grpc 1.37.1 → 1.40.0.pre1



Files changed (738) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +112 -59
  3. data/include/grpc/event_engine/README.md +38 -0
  4. data/include/grpc/event_engine/endpoint_config.h +48 -0
  5. data/include/grpc/event_engine/event_engine.h +330 -0
  6. data/include/grpc/event_engine/port.h +41 -0
  7. data/include/grpc/event_engine/slice_allocator.h +66 -0
  8. data/include/grpc/grpc.h +11 -4
  9. data/include/grpc/grpc_security.h +32 -0
  10. data/include/grpc/grpc_security_constants.h +15 -0
  11. data/include/grpc/impl/codegen/grpc_types.h +44 -19
  12. data/include/grpc/impl/codegen/port_platform.h +46 -0
  13. data/include/grpc/module.modulemap +14 -14
  14. data/src/core/ext/filters/client_channel/backup_poller.cc +3 -3
  15. data/src/core/ext/filters/client_channel/channel_connectivity.cc +177 -202
  16. data/src/core/ext/filters/client_channel/client_channel.cc +975 -3282
  17. data/src/core/ext/filters/client_channel/client_channel.h +513 -55
  18. data/src/core/ext/filters/client_channel/client_channel_channelz.h +1 -1
  19. data/src/core/ext/filters/client_channel/client_channel_plugin.cc +4 -1
  20. data/src/core/ext/filters/client_channel/config_selector.h +20 -7
  21. data/src/core/ext/filters/client_channel/connector.h +1 -1
  22. data/src/core/ext/filters/client_channel/dynamic_filters.cc +9 -10
  23. data/src/core/ext/filters/client_channel/dynamic_filters.h +3 -3
  24. data/src/core/ext/filters/client_channel/health/health_check_client.cc +28 -27
  25. data/src/core/ext/filters/client_channel/health/health_check_client.h +30 -29
  26. data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +24 -21
  27. data/src/core/ext/filters/client_channel/http_proxy.cc +16 -1
  28. data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +6 -6
  29. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +53 -51
  30. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.cc +1 -1
  31. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.h +2 -1
  32. data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +14 -23
  33. data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +16 -16
  34. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +734 -0
  35. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +10 -0
  36. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +10 -17
  37. data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +1 -1
  38. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +17 -20
  39. data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +53 -65
  40. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +36 -44
  41. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +33 -55
  42. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +151 -163
  43. data/src/core/ext/filters/client_channel/lb_policy.cc +2 -16
  44. data/src/core/ext/filters/client_channel/lb_policy.h +70 -46
  45. data/src/core/ext/filters/client_channel/lb_policy_factory.h +1 -1
  46. data/src/core/ext/filters/client_channel/lb_policy_registry.cc +4 -4
  47. data/src/core/ext/filters/client_channel/lb_policy_registry.h +1 -1
  48. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +24 -18
  49. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +1 -1
  50. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_event_engine.cc +31 -0
  51. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +3 -3
  52. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +2 -2
  53. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +14 -14
  54. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +33 -24
  55. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +1 -1
  56. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_event_engine.cc +28 -0
  57. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_libuv.cc +1 -1
  58. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_windows.cc +1 -1
  59. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +18 -12
  60. data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +20 -28
  61. data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +7 -5
  62. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +20 -13
  63. data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +1 -1
  64. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +158 -102
  65. data/src/core/ext/filters/client_channel/resolver.h +2 -2
  66. data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +32 -239
  67. data/src/core/ext/filters/client_channel/resolver_result_parsing.h +20 -49
  68. data/src/core/ext/filters/client_channel/retry_filter.cc +2598 -0
  69. data/src/core/ext/filters/client_channel/retry_filter.h +30 -0
  70. data/src/core/ext/filters/client_channel/retry_service_config.cc +316 -0
