grpc 1.35.0.pre1 → 1.37.1
- checksums.yaml +4 -4
- data/Makefile +121 -89
- data/include/grpc/grpc.h +15 -1
- data/include/grpc/grpc_security.h +16 -11
- data/include/grpc/impl/codegen/port_platform.h +2 -0
- data/src/core/ext/filters/client_channel/client_channel.cc +359 -331
- data/src/core/ext/filters/client_channel/client_channel.h +0 -2
- data/src/core/ext/filters/client_channel/client_channel_factory.h +2 -1
- data/src/core/ext/filters/client_channel/config_selector.h +9 -1
- data/src/core/ext/filters/client_channel/dynamic_filters.cc +9 -4
- data/src/core/ext/filters/client_channel/global_subchannel_pool.cc +24 -142
- data/src/core/ext/filters/client_channel/global_subchannel_pool.h +15 -10
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +2 -2
- data/src/core/ext/filters/client_channel/lb_policy.cc +3 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +3 -5
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +8 -6
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +23 -0
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +27 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +289 -170
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h +5 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -25
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +232 -110
- data/src/core/ext/filters/client_channel/local_subchannel_pool.cc +27 -67
- data/src/core/ext/filters/client_channel/local_subchannel_pool.h +10 -9
- data/src/core/ext/filters/client_channel/resolver.cc +5 -5
- data/src/core/ext/filters/client_channel/resolver.h +1 -12
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +36 -45
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +3 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +34 -50
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +16 -14
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +18 -15
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +377 -0
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +307 -155
- data/src/core/ext/filters/client_channel/server_address.cc +9 -0
- data/src/core/ext/filters/client_channel/server_address.h +31 -0
- data/src/core/ext/filters/client_channel/subchannel.cc +69 -146
- data/src/core/ext/filters/client_channel/subchannel.h +63 -95
- data/src/core/ext/filters/client_channel/subchannel_pool_interface.cc +16 -2
- data/src/core/ext/filters/client_channel/subchannel_pool_interface.h +10 -8
- data/src/core/ext/filters/client_idle/client_idle_filter.cc +1 -1
- data/src/core/ext/filters/fault_injection/fault_injection_filter.cc +500 -0
- data/src/core/ext/filters/fault_injection/fault_injection_filter.h +39 -0
- data/src/core/ext/filters/fault_injection/service_config_parser.cc +189 -0
- data/src/core/ext/filters/fault_injection/service_config_parser.h +85 -0
- data/src/core/ext/filters/max_age/max_age_filter.cc +35 -32
- data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +1 -1
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +2 -2
- data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +3 -2
- data/src/core/ext/transport/chttp2/client/insecure/channel_create_posix.cc +1 -1
- data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +3 -2
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +490 -178
- data/src/core/ext/transport/chttp2/server/chttp2_server.h +11 -2
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +11 -1
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +1 -1
- data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +62 -18
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +39 -7
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +12 -1
- data/src/core/ext/transport/chttp2/transport/frame_data.cc +5 -1
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +1 -1
- data/src/core/ext/transport/chttp2/transport/internal.h +1 -0
- data/src/core/ext/upb-generated/envoy/admin/v3/config_dump.upb.c +406 -0
- data/src/core/ext/upb-generated/envoy/admin/v3/config_dump.upb.h +1459 -0
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +350 -0
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +1348 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +11 -16
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +42 -59
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.c +3 -2
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.h +15 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +25 -1
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +75 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.c +2 -2
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h +9 -9
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c +7 -7
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.h +28 -13
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +6 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +25 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +11 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.h +41 -7
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -21
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +122 -77
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +13 -9
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +37 -5
- data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/metrics/v3/stats.upb.c +144 -0
- data/src/core/ext/upb-generated/envoy/config/metrics/v3/stats.upb.h +488 -0
- data/src/core/ext/upb-generated/envoy/config/overload/v3/overload.upb.c +141 -0
- data/src/core/ext/upb-generated/envoy/config/overload/v3/overload.upb.h +452 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +11 -9
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +44 -27
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +57 -16
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +150 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c +29 -0
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h +67 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c +79 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h +268 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c +78 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h +281 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c +41 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h +113 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +19 -21
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +64 -51
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +16 -13
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +50 -18
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.c +4 -7
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.h +0 -17
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.c +30 -23
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.h +85 -73
- data/src/core/ext/upb-generated/envoy/service/endpoint/v3/eds.upb.c +0 -3
- data/src/core/ext/upb-generated/envoy/service/listener/v3/lds.upb.c +0 -3
- data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/service/route/v3/rds.upb.c +0 -2
- data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.c +93 -0
- data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.h +323 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/node.upb.c +36 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/node.upb.h +90 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/struct.upb.c +46 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/struct.upb.h +124 -0
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.c +21 -4
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h +29 -0
- data/src/core/ext/upb-generated/udpa/type/v1/typed_struct.upb.c +33 -0
- data/src/core/ext/upb-generated/udpa/type/v1/typed_struct.upb.h +77 -0
- data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/authority.upb.c +5 -5
- data/src/core/ext/upb-generated/xds/core/v3/authority.upb.h +60 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.c +52 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.h +143 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.c +42 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.h +84 -0
- data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/resource.upb.c +9 -9
- data/src/core/ext/upb-generated/xds/core/v3/resource.upb.h +94 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.c +54 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.h +166 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.c +36 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.h +85 -0
- data/src/core/ext/upbdefs-generated/envoy/admin/v3/config_dump.upbdefs.c +354 -0
- data/src/core/ext/upbdefs-generated/envoy/admin/v3/config_dump.upbdefs.h +140 -0
- data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.c +168 -171
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +383 -0
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.h +115 -0
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +405 -420
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.h +2 -2
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/outlier_detection.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +177 -171
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +10 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.c +88 -88
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.c +153 -153
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +10 -7
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +4 -7
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.c +33 -20
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint.upbdefs.c +56 -59
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +116 -111
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.c +129 -121
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c +21 -24
- data/src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c +141 -0
- data/src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h +70 -0
- data/src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c +141 -0
- data/src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h +70 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c +17 -13
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +753 -724
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +10 -0
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/http_tracer.upbdefs.c +22 -25
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c +51 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.c +102 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h +55 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c +120 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h +45 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c +76 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +371 -377
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c +12 -16
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.c +112 -108
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/secret.upbdefs.c +45 -53
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +177 -180
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.c +92 -102
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/service/endpoint/v3/eds.upbdefs.c +32 -42
- data/src/core/ext/upbdefs-generated/envoy/service/listener/v3/lds.upbdefs.c +30 -40
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +4 -7
- data/src/core/ext/upbdefs-generated/envoy/service/route/v3/rds.upbdefs.c +38 -44
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +130 -0
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.h +50 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/node.upbdefs.c +56 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/node.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/string.upbdefs.c +30 -33
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/struct.upbdefs.c +63 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/struct.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c +8 -7
- data/src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.c +9 -9
- data/src/core/ext/upbdefs-generated/google/protobuf/duration.upbdefs.c +9 -8
- data/src/core/ext/upbdefs-generated/google/protobuf/empty.upbdefs.c +8 -8
- data/src/core/ext/upbdefs-generated/google/protobuf/struct.upbdefs.c +8 -8
- data/src/core/ext/upbdefs-generated/google/protobuf/timestamp.upbdefs.c +9 -8
- data/src/core/ext/upbdefs-generated/google/protobuf/wrappers.upbdefs.c +8 -8
- data/src/core/ext/upbdefs-generated/udpa/type/v1/typed_struct.upbdefs.c +44 -0
- data/src/core/ext/upbdefs-generated/udpa/type/v1/typed_struct.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.c +14 -11
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.c +42 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.c +62 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.c +45 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.c +49 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.c +67 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.c +50 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.h +35 -0
- data/src/core/ext/xds/xds_api.cc +2149 -666
- data/src/core/ext/xds/xds_api.h +321 -119
- data/src/core/ext/xds/xds_bootstrap.cc +80 -45
- data/src/core/ext/xds/xds_bootstrap.h +17 -5
- data/src/core/ext/xds/xds_certificate_provider.cc +180 -74
- data/src/core/ext/xds/xds_certificate_provider.h +83 -44
- data/src/core/ext/xds/xds_client.cc +181 -34
- data/src/core/ext/xds/xds_client.h +29 -0
- data/src/core/ext/xds/xds_client_stats.cc +2 -1
- data/src/core/ext/xds/xds_client_stats.h +2 -2
- data/src/core/ext/xds/xds_http_fault_filter.cc +226 -0
- data/src/core/ext/xds/xds_http_fault_filter.h +63 -0
- data/src/core/ext/xds/xds_http_filters.cc +114 -0
- data/src/core/ext/xds/xds_http_filters.h +130 -0
- data/src/core/ext/xds/xds_server_config_fetcher.cc +425 -24
- data/src/core/lib/channel/channel_stack.cc +12 -0
- data/src/core/lib/channel/channel_stack.h +7 -0
- data/src/core/lib/channel/channelz.cc +92 -4
- data/src/core/lib/channel/channelz.h +30 -1
- data/src/core/lib/channel/channelz_registry.cc +14 -0
- data/src/core/lib/channel/handshaker.cc +2 -44
- data/src/core/lib/channel/handshaker.h +1 -18
- data/src/core/lib/channel/status_util.cc +12 -2
- data/src/core/lib/channel/status_util.h +5 -0
- data/src/core/lib/gpr/log.cc +6 -1
- data/src/core/lib/gpr/sync_abseil.cc +3 -6
- data/src/core/lib/gpr/sync_windows.cc +2 -2
- data/src/core/lib/gprpp/atomic.h +3 -3
- data/src/core/lib/gprpp/dual_ref_counted.h +3 -3
- data/src/core/lib/gprpp/mpscq.cc +2 -2
- data/src/core/lib/gprpp/ref_counted.h +1 -1
- data/src/core/lib/gprpp/ref_counted_ptr.h +2 -0
- data/src/core/lib/gprpp/sync.h +129 -40
- data/src/core/lib/gprpp/thd.h +1 -1
- data/src/core/lib/gprpp/time_util.cc +77 -0
- data/src/core/lib/gprpp/time_util.h +42 -0
- data/src/core/lib/http/httpcli_security_connector.cc +2 -2
- data/src/core/lib/iomgr/buffer_list.h +1 -1
- data/src/core/lib/iomgr/cfstream_handle.cc +2 -2
- data/src/core/lib/iomgr/error.h +1 -1
- data/src/core/lib/iomgr/ev_apple.cc +11 -8
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +3 -3
- data/src/core/lib/iomgr/ev_epollex_linux.cc +4 -4
- data/src/core/lib/iomgr/ev_posix.cc +3 -3
- data/src/core/lib/iomgr/exec_ctx.cc +6 -2
- data/src/core/lib/iomgr/iomgr_posix.cc +0 -1
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +0 -1
- data/src/core/lib/iomgr/resource_quota.cc +1 -1
- data/src/core/lib/iomgr/sockaddr_utils.cc +121 -1
- data/src/core/lib/iomgr/sockaddr_utils.h +25 -0
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +1 -0
- data/src/core/lib/iomgr/tcp_client_posix.cc +1 -1
- data/src/core/lib/iomgr/tcp_posix.cc +5 -8
- data/src/core/lib/iomgr/tcp_uv.cc +2 -2
- data/src/core/lib/iomgr/timer_generic.cc +2 -2
- data/src/core/lib/iomgr/timer_manager.cc +1 -1
- data/src/core/lib/iomgr/wakeup_fd_nospecial.cc +1 -1
- data/src/core/lib/matchers/matchers.cc +339 -0
- data/src/core/lib/matchers/matchers.h +160 -0
- data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -1
- data/src/core/lib/security/credentials/alts/alts_credentials.h +1 -1
- data/src/core/lib/security/credentials/credentials.h +2 -1
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +2 -2
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +1 -1
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +7 -6
- data/src/core/lib/security/credentials/insecure/insecure_credentials.cc +2 -2
- data/src/core/lib/security/credentials/jwt/json_token.cc +0 -3
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +0 -3
- data/src/core/lib/security/credentials/local/local_credentials.cc +2 -1
- data/src/core/lib/security/credentials/local/local_credentials.h +1 -1
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +2 -1
- data/src/core/lib/security/credentials/ssl/ssl_credentials.h +1 -1
- data/src/core/lib/security/credentials/tls/tls_credentials.cc +2 -1
- data/src/core/lib/security/credentials/tls/tls_credentials.h +1 -1
- data/src/core/lib/security/credentials/xds/xds_credentials.cc +128 -59
- data/src/core/lib/security/credentials/xds/xds_credentials.h +3 -3
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +5 -5
- data/src/core/lib/security/security_connector/ssl_utils.cc +9 -4
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +32 -14
- data/src/core/lib/security/transport/security_handshaker.cc +33 -5
- data/src/core/lib/security/transport/server_auth_filter.cc +7 -0
- data/src/core/lib/slice/slice_intern.cc +5 -6
- data/src/core/lib/surface/channel.h +3 -3
- data/src/core/lib/surface/completion_queue.cc +1 -1
- data/src/core/lib/surface/init.cc +13 -15
- data/src/core/lib/surface/lame_client.cc +38 -19
- data/src/core/lib/surface/lame_client.h +4 -3
- data/src/core/lib/surface/server.cc +43 -36
- data/src/core/lib/surface/server.h +76 -14
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/metadata.cc +6 -2
- data/src/core/lib/transport/metadata_batch.cc +27 -0
- data/src/core/lib/transport/metadata_batch.h +14 -0
- data/src/core/plugin_registry/grpc_plugin_registry.cc +12 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +18 -24
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +16 -21
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.h +1 -1
- data/src/core/tsi/alts/handshaker/transport_security_common_api.cc +1 -3
- data/src/core/tsi/fake_transport_security.cc +11 -2
- data/src/core/tsi/ssl/session_cache/ssl_session.h +0 -3
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +0 -2
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +2 -4
- data/src/core/tsi/ssl_transport_security.cc +0 -3
- data/src/core/tsi/ssl_transport_security.h +0 -3
- data/src/ruby/ext/grpc/extconf.rb +9 -1
- data/src/ruby/ext/grpc/rb_channel.c +10 -1
- data/src/ruby/ext/grpc/rb_channel_credentials.c +11 -1
- data/src/ruby/ext/grpc/rb_channel_credentials.h +4 -0
- data/src/ruby/ext/grpc/rb_compression_options.c +1 -1
- data/src/ruby/ext/grpc/rb_enable_cpp.cc +1 -1
- data/src/ruby/ext/grpc/rb_grpc.c +4 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +2 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +4 -1
- data/src/ruby/ext/grpc/rb_server.c +13 -1
- data/src/ruby/ext/grpc/rb_server_credentials.c +19 -3
- data/src/ruby/ext/grpc/rb_server_credentials.h +4 -0
- data/src/ruby/ext/grpc/rb_xds_channel_credentials.c +215 -0
- data/src/ruby/ext/grpc/rb_xds_channel_credentials.h +35 -0
- data/src/ruby/ext/grpc/rb_xds_server_credentials.c +169 -0
- data/src/ruby/ext/grpc/rb_xds_server_credentials.h +35 -0
- data/src/ruby/lib/grpc/generic/client_stub.rb +4 -2
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +7 -0
- data/src/ruby/spec/call_spec.rb +1 -1
- data/src/ruby/spec/channel_credentials_spec.rb +32 -0
- data/src/ruby/spec/channel_spec.rb +17 -6
- data/src/ruby/spec/client_auth_spec.rb +27 -1
- data/src/ruby/spec/errors_spec.rb +1 -1
- data/src/ruby/spec/generic/active_call_spec.rb +2 -2
- data/src/ruby/spec/generic/client_stub_spec.rb +4 -4
- data/src/ruby/spec/generic/rpc_server_spec.rb +1 -1
- data/src/ruby/spec/server_credentials_spec.rb +25 -0
- data/src/ruby/spec/server_spec.rb +22 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/graphcycles.cc +1 -0
- data/third_party/boringssl-with-bazel/err_data.c +715 -713
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +3 -10
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +15 -14
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_locl.h +30 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +28 -79
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +39 -85
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +5 -16
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +10 -61
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +158 -0
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/bn_asn1.c +3 -10
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +8 -9
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +60 -45
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +6 -81
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +87 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu-aarch64-win.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu-arm-linux.c +11 -2
- data/third_party/boringssl-with-bazel/src/crypto/cpu-arm.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/dh_asn1.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/params.c +179 -0
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +2 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +3 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +13 -20
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +9 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +21 -13
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/check.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/dh.c +136 -213
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +12 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +9 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +28 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +135 -43
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +0 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +51 -32
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +147 -0
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +18 -29
- data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +13 -4
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +10 -7
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +13 -11
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +34 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +7 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +5 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +1 -29
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +10 -7
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_r2x.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +29 -23
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +22 -17
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +39 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +11 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +25 -25
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +40 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +25 -36
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +6 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +652 -545
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +0 -167
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +10 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +62 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +22 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +19 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +22 -32
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +56 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +15 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +12 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +3 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +2 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +67 -33
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +27 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +287 -99
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +139 -36
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +4 -3
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +11 -20
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +10 -5
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +37 -16
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +0 -1
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +7 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +20 -14
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +7 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +5 -7
- data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +362 -50
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +48 -15
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +66 -24
- data/third_party/xxhash/xxhash.h +5443 -0
- metadata +140 -84
- data/src/core/ext/upb-generated/udpa/core/v1/authority.upb.h +0 -60
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.c +0 -52
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.h +0 -143
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.c +0 -42
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.h +0 -84
- data/src/core/ext/upb-generated/udpa/core/v1/resource.upb.h +0 -94
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.c +0 -54
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.h +0 -173
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.c +0 -36
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.h +0 -92
- data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.c +0 -42
- data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.h +0 -35
- data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.c +0 -62
- data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.c +0 -45
- data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.c +0 -49
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.h +0 -35
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.c +0 -68
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c +0 -51
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.h +0 -35
- data/src/core/lib/iomgr/iomgr_posix.h +0 -26
- data/src/core/lib/security/authorization/authorization_engine.cc +0 -177
- data/src/core/lib/security/authorization/authorization_engine.h +0 -84
- data/src/core/lib/security/authorization/evaluate_args.cc +0 -148
- data/src/core/lib/security/authorization/evaluate_args.h +0 -59
- data/src/core/lib/security/authorization/mock_cel/activation.h +0 -57
- data/src/core/lib/security/authorization/mock_cel/cel_expr_builder_factory.h +0 -44
- data/src/core/lib/security/authorization/mock_cel/cel_expression.h +0 -69
- data/src/core/lib/security/authorization/mock_cel/cel_value.h +0 -97
- data/src/core/lib/security/authorization/mock_cel/evaluator_core.h +0 -67
- data/src/core/lib/security/authorization/mock_cel/flat_expr_builder.h +0 -57
- data/third_party/abseil-cpp/absl/container/flat_hash_set.h +0 -504
- data/third_party/upb/upb/json_decode.c +0 -1443
- data/third_party/upb/upb/json_decode.h +0 -23
- data/third_party/upb/upb/json_encode.c +0 -713
- data/third_party/upb/upb/json_encode.h +0 -36
@@ -105,7 +105,7 @@ BSSL_NAMESPACE_BEGIN
|
|
105
105
|
// sslVersion INTEGER, -- protocol version number
|
106
106
|
// cipher OCTET STRING, -- two bytes long
|
107
107
|
// sessionID OCTET STRING,
|
108
|
-
//
|
108
|
+
// secret OCTET STRING,
|
109
109
|
// time [1] INTEGER, -- seconds since UNIX epoch
|
110
110
|
// timeout [2] INTEGER, -- in seconds
|
111
111
|
// peer [3] Certificate OPTIONAL,
|
@@ -218,8 +218,7 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,
|
|
218
218
|
// The session ID is irrelevant for a session ticket.
|
219
219
|
!CBB_add_asn1_octet_string(&session, in->session_id,
|
220
220
|
for_ticket ? 0 : in->session_id_length) ||
|
221
|
-
!CBB_add_asn1_octet_string(&session, in->
|
222
|
-
in->master_key_length) ||
|
221
|
+
!CBB_add_asn1_octet_string(&session, in->secret, in->secret_length) ||
|
223
222
|
!CBB_add_asn1(&session, &child, kTimeTag) ||
|
224
223
|
!CBB_add_asn1_uint64(&child, in->time) ||
|
225
224
|
!CBB_add_asn1(&session, &child, kTimeoutTag) ||
|
@@ -593,18 +592,18 @@ UniquePtr<SSL_SESSION> SSL_SESSION_parse(CBS *cbs,
|
|
593
592
|
return nullptr;
|
594
593
|
}
|
595
594
|
|
596
|
-
CBS session_id,
|
595
|
+
CBS session_id, secret;
|
597
596
|
if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING) ||
|
598
597
|
CBS_len(&session_id) > SSL3_MAX_SSL_SESSION_ID_LENGTH ||
|
599
|
-
!CBS_get_asn1(&session, &
|
600
|
-
CBS_len(&
|
598
|
+
!CBS_get_asn1(&session, &secret, CBS_ASN1_OCTETSTRING) ||
|
599
|
+
CBS_len(&secret) > SSL_MAX_MASTER_KEY_LENGTH) {
|
601
600
|
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
|
602
601
|
return nullptr;
|
603
602
|
}
|
604
603
|
OPENSSL_memcpy(ret->session_id, CBS_data(&session_id), CBS_len(&session_id));
|
605
604
|
ret->session_id_length = CBS_len(&session_id);
|
606
|
-
OPENSSL_memcpy(ret->
|
607
|
-
ret->
|
605
|
+
OPENSSL_memcpy(ret->secret, CBS_data(&secret), CBS_len(&secret));
|
606
|
+
ret->secret_length = CBS_len(&secret);
|
608
607
|
|
609
608
|
CBS child;
|
610
609
|
uint64_t timeout;
|
@@ -565,7 +565,6 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
|
|
565
565
|
grease_enabled(false),
|
566
566
|
allow_unknown_alpn_protos(false),
|
567
567
|
false_start_allowed_without_alpn(false),
|
568
|
-
ignore_tls13_downgrade(false),
|
569
568
|
handoff(false),
|
570
569
|
enable_early_data(false) {
|
571
570
|
CRYPTO_MUTEX_init(&lock);
|
@@ -711,7 +710,6 @@ SSL *SSL_new(SSL_CTX *ctx) {
|
|
711
710
|
ctx->signed_cert_timestamps_enabled;
|
712
711
|
ssl->config->ocsp_stapling_enabled = ctx->ocsp_stapling_enabled;
|
713
712
|
ssl->config->handoff = ctx->handoff;
|
714
|
-
ssl->config->ignore_tls13_downgrade = ctx->ignore_tls13_downgrade;
|
715
713
|
ssl->quic_method = ctx->quic_method;
|
716
714
|
|
717
715
|
if (!ssl->method->ssl_new(ssl.get()) ||
|
@@ -724,6 +722,7 @@ SSL *SSL_new(SSL_CTX *ctx) {
|
|
724
722
|
|
725
723
|
SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
|
726
724
|
: ssl(ssl_arg),
|
725
|
+
ech_grease_enabled(false),
|
727
726
|
signed_cert_timestamps_enabled(false),
|
728
727
|
ocsp_stapling_enabled(false),
|
729
728
|
channel_id_enabled(false),
|
@@ -731,8 +730,8 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
|
|
731
730
|
retain_only_sha256_of_client_certs(false),
|
732
731
|
handoff(false),
|
733
732
|
shed_handshake_config(false),
|
734
|
-
|
735
|
-
|
733
|
+
jdk11_workaround(false),
|
734
|
+
quic_use_legacy_codepoint(true) {
|
736
735
|
assert(ssl);
|
737
736
|
}
|
738
737
|
|
@@ -1469,6 +1468,13 @@ const char *SSL_error_description(int err) {
|
|
1469
1468
|
}
|
1470
1469
|
}
|
1471
1470
|
|
1471
|
+
void SSL_set_enable_ech_grease(SSL *ssl, int enable) {
|
1472
|
+
if (!ssl->config) {
|
1473
|
+
return;
|
1474
|
+
}
|
1475
|
+
ssl->config->ech_grease_enabled = !!enable;
|
1476
|
+
}
|
1477
|
+
|
1472
1478
|
uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) {
|
1473
1479
|
ctx->options |= options;
|
1474
1480
|
return ctx->options;
|
@@ -2929,22 +2935,15 @@ void SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX *ctx, int allowed) {
|
|
2929
2935
|
ctx->false_start_allowed_without_alpn = !!allowed;
|
2930
2936
|
}
|
2931
2937
|
|
2932
|
-
int SSL_is_tls13_downgrade(const SSL *ssl) { return
|
2938
|
+
int SSL_is_tls13_downgrade(const SSL *ssl) { return 0; }
|
2933
2939
|
|
2934
2940
|
int SSL_used_hello_retry_request(const SSL *ssl) {
|
2935
2941
|
return ssl->s3->used_hello_retry_request;
|
2936
2942
|
}
|
2937
2943
|
|
2938
|
-
void SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX *ctx, int ignore) {
|
2939
|
-
ctx->ignore_tls13_downgrade = !!ignore;
|
2940
|
-
}
|
2944
|
+
void SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX *ctx, int ignore) {}
|
2941
2945
|
|
2942
|
-
void SSL_set_ignore_tls13_downgrade(SSL *ssl, int ignore) {
|
2943
|
-
if (!ssl->config) {
|
2944
|
-
return;
|
2945
|
-
}
|
2946
|
-
ssl->config->ignore_tls13_downgrade = !!ignore;
|
2947
|
-
}
|
2946
|
+
void SSL_set_ignore_tls13_downgrade(SSL *ssl, int ignore) {}
|
2948
2947
|
|
2949
2948
|
void SSL_set_shed_handshake_config(SSL *ssl, int enable) {
|
2950
2949
|
if (!ssl->config) {
|
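Review bot: `SSL_CTX_set_ignore_tls13_downgrade` and `SSL_set_ignore_tls13_downgrade` are reduced to empty bodies and `SSL_is_tls13_downgrade` now unconditionally returns 0, but nothing in the hunk says why the knob was removed or what a caller that relied on it should now expect. A comment above the three stubs would stop the next reader from treating this as an accidental no-op, e.g. `// These are no-op compatibility shims: the TLS 1.3 downgrade signal can no longer be ignored, so a completed handshake is never reported as a downgrade.` Whether the downgrade check is now enforced unconditionally is not visible here (that logic would live in handshake_client.cc), so the wording should be confirmed against that change, and the matching declarations in ssl.h should carry the same deprecation note.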
@@ -2960,6 +2959,13 @@ void SSL_set_jdk11_workaround(SSL *ssl, int enable) {
|
|
2960
2959
|
ssl->config->jdk11_workaround = !!enable;
|
2961
2960
|
}
|
2962
2961
|
|
2962
|
+
void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy) {
|
2963
|
+
if (!ssl->config) {
|
2964
|
+
return;
|
2965
|
+
}
|
2966
|
+
ssl->config->quic_use_legacy_codepoint = !!use_legacy;
|
2967
|
+
}
|
2968
|
+
|
2963
2969
|
int SSL_clear(SSL *ssl) {
|
2964
2970
|
if (!ssl->config) {
|
2965
2971
|
return 0; // SSL_clear may not be used after shedding config.
|
@@ -202,9 +202,8 @@ UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
|
|
202
202
|
OPENSSL_memcpy(new_session->sid_ctx, session->sid_ctx, session->sid_ctx_length);
|
203
203
|
|
204
204
|
// Copy the key material.
|
205
|
-
new_session->
|
206
|
-
OPENSSL_memcpy(new_session->
|
207
|
-
session->master_key_length);
|
205
|
+
new_session->secret_length = session->secret_length;
|
206
|
+
OPENSSL_memcpy(new_session->secret, session->secret, session->secret_length);
|
208
207
|
new_session->cipher = session->cipher;
|
209
208
|
|
210
209
|
// Copy authentication state.
|
@@ -963,14 +962,14 @@ void SSL_SESSION_get0_ocsp_response(const SSL_SESSION *session,
|
|
963
962
|
|
964
963
|
size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out,
|
965
964
|
size_t max_out) {
|
966
|
-
// TODO(davidben): Fix
|
965
|
+
// TODO(davidben): Fix secret_length's type and remove these casts.
|
967
966
|
if (max_out == 0) {
|
968
|
-
return (size_t)session->
|
967
|
+
return (size_t)session->secret_length;
|
969
968
|
}
|
970
|
-
if (max_out > (size_t)session->
|
971
|
-
max_out = (size_t)session->
|
969
|
+
if (max_out > (size_t)session->secret_length) {
|
970
|
+
max_out = (size_t)session->secret_length;
|
972
971
|
}
|
973
|
-
OPENSSL_memcpy(out, session->
|
972
|
+
OPENSSL_memcpy(out, session->secret, max_out);
|
974
973
|
return max_out;
|
975
974
|
}
|
976
975
|
|
@@ -265,8 +265,8 @@ bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len,
|
|
265
265
|
|
266
266
|
static const size_t kFinishedLen = 12;
|
267
267
|
if (!tls1_prf(Digest(), MakeSpan(out, kFinishedLen),
|
268
|
-
MakeConstSpan(session->
|
269
|
-
|
268
|
+
MakeConstSpan(session->secret, session->secret_length), label,
|
269
|
+
MakeConstSpan(digest, digest_len), {})) {
|
270
270
|
return false;
|
271
271
|
}
|
272
272
|
|
@@ -191,15 +191,14 @@ static bool get_key_block_lengths(const SSL *ssl, size_t *out_mac_secret_len,
|
|
191
191
|
|
192
192
|
static bool generate_key_block(const SSL *ssl, Span<uint8_t> out,
|
193
193
|
const SSL_SESSION *session) {
|
194
|
-
auto
|
195
|
-
MakeConstSpan(session->master_key, session->master_key_length);
|
194
|
+
auto secret = MakeConstSpan(session->secret, session->secret_length);
|
196
195
|
static const char kLabel[] = "key expansion";
|
197
196
|
auto label = MakeConstSpan(kLabel, sizeof(kLabel) - 1);
|
198
197
|
|
199
198
|
const EVP_MD *digest = ssl_session_get_digest(session);
|
200
199
|
// Note this function assumes that |session|'s key material corresponds to
|
201
200
|
// |ssl->s3->client_random| and |ssl->s3->server_random|.
|
202
|
-
return tls1_prf(digest, out,
|
201
|
+
return tls1_prf(digest, out, secret, label, ssl->s3->server_random,
|
203
202
|
ssl->s3->client_random);
|
204
203
|
}
|
205
204
|
|
@@ -379,8 +378,7 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
|
|
379
378
|
|
380
379
|
const SSL_SESSION *session = SSL_get_session(ssl);
|
381
380
|
const EVP_MD *digest = ssl_session_get_digest(session);
|
382
|
-
return tls1_prf(
|
383
|
-
|
384
|
-
|
385
|
-
MakeConstSpan(label, label_len), seed, {});
|
381
|
+
return tls1_prf(digest, MakeSpan(out, out_len),
|
382
|
+
MakeConstSpan(session->secret, session->secret_length),
|
383
|
+
MakeConstSpan(label, label_len), seed, {});
|
386
384
|
}
|
@@ -113,10 +113,13 @@
|
|
113
113
|
#include <stdlib.h>
|
114
114
|
#include <string.h>
|
115
115
|
|
116
|
+
#include <algorithm>
|
116
117
|
#include <utility>
|
117
118
|
|
119
|
+
#include <openssl/aead.h>
|
118
120
|
#include <openssl/bytestring.h>
|
119
121
|
#include <openssl/chacha.h>
|
122
|
+
#include <openssl/curve25519.h>
|
120
123
|
#include <openssl/digest.h>
|
121
124
|
#include <openssl/err.h>
|
122
125
|
#include <openssl/evp.h>
|
@@ -125,6 +128,7 @@
|
|
125
128
|
#include <openssl/nid.h>
|
126
129
|
#include <openssl/rand.h>
|
127
130
|
|
131
|
+
#include "../crypto/hpke/internal.h"
|
128
132
|
#include "../crypto/internal.h"
|
129
133
|
#include "internal.h"
|
130
134
|
|
@@ -587,6 +591,182 @@ static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
587
591
|
}
|
588
592
|
|
589
593
|
|
594
|
+
// Encrypted Client Hello (ECH)
|
595
|
+
//
|
596
|
+
// https://tools.ietf.org/html/draft-ietf-tls-esni-09
|
597
|
+
|
598
|
+
// random_size returns a random value between |min| and |max|, inclusive.
|
599
|
+
static size_t random_size(size_t min, size_t max) {
|
600
|
+
assert(min < max);
|
601
|
+
size_t value;
|
602
|
+
RAND_bytes(reinterpret_cast<uint8_t *>(&value), sizeof(value));
|
603
|
+
return value % (max - min + 1) + min;
|
604
|
+
}
|
605
|
+
|
606
|
+
static bool ext_ech_add_clienthello_grease(SSL_HANDSHAKE *hs, CBB *out) {
|
607
|
+
// If we are responding to the server's HelloRetryRequest, we repeat the bytes
|
608
|
+
// of the first ECH GREASE extension.
|
609
|
+
if (hs->ssl->s3->used_hello_retry_request) {
|
610
|
+
CBB ech_body;
|
611
|
+
if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||
|
612
|
+
!CBB_add_u16_length_prefixed(out, &ech_body) ||
|
613
|
+
!CBB_add_bytes(&ech_body, hs->ech_grease.data(),
|
614
|
+
hs->ech_grease.size()) ||
|
615
|
+
!CBB_flush(out)) {
|
616
|
+
return false;
|
617
|
+
}
|
618
|
+
return true;
|
619
|
+
}
|
620
|
+
|
621
|
+
constexpr uint16_t kdf_id = EVP_HPKE_HKDF_SHA256;
|
622
|
+
const uint16_t aead_id = EVP_has_aes_hardware()
|
623
|
+
? EVP_HPKE_AEAD_AES_GCM_128
|
624
|
+
: EVP_HPKE_AEAD_CHACHA20POLY1305;
|
625
|
+
const EVP_AEAD *aead = EVP_HPKE_get_aead(aead_id);
|
626
|
+
assert(aead != nullptr);
|
627
|
+
|
628
|
+
uint8_t ech_config_id[8];
|
629
|
+
RAND_bytes(ech_config_id, sizeof(ech_config_id));
|
630
|
+
|
631
|
+
uint8_t ech_enc[X25519_PUBLIC_VALUE_LEN];
|
632
|
+
uint8_t private_key_unused[X25519_PRIVATE_KEY_LEN];
|
633
|
+
X25519_keypair(ech_enc, private_key_unused);
|
634
|
+
|
635
|
+
// To determine a plausible length for the payload, we first estimate the size
|
636
|
+
// of a typical EncodedClientHelloInner, with an expected use of
|
637
|
+
// outer_extensions. To limit the size, we only consider initial ClientHellos
|
638
|
+
// that do not offer resumption.
|
639
|
+
//
|
640
|
+
// Field/Extension Size
|
641
|
+
// ---------------------------------------------------------------------
|
642
|
+
// version 2
|
643
|
+
// random 32
|
644
|
+
// legacy_session_id 1
|
645
|
+
// - Has a U8 length prefix, but body is
|
646
|
+
// always empty string in inner CH.
|
647
|
+
// cipher_suites 2 (length prefix)
|
648
|
+
// - Only includes TLS 1.3 ciphers (3). 6
|
649
|
+
// - Maybe also include a GREASE suite. 2
|
650
|
+
// legacy_compression_methods 2 (length prefix)
|
651
|
+
// - Always has "null" compression method. 1
|
652
|
+
// extensions: 2 (length prefix)
|
653
|
+
// - encrypted_client_hello (empty). 4 (id + length prefix)
|
654
|
+
// - supported_versions. 4 (id + length prefix)
|
655
|
+
// - U8 length prefix 1
|
656
|
+
// - U16 protocol version (TLS 1.3) 2
|
657
|
+
// - outer_extensions. 4 (id + length prefix)
|
658
|
+
// - U8 length prefix 1
|
659
|
+
// - N extension IDs (2 bytes each):
|
660
|
+
// - key_share 2
|
661
|
+
// - sigalgs 2
|
662
|
+
// - sct 2
|
663
|
+
// - alpn 2
|
664
|
+
// - supported_groups. 2
|
665
|
+
// - status_request. 2
|
666
|
+
// - psk_key_exchange_modes. 2
|
667
|
+
// - compress_certificate. 2
|
668
|
+
//
|
669
|
+
// The server_name extension has an overhead of 9 bytes, plus up to an
|
670
|
+
// estimated 100 bytes of hostname. Rounding up to a multiple of 32 yields a
|
671
|
+
// range of 96 to 192. Note that this estimate does not fully capture
|
672
|
+
// optional extensions like GREASE, but the rounding gives some leeway.
|
673
|
+
|
674
|
+
uint8_t payload[EVP_AEAD_MAX_OVERHEAD + 192];
|
675
|
+
const size_t payload_len =
|
676
|
+
EVP_AEAD_max_overhead(aead) + 32 * random_size(96 / 32, 192 / 32);
|
677
|
+
assert(payload_len <= sizeof(payload));
|
678
|
+
RAND_bytes(payload, payload_len);
|
679
|
+
|
680
|
+
// Inside the TLS extension contents, write a serialized ClientEncryptedCH.
|
681
|
+
CBB ech_body, config_id_cbb, enc_cbb, payload_cbb;
|
682
|
+
if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||
|
683
|
+
!CBB_add_u16_length_prefixed(out, &ech_body) ||
|
684
|
+
!CBB_add_u16(&ech_body, kdf_id) || //
|
685
|
+
!CBB_add_u16(&ech_body, aead_id) ||
|
686
|
+
!CBB_add_u8_length_prefixed(&ech_body, &config_id_cbb) ||
|
687
|
+
!CBB_add_bytes(&config_id_cbb, ech_config_id, sizeof(ech_config_id)) ||
|
688
|
+
!CBB_add_u16_length_prefixed(&ech_body, &enc_cbb) ||
|
689
|
+
!CBB_add_bytes(&enc_cbb, ech_enc, OPENSSL_ARRAY_SIZE(ech_enc)) ||
|
690
|
+
!CBB_add_u16_length_prefixed(&ech_body, &payload_cbb) ||
|
691
|
+
!CBB_add_bytes(&payload_cbb, payload, payload_len) || //
|
692
|
+
!CBB_flush(&ech_body)) {
|
693
|
+
return false;
|
694
|
+
}
|
695
|
+
// Save the bytes of the newly-generated extension in case the server sends
|
696
|
+
// a HelloRetryRequest.
|
697
|
+
if (!hs->ech_grease.CopyFrom(
|
698
|
+
MakeConstSpan(CBB_data(&ech_body), CBB_len(&ech_body)))) {
|
699
|
+
return false;
|
700
|
+
}
|
701
|
+
return CBB_flush(out);
|
702
|
+
}
|
703
|
+
|
704
|
+
static bool ext_ech_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
705
|
+
if (hs->max_version < TLS1_3_VERSION) {
|
706
|
+
return true;
|
707
|
+
}
|
708
|
+
if (hs->config->ech_grease_enabled) {
|
709
|
+
return ext_ech_add_clienthello_grease(hs, out);
|
710
|
+
}
|
711
|
+
// Nothing to do, since we don't yet implement the non-GREASE parts of ECH.
|
712
|
+
return true;
|
713
|
+
}
|
714
|
+
|
715
|
+
static bool ext_ech_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
716
|
+
CBS *contents) {
|
717
|
+
if (contents == NULL) {
|
718
|
+
return true;
|
719
|
+
}
|
720
|
+
|
721
|
+
// If the client only sent GREASE, we must check the extension syntactically.
|
722
|
+
CBS ech_configs;
|
723
|
+
if (!CBS_get_u16_length_prefixed(contents, &ech_configs) ||
|
724
|
+
CBS_len(&ech_configs) == 0 || //
|
725
|
+
CBS_len(contents) > 0) {
|
726
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
727
|
+
return false;
|
728
|
+
}
|
729
|
+
while (CBS_len(&ech_configs) > 0) {
|
730
|
+
// Do a top-level parse of the ECHConfig, stopping before ECHConfigContents.
|
731
|
+
uint16_t version;
|
732
|
+
CBS ech_config_contents;
|
733
|
+
if (!CBS_get_u16(&ech_configs, &version) ||
|
734
|
+
!CBS_get_u16_length_prefixed(&ech_configs, &ech_config_contents)) {
|
735
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
736
|
+
return false;
|
737
|
+
}
|
738
|
+
}
|
739
|
+
return true;
|
740
|
+
}
|
741
|
+
|
742
|
+
static bool ext_ech_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
743
|
+
CBS *contents) {
|
744
|
+
if (contents != nullptr) {
|
745
|
+
hs->ech_present = true;
|
746
|
+
return true;
|
747
|
+
}
|
748
|
+
return true;
|
749
|
+
}
|
750
|
+
|
751
|
+
static bool ext_ech_is_inner_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
752
|
+
return true;
|
753
|
+
}
|
754
|
+
|
755
|
+
static bool ext_ech_is_inner_parse_clienthello(SSL_HANDSHAKE *hs,
|
756
|
+
uint8_t *out_alert,
|
757
|
+
CBS *contents) {
|
758
|
+
if (contents == nullptr) {
|
759
|
+
return true;
|
760
|
+
}
|
761
|
+
if (CBS_len(contents) > 0) {
|
762
|
+
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
763
|
+
return false;
|
764
|
+
}
|
765
|
+
hs->ech_is_inner_present = true;
|
766
|
+
return true;
|
767
|
+
}
|
768
|
+
|
769
|
+
|
590
770
|
// Renegotiation indication.
|
591
771
|
//
|
592
772
|
// https://tools.ietf.org/html/rfc5746
|
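Review bot: In ext_ech_parse_serverhello the `while` loop reads `version` and `ech_config_contents` and then discards both, which reads like an unfinished validation rather than a deliberate one. A comment above the loop would make the intent explicit: `// Only the outer framing is checked. The version and contents are deliberately not interpreted here: a client that offered only GREASE has no config to match against and should tolerate ECHConfig versions it does not understand (draft-ietf-tls-esni-09).` Separately, `private_key_unused` in ext_ech_add_clienthello_grease is left on the stack without being wiped; nothing is ever encrypted to the matching public value, so there is no secret worth protecting, but a one-line note saying so (`// The private key is thrown away; no ciphertext is ever bound to it.`) would forestall the obvious question. Both points are documentation-only.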
@@ -1248,7 +1428,7 @@ static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1248
1428
|
SSL *const ssl = hs->ssl;
|
1249
1429
|
if (hs->config->alpn_client_proto_list.empty() && ssl->quic_method) {
|
1250
1430
|
// ALPN MUST be used with QUIC.
|
1251
|
-
OPENSSL_PUT_ERROR(SSL,
|
1431
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
1252
1432
|
return false;
|
1253
1433
|
}
|
1254
1434
|
|
@@ -1276,7 +1456,7 @@ static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1276
1456
|
if (contents == NULL) {
|
1277
1457
|
if (ssl->quic_method) {
|
1278
1458
|
// ALPN is required when QUIC is used.
|
1279
|
-
OPENSSL_PUT_ERROR(SSL,
|
1459
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
1280
1460
|
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
1281
1461
|
return false;
|
1282
1462
|
}
|
@@ -1357,7 +1537,7 @@ bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1357
1537
|
TLSEXT_TYPE_application_layer_protocol_negotiation)) {
|
1358
1538
|
if (ssl->quic_method) {
|
1359
1539
|
// ALPN is required when QUIC is used.
|
1360
|
-
OPENSSL_PUT_ERROR(SSL,
|
1540
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
1361
1541
|
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
1362
1542
|
return false;
|
1363
1543
|
}
|
@@ -1392,25 +1572,39 @@ bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1392
1572
|
|
1393
1573
|
const uint8_t *selected;
|
1394
1574
|
uint8_t selected_len;
|
1395
|
-
|
1396
|
-
|
1397
|
-
|
1398
|
-
|
1399
|
-
|
1400
|
-
|
1401
|
-
|
1575
|
+
int ret = ssl->ctx->alpn_select_cb(
|
1576
|
+
ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
|
1577
|
+
CBS_len(&protocol_name_list), ssl->ctx->alpn_select_cb_arg);
|
1578
|
+
// ALPN is required when QUIC is used.
|
1579
|
+
if (ssl->quic_method &&
|
1580
|
+
(ret == SSL_TLSEXT_ERR_NOACK || ret == SSL_TLSEXT_ERR_ALERT_WARNING)) {
|
1581
|
+
ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
1582
|
+
}
|
1583
|
+
switch (ret) {
|
1584
|
+
case SSL_TLSEXT_ERR_OK:
|
1585
|
+
if (selected_len == 0) {
|
1586
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
|
1587
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
1588
|
+
return false;
|
1589
|
+
}
|
1590
|
+
if (!ssl->s3->alpn_selected.CopyFrom(
|
1591
|
+
MakeConstSpan(selected, selected_len))) {
|
1592
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
1593
|
+
return false;
|
1594
|
+
}
|
1595
|
+
break;
|
1596
|
+
case SSL_TLSEXT_ERR_NOACK:
|
1597
|
+
case SSL_TLSEXT_ERR_ALERT_WARNING:
|
1598
|
+
break;
|
1599
|
+
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
1600
|
+
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
1601
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
|
1402
1602
|
return false;
|
1403
|
-
|
1404
|
-
|
1405
|
-
MakeConstSpan(selected, selected_len))) {
|
1603
|
+
default:
|
1604
|
+
// Invalid return value.
|
1406
1605
|
*out_alert = SSL_AD_INTERNAL_ERROR;
|
1606
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
1407
1607
|
return false;
|
1408
|
-
}
|
1409
|
-
} else if (ssl->quic_method) {
|
1410
|
-
// ALPN is required when QUIC is used.
|
1411
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_ALPN);
|
1412
|
-
*out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
|
1413
|
-
return false;
|
1414
1608
|
}
|
1415
1609
|
|
1416
1610
|
return true;
|
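Review bot: In the new `switch`, `SSL_TLSEXT_ERR_ALERT_WARNING` shares the `SSL_TLSEXT_ERR_NOACK` branch, so despite its name no warning alert is ever sent and ALPN is simply left unnegotiated; only the QUIC remapping above the switch turns it into a fatal no_application_protocol. That is presumably intentional, but the name invites the opposite reading, so the shared case deserves a comment: `// ALERT_WARNING is treated like NOACK: ALPN is not negotiated and no alert is sent (except under QUIC, where it was remapped to ALERT_FATAL above).` The enclosing ssl_negotiate_alpn starts outside the hunk, so the earlier validation of `protocol_name_list` is not visible here.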
@@ -2000,14 +2194,17 @@ static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2000
2194
|
return true;
|
2001
2195
|
}
|
2002
2196
|
|
2003
|
-
|
2004
|
-
|
2005
|
-
|
2006
|
-
if (
|
2007
|
-
|
2008
|
-
|
2009
|
-
|
2010
|
-
|
2197
|
+
// If the previous connection negotiated ALPS, only offer 0-RTT when the
|
2198
|
+
// local are settings are consistent with what we'd offer for this
|
2199
|
+
// connection.
|
2200
|
+
if (ssl->session->has_application_settings) {
|
2201
|
+
Span<const uint8_t> settings;
|
2202
|
+
if (!ssl_get_local_application_settings(hs, &settings,
|
2203
|
+
ssl->session->early_alpn) ||
|
2204
|
+
settings != ssl->session->local_application_settings) {
|
2205
|
+
ssl->s3->early_data_reason = ssl_early_data_alps_mismatch;
|
2206
|
+
return true;
|
2207
|
+
}
|
2011
2208
|
}
|
2012
2209
|
}
|
2013
2210
|
|
@@ -2282,7 +2479,8 @@ bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
|
|
2282
2479
|
return true;
|
2283
2480
|
}
|
2284
2481
|
|
2285
|
-
bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out
|
2482
|
+
bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out,
|
2483
|
+
bool dry_run) {
|
2286
2484
|
uint16_t group_id;
|
2287
2485
|
CBB kse_bytes, public_key;
|
2288
2486
|
if (!tls1_get_shared_group(hs, &group_id) ||
|
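Review bot: The new `dry_run` parameter of ssl_ext_key_share_add_serverhello is undocumented, and its effect is subtle: the extension is still serialized into `out`, but (as the second hunk of this function shows) `hs->ecdh_public_key` is not reset and `hs->new_session->group_id` is not recorded, so the call can be repeated later. The declaration in internal.h, which is outside this hunk, should state that contract, e.g. `// If |dry_run| is true, the key_share extension is written to |out| but the handshake state (|ecdh_public_key|, |new_session->group_id|) is left untouched so the function may be called again.` The middle of the function, including the ECDH computation, is not visible here, so whether anything else there is also conditioned on |dry_run| should be confirmed.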
@@ -2295,10 +2493,10 @@ bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2295
2493
|
!CBB_flush(out)) {
|
2296
2494
|
return false;
|
2297
2495
|
}
|
2298
|
-
|
2299
|
-
|
2300
|
-
|
2301
|
-
|
2496
|
+
if (!dry_run) {
|
2497
|
+
hs->ecdh_public_key.Reset();
|
2498
|
+
hs->new_session->group_id = group_id;
|
2499
|
+
}
|
2302
2500
|
return true;
|
2303
2501
|
}
|
2304
2502
|
|
@@ -2592,8 +2790,8 @@ static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2592
2790
|
|
2593
2791
|
// QUIC Transport Parameters
|
2594
2792
|
|
2595
|
-
static bool
|
2596
|
-
|
2793
|
+
static bool ext_quic_transport_params_add_clienthello_impl(
|
2794
|
+
SSL_HANDSHAKE *hs, CBB *out, bool use_legacy_codepoint) {
|
2597
2795
|
if (hs->config->quic_transport_params.empty() && !hs->ssl->quic_method) {
|
2598
2796
|
return true;
|
2599
2797
|
}
|
@@ -2605,9 +2803,18 @@ static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
|
|
2605
2803
|
return false;
|
2606
2804
|
}
|
2607
2805
|
assert(hs->min_version > TLS1_2_VERSION);
|
2806
|
+
if (use_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
2807
|
+
// Do nothing, we'll send the other codepoint.
|
2808
|
+
return true;
|
2809
|
+
}
|
2810
|
+
|
2811
|
+
uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters_standard;
|
2812
|
+
if (hs->config->quic_use_legacy_codepoint) {
|
2813
|
+
extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;
|
2814
|
+
}
|
2608
2815
|
|
2609
2816
|
CBB contents;
|
2610
|
-
if (!CBB_add_u16(out,
|
2817
|
+
if (!CBB_add_u16(out, extension_type) ||
|
2611
2818
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
2612
2819
|
!CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
|
2613
2820
|
hs->config->quic_transport_params.size()) ||
|
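Review bot: The codepoint choice here is driven solely by `hs->config->quic_use_legacy_codepoint`, and the parse-side counterparts in this change silently drop the codepoint they do not expect and report missing_extension when the expected one is absent, so a client and server configured for different codepoints fail the handshake rather than falling back. That is a defensible design, but it makes the `quic_use_legacy_codepoint` default (initialized to true in the SSL_CONFIG constructor elsewhere in this change, i.e. the private-use value rather than the IANA-registered one) the operative interoperability setting, and nothing here names it. I would add above the `extension_type` assignment: `// Exactly one codepoint is sent and the peer must be configured for the same one (SSL_set_quic_use_legacy_codepoint); there is no negotiation or fallback between them.`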
@@ -2617,31 +2824,57 @@ static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
|
|
2617
2824
|
return true;
|
2618
2825
|
}
|
2619
2826
|
|
2620
|
-
static bool
|
2621
|
-
|
2622
|
-
|
2827
|
+
static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
|
2828
|
+
CBB *out) {
|
2829
|
+
return ext_quic_transport_params_add_clienthello_impl(
|
2830
|
+
hs, out, /*use_legacy_codepoint=*/false);
|
2831
|
+
}
|
2832
|
+
|
2833
|
+
static bool ext_quic_transport_params_add_clienthello_legacy(SSL_HANDSHAKE *hs,
|
2834
|
+
CBB *out) {
|
2835
|
+
return ext_quic_transport_params_add_clienthello_impl(
|
2836
|
+
hs, out, /*use_legacy_codepoint=*/true);
|
2837
|
+
}
|
2838
|
+
|
2839
|
+
static bool ext_quic_transport_params_parse_serverhello_impl(
|
2840
|
+
SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents,
|
2841
|
+
bool used_legacy_codepoint) {
|
2623
2842
|
SSL *const ssl = hs->ssl;
|
2624
2843
|
if (contents == nullptr) {
|
2844
|
+
if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
2845
|
+
// Silently ignore because we expect the other QUIC codepoint.
|
2846
|
+
return true;
|
2847
|
+
}
|
2625
2848
|
if (!ssl->quic_method) {
|
2626
2849
|
return true;
|
2627
2850
|
}
|
2628
|
-
assert(ssl->quic_method);
|
2629
2851
|
*out_alert = SSL_AD_MISSING_EXTENSION;
|
2630
2852
|
return false;
|
2631
2853
|
}
|
2632
|
-
|
2633
|
-
|
2634
|
-
|
2635
|
-
}
|
2636
|
-
// QUIC requires TLS 1.3.
|
2854
|
+
// The extensions parser will check for unsolicited extensions before
|
2855
|
+
// calling the callback.
|
2856
|
+
assert(ssl->quic_method != nullptr);
|
2637
2857
|
assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
|
2638
|
-
|
2858
|
+
assert(used_legacy_codepoint == hs->config->quic_use_legacy_codepoint);
|
2639
2859
|
return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
|
2640
2860
|
}
|
2641
2861
|
|
2642
|
-
static bool
|
2862
|
+
static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
|
2643
2863
|
uint8_t *out_alert,
|
2644
2864
|
CBS *contents) {
|
2865
|
+
return ext_quic_transport_params_parse_serverhello_impl(
|
2866
|
+
hs, out_alert, contents, /*used_legacy_codepoint=*/false);
|
2867
|
+
}
|
2868
|
+
|
2869
|
+
static bool ext_quic_transport_params_parse_serverhello_legacy(
|
2870
|
+
SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) {
|
2871
|
+
return ext_quic_transport_params_parse_serverhello_impl(
|
2872
|
+
hs, out_alert, contents, /*used_legacy_codepoint=*/true);
|
2873
|
+
}
|
2874
|
+
|
2875
|
+
static bool ext_quic_transport_params_parse_clienthello_impl(
|
2876
|
+
SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents,
|
2877
|
+
bool used_legacy_codepoint) {
|
2645
2878
|
SSL *const ssl = hs->ssl;
|
2646
2879
|
if (!contents) {
|
2647
2880
|
if (!ssl->quic_method) {
|
@@ -2652,29 +2885,72 @@ static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
2652
2885
|
// for QUIC.
|
2653
2886
|
OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
|
2654
2887
|
*out_alert = SSL_AD_INTERNAL_ERROR;
|
2888
|
+
return false;
|
2889
|
+
}
|
2890
|
+
if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
2891
|
+
// Silently ignore because we expect the other QUIC codepoint.
|
2892
|
+
return true;
|
2655
2893
|
}
|
2656
2894
|
*out_alert = SSL_AD_MISSING_EXTENSION;
|
2657
2895
|
return false;
|
2658
2896
|
}
|
2659
2897
|
if (!ssl->quic_method) {
|
2898
|
+
if (used_legacy_codepoint) {
|
2899
|
+
// Ignore the legacy private-use codepoint because that could be sent
|
2900
|
+
// to mean something else than QUIC transport parameters.
|
2901
|
+
return true;
|
2902
|
+
}
|
2903
|
+
// Fail if we received the codepoint registered with IANA for QUIC
|
2904
|
+
// because that is not allowed outside of QUIC.
|
2660
2905
|
*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
|
2661
2906
|
return false;
|
2662
2907
|
}
|
2663
2908
|
assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
|
2909
|
+
if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
2910
|
+
// Silently ignore because we expect the other QUIC codepoint.
|
2911
|
+
return true;
|
2912
|
+
}
|
2664
2913
|
return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
|
2665
2914
|
}
|
2666
2915
|
|
2667
|
-
static bool
|
2668
|
-
|
2916
|
+
static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
|
2917
|
+
uint8_t *out_alert,
|
2918
|
+
CBS *contents) {
|
2919
|
+
return ext_quic_transport_params_parse_clienthello_impl(
|
2920
|
+
hs, out_alert, contents, /*used_legacy_codepoint=*/false);
|
2921
|
+
}
|
2922
|
+
|
2923
|
+
static bool ext_quic_transport_params_parse_clienthello_legacy(
|
2924
|
+
SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) {
|
2925
|
+
return ext_quic_transport_params_parse_clienthello_impl(
|
2926
|
+
hs, out_alert, contents, /*used_legacy_codepoint=*/true);
|
2927
|
+
}
|
2928
|
+
|
2929
|
+
static bool ext_quic_transport_params_add_serverhello_impl(
|
2930
|
+
SSL_HANDSHAKE *hs, CBB *out, bool use_legacy_codepoint) {
|
2931
|
+
if (hs->ssl->quic_method == nullptr && use_legacy_codepoint) {
|
2932
|
+
// Ignore the legacy private-use codepoint because that could be sent
|
2933
|
+
// to mean something else than QUIC transport parameters.
|
2934
|
+
return true;
|
2935
|
+
}
|
2669
2936
|
assert(hs->ssl->quic_method != nullptr);
|
2670
2937
|
if (hs->config->quic_transport_params.empty()) {
|
2671
2938
|
// Transport parameters must be set when using QUIC.
|
2672
2939
|
OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
|
2673
2940
|
return false;
|
2674
2941
|
}
|
2942
|
+
if (use_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
|
2943
|
+
// Do nothing, we'll send the other codepoint.
|
2944
|
+
return true;
|
2945
|
+
}
|
2946
|
+
|
2947
|
+
uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters_standard;
|
2948
|
+
if (hs->config->quic_use_legacy_codepoint) {
|
2949
|
+
extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;
|
2950
|
+
}
|
2675
2951
|
|
2676
2952
|
CBB contents;
|
2677
|
-
if (!CBB_add_u16(out,
|
2953
|
+
if (!CBB_add_u16(out, extension_type) ||
|
2678
2954
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
2679
2955
|
!CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
|
2680
2956
|
hs->config->quic_transport_params.size()) ||
|
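Review bot: The `assert(hs->ssl->quic_method != nullptr)` kept at new line 2936 of ext_quic_transport_params_add_serverhello_impl is only valid because the standard codepoint is rejected with `SSL_AD_UNSUPPORTED_EXTENSION` in ext_quic_transport_params_parse_clienthello_impl when `quic_method` is null, which presumably keeps the add callback from ever running for that codepoint outside QUIC; nothing in the hunk states that dependency. I would add, directly above the assert, `// Reachable without quic_method only for the legacy codepoint, which the check above ignores; parse_clienthello rejects the standard codepoint in that case.` so that a later change to the parse path does not silently start emitting transport parameters on a plain TLS connection once the assert compiles out in release builds. The mismatch check at new lines 2942–2945 already guarantees `use_legacy_codepoint == hs->config->quic_use_legacy_codepoint`, so the selection at 2947–2950 could simply read `uint16_t extension_type = use_legacy_codepoint ? TLSEXT_TYPE_quic_transport_parameters_legacy : TLSEXT_TYPE_quic_transport_parameters_standard;`, making the tie to the parameter explicit. The body of ext_quic_transport_params_parse_clienthello_impl begins before this hunk and ext_quic_transport_params_add_serverhello_impl continues after it.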
@@ -2685,6 +2961,18 @@ static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
|
|
2685
2961
|
return true;
|
2686
2962
|
}
|
2687
2963
|
|
2964
|
+
static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
|
2965
|
+
CBB *out) {
|
2966
|
+
return ext_quic_transport_params_add_serverhello_impl(
|
2967
|
+
hs, out, /*use_legacy_codepoint=*/false);
|
2968
|
+
}
|
2969
|
+
|
2970
|
+
static bool ext_quic_transport_params_add_serverhello_legacy(SSL_HANDSHAKE *hs,
|
2971
|
+
CBB *out) {
|
2972
|
+
return ext_quic_transport_params_add_serverhello_impl(
|
2973
|
+
hs, out, /*use_legacy_codepoint=*/true);
|
2974
|
+
}
|
2975
|
+
|
2688
2976
|
// Delegated credentials.
|
2689
2977
|
//
|
2690
2978
|
// https://tools.ietf.org/html/draft-ietf-tls-subcerts
|
@@ -2970,6 +3258,22 @@ static const struct tls_extension kExtensions[] = {
|
|
2970
3258
|
ext_sni_parse_clienthello,
|
2971
3259
|
ext_sni_add_serverhello,
|
2972
3260
|
},
|
3261
|
+
{
|
3262
|
+
TLSEXT_TYPE_encrypted_client_hello,
|
3263
|
+
NULL,
|
3264
|
+
ext_ech_add_clienthello,
|
3265
|
+
ext_ech_parse_serverhello,
|
3266
|
+
ext_ech_parse_clienthello,
|
3267
|
+
dont_add_serverhello,
|
3268
|
+
},
|
3269
|
+
{
|
3270
|
+
TLSEXT_TYPE_ech_is_inner,
|
3271
|
+
NULL,
|
3272
|
+
ext_ech_is_inner_add_clienthello,
|
3273
|
+
forbid_parse_serverhello,
|
3274
|
+
ext_ech_is_inner_parse_clienthello,
|
3275
|
+
dont_add_serverhello,
|
3276
|
+
},
|
2973
3277
|
{
|
2974
3278
|
TLSEXT_TYPE_extended_master_secret,
|
2975
3279
|
NULL,
|
@@ -3109,13 +3413,21 @@ static const struct tls_extension kExtensions[] = {
|
|
3109
3413
|
dont_add_serverhello,
|
3110
3414
|
},
|
3111
3415
|
{
|
3112
|
-
|
3416
|
+
TLSEXT_TYPE_quic_transport_parameters_standard,
|
3113
3417
|
NULL,
|
3114
3418
|
ext_quic_transport_params_add_clienthello,
|
3115
3419
|
ext_quic_transport_params_parse_serverhello,
|
3116
3420
|
ext_quic_transport_params_parse_clienthello,
|
3117
3421
|
ext_quic_transport_params_add_serverhello,
|
3118
3422
|
},
|
3423
|
+
{
|
3424
|
+
TLSEXT_TYPE_quic_transport_parameters_legacy,
|
3425
|
+
NULL,
|
3426
|
+
ext_quic_transport_params_add_clienthello_legacy,
|
3427
|
+
ext_quic_transport_params_parse_serverhello_legacy,
|
3428
|
+
ext_quic_transport_params_parse_clienthello_legacy,
|
3429
|
+
ext_quic_transport_params_add_serverhello_legacy,
|
3430
|
+
},
|
3119
3431
|
{
|
3120
3432
|
TLSEXT_TYPE_token_binding,
|
3121
3433
|
NULL,
|