grpc 1.37.1 → 1.39.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of grpc might be problematic. Click here for more details.

Files changed (636) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +96 -59
  3. data/include/grpc/event_engine/README.md +38 -0
  4. data/include/grpc/event_engine/endpoint_config.h +48 -0
  5. data/include/grpc/event_engine/event_engine.h +334 -0
  6. data/include/grpc/event_engine/port.h +41 -0
  7. data/include/grpc/event_engine/slice_allocator.h +91 -0
  8. data/include/grpc/grpc.h +11 -4
  9. data/include/grpc/grpc_security.h +32 -0
  10. data/include/grpc/grpc_security_constants.h +15 -0
  11. data/include/grpc/impl/codegen/grpc_types.h +28 -13
  12. data/include/grpc/impl/codegen/port_platform.h +22 -0
  13. data/include/grpc/module.modulemap +14 -14
  14. data/src/core/ext/filters/client_channel/backup_poller.cc +3 -3
  15. data/src/core/ext/filters/client_channel/channel_connectivity.cc +177 -202
  16. data/src/core/ext/filters/client_channel/client_channel.cc +630 -3103
  17. data/src/core/ext/filters/client_channel/client_channel.h +489 -55
  18. data/src/core/ext/filters/client_channel/client_channel_channelz.h +1 -1
  19. data/src/core/ext/filters/client_channel/client_channel_plugin.cc +4 -1
  20. data/src/core/ext/filters/client_channel/config_selector.h +1 -1
  21. data/src/core/ext/filters/client_channel/connector.h +1 -1
  22. data/src/core/ext/filters/client_channel/dynamic_filters.cc +9 -10
  23. data/src/core/ext/filters/client_channel/dynamic_filters.h +3 -3
  24. data/src/core/ext/filters/client_channel/health/health_check_client.cc +28 -27
  25. data/src/core/ext/filters/client_channel/health/health_check_client.h +30 -29
  26. data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +24 -21
  27. data/src/core/ext/filters/client_channel/http_proxy.cc +16 -1
  28. data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +6 -6
  29. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +46 -43
  30. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +1 -1
  31. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.h +2 -1
  32. data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +5 -5
  33. data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +14 -12
  34. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +755 -0
  35. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +10 -0
  36. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +4 -4
  37. data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +1 -1
  38. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +15 -15
  39. data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +46 -54
  40. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +23 -23
  41. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +31 -46
  42. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +146 -155
  43. data/src/core/ext/filters/client_channel/lb_policy.cc +1 -1
  44. data/src/core/ext/filters/client_channel/lb_policy.h +4 -4
  45. data/src/core/ext/filters/client_channel/lb_policy_factory.h +1 -1
  46. data/src/core/ext/filters/client_channel/lb_policy_registry.cc +4 -4
  47. data/src/core/ext/filters/client_channel/lb_policy_registry.h +1 -1
  48. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +24 -18
  49. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +1 -1
  50. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_event_engine.cc +31 -0
  51. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +3 -3
  52. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +2 -2
  53. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +14 -14
  54. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +33 -24
  55. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +1 -1
  56. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_event_engine.cc +28 -0
  57. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_libuv.cc +1 -1
  58. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_windows.cc +1 -1
  59. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +18 -12
  60. data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +20 -28
  61. data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +7 -5
  62. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +20 -13
  63. data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +1 -1
  64. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +60 -32
  65. data/src/core/ext/filters/client_channel/resolver.h +2 -2
  66. data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +32 -239
  67. data/src/core/ext/filters/client_channel/resolver_result_parsing.h +20 -49
  68. data/src/core/ext/filters/client_channel/retry_filter.cc +2449 -0
  69. data/src/core/ext/filters/client_channel/retry_filter.h +30 -0
  70. data/src/core/ext/filters/client_channel/retry_service_config.cc +306 -0
  71. data/src/core/ext/filters/client_channel/retry_service_config.h +96 -0
  72. data/src/core/ext/filters/client_channel/server_address.cc +1 -1
  73. data/src/core/ext/filters/client_channel/service_config.cc +15 -14
  74. data/src/core/ext/filters/client_channel/service_config.h +7 -6
  75. data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +5 -4
  76. data/src/core/ext/filters/client_channel/service_config_parser.cc +6 -6
  77. data/src/core/ext/filters/client_channel/service_config_parser.h +7 -4
  78. data/src/core/ext/filters/client_channel/subchannel.cc +17 -16
  79. data/src/core/ext/filters/client_channel/subchannel.h +7 -6
  80. data/src/core/ext/filters/client_idle/client_idle_filter.cc +17 -16
  81. data/src/core/ext/filters/deadline/deadline_filter.cc +10 -10
  82. data/src/core/ext/filters/fault_injection/fault_injection_filter.cc +25 -18
  83. data/src/core/ext/filters/fault_injection/service_config_parser.cc +5 -5
  84. data/src/core/ext/filters/fault_injection/service_config_parser.h +1 -1
  85. data/src/core/ext/filters/http/client/http_client_filter.cc +28 -21
  86. data/src/core/ext/filters/http/client_authority_filter.cc +3 -3
  87. data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +23 -22
  88. data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +21 -21
  89. data/src/core/ext/filters/http/server/http_server_filter.cc +27 -23
  90. data/src/core/ext/filters/max_age/max_age_filter.cc +12 -10
  91. data/src/core/ext/filters/message_size/message_size_filter.cc +14 -11
  92. data/src/core/ext/filters/message_size/message_size_filter.h +1 -1
  93. data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +4 -3
  94. data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +7 -7
  95. data/src/core/ext/transport/chttp2/client/chttp2_connector.h +7 -7
  96. data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +2 -2
  97. data/src/core/ext/transport/chttp2/client/insecure/channel_create_posix.cc +3 -2
  98. data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +3 -3
  99. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +44 -45
  100. data/src/core/ext/transport/chttp2/server/chttp2_server.h +2 -2
  101. data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +3 -4
  102. data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +5 -4
  103. data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +3 -4
  104. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +139 -120
  105. data/src/core/ext/transport/chttp2/transport/context_list.cc +4 -5
  106. data/src/core/ext/transport/chttp2/transport/context_list.h +4 -4
  107. data/src/core/ext/transport/chttp2/transport/flow_control.cc +3 -3
  108. data/src/core/ext/transport/chttp2/transport/flow_control.h +8 -8
  109. data/src/core/ext/transport/chttp2/transport/frame_data.cc +8 -8
  110. data/src/core/ext/transport/chttp2/transport/frame_data.h +10 -10
  111. data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +7 -8
  112. data/src/core/ext/transport/chttp2/transport/frame_goaway.h +6 -6
  113. data/src/core/ext/transport/chttp2/transport/frame_ping.cc +7 -8
  114. data/src/core/ext/transport/chttp2/transport/frame_ping.h +7 -6
  115. data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +7 -7
  116. data/src/core/ext/transport/chttp2/transport/frame_rst_stream.h +6 -6
  117. data/src/core/ext/transport/chttp2/transport/frame_settings.cc +6 -5
  118. data/src/core/ext/transport/chttp2/transport/frame_settings.h +6 -6
  119. data/src/core/ext/transport/chttp2/transport/frame_window_update.cc +4 -6
  120. data/src/core/ext/transport/chttp2/transport/frame_window_update.h +4 -6
  121. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +237 -208
  122. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +10 -10
  123. data/src/core/ext/transport/chttp2/transport/hpack_table.cc +4 -3
  124. data/src/core/ext/transport/chttp2/transport/hpack_table.h +4 -4
  125. data/src/core/ext/transport/chttp2/transport/incoming_metadata.cc +2 -2
  126. data/src/core/ext/transport/chttp2/transport/incoming_metadata.h +2 -2
  127. data/src/core/ext/transport/chttp2/transport/internal.h +32 -27
  128. data/src/core/ext/transport/chttp2/transport/parsing.cc +65 -58
  129. data/src/core/ext/transport/chttp2/transport/writing.cc +7 -3
  130. data/src/core/ext/transport/inproc/inproc_transport.cc +72 -60
  131. data/src/core/ext/xds/certificate_provider_factory.h +1 -1
  132. data/src/core/ext/xds/certificate_provider_store.h +3 -3
  133. data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc +3 -3
  134. data/src/core/ext/xds/file_watcher_certificate_provider_factory.h +2 -2
  135. data/src/core/ext/xds/xds_api.cc +348 -199
  136. data/src/core/ext/xds/xds_api.h +21 -12
  137. data/src/core/ext/xds/xds_bootstrap.cc +97 -159
  138. data/src/core/ext/xds/xds_bootstrap.h +19 -24
  139. data/src/core/ext/xds/xds_certificate_provider.cc +4 -4
  140. data/src/core/ext/xds/xds_certificate_provider.h +4 -4
  141. data/src/core/ext/xds/xds_channel_args.h +5 -2
  142. data/src/core/ext/xds/xds_client.cc +310 -178
  143. data/src/core/ext/xds/xds_client.h +41 -27
  144. data/src/core/ext/xds/xds_client_stats.h +3 -2
  145. data/src/core/ext/xds/xds_server_config_fetcher.cc +34 -20
  146. data/src/core/lib/{iomgr → address_utils}/parse_address.cc +17 -17
  147. data/src/core/lib/{iomgr → address_utils}/parse_address.h +7 -7
  148. data/src/core/lib/{iomgr → address_utils}/sockaddr_utils.cc +16 -20
  149. data/src/core/lib/{iomgr → address_utils}/sockaddr_utils.h +16 -11
  150. data/src/core/lib/channel/channel_stack.cc +10 -9
  151. data/src/core/lib/channel/channel_stack.h +10 -9
  152. data/src/core/lib/channel/channel_stack_builder.cc +2 -2
  153. data/src/core/lib/channel/channel_stack_builder.h +1 -1
  154. data/src/core/lib/channel/channelz.cc +21 -13
  155. data/src/core/lib/channel/channelz.h +3 -0