  71. data/src/core/ext/filters/client_channel/retry_service_config.h +96 -0
  72. data/src/core/ext/filters/client_channel/server_address.cc +1 -1
  73. data/src/core/ext/filters/client_channel/service_config.cc +15 -14
  74. data/src/core/ext/filters/client_channel/service_config.h +7 -6
  75. data/src/core/ext/filters/client_channel/service_config_call_data.h +45 -5
  76. data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +5 -4
  77. data/src/core/ext/filters/client_channel/service_config_parser.cc +6 -6
  78. data/src/core/ext/filters/client_channel/service_config_parser.h +7 -4
  79. data/src/core/ext/filters/client_channel/subchannel.cc +17 -16
  80. data/src/core/ext/filters/client_channel/subchannel.h +7 -6
  81. data/src/core/ext/filters/client_idle/client_idle_filter.cc +17 -16
  82. data/src/core/ext/filters/deadline/deadline_filter.cc +10 -10
  83. data/src/core/ext/filters/fault_injection/fault_injection_filter.cc +19 -18
  84. data/src/core/ext/filters/fault_injection/service_config_parser.cc +5 -5
  85. data/src/core/ext/filters/fault_injection/service_config_parser.h +1 -1
  86. data/src/core/ext/filters/http/client/http_client_filter.cc +33 -23
  87. data/src/core/ext/filters/http/client_authority_filter.cc +3 -3
  88. data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +23 -22
  89. data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +21 -21
  90. data/src/core/ext/filters/http/server/http_server_filter.cc +27 -23
  91. data/src/core/ext/filters/max_age/max_age_filter.cc +12 -10
  92. data/src/core/ext/filters/message_size/message_size_filter.cc +14 -11
  93. data/src/core/ext/filters/message_size/message_size_filter.h +1 -1
  94. data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +4 -3
  95. data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +7 -7
  96. data/src/core/ext/transport/chttp2/client/chttp2_connector.h +7 -7
  97. data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +2 -2
  98. data/src/core/ext/transport/chttp2/client/insecure/channel_create_posix.cc +3 -2
  99. data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +3 -3
  100. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +49 -46
  101. data/src/core/ext/transport/chttp2/server/chttp2_server.h +2 -2
  102. data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.cc +3 -4
  103. data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +5 -4
  104. data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc +3 -4
  105. data/src/core/ext/transport/chttp2/transport/bin_decoder.cc +1 -1
  106. data/src/core/ext/transport/chttp2/transport/chttp2_slice_allocator.cc +66 -0
  107. data/src/core/ext/transport/chttp2/transport/chttp2_slice_allocator.h +74 -0
  108. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +141 -126
  109. data/src/core/ext/transport/chttp2/transport/context_list.cc +4 -5
  110. data/src/core/ext/transport/chttp2/transport/context_list.h +4 -4
  111. data/src/core/ext/transport/chttp2/transport/flow_control.cc +3 -3
  112. data/src/core/ext/transport/chttp2/transport/flow_control.h +9 -9
  113. data/src/core/ext/transport/chttp2/transport/frame_data.cc +12 -12
  114. data/src/core/ext/transport/chttp2/transport/frame_data.h +10 -10
  115. data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +15 -16
  116. data/src/core/ext/transport/chttp2/transport/frame_goaway.h +6 -6
  117. data/src/core/ext/transport/chttp2/transport/frame_ping.cc +7 -8
  118. data/src/core/ext/transport/chttp2/transport/frame_ping.h +7 -6
  119. data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +7 -7
  120. data/src/core/ext/transport/chttp2/transport/frame_rst_stream.h +6 -6
  121. data/src/core/ext/transport/chttp2/transport/frame_settings.cc +11 -10
  122. data/src/core/ext/transport/chttp2/transport/frame_settings.h +6 -6
  123. data/src/core/ext/transport/chttp2/transport/frame_window_update.cc +4 -6
  124. data/src/core/ext/transport/chttp2/transport/frame_window_update.h +4 -6
  125. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +652 -736
  126. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +195 -74
  127. data/src/core/ext/transport/chttp2/transport/hpack_table.cc +4 -3
  128. data/src/core/ext/transport/chttp2/transport/hpack_table.h +4 -4
  129. data/src/core/ext/transport/chttp2/transport/incoming_metadata.cc +2 -2
  130. data/src/core/ext/transport/chttp2/transport/incoming_metadata.h +2 -2
  131. data/src/core/ext/transport/chttp2/transport/internal.h +33 -28
  132. data/src/core/ext/transport/chttp2/transport/parsing.cc +129 -106
  133. data/src/core/ext/transport/chttp2/transport/varint.cc +6 -4
  134. data/src/core/ext/transport/chttp2/transport/writing.cc +7 -3
  135. data/src/core/ext/transport/inproc/inproc_transport.cc +72 -60
