grpc 1.37.1 → 1.40.0.pre1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +112 -59
- data/include/grpc/event_engine/README.md +38 -0
- data/include/grpc/event_engine/endpoint_config.h +48 -0
- data/include/grpc/event_engine/event_engine.h +330 -0
- data/include/grpc/event_engine/port.h +41 -0
- data/include/grpc/event_engine/slice_allocator.h +66 -0
- data/include/grpc/grpc.h +11 -4
- data/include/grpc/grpc_security.h +32 -0
- data/include/grpc/grpc_security_constants.h +15 -0
- data/include/grpc/impl/codegen/grpc_types.h +44 -19
- data/include/grpc/impl/codegen/port_platform.h +46 -0
- data/include/grpc/module.modulemap +14 -14
- data/src/core/ext/filters/client_channel/backup_poller.cc +3 -3
- data/src/core/ext/filters/client_channel/channel_connectivity.cc +177 -202
- data/src/core/ext/filters/client_channel/client_channel.cc +975 -3282
- data/src/core/ext/filters/client_channel/client_channel.h +513 -55
- data/src/core/ext/filters/client_channel/client_channel_channelz.h +1 -1
- data/src/core/ext/filters/client_channel/client_channel_plugin.cc +4 -1
- data/src/core/ext/filters/client_channel/config_selector.h +20 -7
- data/src/core/ext/filters/client_channel/connector.h +1 -1
- data/src/core/ext/filters/client_channel/dynamic_filters.cc +9 -10
- data/src/core/ext/filters/client_channel/dynamic_filters.h +3 -3
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +28 -27
- data/src/core/ext/filters/client_channel/health/health_check_client.h +30 -29
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +24 -21
- data/src/core/ext/filters/client_channel/http_proxy.cc +16 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +6 -6
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +53 -51
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.h +2 -1
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +14 -23
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +16 -16
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +734 -0
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +10 -0
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +10 -17
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +17 -20
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +53 -65
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +36 -44
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +33 -55
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +151 -163
- data/src/core/ext/filters/client_channel/lb_policy.cc +2 -16
- data/src/core/ext/filters/client_channel/lb_policy.h +70 -46
- data/src/core/ext/filters/client_channel/lb_policy_factory.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy_registry.cc +4 -4
- data/src/core/ext/filters/client_channel/lb_policy_registry.h +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +24 -18
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_event_engine.cc +31 -0
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +3 -3
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +14 -14
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +33 -24
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_event_engine.cc +28 -0
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_libuv.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_windows.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +18 -12
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +20 -28
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +7 -5
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +20 -13
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +158 -102
- data/src/core/ext/filters/client_channel/resolver.h +2 -2
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +32 -239
- data/src/core/ext/filters/client_channel/resolver_result_parsing.h +20 -49
- data/src/core/ext/filters/client_channel/retry_filter.cc +2598 -0
- data/src/core/ext/filters/client_channel/retry_filter.h +30 -0
- data/src/core/ext/filters/client_channel/retry_service_config.cc +316 -0
- data/src/core/ext/filters/client_channel/retry_service_config.h +96 -0
- data/src/core/ext/filters/client_channel/server_address.cc +1 -1
- data/src/core/ext/filters/client_channel/service_config.cc +15 -14
- data/src/core/ext/filters/client_channel/service_config.h +7 -6
- data/src/core/ext/filters/client_channel/service_config_call_data.h +45 -5
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +5 -4
- data/src/core/ext/filters/client_channel/service_config_parser.cc +6 -6
- data/src/core/ext/filters/client_channel/service_config_parser.h +7 -4
- data/src/core/ext/filters/client_channel/subchannel.cc +17 -16
- data/src/core/ext/filters/client_channel/subchannel.h +7 -6
- data/src/core/ext/filters/client_idle/client_idle_filter.cc +17 -16
- data/src/core/ext/filters/deadline/deadline_filter.cc +10 -10
- data/src/core/ext/filters/fault_injection/fault_injection_filter.cc +19 -18
- data/src/core/ext/filters/fault_injection/service_config_parser.cc +5 -5
- data/src/core/ext/filters/fault_injection/service_config_parser.h +1 -1
- data/src/core/ext/filters/http/client/http_client_filter.cc +33 -23
- data/src/core/ext/filters/http/client_authority_filter.cc +3 -3
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +23 -22
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +21 -21
- data/src/core/ext/filters/http/server/http_server_filter.cc +27 -23
- data/src/core/ext/filters/max_age/max_age_filter.cc +12 -10
- data/src/core/ext/filters/message_size/message_size_filter.cc +14 -11
- data/src/core/ext/filters/message_size/message_size_filter.h +1 -1
- data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +4 -3
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +7 -7
- data/src/core/ext/transport/chttp2/client/chttp2_connector.h +7 -7
- data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +2 -2
- data/src/core/ext/transport/chttp2/client/insecure/channel_create_posix.cc +3 -2
- data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +3 -3
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +49 -46
- data/src/core/ext/transport/chttp2/server/chttp2_server.h +2 -2
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +3 -4
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +5 -4
- data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +3 -4
- data/src/core/ext/transport/chttp2/transport/bin_decoder.cc +1 -1
- data/src/core/ext/transport/chttp2/transport/chttp2_slice_allocator.cc +66 -0
- data/src/core/ext/transport/chttp2/transport/chttp2_slice_allocator.h +74 -0
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +141 -126
- data/src/core/ext/transport/chttp2/transport/context_list.cc +4 -5
- data/src/core/ext/transport/chttp2/transport/context_list.h +4 -4
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +3 -3
- data/src/core/ext/transport/chttp2/transport/flow_control.h +9 -9
- data/src/core/ext/transport/chttp2/transport/frame_data.cc +12 -12
- data/src/core/ext/transport/chttp2/transport/frame_data.h +10 -10
- data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +15 -16
- data/src/core/ext/transport/chttp2/transport/frame_goaway.h +6 -6
- data/src/core/ext/transport/chttp2/transport/frame_ping.cc +7 -8
- data/src/core/ext/transport/chttp2/transport/frame_ping.h +7 -6
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +7 -7
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.h +6 -6
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +11 -10
- data/src/core/ext/transport/chttp2/transport/frame_settings.h +6 -6
- data/src/core/ext/transport/chttp2/transport/frame_window_update.cc +4 -6
- data/src/core/ext/transport/chttp2/transport/frame_window_update.h +4 -6
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +652 -736
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +195 -74
- data/src/core/ext/transport/chttp2/transport/hpack_table.cc +4 -3
- data/src/core/ext/transport/chttp2/transport/hpack_table.h +4 -4
- data/src/core/ext/transport/chttp2/transport/incoming_metadata.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/incoming_metadata.h +2 -2
- data/src/core/ext/transport/chttp2/transport/internal.h +33 -28
- data/src/core/ext/transport/chttp2/transport/parsing.cc +129 -106
- data/src/core/ext/transport/chttp2/transport/varint.cc +6 -4
- data/src/core/ext/transport/chttp2/transport/writing.cc +7 -3
- data/src/core/ext/transport/inproc/inproc_transport.cc +72 -60
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +56 -35
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +180 -76
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +35 -27
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +97 -48
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +45 -9
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +67 -7
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +66 -9
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +227 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/resolver.upb.c +46 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/resolver.upb.h +121 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/udp_socket_config.upb.c +35 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/udp_socket_config.upb.h +90 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +32 -24
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -73
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +4 -2
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +15 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +48 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +171 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +8 -6
- data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.h +27 -19
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +24 -7
- data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +57 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +29 -17
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +72 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c +3 -2
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h +4 -0
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c +6 -5
- data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h +15 -11
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +85 -43
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +274 -91
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +11 -8
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +30 -13
- data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.c +33 -5
- data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.h +115 -0
- data/src/core/ext/upb-generated/envoy/type/http/v3/path_transformation.upb.c +60 -0
- data/src/core/ext/upb-generated/envoy/type/http/v3/path_transformation.upb.h +181 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/regex.upb.c +1 -0
- data/src/core/ext/upb-generated/validate/validate.upb.c +82 -66
- data/src/core/ext/upb-generated/validate/validate.upb.h +220 -124
- data/src/core/ext/upbdefs-generated/envoy/annotations/deprecation.upbdefs.c +15 -7
- data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.c +53 -52
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +318 -277
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +437 -410
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +198 -170
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +10 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.c +9 -8
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +219 -163
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.h +15 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/resolver.upbdefs.c +59 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/resolver.upbdefs.h +40 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.c +29 -25
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/udp_socket_config.upbdefs.c +52 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/udp_socket_config.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +135 -125
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.c +131 -123
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +90 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.h +35 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c +32 -24
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c +69 -55
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +684 -664
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c +13 -10
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c +13 -10
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +441 -375
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.h +10 -0
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.c +122 -114
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +1 -1
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +112 -79
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/type/http/v3/path_transformation.upbdefs.c +64 -0
- data/src/core/ext/upbdefs-generated/envoy/type/http/v3/path_transformation.upbdefs.h +50 -0
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/regex.upbdefs.c +35 -32
- data/src/core/ext/upbdefs-generated/google/rpc/status.upbdefs.c +4 -4
- data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.c +182 -160
- data/src/core/ext/xds/certificate_provider_factory.h +1 -1
- data/src/core/ext/xds/certificate_provider_store.h +3 -3
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc +3 -3
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.h +2 -2
- data/src/core/ext/xds/xds_api.cc +665 -317
- data/src/core/ext/xds/xds_api.h +52 -14
- data/src/core/ext/xds/xds_bootstrap.cc +101 -160
- data/src/core/ext/xds/xds_bootstrap.h +19 -24
- data/src/core/ext/xds/xds_certificate_provider.cc +4 -4
- data/src/core/ext/xds/xds_certificate_provider.h +4 -4
- data/src/core/ext/xds/xds_channel_args.h +5 -2
- data/src/core/ext/xds/xds_client.cc +370 -215
- data/src/core/ext/xds/xds_client.h +38 -28
- data/src/core/ext/xds/xds_client_stats.h +3 -2
- data/src/core/ext/xds/xds_http_filters.cc +3 -2
- data/src/core/ext/xds/xds_http_filters.h +3 -0
- data/src/core/ext/xds/xds_server_config_fetcher.cc +34 -20