  156. data/src/core/lib/channel/connected_channel.cc +4 -4
  157. data/src/core/lib/channel/handshaker.cc +7 -6
  158. data/src/core/lib/channel/handshaker.h +5 -5
  159. data/src/core/lib/event_engine/endpoint_config.cc +46 -0
  160. data/src/core/lib/event_engine/endpoint_config_internal.h +42 -0
  161. data/src/core/lib/event_engine/event_engine.cc +50 -0
  162. data/src/core/lib/event_engine/slice_allocator.cc +89 -0
  163. data/src/core/lib/event_engine/sockaddr.cc +40 -0
  164. data/src/core/lib/event_engine/sockaddr.h +44 -0
  165. data/src/core/lib/gpr/wrap_memcpy.cc +2 -1
  166. data/src/core/lib/gprpp/ref_counted.h +28 -14
  167. data/src/core/lib/gprpp/status_helper.cc +407 -0
  168. data/src/core/lib/gprpp/status_helper.h +183 -0
  169. data/src/core/lib/http/httpcli.cc +11 -11
  170. data/src/core/lib/http/httpcli_security_connector.cc +11 -7
  171. data/src/core/lib/http/parser.cc +16 -16
  172. data/src/core/lib/http/parser.h +4 -4
  173. data/src/core/lib/iomgr/buffer_list.cc +7 -9
  174. data/src/core/lib/iomgr/buffer_list.h +4 -5
  175. data/src/core/lib/iomgr/call_combiner.cc +15 -12
  176. data/src/core/lib/iomgr/call_combiner.h +12 -14
  177. data/src/core/lib/iomgr/cfstream_handle.cc +3 -3
  178. data/src/core/lib/iomgr/cfstream_handle.h +1 -1
  179. data/src/core/lib/iomgr/closure.h +7 -6
  180. data/src/core/lib/iomgr/combiner.cc +14 -12
  181. data/src/core/lib/iomgr/combiner.h +2 -2
  182. data/src/core/lib/iomgr/endpoint.cc +1 -1
  183. data/src/core/lib/iomgr/endpoint.h +2 -2
  184. data/src/core/lib/iomgr/endpoint_cfstream.cc +11 -13
  185. data/src/core/lib/iomgr/endpoint_pair_event_engine.cc +33 -0
  186. data/src/core/lib/iomgr/endpoint_pair_windows.cc +1 -1
  187. data/src/core/lib/iomgr/error.cc +168 -61
  188. data/src/core/lib/iomgr/error.h +217 -106
  189. data/src/core/lib/iomgr/error_cfstream.cc +3 -2
  190. data/src/core/lib/iomgr/error_cfstream.h +2 -2
  191. data/src/core/lib/iomgr/error_internal.h +5 -1
  192. data/src/core/lib/iomgr/ev_apple.cc +5 -5
  193. data/src/core/lib/iomgr/ev_epoll1_linux.cc +19 -19
  194. data/src/core/lib/iomgr/ev_epollex_linux.cc +48 -45
  195. data/src/core/lib/iomgr/ev_poll_posix.cc +26 -23
  196. data/src/core/lib/iomgr/ev_posix.cc +9 -8
  197. data/src/core/lib/iomgr/ev_posix.h +9 -9
  198. data/src/core/lib/iomgr/event_engine/closure.cc +54 -0
  199. data/src/core/lib/iomgr/event_engine/closure.h +33 -0
  200. data/src/core/lib/iomgr/event_engine/endpoint.cc +194 -0
  201. data/src/core/lib/iomgr/event_engine/endpoint.h +53 -0
  202. data/src/core/lib/iomgr/event_engine/iomgr.cc +105 -0
  203. data/src/core/lib/iomgr/event_engine/iomgr.h +24 -0
  204. data/src/core/lib/iomgr/event_engine/pollset.cc +87 -0
  205. data/src/core/lib/iomgr/event_engine/pollset.h +25 -0
  206. data/src/core/lib/iomgr/event_engine/promise.h +51 -0
  207. data/src/core/lib/iomgr/event_engine/resolved_address_internal.cc +41 -0
  208. data/src/core/lib/iomgr/event_engine/resolved_address_internal.h +35 -0
  209. data/src/core/lib/iomgr/event_engine/resolver.cc +110 -0
  210. data/src/core/lib/iomgr/event_engine/tcp.cc +243 -0
  211. data/src/core/lib/iomgr/event_engine/timer.cc +57 -0
  212. data/src/core/lib/iomgr/exec_ctx.cc +12 -4
  213. data/src/core/lib/iomgr/exec_ctx.h +4 -5
  214. data/src/core/lib/iomgr/executor/threadpool.cc +2 -3
  215. data/src/core/lib/iomgr/executor/threadpool.h +2 -2
  216. data/src/core/lib/iomgr/executor.cc +8 -8
  217. data/src/core/lib/iomgr/executor.h +2 -2
  218. data/src/core/lib/iomgr/iomgr.cc +2 -2
  219. data/src/core/lib/iomgr/iomgr.h +1 -1
  220. data/src/core/lib/iomgr/iomgr_custom.cc +1 -1
  221. data/src/core/lib/iomgr/iomgr_internal.cc +2 -2
  222. data/src/core/lib/iomgr/iomgr_internal.h +3 -3
  223. data/src/core/lib/iomgr/iomgr_posix.cc +3 -1
  224. data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +42 -12
  225. data/src/core/lib/iomgr/iomgr_windows.cc +1 -1
  226. data/src/core/lib/iomgr/load_file.cc +4 -4
  227. data/src/core/lib/iomgr/load_file.h +2 -2
  228. data/src/core/lib/iomgr/lockfree_event.cc +5 -5
  229. data/src/core/lib/iomgr/lockfree_event.h +1 -1
  230. data/src/core/lib/iomgr/pollset.cc +5 -5
  231. data/src/core/lib/iomgr/pollset.h +9 -9
  232. data/src/core/lib/iomgr/pollset_custom.cc +7 -7
  233. data/src/core/lib/iomgr/pollset_custom.h +3 -1
  234. data/src/core/lib/iomgr/pollset_uv.cc +3 -1
  235. data/src/core/lib/iomgr/pollset_uv.h +5 -1
  236. data/src/core/lib/iomgr/pollset_windows.cc +5 -5
  237. data/src/core/lib/iomgr/port.h +7 -5
  238. data/src/core/lib/iomgr/python_util.h +1 -1
  239. data/src/core/lib/iomgr/resolve_address.cc +8 -4
  240. data/src/core/lib/iomgr/resolve_address.h +12 -6
  241. data/src/core/lib/iomgr/resolve_address_custom.cc +10 -9
  242. data/src/core/lib/iomgr/resolve_address_custom.h +3 -3
  243. data/src/core/lib/iomgr/resolve_address_posix.cc +3 -3
  244. data/src/core/lib/iomgr/resolve_address_windows.cc +4 -4
  245. data/src/core/lib/iomgr/resource_quota.cc +11 -10
  246. data/src/core/lib/iomgr/sockaddr.h +1 -0
  247. data/src/core/lib/iomgr/socket_mutator.cc +15 -2
  248. data/src/core/lib/iomgr/socket_mutator.h +26 -2
  249. data/src/core/lib/iomgr/socket_utils_common_posix.cc +24 -22
  250. data/src/core/lib/iomgr/socket_utils_posix.h +20 -20
  251. data/src/core/lib/iomgr/tcp_client_cfstream.cc +4 -4
  252. data/src/core/lib/iomgr/tcp_client_custom.cc +5 -6
  253. data/src/core/lib/iomgr/tcp_client_posix.cc +22 -19
  254. data/src/core/lib/iomgr/tcp_client_posix.h +3 -4
  255. data/src/core/lib/iomgr/tcp_client_windows.cc +5 -5
  256. data/src/core/lib/iomgr/tcp_custom.cc +14 -16
  257. data/src/core/lib/iomgr/tcp_custom.h +13 -12
  258. data/src/core/lib/iomgr/tcp_posix.cc +78 -73
  259. data/src/core/lib/iomgr/tcp_posix.h +8 -0
  260. data/src/core/lib/iomgr/tcp_server.cc +6 -6
  261. data/src/core/lib/iomgr/tcp_server.h +12 -11
  262. data/src/core/lib/iomgr/tcp_server_custom.cc +26 -25
  263. data/src/core/lib/iomgr/tcp_server_posix.cc +28 -21
  264. data/src/core/lib/iomgr/tcp_server_utils_posix.h +13 -12
  265. data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +21 -18
  266. data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +9 -9
  267. data/src/core/lib/iomgr/tcp_server_utils_posix_noifaddrs.cc +4 -4
  268. data/src/core/lib/iomgr/tcp_server_windows.cc +26 -25
  269. data/src/core/lib/iomgr/tcp_uv.cc +25 -23
  270. data/src/core/lib/iomgr/tcp_windows.cc +13 -13
  271. data/src/core/lib/iomgr/tcp_windows.h +2 -2
  272. data/src/core/lib/iomgr/timer.h +6 -1
  273. data/src/core/lib/iomgr/timer_custom.cc +2 -1
  274. data/src/core/lib/iomgr/timer_custom.h +1 -1
  275. data/src/core/lib/iomgr/timer_generic.cc +6 -6
  276. data/src/core/lib/iomgr/udp_server.cc +21 -20
  277. data/src/core/lib/iomgr/unix_sockets_posix.cc +3 -3
  278. data/src/core/lib/iomgr/unix_sockets_posix.h +2 -2
  279. data/src/core/lib/iomgr/unix_sockets_posix_noop.cc +10 -7
  280. data/src/core/lib/iomgr/wakeup_fd_eventfd.cc +3 -3
  281. data/src/core/lib/iomgr/wakeup_fd_pipe.cc +4 -4
  282. data/src/core/lib/iomgr/wakeup_fd_posix.cc +3 -3
  283. data/src/core/lib/iomgr/wakeup_fd_posix.h +8 -6
  284. data/src/core/lib/iomgr/work_serializer.h +17 -1
  285. data/src/core/lib/json/json.h +1 -1
  286. data/src/core/lib/json/json_reader.cc +4 -4
  287. data/src/core/lib/matchers/matchers.cc +39 -39
  288. data/src/core/lib/matchers/matchers.h +28 -28
  289. data/src/core/lib/security/authorization/authorization_engine.h +44 -0
  290. data/src/core/lib/security/authorization/authorization_policy_provider.h +32 -0
  291. data/src/core/lib/security/authorization/authorization_policy_provider_vtable.cc +46 -0
  292. data/src/core/lib/security/authorization/evaluate_args.cc +209 -0
  293. data/src/core/lib/security/authorization/evaluate_args.h +91 -0
  294. data/src/core/lib/security/credentials/composite/composite_credentials.cc +4 -4
  295. data/src/core/lib/security/credentials/composite/composite_credentials.h +2 -2
  296. data/src/core/lib/security/credentials/credentials.h +2 -2
  297. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +17 -13
  298. data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +13 -11
  299. data/src/core/lib/security/credentials/external/aws_request_signer.cc +2 -1
  300. data/src/core/lib/security/credentials/external/aws_request_signer.h +1 -1
  301. data/src/core/lib/security/credentials/external/external_account_credentials.cc +15 -12
  302. data/src/core/lib/security/credentials/external/external_account_credentials.h +9 -8
  303. data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +5 -4
  304. data/src/core/lib/security/credentials/external/file_external_account_credentials.h +4 -3
  305. data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +8 -8
  306. data/src/core/lib/security/credentials/external/url_external_account_credentials.h +9 -7
  307. data/src/core/lib/security/credentials/fake/fake_credentials.cc +2 -2
  308. data/src/core/lib/security/credentials/fake/fake_credentials.h +2 -2
  309. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +12 -10
  310. data/src/core/lib/security/credentials/iam/iam_credentials.cc +2 -2
  311. data/src/core/lib/security/credentials/iam/iam_credentials.h +2 -2
  312. data/src/core/lib/security/credentials/jwt/json_token.cc +2 -2
  313. data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +3 -3
  314. data/src/core/lib/security/credentials/jwt/jwt_credentials.h +2 -2
  315. data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +7 -5
  316. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +21 -19
  317. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +5 -5
  318. data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +5 -5
  319. data/src/core/lib/security/credentials/plugin/plugin_credentials.h +2 -2
  320. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc +8 -7
  321. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h +9 -9
  322. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +19 -13
  323. data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc +4 -0
  324. data/src/core/lib/security/credentials/tls/tls_utils.cc +32 -0
  325. data/src/core/lib/security/credentials/tls/tls_utils.h +13 -0
  326. data/src/core/lib/security/credentials/xds/xds_credentials.cc +3 -3
  327. data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +13 -3
  328. data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +13 -3
  329. data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +2 -2
  330. data/src/core/lib/security/security_connector/insecure/insecure_security_connector.h +12 -2
  331. data/src/core/lib/security/security_connector/load_system_roots_linux.cc +1 -1
