grpc 1.35.0.pre1 → 1.37.1





Files changed (507)
  1. checksums.yaml +4 -4
  2. data/Makefile +121 -89
  3. data/include/grpc/grpc.h +15 -1
  4. data/include/grpc/grpc_security.h +16 -11
  5. data/include/grpc/impl/codegen/port_platform.h +2 -0
  6. data/src/core/ext/filters/client_channel/client_channel.cc +359 -331
  7. data/src/core/ext/filters/client_channel/client_channel.h +0 -2
  8. data/src/core/ext/filters/client_channel/client_channel_factory.h +2 -1
  9. data/src/core/ext/filters/client_channel/config_selector.h +9 -1
  10. data/src/core/ext/filters/client_channel/dynamic_filters.cc +9 -4
  11. data/src/core/ext/filters/client_channel/global_subchannel_pool.cc +24 -142
  12. data/src/core/ext/filters/client_channel/global_subchannel_pool.h +15 -10
  13. data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +2 -2
  14. data/src/core/ext/filters/client_channel/lb_policy.cc +3 -0
  15. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +3 -5
  16. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +1 -2
  17. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +1 -2
  18. data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +1 -1
  19. data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +8 -6
  20. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +23 -0
  21. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +27 -0
  22. data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +289 -170
  23. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h +5 -0
  24. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -25
  25. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +1 -1
  26. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +232 -110
  27. data/src/core/ext/filters/client_channel/local_subchannel_pool.cc +27 -67
  28. data/src/core/ext/filters/client_channel/local_subchannel_pool.h +10 -9
  29. data/src/core/ext/filters/client_channel/resolver.cc +5 -5
  30. data/src/core/ext/filters/client_channel/resolver.h +1 -12
  31. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +36 -45
  32. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +2 -2
  33. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +3 -1
  34. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +34 -50
  35. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +16 -14
  36. data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +18 -15
  37. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +377 -0
  38. data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +4 -4
  39. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +307 -155
  40. data/src/core/ext/filters/client_channel/server_address.cc +9 -0
  41. data/src/core/ext/filters/client_channel/server_address.h +31 -0
  42. data/src/core/ext/filters/client_channel/subchannel.cc +69 -146
  43. data/src/core/ext/filters/client_channel/subchannel.h +63 -95
  44. data/src/core/ext/filters/client_channel/subchannel_pool_interface.cc +16 -2
  45. data/src/core/ext/filters/client_channel/subchannel_pool_interface.h +10 -8
  46. data/src/core/ext/filters/client_idle/client_idle_filter.cc +1 -1
  47. data/src/core/ext/filters/fault_injection/fault_injection_filter.cc +500 -0
  48. data/src/core/ext/filters/fault_injection/fault_injection_filter.h +39 -0
  49. data/src/core/ext/filters/fault_injection/service_config_parser.cc +189 -0
  50. data/src/core/ext/filters/fault_injection/service_config_parser.h +85 -0
  51. data/src/core/ext/filters/max_age/max_age_filter.cc +35 -32
  52. data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +1 -1
  53. data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +2 -2
  54. data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +3 -2
  55. data/src/core/ext/transport/chttp2/client/insecure/channel_create_posix.cc +1 -1
  56. data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +3 -2
  57. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +490 -178
  58. data/src/core/ext/transport/chttp2/server/chttp2_server.h +11 -2
  59. data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +11 -1
  60. data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +1 -1
  61. data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +62 -18
  62. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +39 -7
  63. data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +12 -1
  64. data/src/core/ext/transport/chttp2/transport/frame_data.cc +5 -1
  65. data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +1 -1
  66. data/src/core/ext/transport/chttp2/transport/internal.h +1 -0
  67. data/src/core/ext/upb-generated/envoy/admin/v3/config_dump.upb.c +406 -0
  68. data/src/core/ext/upb-generated/envoy/admin/v3/config_dump.upb.h +1459 -0
  69. data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.c +0 -1
  70. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +350 -0
  71. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +1348 -0
  72. data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +11 -16
  73. data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +42 -59
  74. data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.c +3 -2
  75. data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.h +15 -0
  76. data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +25 -1
  77. data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +75 -0
  78. data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.c +2 -2
  79. data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h +9 -9
  80. data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c +7 -7
  81. data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.h +28 -13
  82. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +6 -0
  83. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +25 -0
  84. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +0 -1
  85. data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +11 -5
  86. data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.h +41 -7
  87. data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.c +0 -1
  88. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -21
  89. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +122 -77
  90. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +13 -9
  91. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +37 -5
  92. data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +0 -1
  93. data/src/core/ext/upb-generated/envoy/config/metrics/v3/stats.upb.c +144 -0
  94. data/src/core/ext/upb-generated/envoy/config/metrics/v3/stats.upb.h +488 -0
  95. data/src/core/ext/upb-generated/envoy/config/overload/v3/overload.upb.c +141 -0
  96. data/src/core/ext/upb-generated/envoy/config/overload/v3/overload.upb.h +452 -0
  97. data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +11 -9
  98. data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +44 -27
  99. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +57 -16
  100. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +150 -0
  101. data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.c +0 -1
  102. data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c +29 -0
  103. data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h +67 -0
  104. data/src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c +79 -0
  105. data/src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h +268 -0
  106. data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c +78 -0
  107. data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h +281 -0
  108. data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c +41 -0
  109. data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h +113 -0
  110. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +19 -21
  111. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +64 -51
  112. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c +0 -1
  113. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +16 -13
  114. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +50 -18
  115. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.c +4 -7
  116. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.h +0 -17
  117. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.c +0 -1
  118. data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.c +30 -23
  119. data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.h +85 -73
  120. data/src/core/ext/upb-generated/envoy/service/endpoint/v3/eds.upb.c +0 -3
  121. data/src/core/ext/upb-generated/envoy/service/listener/v3/lds.upb.c +0 -3
  122. data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.c +0 -1
  123. data/src/core/ext/upb-generated/envoy/service/route/v3/rds.upb.c +0 -2
  124. data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.c +93 -0
  125. data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.h +323 -0
  126. data/src/core/ext/upb-generated/envoy/type/matcher/v3/node.upb.c +36 -0
  127. data/src/core/ext/upb-generated/envoy/type/matcher/v3/node.upb.h +90 -0
  128. data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.c +0 -1
  129. data/src/core/ext/upb-generated/envoy/type/matcher/v3/struct.upb.c +46 -0
  130. data/src/core/ext/upb-generated/envoy/type/matcher/v3/struct.upb.h +124 -0
  131. data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.c +21 -4
  132. data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h +29 -0
  133. data/src/core/ext/upb-generated/udpa/type/v1/typed_struct.upb.c +33 -0
  134. data/src/core/ext/upb-generated/udpa/type/v1/typed_struct.upb.h +77 -0
  135. data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/authority.upb.c +5 -5
  136. data/src/core/ext/upb-generated/xds/core/v3/authority.upb.h +60 -0
  137. data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.c +52 -0
  138. data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.h +143 -0
  139. data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.c +42 -0
  140. data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.h +84 -0
  141. data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/resource.upb.c +9 -9
  142. data/src/core/ext/upb-generated/xds/core/v3/resource.upb.h +94 -0
  143. data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.c +54 -0
  144. data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.h +166 -0
  145. data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.c +36 -0
  146. data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.h +85 -0
  147. data/src/core/ext/upbdefs-generated/envoy/admin/v3/config_dump.upbdefs.c +354 -0
  148. data/src/core/ext/upbdefs-generated/envoy/admin/v3/config_dump.upbdefs.h +140 -0
  149. data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.c +168 -171
  150. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +383 -0
  151. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.h +115 -0
  152. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +405 -420
  153. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.h +2 -2
  154. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/outlier_detection.upbdefs.c +12 -9
  155. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +177 -171
  156. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +10 -0
  157. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.c +88 -88
  158. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.c +153 -153
  159. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +10 -7
  160. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.h +5 -0
  161. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +4 -7
  162. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.c +33 -20
  163. data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint.upbdefs.c +56 -59
  164. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +116 -111
  165. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.c +129 -121
  166. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c +21 -24
  167. data/src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c +141 -0
  168. data/src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h +70 -0
  169. data/src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c +141 -0
  170. data/src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h +70 -0
  171. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c +17 -13
  172. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +753 -724
  173. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +10 -0
  174. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/http_tracer.upbdefs.c +22 -25
  175. data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c +51 -0
  176. data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h +35 -0
  177. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.c +102 -0
  178. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h +55 -0
  179. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c +120 -0
  180. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h +45 -0
  181. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c +76 -0
  182. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h +35 -0
  183. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +371 -377
  184. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c +12 -16
  185. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.c +112 -108
  186. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/secret.upbdefs.c +45 -53
  187. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +177 -180
  188. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.c +92 -102
  189. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.h +5 -0
  190. data/src/core/ext/upbdefs-generated/envoy/service/endpoint/v3/eds.upbdefs.c +32 -42
  191. data/src/core/ext/upbdefs-generated/envoy/service/listener/v3/lds.upbdefs.c +30 -40
  192. data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +4 -7
  193. data/src/core/ext/upbdefs-generated/envoy/service/route/v3/rds.upbdefs.c +38 -44
  194. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +130 -0
  195. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.h +50 -0
  196. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/node.upbdefs.c +56 -0
  197. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/node.upbdefs.h +35 -0
  198. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/string.upbdefs.c +30 -33
  199. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/struct.upbdefs.c +63 -0
  200. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/struct.upbdefs.h +40 -0
  201. data/src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c +8 -7
  202. data/src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.c +9 -9
  203. data/src/core/ext/upbdefs-generated/google/protobuf/duration.upbdefs.c +9 -8
  204. data/src/core/ext/upbdefs-generated/google/protobuf/empty.upbdefs.c +8 -8
  205. data/src/core/ext/upbdefs-generated/google/protobuf/struct.upbdefs.c +8 -8
  206. data/src/core/ext/upbdefs-generated/google/protobuf/timestamp.upbdefs.c +9 -8
  207. data/src/core/ext/upbdefs-generated/google/protobuf/wrappers.upbdefs.c +8 -8
  208. data/src/core/ext/upbdefs-generated/udpa/type/v1/typed_struct.upbdefs.c +44 -0
  209. data/src/core/ext/upbdefs-generated/udpa/type/v1/typed_struct.upbdefs.h +35 -0
  210. data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.c +14 -11
  211. data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.c +42 -0
  212. data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.h +35 -0
  213. data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.c +62 -0
  214. data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.h +40 -0
  215. data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.c +45 -0
  216. data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.h +40 -0
  217. data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.c +49 -0
  218. data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.h +35 -0
  219. data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.c +67 -0
  220. data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.h +40 -0
  221. data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.c +50 -0
  222. data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.h +35 -0
  223. data/src/core/ext/xds/xds_api.cc +2149 -666
  224. data/src/core/ext/xds/xds_api.h +321 -119
  225. data/src/core/ext/xds/xds_bootstrap.cc +80 -45
  226. data/src/core/ext/xds/xds_bootstrap.h +17 -5
  227. data/src/core/ext/xds/xds_certificate_provider.cc +180 -74
  228. data/src/core/ext/xds/xds_certificate_provider.h +83 -44
  229. data/src/core/ext/xds/xds_client.cc +181 -34
  230. data/src/core/ext/xds/xds_client.h +29 -0
  231. data/src/core/ext/xds/xds_client_stats.cc +2 -1
  232. data/src/core/ext/xds/xds_client_stats.h +2 -2
  233. data/src/core/ext/xds/xds_http_fault_filter.cc +226 -0
  234. data/src/core/ext/xds/xds_http_fault_filter.h +63 -0
  235. data/src/core/ext/xds/xds_http_filters.cc +114 -0
  236. data/src/core/ext/xds/xds_http_filters.h +130 -0
  237. data/src/core/ext/xds/xds_server_config_fetcher.cc +425 -24
  238. data/src/core/lib/channel/channel_stack.cc +12 -0
  239. data/src/core/lib/channel/channel_stack.h +7 -0
  240. data/src/core/lib/channel/channelz.cc +92 -4
  241. data/src/core/lib/channel/channelz.h +30 -1
  242. data/src/core/lib/channel/channelz_registry.cc +14 -0
  243. data/src/core/lib/channel/handshaker.cc +2 -44
  244. data/src/core/lib/channel/handshaker.h +1 -18
  245. data/src/core/lib/channel/status_util.cc +12 -2
  246. data/src/core/lib/channel/status_util.h +5 -0
  247. data/src/core/lib/gpr/log.cc +6 -1
  248. data/src/core/lib/gpr/sync_abseil.cc +3 -6
  249. data/src/core/lib/gpr/sync_windows.cc +2 -2
  250. data/src/core/lib/gprpp/atomic.h +3 -3
  251. data/src/core/lib/gprpp/dual_ref_counted.h +3 -3
  252. data/src/core/lib/gprpp/mpscq.cc +2 -2
  253. data/src/core/lib/gprpp/ref_counted.h +1 -1
  254. data/src/core/lib/gprpp/ref_counted_ptr.h +2 -0
  255. data/src/core/lib/gprpp/sync.h +129 -40
  256. data/src/core/lib/gprpp/thd.h +1 -1
  257. data/src/core/lib/gprpp/time_util.cc +77 -0
  258. data/src/core/lib/gprpp/time_util.h +42 -0
  259. data/src/core/lib/http/httpcli_security_connector.cc +2 -2
  260. data/src/core/lib/iomgr/buffer_list.h +1 -1
  261. data/src/core/lib/iomgr/cfstream_handle.cc +2 -2
  262. data/src/core/lib/iomgr/error.h +1 -1
  263. data/src/core/lib/iomgr/ev_apple.cc +11 -8
  264. data/src/core/lib/iomgr/ev_epoll1_linux.cc +3 -3
  265. data/src/core/lib/iomgr/ev_epollex_linux.cc +4 -4
  266. data/src/core/lib/iomgr/ev_posix.cc +3 -3
  267. data/src/core/lib/iomgr/exec_ctx.cc +6 -2
  268. data/src/core/lib/iomgr/iomgr_posix.cc +0 -1
  269. data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +0 -1
  270. data/src/core/lib/iomgr/resource_quota.cc +1 -1
  271. data/src/core/lib/iomgr/sockaddr_utils.cc +121 -1
  272. data/src/core/lib/iomgr/sockaddr_utils.h +25 -0
  273. data/src/core/lib/iomgr/socket_utils_common_posix.cc +1 -0
  274. data/src/core/lib/iomgr/tcp_client_posix.cc +1 -1
  275. data/src/core/lib/iomgr/tcp_posix.cc +5 -8
  276. data/src/core/lib/iomgr/tcp_uv.cc +2 -2
  277. data/src/core/lib/iomgr/timer_generic.cc +2 -2
  278. data/src/core/lib/iomgr/timer_manager.cc +1 -1
  279. data/src/core/lib/iomgr/wakeup_fd_nospecial.cc +1 -1
  280. data/src/core/lib/matchers/matchers.cc +339 -0
  281. data/src/core/lib/matchers/matchers.h +160 -0
  282. data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -1
  283. data/src/core/lib/security/credentials/alts/alts_credentials.h +1 -1
  284. data/src/core/lib/security/credentials/credentials.h +2 -1
  285. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +1 -1
  286. data/src/core/lib/security/credentials/external/external_account_credentials.cc +2 -2
  287. data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +1 -1
  288. data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +1 -1
  289. data/src/core/lib/security/credentials/fake/fake_credentials.cc +1 -1
  290. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +7 -6
  291. data/src/core/lib/security/credentials/insecure/insecure_credentials.cc +2 -2
  292. data/src/core/lib/security/credentials/jwt/json_token.cc +0 -3
  293. data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +0 -3
  294. data/src/core/lib/security/credentials/local/local_credentials.cc +2 -1
  295. data/src/core/lib/security/credentials/local/local_credentials.h +1 -1
  296. data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +2 -1
  297. data/src/core/lib/security/credentials/ssl/ssl_credentials.h +1 -1
  298. data/src/core/lib/security/credentials/tls/tls_credentials.cc +2 -1
  299. data/src/core/lib/security/credentials/tls/tls_credentials.h +1 -1
  300. data/src/core/lib/security/credentials/xds/xds_credentials.cc +128 -59
  301. data/src/core/lib/security/credentials/xds/xds_credentials.h +3 -3
  302. data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +5 -5
  303. data/src/core/lib/security/security_connector/ssl_utils.cc +9 -4
  304. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +32 -14
  305. data/src/core/lib/security/transport/security_handshaker.cc +33 -5
  306. data/src/core/lib/security/transport/server_auth_filter.cc +7 -0
  307. data/src/core/lib/slice/slice_intern.cc +5 -6
  308. data/src/core/lib/surface/channel.h +3 -3
  309. data/src/core/lib/surface/completion_queue.cc +1 -1
  310. data/src/core/lib/surface/init.cc +13 -15
  311. data/src/core/lib/surface/lame_client.cc +38 -19
  312. data/src/core/lib/surface/lame_client.h +4 -3
  313. data/src/core/lib/surface/server.cc +43 -36
  314. data/src/core/lib/surface/server.h +76 -14
  315. data/src/core/lib/surface/version.cc +2 -2
  316. data/src/core/lib/transport/metadata.cc +6 -2
  317. data/src/core/lib/transport/metadata_batch.cc +27 -0
  318. data/src/core/lib/transport/metadata_batch.h +14 -0
  319. data/src/core/plugin_registry/grpc_plugin_registry.cc +12 -0
  320. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +18 -24
  321. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +16 -21
  322. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.h +1 -1
  323. data/src/core/tsi/alts/handshaker/transport_security_common_api.cc +1 -3
  324. data/src/core/tsi/fake_transport_security.cc +11 -2
  325. data/src/core/tsi/ssl/session_cache/ssl_session.h +0 -3
  326. data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +0 -2
  327. data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +2 -4
  328. data/src/core/tsi/ssl_transport_security.cc +0 -3
  329. data/src/core/tsi/ssl_transport_security.h +0 -3
  330. data/src/ruby/ext/grpc/extconf.rb +9 -1
  331. data/src/ruby/ext/grpc/rb_channel.c +10 -1
  332. data/src/ruby/ext/grpc/rb_channel_credentials.c +11 -1
  333. data/src/ruby/ext/grpc/rb_channel_credentials.h +4 -0
  334. data/src/ruby/ext/grpc/rb_compression_options.c +1 -1
  335. data/src/ruby/ext/grpc/rb_enable_cpp.cc +1 -1
  336. data/src/ruby/ext/grpc/rb_grpc.c +4 -0
  337. data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +2 -0
  338. data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +4 -1
  339. data/src/ruby/ext/grpc/rb_server.c +13 -1
  340. data/src/ruby/ext/grpc/rb_server_credentials.c +19 -3
  341. data/src/ruby/ext/grpc/rb_server_credentials.h +4 -0
  342. data/src/ruby/ext/grpc/rb_xds_channel_credentials.c +215 -0
  343. data/src/ruby/ext/grpc/rb_xds_channel_credentials.h +35 -0
  344. data/src/ruby/ext/grpc/rb_xds_server_credentials.c +169 -0
  345. data/src/ruby/ext/grpc/rb_xds_server_credentials.h +35 -0
  346. data/src/ruby/lib/grpc/generic/client_stub.rb +4 -2
  347. data/src/ruby/lib/grpc/version.rb +1 -1
  348. data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +7 -0
  349. data/src/ruby/spec/call_spec.rb +1 -1
  350. data/src/ruby/spec/channel_credentials_spec.rb +32 -0
  351. data/src/ruby/spec/channel_spec.rb +17 -6
  352. data/src/ruby/spec/client_auth_spec.rb +27 -1
  353. data/src/ruby/spec/errors_spec.rb +1 -1
  354. data/src/ruby/spec/generic/active_call_spec.rb +2 -2
  355. data/src/ruby/spec/generic/client_stub_spec.rb +4 -4
  356. data/src/ruby/spec/generic/rpc_server_spec.rb +1 -1
  357. data/src/ruby/spec/server_credentials_spec.rb +25 -0
  358. data/src/ruby/spec/server_spec.rb +22 -0
  359. data/third_party/abseil-cpp/absl/synchronization/internal/graphcycles.cc +1 -0
  360. data/third_party/boringssl-with-bazel/err_data.c +715 -713
  361. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +3 -3
  362. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +2 -2
  363. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +5 -5
  364. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +3 -10
  365. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +3 -3
  366. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +4 -2
  367. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +2 -2
  368. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +15 -14
  369. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_locl.h +30 -0
  370. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +28 -79
  371. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +39 -85
  372. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +5 -16
  373. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +10 -61
  374. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +0 -2
  375. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +2 -2
  376. data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +4 -0
  377. data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +158 -0
  378. data/third_party/boringssl-with-bazel/src/crypto/bn_extra/bn_asn1.c +3 -10
  379. data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +8 -9
  380. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +60 -45
  381. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +6 -81
  382. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +87 -0
  383. data/third_party/boringssl-with-bazel/src/crypto/cpu-aarch64-win.c +41 -0
  384. data/third_party/boringssl-with-bazel/src/crypto/cpu-arm-linux.c +11 -2
  385. data/third_party/boringssl-with-bazel/src/crypto/cpu-arm.c +3 -3
  386. data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/dh_asn1.c +0 -0
  387. data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/params.c +179 -0
  388. data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +25 -0
  389. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +2 -17
  390. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +3 -1
  391. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +13 -20
  392. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +2 -3
  393. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +9 -1
  394. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +21 -13
  395. data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/check.c +0 -0
  396. data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/dh.c +136 -213
  397. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +12 -0
  398. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +9 -1
  399. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +28 -0
  400. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +135 -43
  401. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +0 -7
  402. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +51 -32
  403. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +147 -0
  404. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +18 -29
  405. data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +13 -4
  406. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +10 -7
  407. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +13 -11
  408. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +4 -0
  409. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +34 -0
  410. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c +4 -0
  411. data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +7 -13
  412. data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +5 -1
  413. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +1 -29
  414. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +10 -7
  415. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_r2x.c +1 -1
  416. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +8 -8
  417. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +1 -1
  418. data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +29 -23
  419. data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +22 -17
  420. data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +1 -2
  421. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +2 -2
  422. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +39 -4
  423. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +2 -2
  424. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +3 -3
  425. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +11 -10
  426. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -3
  427. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +25 -25
  428. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +2 -2
  429. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +2 -1
  430. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +40 -20
  431. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +3 -4
  432. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +25 -36
  433. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +1 -1
  434. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +6 -6
  435. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +6 -6
  436. data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +3 -3
  437. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +652 -545
  438. data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +0 -167
  439. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +10 -5
  440. data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +62 -0
  441. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +22 -7
  442. data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +19 -0
  443. data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +22 -32
  444. data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +56 -26
  445. data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +1 -0
  446. data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +15 -0
  447. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +12 -2
  448. data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +3 -0
  449. data/third_party/boringssl-with-bazel/src/include/openssl/span.h +2 -1
  450. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +67 -33
  451. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +27 -8
  452. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +287 -99
  453. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +139 -36
  454. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +4 -3
  455. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +11 -20
  456. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +10 -5
  457. data/third_party/boringssl-with-bazel/src/ssl/internal.h +37 -16
  458. data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +0 -1
  459. data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +7 -8
  460. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +20 -14
  461. data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +7 -8
  462. data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +2 -2
  463. data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +5 -7
  464. data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +362 -50
  465. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +2 -2
  466. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +48 -15
  467. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +66 -24
  468. data/third_party/xxhash/xxhash.h +5443 -0
  469. metadata +140 -84
  470. data/src/core/ext/upb-generated/udpa/core/v1/authority.upb.h +0 -60
  471. data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.c +0 -52
  472. data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.h +0 -143
  473. data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.c +0 -42
  474. data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.h +0 -84
  475. data/src/core/ext/upb-generated/udpa/core/v1/resource.upb.h +0 -94
  476. data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.c +0 -54
  477. data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.h +0 -173
  478. data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.c +0 -36
  479. data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.h +0 -92
  480. data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.c +0 -42
  481. data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.h +0 -35
  482. data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.c +0 -62
  483. data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.h +0 -40
  484. data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.c +0 -45
  485. data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.h +0 -40
  486. data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.c +0 -49
  487. data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.h +0 -35
  488. data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.c +0 -68
  489. data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.h +0 -40
  490. data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c +0 -51
  491. data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.h +0 -35
  492. data/src/core/lib/iomgr/iomgr_posix.h +0 -26
  493. data/src/core/lib/security/authorization/authorization_engine.cc +0 -177
  494. data/src/core/lib/security/authorization/authorization_engine.h +0 -84
  495. data/src/core/lib/security/authorization/evaluate_args.cc +0 -148
  496. data/src/core/lib/security/authorization/evaluate_args.h +0 -59
  497. data/src/core/lib/security/authorization/mock_cel/activation.h +0 -57
  498. data/src/core/lib/security/authorization/mock_cel/cel_expr_builder_factory.h +0 -44
  499. data/src/core/lib/security/authorization/mock_cel/cel_expression.h +0 -69
  500. data/src/core/lib/security/authorization/mock_cel/cel_value.h +0 -97
  501. data/src/core/lib/security/authorization/mock_cel/evaluator_core.h +0 -67
  502. data/src/core/lib/security/authorization/mock_cel/flat_expr_builder.h +0 -57
  503. data/third_party/abseil-cpp/absl/container/flat_hash_set.h +0 -504
  504. data/third_party/upb/upb/json_decode.c +0 -1443
  505. data/third_party/upb/upb/json_decode.h +0 -23
  506. data/third_party/upb/upb/json_encode.c +0 -713
  507. data/third_party/upb/upb/json_encode.h +0 -36
@@ -177,7 +177,6 @@ SSL3_STATE::SSL3_STATE()
177
177
  key_update_pending(false),
178
178
  wpend_pending(false),
179
179
  early_data_accepted(false),
180
- tls13_downgrade(false),
181
180
  token_binding_negotiated(false),
182
181
  alert_dispatch(false),
183
182
  renegotiate_pending(false),
@@ -105,7 +105,7 @@ BSSL_NAMESPACE_BEGIN
105
105
  // sslVersion INTEGER, -- protocol version number
106
106
  // cipher OCTET STRING, -- two bytes long
107
107
  // sessionID OCTET STRING,
108
- // masterKey OCTET STRING,
108
+ // secret OCTET STRING,
109
109
  // time [1] INTEGER, -- seconds since UNIX epoch
110
110
  // timeout [2] INTEGER, -- in seconds
111
111
  // peer [3] Certificate OPTIONAL,
@@ -218,8 +218,7 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,
218
218
  // The session ID is irrelevant for a session ticket.
219
219
  !CBB_add_asn1_octet_string(&session, in->session_id,
220
220
  for_ticket ? 0 : in->session_id_length) ||
221
- !CBB_add_asn1_octet_string(&session, in->master_key,
222
- in->master_key_length) ||
221
+ !CBB_add_asn1_octet_string(&session, in->secret, in->secret_length) ||
223
222
  !CBB_add_asn1(&session, &child, kTimeTag) ||
224
223
  !CBB_add_asn1_uint64(&child, in->time) ||
225
224
  !CBB_add_asn1(&session, &child, kTimeoutTag) ||
@@ -593,18 +592,18 @@ UniquePtr<SSL_SESSION> SSL_SESSION_parse(CBS *cbs,
593
592
  return nullptr;
594
593
  }
595
594
 
596
- CBS session_id, master_key;
595
+ CBS session_id, secret;
597
596
  if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING) ||
598
597
  CBS_len(&session_id) > SSL3_MAX_SSL_SESSION_ID_LENGTH ||
599
- !CBS_get_asn1(&session, &master_key, CBS_ASN1_OCTETSTRING) ||
600
- CBS_len(&master_key) > SSL_MAX_MASTER_KEY_LENGTH) {
598
+ !CBS_get_asn1(&session, &secret, CBS_ASN1_OCTETSTRING) ||
599
+ CBS_len(&secret) > SSL_MAX_MASTER_KEY_LENGTH) {
601
600
  OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
602
601
  return nullptr;
603
602
  }
604
603
  OPENSSL_memcpy(ret->session_id, CBS_data(&session_id), CBS_len(&session_id));
605
604
  ret->session_id_length = CBS_len(&session_id);
606
- OPENSSL_memcpy(ret->master_key, CBS_data(&master_key), CBS_len(&master_key));
607
- ret->master_key_length = CBS_len(&master_key);
605
+ OPENSSL_memcpy(ret->secret, CBS_data(&secret), CBS_len(&secret));
606
+ ret->secret_length = CBS_len(&secret);
608
607
 
609
608
  CBS child;
610
609
  uint64_t timeout;
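Review bot: After the rename, the length guard `CBS_len(&secret) > SSL_MAX_MASTER_KEY_LENGTH` at new line 599 is the only thing bounding the `OPENSSL_memcpy` into `ret->secret` at line 605, but the constant's name no longer matches the field, so the pairing is less obvious than it was with `master_key`. A comment on the guard such as `// SSL_MAX_MASTER_KEY_LENGTH bounds |secret| to the size of |ret->secret|.` would keep that invariant visible; I am assuming `ret->secret` is declared with that size, which the SSL_SESSION definition (outside this diff chunk) would confirm. SSL_SESSION_parse begins and ends outside the hunk.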
@@ -565,7 +565,6 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
565
565
  grease_enabled(false),
566
566
  allow_unknown_alpn_protos(false),
567
567
  false_start_allowed_without_alpn(false),
568
- ignore_tls13_downgrade(false),
569
568
  handoff(false),
570
569
  enable_early_data(false) {
571
570
  CRYPTO_MUTEX_init(&lock);
@@ -711,7 +710,6 @@ SSL *SSL_new(SSL_CTX *ctx) {
711
710
  ctx->signed_cert_timestamps_enabled;
712
711
  ssl->config->ocsp_stapling_enabled = ctx->ocsp_stapling_enabled;
713
712
  ssl->config->handoff = ctx->handoff;
714
- ssl->config->ignore_tls13_downgrade = ctx->ignore_tls13_downgrade;
715
713
  ssl->quic_method = ctx->quic_method;
716
714
 
717
715
  if (!ssl->method->ssl_new(ssl.get()) ||
@@ -724,6 +722,7 @@ SSL *SSL_new(SSL_CTX *ctx) {
724
722
 
725
723
  SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
726
724
  : ssl(ssl_arg),
725
+ ech_grease_enabled(false),
727
726
  signed_cert_timestamps_enabled(false),
728
727
  ocsp_stapling_enabled(false),
729
728
  channel_id_enabled(false),
@@ -731,8 +730,8 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
731
730
  retain_only_sha256_of_client_certs(false),
732
731
  handoff(false),
733
732
  shed_handshake_config(false),
734
- ignore_tls13_downgrade(false),
735
- jdk11_workaround(false) {
733
+ jdk11_workaround(false),
734
+ quic_use_legacy_codepoint(true) {
736
735
  assert(ssl);
737
736
  }
738
737
 
@@ -1469,6 +1468,13 @@ const char *SSL_error_description(int err) {
1469
1468
  }
1470
1469
  }
1471
1470
 
1471
+ void SSL_set_enable_ech_grease(SSL *ssl, int enable) {
1472
+ if (!ssl->config) {
1473
+ return;
1474
+ }
1475
+ ssl->config->ech_grease_enabled = !!enable;
1476
+ }
1477
+
1472
1478
  uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) {
1473
1479
  ctx->options |= options;
1474
1480
  return ctx->options;
@@ -2929,22 +2935,15 @@ void SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX *ctx, int allowed) {
2929
2935
  ctx->false_start_allowed_without_alpn = !!allowed;
2930
2936
  }
2931
2937
 
2932
- int SSL_is_tls13_downgrade(const SSL *ssl) { return ssl->s3->tls13_downgrade; }
2938
+ int SSL_is_tls13_downgrade(const SSL *ssl) { return 0; }
2933
2939
 
2934
2940
  int SSL_used_hello_retry_request(const SSL *ssl) {
2935
2941
  return ssl->s3->used_hello_retry_request;
2936
2942
  }
2937
2943
 
2938
- void SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX *ctx, int ignore) {
2939
- ctx->ignore_tls13_downgrade = !!ignore;
2940
- }
2944
+ void SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX *ctx, int ignore) {}
2941
2945
 
2942
- void SSL_set_ignore_tls13_downgrade(SSL *ssl, int ignore) {
2943
- if (!ssl->config) {
2944
- return;
2945
- }
2946
- ssl->config->ignore_tls13_downgrade = !!ignore;
2947
- }
2946
+ void SSL_set_ignore_tls13_downgrade(SSL *ssl, int ignore) {}
2948
2947
 
2949
2948
  void SSL_set_shed_handshake_config(SSL *ssl, int enable) {
2950
2949
  if (!ssl->config) {
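Review bot: `SSL_is_tls13_downgrade` now unconditionally returns 0 (new line 2938) and the two `*_set_ignore_tls13_downgrade` functions are empty (lines 2944 and 2946), so a caller that used the ignore knob to tolerate the TLS 1.3 downgrade signal, or polled the accessor as its detection mechanism, changes behaviour with no compile-time signal. Together with the removal of `s3->tls13_downgrade` and `ignore_tls13_downgrade` in the earlier hunks this reads as the downgrade check becoming non-optional, but that is an inference; the public declarations in ssl.h (outside this diff chunk) should state what these three entry points now guarantee and that they are retained for compatibility only. A one-line comment above each stub, e.g. `// Retained for compatibility; the downgrade signal is no longer tracked here.`, would stop the next reader hunting for the missing state.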
@@ -2960,6 +2959,13 @@ void SSL_set_jdk11_workaround(SSL *ssl, int enable) {
2960
2959
  ssl->config->jdk11_workaround = !!enable;
2961
2960
  }
2962
2961
 
2962
+ void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy) {
2963
+ if (!ssl->config) {
2964
+ return;
2965
+ }
2966
+ ssl->config->quic_use_legacy_codepoint = !!use_legacy;
2967
+ }
2968
+
2963
2969
  int SSL_clear(SSL *ssl) {
2964
2970
  if (!ssl->config) {
2965
2971
  return 0; // SSL_clear may not be used after shedding config.
@@ -202,9 +202,8 @@ UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
202
202
  OPENSSL_memcpy(new_session->sid_ctx, session->sid_ctx, session->sid_ctx_length);
203
203
 
204
204
  // Copy the key material.
205
- new_session->master_key_length = session->master_key_length;
206
- OPENSSL_memcpy(new_session->master_key, session->master_key,
207
- session->master_key_length);
205
+ new_session->secret_length = session->secret_length;
206
+ OPENSSL_memcpy(new_session->secret, session->secret, session->secret_length);
208
207
  new_session->cipher = session->cipher;
209
208
 
210
209
  // Copy authentication state.
@@ -963,14 +962,14 @@ void SSL_SESSION_get0_ocsp_response(const SSL_SESSION *session,
963
962
 
964
963
  size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out,
965
964
  size_t max_out) {
966
- // TODO(davidben): Fix master_key_length's type and remove these casts.
965
+ // TODO(davidben): Fix secret_length's type and remove these casts.
967
966
  if (max_out == 0) {
968
- return (size_t)session->master_key_length;
967
+ return (size_t)session->secret_length;
969
968
  }
970
- if (max_out > (size_t)session->master_key_length) {
971
- max_out = (size_t)session->master_key_length;
969
+ if (max_out > (size_t)session->secret_length) {
970
+ max_out = (size_t)session->secret_length;
972
971
  }
973
- OPENSSL_memcpy(out, session->master_key, max_out);
972
+ OPENSSL_memcpy(out, session->secret, max_out);
974
973
  return max_out;
975
974
  }
976
975
 
@@ -265,8 +265,8 @@ bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len,
265
265
 
266
266
  static const size_t kFinishedLen = 12;
267
267
  if (!tls1_prf(Digest(), MakeSpan(out, kFinishedLen),
268
- MakeConstSpan(session->master_key, session->master_key_length),
269
- label, MakeConstSpan(digest, digest_len), {})) {
268
+ MakeConstSpan(session->secret, session->secret_length), label,
269
+ MakeConstSpan(digest, digest_len), {})) {
270
270
  return false;
271
271
  }
272
272
 
@@ -191,15 +191,14 @@ static bool get_key_block_lengths(const SSL *ssl, size_t *out_mac_secret_len,
191
191
 
192
192
  static bool generate_key_block(const SSL *ssl, Span<uint8_t> out,
193
193
  const SSL_SESSION *session) {
194
- auto master_key =
195
- MakeConstSpan(session->master_key, session->master_key_length);
194
+ auto secret = MakeConstSpan(session->secret, session->secret_length);
196
195
  static const char kLabel[] = "key expansion";
197
196
  auto label = MakeConstSpan(kLabel, sizeof(kLabel) - 1);
198
197
 
199
198
  const EVP_MD *digest = ssl_session_get_digest(session);
200
199
  // Note this function assumes that |session|'s key material corresponds to
201
200
  // |ssl->s3->client_random| and |ssl->s3->server_random|.
202
- return tls1_prf(digest, out, master_key, label, ssl->s3->server_random,
201
+ return tls1_prf(digest, out, secret, label, ssl->s3->server_random,
203
202
  ssl->s3->client_random);
204
203
  }
205
204
 
@@ -379,8 +378,7 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
379
378
 
380
379
  const SSL_SESSION *session = SSL_get_session(ssl);
381
380
  const EVP_MD *digest = ssl_session_get_digest(session);
382
- return tls1_prf(
383
- digest, MakeSpan(out, out_len),
384
- MakeConstSpan(session->master_key, session->master_key_length),
385
- MakeConstSpan(label, label_len), seed, {});
381
+ return tls1_prf(digest, MakeSpan(out, out_len),
382
+ MakeConstSpan(session->secret, session->secret_length),
383
+ MakeConstSpan(label, label_len), seed, {});
386
384
  }
@@ -113,10 +113,13 @@
113
113
  #include <stdlib.h>
114
114
  #include <string.h>
115
115
 
116
+ #include <algorithm>
116
117
  #include <utility>
117
118
 
119
+ #include <openssl/aead.h>
118
120
  #include <openssl/bytestring.h>
119
121
  #include <openssl/chacha.h>
122
+ #include <openssl/curve25519.h>
120
123
  #include <openssl/digest.h>
121
124
  #include <openssl/err.h>
122
125
  #include <openssl/evp.h>
@@ -125,6 +128,7 @@
125
128
  #include <openssl/nid.h>
126
129
  #include <openssl/rand.h>
127
130
 
131
+ #include "../crypto/hpke/internal.h"
128
132
  #include "../crypto/internal.h"
129
133
  #include "internal.h"
130
134
 
@@ -587,6 +591,182 @@ static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
587
591
  }
588
592
 
589
593
 
594
+ // Encrypted Client Hello (ECH)
595
+ //
596
+ // https://tools.ietf.org/html/draft-ietf-tls-esni-09
597
+
598
+ // random_size returns a random value between |min| and |max|, inclusive.
599
+ static size_t random_size(size_t min, size_t max) {
600
+ assert(min < max);
601
+ size_t value;
602
+ RAND_bytes(reinterpret_cast<uint8_t *>(&value), sizeof(value));
603
+ return value % (max - min + 1) + min;
604
+ }
605
+
606
+ static bool ext_ech_add_clienthello_grease(SSL_HANDSHAKE *hs, CBB *out) {
607
+ // If we are responding to the server's HelloRetryRequest, we repeat the bytes
608
+ // of the first ECH GREASE extension.
609
+ if (hs->ssl->s3->used_hello_retry_request) {
610
+ CBB ech_body;
611
+ if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||
612
+ !CBB_add_u16_length_prefixed(out, &ech_body) ||
613
+ !CBB_add_bytes(&ech_body, hs->ech_grease.data(),
614
+ hs->ech_grease.size()) ||
615
+ !CBB_flush(out)) {
616
+ return false;
617
+ }
618
+ return true;
619
+ }
620
+
621
+ constexpr uint16_t kdf_id = EVP_HPKE_HKDF_SHA256;
622
+ const uint16_t aead_id = EVP_has_aes_hardware()
623
+ ? EVP_HPKE_AEAD_AES_GCM_128
624
+ : EVP_HPKE_AEAD_CHACHA20POLY1305;
625
+ const EVP_AEAD *aead = EVP_HPKE_get_aead(aead_id);
626
+ assert(aead != nullptr);
627
+
628
+ uint8_t ech_config_id[8];
629
+ RAND_bytes(ech_config_id, sizeof(ech_config_id));
630
+
631
+ uint8_t ech_enc[X25519_PUBLIC_VALUE_LEN];
632
+ uint8_t private_key_unused[X25519_PRIVATE_KEY_LEN];
633
+ X25519_keypair(ech_enc, private_key_unused);
634
+
635
+ // To determine a plausible length for the payload, we first estimate the size
636
+ // of a typical EncodedClientHelloInner, with an expected use of
637
+ // outer_extensions. To limit the size, we only consider initial ClientHellos
638
+ // that do not offer resumption.
639
+ //
640
+ // Field/Extension Size
641
+ // ---------------------------------------------------------------------
642
+ // version 2
643
+ // random 32
644
+ // legacy_session_id 1
645
+ // - Has a U8 length prefix, but body is
646
+ // always empty string in inner CH.
647
+ // cipher_suites 2 (length prefix)
648
+ // - Only includes TLS 1.3 ciphers (3). 6
649
+ // - Maybe also include a GREASE suite. 2
650
+ // legacy_compression_methods 2 (length prefix)
651
+ // - Always has "null" compression method. 1
652
+ // extensions: 2 (length prefix)
653
+ // - encrypted_client_hello (empty). 4 (id + length prefix)
654
+ // - supported_versions. 4 (id + length prefix)
655
+ // - U8 length prefix 1
656
+ // - U16 protocol version (TLS 1.3) 2
657
+ // - outer_extensions. 4 (id + length prefix)
658
+ // - U8 length prefix 1
659
+ // - N extension IDs (2 bytes each):
660
+ // - key_share 2
661
+ // - sigalgs 2
662
+ // - sct 2
663
+ // - alpn 2
664
+ // - supported_groups. 2
665
+ // - status_request. 2
666
+ // - psk_key_exchange_modes. 2
667
+ // - compress_certificate. 2
668
+ //
669
+ // The server_name extension has an overhead of 9 bytes, plus up to an
670
+ // estimated 100 bytes of hostname. Rounding up to a multiple of 32 yields a
671
+ // range of 96 to 192. Note that this estimate does not fully capture
672
+ // optional extensions like GREASE, but the rounding gives some leeway.
673
+
674
+ uint8_t payload[EVP_AEAD_MAX_OVERHEAD + 192];
675
+ const size_t payload_len =
676
+ EVP_AEAD_max_overhead(aead) + 32 * random_size(96 / 32, 192 / 32);
677
+ assert(payload_len <= sizeof(payload));
678
+ RAND_bytes(payload, payload_len);
679
+
680
+ // Inside the TLS extension contents, write a serialized ClientEncryptedCH.
681
+ CBB ech_body, config_id_cbb, enc_cbb, payload_cbb;
682
+ if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||
683
+ !CBB_add_u16_length_prefixed(out, &ech_body) ||
684
+ !CBB_add_u16(&ech_body, kdf_id) || //
685
+ !CBB_add_u16(&ech_body, aead_id) ||
686
+ !CBB_add_u8_length_prefixed(&ech_body, &config_id_cbb) ||
687
+ !CBB_add_bytes(&config_id_cbb, ech_config_id, sizeof(ech_config_id)) ||
688
+ !CBB_add_u16_length_prefixed(&ech_body, &enc_cbb) ||
689
+ !CBB_add_bytes(&enc_cbb, ech_enc, OPENSSL_ARRAY_SIZE(ech_enc)) ||
690
+ !CBB_add_u16_length_prefixed(&ech_body, &payload_cbb) ||
691
+ !CBB_add_bytes(&payload_cbb, payload, payload_len) || //
692
+ !CBB_flush(&ech_body)) {
693
+ return false;
694
+ }
695
+ // Save the bytes of the newly-generated extension in case the server sends
696
+ // a HelloRetryRequest.
697
+ if (!hs->ech_grease.CopyFrom(
698
+ MakeConstSpan(CBB_data(&ech_body), CBB_len(&ech_body)))) {
699
+ return false;
700
+ }
701
+ return CBB_flush(out);
702
+ }
703
+
704
+ static bool ext_ech_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
705
+ if (hs->max_version < TLS1_3_VERSION) {
706
+ return true;
707
+ }
708
+ if (hs->config->ech_grease_enabled) {
709
+ return ext_ech_add_clienthello_grease(hs, out);
710
+ }
711
+ // Nothing to do, since we don't yet implement the non-GREASE parts of ECH.
712
+ return true;
713
+ }
714
+
715
+ static bool ext_ech_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
716
+ CBS *contents) {
717
+ if (contents == NULL) {
718
+ return true;
719
+ }
720
+
721
+ // If the client only sent GREASE, we must check the extension syntactically.
722
+ CBS ech_configs;
723
+ if (!CBS_get_u16_length_prefixed(contents, &ech_configs) ||
724
+ CBS_len(&ech_configs) == 0 || //
725
+ CBS_len(contents) > 0) {
726
+ *out_alert = SSL_AD_DECODE_ERROR;
727
+ return false;
728
+ }
729
+ while (CBS_len(&ech_configs) > 0) {
730
+ // Do a top-level parse of the ECHConfig, stopping before ECHConfigContents.
731
+ uint16_t version;
732
+ CBS ech_config_contents;
733
+ if (!CBS_get_u16(&ech_configs, &version) ||
734
+ !CBS_get_u16_length_prefixed(&ech_configs, &ech_config_contents)) {
735
+ *out_alert = SSL_AD_DECODE_ERROR;
736
+ return false;
737
+ }
738
+ }
739
+ return true;
740
+ }
741
+
742
+ static bool ext_ech_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
743
+ CBS *contents) {
744
+ if (contents != nullptr) {
745
+ hs->ech_present = true;
746
+ return true;
747
+ }
748
+ return true;
749
+ }
750
+
751
+ static bool ext_ech_is_inner_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
752
+ return true;
753
+ }
754
+
755
+ static bool ext_ech_is_inner_parse_clienthello(SSL_HANDSHAKE *hs,
756
+ uint8_t *out_alert,
757
+ CBS *contents) {
758
+ if (contents == nullptr) {
759
+ return true;
760
+ }
761
+ if (CBS_len(contents) > 0) {
762
+ *out_alert = SSL_AD_ILLEGAL_PARAMETER;
763
+ return false;
764
+ }
765
+ hs->ech_is_inner_present = true;
766
+ return true;
767
+ }
768
+
769
+
590
770
  // Renegotiation indication.
591
771
  //
592
772
  // https://tools.ietf.org/html/rfc5746
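Review bot: In `ext_ech_add_clienthello_grease`, the HelloRetryRequest branch (new lines 609–619) replays `hs->ech_grease` without checking that it holds anything. This function is only reached when `hs->config->ech_grease_enabled` is set, and `SSL_set_enable_ech_grease` (ssl_lib.cc, earlier in this diff) can be called at any point, so enabling GREASE between the first ClientHello and the HRR response would emit an encrypted_client_hello extension with an empty body instead of a repeat of the first, and disabling it in that window would drop the extension from the second ClientHello entirely. If that window is treated as unreachable, `assert(!hs->ech_grease.empty());` at the top of the branch documents the assumption; otherwise the branch should `return true;` when `hs->ech_grease.empty()`, assuming `ech_grease` is an `Array<uint8_t>` (its declaration is outside this chunk). The toggle's interaction with an in-flight handshake is presumably also worth a sentence on `SSL_set_enable_ech_grease` in ssl.h.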
@@ -1248,7 +1428,7 @@ static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1248
1428
  SSL *const ssl = hs->ssl;
1249
1429
  if (hs->config->alpn_client_proto_list.empty() && ssl->quic_method) {
1250
1430
  // ALPN MUST be used with QUIC.
1251
- OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_ALPN);
1431
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
1252
1432
  return false;
1253
1433
  }
1254
1434
 
@@ -1276,7 +1456,7 @@ static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1276
1456
  if (contents == NULL) {
1277
1457
  if (ssl->quic_method) {
1278
1458
  // ALPN is required when QUIC is used.
1279
- OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_ALPN);
1459
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
1280
1460
  *out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
1281
1461
  return false;
1282
1462
  }
@@ -1357,7 +1537,7 @@ bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1357
1537
  TLSEXT_TYPE_application_layer_protocol_negotiation)) {
1358
1538
  if (ssl->quic_method) {
1359
1539
  // ALPN is required when QUIC is used.
1360
- OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_ALPN);
1540
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
1361
1541
  *out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
1362
1542
  return false;
1363
1543
  }
@@ -1392,25 +1572,39 @@ bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1392
1572
 
1393
1573
  const uint8_t *selected;
1394
1574
  uint8_t selected_len;
1395
- if (ssl->ctx->alpn_select_cb(
1396
- ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
1397
- CBS_len(&protocol_name_list),
1398
- ssl->ctx->alpn_select_cb_arg) == SSL_TLSEXT_ERR_OK) {
1399
- if (selected_len == 0) {
1400
- OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1401
- *out_alert = SSL_AD_INTERNAL_ERROR;
1575
+ int ret = ssl->ctx->alpn_select_cb(
1576
+ ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
1577
+ CBS_len(&protocol_name_list), ssl->ctx->alpn_select_cb_arg);
1578
+ // ALPN is required when QUIC is used.
1579
+ if (ssl->quic_method &&
1580
+ (ret == SSL_TLSEXT_ERR_NOACK || ret == SSL_TLSEXT_ERR_ALERT_WARNING)) {
1581
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1582
+ }
1583
+ switch (ret) {
1584
+ case SSL_TLSEXT_ERR_OK:
1585
+ if (selected_len == 0) {
1586
+ OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1587
+ *out_alert = SSL_AD_INTERNAL_ERROR;
1588
+ return false;
1589
+ }
1590
+ if (!ssl->s3->alpn_selected.CopyFrom(
1591
+ MakeConstSpan(selected, selected_len))) {
1592
+ *out_alert = SSL_AD_INTERNAL_ERROR;
1593
+ return false;
1594
+ }
1595
+ break;
1596
+ case SSL_TLSEXT_ERR_NOACK:
1597
+ case SSL_TLSEXT_ERR_ALERT_WARNING:
1598
+ break;
1599
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
1600
+ *out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
1601
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);
1402
1602
  return false;
1403
- }
1404
- if (!ssl->s3->alpn_selected.CopyFrom(
1405
- MakeConstSpan(selected, selected_len))) {
1603
+ default:
1604
+ // Invalid return value.
1406
1605
  *out_alert = SSL_AD_INTERNAL_ERROR;
1606
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1407
1607
  return false;
1408
- }
1409
- } else if (ssl->quic_method) {
1410
- // ALPN is required when QUIC is used.
1411
- OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_ALPN);
1412
- *out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;
1413
- return false;
1414
1608
  }
1415
1609
 
1416
1610
  return true;
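Review bot: The new `switch` in `ssl_negotiate_alpn` folds `SSL_TLSEXT_ERR_ALERT_WARNING` into the `SSL_TLSEXT_ERR_NOACK` case (new lines 1596–1598), so no warning alert is ever sent and the handshake continues with no protocol selected; that is a defensible reading of the callback contract, but the enum name promises an alert, so it deserves a comment such as `// Warning alerts are not sent; treat ALERT_WARNING like NOACK and continue without ALPN.` above the two case labels. The QUIC coercion at lines 1578–1582 depends on the same equivalence, since it upgrades exactly those two values to FATAL, and a reader may otherwise wonder why ALERT_WARNING appears there. The function begins outside this hunk.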
@@ -2000,14 +2194,17 @@ static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2000
2194
  return true;
2001
2195
  }
2002
2196
 
2003
- Span<const uint8_t> settings;
2004
- bool has_alps = ssl_get_local_application_settings(
2005
- hs, &settings, ssl->session->early_alpn);
2006
- if (has_alps != ssl->session->has_application_settings ||
2007
- settings != ssl->session->local_application_settings) {
2008
- // 0-RTT carries ALPS over, so we only offer it when the value matches.
2009
- ssl->s3->early_data_reason = ssl_early_data_alps_mismatch;
2010
- return true;
2197
+ // If the previous connection negotiated ALPS, only offer 0-RTT when the
2198
+ // local are settings are consistent with what we'd offer for this
2199
+ // connection.
2200
+ if (ssl->session->has_application_settings) {
2201
+ Span<const uint8_t> settings;
2202
+ if (!ssl_get_local_application_settings(hs, &settings,
2203
+ ssl->session->early_alpn) ||
2204
+ settings != ssl->session->local_application_settings) {
2205
+ ssl->s3->early_data_reason = ssl_early_data_alps_mismatch;
2206
+ return true;
2207
+ }
2011
2208
  }
2012
2209
  }
2013
2210
 
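Review bot: The added comment at new lines 2197–2199 has a typo, "only offer 0-RTT when the local are settings are consistent", which should read `// local settings are consistent with what we'd offer for this`. It would also help to say why the check is now gated on `ssl->session->has_application_settings`: as written, a session negotiated without ALPS no longer blocks 0-RTT when the current configuration does offer ALPS, which is a behaviour change from the removed lines and presumably intentional, but the comment does not say so. The enclosing function begins and ends outside this hunk.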
@@ -2282,7 +2479,8 @@ bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
2282
2479
  return true;
2283
2480
  }
2284
2481
 
2285
- bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2482
+ bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out,
2483
+ bool dry_run) {
2286
2484
  uint16_t group_id;
2287
2485
  CBB kse_bytes, public_key;
2288
2486
  if (!tls1_get_shared_group(hs, &group_id) ||
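Review bot: The new `dry_run` parameter of `ssl_ext_key_share_add_serverhello` is undocumented at the definition, and its effect is asymmetric: with `dry_run` true the extension is still serialized into `out`, and only the `hs->ecdh_public_key.Reset()` and `hs->new_session->group_id` updates are skipped (next hunk, new lines 2496–2499). A comment at the signature such as `// |dry_run| serializes the extension without committing handshake state, so the caller may discard |out| and call again later.` would make the contract explicit, and the declaration in internal.h (outside this diff chunk) should say the same. The body between the two hunks is not visible here, so I cannot confirm that nothing else in it mutates |hs| when `dry_run` is set.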
@@ -2295,10 +2493,10 @@ bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2295
2493
  !CBB_flush(out)) {
2296
2494
  return false;
2297
2495
  }
2298
-
2299
- hs->ecdh_public_key.Reset();
2300
-
2301
- hs->new_session->group_id = group_id;
2496
+ if (!dry_run) {
2497
+ hs->ecdh_public_key.Reset();
2498
+ hs->new_session->group_id = group_id;
2499
+ }
2302
2500
  return true;
2303
2501
  }
2304
2502
 
@@ -2592,8 +2790,8 @@ static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2592
2790
 
2593
2791
  // QUIC Transport Parameters
2594
2792
 
2595
- static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
2596
- CBB *out) {
2793
+ static bool ext_quic_transport_params_add_clienthello_impl(
2794
+ SSL_HANDSHAKE *hs, CBB *out, bool use_legacy_codepoint) {
2597
2795
  if (hs->config->quic_transport_params.empty() && !hs->ssl->quic_method) {
2598
2796
  return true;
2599
2797
  }
@@ -2605,9 +2803,18 @@ static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
2605
2803
  return false;
2606
2804
  }
2607
2805
  assert(hs->min_version > TLS1_2_VERSION);
2806
+ if (use_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
2807
+ // Do nothing, we'll send the other codepoint.
2808
+ return true;
2809
+ }
2810
+
2811
+ uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters_standard;
2812
+ if (hs->config->quic_use_legacy_codepoint) {
2813
+ extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;
2814
+ }
2608
2815
 
2609
2816
  CBB contents;
2610
- if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2817
+ if (!CBB_add_u16(out, extension_type) ||
2611
2818
  !CBB_add_u16_length_prefixed(out, &contents) ||
2612
2819
  !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
2613
2820
  hs->config->quic_transport_params.size()) ||
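Review bot: After the early return at new lines 2806–2809, `use_legacy_codepoint` and `hs->config->quic_use_legacy_codepoint` are known to be equal, yet the `extension_type` selection at lines 2811–2814 re-reads the config field through a mutable local; `const uint16_t extension_type = use_legacy_codepoint ? TLSEXT_TYPE_quic_transport_parameters_legacy : TLSEXT_TYPE_quic_transport_parameters_standard;` states directly which codepoint this instance of the function owns. This is a readability point only and behaviour is unchanged. The function begins in the previous hunk and its tail is outside this one.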
@@ -2617,31 +2824,57 @@ static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
2617
2824
  return true;
2618
2825
  }
2619
2826
 
2620
- static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
2621
- uint8_t *out_alert,
2622
- CBS *contents) {
2827
+ static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
2828
+ CBB *out) {
2829
+ return ext_quic_transport_params_add_clienthello_impl(
2830
+ hs, out, /*use_legacy_codepoint=*/false);
2831
+ }
2832
+
2833
+ static bool ext_quic_transport_params_add_clienthello_legacy(SSL_HANDSHAKE *hs,
2834
+ CBB *out) {
2835
+ return ext_quic_transport_params_add_clienthello_impl(
2836
+ hs, out, /*use_legacy_codepoint=*/true);
2837
+ }
2838
+
2839
+ static bool ext_quic_transport_params_parse_serverhello_impl(
2840
+ SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents,
2841
+ bool used_legacy_codepoint) {
2623
2842
  SSL *const ssl = hs->ssl;
2624
2843
  if (contents == nullptr) {
2844
+ if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
2845
+ // Silently ignore because we expect the other QUIC codepoint.
2846
+ return true;
2847
+ }
2625
2848
  if (!ssl->quic_method) {
2626
2849
  return true;
2627
2850
  }
2628
- assert(ssl->quic_method);
2629
2851
  *out_alert = SSL_AD_MISSING_EXTENSION;
2630
2852
  return false;
2631
2853
  }
2632
- if (!ssl->quic_method) {
2633
- *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2634
- return false;
2635
- }
2636
- // QUIC requires TLS 1.3.
2854
+ // The extensions parser will check for unsolicited extensions before
2855
+ // calling the callback.
2856
+ assert(ssl->quic_method != nullptr);
2637
2857
  assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
2638
-
2858
+ assert(used_legacy_codepoint == hs->config->quic_use_legacy_codepoint);
2639
2859
  return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2640
2860
  }
2641
2861
 
2642
- static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
2862
+ static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
2643
2863
  uint8_t *out_alert,
2644
2864
  CBS *contents) {
2865
+ return ext_quic_transport_params_parse_serverhello_impl(
2866
+ hs, out_alert, contents, /*used_legacy_codepoint=*/false);
2867
+ }
2868
+
2869
+ static bool ext_quic_transport_params_parse_serverhello_legacy(
2870
+ SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) {
2871
+ return ext_quic_transport_params_parse_serverhello_impl(
2872
+ hs, out_alert, contents, /*used_legacy_codepoint=*/true);
2873
+ }
2874
+
2875
+ static bool ext_quic_transport_params_parse_clienthello_impl(
2876
+ SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents,
2877
+ bool used_legacy_codepoint) {
2645
2878
  SSL *const ssl = hs->ssl;
2646
2879
  if (!contents) {
2647
2880
  if (!ssl->quic_method) {
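Review bot: In release builds the new `assert(used_legacy_codepoint == hs->config->quic_use_legacy_codepoint)` at the end of ext_quic_transport_params_parse_serverhello_impl compiles away, so a ServerHello carrying the codepoint this client did not offer would be copied into `peer_quic_transport_params`; as the added comment says, the new code relies entirely on the unsolicited-extension check performed by the extensions parser outside this hunk. If that ordering is meant to be load-bearing, a defensive check keeps the contract local: `if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) { *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; return false; }` in place of the assert. If the project's convention is to assert parser-maintained invariants, a one-line comment noting that the sent-extension bitmask guarantees this for both codepoints would make the reliance explicit. ext_quic_transport_params_parse_clienthello_impl, which begins at the bottom of this hunk, continues in the next one.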
@@ -2652,29 +2885,72 @@ static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
2652
2885
  // for QUIC.
2653
2886
  OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
2654
2887
  *out_alert = SSL_AD_INTERNAL_ERROR;
2888
+ return false;
2889
+ }
2890
+ if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
2891
+ // Silently ignore because we expect the other QUIC codepoint.
2892
+ return true;
2655
2893
  }
2656
2894
  *out_alert = SSL_AD_MISSING_EXTENSION;
2657
2895
  return false;
2658
2896
  }
2659
2897
  if (!ssl->quic_method) {
2898
+ if (used_legacy_codepoint) {
2899
+ // Ignore the legacy private-use codepoint because that could be sent
2900
+ // to mean something else than QUIC transport parameters.
2901
+ return true;
2902
+ }
2903
+ // Fail if we received the codepoint registered with IANA for QUIC
2904
+ // because that is not allowed outside of QUIC.
2660
2905
  *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2661
2906
  return false;
2662
2907
  }
2663
2908
  assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
2909
+ if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
2910
+ // Silently ignore because we expect the other QUIC codepoint.
2911
+ return true;
2912
+ }
2664
2913
  return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2665
2914
  }
2666
2915
 
2667
- static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
2668
- CBB *out) {
2916
+ static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
2917
+ uint8_t *out_alert,
2918
+ CBS *contents) {
2919
+ return ext_quic_transport_params_parse_clienthello_impl(
2920
+ hs, out_alert, contents, /*used_legacy_codepoint=*/false);
2921
+ }
2922
+
2923
+ static bool ext_quic_transport_params_parse_clienthello_legacy(
2924
+ SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) {
2925
+ return ext_quic_transport_params_parse_clienthello_impl(
2926
+ hs, out_alert, contents, /*used_legacy_codepoint=*/true);
2927
+ }
2928
+
2929
+ static bool ext_quic_transport_params_add_serverhello_impl(
2930
+ SSL_HANDSHAKE *hs, CBB *out, bool use_legacy_codepoint) {
2931
+ if (hs->ssl->quic_method == nullptr && use_legacy_codepoint) {
2932
+ // Ignore the legacy private-use codepoint because that could be sent
2933
+ // to mean something else than QUIC transport parameters.
2934
+ return true;
2935
+ }
2669
2936
  assert(hs->ssl->quic_method != nullptr);
2670
2937
  if (hs->config->quic_transport_params.empty()) {
2671
2938
  // Transport parameters must be set when using QUIC.
2672
2939
  OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
2673
2940
  return false;
2674
2941
  }
2942
+ if (use_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {
2943
+ // Do nothing, we'll send the other codepoint.
2944
+ return true;
2945
+ }
2946
+
2947
+ uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters_standard;
2948
+ if (hs->config->quic_use_legacy_codepoint) {
2949
+ extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;
2950
+ }
2675
2951
 
2676
2952
  CBB contents;
2677
- if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2953
+ if (!CBB_add_u16(out, extension_type) ||
2678
2954
  !CBB_add_u16_length_prefixed(out, &contents) ||
2679
2955
  !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
2680
2956
  hs->config->quic_transport_params.size()) ||
@@ -2685,6 +2961,18 @@ static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
2685
2961
  return true;
2686
2962
  }
2687
2963
 
2964
+ static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
2965
+ CBB *out) {
2966
+ return ext_quic_transport_params_add_serverhello_impl(
2967
+ hs, out, /*use_legacy_codepoint=*/false);
2968
+ }
2969
+
2970
+ static bool ext_quic_transport_params_add_serverhello_legacy(SSL_HANDSHAKE *hs,
2971
+ CBB *out) {
2972
+ return ext_quic_transport_params_add_serverhello_impl(
2973
+ hs, out, /*use_legacy_codepoint=*/true);
2974
+ }
2975
+
2688
2976
  // Delegated credentials.
2689
2977
  //
2690
2978
  // https://tools.ietf.org/html/draft-ietf-tls-subcerts
@@ -2970,6 +3258,22 @@ static const struct tls_extension kExtensions[] = {
2970
3258
  ext_sni_parse_clienthello,
2971
3259
  ext_sni_add_serverhello,
2972
3260
  },
3261
+ {
3262
+ TLSEXT_TYPE_encrypted_client_hello,
3263
+ NULL,
3264
+ ext_ech_add_clienthello,
3265
+ ext_ech_parse_serverhello,
3266
+ ext_ech_parse_clienthello,
3267
+ dont_add_serverhello,
3268
+ },
3269
+ {
3270
+ TLSEXT_TYPE_ech_is_inner,
3271
+ NULL,
3272
+ ext_ech_is_inner_add_clienthello,
3273
+ forbid_parse_serverhello,
3274
+ ext_ech_is_inner_parse_clienthello,
3275
+ dont_add_serverhello,
3276
+ },
2973
3277
  {
2974
3278
  TLSEXT_TYPE_extended_master_secret,
2975
3279
  NULL,
@@ -3109,13 +3413,21 @@ static const struct tls_extension kExtensions[] = {
3109
3413
  dont_add_serverhello,
3110
3414
  },
3111
3415
  {
3112
- TLSEXT_TYPE_quic_transport_parameters,
3416
+ TLSEXT_TYPE_quic_transport_parameters_standard,
3113
3417
  NULL,
3114
3418
  ext_quic_transport_params_add_clienthello,
3115
3419
  ext_quic_transport_params_parse_serverhello,
3116
3420
  ext_quic_transport_params_parse_clienthello,
3117
3421
  ext_quic_transport_params_add_serverhello,
3118
3422
  },
3423
+ {
3424
+ TLSEXT_TYPE_quic_transport_parameters_legacy,
3425
+ NULL,
3426
+ ext_quic_transport_params_add_clienthello_legacy,
3427
+ ext_quic_transport_params_parse_serverhello_legacy,
3428
+ ext_quic_transport_params_parse_clienthello_legacy,
3429
+ ext_quic_transport_params_add_serverhello_legacy,
3430
+ },
3119
3431
  {
3120
3432
  TLSEXT_TYPE_token_binding,
3121
3433
  NULL,
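Review bot: The second kExtensions entry for `TLSEXT_TYPE_quic_transport_parameters_legacy` has no comment explaining why two entries with parallel callbacks now exist, which a reader of this table cannot tell without opening the `_impl` functions. A short comment above the pair would help: `// Both QUIC transport parameter codepoints are registered; config->quic_use_legacy_codepoint selects which one is sent, and the callbacks for the other codepoint ignore it.` This is grounded in the `use_legacy_codepoint != hs->config->quic_use_legacy_codepoint` early returns in the add/parse implementations earlier in this file section.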