- data/src/core/lib/{iomgr → address_utils}/parse_address.cc +17 -17
- data/src/core/lib/{iomgr → address_utils}/parse_address.h +7 -7
- data/src/core/lib/{iomgr → address_utils}/sockaddr_utils.cc +16 -20
- data/src/core/lib/{iomgr → address_utils}/sockaddr_utils.h +16 -11
- data/src/core/lib/channel/call_tracer.h +85 -0
- data/src/core/lib/channel/channel_stack.cc +10 -9
- data/src/core/lib/channel/channel_stack.h +11 -10
- data/src/core/lib/channel/channel_stack_builder.cc +2 -2
- data/src/core/lib/channel/channel_stack_builder.h +1 -1
- data/src/core/lib/channel/channelz.cc +21 -13
- data/src/core/lib/channel/channelz.h +3 -0
- data/src/core/lib/channel/connected_channel.cc +4 -4
- data/src/core/lib/channel/context.h +3 -0
- data/src/core/lib/channel/handshaker.cc +7 -6
- data/src/core/lib/channel/handshaker.h +5 -5
- data/src/core/lib/channel/status_util.h +4 -0
- data/src/core/lib/compression/stream_compression.h +1 -1
- data/src/core/lib/compression/stream_compression_gzip.h +1 -1
- data/src/core/lib/compression/stream_compression_identity.h +1 -1
- data/src/core/lib/debug/stats.h +1 -1
- data/src/core/lib/event_engine/endpoint_config.cc +46 -0
- data/src/core/lib/event_engine/endpoint_config_internal.h +42 -0
- data/src/core/lib/event_engine/event_engine.cc +50 -0
- data/src/core/lib/event_engine/sockaddr.cc +40 -0
- data/src/core/lib/event_engine/sockaddr.h +44 -0
- data/src/core/lib/gpr/murmur_hash.cc +4 -2
- data/src/core/lib/gpr/wrap_memcpy.cc +2 -1
- data/src/core/lib/gprpp/manual_constructor.h +1 -1
- data/src/core/lib/gprpp/orphanable.h +3 -3
- data/src/core/lib/gprpp/ref_counted.h +28 -14
- data/src/core/lib/gprpp/status_helper.cc +407 -0
- data/src/core/lib/gprpp/status_helper.h +183 -0
- data/src/core/lib/gprpp/sync.h +2 -30
- data/src/core/lib/http/httpcli.cc +11 -11
- data/src/core/lib/http/httpcli_security_connector.cc +11 -7
- data/src/core/lib/http/parser.cc +16 -16
- data/src/core/lib/http/parser.h +4 -4
- data/src/core/lib/iomgr/buffer_list.cc +8 -10
- data/src/core/lib/iomgr/buffer_list.h +4 -5
- data/src/core/lib/iomgr/call_combiner.cc +15 -12
- data/src/core/lib/iomgr/call_combiner.h +12 -14
- data/src/core/lib/iomgr/cfstream_handle.cc +3 -3
- data/src/core/lib/iomgr/cfstream_handle.h +1 -1
- data/src/core/lib/iomgr/closure.h +7 -6
- data/src/core/lib/iomgr/combiner.cc +14 -12
- data/src/core/lib/iomgr/combiner.h +2 -2
- data/src/core/lib/iomgr/endpoint.cc +1 -1
- data/src/core/lib/iomgr/endpoint.h +2 -2
- data/src/core/lib/iomgr/endpoint_cfstream.cc +11 -13
- data/src/core/lib/iomgr/endpoint_pair_event_engine.cc +33 -0
- data/src/core/lib/iomgr/endpoint_pair_windows.cc +1 -1
- data/src/core/lib/iomgr/error.cc +168 -61
- data/src/core/lib/iomgr/error.h +217 -106
- data/src/core/lib/iomgr/error_cfstream.cc +3 -2
- data/src/core/lib/iomgr/error_cfstream.h +2 -2
- data/src/core/lib/iomgr/error_internal.h +5 -1
- data/src/core/lib/iomgr/ev_apple.cc +5 -5
- data/src/core/lib/iomgr/ev_apple.h +1 -1
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +19 -19
- data/src/core/lib/iomgr/ev_epollex_linux.cc +48 -45
- data/src/core/lib/iomgr/ev_poll_posix.cc +26 -23
- data/src/core/lib/iomgr/ev_posix.cc +9 -8
- data/src/core/lib/iomgr/ev_posix.h +9 -9
- data/src/core/lib/iomgr/event_engine/closure.cc +54 -0
- data/src/core/lib/iomgr/event_engine/closure.h +33 -0
- data/src/core/lib/iomgr/event_engine/endpoint.cc +192 -0
- data/src/core/lib/iomgr/event_engine/endpoint.h +53 -0
- data/src/core/lib/iomgr/event_engine/iomgr.cc +105 -0
- data/src/core/lib/iomgr/event_engine/iomgr.h +24 -0
- data/src/core/lib/iomgr/event_engine/pollset.cc +87 -0
- data/src/core/lib/iomgr/event_engine/pollset.h +25 -0
- data/src/core/lib/iomgr/event_engine/promise.h +51 -0
- data/src/core/lib/iomgr/event_engine/resolved_address_internal.cc +41 -0
- data/src/core/lib/iomgr/event_engine/resolved_address_internal.h +35 -0
- data/src/core/lib/iomgr/event_engine/resolver.cc +110 -0
- data/src/core/lib/iomgr/event_engine/tcp.cc +263 -0
- data/src/core/lib/iomgr/event_engine/timer.cc +57 -0
- data/src/core/lib/iomgr/exec_ctx.cc +12 -4
- data/src/core/lib/iomgr/exec_ctx.h +4 -5
- data/src/core/lib/iomgr/executor/threadpool.cc +2 -3
- data/src/core/lib/iomgr/executor/threadpool.h +2 -2
- data/src/core/lib/iomgr/executor.cc +8 -8
- data/src/core/lib/iomgr/executor.h +2 -2
- data/src/core/lib/iomgr/iomgr.cc +2 -2
- data/src/core/lib/iomgr/iomgr.h +1 -1
- data/src/core/lib/iomgr/iomgr_custom.cc +1 -1
- data/src/core/lib/iomgr/iomgr_internal.cc +2 -2
- data/src/core/lib/iomgr/iomgr_internal.h +3 -3
- data/src/core/lib/iomgr/iomgr_posix.cc +3 -1
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +42 -12
- data/src/core/lib/iomgr/iomgr_windows.cc +1 -1
- data/src/core/lib/iomgr/load_file.cc +4 -4
- data/src/core/lib/iomgr/load_file.h +2 -2
- data/src/core/lib/iomgr/lockfree_event.cc +5 -5
- data/src/core/lib/iomgr/lockfree_event.h +1 -1
- data/src/core/lib/iomgr/pollset.cc +5 -5
- data/src/core/lib/iomgr/pollset.h +9 -9
- data/src/core/lib/iomgr/pollset_custom.cc +7 -7
- data/src/core/lib/iomgr/pollset_custom.h +3 -1
- data/src/core/lib/iomgr/pollset_uv.cc +3 -1
- data/src/core/lib/iomgr/pollset_uv.h +5 -1
- data/src/core/lib/iomgr/pollset_windows.cc +5 -5
- data/src/core/lib/iomgr/port.h +7 -5
- data/src/core/lib/iomgr/python_util.h +2 -2
- data/src/core/lib/iomgr/resolve_address.cc +8 -4
- data/src/core/lib/iomgr/resolve_address.h +12 -6
- data/src/core/lib/iomgr/resolve_address_custom.cc +10 -9
- data/src/core/lib/iomgr/resolve_address_custom.h +3 -3
- data/src/core/lib/iomgr/resolve_address_posix.cc +3 -3
- data/src/core/lib/iomgr/resolve_address_windows.cc +4 -4
- data/src/core/lib/iomgr/resource_quota.cc +13 -10
- data/src/core/lib/iomgr/sockaddr.h +1 -0
- data/src/core/lib/iomgr/socket_mutator.cc +15 -2
- data/src/core/lib/iomgr/socket_mutator.h +26 -2
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +24 -22
- data/src/core/lib/iomgr/socket_utils_posix.h +20 -20
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +4 -4
- data/src/core/lib/iomgr/tcp_client_custom.cc +5 -6
- data/src/core/lib/iomgr/tcp_client_posix.cc +22 -19
- data/src/core/lib/iomgr/tcp_client_posix.h +3 -4
- data/src/core/lib/iomgr/tcp_client_windows.cc +7 -5
- data/src/core/lib/iomgr/tcp_custom.cc +14 -16
- data/src/core/lib/iomgr/tcp_custom.h +13 -12
- data/src/core/lib/iomgr/tcp_posix.cc +78 -73
- data/src/core/lib/iomgr/tcp_posix.h +8 -0
- data/src/core/lib/iomgr/tcp_server.cc +6 -6
- data/src/core/lib/iomgr/tcp_server.h +12 -11
- data/src/core/lib/iomgr/tcp_server_custom.cc +26 -25
- data/src/core/lib/iomgr/tcp_server_posix.cc +29 -21
- data/src/core/lib/iomgr/tcp_server_utils_posix.h +13 -12
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +21 -18
- data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +9 -9
- data/src/core/lib/iomgr/tcp_server_utils_posix_noifaddrs.cc +4 -4
- data/src/core/lib/iomgr/tcp_server_windows.cc +26 -25
- data/src/core/lib/iomgr/tcp_uv.cc +25 -23
- data/src/core/lib/iomgr/tcp_windows.cc +13 -13
- data/src/core/lib/iomgr/tcp_windows.h +2 -2
- data/src/core/lib/iomgr/timer.h +6 -1
- data/src/core/lib/iomgr/timer_custom.cc +2 -1
- data/src/core/lib/iomgr/timer_custom.h +1 -1
- data/src/core/lib/iomgr/timer_generic.cc +6 -6
- data/src/core/lib/iomgr/timer_manager.cc +1 -1
- data/src/core/lib/iomgr/udp_server.cc +21 -20
- data/src/core/lib/iomgr/unix_sockets_posix.cc +3 -3
- data/src/core/lib/iomgr/unix_sockets_posix.h +2 -2
- data/src/core/lib/iomgr/unix_sockets_posix_noop.cc +10 -7
- data/src/core/lib/iomgr/wakeup_fd_eventfd.cc +3 -3
- data/src/core/lib/iomgr/wakeup_fd_pipe.cc +4 -4
- data/src/core/lib/iomgr/wakeup_fd_posix.cc +3 -3
- data/src/core/lib/iomgr/wakeup_fd_posix.h +8 -6
- data/src/core/lib/iomgr/work_serializer.h +17 -1
- data/src/core/lib/json/json.h +1 -1
- data/src/core/lib/json/json_reader.cc +5 -6
- data/src/core/lib/matchers/matchers.cc +46 -58
- data/src/core/lib/matchers/matchers.h +30 -29
- data/src/core/lib/security/authorization/authorization_engine.h +44 -0
- data/src/core/lib/security/authorization/authorization_policy_provider.h +32 -0
- data/src/core/lib/security/authorization/authorization_policy_provider_vtable.cc +46 -0
- data/src/core/lib/security/authorization/evaluate_args.cc +209 -0
- data/src/core/lib/security/authorization/evaluate_args.h +91 -0
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +4 -4
- data/src/core/lib/security/credentials/composite/composite_credentials.h +2 -2
- data/src/core/lib/security/credentials/credentials.h +2 -2
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +17 -13
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +13 -11
- data/src/core/lib/security/credentials/external/aws_request_signer.cc +2 -1
- data/src/core/lib/security/credentials/external/aws_request_signer.h +1 -1
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +15 -12
- data/src/core/lib/security/credentials/external/external_account_credentials.h +9 -8
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +5 -4
- data/src/core/lib/security/credentials/external/file_external_account_credentials.h +4 -3
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +8 -8
- data/src/core/lib/security/credentials/external/url_external_account_credentials.h +9 -7
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +2 -2
- data/src/core/lib/security/credentials/fake/fake_credentials.h +2 -2
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +12 -10
- data/src/core/lib/security/credentials/iam/iam_credentials.cc +2 -2
- data/src/core/lib/security/credentials/iam/iam_credentials.h +2 -2
- data/src/core/lib/security/credentials/jwt/json_token.cc +2 -2
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +3 -3
- data/src/core/lib/security/credentials/jwt/jwt_credentials.h +2 -2
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +7 -5
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +21 -19
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +5 -5
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +5 -5
- data/src/core/lib/security/credentials/plugin/plugin_credentials.h +2 -2
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc +8 -7
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h +9 -9
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +68 -13
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +7 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc +4 -0
- data/src/core/lib/security/credentials/tls/tls_utils.cc +32 -0
- data/src/core/lib/security/credentials/tls/tls_utils.h +13 -0
- data/src/core/lib/security/credentials/xds/xds_credentials.cc +3 -3
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +13 -3
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +13 -3
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +2 -2
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.h +12 -2
- data/src/core/lib/security/security_connector/load_system_roots_linux.cc +1 -1
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +22 -9
- data/src/core/lib/security/security_connector/security_connector.h +9 -4
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +16 -6
- data/src/core/lib/security/security_connector/ssl_utils.cc +27 -4
- data/src/core/lib/security/security_connector/ssl_utils.h +4 -4
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +60 -76
- data/src/core/lib/security/security_connector/tls/tls_security_connector.h +66 -48
- data/src/core/lib/security/transport/client_auth_filter.cc +18 -10
- data/src/core/lib/security/transport/secure_endpoint.cc +4 -4
- data/src/core/lib/security/transport/security_handshaker.cc +45 -36
- data/src/core/lib/security/transport/server_auth_filter.cc +17 -18
- data/src/core/lib/security/transport/tsi_error.cc +2 -1
- data/src/core/lib/security/transport/tsi_error.h +2 -1
- data/src/core/lib/security/util/json_util.cc +2 -2
- data/src/core/lib/security/util/json_util.h +1 -1
- data/src/core/lib/slice/slice_internal.h +1 -0
- data/src/core/lib/surface/call.cc +72 -52
- data/src/core/lib/surface/call.h +13 -2
- data/src/core/lib/surface/channel.cc +6 -6
- data/src/core/lib/surface/channel.h +3 -2
- data/src/core/lib/surface/channel_ping.cc +1 -1
- data/src/core/lib/surface/completion_queue.cc +68 -69
- data/src/core/lib/surface/completion_queue.h +3 -2
- data/src/core/lib/surface/completion_queue_factory.cc +1 -2
- data/src/core/lib/surface/init.cc +1 -3
- data/src/core/lib/surface/init.h +10 -1
- data/src/core/lib/surface/lame_client.cc +11 -11
- data/src/core/lib/surface/lame_client.h +1 -1
- data/src/core/lib/surface/server.cc +31 -23
- data/src/core/lib/surface/server.h +19 -18
- data/src/core/lib/surface/validate_metadata.cc +7 -7
- data/src/core/lib/surface/validate_metadata.h +3 -2
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/byte_stream.cc +5 -5
- data/src/core/lib/transport/byte_stream.h +8 -8
- data/src/core/lib/transport/connectivity_state.cc +1 -1
- data/src/core/lib/transport/error_utils.cc +21 -10
- data/src/core/lib/transport/error_utils.h +11 -5
- data/src/core/lib/transport/metadata_batch.cc +37 -37
- data/src/core/lib/transport/metadata_batch.h +19 -18
- data/src/core/lib/transport/transport.cc +4 -3
- data/src/core/lib/transport/transport.h +6 -4
- data/src/core/lib/transport/transport_op_string.cc +6 -6
- data/src/core/plugin_registry/grpc_plugin_registry.cc +4 -0
- data/src/core/tsi/alts/crypt/gsec.h +6 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +5 -4
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +7 -6
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker_private.h +2 -1
- data/src/core/tsi/ssl_transport_security.cc +32 -14
- data/src/core/tsi/ssl_transport_security.h +3 -4
- data/src/ruby/bin/math_services_pb.rb +1 -1
- data/src/ruby/ext/grpc/extconf.rb +2 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +6 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +11 -2
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/grpc/health/v1/health_services_pb.rb +1 -1
- data/src/ruby/pb/src/proto/grpc/testing/test_services_pb.rb +6 -6