  136. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +56 -35
  137. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +180 -76
  138. data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +35 -27
  139. data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +97 -48
  140. data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +45 -9
  141. data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +67 -7
  142. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +66 -9
  143. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +227 -0
  144. data/src/core/ext/upb-generated/envoy/config/core/v3/resolver.upb.c +46 -0
  145. data/src/core/ext/upb-generated/envoy/config/core/v3/resolver.upb.h +121 -0
  146. data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +1 -0
  147. data/src/core/ext/upb-generated/envoy/config/core/v3/udp_socket_config.upb.c +35 -0
  148. data/src/core/ext/upb-generated/envoy/config/core/v3/udp_socket_config.upb.h +90 -0
  149. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +32 -24
  150. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -73
  151. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +4 -2
  152. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +15 -0
  153. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +48 -0
  154. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +171 -0
  155. data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +8 -6
  156. data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.h +27 -19
  157. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +1 -0
  158. data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +24 -7
  159. data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +57 -0
  160. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +29 -17
  161. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +72 -0
  162. data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c +3 -2
  163. data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h +4 -0
  164. data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c +6 -5
  165. data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h +15 -11
  166. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +85 -43
  167. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +274 -91
  168. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +11 -8
  169. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +30 -13
  170. data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.c +33 -5
  171. data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.h +115 -0
  172. data/src/core/ext/upb-generated/envoy/type/http/v3/path_transformation.upb.c +60 -0
  173. data/src/core/ext/upb-generated/envoy/type/http/v3/path_transformation.upb.h +181 -0
  174. data/src/core/ext/upb-generated/envoy/type/matcher/v3/regex.upb.c +1 -0
  175. data/src/core/ext/upb-generated/validate/validate.upb.c +82 -66
  176. data/src/core/ext/upb-generated/validate/validate.upb.h +220 -124
  177. data/src/core/ext/upbdefs-generated/envoy/annotations/deprecation.upbdefs.c +15 -7
  178. data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.c +53 -52
  179. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +318 -277
  180. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.h +5 -0
  181. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +437 -410
  182. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +198 -170
  183. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +10 -0
  184. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.c +9 -8
  185. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +219 -163
  186. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.h +15 -0
  187. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/resolver.upbdefs.c +59 -0
  188. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/resolver.upbdefs.h +40 -0
  189. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.c +29 -25
  190. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/udp_socket_config.upbdefs.c +52 -0
  191. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/udp_socket_config.upbdefs.h +35 -0
  192. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +135 -125
  193. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +5 -0
  194. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.c +131 -123
  195. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +90 -0
  196. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.h +35 -0
  197. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c +32 -24
  198. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c +69 -55
  199. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h +5 -0
  200. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +684 -664
  201. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +5 -0
