grpc 1.37.1 → 1.39.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +96 -59
- data/include/grpc/event_engine/README.md +38 -0
- data/include/grpc/event_engine/endpoint_config.h +48 -0
- data/include/grpc/event_engine/event_engine.h +334 -0
- data/include/grpc/event_engine/port.h +41 -0
- data/include/grpc/event_engine/slice_allocator.h +91 -0
- data/include/grpc/grpc.h +11 -4
- data/include/grpc/grpc_security.h +32 -0
- data/include/grpc/grpc_security_constants.h +15 -0
- data/include/grpc/impl/codegen/grpc_types.h +28 -13
- data/include/grpc/impl/codegen/port_platform.h +22 -0
- data/include/grpc/module.modulemap +14 -14
- data/src/core/ext/filters/client_channel/backup_poller.cc +3 -3
- data/src/core/ext/filters/client_channel/channel_connectivity.cc +177 -202
- data/src/core/ext/filters/client_channel/client_channel.cc +630 -3103
- data/src/core/ext/filters/client_channel/client_channel.h +489 -55
- data/src/core/ext/filters/client_channel/client_channel_channelz.h +1 -1
- data/src/core/ext/filters/client_channel/client_channel_plugin.cc +4 -1
- data/src/core/ext/filters/client_channel/config_selector.h +1 -1
- data/src/core/ext/filters/client_channel/connector.h +1 -1
- data/src/core/ext/filters/client_channel/dynamic_filters.cc +9 -10
- data/src/core/ext/filters/client_channel/dynamic_filters.h +3 -3
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +28 -27
- data/src/core/ext/filters/client_channel/health/health_check_client.h +30 -29
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +24 -21
- data/src/core/ext/filters/client_channel/http_proxy.cc +16 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +6 -6
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +46 -43
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.h +2 -1
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +5 -5
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +14 -12
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +755 -0
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +10 -0
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +4 -4
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +15 -15
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +46 -54
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +23 -23
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +31 -46
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +146 -155
- data/src/core/ext/filters/client_channel/lb_policy.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy.h +4 -4
- data/src/core/ext/filters/client_channel/lb_policy_factory.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy_registry.cc +4 -4
- data/src/core/ext/filters/client_channel/lb_policy_registry.h +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +24 -18
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_event_engine.cc +31 -0
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +3 -3
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +14 -14
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +33 -24
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_event_engine.cc +28 -0
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_libuv.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_windows.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +18 -12
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +20 -28
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +7 -5
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +20 -13
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +60 -32
- data/src/core/ext/filters/client_channel/resolver.h +2 -2
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +32 -239
- data/src/core/ext/filters/client_channel/resolver_result_parsing.h +20 -49
- data/src/core/ext/filters/client_channel/retry_filter.cc +2449 -0
- data/src/core/ext/filters/client_channel/retry_filter.h +30 -0
- data/src/core/ext/filters/client_channel/retry_service_config.cc +306 -0
- data/src/core/ext/filters/client_channel/retry_service_config.h +96 -0
- data/src/core/ext/filters/client_channel/server_address.cc +1 -1
- data/src/core/ext/filters/client_channel/service_config.cc +15 -14
- data/src/core/ext/filters/client_channel/service_config.h +7 -6
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +5 -4
- data/src/core/ext/filters/client_channel/service_config_parser.cc +6 -6
- data/src/core/ext/filters/client_channel/service_config_parser.h +7 -4
- data/src/core/ext/filters/client_channel/subchannel.cc +17 -16
- data/src/core/ext/filters/client_channel/subchannel.h +7 -6
- data/src/core/ext/filters/client_idle/client_idle_filter.cc +17 -16
- data/src/core/ext/filters/deadline/deadline_filter.cc +10 -10
- data/src/core/ext/filters/fault_injection/fault_injection_filter.cc +25 -18
- data/src/core/ext/filters/fault_injection/service_config_parser.cc +5 -5
- data/src/core/ext/filters/fault_injection/service_config_parser.h +1 -1
- data/src/core/ext/filters/http/client/http_client_filter.cc +28 -21
- data/src/core/ext/filters/http/client_authority_filter.cc +3 -3
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +23 -22
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +21 -21
- data/src/core/ext/filters/http/server/http_server_filter.cc +27 -23
- data/src/core/ext/filters/max_age/max_age_filter.cc +12 -10
- data/src/core/ext/filters/message_size/message_size_filter.cc +14 -11
- data/src/core/ext/filters/message_size/message_size_filter.h +1 -1
- data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +4 -3
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +7 -7
- data/src/core/ext/transport/chttp2/client/chttp2_connector.h +7 -7
- data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +2 -2
- data/src/core/ext/transport/chttp2/client/insecure/channel_create_posix.cc +3 -2
- data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +3 -3
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +44 -45
- data/src/core/ext/transport/chttp2/server/chttp2_server.h +2 -2
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +3 -4
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +5 -4
- data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +3 -4
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +139 -120
- data/src/core/ext/transport/chttp2/transport/context_list.cc +4 -5
- data/src/core/ext/transport/chttp2/transport/context_list.h +4 -4
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +3 -3
- data/src/core/ext/transport/chttp2/transport/flow_control.h +8 -8
- data/src/core/ext/transport/chttp2/transport/frame_data.cc +8 -8
- data/src/core/ext/transport/chttp2/transport/frame_data.h +10 -10
- data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +7 -8
- data/src/core/ext/transport/chttp2/transport/frame_goaway.h +6 -6
- data/src/core/ext/transport/chttp2/transport/frame_ping.cc +7 -8
- data/src/core/ext/transport/chttp2/transport/frame_ping.h +7 -6
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +7 -7
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.h +6 -6
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +6 -5
- data/src/core/ext/transport/chttp2/transport/frame_settings.h +6 -6
- data/src/core/ext/transport/chttp2/transport/frame_window_update.cc +4 -6
- data/src/core/ext/transport/chttp2/transport/frame_window_update.h +4 -6
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +237 -208
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +10 -10
- data/src/core/ext/transport/chttp2/transport/hpack_table.cc +4 -3
- data/src/core/ext/transport/chttp2/transport/hpack_table.h +4 -4
- data/src/core/ext/transport/chttp2/transport/incoming_metadata.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/incoming_metadata.h +2 -2
- data/src/core/ext/transport/chttp2/transport/internal.h +32 -27
- data/src/core/ext/transport/chttp2/transport/parsing.cc +65 -58
- data/src/core/ext/transport/chttp2/transport/writing.cc +7 -3
- data/src/core/ext/transport/inproc/inproc_transport.cc +72 -60
- data/src/core/ext/xds/certificate_provider_factory.h +1 -1
- data/src/core/ext/xds/certificate_provider_store.h +3 -3
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc +3 -3
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.h +2 -2
- data/src/core/ext/xds/xds_api.cc +348 -199
- data/src/core/ext/xds/xds_api.h +21 -12
- data/src/core/ext/xds/xds_bootstrap.cc +97 -159
- data/src/core/ext/xds/xds_bootstrap.h +19 -24
- data/src/core/ext/xds/xds_certificate_provider.cc +4 -4
- data/src/core/ext/xds/xds_certificate_provider.h +4 -4
- data/src/core/ext/xds/xds_channel_args.h +5 -2
- data/src/core/ext/xds/xds_client.cc +310 -178
- data/src/core/ext/xds/xds_client.h +41 -27
- data/src/core/ext/xds/xds_client_stats.h +3 -2
- data/src/core/ext/xds/xds_server_config_fetcher.cc +34 -20
- data/src/core/lib/{iomgr → address_utils}/parse_address.cc +17 -17
- data/src/core/lib/{iomgr → address_utils}/parse_address.h +7 -7
- data/src/core/lib/{iomgr → address_utils}/sockaddr_utils.cc +16 -20
- data/src/core/lib/{iomgr → address_utils}/sockaddr_utils.h +16 -11
- data/src/core/lib/channel/channel_stack.cc +10 -9
- data/src/core/lib/channel/channel_stack.h +10 -9
- data/src/core/lib/channel/channel_stack_builder.cc +2 -2
- data/src/core/lib/channel/channel_stack_builder.h +1 -1
- data/src/core/lib/channel/channelz.cc +21 -13
- data/src/core/lib/channel/channelz.h +3 -0
- data/src/core/lib/channel/connected_channel.cc +4 -4
- data/src/core/lib/channel/handshaker.cc +7 -6
- data/src/core/lib/channel/handshaker.h +5 -5
- data/src/core/lib/event_engine/endpoint_config.cc +46 -0
- data/src/core/lib/event_engine/endpoint_config_internal.h +42 -0