- data/third_party/abseil-cpp/absl/algorithm/container.h +3 -3
- data/third_party/abseil-cpp/absl/base/attributes.h +24 -4
- data/third_party/abseil-cpp/absl/base/call_once.h +2 -9
- data/third_party/abseil-cpp/absl/base/config.h +37 -9
- data/third_party/abseil-cpp/absl/base/dynamic_annotations.h +24 -10
- data/third_party/abseil-cpp/absl/base/internal/direct_mmap.h +4 -1
- data/third_party/abseil-cpp/absl/base/internal/endian.h +61 -0
- data/third_party/abseil-cpp/absl/base/internal/low_level_scheduling.h +2 -3
- data/third_party/abseil-cpp/absl/base/internal/raw_logging.cc +34 -32
- data/third_party/abseil-cpp/absl/base/internal/raw_logging.h +16 -6
- data/third_party/abseil-cpp/absl/base/internal/spinlock.cc +11 -2
- data/third_party/abseil-cpp/absl/base/internal/spinlock.h +14 -5
- data/third_party/abseil-cpp/absl/base/internal/spinlock_akaros.inc +2 -2
- data/third_party/abseil-cpp/absl/base/internal/spinlock_linux.inc +3 -3
- data/third_party/abseil-cpp/absl/base/internal/spinlock_posix.inc +2 -2
- data/third_party/abseil-cpp/absl/base/internal/spinlock_wait.h +11 -11
- data/third_party/abseil-cpp/absl/base/internal/spinlock_win32.inc +5 -5
- data/third_party/abseil-cpp/absl/base/internal/sysinfo.cc +1 -1
- data/third_party/abseil-cpp/absl/base/internal/thread_identity.cc +5 -2
- data/third_party/abseil-cpp/absl/base/internal/thread_identity.h +43 -42
- data/third_party/abseil-cpp/absl/base/internal/throw_delegate.cc +111 -7
- data/third_party/abseil-cpp/absl/base/internal/unaligned_access.h +0 -76
- data/third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc +1 -3
- data/third_party/abseil-cpp/absl/base/log_severity.h +4 -4
- data/third_party/abseil-cpp/absl/base/macros.h +11 -0
- data/third_party/abseil-cpp/absl/base/optimization.h +10 -7
- data/third_party/abseil-cpp/absl/base/options.h +1 -1
- data/third_party/abseil-cpp/absl/base/port.h +0 -1
- data/third_party/abseil-cpp/absl/base/thread_annotations.h +1 -1
- data/third_party/abseil-cpp/absl/container/fixed_array.h +2 -2
- data/third_party/abseil-cpp/absl/container/inlined_vector.h +5 -3
- data/third_party/abseil-cpp/absl/container/internal/compressed_tuple.h +1 -1
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc +5 -1
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.h +2 -1
- data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc +2 -1
- data/third_party/abseil-cpp/absl/container/internal/inlined_vector.h +141 -66
- data/third_party/abseil-cpp/absl/container/internal/layout.h +4 -4
- data/third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc +14 -1
- data/third_party/abseil-cpp/absl/container/internal/raw_hash_set.h +136 -136
- data/third_party/abseil-cpp/absl/debugging/internal/demangle.cc +16 -12
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_aarch64-inl.inc +5 -2
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_config.h +3 -12
- data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_powerpc-inl.inc +6 -1
- data/third_party/abseil-cpp/absl/debugging/internal/symbolize.h +3 -5
- data/third_party/abseil-cpp/absl/debugging/symbolize_darwin.inc +2 -2
- data/third_party/abseil-cpp/absl/debugging/symbolize_elf.inc +2 -2
- data/third_party/abseil-cpp/absl/hash/internal/city.cc +15 -12
- data/third_party/abseil-cpp/absl/hash/internal/city.h +1 -19
- data/third_party/abseil-cpp/absl/hash/internal/hash.cc +25 -10
- data/third_party/abseil-cpp/absl/hash/internal/hash.h +86 -37
- data/third_party/abseil-cpp/absl/hash/internal/wyhash.cc +111 -0
- data/third_party/abseil-cpp/absl/hash/internal/wyhash.h +48 -0
- data/third_party/abseil-cpp/absl/meta/type_traits.h +16 -2
- data/third_party/abseil-cpp/absl/numeric/bits.h +177 -0
- data/third_party/abseil-cpp/absl/numeric/int128.cc +3 -3
- data/third_party/abseil-cpp/absl/numeric/internal/bits.h +358 -0
- data/third_party/abseil-cpp/absl/numeric/internal/representation.h +55 -0
- data/third_party/abseil-cpp/absl/status/internal/status_internal.h +18 -0
- data/third_party/abseil-cpp/absl/status/internal/statusor_internal.h +4 -7
- data/third_party/abseil-cpp/absl/status/status.cc +29 -22
- data/third_party/abseil-cpp/absl/status/status.h +81 -20
- data/third_party/abseil-cpp/absl/status/statusor.h +3 -3
- data/third_party/abseil-cpp/absl/strings/charconv.cc +5 -5
- data/third_party/abseil-cpp/absl/strings/cord.cc +326 -371
- data/third_party/abseil-cpp/absl/strings/cord.h +182 -64
- data/third_party/abseil-cpp/absl/strings/escaping.cc +4 -4
- data/third_party/abseil-cpp/absl/strings/internal/charconv_parse.cc +6 -6
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.cc +83 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +387 -17
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_flat.h +146 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring.cc +897 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring.h +589 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring_reader.h +114 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.cc +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.h +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.cc +15 -1
- data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.h +19 -4
- data/third_party/abseil-cpp/absl/strings/internal/str_format/checker.h +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.cc +36 -18
- data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.h +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.cc +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.h +14 -0
- data/third_party/abseil-cpp/absl/strings/internal/str_split_internal.h +15 -40
- data/third_party/abseil-cpp/absl/strings/internal/string_constant.h +64 -0
- data/third_party/abseil-cpp/absl/strings/match.cc +6 -3
- data/third_party/abseil-cpp/absl/strings/match.h +16 -6
- data/third_party/abseil-cpp/absl/strings/numbers.cc +132 -4
- data/third_party/abseil-cpp/absl/strings/numbers.h +10 -10
- data/third_party/abseil-cpp/absl/strings/str_join.h +1 -1
- data/third_party/abseil-cpp/absl/strings/str_split.h +38 -4
- data/third_party/abseil-cpp/absl/synchronization/internal/futex.h +154 -0
- data/third_party/abseil-cpp/absl/synchronization/internal/kernel_timeout.h +2 -1
- data/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.cc +2 -2
- data/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.h +4 -4
- data/third_party/abseil-cpp/absl/synchronization/internal/waiter.cc +1 -65
- data/third_party/abseil-cpp/absl/synchronization/internal/waiter.h +2 -6
- data/third_party/abseil-cpp/absl/synchronization/mutex.cc +71 -59
- data/third_party/abseil-cpp/absl/synchronization/mutex.h +79 -62
- data/third_party/abseil-cpp/absl/time/clock.cc +146 -130
- data/third_party/abseil-cpp/absl/time/clock.h +2 -2
- data/third_party/abseil-cpp/absl/time/duration.cc +3 -2
- data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time_detail.h +7 -11
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.cc +7 -1
- data/third_party/abseil-cpp/absl/time/internal/cctz/src/tzfile.h +4 -4
- data/third_party/abseil-cpp/absl/time/time.cc +4 -3
- data/third_party/abseil-cpp/absl/time/time.h +26 -24
- data/third_party/abseil-cpp/absl/types/internal/variant.h +1 -1
- data/third_party/abseil-cpp/absl/types/variant.h +9 -4
- data/third_party/boringssl-with-bazel/err_data.c +483 -461
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +9 -7
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +18 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_locl.h +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +1 -88
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -3
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +119 -273
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/err/err.c +87 -80
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +9 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +11 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +25 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +7 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digests.c +10 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/md32_common.h +87 -160
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +104 -93
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +39 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +52 -65
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md5/md5.c +52 -66
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +33 -22
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +17 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +1 -22
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +0 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +26 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +26 -24
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +10 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +79 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +14 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +61 -75
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +80 -103
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +40 -49
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +367 -315
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +65 -0
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +14 -0
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +5 -3
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +95 -48
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_asn1.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +0 -28
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +120 -11
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +19 -25
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +42 -89
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +9 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +14 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +53 -73
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +31 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +21 -17
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +7 -25
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +25 -22
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +5 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +7 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +5 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +1 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +66 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +120 -41
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +47 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/chacha.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +0 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +24 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +6 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +5 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +33 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +3 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +20 -49
- data/third_party/boringssl-with-bazel/src/{crypto/x509/x509_r2x.c → include/openssl/evp_errors.h} +41 -58
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +325 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/obj.h +24 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +25 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +9 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +2 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +99 -63
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +283 -85
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +13 -19
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +445 -152
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +451 -435
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +7 -2
- data/third_party/boringssl-with-bazel/src/ssl/d1_srtp.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +1133 -0
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +298 -22
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +66 -30
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +189 -86
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +154 -24
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +414 -135
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +9 -3
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +14 -19
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +4 -6
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +23 -26
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +51 -60
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +2 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +8 -31
- data/third_party/boringssl-with-bazel/src/ssl/ssl_stat.cc +3 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +4 -3
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +7 -3
- data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +664 -702
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +65 -7
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +98 -39
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +141 -94
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +213 -118
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +4 -2
- data/third_party/xxhash/xxhash.h +77 -195
- metadata +116 -51
- data/src/core/lib/gpr/arena.h +0 -47
- data/src/core/lib/iomgr/poller/eventmanager_libuv.cc +0 -88
- data/src/core/lib/iomgr/poller/eventmanager_libuv.h +0 -88
- data/third_party/abseil-cpp/absl/base/internal/bits.h +0 -219
- data/third_party/abseil-cpp/absl/synchronization/internal/mutex_nonprod.inc +0 -249
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/is_fips.c +0 -29
- data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +0 -246
- data/third_party/boringssl-with-bazel/src/crypto/x509/vpm_int.h +0 -71
@@ -175,7 +175,9 @@ OPENSSL_EXPORT int i2d_PKCS12_fp(FILE *fp, const PKCS12 *p12);
|
|
175
175
|
//
|
176
176
|
// Note if |p12| does not contain a private key, both |*out_pkey| and
|
177
177
|
// |*out_cert| will be set to NULL and all certificates will be returned via
|
178
|
-
// |*out_ca_certs|.