  202. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c +13 -10
  203. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c +13 -10
  204. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +441 -375
  205. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.h +10 -0
  206. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.c +122 -114
  207. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +1 -1
  208. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +112 -79
  209. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.h +5 -0
  210. data/src/core/ext/upbdefs-generated/envoy/type/http/v3/path_transformation.upbdefs.c +64 -0
  211. data/src/core/ext/upbdefs-generated/envoy/type/http/v3/path_transformation.upbdefs.h +50 -0
  212. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/regex.upbdefs.c +35 -32
  213. data/src/core/ext/upbdefs-generated/google/rpc/status.upbdefs.c +4 -4
  214. data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.c +182 -160
  215. data/src/core/ext/xds/certificate_provider_factory.h +1 -1
  216. data/src/core/ext/xds/certificate_provider_store.h +3 -3
  217. data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc +3 -3
  218. data/src/core/ext/xds/file_watcher_certificate_provider_factory.h +2 -2
  219. data/src/core/ext/xds/xds_api.cc +665 -317
  220. data/src/core/ext/xds/xds_api.h +52 -14
  221. data/src/core/ext/xds/xds_bootstrap.cc +101 -160
  222. data/src/core/ext/xds/xds_bootstrap.h +19 -24
  223. data/src/core/ext/xds/xds_certificate_provider.cc +4 -4
  224. data/src/core/ext/xds/xds_certificate_provider.h +4 -4
  225. data/src/core/ext/xds/xds_channel_args.h +5 -2
  226. data/src/core/ext/xds/xds_client.cc +370 -215
  227. data/src/core/ext/xds/xds_client.h +38 -28
  228. data/src/core/ext/xds/xds_client_stats.h +3 -2
  229. data/src/core/ext/xds/xds_http_filters.cc +3 -2
  230. data/src/core/ext/xds/xds_http_filters.h +3 -0
  231. data/src/core/ext/xds/xds_server_config_fetcher.cc +34 -20
  232. data/src/core/lib/{iomgr → address_utils}/parse_address.cc +17 -17
  233. data/src/core/lib/{iomgr → address_utils}/parse_address.h +7 -7
  234. data/src/core/lib/{iomgr → address_utils}/sockaddr_utils.cc +16 -20
  235. data/src/core/lib/{iomgr → address_utils}/sockaddr_utils.h +16 -11
  236. data/src/core/lib/channel/call_tracer.h +85 -0
  237. data/src/core/lib/channel/channel_stack.cc +10 -9
  238. data/src/core/lib/channel/channel_stack.h +11 -10
  239. data/src/core/lib/channel/channel_stack_builder.cc +2 -2
  240. data/src/core/lib/channel/channel_stack_builder.h +1 -1
  241. data/src/core/lib/channel/channelz.cc +21 -13
  242. data/src/core/lib/channel/channelz.h +3 -0
  243. data/src/core/lib/channel/connected_channel.cc +4 -4
  244. data/src/core/lib/channel/context.h +3 -0
  245. data/src/core/lib/channel/handshaker.cc +7 -6
  246. data/src/core/lib/channel/handshaker.h +5 -5
  247. data/src/core/lib/channel/status_util.h +4 -0
  248. data/src/core/lib/compression/stream_compression.h +1 -1
  249. data/src/core/lib/compression/stream_compression_gzip.h +1 -1
  250. data/src/core/lib/compression/stream_compression_identity.h +1 -1
  251. data/src/core/lib/debug/stats.h +1 -1
  252. data/src/core/lib/event_engine/endpoint_config.cc +46 -0
  253. data/src/core/lib/event_engine/endpoint_config_internal.h +42 -0
  254. data/src/core/lib/event_engine/event_engine.cc +50 -0
  255. data/src/core/lib/event_engine/sockaddr.cc +40 -0
  256. data/src/core/lib/event_engine/sockaddr.h +44 -0
  257. data/src/core/lib/gpr/murmur_hash.cc +4 -2
  258. data/src/core/lib/gpr/wrap_memcpy.cc +2 -1
  259. data/src/core/lib/gprpp/manual_constructor.h +1 -1
  260. data/src/core/lib/gprpp/orphanable.h +3 -3
  261. data/src/core/lib/gprpp/ref_counted.h +28 -14
  262. data/src/core/lib/gprpp/status_helper.cc +407 -0
  263. data/src/core/lib/gprpp/status_helper.h +183 -0
  264. data/src/core/lib/gprpp/sync.h +2 -30
  265. data/src/core/lib/http/httpcli.cc +11 -11
  266. data/src/core/lib/http/httpcli_security_connector.cc +11 -7
  267. data/src/core/lib/http/parser.cc +16 -16
  268. data/src/core/lib/http/parser.h +4 -4
  269. data/src/core/lib/iomgr/buffer_list.cc +8 -10
  270. data/src/core/lib/iomgr/buffer_list.h +4 -5
  271. data/src/core/lib/iomgr/call_combiner.cc +15 -12
  272. data/src/core/lib/iomgr/call_combiner.h +12 -14
  273. data/src/core/lib/iomgr/cfstream_handle.cc +3 -3
  274. data/src/core/lib/iomgr/cfstream_handle.h +1 -1
  275. data/src/core/lib/iomgr/closure.h +7 -6
  276. data/src/core/lib/iomgr/combiner.cc +14 -12
  277. data/src/core/lib/iomgr/combiner.h +2 -2
  278. data/src/core/lib/iomgr/endpoint.cc +1 -1
  279. data/src/core/lib/iomgr/endpoint.h +2 -2
  280. data/src/core/lib/iomgr/endpoint_cfstream.cc +11 -13