- data/src/core/lib/event_engine/event_engine.cc +50 -0
- data/src/core/lib/event_engine/slice_allocator.cc +89 -0
- data/src/core/lib/event_engine/sockaddr.cc +40 -0
- data/src/core/lib/event_engine/sockaddr.h +44 -0
- data/src/core/lib/gpr/wrap_memcpy.cc +2 -1
- data/src/core/lib/gprpp/ref_counted.h +28 -14
- data/src/core/lib/gprpp/status_helper.cc +407 -0
- data/src/core/lib/gprpp/status_helper.h +183 -0
- data/src/core/lib/http/httpcli.cc +11 -11
- data/src/core/lib/http/httpcli_security_connector.cc +11 -7
- data/src/core/lib/http/parser.cc +16 -16
- data/src/core/lib/http/parser.h +4 -4
- data/src/core/lib/iomgr/buffer_list.cc +7 -9
- data/src/core/lib/iomgr/buffer_list.h +4 -5
- data/src/core/lib/iomgr/call_combiner.cc +15 -12
- data/src/core/lib/iomgr/call_combiner.h +12 -14
- data/src/core/lib/iomgr/cfstream_handle.cc +3 -3
- data/src/core/lib/iomgr/cfstream_handle.h +1 -1
- data/src/core/lib/iomgr/closure.h +7 -6
- data/src/core/lib/iomgr/combiner.cc +14 -12
- data/src/core/lib/iomgr/combiner.h +2 -2
- data/src/core/lib/iomgr/endpoint.cc +1 -1
- data/src/core/lib/iomgr/endpoint.h +2 -2
- data/src/core/lib/iomgr/endpoint_cfstream.cc +11 -13
- data/src/core/lib/iomgr/endpoint_pair_event_engine.cc +33 -0
- data/src/core/lib/iomgr/endpoint_pair_windows.cc +1 -1
- data/src/core/lib/iomgr/error.cc +168 -61
- data/src/core/lib/iomgr/error.h +217 -106
- data/src/core/lib/iomgr/error_cfstream.cc +3 -2
- data/src/core/lib/iomgr/error_cfstream.h +2 -2
- data/src/core/lib/iomgr/error_internal.h +5 -1
- data/src/core/lib/iomgr/ev_apple.cc +5 -5
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +19 -19
- data/src/core/lib/iomgr/ev_epollex_linux.cc +48 -45
- data/src/core/lib/iomgr/ev_poll_posix.cc +26 -23
- data/src/core/lib/iomgr/ev_posix.cc +9 -8
- data/src/core/lib/iomgr/ev_posix.h +9 -9
- data/src/core/lib/iomgr/event_engine/closure.cc +54 -0
- data/src/core/lib/iomgr/event_engine/closure.h +33 -0
- data/src/core/lib/iomgr/event_engine/endpoint.cc +194 -0
- data/src/core/lib/iomgr/event_engine/endpoint.h +53 -0
- data/src/core/lib/iomgr/event_engine/iomgr.cc +105 -0
- data/src/core/lib/iomgr/event_engine/iomgr.h +24 -0
- data/src/core/lib/iomgr/event_engine/pollset.cc +87 -0
- data/src/core/lib/iomgr/event_engine/pollset.h +25 -0
- data/src/core/lib/iomgr/event_engine/promise.h +51 -0
- data/src/core/lib/iomgr/event_engine/resolved_address_internal.cc +41 -0
- data/src/core/lib/iomgr/event_engine/resolved_address_internal.h +35 -0
- data/src/core/lib/iomgr/event_engine/resolver.cc +110 -0
- data/src/core/lib/iomgr/event_engine/tcp.cc +243 -0
- data/src/core/lib/iomgr/event_engine/timer.cc +57 -0
- data/src/core/lib/iomgr/exec_ctx.cc +12 -4
- data/src/core/lib/iomgr/exec_ctx.h +4 -5
- data/src/core/lib/iomgr/executor/threadpool.cc +2 -3
- data/src/core/lib/iomgr/executor/threadpool.h +2 -2
- data/src/core/lib/iomgr/executor.cc +8 -8
- data/src/core/lib/iomgr/executor.h +2 -2
- data/src/core/lib/iomgr/iomgr.cc +2 -2
- data/src/core/lib/iomgr/iomgr.h +1 -1
- data/src/core/lib/iomgr/iomgr_custom.cc +1 -1
- data/src/core/lib/iomgr/iomgr_internal.cc +2 -2
- data/src/core/lib/iomgr/iomgr_internal.h +3 -3
- data/src/core/lib/iomgr/iomgr_posix.cc +3 -1
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +42 -12
- data/src/core/lib/iomgr/iomgr_windows.cc +1 -1
- data/src/core/lib/iomgr/load_file.cc +4 -4
- data/src/core/lib/iomgr/load_file.h +2 -2
- data/src/core/lib/iomgr/lockfree_event.cc +5 -5
- data/src/core/lib/iomgr/lockfree_event.h +1 -1
- data/src/core/lib/iomgr/pollset.cc +5 -5
- data/src/core/lib/iomgr/pollset.h +9 -9
- data/src/core/lib/iomgr/pollset_custom.cc +7 -7
- data/src/core/lib/iomgr/pollset_custom.h +3 -1
- data/src/core/lib/iomgr/pollset_uv.cc +3 -1
- data/src/core/lib/iomgr/pollset_uv.h +5 -1
- data/src/core/lib/iomgr/pollset_windows.cc +5 -5
- data/src/core/lib/iomgr/port.h +7 -5
- data/src/core/lib/iomgr/python_util.h +1 -1
- data/src/core/lib/iomgr/resolve_address.cc +8 -4
- data/src/core/lib/iomgr/resolve_address.h +12 -6
- data/src/core/lib/iomgr/resolve_address_custom.cc +10 -9
- data/src/core/lib/iomgr/resolve_address_custom.h +3 -3
- data/src/core/lib/iomgr/resolve_address_posix.cc +3 -3
- data/src/core/lib/iomgr/resolve_address_windows.cc +4 -4
- data/src/core/lib/iomgr/resource_quota.cc +11 -10
- data/src/core/lib/iomgr/sockaddr.h +1 -0
- data/src/core/lib/iomgr/socket_mutator.cc +15 -2
- data/src/core/lib/iomgr/socket_mutator.h +26 -2
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +24 -22
- data/src/core/lib/iomgr/socket_utils_posix.h +20 -20
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +4 -4
- data/src/core/lib/iomgr/tcp_client_custom.cc +5 -6
- data/src/core/lib/iomgr/tcp_client_posix.cc +22 -19
- data/src/core/lib/iomgr/tcp_client_posix.h +3 -4
- data/src/core/lib/iomgr/tcp_client_windows.cc +5 -5
- data/src/core/lib/iomgr/tcp_custom.cc +14 -16
- data/src/core/lib/iomgr/tcp_custom.h +13 -12
- data/src/core/lib/iomgr/tcp_posix.cc +78 -73
- data/src/core/lib/iomgr/tcp_posix.h +8 -0
- data/src/core/lib/iomgr/tcp_server.cc +6 -6
- data/src/core/lib/iomgr/tcp_server.h +12 -11
- data/src/core/lib/iomgr/tcp_server_custom.cc +26 -25
- data/src/core/lib/iomgr/tcp_server_posix.cc +28 -21
- data/src/core/lib/iomgr/tcp_server_utils_posix.h +13 -12
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +21 -18
- data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +9 -9
- data/src/core/lib/iomgr/tcp_server_utils_posix_noifaddrs.cc +4 -4
- data/src/core/lib/iomgr/tcp_server_windows.cc +26 -25
- data/src/core/lib/iomgr/tcp_uv.cc +25 -23
- data/src/core/lib/iomgr/tcp_windows.cc +13 -13
- data/src/core/lib/iomgr/tcp_windows.h +2 -2
- data/src/core/lib/iomgr/timer.h +6 -1
- data/src/core/lib/iomgr/timer_custom.cc +2 -1
- data/src/core/lib/iomgr/timer_custom.h +1 -1
- data/src/core/lib/iomgr/timer_generic.cc +6 -6
- data/src/core/lib/iomgr/udp_server.cc +21 -20
- data/src/core/lib/iomgr/unix_sockets_posix.cc +3 -3
- data/src/core/lib/iomgr/unix_sockets_posix.h +2 -2
- data/src/core/lib/iomgr/unix_sockets_posix_noop.cc +10 -7
- data/src/core/lib/iomgr/wakeup_fd_eventfd.cc +3 -3
- data/src/core/lib/iomgr/wakeup_fd_pipe.cc +4 -4
- data/src/core/lib/iomgr/wakeup_fd_posix.cc +3 -3
- data/src/core/lib/iomgr/wakeup_fd_posix.h +8 -6
- data/src/core/lib/iomgr/work_serializer.h +17 -1
- data/src/core/lib/json/json.h +1 -1
- data/src/core/lib/json/json_reader.cc +4 -4
- data/src/core/lib/matchers/matchers.cc +39 -39
- data/src/core/lib/matchers/matchers.h +28 -28
- data/src/core/lib/security/authorization/authorization_engine.h +44 -0
- data/src/core/lib/security/authorization/authorization_policy_provider.h +32 -0
- data/src/core/lib/security/authorization/authorization_policy_provider_vtable.cc +46 -0
- data/src/core/lib/security/authorization/evaluate_args.cc +209 -0
- data/src/core/lib/security/authorization/evaluate_args.h +91 -0
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +4 -4
- data/src/core/lib/security/credentials/composite/composite_credentials.h +2 -2
- data/src/core/lib/security/credentials/credentials.h +2 -2
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +17 -13
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +13 -11
- data/src/core/lib/security/credentials/external/aws_request_signer.cc +2 -1
- data/src/core/lib/security/credentials/external/aws_request_signer.h +1 -1
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +15 -12
- data/src/core/lib/security/credentials/external/external_account_credentials.h +9 -8
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +5 -4
- data/src/core/lib/security/credentials/external/file_external_account_credentials.h +4 -3
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +8 -8
- data/src/core/lib/security/credentials/external/url_external_account_credentials.h +9 -7
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +2 -2
- data/src/core/lib/security/credentials/fake/fake_credentials.h +2 -2
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +12 -10
- data/src/core/lib/security/credentials/iam/iam_credentials.cc +2 -2
- data/src/core/lib/security/credentials/iam/iam_credentials.h +2 -2
- data/src/core/lib/security/credentials/jwt/json_token.cc +2 -2
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +3 -3
- data/src/core/lib/security/credentials/jwt/jwt_credentials.h +2 -2
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +7 -5
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +21 -19
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +5 -5
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +5 -5
- data/src/core/lib/security/credentials/plugin/plugin_credentials.h +2 -2
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc +8 -7
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h +9 -9
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +19 -13
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc +4 -0
- data/src/core/lib/security/credentials/tls/tls_utils.cc +32 -0
- data/src/core/lib/security/credentials/tls/tls_utils.h +13 -0
- data/src/core/lib/security/credentials/xds/xds_credentials.cc +3 -3
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +13 -3
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +13 -3
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +2 -2
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.h +12 -2
- data/src/core/lib/security/security_connector/load_system_roots_linux.cc +1 -1
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +22 -9
- data/src/core/lib/security/security_connector/security_connector.h +9 -4
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +16 -6