|
178
|
+
// |*out_ca_certs|. Also note this function differs from OpenSSL in that extra
|
179
|
+
// certificates are returned in the order they appear in the file. OpenSSL 1.1.1
|
180
|
+
// returns them in reverse order, but this will be fixed in OpenSSL 3.0.
|
179
181
|
//
|
180
182
|
// It returns one on success and zero on error.
|
181
183
|
//
|
@@ -206,6 +208,12 @@ OPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
|
|
206
208
|
// Each of |key_nid|, |cert_nid|, |iterations|, and |mac_iterations| may be zero
|
207
209
|
// to use defaults, which are |NID_pbe_WithSHA1And3_Key_TripleDES_CBC|,
|
208
210
|
// |NID_pbe_WithSHA1And40BitRC2_CBC|, 2048, and one, respectively.
|
211
|
+
//
|
212
|
+
// |key_nid| or |cert_nid| may also be -1 to disable encryption of the key or
|
213
|
+
// certificate, respectively. This option is not recommended and is only
|
214
|
+
// implemented for compatibility with external packages. Note the output still
|
215
|
+
// requires a password for the MAC. Unencrypted keys in PKCS#12 are also not
|
216
|
+
// widely supported and may not open in other implementations.
|
209
217
|
OPENSSL_EXPORT PKCS12 *PKCS12_create(const char *password, const char *name,
|
210
218
|
const EVP_PKEY *pkey, X509 *cert,
|
211
219
|
const STACK_OF(X509) *chain, int key_nid,
|
@@ -103,8 +103,8 @@ OPENSSL_EXPORT RAND_METHOD *RAND_OpenSSL(void);
|
|
103
103
|
// RAND_get_rand_method returns |RAND_SSLeay()|.
|
104
104
|
OPENSSL_EXPORT const RAND_METHOD *RAND_get_rand_method(void);
|
105
105
|
|
106
|
-
// RAND_set_rand_method
|
107
|
-
OPENSSL_EXPORT
|
106
|
+
// RAND_set_rand_method returns one.
|
107
|
+
OPENSSL_EXPORT int RAND_set_rand_method(const RAND_METHOD *);
|
108
108
|
|
109
109
|
|
110
110
|
#if defined(__cplusplus)
|
@@ -283,120 +283,155 @@ OPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from,
|
|
283
283
|
// These functions are considered non-mutating for thread-safety purposes and
|
284
284
|
// may be used concurrently.
|
285
285
|
|
286
|
-
// RSA_sign signs |
|
286
|
+
// RSA_sign signs |digest_len| bytes of digest from |digest| with |rsa| using
|
287
287
|
// RSASSA-PKCS1-v1_5. It writes, at most, |RSA_size(rsa)| bytes to |out|. On
|
288
288
|
// successful return, the actual number of bytes written is written to
|
289
289
|
// |*out_len|.
|
290
290
|
//
|
291
|
-
// The |hash_nid| argument identifies the hash function used to calculate
|
292
|
-
// and is embedded in the resulting signature. For example, it might be
|
291
|
+
// The |hash_nid| argument identifies the hash function used to calculate
|
292
|
+
// |digest| and is embedded in the resulting signature. For example, it might be
|
293
293
|
// |NID_sha256|.
|
294
294
|
//
|
295
295
|
// It returns 1 on success and zero on error.
|
296
|
-
|
297
|
-
|
298
|
-
|
296
|
+
//
|
297
|
+
// WARNING: |digest| must be the result of hashing the data to be signed with
|
298
|
+
// |hash_nid|. Passing unhashed inputs will not result in a secure signature
|
299
|
+
// scheme.
|
300
|
+
OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *digest,
|
301
|
+
unsigned digest_len, uint8_t *out,
|
302
|
+
unsigned *out_len, RSA *rsa);
|
299
303
|
|
300
|
-
// RSA_sign_pss_mgf1 signs |
|
301
|
-
// |rsa| using RSASSA-PSS with MGF1 as the mask generation function. It
|
302
|
-
// at most, |max_out| bytes of signature data to |out|. The |max_out|
|
303
|
-
// must be, at least, |RSA_size| in order to ensure success. It returns
|
304
|
-
// success or zero on error.
|
304
|
+
// RSA_sign_pss_mgf1 signs |digest_len| bytes from |digest| with the public key
|
305
|
+
// from |rsa| using RSASSA-PSS with MGF1 as the mask generation function. It
|
306
|
+
// writes, at most, |max_out| bytes of signature data to |out|. The |max_out|
|
307
|
+
// argument must be, at least, |RSA_size| in order to ensure success. It returns
|
308
|
+
// 1 on success or zero on error.
|
305
309
|
//
|
306
|
-
// The |md| and |mgf1_md| arguments identify the hash used to calculate |
|
310
|
+
// The |md| and |mgf1_md| arguments identify the hash used to calculate |digest|
|
307
311
|
// and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is
|
308
312
|
// used.
|
309
313
|
//
|
310
314
|
// |salt_len| specifies the expected salt length in bytes. If |salt_len| is -1,
|
311
315
|
// then the salt length is the same as the hash length. If -2, then the salt
|
312
316
|
// length is maximal given the size of |rsa|. If unsure, use -1.
|
317
|
+
//
|
318
|
+
// WARNING: |digest| must be the result of hashing the data to be signed with
|
319
|
+
// |md|. Passing unhashed inputs will not result in a secure signature scheme.
|
313
320
|
OPENSSL_EXPORT int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out,
|
314
|
-
size_t max_out, const uint8_t *
|
315
|
-
size_t
|
321
|
+
size_t max_out, const uint8_t *digest,
|
322
|
+
size_t digest_len, const EVP_MD *md,
|
316
323
|
const EVP_MD *mgf1_md, int salt_len);
|
317
324
|
|
318
|
-
// RSA_sign_raw
|
319
|
-
//
|
320
|
-
// |max_out| argument must be, at least, |RSA_size| in order to ensure
|
321
|
-
//
|
322
|
-
//
|
323
|
-
//
|
324
|
-
//
|
325
|
-
//
|
326
|
-
//
|
327
|
-
//
|
325
|
+
// RSA_sign_raw performs the private key portion of computing a signature with
|
326
|
+
// |rsa|. It writes, at most, |max_out| bytes of signature data to |out|. The
|
327
|
+
// |max_out| argument must be, at least, |RSA_size| in order to ensure the
|
328
|
+
// output fits. It returns 1 on success or zero on error.
|
329
|
+
//
|
330
|
+
// If |padding| is |RSA_PKCS1_PADDING|, this function wraps |in| with the
|
331
|
+
// padding portion of RSASSA-PKCS1-v1_5 and then performs the raw private key
|
332
|
+
// operation. The caller is responsible for hashing the input and wrapping it in
|
333
|
+
// a DigestInfo structure.
|
334
|
+
//
|
335
|
+
// If |padding| is |RSA_NO_PADDING|, this function only performs the raw private
|
336
|
+
// key operation, interpreting |in| as a integer modulo n. The caller is
|
337
|
+
// responsible for hashing the input and encoding it for the signature scheme
|
338
|
+
// being implemented.
|
339
|
+
//
|
340
|
+
// WARNING: This function is a building block for a signature scheme, not a
|
341
|
+
// complete one. |in| must be the result of hashing and encoding the data as
|
342
|
+
// needed for the scheme being implemented. Passing in arbitrary inputs will not
|
343
|
+
// result in a secure signature scheme.
|
328
344
|
OPENSSL_EXPORT int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
|
329
345
|
size_t max_out, const uint8_t *in,
|
330
346
|
size_t in_len, int padding);
|
331
347
|
|
332
348
|
// RSA_verify verifies that |sig_len| bytes from |sig| are a valid,
|
333
|
-
// RSASSA-PKCS1-v1_5 signature of |
|
349
|
+
// RSASSA-PKCS1-v1_5 signature of |digest_len| bytes at |digest| by |rsa|.
|
334
350
|
//
|
335
|
-
// The |hash_nid| argument identifies the hash function used to calculate
|
336
|
-
// and is embedded in the resulting signature in order to prevent hash
|
351
|
+
// The |hash_nid| argument identifies the hash function used to calculate
|
352
|
+
// |digest| and is embedded in the resulting signature in order to prevent hash
|
337
353
|
// confusion attacks. For example, it might be |NID_sha256|.
|
338
354
|
//
|
339
355
|
// It returns one if the signature is valid and zero otherwise.
|
340
356
|
//
|
341
357
|
// WARNING: this differs from the original, OpenSSL function which additionally
|
342
358
|
// returned -1 on error.
|
343
|
-
|
344
|
-
|
359
|
+
//
|
360
|
+
// WARNING: |digest| must be the result of hashing the data to be verified with
|
361
|
+
// |hash_nid|. Passing unhashed input will not result in a secure signature
|
362
|
+
// scheme.
|
363
|
+
OPENSSL_EXPORT int RSA_verify(int hash_nid, const uint8_t *digest,
|
364
|
+
size_t digest_len, const uint8_t *sig,
|
365
|
+
size_t sig_len, RSA *rsa);
|
345
366
|
|
346
367
|
// RSA_verify_pss_mgf1 verifies that |sig_len| bytes from |sig| are a valid,
|
347
|
-
// RSASSA-PSS signature of |
|
348
|
-
// the signature is valid and zero otherwise. MGF1 is used as the mask
|
368
|
+
// RSASSA-PSS signature of |digest_len| bytes at |digest| by |rsa|. It returns
|
369
|
+
// one if the signature is valid and zero otherwise. MGF1 is used as the mask
|
349
370
|
// generation function.
|
350
371
|
//
|
351
|
-
// The |md| and |mgf1_md| arguments identify the hash used to calculate |
|
372
|
+
// The |md| and |mgf1_md| arguments identify the hash used to calculate |digest|
|
352
373
|
// and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is
|
353
374
|
// used. |salt_len| specifies the expected salt length in bytes.