  332. data/src/core/lib/security/security_connector/local/local_security_connector.cc +22 -9
  333. data/src/core/lib/security/security_connector/security_connector.h +9 -4
  334. data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +16 -6
  335. data/src/core/lib/security/security_connector/ssl_utils.cc +27 -4
  336. data/src/core/lib/security/security_connector/ssl_utils.h +4 -4
  337. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +56 -60
  338. data/src/core/lib/security/security_connector/tls/tls_security_connector.h +66 -48
  339. data/src/core/lib/security/transport/client_auth_filter.cc +18 -10
  340. data/src/core/lib/security/transport/secure_endpoint.cc +4 -4
  341. data/src/core/lib/security/transport/security_handshaker.cc +33 -32
  342. data/src/core/lib/security/transport/server_auth_filter.cc +19 -13
  343. data/src/core/lib/security/transport/tsi_error.cc +2 -1
  344. data/src/core/lib/security/transport/tsi_error.h +2 -1
  345. data/src/core/lib/security/util/json_util.cc +2 -2
  346. data/src/core/lib/security/util/json_util.h +1 -1
  347. data/src/core/lib/surface/call.cc +67 -46
  348. data/src/core/lib/surface/call.h +13 -2
  349. data/src/core/lib/surface/channel.cc +6 -6
  350. data/src/core/lib/surface/channel.h +3 -2
  351. data/src/core/lib/surface/channel_ping.cc +1 -1
  352. data/src/core/lib/surface/completion_queue.cc +68 -69
  353. data/src/core/lib/surface/completion_queue.h +3 -2
  354. data/src/core/lib/surface/completion_queue_factory.cc +1 -2
  355. data/src/core/lib/surface/init.cc +1 -3
  356. data/src/core/lib/surface/init.h +10 -1
  357. data/src/core/lib/surface/lame_client.cc +11 -11
  358. data/src/core/lib/surface/lame_client.h +1 -1
  359. data/src/core/lib/surface/server.cc +28 -22
  360. data/src/core/lib/surface/server.h +16 -15
  361. data/src/core/lib/surface/validate_metadata.cc +7 -7
  362. data/src/core/lib/surface/validate_metadata.h +3 -2
  363. data/src/core/lib/surface/version.cc +4 -2
  364. data/src/core/lib/transport/byte_stream.cc +5 -5
  365. data/src/core/lib/transport/byte_stream.h +8 -8
  366. data/src/core/lib/transport/connectivity_state.cc +1 -1
  367. data/src/core/lib/transport/error_utils.cc +21 -10
  368. data/src/core/lib/transport/error_utils.h +11 -5
  369. data/src/core/lib/transport/metadata_batch.cc +37 -37
  370. data/src/core/lib/transport/metadata_batch.h +19 -18
  371. data/src/core/lib/transport/transport.cc +4 -3
  372. data/src/core/lib/transport/transport.h +6 -4
  373. data/src/core/lib/transport/transport_op_string.cc +6 -6
  374. data/src/core/plugin_registry/grpc_plugin_registry.cc +4 -0
  375. data/src/core/tsi/alts/crypt/gsec.h +6 -0
  376. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +5 -4
  377. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +7 -6
  378. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker_private.h +2 -1
  379. data/src/core/tsi/ssl_transport_security.cc +32 -14
  380. data/src/core/tsi/ssl_transport_security.h +3 -4
  381. data/src/ruby/bin/math_services_pb.rb +1 -1
  382. data/src/ruby/ext/grpc/extconf.rb +2 -0
  383. data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +6 -0
  384. data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +11 -2
  385. data/src/ruby/lib/grpc/version.rb +1 -1
  386. data/src/ruby/pb/grpc/health/v1/health_services_pb.rb +1 -1
  387. data/src/ruby/pb/src/proto/grpc/testing/test_services_pb.rb +6 -6
  388. data/third_party/abseil-cpp/absl/algorithm/container.h +3 -3
  389. data/third_party/abseil-cpp/absl/base/attributes.h +24 -4
  390. data/third_party/abseil-cpp/absl/base/call_once.h +2 -9
  391. data/third_party/abseil-cpp/absl/base/config.h +37 -9
  392. data/third_party/abseil-cpp/absl/base/dynamic_annotations.h +24 -10
  393. data/third_party/abseil-cpp/absl/base/internal/direct_mmap.h +4 -1
  394. data/third_party/abseil-cpp/absl/base/internal/endian.h +61 -0
  395. data/third_party/abseil-cpp/absl/base/internal/low_level_scheduling.h +2 -3
  396. data/third_party/abseil-cpp/absl/base/internal/raw_logging.cc +34 -32
  397. data/third_party/abseil-cpp/absl/base/internal/raw_logging.h +16 -6
  398. data/third_party/abseil-cpp/absl/base/internal/spinlock.cc +11 -2
  399. data/third_party/abseil-cpp/absl/base/internal/spinlock.h +14 -5
  400. data/third_party/abseil-cpp/absl/base/internal/spinlock_akaros.inc +2 -2
  401. data/third_party/abseil-cpp/absl/base/internal/spinlock_linux.inc +3 -3
  402. data/third_party/abseil-cpp/absl/base/internal/spinlock_posix.inc +2 -2
  403. data/third_party/abseil-cpp/absl/base/internal/spinlock_wait.h +11 -11
  404. data/third_party/abseil-cpp/absl/base/internal/spinlock_win32.inc +5 -5
  405. data/third_party/abseil-cpp/absl/base/internal/sysinfo.cc +1 -1
  406. data/third_party/abseil-cpp/absl/base/internal/thread_identity.cc +5 -2
  407. data/third_party/abseil-cpp/absl/base/internal/thread_identity.h +43 -42
  408. data/third_party/abseil-cpp/absl/base/internal/throw_delegate.cc +111 -7
  409. data/third_party/abseil-cpp/absl/base/internal/unaligned_access.h +0 -76
  410. data/third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc +1 -3
  411. data/third_party/abseil-cpp/absl/base/log_severity.h +4 -4
  412. data/third_party/abseil-cpp/absl/base/macros.h +11 -0
  413. data/third_party/abseil-cpp/absl/base/optimization.h +10 -7
  414. data/third_party/abseil-cpp/absl/base/options.h +1 -1
  415. data/third_party/abseil-cpp/absl/base/port.h +0 -1
  416. data/third_party/abseil-cpp/absl/base/thread_annotations.h +1 -1
  417. data/third_party/abseil-cpp/absl/container/fixed_array.h +2 -2
  418. data/third_party/abseil-cpp/absl/container/inlined_vector.h +5 -3
  419. data/third_party/abseil-cpp/absl/container/internal/compressed_tuple.h +1 -1
  420. data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc +5 -1
  421. data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.h +2 -1
  422. data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc +2 -1
  423. data/third_party/abseil-cpp/absl/container/internal/inlined_vector.h +141 -66
  424. data/third_party/abseil-cpp/absl/container/internal/layout.h +4 -4
  425. data/third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc +14 -1
  426. data/third_party/abseil-cpp/absl/container/internal/raw_hash_set.h +136 -136
  427. data/third_party/abseil-cpp/absl/debugging/internal/demangle.cc +16 -12
  428. data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_aarch64-inl.inc +5 -2
  429. data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_config.h +3 -12
  430. data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_powerpc-inl.inc +6 -1
  431. data/third_party/abseil-cpp/absl/debugging/internal/symbolize.h +3 -5
  432. data/third_party/abseil-cpp/absl/debugging/symbolize_darwin.inc +2 -2
  433. data/third_party/abseil-cpp/absl/debugging/symbolize_elf.inc +2 -2
  434. data/third_party/abseil-cpp/absl/hash/internal/city.cc +15 -12
  435. data/third_party/abseil-cpp/absl/hash/internal/city.h +1 -19
  436. data/third_party/abseil-cpp/absl/hash/internal/hash.cc +25 -10
  437. data/third_party/abseil-cpp/absl/hash/internal/hash.h +86 -37
  438. data/third_party/abseil-cpp/absl/hash/internal/wyhash.cc +111 -0
  439. data/third_party/abseil-cpp/absl/hash/internal/wyhash.h +48 -0
  440. data/third_party/abseil-cpp/absl/meta/type_traits.h +16 -2
  441. data/third_party/abseil-cpp/absl/numeric/bits.h +177 -0
  442. data/third_party/abseil-cpp/absl/numeric/int128.cc +3 -3
  443. data/third_party/abseil-cpp/absl/numeric/internal/bits.h +358 -0
  444. data/third_party/abseil-cpp/absl/numeric/internal/representation.h +55 -0
  445. data/third_party/abseil-cpp/absl/status/internal/status_internal.h +18 -0
  446. data/third_party/abseil-cpp/absl/status/internal/statusor_internal.h +4 -7
  447. data/third_party/abseil-cpp/absl/status/status.cc +29 -22
  448. data/third_party/abseil-cpp/absl/status/status.h +81 -20
  449. data/third_party/abseil-cpp/absl/status/statusor.h +3 -3
  450. data/third_party/abseil-cpp/absl/strings/charconv.cc +5 -5
  451. data/third_party/abseil-cpp/absl/strings/cord.cc +326 -371
  452. data/third_party/abseil-cpp/absl/strings/cord.h +182 -64
  453. data/third_party/abseil-cpp/absl/strings/escaping.cc +4 -4
  454. data/third_party/abseil-cpp/absl/strings/internal/charconv_parse.cc +6 -6
  455. data/third_party/abseil-cpp/absl/strings/internal/cord_internal.cc +83 -0
  456. data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +387 -17
  457. data/third_party/abseil-cpp/absl/strings/internal/cord_rep_flat.h +146 -0
  458. data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring.cc +897 -0
  459. data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring.h +589 -0
  460. data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring_reader.h +114 -0
  461. data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.cc +14 -0
  462. data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.h +14 -0
  463. data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.cc +15 -1
  464. data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.h +19 -4
  465. data/third_party/abseil-cpp/absl/strings/internal/str_format/checker.h +14 -0
  466. data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.cc +36 -18
  467. data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.h +14 -0
  468. data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.cc +14 -0
  469. data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.h +14 -0
  470. data/third_party/abseil-cpp/absl/strings/internal/str_split_internal.h +15 -40
  471. data/third_party/abseil-cpp/absl/strings/internal/string_constant.h +64 -0
  472. data/third_party/abseil-cpp/absl/strings/match.cc +6 -3
  473. data/third_party/abseil-cpp/absl/strings/match.h +16 -6
  474. data/third_party/abseil-cpp/absl/strings/numbers.cc +132 -4
  475. data/third_party/abseil-cpp/absl/strings/numbers.h +10 -10
  476. data/third_party/abseil-cpp/absl/strings/str_join.h +1 -1
  477. data/third_party/abseil-cpp/absl/strings/str_split.h +38 -4
  478. data/third_party/abseil-cpp/absl/synchronization/internal/futex.h +154 -0
  479. data/third_party/abseil-cpp/absl/synchronization/internal/kernel_timeout.h +2 -1
  480. data/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.cc +2 -2
  481. data/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.h +4 -4
  482. data/third_party/abseil-cpp/absl/synchronization/internal/waiter.cc +1 -65
  483. data/third_party/abseil-cpp/absl/synchronization/internal/waiter.h +2 -6
  484. data/third_party/abseil-cpp/absl/synchronization/mutex.cc +71 -59
  485. data/third_party/abseil-cpp/absl/synchronization/mutex.h +79 -62
