grpc 1.35.0 → 1.36.0
- checksums.yaml +4 -4
- data/Makefile +60 -57
- data/include/grpc/grpc_security.h +16 -11
- data/src/core/ext/filters/client_channel/client_channel.cc +32 -26
- data/src/core/ext/filters/client_channel/client_channel.h +0 -2
- data/src/core/ext/filters/client_channel/config_selector.h +1 -1
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +2 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +3 -5
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +1 -2
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +8 -6
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +289 -170
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h +5 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +1 -3
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +231 -109
- data/src/core/ext/filters/client_channel/resolver.cc +2 -5
- data/src/core/ext/filters/client_channel/resolver.h +1 -12
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +36 -45
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +29 -41
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +16 -14
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +18 -15
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +362 -0
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +22 -74
- data/src/core/ext/filters/client_channel/server_address.cc +6 -0
- data/src/core/ext/filters/client_channel/server_address.h +31 -0
- data/src/core/ext/filters/client_channel/subchannel.cc +2 -2
- data/src/core/ext/filters/max_age/max_age_filter.cc +35 -32
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +1 -1
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +47 -22
- data/src/core/ext/transport/chttp2/server/chttp2_server.h +11 -2
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +11 -1
- data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +62 -18
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +11 -16
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +42 -59
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.c +3 -2
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/outlier_detection.upb.h +15 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +25 -1
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +75 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.c +2 -2
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h +9 -9
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c +7 -7
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.h +28 -13
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +11 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.h +41 -7
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -21
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +122 -77
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +13 -9
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +37 -5
- data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +11 -9
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +44 -27
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +42 -16
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +106 -0
- data/src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c +29 -0
- data/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h +67 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +13 -16
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +51 -42
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +16 -13
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +50 -18
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.c +4 -7
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.h +0 -17
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.c +30 -23
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.h +85 -73
- data/src/core/ext/upb-generated/envoy/service/endpoint/v3/eds.upb.c +0 -3
- data/src/core/ext/upb-generated/envoy/service/listener/v3/lds.upb.c +0 -3
- data/src/core/ext/upb-generated/envoy/service/load_stats/v3/lrs.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/service/route/v3/rds.upb.c +0 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.c +0 -1
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.c +21 -4
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h +29 -0
- data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/authority.upb.c +5 -5
- data/src/core/ext/upb-generated/xds/core/v3/authority.upb.h +60 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.c +52 -0
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.h +143 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.c +42 -0
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.h +84 -0
- data/src/core/ext/upb-generated/{udpa/core/v1 → xds/core/v3}/resource.upb.c +9 -9
- data/src/core/ext/upb-generated/xds/core/v3/resource.upb.h +94 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.c +54 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.h +166 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.c +36 -0
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.h +85 -0
- data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.c +168 -171
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +405 -420
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.h +2 -2
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/outlier_detection.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +177 -171
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +10 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.c +88 -88
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.c +153 -153
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +4 -7
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.c +33 -20
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint.upbdefs.c +56 -59
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +116 -111
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.c +129 -121
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c +21 -24
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c +17 -13
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +747 -724
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/http_tracer.upbdefs.c +22 -25
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c +51 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +369 -376
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c +12 -16
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.c +112 -108
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/secret.upbdefs.c +45 -53
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +177 -180
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.c +92 -102
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/discovery.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/service/endpoint/v3/eds.upbdefs.c +32 -42
- data/src/core/ext/upbdefs-generated/envoy/service/listener/v3/lds.upbdefs.c +30 -40
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +4 -7
- data/src/core/ext/upbdefs-generated/envoy/service/route/v3/rds.upbdefs.c +38 -44
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/string.upbdefs.c +30 -33
- data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.c +14 -11
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.c +42 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.c +62 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.c +45 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.c +49 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.c +67 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.c +50 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.h +35 -0
- data/src/core/ext/xds/xds_api.cc +738 -567
- data/src/core/ext/xds/xds_api.h +46 -84
- data/src/core/ext/xds/xds_bootstrap.cc +59 -40
- data/src/core/ext/xds/xds_bootstrap.h +12 -4
- data/src/core/ext/xds/xds_certificate_provider.cc +180 -74
- data/src/core/ext/xds/xds_certificate_provider.h +83 -44
- data/src/core/ext/xds/xds_client.cc +13 -11
- data/src/core/ext/xds/xds_client.h +3 -0
- data/src/core/ext/xds/xds_client_stats.cc +2 -1
- data/src/core/ext/xds/xds_server_config_fetcher.cc +147 -11
- data/src/core/lib/channel/handshaker.cc +2 -5
- data/src/core/lib/channel/handshaker.h +1 -1
- data/src/core/lib/gpr/log.cc +6 -1
- data/src/core/lib/gprpp/mpscq.cc +2 -2
- data/src/core/lib/gprpp/ref_counted.h +1 -1
- data/src/core/lib/gprpp/sync.h +129 -40
- data/src/core/lib/gprpp/time_util.cc +77 -0
- data/src/core/lib/gprpp/time_util.h +42 -0
- data/src/core/lib/http/httpcli_security_connector.cc +2 -2
- data/src/core/lib/iomgr/ev_apple.cc +10 -7
- data/src/core/lib/iomgr/ev_epollex_linux.cc +4 -4
- data/src/core/lib/iomgr/iomgr_posix.cc +0 -1
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +0 -1
- data/src/core/lib/iomgr/sockaddr_utils.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +1 -0
- data/src/core/lib/iomgr/tcp_client_posix.cc +1 -1
- data/src/core/lib/iomgr/tcp_posix.cc +4 -4
- data/src/core/lib/security/authorization/matchers.cc +339 -0
- data/src/core/lib/security/authorization/matchers.h +158 -0
- data/src/core/lib/security/authorization/mock_cel/activation.h +1 -1
- data/src/core/lib/security/authorization/mock_cel/cel_value.h +9 -7
- data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -1
- data/src/core/lib/security/credentials/alts/alts_credentials.h +1 -1
- data/src/core/lib/security/credentials/credentials.h +2 -1
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +2 -2
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +1 -1
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +1 -1
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +7 -6
- data/src/core/lib/security/credentials/insecure/insecure_credentials.cc +2 -2
- data/src/core/lib/security/credentials/jwt/json_token.cc +0 -3
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +0 -3
- data/src/core/lib/security/credentials/local/local_credentials.cc +2 -1
- data/src/core/lib/security/credentials/local/local_credentials.h +1 -1
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +2 -1
- data/src/core/lib/security/credentials/ssl/ssl_credentials.h +1 -1
- data/src/core/lib/security/credentials/tls/tls_credentials.cc +2 -1
- data/src/core/lib/security/credentials/tls/tls_credentials.h +1 -1
- data/src/core/lib/security/credentials/xds/xds_credentials.cc +128 -59
- data/src/core/lib/security/credentials/xds/xds_credentials.h +3 -3
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +5 -5
- data/src/core/lib/security/security_connector/ssl_utils.cc +3 -0
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +26 -14
- data/src/core/lib/security/transport/security_handshaker.cc +1 -3
- data/src/core/lib/slice/slice_intern.cc +1 -1
- data/src/core/lib/surface/init.cc +13 -15
- data/src/core/lib/surface/server.cc +3 -3
- data/src/core/lib/surface/server.h +3 -0
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/metadata.cc +6 -2
- data/src/core/plugin_registry/grpc_plugin_registry.cc +6 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +17 -20
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +16 -21
- data/src/core/tsi/fake_transport_security.cc +1 -1
- data/src/core/tsi/ssl/session_cache/ssl_session.h +0 -3
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +0 -2
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +2 -4
- data/src/core/tsi/ssl_transport_security.cc +0 -3
- data/src/core/tsi/ssl_transport_security.h +0 -3
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/src/proto/grpc/testing/messages_pb.rb +7 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/graphcycles.cc +1 -0
- data/third_party/boringssl-with-bazel/err_data.c +725 -723
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +3 -10
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +15 -14
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_locl.h +30 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +28 -79
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +39 -85
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +5 -16
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +10 -61
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +158 -0
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/bn_asn1.c +3 -10
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +8 -9
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +60 -45
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +6 -81
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +87 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu-aarch64-win.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/dh_asn1.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → dh_extra}/params.c +179 -0
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +2 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +3 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +13 -20
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +9 -1
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/check.c +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/{dh → fipsmodule/dh}/dh.c +136 -213
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +12 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +9 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +28 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +128 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +0 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +51 -32
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +147 -0
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +18 -29
- data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +13 -4
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +10 -7
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +13 -11
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +34 -0
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +7 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +5 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +10 -7
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_r2x.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +29 -23
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +39 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +11 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +25 -25
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +40 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +25 -36
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +6 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +652 -545
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +0 -167
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +10 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +62 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +22 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +15 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +56 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +15 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +12 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +3 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +2 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +42 -24
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +27 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +287 -98
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +139 -36
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +4 -3
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +11 -20
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +10 -5
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +37 -16
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +0 -1
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +7 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +20 -14
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +7 -8
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +5 -7
- data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +329 -31
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +48 -15
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +66 -24
- metadata +77 -65
- data/src/core/ext/upb-generated/udpa/core/v1/authority.upb.h +0 -60
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.c +0 -52
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.h +0 -143
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.c +0 -42
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.h +0 -84
- data/src/core/ext/upb-generated/udpa/core/v1/resource.upb.h +0 -94
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.c +0 -54
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.h +0 -173
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.c +0 -36
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.h +0 -92
- data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.c +0 -42
- data/src/core/ext/upbdefs-generated/udpa/core/v1/authority.upbdefs.h +0 -35
- data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.c +0 -62
- data/src/core/ext/upbdefs-generated/udpa/core/v1/collection_entry.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.c +0 -45
- data/src/core/ext/upbdefs-generated/udpa/core/v1/context_params.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.c +0 -49
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource.upbdefs.h +0 -35
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.c +0 -68
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_locator.upbdefs.h +0 -40
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.c +0 -51
- data/src/core/ext/upbdefs-generated/udpa/core/v1/resource_name.upbdefs.h +0 -35
- data/src/core/lib/iomgr/iomgr_posix.h +0 -26
@@ -466,17 +466,6 @@ typedef struct x509_purpose_st {
|
|
466
466
|
#define X509_PURPOSE_MIN 1
|
467
467
|
#define X509_PURPOSE_MAX 9
|
468
468
|
|
469
|
-
// Flags for X509V3_add1_i2d
|
470
|
-
|
471
|
-
#define X509V3_ADD_OP_MASK 0xfL
|
472
|
-
#define X509V3_ADD_DEFAULT 0L
|
473
|
-
#define X509V3_ADD_APPEND 1L
|
474
|
-
#define X509V3_ADD_REPLACE 2L
|
475
|
-
#define X509V3_ADD_REPLACE_EXISTING 3L
|
476
|
-
#define X509V3_ADD_KEEP_EXISTING 4L
|
477
|
-
#define X509V3_ADD_DELETE 5L
|
478
|
-
#define X509V3_ADD_SILENT 0x10
|
479
|
-
|
480
469
|
DEFINE_STACK_OF(X509_PURPOSE)
|
481
470
|
|
482
471
|
DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
|
@@ -485,7 +474,12 @@ DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
|
|
485
474
|
|
486
475
|
DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
|
487
476
|
OPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
|
488
|
-
|
477
|
+
|
478
|
+
// GENERAL_NAME_cmp returns zero if |a| and |b| are equal and a non-zero
|
479
|
+
// value otherwise. Note this function does not provide a comparison suitable
|
480
|
+
// for sorting.
|
481
|
+
OPENSSL_EXPORT int GENERAL_NAME_cmp(const GENERAL_NAME *a,
|
482
|
+
const GENERAL_NAME *b);
|
489
483
|
|
490
484
|
|
491
485
|
|
@@ -525,7 +519,7 @@ OPENSSL_EXPORT int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen,
|
|
525
519
|
OPENSSL_EXPORT char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
|
526
520
|
const ASN1_OCTET_STRING *ia5);
|
527
521
|
OPENSSL_EXPORT ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(
|
528
|
-
X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
|
522
|
+
X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str);
|
529
523
|
|
530
524
|
DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
|
531
525
|
OPENSSL_EXPORT int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a);
|
@@ -565,7 +559,7 @@ DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
|
|
565
559
|
OPENSSL_EXPORT GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
|
566
560
|
const X509V3_EXT_METHOD *method,
|
567
561
|
X509V3_CTX *ctx, int gen_type,
|
568
|
-
char *value, int is_nc);
|
562
|
+
const char *value, int is_nc);
|
569
563
|
|
570
564
|
OPENSSL_EXPORT GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
|
571
565
|
X509V3_CTX *ctx, CONF_VALUE *cnf);
|
@@ -579,32 +573,36 @@ OPENSSL_EXPORT void X509V3_conf_free(CONF_VALUE *val);
|
|
579
573
|
// this function so we cannot, yet, replace the type with a dummy struct.
|
580
574
|
OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
|
581
575
|
X509V3_CTX *ctx, int ext_nid,
|
582
|
-
char *value);
|
576
|
+
const char *value);
|
583
577
|
|
584
578
|
OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx,
|
585
|
-
int ext_nid,
|
579
|
+
int ext_nid,
|
580
|
+
const char *value);
|
586
581
|
OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx,
|
587
|
-
char *name,
|
582
|
+
const char *name,
|
583
|
+
const char *value);
|
588
584
|
OPENSSL_EXPORT int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx,
|
589
|
-
char *section,
|
585
|
+
const char *section,
|
590
586
|
STACK_OF(X509_EXTENSION) **sk);
|
591
587
|
OPENSSL_EXPORT int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx,
|
592
|
-
char *section, X509 *cert);
|
588
|
+
const char *section, X509 *cert);
|
593
589
|
OPENSSL_EXPORT int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx,
|
594
|
-
char *section, X509_REQ *req);
|
590
|
+
const char *section, X509_REQ *req);
|
595
591
|
OPENSSL_EXPORT int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx,
|
596
|
-
char *section, X509_CRL *crl);
|
592
|
+
const char *section, X509_CRL *crl);
|
597
593
|
|
598
|
-
OPENSSL_EXPORT int X509V3_add_value_bool_nf(char *name, int asn1_bool,
|
594
|
+
OPENSSL_EXPORT int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
|
599
595
|
STACK_OF(CONF_VALUE) **extlist);
|
600
|
-
OPENSSL_EXPORT int X509V3_get_value_bool(CONF_VALUE *value,
|
601
|
-
|
596
|
+
OPENSSL_EXPORT int X509V3_get_value_bool(const CONF_VALUE *value,
|
597
|
+
int *asn1_bool);
|
598
|
+
OPENSSL_EXPORT int X509V3_get_value_int(const CONF_VALUE *value,
|
599
|
+
ASN1_INTEGER **aint);
|
602
600
|
OPENSSL_EXPORT void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
|
603
601
|
|
604
|
-
OPENSSL_EXPORT char *X509V3_get_string(X509V3_CTX *ctx, char *name,
|
605
|
-
char *section);
|
602
|
+
OPENSSL_EXPORT char *X509V3_get_string(X509V3_CTX *ctx, const char *name,
|
603
|
+
const char *section);
|
606
604
|
OPENSSL_EXPORT STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx,
|
607
|
-
char *section);
|
605
|
+
const char *section);
|
608
606
|
OPENSSL_EXPORT void X509V3_string_free(X509V3_CTX *ctx, char *str);
|
609
607
|
OPENSSL_EXPORT void X509V3_section_free(X509V3_CTX *ctx,
|
610
608
|
STACK_OF(CONF_VALUE) *section);
|
@@ -621,30 +619,135 @@ OPENSSL_EXPORT int X509V3_add_value_bool(const char *name, int asn1_bool,
|
|
621
619
|
OPENSSL_EXPORT int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
|
622
620
|
STACK_OF(CONF_VALUE) **extlist);
|
623
621
|
OPENSSL_EXPORT char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth,
|
624
|
-
ASN1_INTEGER *aint);
|
622
|
+
const ASN1_INTEGER *aint);
|
625
623
|
OPENSSL_EXPORT ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth,
|
626
|
-
char *value);
|
624
|
+
const char *value);
|
627
625
|
OPENSSL_EXPORT char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth,
|
628
|
-
ASN1_ENUMERATED *aint);
|
626
|
+
const ASN1_ENUMERATED *aint);
|
629
627
|
OPENSSL_EXPORT char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth,
|
630
|
-
ASN1_ENUMERATED *aint);
|
628
|
+
const ASN1_ENUMERATED *aint);
|
631
629
|
OPENSSL_EXPORT int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
|
632
630
|
OPENSSL_EXPORT int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
|
633
631
|
OPENSSL_EXPORT int X509V3_EXT_add_alias(int nid_to, int nid_from);
|
634
632
|
OPENSSL_EXPORT void X509V3_EXT_cleanup(void);
|
635
633
|
|
636
|
-
OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get(
|
634
|
+
OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get(
|
635
|
+
const X509_EXTENSION *ext);
|
637
636
|
OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
|
638
637
|
OPENSSL_EXPORT int X509V3_add_standard_extensions(void);
|
639
638
|
OPENSSL_EXPORT STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
|
640
|
-
OPENSSL_EXPORT void *X509V3_EXT_d2i(X509_EXTENSION *ext);
|
641
|
-
OPENSSL_EXPORT void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid,
|
642
|
-
int *crit, int *idx);
|
643
|
-
OPENSSL_EXPORT int X509V3_EXT_free(int nid, void *ext_data);
|
644
639
|
|
640
|
+
// X509V3_EXT_d2i decodes |ext| and returns a pointer to a newly-allocated
|
641
|
+
// structure, with type dependent on the type of the extension. It returns NULL
|
642
|
+
// if |ext| is an unsupported extension or if there was a syntax error in the
|
643
|
+
// extension. The caller should cast the return value to the expected type and
|
644
|
+
// free the structure when done.
|
645
|
+
//
|
646
|
+
// WARNING: Casting the return value to the wrong type is a potentially
|
647
|
+
// exploitable memory error, so callers must not use this function before
|
648
|
+
// checking |ext| is of a known type.
|
649
|
+
OPENSSL_EXPORT void *X509V3_EXT_d2i(const X509_EXTENSION *ext);
|
650
|
+
|
651
|
+
// X509V3_get_d2i finds and decodes the extension in |extensions| of type |nid|.
|
652
|
+
// If found, it decodes it and returns a newly-allocated structure, with type
|
653
|
+
// dependent on |nid|. If the extension is not found or on error, it returns
|
654
|
+
// NULL. The caller may distinguish these cases using the |out_critical| value.
|
655
|
+
//
|
656
|
+
// If |out_critical| is not NULL, this function sets |*out_critical| to one if
|
657
|
+
// the extension is found and critical, zero if it is found and not critical, -1
|
658
|
+
// if it is not found, and -2 if there is an invalid duplicate extension. Note
|
659
|
+
// this function may set |*out_critical| to one or zero and still return NULL if
|
660
|
+
// the extension is found but has a syntax error.
|
661
|
+
//
|
662
|
+
// If |out_idx| is not NULL, this function looks for the first occurrence of the
|
663
|
+
// extension after |*out_idx|. It then sets |*out_idx| to the index of the
|
664
|
+
// extension, or -1 if not found. If |out_idx| is non-NULL, duplicate extensions
|
665
|
+
// are not treated as an error. Callers, however, should not rely on this
|
666
|
+
// behavior as it may be removed in the future. Duplicate extensions are
|
667
|
+
// forbidden in RFC5280.
|
668
|
+
//
|
669
|
+
// WARNING: This function is difficult to use correctly. Callers should pass a
|
670
|
+
// non-NULL |out_critical| and check both the return value and |*out_critical|
|
671
|
+
// to handle errors. If the return value is NULL and |*out_critical| is not -1,
|
672
|
+
// there was an error. Otherwise, the function succeeded and but may return NULL
|
673
|
+
// for a missing extension. Callers should pass NULL to |out_idx| so that
|
674
|
+
// duplicate extensions are handled correctly.
|
675
|
+
//
|
676
|
+
// Additionally, casting the return value to the wrong type is a potentially
|
677
|
+
// exploitable memory error, so callers must ensure the cast and |nid| match.
|
678
|
+
OPENSSL_EXPORT void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *extensions,
|
679
|
+
int nid, int *out_critical, int *out_idx);
|
680
|
+
|
681
|
+
// X509V3_EXT_free casts |ext_data| into the type that corresponds to |nid| and
|
682
|
+
// releases memory associated with it. It returns one on success and zero if
|
683
|
+
// |nid| is not a known extension.
|
684
|
+
//
|
685
|
+
// WARNING: Casting |ext_data| to the wrong type is a potentially exploitable
|
686
|
+
// memory error, so callers must ensure |ext_data|'s type matches |nid|.
|
687
|
+
//
|
688
|
+
// TODO(davidben): OpenSSL upstream no longer exposes this function. Remove it?
|
689
|
+
OPENSSL_EXPORT int X509V3_EXT_free(int nid, void *ext_data);
|
645
690
|
|
691
|
+
// X509V3_EXT_i2d casts |ext_struc| into the type that corresponds to
|
692
|
+
// |ext_nid|, serializes it, and returns a newly-allocated |X509_EXTENSION|
|
693
|
+
// object containing the serialization, or NULL on error. The |X509_EXTENSION|
|
694
|
+
// has OID |ext_nid| and is critical if |crit| is one.
|
695
|
+
//
|
696
|
+
// WARNING: Casting |ext_struc| to the wrong type is a potentially exploitable
|
697
|
+
// memory error, so callers must ensure |ext_struct|'s type matches |ext_nid|.
|
646
698
|
OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit,
|
647
699
|
void *ext_struc);
|
700
|
+
|
701
|
+
// The following constants control the behavior of |X509V3_add1_i2d| and related
|
702
|
+
// functions.
|
703
|
+
|
704
|
+
// X509V3_ADD_OP_MASK can be ANDed with the flags to determine how duplicate
|
705
|
+
// extensions are processed.
|
706
|
+
#define X509V3_ADD_OP_MASK 0xfL
|
707
|
+
|
708
|
+
// X509V3_ADD_DEFAULT causes the function to fail if the extension was already
|
709
|
+
// present.
|
710
|
+
#define X509V3_ADD_DEFAULT 0L
|
711
|
+
|
712
|
+
// X509V3_ADD_APPEND causes the function to unconditionally appended the new
|
713
|
+
// extension to to the extensions list, even if there is a duplicate.
|
714
|
+
#define X509V3_ADD_APPEND 1L
|
715
|
+
|
716
|
+
// X509V3_ADD_REPLACE causes the function to replace the existing extension, or
|
717
|
+
// append if it is not present.
|
718
|
+
#define X509V3_ADD_REPLACE 2L
|
719
|
+
|
720
|
+
// X509V3_ADD_REPLACE causes the function to replace the existing extension and
|
721
|
+
// fail if it is not present.
|
722
|
+
#define X509V3_ADD_REPLACE_EXISTING 3L
|
723
|
+
|
724
|
+
// X509V3_ADD_KEEP_EXISTING causes the function to succeed without replacing the
|
725
|
+
// extension if already present.
|
726
|
+
#define X509V3_ADD_KEEP_EXISTING 4L
|
727
|
+
|
728
|
+
// X509V3_ADD_DELETE causes the function to remove the matching extension. No
|
729
|
+
// new extension is added. If there is no matching extension, the function
|
730
|
+
// fails. The |value| parameter is ignored in this mode.
|
731
|
+
#define X509V3_ADD_DELETE 5L
|
732
|
+
|
733
|
+
// X509V3_ADD_SILENT may be ORed into one of the values above to indicate the
|
734
|
+
// function should not add to the error queue on duplicate or missing extension.
|
735
|
+
// The function will continue to return zero in those cases, and it will
|
736
|
+
// continue to return -1 and add to the error queue on other errors.
|
737
|
+
#define X509V3_ADD_SILENT 0x10
|
738
|
+
|
739
|
+
// X509V3_add1_i2d casts |value| to the type that corresponds to |nid|,
|
740
|
+
// serializes it, and appends it to the extension list in |*x|. If |*x| is NULL,
|
741
|
+
// it will set |*x| to a newly-allocated |STACK_OF(X509_EXTENSION)| as needed.
|
742
|
+
// The |crit| parameter determines whether the new extension is critical.
|
743
|
+
// |flags| may be some combination of the |X509V3_ADD_*| constants to control
|
744
|
+
// the function's behavior on duplicate extension.
|
745
|
+
//
|
746
|
+
// This function returns one on success, zero if the operation failed due to a
|
747
|
+
// missing or duplicate extension, and -1 on other errors.
|
748
|
+
//
|
749
|
+
// WARNING: Casting |value| to the wrong type is a potentially exploitable
|
750
|
+
// memory error, so callers must ensure |value|'s type matches |nid|.
|
648
751
|
OPENSSL_EXPORT int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid,
|
649
752
|
void *value, int crit, unsigned long flags);
|
650
753
|
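Review bot: The new comment block for the `3L` constant names the wrong macro: it reads `// X509V3_ADD_REPLACE causes the function to replace the existing extension and` but sits above `#define X509V3_ADD_REPLACE_EXISTING 3L`, so it should begin `// X509V3_ADD_REPLACE_EXISTING causes the function to replace the existing extension and`. Two smaller slips in the same hunk: the `X509V3_EXT_i2d` warning says `|ext_struct|'s type matches |ext_nid|` while the parameter is spelled `ext_struc`, and the `X509V3_ADD_APPEND` comment has "unconditionally appended the new extension to to the extensions list" (should read "append ... to the extensions list"). The casting warnings on `X509V3_EXT_d2i`, `X509V3_get_d2i`, `X509V3_EXT_free`, `X509V3_EXT_i2d` and `X509V3_add1_i2d` are the most valuable part of this hunk, since a mismatched `nid`/cast is a type confusion; it would help `X509V3_EXT_d2i`'s "free the structure when done" to say how, presumably via `X509V3_EXT_free` with the same `nid` or the type-specific `*_free`. As a style point, `#define X509V3_ADD_SILENT 0x10` lacks the `L` suffix the other `X509V3_ADD_*` constants carry.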
|
@@ -126,6 +126,8 @@ BSSL_NAMESPACE_BEGIN
|
|
126
126
|
|
127
127
|
SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg)
|
128
128
|
: ssl(ssl_arg),
|
129
|
+
ech_present(false),
|
130
|
+
ech_is_inner_present(false),
|
129
131
|
scts_requested(false),
|
130
132
|
needs_psk_binder(false),
|
131
133
|
handshake_finalized(false),
|
@@ -494,9 +496,8 @@ bool ssl_send_finished(SSL_HANDSHAKE *hs) {
|
|
494
496
|
}
|
495
497
|
|
496
498
|
// Log the master secret, if logging is enabled.
|
497
|
-
if (!ssl_log_secret(
|
498
|
-
|
499
|
-
MakeConstSpan(session->master_key, session->master_key_length))) {
|
499
|
+
if (!ssl_log_secret(ssl, "CLIENT_RANDOM",
|
500
|
+
MakeConstSpan(session->secret, session->secret_length))) {
|
500
501
|
return 0;
|
501
502
|
}
|
502
503
|
|
@@ -459,8 +459,8 @@ static enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) {
|
|
459
459
|
}
|
460
460
|
|
461
461
|
if (!tls13_init_early_key_schedule(
|
462
|
-
hs,
|
463
|
-
|
462
|
+
hs,
|
463
|
+
MakeConstSpan(ssl->session->secret, ssl->session->secret_length)) ||
|
464
464
|
!tls13_derive_early_secret(hs)) {
|
465
465
|
return ssl_hs_error;
|
466
466
|
}
|
@@ -636,12 +636,9 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
636
636
|
.subspan(SSL3_RANDOM_SIZE - sizeof(kTLS13DowngradeRandom));
|
637
637
|
if (suffix == kTLS12DowngradeRandom || suffix == kTLS13DowngradeRandom ||
|
638
638
|
suffix == kJDK11DowngradeRandom) {
|
639
|
-
|
640
|
-
|
641
|
-
|
642
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
643
|
-
return ssl_hs_error;
|
644
|
-
}
|
639
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_TLS13_DOWNGRADE);
|
640
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
641
|
+
return ssl_hs_error;
|
645
642
|
}
|
646
643
|
}
|
647
644
|
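Review bot: The downgrade check is now unconditional but the surviving lines carry no comment saying so, and the removed branch (its condition lines are rendered empty here) presumably honoured `ignore_tls13_downgrade`, which this release deletes from `SSL_CONFIG` and `ssl_ctx_st`; a reader of the new code cannot tell whether the opt-out was moved or removed. Suggest a comment above the `if (suffix == kTLS12DowngradeRandom || ...)` condition: `// RFC 8446, section 4.1.3: a downgrade sentinel in ServerHello.random is always fatal; there is no longer an ignore_tls13_downgrade opt-out.` This matches the updated `can_false_start` comment further down in this file, which says the signal is "unconditionally enforced". `do_read_server_hello` starts and ends outside the hunk.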
|
@@ -1410,9 +1407,9 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
|
|
1410
1407
|
return ssl_hs_error;
|
1411
1408
|
}
|
1412
1409
|
|
1413
|
-
hs->new_session->
|
1414
|
-
tls1_generate_master_secret(hs, hs->new_session->
|
1415
|
-
if (hs->new_session->
|
1410
|
+
hs->new_session->secret_length =
|
1411
|
+
tls1_generate_master_secret(hs, hs->new_session->secret, pms);
|
1412
|
+
if (hs->new_session->secret_length == 0) {
|
1416
1413
|
return ssl_hs_error;
|
1417
1414
|
}
|
1418
1415
|
hs->new_session->extended_master_secret = hs->extended_master_secret;
|
@@ -1550,18 +1547,12 @@ static bool can_false_start(const SSL_HANDSHAKE *hs) {
|
|
1550
1547
|
//
|
1551
1548
|
// Now that TLS 1.3 exists, we would like to avoid similar attacks between
|
1552
1549
|
// TLS 1.2 and TLS 1.3, but there are too many TLS 1.2 deployments to
|
1553
|
-
// sacrifice False Start on them.
|
1554
|
-
//
|
1555
|
-
// issues.
|
1556
|
-
//
|
1557
|
-
// |SSL_CTX_set_ignore_tls13_downgrade| normally still retains Finished-based
|
1558
|
-
// downgrade protection, but False Start bypasses that. Thus, we disable False
|
1559
|
-
// Start based on the TLS 1.3 downgrade signal, even if otherwise unenforced.
|
1550
|
+
// sacrifice False Start on them. Instead, we rely on the ServerHello.random
|
1551
|
+
// downgrade signal, which we unconditionally enforce.
|
1560
1552
|
if (SSL_is_dtls(ssl) ||
|
1561
1553
|
SSL_version(ssl) != TLS1_2_VERSION ||
|
1562
1554
|
hs->new_cipher->algorithm_mkey != SSL_kECDHE ||
|
1563
|
-
hs->new_cipher->algorithm_mac != SSL_AEAD
|
1564
|
-
ssl->s3->tls13_downgrade) {
|
1555
|
+
hs->new_cipher->algorithm_mac != SSL_AEAD) {
|
1565
1556
|
return false;
|
1566
1557
|
}
|
1567
1558
|
|
@@ -644,6 +644,12 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
|
|
644
644
|
return ssl_hs_error;
|
645
645
|
}
|
646
646
|
|
647
|
+
if (hs->ech_present && hs->ech_is_inner_present) {
|
648
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
649
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
650
|
+
return ssl_hs_error;
|
651
|
+
}
|
652
|
+
|
647
653
|
hs->state = state12_select_certificate;
|
648
654
|
return ssl_hs_ok;
|
649
655
|
}
|
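Review bot: The new rejection of a ClientHello carrying both `ech_present` and `ech_is_inner_present` has no comment explaining why the combination is an error, and the two flags are set elsewhere (outside this hunk), so the reader has to reconstruct the rule. Suggest above the `if`: `// A ClientHello may carry encrypted_client_hello (outer hello) or ech_is_inner (inner hello), never both; presumably per the ECH draft, reject rather than guess which one this is.` Failing closed with `SSL_AD_ILLEGAL_PARAMETER` and `SSL_R_UNEXPECTED_EXTENSION` is the right choice for an ambiguous hello. Since `do_read_client_hello` starts outside the hunk, it is worth confirming that nothing between extension parsing and this check already acts on `ech_present` before the conflict is detected.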
@@ -1402,14 +1408,13 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
|
|
1402
1408
|
}
|
1403
1409
|
|
1404
1410
|
// Compute the master secret.
|
1405
|
-
hs->new_session->
|
1406
|
-
hs, hs->new_session->
|
1407
|
-
if (hs->new_session->
|
1411
|
+
hs->new_session->secret_length = tls1_generate_master_secret(
|
1412
|
+
hs, hs->new_session->secret, premaster_secret);
|
1413
|
+
if (hs->new_session->secret_length == 0) {
|
1408
1414
|
return ssl_hs_error;
|
1409
1415
|
}
|
1410
1416
|
hs->new_session->extended_master_secret = hs->extended_master_secret;
|
1411
|
-
CONSTTIME_DECLASSIFY(hs->new_session->
|
1412
|
-
hs->new_session->master_key_length);
|
1417
|
+
CONSTTIME_DECLASSIFY(hs->new_session->secret, hs->new_session->secret_length);
|
1413
1418
|
|
1414
1419
|
ssl->method->next_message(ssl);
|
1415
1420
|
hs->state = state12_read_client_certificate_verify;
|
@@ -1419,6 +1419,15 @@ bool tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
|
|
1419
1419
|
const SSLMessage &msg, CBS *binders);
|
1420
1420
|
|
1421
1421
|
|
1422
|
+
// Encrypted Client Hello.
|
1423
|
+
|
1424
|
+
// tls13_ech_accept_confirmation computes the server's ECH acceptance signal,
|
1425
|
+
// writing it to |out|. It returns true on success, and false on failure.
|
1426
|
+
bool tls13_ech_accept_confirmation(
|
1427
|
+
SSL_HANDSHAKE *hs, bssl::Span<uint8_t> out,
|
1428
|
+
bssl::Span<const uint8_t> server_hello_ech_conf);
|
1429
|
+
|
1430
|
+
|
1422
1431
|
// Handshake functions.
|
1423
1432
|
|
1424
1433
|
enum ssl_hs_wait_t {
|
@@ -1638,6 +1647,10 @@ struct SSL_HANDSHAKE {
|
|
1638
1647
|
// cookie is the value of the cookie received from the server, if any.
|
1639
1648
|
Array<uint8_t> cookie;
|
1640
1649
|
|
1650
|
+
// ech_grease contains the bytes of the GREASE ECH extension that was sent in
|
1651
|
+
// the first ClientHello.
|
1652
|
+
Array<uint8_t> ech_grease;
|
1653
|
+
|
1641
1654
|
// key_share_bytes is the value of the previously sent KeyShare extension by
|
1642
1655
|
// the client in TLS 1.3.
|
1643
1656
|
Array<uint8_t> key_share_bytes;
|
@@ -1716,6 +1729,14 @@ struct SSL_HANDSHAKE {
|
|
1716
1729
|
// key_block is the record-layer key block for TLS 1.2 and earlier.
|
1717
1730
|
Array<uint8_t> key_block;
|
1718
1731
|
|
1732
|
+
// ech_present, on the server, indicates whether the ClientHello contained an
|
1733
|
+
// encrypted_client_hello extension.
|
1734
|
+
bool ech_present : 1;
|
1735
|
+
|
1736
|
+
// ech_is_inner_present, on the server, indicates whether the ClientHello
|
1737
|
+
// contained an ech_is_inner extension.
|
1738
|
+
bool ech_is_inner_present : 1;
|
1739
|
+
|
1719
1740
|
// scts_requested is true if the SCT extension is in the ClientHello.
|
1720
1741
|
bool scts_requested : 1;
|
1721
1742
|
|
@@ -1882,7 +1903,8 @@ bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
1882
1903
|
bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
|
1883
1904
|
Array<uint8_t> *out_secret,
|
1884
1905
|
uint8_t *out_alert, CBS *contents);
|
1885
|
-
bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out
|
1906
|
+
bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out,
|
1907
|
+
bool dry_run);
|
1886
1908
|
|
1887
1909
|
bool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
|
1888
1910
|
uint8_t *out_alert,
|
@@ -2413,9 +2435,6 @@ struct SSL3_STATE {
|
|
2413
2435
|
// early_data_accepted is true if early data was accepted by the server.
|
2414
2436
|
bool early_data_accepted : 1;
|
2415
2437
|
|
2416
|
-
// tls13_downgrade is whether the TLS 1.3 anti-downgrade logic fired.
|
2417
|
-
bool tls13_downgrade : 1;
|
2418
|
-
|
2419
2438
|
// token_binding_negotiated is set if Token Binding was negotiated.
|
2420
2439
|
bool token_binding_negotiated : 1;
|
2421
2440
|
|
@@ -2732,6 +2751,10 @@ struct SSL_CONFIG {
|
|
2732
2751
|
// verify_mode is a bitmask of |SSL_VERIFY_*| values.
|
2733
2752
|
uint8_t verify_mode = SSL_VERIFY_NONE;
|
2734
2753
|
|
2754
|
+
// ech_grease_enabled controls whether ECH GREASE may be sent in the
|
2755
|
+
// ClientHello.
|
2756
|
+
bool ech_grease_enabled : 1;
|
2757
|
+
|
2735
2758
|
// Enable signed certificate time stamps. Currently client only.
|
2736
2759
|
bool signed_cert_timestamps_enabled : 1;
|
2737
2760
|
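Review bot: `bool ech_grease_enabled : 1;` is added to `SSL_CONFIG` without an initializer, so like the neighbouring bitfields it depends on the `SSL_CONFIG` constructor (not in this hunk) setting it; if that constructor was not updated, the first read of the bit is of an indeterminate value, which is undefined behaviour and could turn GREASE ECH on or off nondeterministically. The `SSL_HANDSHAKE` constructor in this same release does initialize its new bits (`ech_present(false), ech_is_inner_present(false)`), so the same is presumably expected here; please confirm it, and likewise for the `quic_use_legacy_codepoint` bit added further down in this file. An in-class initializer like the `verify_mode` line above is not an option for a bit-field before C++20, so the constructor is the portable place. The comment could also state the intent, e.g. `// ech_grease_enabled controls whether a GREASE encrypted_client_hello extension may be sent in the ClientHello.`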
|
@@ -2764,13 +2787,13 @@ struct SSL_CONFIG {
|
|
2764
2787
|
// should be freed after the handshake completes.
|
2765
2788
|
bool shed_handshake_config : 1;
|
2766
2789
|
|
2767
|
-
// ignore_tls13_downgrade is whether the connection should continue when the
|
2768
|
-
// server random signals a downgrade.
|
2769
|
-
bool ignore_tls13_downgrade : 1;
|
2770
|
-
|
2771
2790
|
// jdk11_workaround is whether to disable TLS 1.3 for JDK 11 clients, as a
|
2772
2791
|
// workaround for https://bugs.openjdk.java.net/browse/JDK-8211806.
|
2773
2792
|
bool jdk11_workaround : 1;
|
2793
|
+
|
2794
|
+
// QUIC drafts up to and including 32 used a different TLS extension
|
2795
|
+
// codepoint to convey QUIC's transport parameters.
|
2796
|
+
bool quic_use_legacy_codepoint : 1;
|
2774
2797
|
};
|
2775
2798
|
|
2776
2799
|
// From RFC 8446, used in determining PSK modes.
|
@@ -3353,10 +3376,6 @@ struct ssl_ctx_st {
|
|
3353
3376
|
// |SSL_MODE_ENABLE_FALSE_START| is enabled) is allowed without ALPN.
|
3354
3377
|
bool false_start_allowed_without_alpn : 1;
|
3355
3378
|
|
3356
|
-
// ignore_tls13_downgrade is whether a connection should continue when the
|
3357
|
-
// server random signals a downgrade.
|
3358
|
-
bool ignore_tls13_downgrade:1;
|
3359
|
-
|
3360
3379
|
// handoff indicates that a server should stop after receiving the
|
3361
3380
|
// ClientHello and pause the handshake in such a way that |SSL_get_error|
|
3362
3381
|
// returns |SSL_ERROR_HANDOFF|.
|
@@ -3477,10 +3496,12 @@ struct ssl_session_st {
|
|
3477
3496
|
// the peer, or zero if not applicable or unknown.
|
3478
3497
|
uint16_t peer_signature_algorithm = 0;
|
3479
3498
|
|
3480
|
-
//
|
3481
|
-
// session. In TLS 1.3 and up, it is the resumption
|
3482
|
-
|
3483
|
-
|
3499
|
+
// secret, in TLS 1.2 and below, is the master secret associated with the
|
3500
|
+
// session. In TLS 1.3 and up, it is the resumption PSK for sessions handed to
|
3501
|
+
// the caller, but it stores the resumption secret when stored on |SSL|
|
3502
|
+
// objects.
|
3503
|
+
int secret_length = 0;
|
3504
|
+
uint8_t secret[SSL_MAX_MASTER_KEY_LENGTH] = {0};
|
3484
3505
|
|
3485
3506
|
// session_id - valid?
|
3486
3507
|
unsigned session_id_length = 0;
|