|
354
375
|
//
|
355
376
|
// If |salt_len| is -1, then the salt length is the same as the hash length. If
|
356
377
|
// -2, then the salt length is recovered and all values accepted. If unsure, use
|
357
378
|
// -1.
|
358
|
-
|
359
|
-
|
379
|
+
//
|
380
|
+
// WARNING: |digest| must be the result of hashing the data to be verified with
|
381
|
+
// |md|. Passing unhashed input will not result in a secure signature scheme.
|
382
|
+
OPENSSL_EXPORT int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest,
|
383
|
+
size_t digest_len, const EVP_MD *md,
|
360
384
|
const EVP_MD *mgf1_md, int salt_len,
|
361
385
|
const uint8_t *sig, size_t sig_len);
|
362
386
|
|
363
|
-
// RSA_verify_raw
|
364
|
-
//
|
365
|
-
//
|
366
|
-
// ensure
|
387
|
+
// RSA_verify_raw performs the public key portion of verifying |in_len| bytes of
|
388
|
+
// signature from |in| using the public key from |rsa|. On success, it returns
|
389
|
+
// one and writes, at most, |max_out| bytes of output to |out|. The |max_out|
|
390
|
+
// argument must be, at least, |RSA_size| in order to ensure the output fits. On
|
391
|
+
// failure or invalid input, it returns zero.
|
367
392
|
//
|
368
|
-
//
|
393
|
+
// If |padding| is |RSA_PKCS1_PADDING|, this function checks the padding portion
|
394
|
+
// of RSASSA-PKCS1-v1_5 and outputs the remainder of the encoded digest. The
|
395
|
+
// caller is responsible for checking the output is a DigestInfo-wrapped digest
|
396
|
+
// of the message.
|
369
397
|
//
|
370
|
-
//
|
371
|
-
//
|
372
|
-
//
|
373
|
-
//
|
398
|
+
// If |padding| is |RSA_NO_PADDING|, this function only performs the raw public
|
399
|
+
// key operation. The caller is responsible for checking the output is a valid
|
400
|
+
// result for the signature scheme being implemented.
|
401
|
+
//
|
402
|
+
// WARNING: This function is a building block for a signature scheme, not a
|
403
|
+
// complete one. Checking for arbitrary strings in |out| will not result in a
|
404
|
+
// secure signature scheme.
|
374
405
|
OPENSSL_EXPORT int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out,
|
375
406
|
size_t max_out, const uint8_t *in,
|
376
407
|
size_t in_len, int padding);
|
377
408
|
|
378
|
-
// RSA_private_encrypt
|
379
|
-
// |rsa
|
380
|
-
// least |RSA_size| bytes of space. It
|
381
|
-
//
|
382
|
-
// values. If in doubt, |RSA_PKCS1_PADDING| is the most common but
|
383
|
-
// |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for new
|
384
|
-
// protocols.
|
409
|
+
// RSA_private_encrypt performs the private key portion of computing a signature
|
410
|
+
// with |rsa|. It takes |flen| bytes from |from| as input and writes the result
|
411
|
+
// to |to|. The |to| buffer must have at least |RSA_size| bytes of space. It
|
412
|
+
// returns the number of bytes written, or -1 on error.
|
385
413
|
//
|
386
|
-
//
|
414
|
+
// For the interpretation of |padding| and the input, see |RSA_sign_raw|.
|
415
|
+
//
|
416
|
+
// WARNING: This function is a building block for a signature scheme, not a
|
417
|
+
// complete one. See |RSA_sign_raw| for details.
|
418
|
+
//
|
419
|
+
// WARNING: This function is dangerous because it breaks the usual return value
|
387
420
|
// convention. Use |RSA_sign_raw| instead.
|
388
421
|
OPENSSL_EXPORT int RSA_private_encrypt(size_t flen, const uint8_t *from,
|
389
422
|
uint8_t *to, RSA *rsa, int padding);
|
390
423
|
|
391
|
-
// RSA_public_decrypt
|
392
|
-
//
|
393
|
-
// have at least |RSA_size| bytes of space. It
|
394
|
-
// written, or -1 on error.
|
395
|
-
// |RSA_*_PADDING| values. If in doubt, |RSA_PKCS1_PADDING| is the most common
|
396
|
-
// but |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for
|
397
|
-
// new protocols.
|
424
|
+
// RSA_public_decrypt performs the public key portion of verifying |flen| bytes
|
425
|
+
// of signature from |from| using the public key from |rsa|. It writes the
|
426
|
+
// result to |to|, which must have at least |RSA_size| bytes of space. It
|
427
|
+
// returns the number of bytes written, or -1 on error.
|
398
428
|
//
|
399
|
-
//
|
429
|
+
// For the interpretation of |padding| and the result, see |RSA_verify_raw|.
|
430
|
+
//
|
431
|
+
// WARNING: This function is a building block for a signature scheme, not a
|
432
|
+
// complete one. See |RSA_verify_raw| for details.
|
433
|
+
//
|
434
|
+
// WARNING: This function is dangerous because it breaks the usual return value
|
400
435
|
// convention. Use |RSA_verify_raw| instead.
|
401
436
|
OPENSSL_EXPORT int RSA_public_decrypt(size_t flen, const uint8_t *from,
|
402
437
|
uint8_t *to, RSA *rsa, int padding);
|
@@ -479,13 +514,14 @@ OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP_mgf1(
|
|
479
514
|
const uint8_t *param, size_t param_len, const EVP_MD *md,
|
480
515
|
const EVP_MD *mgf1md);
|
481
516
|
|
482
|
-
// RSA_add_pkcs1_prefix builds a version of |
|
483
|
-
// header for the given hash function and sets |out_msg| to point to
|
484
|
-
// successful return, if |*is_alloced| is one, the caller must release
|
517
|
+
// RSA_add_pkcs1_prefix builds a version of |digest| prefixed with the
|
518
|
+
// DigestInfo header for the given hash function and sets |out_msg| to point to
|
519
|
+
// it. On successful return, if |*is_alloced| is one, the caller must release
|
485
520
|
// |*out_msg| with |OPENSSL_free|.
|
486
521
|
OPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
|
487
522
|
int *is_alloced, int hash_nid,
|
488
|
-
const uint8_t *
|
523
|
+
const uint8_t *digest,
|
524
|
+
size_t digest_len);
|
489
525
|
|
490
526
|
|
491
527
|
// ASN.1 functions.
|
@@ -508,12 +508,10 @@ OPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code);
|
|
508
508
|
// TODO(davidben): Remove this. It's used by accept BIOs which are bizarre.
|
509
509
|
#define SSL_ERROR_WANT_ACCEPT 8
|
510
510
|
|
511
|
-
// SSL_ERROR_WANT_CHANNEL_ID_LOOKUP
|
512
|
-
// the Channel ID key. The caller may retry the operation when |channel_id_cb|
|
513
|
-
// is ready to return a key or one has been configured with
|
514
|
-
// |SSL_set1_tls_channel_id|.
|
511
|
+
// SSL_ERROR_WANT_CHANNEL_ID_LOOKUP is never used.
|
515
512
|
//
|
516
|
-
//
|
513
|
+
// TODO(davidben): Remove this. Some callers reference it when stringifying
|
514
|
+
// errors. They should use |SSL_error_description| instead.
|
517
515
|
#define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9
|
518
516
|
|
519
517
|
// SSL_ERROR_PENDING_SESSION indicates the operation failed because the session
|
@@ -567,6 +565,11 @@ OPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code);
|
|
567
565
|
// See also |ssl_renegotiate_explicit|.
|
568
566
|
#define SSL_ERROR_WANT_RENEGOTIATE 19
|
569
567
|
|
568
|
+
// SSL_ERROR_HANDSHAKE_HINTS_READY indicates the handshake has progressed enough
|
569
|
+
// for |SSL_serialize_handshake_hints| to be called. See also
|
570
|
+
// |SSL_request_handshake_hints|.
|
571
|
+
#define SSL_ERROR_HANDSHAKE_HINTS_READY 20
|
572
|
+
|
570
573
|
// SSL_error_description returns a string representation of |err|, where |err|
|
571
574
|
// is one of the |SSL_ERROR_*| constants returned by |SSL_get_error|, or NULL
|
572
575
|
// if the value is unrecognized.
|
@@ -1276,6 +1279,15 @@ OPENSSL_EXPORT void SSL_set_private_key_method(
|
|
1276
1279
|
OPENSSL_EXPORT void SSL_CTX_set_private_key_method(
|
1277
1280
|
SSL_CTX *ctx, const SSL_PRIVATE_KEY_METHOD *key_method);
|
1278
1281
|
|
1282
|
+
// SSL_can_release_private_key returns one if |ssl| will no longer call into the
|
1283
|
+
// private key and zero otherwise. If the function returns one, the caller can
|
1284
|
+
// release state associated with the private key.
|
1285
|
+
//
|
1286
|
+
// NOTE: This function assumes the caller does not use |SSL_clear| to reuse
|
1287
|
+
// |ssl| for a second connection. If |SSL_clear| is used, BoringSSL may still
|
1288
|
+
// use the private key on the second connection.
|
1289
|
+
OPENSSL_EXPORT int SSL_can_release_private_key(const SSL *ssl);
|
1290
|
+
|
1279
1291
|
|
1280
1292
|
// Cipher suites.
|
1281
1293
|
//
|
@@ -1779,8 +1791,10 @@ OPENSSL_EXPORT int SSL_SESSION_set1_id_context(SSL_SESSION *session,
|
|
1779
1791
|
// used without leaking a correlator.
|
1780
1792
|
OPENSSL_EXPORT int SSL_SESSION_should_be_single_use(const SSL_SESSION *session);
|
1781
1793
|
|
1782
|
-
// SSL_SESSION_is_resumable returns one if |session| is
|
1783
|
-
// otherwise.
|
1794
|
+
// SSL_SESSION_is_resumable returns one if |session| is complete and contains a
|
1795
|
+
// session ID or ticket. It returns zero otherwise. Note this function does not
|
1796
|
+
// ensure |session| will be resumed. It may be expired, dropped by the server,
|
1797
|
+
// or associated with incompatible parameters.
|
1784
1798
|
OPENSSL_EXPORT int SSL_SESSION_is_resumable(const SSL_SESSION *session);
|
1785
1799
|
|
1786
1800
|
// SSL_SESSION_has_ticket returns one if |session| has a ticket and zero
|
@@ -2723,8 +2737,9 @@ OPENSSL_EXPORT SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx);
|
|
2723
2737
|
|
2724
2738
|
// SSL_CTX_set_alpn_protos sets the client ALPN protocol list on |ctx| to
|
2725
2739
|
// |protos|. |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
|
2726
|
-
// length-prefixed strings)
|
2727
|
-
//
|
2740
|
+
// length-prefixed strings), or the empty string to disable ALPN. It returns
|
2741
|
+
// zero on success and one on failure. Configuring a non-empty string enables
|
2742
|
+
// ALPN on a client.
|
2728
2743
|
//
|
2729
2744
|
// WARNING: this function is dangerous because it breaks the usual return value
|
2730
2745
|
// convention.
|
@@ -2733,8 +2748,9 @@ OPENSSL_EXPORT int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
|
|
2733
2748
|
|
2734
2749
|
// SSL_set_alpn_protos sets the client ALPN protocol list on |ssl| to |protos|.
|
2735
2750
|
// |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
|
2736
|
-
// length-prefixed strings)
|
2737
|
-
//
|
2751
|
+
// length-prefixed strings), or the empty string to disable ALPN. It returns
|
2752
|
+
// zero on success and one on failure. Configuring a non-empty string enables
|
2753
|
+
// ALPN on a client.