  486. data/third_party/abseil-cpp/absl/time/clock.cc +146 -130
  487. data/third_party/abseil-cpp/absl/time/clock.h +2 -2
  488. data/third_party/abseil-cpp/absl/time/duration.cc +3 -2
  489. data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time_detail.h +7 -11
  490. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.cc +7 -1
  491. data/third_party/abseil-cpp/absl/time/internal/cctz/src/tzfile.h +4 -4
  492. data/third_party/abseil-cpp/absl/time/time.cc +4 -3
  493. data/third_party/abseil-cpp/absl/time/time.h +26 -24
  494. data/third_party/abseil-cpp/absl/types/internal/variant.h +1 -1
  495. data/third_party/abseil-cpp/absl/types/variant.h +9 -4
  496. data/third_party/boringssl-with-bazel/err_data.c +483 -461
  497. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +1 -1
  498. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +9 -7
  499. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +18 -8
  500. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +1 -2
  501. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_locl.h +5 -0
  502. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +1 -1
  503. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +1 -1
  504. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +4 -0
  505. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +1 -88
  506. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -3
  507. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +119 -273
  508. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +1 -1
  509. data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +1 -1
  510. data/third_party/boringssl-with-bazel/src/crypto/err/err.c +87 -80
  511. data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +9 -0
  512. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +1 -0
  513. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +1 -1
  514. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +0 -4
  515. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +11 -3
  516. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +25 -2
  517. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +7 -0
  518. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digests.c +10 -2
  519. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/md32_common.h +87 -160
  520. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +4 -0
  521. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +0 -1
  522. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +0 -4
  523. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +104 -93
  524. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +39 -0
  525. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +52 -65
  526. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md5/md5.c +52 -66
  527. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +33 -22
  528. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +9 -8
  529. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +9 -8
  530. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +17 -13
  531. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +1 -22
  532. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +2 -1
  533. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +1 -4
  534. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +0 -13
  535. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +26 -7
  536. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +26 -24
  537. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +10 -7
  538. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +79 -0
  539. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +14 -9
  540. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +61 -75
  541. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +80 -103
  542. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +40 -49
  543. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +367 -315
  544. data/third_party/boringssl-with-bazel/src/crypto/internal.h +65 -0
  545. data/third_party/boringssl-with-bazel/src/crypto/mem.c +14 -0
  546. data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +3 -3
  547. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +5 -3
  548. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +95 -48
  549. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +2 -2
  550. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c +1 -1
  551. data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_asn1.c +1 -2
  552. data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +0 -28
  553. data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +120 -11
  554. data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +2 -0
  555. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +3 -0
  556. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +19 -25
  557. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +3 -2
  558. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +42 -89
  559. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +9 -16
  560. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +2 -0
  561. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +14 -15
  562. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +53 -73
  563. data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +31 -0
  564. data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +3 -0
  565. data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +21 -17
  566. data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +3 -0
  567. data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +7 -25
  568. data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +5 -0
  569. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +25 -22
  570. data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +5 -8
  571. data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +5 -0
  572. data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +2 -0
  573. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +3 -0
  574. data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +7 -0
  575. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +2 -4
  576. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +1 -1
  577. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +1 -0
  578. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +5 -8
  579. data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +1 -4
  580. data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +66 -1
  581. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +120 -41
  582. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +47 -7
  583. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +1 -0
  584. data/third_party/boringssl-with-bazel/src/include/openssl/chacha.h +1 -1
  585. data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +0 -8
  586. data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +24 -4
  587. data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +6 -2
  588. data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +5 -2
  589. data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +33 -0
  590. data/third_party/boringssl-with-bazel/src/include/openssl/err.h +3 -2
  591. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +20 -49
  592. data/third_party/boringssl-with-bazel/src/{crypto/x509/x509_r2x.c → include/openssl/evp_errors.h} +41 -58
  593. data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +325 -0
  594. data/third_party/boringssl-with-bazel/src/include/openssl/obj.h +24 -5
  595. data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +25 -7
  596. data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +9 -1
  597. data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +2 -2
  598. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +99 -63
  599. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +283 -85
  600. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +13 -19
  601. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +445 -152
  602. data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +451 -435
  603. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +2 -1
  604. data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +7 -2
  605. data/third_party/boringssl-with-bazel/src/ssl/d1_srtp.cc +1 -1
  606. data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +1133 -0
  607. data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +298 -22
  608. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +66 -30
  609. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +189 -86
  610. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +154 -24
  611. data/third_party/boringssl-with-bazel/src/ssl/internal.h +414 -135
  612. data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +9 -3
  613. data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
  614. data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +14 -19
  615. data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +4 -6
  616. data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +23 -26
  617. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +51 -60
  618. data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +2 -0
  619. data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +8 -31
  620. data/third_party/boringssl-with-bazel/src/ssl/ssl_stat.cc +3 -0
  621. data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +4 -3
  622. data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +7 -3
  623. data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +664 -702
  624. data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +65 -7
  625. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +98 -39
  626. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +141 -94
  627. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +213 -118
  628. data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +4 -2
  629. metadata +94 -46
  630. data/src/core/lib/iomgr/poller/eventmanager_libuv.cc +0 -88
  631. data/src/core/lib/iomgr/poller/eventmanager_libuv.h +0 -88
  632. data/third_party/abseil-cpp/absl/base/internal/bits.h +0 -219
  633. data/third_party/abseil-cpp/absl/synchronization/internal/mutex_nonprod.inc +0 -249
  634. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/is_fips.c +0 -29
  635. data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +0 -246
  636. data/third_party/boringssl-with-bazel/src/crypto/x509/vpm_int.h +0 -71
@@ -162,6 +162,7 @@
162
162
  #include <openssl/ecdsa.h>
163
163
  #include <openssl/err.h>
164
164
  #include <openssl/evp.h>
165
+ #include <openssl/hpke.h>
165
166
  #include <openssl/md5.h>
166
167
  #include <openssl/mem.h>
167
168
  #include <openssl/rand.h>
@@ -201,7 +202,8 @@ enum ssl_client_hs_state_t {
201
202
 