- data/src/core/lib/security/security_connector/ssl_utils.cc +27 -4
- data/src/core/lib/security/security_connector/ssl_utils.h +4 -4
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +56 -60
- data/src/core/lib/security/security_connector/tls/tls_security_connector.h +66 -48
- data/src/core/lib/security/transport/client_auth_filter.cc +18 -10
- data/src/core/lib/security/transport/secure_endpoint.cc +4 -4
- data/src/core/lib/security/transport/security_handshaker.cc +33 -32
- data/src/core/lib/security/transport/server_auth_filter.cc +19 -13
- data/src/core/lib/security/transport/tsi_error.cc +2 -1
- data/src/core/lib/security/transport/tsi_error.h +2 -1
- data/src/core/lib/security/util/json_util.cc +2 -2
- data/src/core/lib/security/util/json_util.h +1 -1
- data/src/core/lib/surface/call.cc +67 -46
- data/src/core/lib/surface/call.h +13 -2
- data/src/core/lib/surface/channel.cc +6 -6
- data/src/core/lib/surface/channel.h +3 -2
- data/src/core/lib/surface/channel_ping.cc +1 -1
- data/src/core/lib/surface/completion_queue.cc +68 -69
- data/src/core/lib/surface/completion_queue.h +3 -2
- data/src/core/lib/surface/completion_queue_factory.cc +1 -2
- data/src/core/lib/surface/init.cc +1 -3
- data/src/core/lib/surface/init.h +10 -1
- data/src/core/lib/surface/lame_client.cc +11 -11
- data/src/core/lib/surface/lame_client.h +1 -1
- data/src/core/lib/surface/server.cc +28 -22
- data/src/core/lib/surface/server.h +16 -15
- data/src/core/lib/surface/validate_metadata.cc +7 -7
- data/src/core/lib/surface/validate_metadata.h +3 -2
- data/src/core/lib/surface/version.cc +4 -2
- data/src/core/lib/transport/byte_stream.cc +5 -5
- data/src/core/lib/transport/byte_stream.h +8 -8
- data/src/core/lib/transport/connectivity_state.cc +1 -1
- data/src/core/lib/transport/error_utils.cc +21 -10
- data/src/core/lib/transport/error_utils.h +11 -5
- data/src/core/lib/transport/metadata_batch.cc +37 -37
- data/src/core/lib/transport/metadata_batch.h +19 -18
- data/src/core/lib/transport/transport.cc +4 -3
- data/src/core/lib/transport/transport.h +6 -4
- data/src/core/lib/transport/transport_op_string.cc +6 -6
- data/src/core/plugin_registry/grpc_plugin_registry.cc +4 -0
- data/src/core/tsi/alts/crypt/gsec.h +6 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +5 -4
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +7 -6
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker_private.h +2 -1
- data/src/core/tsi/ssl_transport_security.cc +32 -14
- data/src/core/tsi/ssl_transport_security.h +3 -4
- data/src/ruby/bin/math_services_pb.rb +1 -1
- data/src/ruby/ext/grpc/extconf.rb +2 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +6 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +11 -2
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/grpc/health/v1/health_services_pb.rb +1 -1
- data/src/ruby/pb/src/proto/grpc/testing/test_services_pb.rb +6 -6
- data/third_party/abseil-cpp/absl/algorithm/container.h +3 -3
- data/third_party/abseil-cpp/absl/base/attributes.h +24 -4
- data/third_party/abseil-cpp/absl/base/call_once.h +2 -9
- data/third_party/abseil-cpp/absl/base/config.h +37 -9
- data/third_party/abseil-cpp/absl/base/dynamic_annotations.h +24 -10
- data/third_party/abseil-cpp/absl/base/internal/direct_mmap.h +4 -1
- data/third_party/abseil-cpp/absl/base/internal/endian.h +61 -0
- data/third_party/abseil-cpp/absl/base/internal/low_level_scheduling.h +2 -3
- data/third_party/abseil-cpp/absl/base/internal/raw_logging.cc +34 -32
- data/third_party/abseil-cpp/absl/base/internal/raw_logging.h +16 -6
- data/third_party/abseil-cpp/absl/base/internal/spinlock.cc +11 -2
- data/third_party/abseil-cpp/absl/base/internal/spinlock.h +14 -5
- data/third_party/abseil-cpp/absl/base/internal/spinlock_akaros.inc +2 -2
- data/third_party/abseil-cpp/absl/base/internal/spinlock_linux.inc +3 -3
- data/third_party/abseil-cpp/absl/base/internal/spinlock_posix.inc +2 -2
- data/third_party/abseil-cpp/absl/base/internal/spinlock_wait.h +11 -11
- data/third_party/abseil-cpp/absl/base/internal/spinlock_win32.inc +5 -5
- data/third_party/abseil-cpp/absl/base/internal/sysinfo.cc +1 -1
- data/third_party/abseil-cpp/absl/base/internal/thread_identity.cc +5 -2
- data/third_party/abseil-cpp/absl/base/internal/thread_identity.h +43 -42
- data/third_party/abseil-cpp/absl/base/internal/throw_delegate.cc +111 -7
- data/third_party/abseil-cpp/absl/base/internal/unaligned_access.h +0 -76
- data/third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc +1 -3
- data/third_party/abseil-cpp/absl/base/log_severity.h +4 -4
- data/third_party/abseil-cpp/absl/base/macros.h +11 -0
- data/third_party/abseil-cpp/absl/base/optimization.h +10 -7
- data/third_party/abseil-cpp/absl/base/options.h +1 -1
- data/third_party/abseil-cpp/absl/base/port.h +0 -1
- data/third_party/abseil-cpp/absl/base/thread_annotations.h +1 -1
- data/third_party/abseil-cpp/absl/container/fixed_array.h +2 -2
- data/third_party/abseil-cpp/absl/container/inlined_vector.h +5 -3
- data/third_party/abseil-cpp/absl/container/internal/compressed_tuple.h +1 -1
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc +5 -1
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.h +2 -1
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc +2 -1
- data/third_party/abseil-cpp/absl/container/internal/inlined_vector.h +141 -66
- data/third_party/abseil-cpp/absl/container/internal/layout.h +4 -4
- data/third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc +14 -1
- data/third_party/abseil-cpp/absl/container/internal/raw_hash_set.h +136 -136
- data/third_party/abseil-cpp/absl/debugging/internal/demangle.cc +16 -12
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_aarch64-inl.inc +5 -2
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_config.h +3 -12
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_powerpc-inl.inc +6 -1
- data/third_party/abseil-cpp/absl/debugging/internal/symbolize.h +3 -5
- data/third_party/abseil-cpp/absl/debugging/symbolize_darwin.inc +2 -2
- data/third_party/abseil-cpp/absl/debugging/symbolize_elf.inc +2 -2
- data/third_party/abseil-cpp/absl/hash/internal/city.cc +15 -12
- data/third_party/abseil-cpp/absl/hash/internal/city.h +1 -19
- data/third_party/abseil-cpp/absl/hash/internal/hash.cc +25 -10
- data/third_party/abseil-cpp/absl/hash/internal/hash.h +86 -37
- data/third_party/abseil-cpp/absl/hash/internal/wyhash.cc +111 -0
- data/third_party/abseil-cpp/absl/hash/internal/wyhash.h +48 -0
- data/third_party/abseil-cpp/absl/meta/type_traits.h +16 -2
- data/third_party/abseil-cpp/absl/numeric/bits.h +177 -0
- data/third_party/abseil-cpp/absl/numeric/int128.cc +3 -3
- data/third_party/abseil-cpp/absl/numeric/internal/bits.h +358 -0
- data/third_party/abseil-cpp/absl/numeric/internal/representation.h +55 -0
- data/third_party/abseil-cpp/absl/status/internal/status_internal.h +18 -0
- data/third_party/abseil-cpp/absl/status/internal/statusor_internal.h +4 -7
- data/third_party/abseil-cpp/absl/status/status.cc +29 -22
- data/third_party/abseil-cpp/absl/status/status.h +81 -20
- data/third_party/abseil-cpp/absl/status/statusor.h +3 -3
- data/third_party/abseil-cpp/absl/strings/charconv.cc +5 -5
- data/third_party/abseil-cpp/absl/strings/cord.cc +326 -371
- data/third_party/abseil-cpp/absl/strings/cord.h +182 -64
- data/third_party/abseil-cpp/absl/strings/escaping.cc +4 -4
- data/third_party/abseil-cpp/absl/strings/internal/charconv_parse.cc +6 -6
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.cc +83 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +387 -17
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_flat.h +146 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring.cc +897 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring.h +589 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring_reader.h +114 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.cc +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.h +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.cc +15 -1
- data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.h +19 -4
- data/third_party/abseil-cpp/absl/strings/internal/str_format/checker.h +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.cc +36 -18
- data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.h +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.cc +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.h +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_split_internal.h +15 -40
- data/third_party/abseil-cpp/absl/strings/internal/string_constant.h +64 -0
- data/third_party/abseil-cpp/absl/strings/match.cc +6 -3
- data/third_party/abseil-cpp/absl/strings/match.h +16 -6
- data/third_party/abseil-cpp/absl/strings/numbers.cc +132 -4
- data/third_party/abseil-cpp/absl/strings/numbers.h +10 -10
- data/third_party/abseil-cpp/absl/strings/str_join.h +1 -1
- data/third_party/abseil-cpp/absl/strings/str_split.h +38 -4
- data/third_party/abseil-cpp/absl/synchronization/internal/futex.h +154 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/kernel_timeout.h +2 -1
- data/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.cc +2 -2
- data/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.h +4 -4
- data/third_party/abseil-cpp/absl/synchronization/internal/waiter.cc +1 -65
- data/third_party/abseil-cpp/absl/synchronization/internal/waiter.h +2 -6
- data/third_party/abseil-cpp/absl/synchronization/mutex.cc +71 -59
- data/third_party/abseil-cpp/absl/synchronization/mutex.h +79 -62
- data/third_party/abseil-cpp/absl/time/clock.cc +146 -130
- data/third_party/abseil-cpp/absl/time/clock.h +2 -2
- data/third_party/abseil-cpp/absl/time/duration.cc +3 -2