|
2738
2754
|
//
|
2739
2755
|
// WARNING: this function is dangerous because it breaks the usual return value
|
2740
2756
|
// convention.
|
@@ -2956,15 +2972,16 @@ OPENSSL_EXPORT int SSL_select_next_proto(uint8_t **out, uint8_t *out_len,
|
|
2956
2972
|
|
2957
2973
|
// Channel ID.
|
2958
2974
|
//
|
2959
|
-
// See draft-balfanz-tls-channelid-01.
|
2975
|
+
// See draft-balfanz-tls-channelid-01. This is an old, experimental mechanism
|
2976
|
+
// and should not be used in new code.
|
2960
2977
|
|
2961
2978
|
// SSL_CTX_set_tls_channel_id_enabled configures whether connections associated
|
2962
|
-
// with |ctx| should enable Channel ID.
|
2979
|
+
// with |ctx| should enable Channel ID as a server.
|
2963
2980
|
OPENSSL_EXPORT void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx,
|
2964
2981
|
int enabled);
|
2965
2982
|
|
2966
2983
|
// SSL_set_tls_channel_id_enabled configures whether |ssl| should enable Channel
|
2967
|
-
// ID.
|
2984
|
+
// ID as a server.
|
2968
2985
|
OPENSSL_EXPORT void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled);
|
2969
2986
|
|
2970
2987
|
// SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID
|
@@ -2978,55 +2995,15 @@ OPENSSL_EXPORT int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx,
|
|
2978
2995
|
// success and zero on error.
|
2979
2996
|
OPENSSL_EXPORT int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key);
|
2980
2997
|
|
2981
|
-
// SSL_get_tls_channel_id gets the client's TLS Channel ID from a server |SSL
|
2998
|
+
// SSL_get_tls_channel_id gets the client's TLS Channel ID from a server |SSL|
|
2982
2999
|
// and copies up to the first |max_out| bytes into |out|. The Channel ID
|
2983
3000
|
// consists of the client's P-256 public key as an (x,y) pair where each is a
|
2984
3001
|
// 32-byte, big-endian field element. It returns 0 if the client didn't offer a
|
2985
|
-
// Channel ID and the length of the complete Channel ID otherwise.
|
3002
|
+
// Channel ID and the length of the complete Channel ID otherwise. This function
|
3003
|
+
// always returns zero if |ssl| is a client.
|
2986
3004
|
OPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out,
|
2987
3005
|
size_t max_out);
|
2988
3006
|
|
2989
|
-
// SSL_CTX_set_channel_id_cb sets a callback to be called when a TLS Channel ID
|
2990
|
-
// is requested. The callback may set |*out_pkey| to a key, passing a reference
|
2991
|
-
// to the caller. If none is returned, the handshake will pause and
|
2992
|
-
// |SSL_get_error| will return |SSL_ERROR_WANT_CHANNEL_ID_LOOKUP|.
|
2993
|
-
//
|
2994
|
-
// See also |SSL_ERROR_WANT_CHANNEL_ID_LOOKUP|.
|
2995
|
-
OPENSSL_EXPORT void SSL_CTX_set_channel_id_cb(
|
2996
|
-
SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **out_pkey));
|
2997
|
-
|
2998
|
-
// SSL_CTX_get_channel_id_cb returns the callback set by
|
2999
|
-
// |SSL_CTX_set_channel_id_cb|.
|
3000
|
-
OPENSSL_EXPORT void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(
|
3001
|
-
SSL *ssl, EVP_PKEY **out_pkey);
|
3002
|
-
|
3003
|
-
|
3004
|
-
// Token Binding.
|
3005
|
-
//
|
3006
|
-
// See draft-ietf-tokbind-protocol-16.
|
3007
|
-
|
3008
|
-
// SSL_set_token_binding_params sets |params| as the Token Binding Key
|
3009
|
-
// parameters (section 3 of draft-ietf-tokbind-protocol-16) to negotiate on the
|
3010
|
-
// connection. If this function is not called, or if |len| is 0, then this
|
3011
|
-
// endpoint will not attempt to negotiate Token Binding. |params| are provided
|
3012
|
-
// in preference order, with the more preferred parameters at the beginning of
|
3013
|
-
// the list. This function returns 1 on success and 0 on failure.
|
3014
|
-
OPENSSL_EXPORT int SSL_set_token_binding_params(SSL *ssl, const uint8_t *params,
|
3015
|
-
size_t len);
|
3016
|
-
|
3017
|
-
// SSL_is_token_binding_negotiated returns 1 if Token Binding was negotiated
|
3018
|
-
// on this connection and 0 otherwise. On a server, it is possible for this
|
3019
|
-
// function to return 1 when the client's view of the connection is that Token
|
3020
|
-
// Binding was not negotiated. This occurs when the server indicates a version
|
3021
|
-
// of Token Binding less than the client's minimum version.
|
3022
|
-
OPENSSL_EXPORT int SSL_is_token_binding_negotiated(const SSL *ssl);
|
3023
|
-
|
3024
|
-
// SSL_get_negotiated_token_binding_param returns the TokenBindingKeyParameters
|
3025
|
-
// enum value that was negotiated. It is only valid to call this function if
|
3026
|
-
// SSL_is_token_binding_negotiated returned 1, otherwise this function returns
|
3027
|
-
// an undefined value.
|
3028
|
-
OPENSSL_EXPORT uint8_t SSL_get_negotiated_token_binding_param(const SSL *ssl);
|
3029
|
-
|
3030
3007
|
|
3031
3008
|
// DTLS-SRTP.
|
3032
3009
|
//
|
@@ -3063,8 +3040,8 @@ OPENSSL_EXPORT int SSL_CTX_set_srtp_profiles(SSL_CTX *ctx,
|
|
3063
3040
|
OPENSSL_EXPORT int SSL_set_srtp_profiles(SSL *ssl, const char *profiles);
|
3064
3041
|
|
3065
3042
|
// SSL_get_srtp_profiles returns the SRTP profiles supported by |ssl|.
|
3066
|
-
OPENSSL_EXPORT STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(
|
3067
|
-
SSL *ssl);
|
3043
|
+
OPENSSL_EXPORT const STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(
|
3044
|
+
const SSL *ssl);
|
3068
3045
|
|
3069
3046
|
// SSL_get_selected_srtp_profile returns the selected SRTP profile, or NULL if
|
3070
3047
|
// SRTP was not negotiated.
|
@@ -3195,7 +3172,7 @@ OPENSSL_EXPORT int SSL_delegated_credential_used(const SSL *ssl);
|
|
3195
3172
|
//
|
3196
3173
|
// QUIC acts as an underlying transport for the TLS 1.3 handshake. The following
|
3197
3174
|
// functions allow a QUIC implementation to serve as the underlying transport as
|
3198
|
-
// described in
|
3175
|
+
// described in RFC 9001.
|
3199
3176
|
//
|
3200
3177
|
// When configured for QUIC, |SSL_do_handshake| will drive the handshake as
|
3201
3178
|
// before, but it will not use the configured |BIO|. It will call functions on
|
@@ -3215,8 +3192,7 @@ OPENSSL_EXPORT int SSL_delegated_credential_used(const SSL *ssl);
|
|
3215
3192
|
// confirm the handshake. As a client, |SSL_ERROR_EARLY_DATA_REJECTED| and
|
3216
3193
|
// |SSL_reset_early_data_reject| behave as usual.
|
3217
3194
|
//
|
3218
|
-
// See https://
|
3219
|
-
// details.
|
3195
|
+
// See https://www.rfc-editor.org/rfc/rfc9001.html#section-4.1 for more details.
|
3220
3196
|
//
|
3221
3197
|
// To avoid DoS attacks, the QUIC implementation must limit the amount of data
|
3222
3198
|
// being queued up. The implementation can call
|
@@ -3227,7 +3203,8 @@ OPENSSL_EXPORT int SSL_delegated_credential_used(const SSL *ssl);
|
|
3227
3203
|
// |SSL_set_quic_transport_params|. |SSL_get_peer_quic_transport_params| may be
|
3228
3204
|
// used to query the value received from the peer. BoringSSL handles this
|
3229
3205
|
// extension as an opaque byte string. The caller is responsible for serializing
|
3230
|
-
// and parsing them. See
|
3206
|
+
// and parsing them. See https://www.rfc-editor.org/rfc/rfc9000#section-7.4 for
|
3207
|
+
// details.
|
3231
3208
|
//
|
3232
3209
|
// QUIC additionally imposes restrictions on 0-RTT. In particular, the QUIC
|
3233
3210
|
// transport layer requires that if a server accepts 0-RTT data, then the
|
@@ -3339,7 +3316,7 @@ struct ssl_quic_method_st {
|
|
3339
3316
|
// that may be received at the given encryption level. This function should be
|
3340
3317
|
// used to limit buffering in the QUIC implementation.
|
3341
3318
|
//
|
3342
|
-
// See https://
|
3319
|
+
// See https://www.rfc-editor.org/rfc/rfc9000#section-7.5
|
3343
3320
|
OPENSSL_EXPORT size_t SSL_quic_max_handshake_flight_len(
|
3344
3321
|
const SSL *ssl, enum ssl_encryption_level_t level);
|
3345
3322
|
|
@@ -3402,8 +3379,8 @@ OPENSSL_EXPORT void SSL_get_peer_quic_transport_params(
|
|
3402
3379
|
|
3403
3380
|
// SSL_set_quic_use_legacy_codepoint configures whether to use the legacy QUIC
|
3404
3381
|
// extension codepoint 0xffa5 as opposed to the official value 57. Call with
|
3405
|
-
// |use_legacy| set to 1 to use 0xffa5 and call with 0 to use 57.
|
3406
|
-
//
|
3382
|
+
// |use_legacy| set to 1 to use 0xffa5 and call with 0 to use 57. By default,
|
3383
|
+
// the standard code point is used.
|
3407
3384
|
OPENSSL_EXPORT void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy);
|
3408
3385
|
|
3409
3386
|
// SSL_set_quic_early_data_context configures a context string in QUIC servers
|
@@ -3552,8 +3529,7 @@ enum ssl_early_data_reason_t BORINGSSL_ENUM_INT {
|
|
3552
3529
|
ssl_early_data_alpn_mismatch = 9,
|
3553
3530
|
// The connection negotiated Channel ID, which is incompatible with 0-RTT.
|
3554
3531
|
ssl_early_data_channel_id = 10,
|
3555
|
-
//
|
3556
|
-
ssl_early_data_token_binding = 11,
|
3532
|
+
// Value 11 is reserved. (It has historically |ssl_early_data_token_binding|.)
|
3557
3533
|
// The client and server ticket age were too far apart.
|
3558
3534
|
ssl_early_data_ticket_age_skew = 12,
|
3559
3535
|
// QUIC parameters differ between this connection and the original.
|
@@ -3575,7 +3551,7 @@ OPENSSL_EXPORT const char *SSL_early_data_reason_string(
|
|
3575
3551
|
enum ssl_early_data_reason_t reason);
|
3576
3552
|
|
3577
3553
|
|
3578
|
-
// Encrypted
|
3554
|
+
// Encrypted ClientHello.
|
3579
3555
|
//
|
3580
3556
|
// ECH is a mechanism for encrypting the entire ClientHello message in TLS 1.3.
|
3581
3557
|
// This can prevent observers from seeing cleartext information about the
|
@@ -3583,12 +3559,129 @@ OPENSSL_EXPORT const char *SSL_early_data_reason_string(
|
|
3583
3559
|
//
|
3584
3560
|
// ECH support in BoringSSL is still experimental and under development.
|
3585
3561
|
//
|
3586
|
-
// See https://tools.ietf.org/html/draft-ietf-tls-esni-
|
3562
|
+
// See https://tools.ietf.org/html/draft-ietf-tls-esni-10.