  281. data/src/core/lib/iomgr/endpoint_pair_event_engine.cc +33 -0
  282. data/src/core/lib/iomgr/endpoint_pair_windows.cc +1 -1
  283. data/src/core/lib/iomgr/error.cc +168 -61
  284. data/src/core/lib/iomgr/error.h +217 -106
  285. data/src/core/lib/iomgr/error_cfstream.cc +3 -2
  286. data/src/core/lib/iomgr/error_cfstream.h +2 -2
  287. data/src/core/lib/iomgr/error_internal.h +5 -1
  288. data/src/core/lib/iomgr/ev_apple.cc +5 -5
  289. data/src/core/lib/iomgr/ev_apple.h +1 -1
  290. data/src/core/lib/iomgr/ev_epoll1_linux.cc +19 -19
  291. data/src/core/lib/iomgr/ev_epollex_linux.cc +48 -45
  292. data/src/core/lib/iomgr/ev_poll_posix.cc +26 -23
  293. data/src/core/lib/iomgr/ev_posix.cc +9 -8
  294. data/src/core/lib/iomgr/ev_posix.h +9 -9
  295. data/src/core/lib/iomgr/event_engine/closure.cc +54 -0
  296. data/src/core/lib/iomgr/event_engine/closure.h +33 -0
  297. data/src/core/lib/iomgr/event_engine/endpoint.cc +192 -0
  298. data/src/core/lib/iomgr/event_engine/endpoint.h +53 -0
  299. data/src/core/lib/iomgr/event_engine/iomgr.cc +105 -0
  300. data/src/core/lib/iomgr/event_engine/iomgr.h +24 -0
  301. data/src/core/lib/iomgr/event_engine/pollset.cc +87 -0
  302. data/src/core/lib/iomgr/event_engine/pollset.h +25 -0
  303. data/src/core/lib/iomgr/event_engine/promise.h +51 -0
  304. data/src/core/lib/iomgr/event_engine/resolved_address_internal.cc +41 -0
  305. data/src/core/lib/iomgr/event_engine/resolved_address_internal.h +35 -0
  306. data/src/core/lib/iomgr/event_engine/resolver.cc +110 -0
  307. data/src/core/lib/iomgr/event_engine/tcp.cc +263 -0
  308. data/src/core/lib/iomgr/event_engine/timer.cc +57 -0
  309. data/src/core/lib/iomgr/exec_ctx.cc +12 -4
  310. data/src/core/lib/iomgr/exec_ctx.h +4 -5
  311. data/src/core/lib/iomgr/executor/threadpool.cc +2 -3
  312. data/src/core/lib/iomgr/executor/threadpool.h +2 -2
  313. data/src/core/lib/iomgr/executor.cc +8 -8
  314. data/src/core/lib/iomgr/executor.h +2 -2
  315. data/src/core/lib/iomgr/iomgr.cc +2 -2
  316. data/src/core/lib/iomgr/iomgr.h +1 -1
  317. data/src/core/lib/iomgr/iomgr_custom.cc +1 -1
  318. data/src/core/lib/iomgr/iomgr_internal.cc +2 -2
  319. data/src/core/lib/iomgr/iomgr_internal.h +3 -3
  320. data/src/core/lib/iomgr/iomgr_posix.cc +3 -1
  321. data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +42 -12
  322. data/src/core/lib/iomgr/iomgr_windows.cc +1 -1
  323. data/src/core/lib/iomgr/load_file.cc +4 -4
  324. data/src/core/lib/iomgr/load_file.h +2 -2
  325. data/src/core/lib/iomgr/lockfree_event.cc +5 -5
  326. data/src/core/lib/iomgr/lockfree_event.h +1 -1
  327. data/src/core/lib/iomgr/pollset.cc +5 -5
  328. data/src/core/lib/iomgr/pollset.h +9 -9
  329. data/src/core/lib/iomgr/pollset_custom.cc +7 -7
  330. data/src/core/lib/iomgr/pollset_custom.h +3 -1
  331. data/src/core/lib/iomgr/pollset_uv.cc +3 -1
  332. data/src/core/lib/iomgr/pollset_uv.h +5 -1
  333. data/src/core/lib/iomgr/pollset_windows.cc +5 -5
  334. data/src/core/lib/iomgr/port.h +7 -5
  335. data/src/core/lib/iomgr/python_util.h +2 -2
  336. data/src/core/lib/iomgr/resolve_address.cc +8 -4
  337. data/src/core/lib/iomgr/resolve_address.h +12 -6
  338. data/src/core/lib/iomgr/resolve_address_custom.cc +10 -9
  339. data/src/core/lib/iomgr/resolve_address_custom.h +3 -3
  340. data/src/core/lib/iomgr/resolve_address_posix.cc +3 -3
  341. data/src/core/lib/iomgr/resolve_address_windows.cc +4 -4
  342. data/src/core/lib/iomgr/resource_quota.cc +13 -10
  343. data/src/core/lib/iomgr/sockaddr.h +1 -0
  344. data/src/core/lib/iomgr/socket_mutator.cc +15 -2
  345. data/src/core/lib/iomgr/socket_mutator.h +26 -2
  346. data/src/core/lib/iomgr/socket_utils_common_posix.cc +24 -22
  347. data/src/core/lib/iomgr/socket_utils_posix.h +20 -20
  348. data/src/core/lib/iomgr/tcp_client_cfstream.cc +4 -4
  349. data/src/core/lib/iomgr/tcp_client_custom.cc +5 -6
  350. data/src/core/lib/iomgr/tcp_client_posix.cc +22 -19
  351. data/src/core/lib/iomgr/tcp_client_posix.h +3 -4
  352. data/src/core/lib/iomgr/tcp_client_windows.cc +7 -5
  353. data/src/core/lib/iomgr/tcp_custom.cc +14 -16
  354. data/src/core/lib/iomgr/tcp_custom.h +13 -12
  355. data/src/core/lib/iomgr/tcp_posix.cc +78 -73
  356. data/src/core/lib/iomgr/tcp_posix.h +8 -0
  357. data/src/core/lib/iomgr/tcp_server.cc +6 -6
  358. data/src/core/lib/iomgr/tcp_server.h +12 -11
  359. data/src/core/lib/iomgr/tcp_server_custom.cc +26 -25
  360. data/src/core/lib/iomgr/tcp_server_posix.cc +29 -21
  361. data/src/core/lib/iomgr/tcp_server_utils_posix.h +13 -12
  362. data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +21 -18
  363. data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +9 -9