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time_detail.h +7 -11
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.cc +7 -1
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/tzfile.h +4 -4
- data/third_party/abseil-cpp/absl/time/time.cc +4 -3
- data/third_party/abseil-cpp/absl/time/time.h +26 -24
- data/third_party/abseil-cpp/absl/types/internal/variant.h +1 -1
- data/third_party/abseil-cpp/absl/types/variant.h +9 -4
- data/third_party/boringssl-with-bazel/err_data.c +483 -461
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +9 -7
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +18 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_locl.h +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +1 -88
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -3
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +119 -273
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/err/err.c +87 -80
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +9 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +11 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +25 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +7 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digests.c +10 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/md32_common.h +87 -160
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +104 -93
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +39 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +52 -65
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md5/md5.c +52 -66
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +33 -22
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +17 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +1 -22
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +0 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +26 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +26 -24
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +10 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +79 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +14 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +61 -75
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +80 -103
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +40 -49
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +367 -315
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +65 -0
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +14 -0
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +5 -3
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +95 -48
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_asn1.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +0 -28
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +120 -11
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +19 -25
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +42 -89
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +9 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +14 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +53 -73
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +31 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +21 -17
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +7 -25
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +25 -22
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +5 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +7 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +5 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +1 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +66 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +120 -41
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +47 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/chacha.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +0 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +24 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +6 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +5 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +33 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +3 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +20 -49
- data/third_party/boringssl-with-bazel/src/{crypto/x509/x509_r2x.c → include/openssl/evp_errors.h} +41 -58
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +325 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/obj.h +24 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +25 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +9 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +2 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +99 -63
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +283 -85
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +13 -19
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +445 -152
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +451 -435
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +7 -2
- data/third_party/boringssl-with-bazel/src/ssl/d1_srtp.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +1133 -0
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +298 -22
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +66 -30
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +189 -86
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +154 -24
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +414 -135
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +9 -3
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +14 -19
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +4 -6
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +23 -26
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +51 -60
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +2 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +8 -31
- data/third_party/boringssl-with-bazel/src/ssl/ssl_stat.cc +3 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +4 -3
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +7 -3
- data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +664 -702
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +65 -7
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +98 -39
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +141 -94
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +213 -118
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +4 -2
- metadata +94 -46
- data/src/core/lib/iomgr/poller/eventmanager_libuv.cc +0 -88
- data/src/core/lib/iomgr/poller/eventmanager_libuv.h +0 -88
- data/third_party/abseil-cpp/absl/base/internal/bits.h +0 -219
- data/third_party/abseil-cpp/absl/synchronization/internal/mutex_nonprod.inc +0 -249
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/is_fips.c +0 -29
- data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +0 -246
- data/third_party/boringssl-with-bazel/src/crypto/x509/vpm_int.h +0 -71
@@ -534,9 +534,37 @@ bool tls13_add_certificate(SSL_HANDSHAKE *hs) {
|
|
534
534
|
SSL3_MT_COMPRESSED_CERTIFICATE) ||
|
535
535
|
!CBB_add_u16(body, hs->cert_compression_alg_id) ||
|
536
536
|
!CBB_add_u24(body, msg.size()) ||
|
537
|
-
!CBB_add_u24_length_prefixed(body, &compressed)
|
538
|
-
|
539
|
-
|
537
|
+
!CBB_add_u24_length_prefixed(body, &compressed)) {
|
538
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
539
|
+
return false;
|
540
|
+
}
|
541
|
+
|
542
|
+
SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
|
543
|
+
if (hints && !hs->hints_requested &&
|
544
|
+
hints->cert_compression_alg_id == hs->cert_compression_alg_id &&
|
545
|
+
hints->cert_compression_input == MakeConstSpan(msg) &&
|
546
|
+
!hints->cert_compression_output.empty()) {
|
547
|
+
if (!CBB_add_bytes(&compressed, hints->cert_compression_output.data(),
|
548
|
+
hints->cert_compression_output.size())) {
|
549
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
550
|
+
return false;
|
551
|
+
}
|
552
|
+
} else {
|
553
|
+
if (!alg->compress(ssl, &compressed, msg.data(), msg.size())) {
|
554
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
555
|
+
return false;
|
556
|
+
}
|
557
|
+
if (hints && hs->hints_requested) {
|
558
|
+
hints->cert_compression_alg_id = hs->cert_compression_alg_id;
|
559
|
+
if (!hints->cert_compression_input.CopyFrom(msg) ||
|
560
|
+
!hints->cert_compression_output.CopyFrom(
|
561
|
+
MakeConstSpan(CBB_data(&compressed), CBB_len(&compressed)))) {
|
562
|
+
return false;
|
563
|
+
}
|
564
|
+
}
|
565
|
+
}
|
566
|
+
|
567
|
+
if (!ssl_add_message_cbb(ssl, cbb.get())) {
|
540
568
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
541
569
|
return false;
|
542
570
|
}
|
@@ -580,10 +608,40 @@ enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) {
|
|
580
608
|
return ssl_private_key_failure;
|
581
609
|
}
|
582
610
|
|
583
|
-
|
584
|
-
|
585
|
-
if (
|
586
|
-
|
611
|
+
SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
|
612
|
+
Array<uint8_t> spki;
|
613
|
+
if (hints) {
|
614
|
+
ScopedCBB spki_cbb;
|
615
|
+
if (!CBB_init(spki_cbb.get(), 64) ||
|
616
|
+
!EVP_marshal_public_key(spki_cbb.get(), hs->local_pubkey.get()) ||
|
617
|
+
!CBBFinishArray(spki_cbb.get(), &spki)) {
|
618
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
619
|
+
return ssl_private_key_failure;
|
620
|
+
}
|
621
|
+
}
|
622
|
+
|
623
|
+
if (hints && !hs->hints_requested &&
|
624
|
+
signature_algorithm == hints->signature_algorithm &&
|
625
|
+
MakeConstSpan(msg) == hints->signature_input &&
|
626
|
+
MakeConstSpan(spki) == hints->signature_spki &&
|
627
|
+
!hints->signature.empty() && hints->signature.size() <= max_sig_len) {
|
628
|
+
// Signature algorithm and input both match. Reuse the signature from hints.