|
3587
3563
|
|
3588
|
-
// SSL_set_enable_ech_grease configures whether the client
|
3589
|
-
//
|
3564
|
+
// SSL_set_enable_ech_grease configures whether the client will send a GREASE
|
3565
|
+
// ECH extension when no supported ECHConfig is available.
|
3590
3566
|
OPENSSL_EXPORT void SSL_set_enable_ech_grease(SSL *ssl, int enable);
|
3591
3567
|
|
3568
|
+
// SSL_set1_ech_config_list configures |ssl| to, as a client, offer ECH with the
|
3569
|
+
// specified configuration. |ech_config_list| should contain a serialized
|
3570
|
+
// ECHConfigList structure. It returns one on success and zero on error.
|
3571
|
+
//
|
3572
|
+
// This function returns an error if the input is malformed. If the input is
|
3573
|
+
// valid but none of the ECHConfigs implement supported parameters, it will
|
3574
|
+
// return success and proceed without ECH.
|
3575
|
+
//
|
3576
|
+
// WARNING: Client ECH support is still incomplete and does not yet implement
|
3577
|
+
// the recovery flow. It currently treats ECH rejection as a fatal error. Do not
|
3578
|
+
// use this API yet.
|
3579
|
+
//
|
3580
|
+
// TODO(https://crbug.com/boringssl/275): When the recovery flow is implemented,
|
3581
|
+
// fill in the remaining docs.
|
3582
|
+
OPENSSL_EXPORT int SSL_set1_ech_config_list(SSL *ssl,
|
3583
|
+
const uint8_t *ech_config_list,
|
3584
|
+
size_t ech_config_list_len);
|
3585
|
+
|
3586
|
+
// SSL_marshal_ech_config constructs a new serialized ECHConfig. On success, it
|
3587
|
+
// sets |*out| to a newly-allocated buffer containing the result and |*out_len|
|
3588
|
+
// to the size of the buffer. The caller must call |OPENSSL_free| on |*out| to
|
3589
|
+
// release the memory. On failure, it returns zero.
|
3590
|
+
//
|
3591
|
+
// The |config_id| field is a single byte identifer for the ECHConfig. Reusing
|
3592
|
+
// config IDs is allowed, but if multiple ECHConfigs with the same config ID are
|
3593
|
+
// active at a time, server load may increase. See
|
3594
|
+
// |SSL_ECH_KEYS_has_duplicate_config_id|.
|
3595
|
+
//
|
3596
|
+
// The public key and KEM algorithm are taken from |key|. |public_name| is the
|
3597
|
+
// DNS name used to authenticate the recovery flow. |max_name_len| should be the
|
3598
|
+
// length of the longest name in the ECHConfig's anonymity set and influences
|
3599
|
+
// client padding decisions.
|
3600
|
+
OPENSSL_EXPORT int SSL_marshal_ech_config(uint8_t **out, size_t *out_len,
|
3601
|
+
uint8_t config_id,
|
3602
|
+
const EVP_HPKE_KEY *key,
|
3603
|
+
const char *public_name,
|
3604
|
+
size_t max_name_len);
|
3605
|
+
|
3606
|
+
// SSL_ECH_KEYS_new returns a newly-allocated |SSL_ECH_KEYS| or NULL on error.
|
3607
|
+
OPENSSL_EXPORT SSL_ECH_KEYS *SSL_ECH_KEYS_new(void);
|
3608
|
+
|
3609
|
+
// SSL_ECH_KEYS_up_ref increments the reference count of |keys|.
|
3610
|
+
OPENSSL_EXPORT void SSL_ECH_KEYS_up_ref(SSL_ECH_KEYS *keys);
|
3611
|
+
|
3612
|
+
// SSL_ECH_KEYS_free releases memory associated with |keys|.
|
3613
|
+
OPENSSL_EXPORT void SSL_ECH_KEYS_free(SSL_ECH_KEYS *keys);
|
3614
|
+
|
3615
|
+
// SSL_ECH_KEYS_add decodes |ech_config| as an ECHConfig and appends it with
|
3616
|
+
// |key| to |keys|. If |is_retry_config| is non-zero, this config will be
|
3617
|
+
// returned to the client on configuration mismatch. It returns one on success
|
3618
|
+
// and zero on error.
|
3619
|
+
//
|
3620
|
+
// This function should be called successively to register each ECHConfig in
|
3621
|
+
// decreasing order of preference. This configuration must be completed before
|
3622
|
+
// setting |keys| on an |SSL_CTX| with |SSL_CTX_set1_ech_keys|. After that
|
3623
|
+
// point, |keys| is immutable; no more ECHConfig values may be added.
|
3624
|
+
//
|
3625
|
+
// See also |SSL_CTX_set1_ech_keys|.
|
3626
|
+
OPENSSL_EXPORT int SSL_ECH_KEYS_add(SSL_ECH_KEYS *keys, int is_retry_config,
|
3627
|
+
const uint8_t *ech_config,
|
3628
|
+
size_t ech_config_len,
|
3629
|
+
const EVP_HPKE_KEY *key);
|
3630
|
+
|
3631
|
+
// SSL_ECH_KEYS_has_duplicate_config_id returns one if |keys| has duplicate
|
3632
|
+
// config IDs or zero otherwise. Duplicate config IDs still work, but may
|
3633
|
+
// increase server load due to trial decryption.
|
3634
|
+
OPENSSL_EXPORT int SSL_ECH_KEYS_has_duplicate_config_id(
|
3635
|
+
const SSL_ECH_KEYS *keys);
|
3636
|
+
|
3637
|
+
// SSL_ECH_KEYS_marshal_retry_configs serializes the retry configs in |keys| as
|
3638
|
+
// an ECHConfigList. On success, it sets |*out| to a newly-allocated buffer
|
3639
|
+
// containing the result and |*out_len| to the size of the buffer. The caller
|
3640
|
+
// must call |OPENSSL_free| on |*out| to release the memory. On failure, it
|
3641
|
+
// returns zero.
|
3642
|
+
//
|
3643
|
+
// This output may be advertised to clients in DNS.
|
3644
|
+
OPENSSL_EXPORT int SSL_ECH_KEYS_marshal_retry_configs(const SSL_ECH_KEYS *keys,
|
3645
|
+
uint8_t **out,
|
3646
|
+
size_t *out_len);
|
3647
|
+
|
3648
|
+
// SSL_CTX_set1_ech_keys configures |ctx| to use |keys| to decrypt encrypted
|
3649
|
+
// ClientHellos. It returns one on success, and zero on failure. If |keys| does
|
3650
|
+
// not contain any retry configs, this function will fail. Retry configs are
|
3651
|
+
// marked as such when they are added to |keys| with |SSL_ECH_KEYS_add|.
|
3652
|
+
//
|
3653
|
+
// Once |keys| has been passed to this function, it is immutable. Unlike most
|
3654
|
+
// |SSL_CTX| configuration functions, this function may be called even if |ctx|
|
3655
|
+
// already has associated connections on multiple threads. This may be used to
|
3656
|
+
// rotate keys in a long-lived server process.
|
3657
|
+
//
|
3658
|
+
// The configured ECHConfig values should also be advertised out-of-band via DNS
|
3659
|
+
// (see draft-ietf-dnsop-svcb-https). Before advertising an ECHConfig in DNS,
|
3660
|
+
// deployments should ensure all instances of the service are configured with
|
3661
|
+
// the ECHConfig and corresponding private key.
|
3662
|
+
//
|
3663
|
+
// Only the most recent fully-deployed ECHConfigs should be advertised in DNS.
|
3664
|
+
// |keys| may contain a newer set if those ECHConfigs are mid-deployment. It
|
3665
|
+
// should also contain older sets, until the DNS change has rolled out and the
|
3666
|
+
// old records have expired from caches.
|
3667
|
+
//
|
3668
|
+
// If there is a mismatch, |SSL| objects associated with |ctx| will complete the
|
3669
|
+
// handshake using the cleartext ClientHello and send updated ECHConfig values
|
3670
|
+
// to the client. The client will then retry to recover, but with a latency
|
3671
|
+
// penalty. This recovery flow depends on the public name in the ECHConfig.
|
3672
|
+
// Before advertising an ECHConfig in DNS, deployments must ensure all instances
|
3673
|
+
// of the service can present a valid certificate for the public name.
|
3674
|
+
//
|
3675
|
+
// BoringSSL negotiates ECH before certificate selection callbacks are called,
|
3676
|
+
// including |SSL_CTX_set_select_certificate_cb|. If ECH is negotiated, the
|
3677
|
+
// reported |SSL_CLIENT_HELLO| structure and |SSL_get_servername| function will
|
3678
|
+
// transparently reflect the inner ClientHello. Callers should select parameters
|
3679
|
+
// based on these values to correctly handle ECH as well as the recovery flow.
|
3680
|
+
OPENSSL_EXPORT int SSL_CTX_set1_ech_keys(SSL_CTX *ctx, SSL_ECH_KEYS *keys);
|
3681
|
+
|
3682
|
+
// SSL_ech_accepted returns one if |ssl| negotiated ECH and zero otherwise.
|
3683
|
+
OPENSSL_EXPORT int SSL_ech_accepted(const SSL *ssl);
|
3684
|
+
|
3592
3685
|
|
3593
3686
|
// Alerts.
|
3594
3687
|
//
|
@@ -3643,6 +3736,7 @@ OPENSSL_EXPORT void SSL_set_enable_ech_grease(SSL *ssl, int enable);
|
|
3643
3736
|
#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY
|
3644
3737
|
#define SSL_AD_CERTIFICATE_REQUIRED TLS1_AD_CERTIFICATE_REQUIRED
|
3645
3738
|
#define SSL_AD_NO_APPLICATION_PROTOCOL TLS1_AD_NO_APPLICATION_PROTOCOL
|
3739
|
+
#define SSL_AD_ECH_REQUIRED TLS1_AD_ECH_REQUIRED
|
3646
3740
|
|
3647
3741
|
// SSL_alert_type_string_long returns a string description of |value| as an
|
3648
3742
|
// alert type (warning or fatal).
|
@@ -3725,6 +3819,101 @@ OPENSSL_EXPORT uint64_t SSL_get_read_sequence(const SSL *ssl);
|
|
3725
3819
|
OPENSSL_EXPORT uint64_t SSL_get_write_sequence(const SSL *ssl);
|
3726
3820
|
|
3727
3821
|
|
3822
|
+
// Handshake hints.
|
3823
|
+
//
|
3824
|
+
// *** EXPERIMENTAL — DO NOT USE WITHOUT CHECKING ***
|
3825
|
+
//
|
3826
|
+
// Some server deployments make asynchronous RPC calls in both ClientHello
|
3827
|
+
// dispatch and private key operations. In TLS handshakes where the private key
|
3828
|
+
// operation occurs in the first round-trip, this results in two consecutive RPC
|
3829
|
+
// round-trips. Handshake hints allow the RPC service to predicte a signature.
|
3830
|
+
// If correctly predicted, this can skip the second RPC call.
|
3831
|
+
//
|
3832
|
+
// First, the server installs a certificate selection callback (see
|
3833
|
+
// |SSL_CTX_set_select_certificate_cb|). When that is called, it performs the
|
3834
|
+
// RPC as before, but includes the ClientHello and a capabilities string from
|
3835
|
+
// |SSL_serialize_capabilities|.
|
3836
|
+
//
|
3837
|
+
// Next, the RPC service creates its own |SSL| object, applies the results of
|
3838
|
+
// certificate selection, calls |SSL_request_handshake_hints|, and runs the
|
3839
|
+
// handshake. If this successfully computes handshake hints (see
|
3840
|
+
// |SSL_serialize_handshake_hints|), the RPC server should send the hints
|
3841
|
+
// alongside any certificate selection results.