202
203
  // ssl_get_client_disabled sets |*out_mask_a| and |*out_mask_k| to masks of
203
204
  // disabled algorithms.
204
- static void ssl_get_client_disabled(SSL_HANDSHAKE *hs, uint32_t *out_mask_a,
205
+ static void ssl_get_client_disabled(const SSL_HANDSHAKE *hs,
206
+ uint32_t *out_mask_a,
205
207
  uint32_t *out_mask_k) {
206
208
  *out_mask_a = 0;
207
209
  *out_mask_k = 0;
@@ -213,8 +215,9 @@ static void ssl_get_client_disabled(SSL_HANDSHAKE *hs, uint32_t *out_mask_a,
213
215
  }
214
216
  }
215
217
 
216
- static bool ssl_write_client_cipher_list(SSL_HANDSHAKE *hs, CBB *out) {
217
- SSL *const ssl = hs->ssl;
218
+ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
219
+ ssl_client_hello_type_t type) {
220
+ const SSL *const ssl = hs->ssl;
218
221
  uint32_t mask_a, mask_k;
219
222
  ssl_get_client_disabled(hs, &mask_a, &mask_k);
220
223
 
@@ -223,7 +226,7 @@ static bool ssl_write_client_cipher_list(SSL_HANDSHAKE *hs, CBB *out) {
223
226
  return false;
224
227
  }
225
228
 