|
629
|
+
sig_len = hints->signature.size();
|
630
|
+
OPENSSL_memcpy(sig, hints->signature.data(), sig_len);
|
631
|
+
} else {
|
632
|
+
enum ssl_private_key_result_t sign_result = ssl_private_key_sign(
|
633
|
+
hs, sig, &sig_len, max_sig_len, signature_algorithm, msg);
|
634
|
+
if (sign_result != ssl_private_key_success) {
|
635
|
+
return sign_result;
|
636
|
+
}
|
637
|
+
if (hints && hs->hints_requested) {
|
638
|
+
hints->signature_algorithm = signature_algorithm;
|
639
|
+
hints->signature_input = std::move(msg);
|
640
|
+
hints->signature_spki = std::move(spki);
|
641
|
+
if (!hints->signature.CopyFrom(MakeSpan(sig, sig_len))) {
|
642
|
+
return ssl_private_key_failure;
|
643
|
+
}
|
644
|
+
}
|
587
645
|
}
|
588
646
|
|
589
647
|
if (!CBB_did_write(&child, sig_len) ||
|
@@ -156,12 +156,6 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
|
|
156
156
|
|
157
157
|
hs->new_cipher = cipher;
|
158
158
|
|
159
|
-
if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
|
160
|
-
!hs->transcript.UpdateForHelloRetryRequest()) {
|
161
|
-
return ssl_hs_error;
|
162
|
-
}
|
163
|
-
|
164
|
-
|
165
159
|
bool have_cookie, have_key_share, have_supported_versions;
|
166
160
|
CBS cookie, key_share, supported_versions;
|
167
161
|
SSL_EXTENSION_TYPE ext_types[] = {
|
@@ -222,14 +216,29 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
|
|
222
216
|
return ssl_hs_error;
|
223
217
|
}
|
224
218
|
|
225
|
-
hs
|
226
|
-
|
227
|
-
|
219
|
+
if (!ssl_setup_key_shares(hs, group_id)) {
|
220
|
+
return ssl_hs_error;
|
221
|
+
}
|
228
222
|
}
|
229
223
|
|
230
|
-
|
224
|
+
// We do not know whether ECH was chosen until ServerHello and must
|
225
|
+
// concurrently update both transcripts.
|
226
|
+
//
|
227
|
+
// TODO(https://crbug.com/boringssl/275): A later draft will likely add an ECH
|
228
|
+
// signal to HRR and change this.
|
229
|
+
if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
|
230
|
+
!hs->transcript.UpdateForHelloRetryRequest() ||
|
231
|
+
!ssl_hash_message(hs, msg)) {
|
231
232
|
return ssl_hs_error;
|
232
233
|
}
|
234
|
+
if (hs->selected_ech_config) {
|
235
|
+
if (!hs->inner_transcript.InitHash(ssl_protocol_version(ssl),
|
236
|
+
hs->new_cipher) ||
|
237
|
+
!hs->inner_transcript.UpdateForHelloRetryRequest() ||
|
238
|
+
!hs->inner_transcript.Update(msg.raw)) {
|
239
|
+
return ssl_hs_error;
|
240
|
+
}
|
241
|
+
}
|
233
242
|
|
234
243
|
// HelloRetryRequest should be the end of the flight.
|
235
244
|
if (ssl->method->has_unprocessed_handshake_data(ssl)) {
|
@@ -256,10 +265,17 @@ static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
|
|
256
265
|
// Any 0-RTT keys must have been discarded.
|
257
266
|
assert(hs->ssl->s3->write_level == ssl_encryption_initial);
|
258
267
|
|
259
|
-
if
|
268
|
+
// Build the second ClientHelloInner, if applicable. The second ClientHello
|
269
|
+
// uses an empty string for |enc|.
|
270
|
+
if (hs->selected_ech_config && !ssl_encrypt_client_hello(hs, {})) {
|
271
|
+
return ssl_hs_error;
|
272
|
+
}
|
273
|
+
|
274
|
+
if (!ssl_add_client_hello(hs)) {
|
260
275
|
return ssl_hs_error;
|
261
276
|
}
|
262
277
|
|
278
|
+
ssl_done_writing_client_hello(hs);
|
263
279
|
hs->tls13_state = state_read_server_hello;
|
264
280
|
return ssl_hs_flush;
|
265
281
|
}
|
@@ -388,6 +404,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
388
404
|
}
|
389
405
|
|
390
406
|
ssl->s3->session_reused = true;
|
407
|
+
hs->can_release_private_key = true;
|
391
408
|
// Only authentication information carries over in TLS 1.3.
|
392
409
|
hs->new_session =
|
393
410
|
SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_DUP_AUTH_ONLY);
|
@@ -400,7 +417,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
400
417
|
// Resumption incorporates fresh key material, so refresh the timeout.
|
401
418
|
ssl_session_renew_timeout(ssl, hs->new_session.get(),
|
402
419
|
ssl->session_ctx->session_psk_dhe_timeout);
|
403
|
-
} else if (!ssl_get_new_session(hs
|
420
|
+
} else if (!ssl_get_new_session(hs)) {
|
404
421
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
405
422
|
return ssl_hs_error;
|
406
423
|
}
|
@@ -412,13 +429,11 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
412
429
|
EVP_MD_size(ssl_get_handshake_digest(ssl_protocol_version(ssl), cipher));
|
413
430
|
|
414
431
|
// Set up the key schedule and incorporate the PSK into the running secret.
|
415
|
-
if (
|
416
|
-
|
417
|
-
|
418
|
-
|
419
|
-
|
420
|
-
}
|
421
|
-
} else if (!tls13_init_key_schedule(hs, MakeConstSpan(kZeroes, hash_len))) {
|
432
|
+
if (!tls13_init_key_schedule(
|
433
|
+
hs, ssl->s3->session_reused
|
434
|
+
? MakeConstSpan(hs->new_session->secret,
|
435
|
+
hs->new_session->secret_length)
|
436
|
+
: MakeConstSpan(kZeroes, hash_len))) {
|
422
437
|
return ssl_hs_error;
|
423
438
|
}
|
424
439
|
|
@@ -438,8 +453,54 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
438
453
|
return ssl_hs_error;
|
439
454
|
}
|
440
455
|
|
441
|
-
if (!tls13_advance_key_schedule(hs, dhe_secret)
|
442
|
-
|
456
|
+
if (!tls13_advance_key_schedule(hs, dhe_secret)) {
|
457
|
+
return ssl_hs_error;
|
458
|
+
}
|
459
|
+
|
460
|
+
// Determine whether the server accepted ECH.
|
461
|
+
//
|
462
|
+
// TODO(https://crbug.com/boringssl/275): This is a bit late in the process of
|
463
|
+
// parsing ServerHello. |ssl->session| is only valid for ClientHelloInner, so
|
464
|
+
// the decisions made based on PSK need to be double-checked. draft-11 will
|
465
|
+
// fix this, at which point this logic can be moved before any processing.