  364. data/src/core/lib/iomgr/tcp_server_utils_posix_noifaddrs.cc +4 -4
  365. data/src/core/lib/iomgr/tcp_server_windows.cc +26 -25
  366. data/src/core/lib/iomgr/tcp_uv.cc +25 -23
  367. data/src/core/lib/iomgr/tcp_windows.cc +13 -13
  368. data/src/core/lib/iomgr/tcp_windows.h +2 -2
  369. data/src/core/lib/iomgr/timer.h +6 -1
  370. data/src/core/lib/iomgr/timer_custom.cc +2 -1
  371. data/src/core/lib/iomgr/timer_custom.h +1 -1
  372. data/src/core/lib/iomgr/timer_generic.cc +6 -6
  373. data/src/core/lib/iomgr/timer_manager.cc +1 -1
  374. data/src/core/lib/iomgr/udp_server.cc +21 -20
  375. data/src/core/lib/iomgr/unix_sockets_posix.cc +3 -3
  376. data/src/core/lib/iomgr/unix_sockets_posix.h +2 -2
  377. data/src/core/lib/iomgr/unix_sockets_posix_noop.cc +10 -7
  378. data/src/core/lib/iomgr/wakeup_fd_eventfd.cc +3 -3
  379. data/src/core/lib/iomgr/wakeup_fd_pipe.cc +4 -4
  380. data/src/core/lib/iomgr/wakeup_fd_posix.cc +3 -3
  381. data/src/core/lib/iomgr/wakeup_fd_posix.h +8 -6
  382. data/src/core/lib/iomgr/work_serializer.h +17 -1
  383. data/src/core/lib/json/json.h +1 -1
  384. data/src/core/lib/json/json_reader.cc +5 -6
  385. data/src/core/lib/matchers/matchers.cc +46 -58
  386. data/src/core/lib/matchers/matchers.h +30 -29
  387. data/src/core/lib/security/authorization/authorization_engine.h +44 -0
  388. data/src/core/lib/security/authorization/authorization_policy_provider.h +32 -0
  389. data/src/core/lib/security/authorization/authorization_policy_provider_vtable.cc +46 -0
  390. data/src/core/lib/security/authorization/evaluate_args.cc +209 -0
  391. data/src/core/lib/security/authorization/evaluate_args.h +91 -0
  392. data/src/core/lib/security/credentials/composite/composite_credentials.cc +4 -4
  393. data/src/core/lib/security/credentials/composite/composite_credentials.h +2 -2
  394. data/src/core/lib/security/credentials/credentials.h +2 -2
  395. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +17 -13
  396. data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +13 -11
  397. data/src/core/lib/security/credentials/external/aws_request_signer.cc +2 -1
  398. data/src/core/lib/security/credentials/external/aws_request_signer.h +1 -1
  399. data/src/core/lib/security/credentials/external/external_account_credentials.cc +15 -12
  400. data/src/core/lib/security/credentials/external/external_account_credentials.h +9 -8
  401. data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +5 -4
  402. data/src/core/lib/security/credentials/external/file_external_account_credentials.h +4 -3
  403. data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +8 -8
  404. data/src/core/lib/security/credentials/external/url_external_account_credentials.h +9 -7
  405. data/src/core/lib/security/credentials/fake/fake_credentials.cc +2 -2
  406. data/src/core/lib/security/credentials/fake/fake_credentials.h +2 -2
  407. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +12 -10
  408. data/src/core/lib/security/credentials/iam/iam_credentials.cc +2 -2
  409. data/src/core/lib/security/credentials/iam/iam_credentials.h +2 -2
  410. data/src/core/lib/security/credentials/jwt/json_token.cc +2 -2
  411. data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +3 -3
  412. data/src/core/lib/security/credentials/jwt/jwt_credentials.h +2 -2
  413. data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +7 -5
  414. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +21 -19
  415. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +5 -5
  416. data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +5 -5
  417. data/src/core/lib/security/credentials/plugin/plugin_credentials.h +2 -2
  418. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc +8 -7
  419. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h +9 -9
  420. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +68 -13
  421. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +7 -0
  422. data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc +4 -0
  423. data/src/core/lib/security/credentials/tls/tls_utils.cc +32 -0
  424. data/src/core/lib/security/credentials/tls/tls_utils.h +13 -0
  425. data/src/core/lib/security/credentials/xds/xds_credentials.cc +3 -3
  426. data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +13 -3
  427. data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +13 -3
  428. data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +2 -2
  429. data/src/core/lib/security/security_connector/insecure/insecure_security_connector.h +12 -2
  430. data/src/core/lib/security/security_connector/load_system_roots_linux.cc +1 -1
  431. data/src/core/lib/security/security_connector/local/local_security_connector.cc +22 -9
  432. data/src/core/lib/security/security_connector/security_connector.h +9 -4