226
- // Add a fake cipher suite. See draft-davidben-tls-grease-01.
229
+ // Add a fake cipher suite. See RFC 8701.
227
230
  if (ssl->ctx->grease_enabled &&
228
231
  !CBB_add_u16(&child, ssl_get_grease_value(hs, ssl_grease_cipher))) {
229
232
  return false;
@@ -246,7 +249,7 @@ static bool ssl_write_client_cipher_list(SSL_HANDSHAKE *hs, CBB *out) {
246
249
  }
247
250
  }
248
251
 
249
- if (hs->min_version < TLS1_3_VERSION) {
252
+ if (hs->min_version < TLS1_3_VERSION && type != ssl_client_hello_inner) {
250
253
  bool any_enabled = false;
251
254
  for (const SSL_CIPHER *cipher : SSL_get_ciphers(ssl)) {
252
255
  // Skip disabled ciphers
@@ -280,53 +283,72 @@ static bool ssl_write_client_cipher_list(SSL_HANDSHAKE *hs, CBB *out) {
280
283
  return CBB_flush(out);
281
284
  }
282
285
 
283
- bool ssl_write_client_hello(SSL_HANDSHAKE *hs) {
284
- SSL *const ssl = hs->ssl;
285
- ScopedCBB cbb;
286
- CBB body;
287
- if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CLIENT_HELLO)) {
288
- return false;
289
- }
290
-
286
+ bool ssl_write_client_hello_without_extensions(const SSL_HANDSHAKE *hs,
287
+ CBB *cbb,
288
+ ssl_client_hello_type_t type,
289
+ bool empty_session_id) {
290
+ const SSL *const ssl = hs->ssl;
291
291
  CBB child;
292
- if (!CBB_add_u16(&body, hs->client_version) ||
293
- !CBB_add_bytes(&body, ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
294
- !CBB_add_u8_length_prefixed(&body, &child)) {
292
+ if (!CBB_add_u16(cbb, hs->client_version) ||
293
+ !CBB_add_bytes(cbb,
294
+ type == ssl_client_hello_inner ? hs->inner_client_random
295
+ : ssl->s3->client_random,
296
+ SSL3_RANDOM_SIZE) ||
297
+ !CBB_add_u8_length_prefixed(cbb, &child)) {
295
298
  return false;
296
299
  }
297
300
 
298
301
  // Do not send a session ID on renegotiation.
299
302
  if (!ssl->s3->initial_handshake_complete &&
303
+ !empty_session_id &&
300
304
  !CBB_add_bytes(&child, hs->session_id, hs->session_id_len)) {
301
305
  return false;
302
306
  }
303
307
 
304
308
  if (SSL_is_dtls(ssl)) {
305
- if (!CBB_add_u8_length_prefixed(&body, &child) ||
309
+ if (!CBB_add_u8_length_prefixed(cbb, &child) ||
306
310
  !CBB_add_bytes(&child, ssl->d1->cookie, ssl->d1->cookie_len)) {
307
311
  return false;
308
312
  }
309
313
  }
310
314
 
311
- size_t header_len =
312
- SSL_is_dtls(ssl) ? DTLS1_HM_HEADER_LENGTH : SSL3_HM_HEADER_LENGTH;
313
- if (!ssl_write_client_cipher_list(hs, &body) ||
314
- !CBB_add_u8(&body, 1 /* one compression method */) ||
315
- !CBB_add_u8(&body, 0 /* null compression */) ||
316
- !ssl_add_clienthello_tlsext(hs, &body, header_len + CBB_len(&body))) {
315
+ if (!ssl_write_client_cipher_list(hs, cbb, type) ||
316
+ !CBB_add_u8(cbb, 1 /* one compression method */) ||
317
+ !CBB_add_u8(cbb, 0 /* null compression */)) {
317
318
  return false;
318
319
  }
320
+ return true;
321
+ }
319
322
 
323
+ bool ssl_add_client_hello(SSL_HANDSHAKE *hs) {
324
+ SSL *const ssl = hs->ssl;
325
+ ScopedCBB cbb;
326
+ CBB body;
327
+ ssl_client_hello_type_t type = hs->selected_ech_config
328
+ ? ssl_client_hello_outer
329
+ : ssl_client_hello_unencrypted;
330
+ bool needs_psk_binder;
320
331
  Array<uint8_t> msg;
321
- if (!ssl->method->finish_message(ssl, cbb.get(), &msg)) {
332
+ if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CLIENT_HELLO) ||
333
+ !ssl_write_client_hello_without_extensions(hs, &body, type,
334
+ /*empty_session_id*/ false) ||
335
+ !ssl_add_clienthello_tlsext(hs, &body, /*out_encoded=*/nullptr,
336
+ &needs_psk_binder, type, CBB_len(&body),
337
+ /*omit_ech_len=*/0) ||
338
+ !ssl->method->finish_message(ssl, cbb.get(), &msg)) {
322
339
  return false;
323
340
  }
324
341
 
325
342
  // Now that the length prefixes have been computed, fill in the placeholder
326
343
  // PSK binder.
327
- if (hs->needs_psk_binder &&
328
- !tls13_write_psk_binder(hs, MakeSpan(msg))) {
329
- return false;
344
+ if (needs_psk_binder) {
345
+ // ClientHelloOuter cannot have a PSK binder. Otherwise the
346
+ // ClientHellOuterAAD computation would break.
347
+ assert(type != ssl_client_hello_outer);
348
+ if (!tls13_write_psk_binder(hs, hs->transcript, MakeSpan(msg),
349
+ /*out_binder_len=*/0)) {
350
+ return false;
351
+ }
330
352
  }
331
353
 