|
466
|
+
if (hs->selected_ech_config) {
|
467
|
+
uint8_t ech_confirmation[ECH_CONFIRMATION_SIGNAL_LEN];
|
468
|
+
if (!hs->inner_transcript.InitHash(ssl_protocol_version(ssl),
|
469
|
+
hs->new_cipher) ||
|
470
|
+
!ssl_ech_accept_confirmation(hs, ech_confirmation, hs->inner_transcript,
|
471
|
+
msg.raw)) {
|
472
|
+
return ssl_hs_error;
|
473
|
+
}
|
474
|
+
|
475
|
+
if (CRYPTO_memcmp(ech_confirmation,
|
476
|
+
ssl->s3->server_random + sizeof(ssl->s3->server_random) -
|
477
|
+
sizeof(ech_confirmation),
|
478
|
+
sizeof(ech_confirmation)) == 0) {
|
479
|
+
ssl->s3->ech_accept = true;
|
480
|
+
hs->transcript = std::move(hs->inner_transcript);
|
481
|
+
hs->extensions.sent = hs->inner_extensions_sent;
|
482
|
+
// Report the inner random value through |SSL_get_client_random|.
|
483
|
+
OPENSSL_memcpy(ssl->s3->client_random, hs->inner_client_random,
|
484
|
+
SSL3_RANDOM_SIZE);
|
485
|
+
} else {
|
486
|
+
// Resuming against the ClientHelloOuter was an unsolicited extension.
|
487
|
+
if (have_pre_shared_key) {
|
488
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
489
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
|
490
|
+
return ssl_hs_error;
|
491
|
+
}
|
492
|
+
|
493
|
+
// TODO(https://crbug.com/boringssl/275): If the server declines ECH, we
|
494
|
+
// handshake with ClientHelloOuter instead of ClientHelloInner. That path
|
495
|
+
// is not yet implemented. For now, terminate the handshake with a
|
496
|
+
// distiguisable error for testing.
|
497
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
|
498
|
+
return ssl_hs_error;
|
499
|
+
}
|
500
|
+
}
|
501
|
+
|
502
|
+
|
503
|
+
if (!ssl_hash_message(hs, msg) ||
|
443
504
|
!tls13_derive_handshake_secrets(hs)) {
|
444
505
|
return ssl_hs_error;
|
445
506
|
}
|
@@ -489,6 +550,13 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
|
|
489
550
|
}
|
490
551
|
|
491
552
|
if (ssl->s3->early_data_accepted) {
|
553
|
+
// The extension parser checks the server resumed the session.
|
554
|
+
assert(ssl->s3->session_reused);
|
555
|
+
// If offering ECH, the server may not accept early data with
|
556
|
+
// ClientHelloOuter. We do not offer sessions with ClientHelloOuter, so this
|
557
|
+
// this should be implied by checking |session_reused|.
|
558
|
+
assert(hs->selected_ech_config == nullptr || ssl->s3->ech_accept);
|
559
|
+
|
492
560
|
if (hs->early_session->cipher != hs->new_session->cipher) {
|
493
561
|
OPENSSL_PUT_ERROR(SSL, SSL_R_CIPHER_MISMATCH_ON_EARLY_DATA);
|
494
562
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
@@ -500,9 +568,9 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
|
|
500
568
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
501
569
|
return ssl_hs_error;
|
502
570
|
}
|
503
|
-
// Channel ID
|
504
|
-
//
|
505
|
-
if (
|
571
|
+
// Channel ID is incompatible with 0-RTT. The ALPS extension should be
|
572
|
+
// negotiated implicitly.
|
573
|
+
if (hs->channel_id_negotiated ||
|
506
574
|
hs->new_session->has_application_settings) {
|
507
575
|
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);
|
508
576
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
@@ -712,8 +780,7 @@ static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
|
|
712
780
|
SSL *const ssl = hs->ssl;
|
713
781
|
|
714
782
|
if (ssl->s3->early_data_accepted) {
|
715
|
-
// QUIC omits the EndOfEarlyData message. See
|
716
|
-
// section 8.3.
|
783
|
+
// QUIC omits the EndOfEarlyData message. See RFC 9001, section 8.3.
|
717
784
|
if (ssl->quic_method == nullptr) {
|
718
785
|
ScopedCBB cbb;
|
719
786
|
CBB body;
|
@@ -817,18 +884,10 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
|
|
817
884
|
|
818
885
|
static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
|
819
886
|
SSL *const ssl = hs->ssl;
|
887
|
+
hs->can_release_private_key = true;
|
820
888
|
|
821
889
|
// Send a Channel ID assertion if necessary.
|
822
|
-
if (
|
823
|
-
if (!ssl_do_channel_id_callback(hs)) {
|
824
|
-
hs->tls13_state = state_complete_second_flight;
|
825
|
-
return ssl_hs_error;
|
826
|
-
}
|
827
|
-
|
828
|
-
if (hs->config->channel_id_private == NULL) {
|
829
|
-
return ssl_hs_channel_id_lookup;
|
830
|
-
}
|
831
|
-
|
890
|
+
if (hs->channel_id_negotiated) {
|
832
891
|
ScopedCBB cbb;
|
833
892
|
CBB body;
|
834
893
|
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||
|
@@ -1042,7 +1101,7 @@ UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl, CBS *body) {
|
|
1042
1101
|
}
|
1043
1102
|
|
1044
1103
|
// QUIC does not use the max_early_data_size parameter and always sets it to
|
1045
|
-
// a fixed value. See
|
1104
|
+
// a fixed value. See RFC 9001, section 4.6.1.
|
1046
1105
|
if (ssl->quic_method != nullptr &&
|
1047
1106
|
session->ticket_max_early_data != 0xffffffff) {
|
1048
1107
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
@@ -1051,8 +1110,8 @@ UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl, CBS *body) {
|
|
1051
1110
|
}
|
1052
1111
|
}
|
1053
1112
|
|
1054
|
-
//
|
1055
|
-
//
|
1113
|
+
// Historically, OpenSSL filled in fake session IDs for ticket-based sessions.
|
1114
|
+
// Envoy's tests depend on this, although perhaps they shouldn't.
|
1056
1115
|
SHA256(CBS_data(&ticket), CBS_len(&ticket), session->session_id);
|
1057
1116
|
session->session_id_length = SHA256_DIGEST_LENGTH;
|
1058
1117
|
|
@@ -33,24 +33,25 @@
|
|
33
33
|
|
34
34
|
BSSL_NAMESPACE_BEGIN
|
35
35
|
|
36
|
-
static bool init_key_schedule(SSL_HANDSHAKE *hs,
|
37
|
-
const SSL_CIPHER *cipher) {
|
38
|
-
if (!
|
36
|
+
static bool init_key_schedule(SSL_HANDSHAKE *hs, SSLTranscript *transcript,
|
37
|
+
uint16_t version, const SSL_CIPHER *cipher) {
|
38
|
+
if (!transcript->InitHash(version, cipher)) {
|
39
39
|
return false;
|
40
40
|
}
|
41
41
|
|
42
42
|
// Initialize the secret to the zero key.
|
43
|
-
hs->ResizeSecrets(
|
43
|
+
hs->ResizeSecrets(transcript->DigestLen());
|
44
44
|
OPENSSL_memset(hs->secret().data(), 0, hs->secret().size());
|
45
45
|
|
46
46
|
return true;
|
47
47
|
}
|
48
48
|
|
49
|
-
static bool hkdf_extract_to_secret(SSL_HANDSHAKE *hs,
|
49
|
+
static bool hkdf_extract_to_secret(SSL_HANDSHAKE *hs,
|
50
|
+
const SSLTranscript &transcript,
|
51
|
+
Span<const uint8_t> in) {
|
50
52
|
size_t len;
|
51
|
-
if (!HKDF_extract(hs->secret().data(), &len,
|
52
|
-
in.
|
53
|
-
hs->secret().size())) {
|
53
|
+
if (!HKDF_extract(hs->secret().data(), &len, transcript.Digest(), in.data(),
|
54
|
+
in.size(), hs->secret().data(), hs->secret().size())) {
|
54
55
|
return false;
|
55
56
|
}
|
56
57
|
assert(len == hs->secret().size());
|
@@ -58,7 +59,8 @@ static bool hkdf_extract_to_secret(SSL_HANDSHAKE *hs, Span<const uint8_t> in) {
|
|
58
59
|
}
|
59
60
|
|
60
61
|
bool tls13_init_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> psk) {
|
61
|
-
if (!init_key_schedule(hs, ssl_protocol_version(hs->ssl),
|
62
|
+
if (!init_key_schedule(hs, &hs->transcript, ssl_protocol_version(hs->ssl),
|
63
|
+
hs->new_cipher)) {
|
62
64
|
return false;
|
63
65
|
}
|
64
66
|
|
@@ -67,14 +69,22 @@ bool tls13_init_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> psk) {
|
|
67
69
|
if (!hs->handback) {
|
68
70
|
hs->transcript.FreeBuffer();
|
69
71
|
}
|
70
|
-
return hkdf_extract_to_secret(hs, psk);
|
72
|
+
return hkdf_extract_to_secret(hs, hs->transcript, psk);
|
71
73
|
}
|
72
74
|
|
73
|
-
bool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs,
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
75
|
+
bool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs,
|
76
|
+
const SSL_SESSION *session) {
|
77
|
+
assert(!hs->ssl->server);
|
78
|
+
// When offering ECH, early data is associated with ClientHelloInner, not
|
79
|
+
// ClientHelloOuter.