  433. data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +16 -6
  434. data/src/core/lib/security/security_connector/ssl_utils.cc +27 -4
  435. data/src/core/lib/security/security_connector/ssl_utils.h +4 -4
  436. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +60 -76
  437. data/src/core/lib/security/security_connector/tls/tls_security_connector.h +66 -48
  438. data/src/core/lib/security/transport/client_auth_filter.cc +18 -10
  439. data/src/core/lib/security/transport/secure_endpoint.cc +4 -4
  440. data/src/core/lib/security/transport/security_handshaker.cc +45 -36
  441. data/src/core/lib/security/transport/server_auth_filter.cc +17 -18
  442. data/src/core/lib/security/transport/tsi_error.cc +2 -1
  443. data/src/core/lib/security/transport/tsi_error.h +2 -1
  444. data/src/core/lib/security/util/json_util.cc +2 -2
  445. data/src/core/lib/security/util/json_util.h +1 -1
  446. data/src/core/lib/slice/slice_internal.h +1 -0
  447. data/src/core/lib/surface/call.cc +72 -52
  448. data/src/core/lib/surface/call.h +13 -2
  449. data/src/core/lib/surface/channel.cc +6 -6
  450. data/src/core/lib/surface/channel.h +3 -2
  451. data/src/core/lib/surface/channel_ping.cc +1 -1
  452. data/src/core/lib/surface/completion_queue.cc +68 -69
  453. data/src/core/lib/surface/completion_queue.h +3 -2
  454. data/src/core/lib/surface/completion_queue_factory.cc +1 -2
  455. data/src/core/lib/surface/init.cc +1 -3
  456. data/src/core/lib/surface/init.h +10 -1
  457. data/src/core/lib/surface/lame_client.cc +11 -11
  458. data/src/core/lib/surface/lame_client.h +1 -1
  459. data/src/core/lib/surface/server.cc +31 -23
  460. data/src/core/lib/surface/server.h +19 -18
  461. data/src/core/lib/surface/validate_metadata.cc +7 -7
  462. data/src/core/lib/surface/validate_metadata.h +3 -2
  463. data/src/core/lib/surface/version.cc +2 -2
  464. data/src/core/lib/transport/byte_stream.cc +5 -5
  465. data/src/core/lib/transport/byte_stream.h +8 -8
  466. data/src/core/lib/transport/connectivity_state.cc +1 -1
  467. data/src/core/lib/transport/error_utils.cc +21 -10
  468. data/src/core/lib/transport/error_utils.h +11 -5
  469. data/src/core/lib/transport/metadata_batch.cc +37 -37
  470. data/src/core/lib/transport/metadata_batch.h +19 -18
  471. data/src/core/lib/transport/transport.cc +4 -3
  472. data/src/core/lib/transport/transport.h +6 -4
  473. data/src/core/lib/transport/transport_op_string.cc +6 -6
  474. data/src/core/plugin_registry/grpc_plugin_registry.cc +4 -0
  475. data/src/core/tsi/alts/crypt/gsec.h +6 -0
  476. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +5 -4
  477. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +7 -6
  478. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker_private.h +2 -1
  479. data/src/core/tsi/ssl_transport_security.cc +32 -14
  480. data/src/core/tsi/ssl_transport_security.h +3 -4
  481. data/src/ruby/bin/math_services_pb.rb +1 -1
  482. data/src/ruby/ext/grpc/extconf.rb +2 -0
  483. data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +6 -0
  484. data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +11 -2
  485. data/src/ruby/lib/grpc/version.rb +1 -1
  486. data/src/ruby/pb/grpc/health/v1/health_services_pb.rb +1 -1
  487. data/src/ruby/pb/src/proto/grpc/testing/test_services_pb.rb +6 -6
  488. data/third_party/abseil-cpp/absl/algorithm/container.h +3 -3
  489. data/third_party/abseil-cpp/absl/base/attributes.h +24 -4
  490. data/third_party/abseil-cpp/absl/base/call_once.h +2 -9
  491. data/third_party/abseil-cpp/absl/base/config.h +37 -9
  492. data/third_party/abseil-cpp/absl/base/dynamic_annotations.h +24 -10
  493. data/third_party/abseil-cpp/absl/base/internal/direct_mmap.h +4 -1
  494. data/third_party/abseil-cpp/absl/base/internal/endian.h +61 -0
  495. data/third_party/abseil-cpp/absl/base/internal/low_level_scheduling.h +2 -3
  496. data/third_party/abseil-cpp/absl/base/internal/raw_logging.cc +34 -32
  497. data/third_party/abseil-cpp/absl/base/internal/raw_logging.h +16 -6
  498. data/third_party/abseil-cpp/absl/base/internal/spinlock.cc +11 -2
  499. data/third_party/abseil-cpp/absl/base/internal/spinlock.h +14 -5
  500. data/third_party/abseil-cpp/absl/base/internal/spinlock_akaros.inc +2 -2
  501. data/third_party/abseil-cpp/absl/base/internal/spinlock_linux.inc +3 -3
  502. data/third_party/abseil-cpp/absl/base/internal/spinlock_posix.inc +2 -2
  503. data/third_party/abseil-cpp/absl/base/internal/spinlock_wait.h +11 -11
  504. data/third_party/abseil-cpp/absl/base/internal/spinlock_win32.inc +5 -5
  505. data/third_party/abseil-cpp/absl/base/internal/sysinfo.cc +1 -1
  506. data/third_party/abseil-cpp/absl/base/internal/thread_identity.cc +5 -2
  507. data/third_party/abseil-cpp/absl/base/internal/thread_identity.h +43 -42