332
354
  return ssl->method->add_message(ssl, std::move(msg));
@@ -374,6 +396,60 @@ static bool parse_supported_versions(SSL_HANDSHAKE *hs, uint16_t *version,
374
396
  return true;
375
397
  }
376
398
 
399
+ // should_offer_early_data returns |ssl_early_data_accepted| if |hs| should
400
+ // offer early data, and some other reason code otherwise.
401
+ static ssl_early_data_reason_t should_offer_early_data(
402
+ const SSL_HANDSHAKE *hs) {
403
+ const SSL *const ssl = hs->ssl;
404
+ assert(!ssl->server);
405
+ if (!ssl->enable_early_data) {
406
+ return ssl_early_data_disabled;
407
+ }
408
+
409
+ if (hs->max_version < TLS1_3_VERSION) {
410
+ // We discard inapplicable sessions, so this is redundant with the session
411
+ // checks below, but reporting that TLS 1.3 was disabled is more useful.
412
+ return ssl_early_data_protocol_version;
413
+ }
414
+
415
+ if (ssl->session == nullptr) {
416
+ return ssl_early_data_no_session_offered;
417
+ }
418
+
419
+ if (ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
420
+ ssl->session->ticket_max_early_data == 0) {
421
+ return ssl_early_data_unsupported_for_session;
422
+ }
423
+
424
+ if (!ssl->session->early_alpn.empty()) {
425
+ if (!ssl_is_alpn_protocol_allowed(hs, ssl->session->early_alpn)) {
426
+ // Avoid reporting a confusing value in |SSL_get0_alpn_selected|.
427
+ return ssl_early_data_alpn_mismatch;
428
+ }
429
+
430
+ // If the previous connection negotiated ALPS, only offer 0-RTT when the
431
+ // local are settings are consistent with what we'd offer for this
432
+ // connection.
433
+ if (ssl->session->has_application_settings) {
434
+ Span<const uint8_t> settings;
435
+ if (!ssl_get_local_application_settings(hs, &settings,
436
+ ssl->session->early_alpn) ||
437
+ settings != ssl->session->local_application_settings) {
438
+ return ssl_early_data_alps_mismatch;
439
+ }
440
+ }
441
+ }
442
+
443
+ // Early data has not yet been accepted, but we use it as a success code.
444
+ return ssl_early_data_accepted;
445
+ }
446
+
447
+ void ssl_done_writing_client_hello(SSL_HANDSHAKE *hs) {
448
+ hs->ech_client_bytes.Reset();
449
+ hs->cookie.Reset();
450
+ hs->key_share_bytes.Reset();
451
+ }
452
+
377
453
  static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
378
454
  SSL *const ssl = hs->ssl;
379
455
 
@@ -386,6 +462,12 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
386
462
  return ssl_hs_error;
387
463
  }
388
464
 
465
+ uint8_t ech_enc[EVP_HPKE_MAX_ENC_LENGTH];
466
+ size_t ech_enc_len;
467
+ if (!ssl_select_ech_config(hs, ech_enc, &ech_enc_len)) {
468
+ return ssl_hs_error;
469
+ }
470
+
389
471
  // Always advertise the ClientHello version from the original maximum version,
390
472
  // even on renegotiation. The static RSA key exchange uses this field, and
391
473
  // some servers fail when it changes across handshakes.
@@ -397,34 +479,47 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
397
479
  hs->max_version >= TLS1_2_VERSION ? TLS1_2_VERSION : hs->max_version;
398
480
  }
399
481
 
400
- // If the configured session has expired or was created at a disabled
401
- // version, drop it.
402
- if (ssl->session != NULL) {
482
+ // If the configured session has expired or is not usable, drop it. We also do
483
+ // not offer sessions on renegotiation.
484
+ if (ssl->session != nullptr) {
403
485
  if (ssl->session->is_server ||
404
486
  !ssl_supports_version(hs, ssl->session->ssl_version) ||
405
- (ssl->session->session_id_length == 0 &&
406
- ssl->session->ticket.empty()) ||
407
- ssl->session->not_resumable ||
487
+ // Do not offer TLS 1.2 sessions with ECH. ClientHelloInner does not
488
+ // offer TLS 1.2, and the cleartext session ID may leak the server
489
+ // identity.
490
+ (hs->selected_ech_config &&
491
+ ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) ||
492
+ !SSL_SESSION_is_resumable(ssl->session.get()) ||
408
493
  !ssl_session_is_time_valid(ssl, ssl->session.get()) ||
409
- (ssl->quic_method != nullptr) != ssl->session->is_quic) {
410
- ssl_set_session(ssl, NULL);
494
+ (ssl->quic_method != nullptr) != ssl->session->is_quic ||
495
+ ssl->s3->initial_handshake_complete) {
496
+ ssl_set_session(ssl, nullptr);
411
497
  }
412
498
  }
413
499
 
414
500
  if (!RAND_bytes(ssl->s3->client_random, sizeof(ssl->s3->client_random))) {
415
501
  return ssl_hs_error;
416
502
  }
503
+ if (hs->selected_ech_config &&
504
+ !RAND_bytes(hs->inner_client_random, sizeof(hs->inner_client_random))) {
505
+ return ssl_hs_error;
506
+ }
417
507
 
418
508
  // Never send a session ID in QUIC. QUIC uses TLS 1.3 at a minimum and
419
509
  // disables TLS 1.3 middlebox compatibility mode.
420
510
  if (ssl->quic_method == nullptr) {
421
- if (ssl->session != nullptr && !ssl->s3->initial_handshake_complete &&
422
- ssl->session->session_id_length > 0) {
511
+ const bool has_id_session = ssl->session != nullptr &&
512
+ ssl->session->session_id_length > 0 &&
513
+ ssl->session->ticket.empty();
514
+ const bool has_ticket_session =
515
+ ssl->session != nullptr && !ssl->session->ticket.empty();
516
+ if (has_id_session) {
423
517
  hs->session_id_len = ssl->session->session_id_length;
424
518
  OPENSSL_memcpy(hs->session_id, ssl->session->session_id,
425
519
  hs->session_id_len);
426
- } else if (hs->max_version >= TLS1_3_VERSION) {
427
- // Initialize a random session ID.
520
+ } else if (has_ticket_session || hs->max_version >= TLS1_3_VERSION) {
521
+ // Send a random session ID. TLS 1.3 always sends one, and TLS 1.2 session
522
+ // tickets require a placeholder value to signal resumption.
428
523
  hs->session_id_len = sizeof(hs->session_id);
429
524
  if (!RAND_bytes(hs->session_id, hs->session_id_len)) {
430
525
  return ssl_hs_error;
@@ -432,7 +527,17 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
432
527
  }
433
528
  }
434
529
 
435
- if (!ssl_write_client_hello(hs)) {
530
+ ssl_early_data_reason_t reason = should_offer_early_data(hs);
531
+ if (reason != ssl_early_data_accepted) {
532
+ ssl->s3->early_data_reason = reason;
533
+ } else {
534
+ hs->early_data_offered = true;
535
+ }
536
+
537
+ if (!ssl_setup_key_shares(hs, /*override_group_id=*/0) ||
538
+ !ssl_setup_extension_permutation(hs) ||
539
+ !ssl_encrypt_client_hello(hs, MakeConstSpan(ech_enc, ech_enc_len)) ||
540
+ !ssl_add_client_hello(hs)) {
436
541
  return ssl_hs_error;
437
542
  }
438
543
 
@@ -458,9 +563,7 @@ static enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) {
458
563
  return ssl_hs_error;
459
564
  }
460
565
 