|
80
|
+
SSLTranscript *transcript =
|
81
|
+
hs->selected_ech_config ? &hs->inner_transcript : &hs->transcript;
|
82
|
+
return init_key_schedule(hs, transcript,
|
83
|
+
ssl_session_protocol_version(session),
|
84
|
+
session->cipher) &&
|
85
|
+
hkdf_extract_to_secret(
|
86
|
+
hs, *transcript,
|
87
|
+
MakeConstSpan(session->secret, session->secret_length));
|
78
88
|
}
|
79
89
|
|
80
90
|
static Span<const char> label_to_span(const char *label) {
|
@@ -118,25 +128,31 @@ bool tls13_advance_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> in) {
|
|
118
128
|
hkdf_expand_label(hs->secret(), hs->transcript.Digest(), hs->secret(),
|
119
129
|
label_to_span(kTLS13LabelDerived),
|
120
130
|
MakeConstSpan(derive_context, derive_context_len)) &&
|
121
|
-
hkdf_extract_to_secret(hs, in);
|
131
|
+
hkdf_extract_to_secret(hs, hs->transcript, in);
|
122
132
|
}
|
123
133
|
|
124
|
-
//
|
125
|
-
// in |out| with the given label, the current base secret, and
|
126
|
-
//
|
127
|
-
|
128
|
-
|
129
|
-
|
134
|
+
// derive_secret_with_transcript derives a secret of length |out.size()| and
|
135
|
+
// writes the result in |out| with the given label, the current base secret, and
|
136
|
+
// the state of |transcript|. It returns true on success and false on error.
|
137
|
+
static bool derive_secret_with_transcript(const SSL_HANDSHAKE *hs,
|
138
|
+
Span<uint8_t> out,
|
139
|
+
const SSLTranscript &transcript,
|
140
|
+
Span<const char> label) {
|
130
141
|
uint8_t context_hash[EVP_MAX_MD_SIZE];
|
131
142
|
size_t context_hash_len;
|
132
|
-
if (!
|
143
|
+
if (!transcript.GetHash(context_hash, &context_hash_len)) {
|
133
144
|
return false;
|
134
145
|
}
|
135
146
|
|
136
|
-
return hkdf_expand_label(out,
|
147
|
+
return hkdf_expand_label(out, transcript.Digest(), hs->secret(), label,
|
137
148
|
MakeConstSpan(context_hash, context_hash_len));
|
138
149
|
}
|
139
150
|
|
151
|
+
static bool derive_secret(SSL_HANDSHAKE *hs, Span<uint8_t> out,
|
152
|
+
Span<const char> label) {
|
153
|
+
return derive_secret_with_transcript(hs, out, hs->transcript, label);
|
154
|
+
}
|
155
|
+
|
140
156
|
bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,
|
141
157
|
enum evp_aead_direction_t direction,
|
142
158
|
const SSL_SESSION *session,
|
@@ -228,8 +244,14 @@ static const char kTLS13LabelServerApplicationTraffic[] = "s ap traffic";
|
|
228
244
|
|
229
245
|
bool tls13_derive_early_secret(SSL_HANDSHAKE *hs) {
|
230
246
|
SSL *const ssl = hs->ssl;
|
231
|
-
|
232
|
-
|
247
|
+
// When offering ECH on the client, early data is associated with
|
248
|
+
// ClientHelloInner, not ClientHelloOuter.
|
249
|
+
const SSLTranscript &transcript = (!ssl->server && hs->selected_ech_config)
|
250
|
+
? hs->inner_transcript
|
251
|
+
: hs->transcript;
|
252
|
+
if (!derive_secret_with_transcript(
|
253
|
+
hs, hs->early_traffic_secret(), transcript,
|
254
|
+
label_to_span(kTLS13LabelClientEarlyTraffic)) ||
|
233
255
|
!ssl_log_secret(ssl, "CLIENT_EARLY_TRAFFIC_SECRET",
|
234
256
|
hs->early_traffic_secret())) {
|
235
257
|
return false;
|
@@ -395,74 +417,73 @@ bool tls13_export_keying_material(SSL *ssl, Span<uint8_t> out,
|
|
395
417
|
|
396
418
|
static const char kTLS13LabelPSKBinder[] = "res binder";
|
397
419
|
|
398
|
-
static bool tls13_psk_binder(uint8_t *out, size_t *out_len,
|
399
|
-
const
|
400
|
-
|
420
|
+
static bool tls13_psk_binder(uint8_t *out, size_t *out_len,
|
421
|
+
const SSL_SESSION *session,
|
422
|
+
const SSLTranscript &transcript,
|
423
|
+
Span<const uint8_t> client_hello,
|
424
|
+
size_t binders_len) {
|
425
|
+
const EVP_MD *digest = ssl_session_get_digest(session);
|
426
|
+
|
427
|
+
// Compute the binder key.
|
428
|
+
//
|
429
|
+
// TODO(davidben): Ideally we wouldn't recompute early secret and the binder
|
430
|
+
// key each time.
|
401
431
|
uint8_t binder_context[EVP_MAX_MD_SIZE];
|
402
432
|
unsigned binder_context_len;
|
403
|
-
if (!EVP_Digest(NULL, 0, binder_context, &binder_context_len, digest, NULL)) {
|
404
|
-
return false;
|
405
|
-
}
|
406
|
-
|
407
433
|
uint8_t early_secret[EVP_MAX_MD_SIZE] = {0};
|
408
434
|
size_t early_secret_len;
|
409
|
-
if (!HKDF_extract(early_secret, &early_secret_len, digest, psk.data(),
|
410
|
-
psk.size(), NULL, 0)) {
|
411
|
-
return false;
|
412
|
-
}
|
413
|
-
|
414
435
|
uint8_t binder_key_buf[EVP_MAX_MD_SIZE] = {0};
|
415
436
|
auto binder_key = MakeSpan(binder_key_buf, EVP_MD_size(digest));
|
416
|
-
if (!
|
437
|
+
if (!EVP_Digest(nullptr, 0, binder_context, &binder_context_len, digest,
|
438
|
+
nullptr) ||
|
439
|
+
!HKDF_extract(early_secret, &early_secret_len, digest, session->secret,
|
440
|
+
session->secret_length, nullptr, 0) ||
|
441
|
+
!hkdf_expand_label(binder_key, digest,
|
417
442
|
MakeConstSpan(early_secret, early_secret_len),
|
418
443
|
label_to_span(kTLS13LabelPSKBinder),
|
419
|
-
MakeConstSpan(binder_context, binder_context_len))
|
420
|
-
!tls13_verify_data(out, out_len, digest, version, binder_key, context)) {
|
444
|
+
MakeConstSpan(binder_context, binder_context_len))) {
|
421
445
|
return false;
|
422
446
|
}
|
423
447
|
|
424
|
-
|
425
|
-
|
426
|
-
|
427
|
-
|
428
|
-
static bool hash_transcript_and_truncated_client_hello(
|
429
|
-
SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, const EVP_MD *digest,
|
430
|
-
Span<const uint8_t> client_hello, size_t binders_len) {
|
431
|
-
// Truncate the ClientHello.
|
432
|
-
if (binders_len + 2 < binders_len || client_hello.size() < binders_len + 2) {
|
448
|
+
// Hash the transcript and truncated ClientHello.
|
449
|
+
if (client_hello.size() < binders_len) {
|
450
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
433
451
|
return false;
|
434
452
|
}
|
435
|
-
|
436
|
-
|
453
|
+
auto truncated = client_hello.subspan(0, client_hello.size() - binders_len);
|
454
|
+
uint8_t context[EVP_MAX_MD_SIZE];
|
455
|
+
unsigned context_len;
|
437
456
|
ScopedEVP_MD_CTX ctx;
|
438
|
-
|
439
|
-
|
440
|
-
|
441
|
-
!EVP_DigestFinal_ex(ctx.get(),
|
457
|
+
if (!transcript.CopyToHashContext(ctx.get(), digest) ||
|
458
|
+
!EVP_DigestUpdate(ctx.get(), truncated.data(),
|
459
|
+
truncated.size()) ||
|
460
|
+
!EVP_DigestFinal_ex(ctx.get(), context, &context_len)) {
|
442
461
|
return false;
|
443
462
|
}
|
444
463
|
|
445
|
-
|
464
|
+
if (!tls13_verify_data(out, out_len, digest, session->ssl_version, binder_key,
|
465
|
+
MakeConstSpan(context, context_len))) {
|
466
|
+
return false;
|
467
|
+
}
|
468
|
+
|
469
|
+
assert(*out_len == EVP_MD_size(digest));
|
446
470
|
return true;
|
447
471
|
}
|
448
472
|
|
449
|
-
bool tls13_write_psk_binder(SSL_HANDSHAKE *hs,
|
450
|
-
|
473
|
+
bool tls13_write_psk_binder(const SSL_HANDSHAKE *hs,
|
474
|
+
const SSLTranscript &transcript, Span<uint8_t> msg,
|
475
|
+
size_t *out_binder_len) {
|
476
|
+
const SSL *const ssl = hs->ssl;
|
451
477
|
const EVP_MD *digest = ssl_session_get_digest(ssl->session.get());
|
452
|
-
size_t hash_len = EVP_MD_size(digest);
|
453
|
-
|
454
|
-
|
455
|
-
|
456
|
-
size_t
|
478
|
+
const size_t hash_len = EVP_MD_size(digest);
|
479
|
+
// We only offer one PSK, so the binders are a u16 and u8 length
|
480
|
+
// prefix, followed by the binder. The caller is assumed to have constructed
|
481
|
+
// |msg| with placeholder binders.