|
3842
|
+
//
|
3843
|
+
// Finally, the server calls |SSL_set_handshake_hints| and applies any
|
3844
|
+
// configuration from the RPC server. It then completes the handshake as before.
|
3845
|
+
// If the hints apply, BoringSSL will use the predicted signature and skip the
|
3846
|
+
// private key callbacks. Otherwise, BoringSSL will call private key callbacks
|
3847
|
+
// to generate a signature as before.
|
3848
|
+
//
|
3849
|
+
// Callers should synchronize configuration across the two services.
|
3850
|
+
// Configuration mismatches and some cases of version skew are not fatal, but
|
3851
|
+
// may result in the hints not applying. Additionally, some handshake flows use
|
3852
|
+
// the private key in later round-trips, such as TLS 1.3 HelloRetryRequest. In
|
3853
|
+
// those cases, BoringSSL will not predict a signature as there is no benefit.
|
3854
|
+
// Callers must allow for handshakes to complete without a predicted signature.
|
3855
|
+
//
|
3856
|
+
// For now, only TLS 1.3 is hinted. TLS 1.2 will work, but the hints will be
|
3857
|
+
// empty.
|
3858
|
+
|
3859
|
+
// SSL_serialize_capabilities writes an opaque byte string to |out| describing
|
3860
|
+
// some of |ssl|'s capabilities. It returns one on success and zero on error.
|
3861
|
+
//
|
3862
|
+
// This string is used by BoringSSL internally to reduce the impact of version
|
3863
|
+
// skew.
|
3864
|
+
OPENSSL_EXPORT int SSL_serialize_capabilities(const SSL *ssl, CBB *out);
|
3865
|
+
|
3866
|
+
// SSL_request_handshake_hints configures |ssl| to generate a handshake hint for
|
3867
|
+
// |client_hello|. It returns one on success and zero on error. |client_hello|
|
3868
|
+
// should contain a serialized ClientHello structure, from the |client_hello|
|
3869
|
+
// and |client_hello_len| fields of the |SSL_CLIENT_HELLO| structure.
|
3870
|
+
// |capabilities| should contain the output of |SSL_serialize_capabilities|.
|
3871
|
+
//
|
3872
|
+
// When configured, |ssl| will perform no I/O (so there is no need to configure
|
3873
|
+
// |BIO|s). For QUIC, the caller should still configure an |SSL_QUIC_METHOD|,
|
3874
|
+
// but the callbacks themselves will never be called and may be left NULL or
|
3875
|
+
// report failure. |SSL_provide_quic_data| also should not be called.
|
3876
|
+
//
|
3877
|
+
// If hint generation is successful, |SSL_do_handshake| will stop the handshake
|
3878
|
+
// early with |SSL_get_error| returning |SSL_ERROR_HANDSHAKE_HINTS_READY|. At
|
3879
|
+
// this point, the caller should run |SSL_serialize_handshake_hints| to extract
|
3880
|
+
// the resulting hints.
|
3881
|
+
//
|
3882
|
+
// Hint generation may fail if, e.g., |ssl| was unable to process the
|
3883
|
+
// ClientHello. Callers should then complete the certificate selection RPC and
|
3884
|
+
// continue the original handshake with no hint. It will likely fail, but this
|
3885
|
+
// reports the correct alert to the client and is more robust in case of
|
3886
|
+
// mismatch.
|
3887
|
+
OPENSSL_EXPORT int SSL_request_handshake_hints(SSL *ssl,
|
3888
|
+
const uint8_t *client_hello,
|
3889
|
+
size_t client_hello_len,
|
3890
|
+
const uint8_t *capabilities,
|
3891
|
+
size_t capabilities_len);
|
3892
|
+
|
3893
|
+
// SSL_serialize_handshake_hints writes an opaque byte string to |out|
|
3894
|
+
// containing the handshake hints computed by |out|. It returns one on success
|
3895
|
+
// and zero on error. This function should only be called if
|
3896
|
+
// |SSL_request_handshake_hints| was configured and the handshake terminated
|
3897
|
+
// with |SSL_ERROR_HANDSHAKE_HINTS_READY|.
|
3898
|
+
//
|
3899
|
+
// This string may be passed to |SSL_set_handshake_hints| on another |SSL| to
|
3900
|
+
// avoid an extra signature call.
|
3901
|
+
OPENSSL_EXPORT int SSL_serialize_handshake_hints(const SSL *ssl, CBB *out);
|
3902
|
+
|
3903
|
+
// SSL_set_handshake_hints configures |ssl| to use |hints| as handshake hints.
|
3904
|
+
// It returns one on success and zero on error. The handshake will then continue
|
3905
|
+
// as before, but apply predicted values from |hints| where applicable.
|
3906
|
+
//
|
3907
|
+
// Hints may contain connection and session secrets, so they must not leak and
|
3908
|
+
// must come from a source trusted to terminate the connection. However, they
|
3909
|
+
// will not change |ssl|'s configuration. The caller is responsible for
|
3910
|
+
// serializing and applying options from the RPC server as needed. This ensures
|
3911
|
+
// |ssl|'s behavior is self-consistent and consistent with the caller's local
|
3912
|
+
// decisions.
|
3913
|
+
OPENSSL_EXPORT int SSL_set_handshake_hints(SSL *ssl, const uint8_t *hints,
|
3914
|
+
size_t hints_len);
|
3915
|
+
|
3916
|
+
|
3728
3917
|
// Obscure functions.
|
3729
3918
|
|
3730
3919
|
// SSL_CTX_set_msg_callback installs |cb| as the message callback for |ctx|.
|
@@ -4109,9 +4298,17 @@ OPENSSL_EXPORT void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx,
|
|
4109
4298
|
int enable);
|
4110
4299
|
|
4111
4300
|
// SSL_CTX_set_grease_enabled configures whether sockets on |ctx| should enable
|
4112
|
-
// GREASE. See
|
4301
|
+
// GREASE. See RFC 8701.
|
4113
4302
|
OPENSSL_EXPORT void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled);
|
4114
4303
|
|
4304
|
+
// SSL_CTX_set_permute_extensions configures whether sockets on |ctx| should
|
4305
|
+
// permute extensions. For now, this is only implemented for the ClientHello.
|
4306
|
+
OPENSSL_EXPORT void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled);
|
4307
|
+
|
4308
|
+
// SSL_set_permute_extensions configures whether sockets on |ssl| should
|
4309
|
+
// permute extensions. For now, this is only implemented for the ClientHello.
|
4310
|
+
OPENSSL_EXPORT void SSL_set_permute_extensions(SSL *ssl, int enabled);
|
4311
|
+
|
4115
4312
|
// SSL_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
|
4116
4313
|
// record with |ssl|.
|
4117
4314
|
OPENSSL_EXPORT size_t SSL_max_seal_overhead(const SSL *ssl);
|
@@ -4798,18 +4995,6 @@ OPENSSL_EXPORT int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
|
|
4798
4995
|
// name and remove this one.
|
4799
4996
|
OPENSSL_EXPORT uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *cipher);
|
4800
4997
|
|
4801
|
-
// SSL_CTX_set_ignore_tls13_downgrade does nothing.
|
4802
|
-
OPENSSL_EXPORT void SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX *ctx,
|
4803
|
-
int ignore);
|
4804
|
-
|
4805
|
-
// SSL_set_ignore_tls13_downgrade does nothing.
|
4806
|
-
OPENSSL_EXPORT void SSL_set_ignore_tls13_downgrade(SSL *ssl, int ignore);
|
4807
|
-
|
4808
|
-
// SSL_is_tls13_downgrade returns zero. Historically, this function returned
|
4809
|
-
// whether the TLS 1.3 downgrade signal would have been enforced if not
|
4810
|
-
// disabled. The TLS 1.3 downgrade signal is now always enforced.
|
4811
|
-
OPENSSL_EXPORT int SSL_is_tls13_downgrade(const SSL *ssl);
|
4812
|
-
|
4813
4998
|
|
4814
4999
|
// Nodejs compatibility section (hidden).
|
4815
5000
|
//
|
@@ -4972,6 +5157,8 @@ BSSL_NAMESPACE_BEGIN
|
|
4972
5157
|
BORINGSSL_MAKE_DELETER(SSL, SSL_free)
|
4973
5158
|
BORINGSSL_MAKE_DELETER(SSL_CTX, SSL_CTX_free)
|
4974
5159
|
BORINGSSL_MAKE_UP_REF(SSL_CTX, SSL_CTX_up_ref)
|
5160
|
+
BORINGSSL_MAKE_DELETER(SSL_ECH_KEYS, SSL_ECH_KEYS_free)
|
5161
|
+
BORINGSSL_MAKE_UP_REF(SSL_ECH_KEYS, SSL_ECH_KEYS_up_ref)
|
4975
5162
|
BORINGSSL_MAKE_DELETER(SSL_SESSION, SSL_SESSION_free)
|
4976
5163
|
BORINGSSL_MAKE_UP_REF(SSL_SESSION, SSL_SESSION_up_ref)
|
4977
5164
|
|
@@ -5088,6 +5275,7 @@ OPENSSL_EXPORT bool SSL_get_traffic_secrets(
|
|
5088
5275
|
const SSL *ssl, Span<const uint8_t> *out_read_traffic_secret,
|
5089
5276
|
Span<const uint8_t> *out_write_traffic_secret);
|
5090
5277
|
|
5278
|
+
|
5091
5279
|
BSSL_NAMESPACE_END
|
5092
5280
|
|
5093
5281
|
} // extern C++
|
@@ -5305,6 +5493,15 @@ BSSL_NAMESPACE_END
|
|
5305
5493
|
#define SSL_R_NO_APPLICATION_PROTOCOL 307
|
5306
5494
|
#define SSL_R_NEGOTIATED_ALPS_WITHOUT_ALPN 308
|
5307
5495
|
#define SSL_R_ALPS_MISMATCH_ON_EARLY_DATA 309
|
5496
|
+
#define SSL_R_ECH_SERVER_CONFIG_AND_PRIVATE_KEY_MISMATCH 310
|
5497
|
+
#define SSL_R_ECH_SERVER_CONFIG_UNSUPPORTED_EXTENSION 311
|
5498
|
+
#define SSL_R_UNSUPPORTED_ECH_SERVER_CONFIG 312
|
5499
|
+
#define SSL_R_ECH_SERVER_WOULD_HAVE_NO_RETRY_CONFIGS 313
|
5500
|
+
#define SSL_R_INVALID_CLIENT_HELLO_INNER 314
|
5501
|
+
#define SSL_R_INVALID_ALPN_PROTOCOL_LIST 315
|
5502
|
+
#define SSL_R_COULD_NOT_PARSE_HINTS 316
|
5503
|
+
#define SSL_R_INVALID_ECH_PUBLIC_NAME 317
|
5504
|
+
#define SSL_R_INVALID_ECH_CONFIG_LIST 318
|
5308
5505
|
#define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
|
5309
5506
|
#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
|
5310
5507
|
#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
|
@@ -5338,5 +5535,6 @@ BSSL_NAMESPACE_END
|
|
5338
5535
|
#define SSL_R_TLSV1_ALERT_UNKNOWN_PSK_IDENTITY 1115
|
5339
5536
|
#define SSL_R_TLSV1_ALERT_CERTIFICATE_REQUIRED 1116
|
5340
5537
|
#define SSL_R_TLSV1_ALERT_NO_APPLICATION_PROTOCOL 1120
|
5538
|
+
#define SSL_R_TLSV1_ALERT_ECH_REQUIRED 1121
|
5341
5539
|
|
5342
5540
|
#endif // OPENSSL_HEADER_SSL_H
|