461
- if (!tls13_init_early_key_schedule(
462
- hs,
463
- MakeConstSpan(ssl->session->secret, ssl->session->secret_length)) ||
566
+ if (!tls13_init_early_key_schedule(hs, ssl->session.get()) ||
464
567
  !tls13_derive_early_secret(hs)) {
465
568
  return ssl_hs_error;
466
569
  }
@@ -511,6 +614,10 @@ static enum ssl_hs_wait_t do_read_hello_verify_request(SSL_HANDSHAKE *hs) {
511
614
 
512
615
  assert(SSL_is_dtls(ssl));
513
616
 
617
+ // When implementing DTLS 1.3, we need to handle the interactions between
618
+ // HelloVerifyRequest, DTLS 1.3's HelloVerifyRequest removal, and ECH.
619
+ assert(hs->max_version < TLS1_3_VERSION);
620
+
514
621
  SSLMessage msg;
515
622
  if (!ssl->method->get_message(ssl, &msg)) {
516
623
  return ssl_hs_read_message;
@@ -542,7 +649,7 @@ static enum ssl_hs_wait_t do_read_hello_verify_request(SSL_HANDSHAKE *hs) {
542
649
  return ssl_hs_error;
543
650
  }
544
651
 
545
- if (!ssl_write_client_hello(hs)) {
652
+ if (!ssl_add_client_hello(hs)) {
546
653
  return ssl_hs_error;
547
654
  }
548
655
 
@@ -607,17 +714,32 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
607
714
  // Clear some TLS 1.3 state that no longer needs to be retained.
608
715
  hs->key_shares[0].reset();
609
716
  hs->key_shares[1].reset();
610
- hs->key_share_bytes.Reset();
717
+ ssl_done_writing_client_hello(hs);
611
718
 
612
719
  // A TLS 1.2 server would not know to skip the early data we offered. Report
613
720
  // an error code sooner. The caller may use this error code to implement the
614
721
  // fallback described in RFC 8446 appendix D.3.
615
722
  if (hs->early_data_offered) {
723
+ // Disconnect early writes. This ensures subsequent |SSL_write| calls query
724
+ // the handshake which, in turn, will replay the error code rather than fail
725
+ // at the |write_shutdown| check. See https://crbug.com/1078515.
726
+ // TODO(davidben): Should all handshake errors do this? What about record
727
+ // decryption failures?
728
+ hs->can_early_write = false;
616
729
  OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA);
617
730
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
618
731
  return ssl_hs_error;
619
732
  }
620
733
 
734
+ // TODO(https://crbug.com/boringssl/275): If the server negotiates TLS 1.2 and
735
+ // we offer ECH, we handshake with ClientHelloOuter instead of
736
+ // ClientHelloInner. That path is not yet implemented. For now, terminate the
737
+ // handshake with a distinguishable error for testing.
738
+ if (hs->selected_ech_config) {
739
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
740
+ return ssl_hs_error;
741
+ }
742
+
621
743
  // Copy over the server random.
622
744
  OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),
623
745
  SSL3_RANDOM_SIZE);
@@ -642,28 +764,29 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
642
764
  }
643
765
  }
644
766
 
645
- if (!ssl->s3->initial_handshake_complete && ssl->session != nullptr &&
646
- ssl->session->session_id_length != 0 &&
647
- CBS_mem_equal(&session_id, ssl->session->session_id,
648
- ssl->session->session_id_length)) {
649
- ssl->s3->session_reused = true;
650
- } else {
651
- // The server may also have echoed back the TLS 1.3 compatibility mode
652
- // session ID. As we know this is not a session the server knows about, any
653
- // server resuming it is in error. Reject the first connection
654
- // deterministicly, rather than installing an invalid session into the
655
- // session cache. https://crbug.com/796910
656
- if (hs->session_id_len != 0 &&
657
- CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len)) {
767
+ if (hs->session_id_len != 0 &&
768
+ CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len)) {
769
+ // Echoing the ClientHello session ID in TLS 1.2, whether from the session
770
+ // or a synthetic one, indicates resumption. If there was no session, this
771
+ // was the TLS 1.3 compatibility mode session ID. As we know this is not a
772
+ // session the server knows about, any server resuming it is in error.
773
+ // Reject the first connection deterministicly, rather than installing an
774
+ // invalid session into the session cache. https://crbug.com/796910
775
+ if (ssl->session == nullptr) {
658
776
  OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_ECHOED_INVALID_SESSION_ID);
659
777
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
660
778
  return ssl_hs_error;
661
779
  }
662
-
663
- // The session wasn't resumed. Create a fresh SSL_SESSION to
664
- // fill out.
780
+ // We never offer sessions on renegotiation.
781
+ assert(!ssl->s3->initial_handshake_complete);
782
+ ssl->s3->session_reused = true;
783
+ // Note |ssl->session| may be a TLS 1.3 session, offered in a separate
784
+ // extension altogether. In that case, the version check below will fail the
785
+ // connection.
786
+ } else {
787
+ // The session wasn't resumed. Create a fresh SSL_SESSION to fill out.
665
788
  ssl_set_session(ssl, NULL);
666
- if (!ssl_get_new_session(hs, 0 /* client */)) {
789
+ if (!ssl_get_new_session(hs)) {
667
790
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
668
791
  return ssl_hs_error;
669
792
  }
@@ -675,7 +798,6 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
675
798
 
676
799
  const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
677
800
  if (cipher == NULL) {
678
- // unknown cipher
679
801
  OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);
680
802
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
681
803
  return ssl_hs_error;
@@ -764,13 +886,6 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
764
886
  return ssl_hs_error;
765
887
  }
766
888
 
767
- if (ssl->s3->token_binding_negotiated &&
768
- (!hs->extended_master_secret || !ssl->s3->send_connection_binding)) {
769
- OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI);
770
- ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
771
- return ssl_hs_error;
772
- }
773
-
774
889
  ssl->method->next_message(ssl);
775
890
 
776
891
  if (ssl->session != NULL) {
@@ -1482,18 +1597,7 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
1482
1597
 
1483
1598
  static enum ssl_hs_wait_t do_send_client_finished(SSL_HANDSHAKE *hs) {
1484
1599
  SSL *const ssl = hs->ssl;
1485
- // Resolve Channel ID first, before any non-idempotent operations.
1486
- if (ssl->s3->channel_id_valid) {
1487
- if (!ssl_do_channel_id_callback(hs)) {
1488
- return ssl_hs_error;
1489
- }
1490
-
1491
- if (hs->config->channel_id_private == NULL) {
1492
- hs->state = state_send_client_finished;
1493
- return ssl_hs_channel_id_lookup;
1494
- }
1495
- }
1496
-
1600
+ hs->can_release_private_key = true;
1497
1601
  if (!ssl->method->add_change_cipher_spec(ssl) ||
1498
1602
  !tls1_change_cipher_state(hs, evp_aead_seal)) {
1499
1603
  return ssl_hs_error;
@@ -1518,7 +1622,7 @@ static enum ssl_hs_wait_t do_send_client_finished(SSL_HANDSHAKE *hs) {
1518
1622
  }
1519
1623
  }
1520
1624
 
1521
- if (ssl->s3->channel_id_valid) {
1625
+ if (hs->channel_id_negotiated) {
1522
1626
  ScopedCBB cbb;
1523
1627
  CBB body;
1524
1628
  if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||
@@ -1659,9 +1763,8 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) {
1659
1763
  }
1660
1764
  session->ticket_lifetime_hint = ticket_lifetime_hint;
1661
1765
 
1662
- // Generate a session ID for this session. Some callers expect all sessions to
1663
- // have a session ID. Additionally, it acts as the session ID to signal
1664
- // resumption.
1766
+ // Historically, OpenSSL filled in fake session IDs for ticket-based sessions.
1767
+ // TODO(davidben): Are external callers relying on this? Try removing this.
1665
1768
  SHA256(CBS_data(&ticket), CBS_len(&ticket), session->session_id);
1666
1769
  session->session_id_length = SHA256_DIGEST_LENGTH;
1667
1770