ticket_aead_success &&
|
4001
|
+
!hints->decrypted_psk.CopyFrom(plaintext)) {
|
4002
|
+
return ssl_ticket_aead_error;
|
4003
|
+
}
|
4004
|
+
}
|
4005
|
+
|
3766
4006
|
if (result != ssl_ticket_aead_success) {
|
3767
4007
|
return result;
|
3768
4008
|
}
|
3769
4009
|
|
3770
4010
|
// Decode the session.
|
3771
4011
|
UniquePtr<SSL_SESSION> session(SSL_SESSION_from_bytes(
|
3772
|
-
plaintext.data(), plaintext.size(),
|
4012
|
+
plaintext.data(), plaintext.size(), ssl->ctx.get()));
|
3773
4013
|
if (!session) {
|
3774
4014
|
ERR_clear_error(); // Don't leave an error on the queue.
|
3775
4015
|
return ssl_ticket_aead_ignore_ticket;
|
3776
4016
|
}
|
3777
4017
|
|
3778
|
-
//
|
3779
|
-
//
|
3780
|
-
|
3781
|
-
|
4018
|
+
// Envoy's tests expect the session to have a session ID that matches the
|
4019
|
+
// placeholder used by the client. It's unclear whether this is a good idea,
|
4020
|
+
// but we maintain it for now.
|
4021
|
+
SHA256(ticket.data(), ticket.size(), session->session_id);
|
4022
|
+
// Other consumers may expect a non-empty session ID to indicate resumption.
|
4023
|
+
session->session_id_length = SHA256_DIGEST_LENGTH;
|
3782
4024
|
|
3783
4025
|
*out_session = std::move(session);
|
3784
4026
|
return ssl_ticket_aead_success;
|
@@ -3926,11 +4168,11 @@ bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
|
|
3926
4168
|
if (!sig_ok) {
|
3927
4169
|
OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
|
3928
4170
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
|
3929
|
-
ssl->s3->channel_id_valid = false;
|
3930
4171
|
return false;
|
3931
4172
|
}
|
3932
4173
|
|
3933
4174
|
OPENSSL_memcpy(ssl->s3->channel_id, p, 64);
|
4175
|
+
ssl->s3->channel_id_valid = true;
|
3934
4176
|
return true;
|
3935
4177
|
}
|
3936
4178
|
|
@@ -4041,23 +4283,6 @@ bool tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
|
|
4041
4283
|
return true;
|
4042
4284
|
}
|
4043
4285
|
|
4044
|
-
bool ssl_do_channel_id_callback(SSL_HANDSHAKE *hs) {
|
4045
|
-
if (hs->config->channel_id_private != NULL ||
|
4046
|
-
hs->ssl->ctx->channel_id_cb == NULL) {
|
4047
|
-
return true;
|
4048
|
-
}
|
4049
|
-
|
4050
|
-
EVP_PKEY *key = NULL;
|
4051
|
-
hs->ssl->ctx->channel_id_cb(hs->ssl, &key);
|
4052
|
-
if (key == NULL) {
|
4053
|
-
// The caller should try again later.
|
4054
|
-
return true;
|
4055
|
-
}
|
4056
|
-
|
4057
|
-
UniquePtr<EVP_PKEY> free_key(key);
|
4058
|
-
return SSL_set1_tls_channel_id(hs->ssl, key);
|
4059
|
-
}
|
4060
|
-
|
4061
4286
|
bool ssl_is_sct_list_valid(const CBS *contents) {
|
4062
4287
|
// Shallow parse the SCT list for sanity. By the RFC
|
4063
4288
|
// (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
|