|
482
|
+
const size_t binders_len = 3 + hash_len;
|
457
483
|
uint8_t verify_data[EVP_MAX_MD_SIZE];
|
458
484
|
size_t verify_data_len;
|
459
|
-
if (!
|
460
|
-
|
461
|
-
1 /* length prefix */ + hash_len) ||
|
462
|
-
!tls13_psk_binder(
|
463
|
-
verify_data, &verify_data_len, ssl->session->ssl_version, digest,
|
464
|
-
MakeConstSpan(ssl->session->secret, ssl->session->secret_length),
|
465
|
-
MakeConstSpan(context, context_len)) ||
|
485
|
+
if (!tls13_psk_binder(verify_data, &verify_data_len, ssl->session.get(),
|
486
|
+
transcript, msg, binders_len) ||
|
466
487
|
verify_data_len != hash_len) {
|
467
488
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
468
489
|
return false;
|
@@ -470,23 +491,23 @@ bool tls13_write_psk_binder(SSL_HANDSHAKE *hs, Span<uint8_t> msg) {
|
|
470
491
|
|
471
492
|
OPENSSL_memcpy(msg.data() + msg.size() - verify_data_len, verify_data,
|
472
493
|
verify_data_len);
|
494
|
+
if (out_binder_len != nullptr) {
|
495
|
+
*out_binder_len = verify_data_len;
|
496
|
+
}
|
473
497
|
return true;
|
474
498
|
}
|
475
499
|
|
476
|
-
bool tls13_verify_psk_binder(SSL_HANDSHAKE *hs,
|
477
|
-
const SSLMessage &msg,
|
478
|
-
|
479
|
-
size_t context_len;
|
500
|
+
bool tls13_verify_psk_binder(const SSL_HANDSHAKE *hs,
|
501
|
+
const SSL_SESSION *session, const SSLMessage &msg,
|
502
|
+
CBS *binders) {
|
480
503
|
uint8_t verify_data[EVP_MAX_MD_SIZE];
|
481
504
|
size_t verify_data_len;
|
482
505
|
CBS binder;
|
483
|
-
|
484
|
-
|
485
|
-
|
486
|
-
|
487
|
-
|
488
|
-
MakeConstSpan(session->secret, session->secret_length),
|
489
|
-
MakeConstSpan(context, context_len)) ||
|
506
|
+
// The binders are computed over |msg| with |binders| and its u16 length
|
507
|
+
// prefix removed. The caller is assumed to have parsed |msg|, extracted
|
508
|
+
// |binders|, and verified the PSK extension is last.
|
509
|
+
if (!tls13_psk_binder(verify_data, &verify_data_len, session, hs->transcript,
|
510
|
+
msg.raw, 2 + CBS_len(binders)) ||
|
490
511
|
// We only consider the first PSK, so compare against the first binder.
|
491
512
|
!CBS_get_u8_length_prefixed(binders, &binder)) {
|
492
513
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
@@ -507,35 +528,61 @@ bool tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
|
|
507
528
|
return true;
|
508
529
|
}
|
509
530
|
|
510
|
-
|
511
|
-
|
512
|
-
|
513
|
-
|
514
|
-
|
531
|
+
size_t ssl_ech_confirmation_signal_hello_offset(const SSL *ssl) {
|
532
|
+
static_assert(ECH_CONFIRMATION_SIGNAL_LEN < SSL3_RANDOM_SIZE,
|
533
|
+
"the confirmation signal is a suffix of the random");
|
534
|
+
const size_t header_len =
|
535
|
+
SSL_is_dtls(ssl) ? DTLS1_HM_HEADER_LENGTH : SSL3_HM_HEADER_LENGTH;
|
536
|
+
return header_len + 2 /* version */ + SSL3_RANDOM_SIZE -
|
537
|
+
ECH_CONFIRMATION_SIGNAL_LEN;
|
538
|
+
}
|
539
|
+
|
540
|
+
bool ssl_ech_accept_confirmation(
|
541
|
+
const SSL_HANDSHAKE *hs, bssl::Span<uint8_t> out,
|
542
|
+
const SSLTranscript &transcript,
|
543
|
+
bssl::Span<const uint8_t> server_hello) {
|
544
|
+
// We hash |server_hello|, with the last |ECH_CONFIRMATION_SIGNAL_LEN| bytes
|
545
|
+
// of the random value zeroed.
|
546
|
+
static const uint8_t kZeroes[ECH_CONFIRMATION_SIGNAL_LEN] = {0};
|
547
|
+
const size_t offset = ssl_ech_confirmation_signal_hello_offset(hs->ssl);
|
548
|
+
if (server_hello.size() < offset + ECH_CONFIRMATION_SIGNAL_LEN) {
|
549
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
550
|
+
return false;
|
551
|
+
}
|
552
|
+
|
553
|
+
auto before_zeroes = server_hello.subspan(0, offset);
|
554
|
+
auto after_zeroes =
|
555
|
+
server_hello.subspan(offset + ECH_CONFIRMATION_SIGNAL_LEN);
|
515
556
|
uint8_t context_hash[EVP_MAX_MD_SIZE];
|
516
557
|
unsigned context_hash_len;
|
517
558
|
ScopedEVP_MD_CTX ctx;
|
518
|
-
if (!
|
519
|
-
!EVP_DigestUpdate(ctx.get(),
|
520
|
-
|
559
|
+
if (!transcript.CopyToHashContext(ctx.get(), transcript.Digest()) ||
|
560
|
+
!EVP_DigestUpdate(ctx.get(), before_zeroes.data(),
|
561
|
+
before_zeroes.size()) ||
|
562
|
+
!EVP_DigestUpdate(ctx.get(), kZeroes, sizeof(kZeroes)) ||
|
563
|
+
!EVP_DigestUpdate(ctx.get(), after_zeroes.data(), after_zeroes.size()) ||
|
521
564
|
!EVP_DigestFinal_ex(ctx.get(), context_hash, &context_hash_len)) {
|
522
565
|
return false;
|
523
566
|
}
|
524
567
|
|
525
|
-
// Per draft-ietf-tls-esni-
|
568
|
+
// Per draft-ietf-tls-esni-10, accept_confirmation is computed with
|
526
569
|
// Derive-Secret, which derives a secret of size Hash.length. That value is
|
527
570
|
// then truncated to the first 8 bytes. Note this differs from deriving an
|
528
571
|
// 8-byte secret because the target length is included in the derivation.
|
572
|
+
//
|
573
|
+
// TODO(https://crbug.com/boringssl/275): draft-11 will avoid this.
|
529
574
|
uint8_t accept_confirmation_buf[EVP_MAX_MD_SIZE];
|
530
575
|
bssl::Span<uint8_t> accept_confirmation =
|
531
|
-
MakeSpan(accept_confirmation_buf,
|
532
|
-
if (!hkdf_expand_label(accept_confirmation,
|
576
|
+
MakeSpan(accept_confirmation_buf, transcript.DigestLen());
|
577
|
+
if (!hkdf_expand_label(accept_confirmation, transcript.Digest(),
|
533
578
|
hs->secret(), label_to_span("ech accept confirmation"),
|
534
579
|
MakeConstSpan(context_hash, context_hash_len))) {
|
535
580
|
return false;
|
536
581
|
}
|
537
582
|
|
538
|
-
|
583
|
+
static_assert(ECH_CONFIRMATION_SIGNAL_LEN < EVP_MAX_MD_SIZE,
|
584
|
+
"ECH confirmation signal too big");
|
585
|
+
if (out.size() != ECH_CONFIRMATION_SIGNAL_LEN) {
|
539
586
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
540
587
|
return false;
|
541
588
|
}
|