  508. data/third_party/abseil-cpp/absl/base/internal/throw_delegate.cc +111 -7
  509. data/third_party/abseil-cpp/absl/base/internal/unaligned_access.h +0 -76
  510. data/third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc +1 -3
  511. data/third_party/abseil-cpp/absl/base/log_severity.h +4 -4
  512. data/third_party/abseil-cpp/absl/base/macros.h +11 -0
  513. data/third_party/abseil-cpp/absl/base/optimization.h +10 -7
  514. data/third_party/abseil-cpp/absl/base/options.h +1 -1
  515. data/third_party/abseil-cpp/absl/base/port.h +0 -1
  516. data/third_party/abseil-cpp/absl/base/thread_annotations.h +1 -1
  517. data/third_party/abseil-cpp/absl/container/fixed_array.h +2 -2
  518. data/third_party/abseil-cpp/absl/container/inlined_vector.h +5 -3
  519. data/third_party/abseil-cpp/absl/container/internal/compressed_tuple.h +1 -1
  520. data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc +5 -1
  521. data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.h +2 -1
  522. data/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc +2 -1
  523. data/third_party/abseil-cpp/absl/container/internal/inlined_vector.h +141 -66
  524. data/third_party/abseil-cpp/absl/container/internal/layout.h +4 -4
  525. data/third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc +14 -1
  526. data/third_party/abseil-cpp/absl/container/internal/raw_hash_set.h +136 -136
  527. data/third_party/abseil-cpp/absl/debugging/internal/demangle.cc +16 -12
  528. data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_aarch64-inl.inc +5 -2
  529. data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_config.h +3 -12
  530. data/third_party/abseil-cpp/absl/debugging/internal/stacktrace_powerpc-inl.inc +6 -1
  531. data/third_party/abseil-cpp/absl/debugging/internal/symbolize.h +3 -5
  532. data/third_party/abseil-cpp/absl/debugging/symbolize_darwin.inc +2 -2
  533. data/third_party/abseil-cpp/absl/debugging/symbolize_elf.inc +2 -2
  534. data/third_party/abseil-cpp/absl/hash/internal/city.cc +15 -12
  535. data/third_party/abseil-cpp/absl/hash/internal/city.h +1 -19
  536. data/third_party/abseil-cpp/absl/hash/internal/hash.cc +25 -10
  537. data/third_party/abseil-cpp/absl/hash/internal/hash.h +86 -37
  538. data/third_party/abseil-cpp/absl/hash/internal/wyhash.cc +111 -0
  539. data/third_party/abseil-cpp/absl/hash/internal/wyhash.h +48 -0
  540. data/third_party/abseil-cpp/absl/meta/type_traits.h +16 -2
  541. data/third_party/abseil-cpp/absl/numeric/bits.h +177 -0
  542. data/third_party/abseil-cpp/absl/numeric/int128.cc +3 -3
  543. data/third_party/abseil-cpp/absl/numeric/internal/bits.h +358 -0
  544. data/third_party/abseil-cpp/absl/numeric/internal/representation.h +55 -0
  545. data/third_party/abseil-cpp/absl/status/internal/status_internal.h +18 -0
  546. data/third_party/abseil-cpp/absl/status/internal/statusor_internal.h +4 -7
  547. data/third_party/abseil-cpp/absl/status/status.cc +29 -22
  548. data/third_party/abseil-cpp/absl/status/status.h +81 -20
  549. data/third_party/abseil-cpp/absl/status/statusor.h +3 -3
  550. data/third_party/abseil-cpp/absl/strings/charconv.cc +5 -5
  551. data/third_party/abseil-cpp/absl/strings/cord.cc +326 -371
  552. data/third_party/abseil-cpp/absl/strings/cord.h +182 -64
  553. data/third_party/abseil-cpp/absl/strings/escaping.cc +4 -4
  554. data/third_party/abseil-cpp/absl/strings/internal/charconv_parse.cc +6 -6
  555. data/third_party/abseil-cpp/absl/strings/internal/cord_internal.cc +83 -0
  556. data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +387 -17
  557. data/third_party/abseil-cpp/absl/strings/internal/cord_rep_flat.h +146 -0
  558. data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring.cc +897 -0
  559. data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring.h +589 -0
  560. data/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring_reader.h +114 -0
  561. data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.cc +14 -0
  562. data/third_party/abseil-cpp/absl/strings/internal/str_format/arg.h +14 -0
  563. data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.cc +15 -1
  564. data/third_party/abseil-cpp/absl/strings/internal/str_format/bind.h +19 -4
  565. data/third_party/abseil-cpp/absl/strings/internal/str_format/checker.h +14 -0
  566. data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.cc +36 -18
  567. data/third_party/abseil-cpp/absl/strings/internal/str_format/float_conversion.h +14 -0
  568. data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.cc +14 -0
  569. data/third_party/abseil-cpp/absl/strings/internal/str_format/parser.h +14 -0
  570. data/third_party/abseil-cpp/absl/strings/internal/str_split_internal.h +15 -40
  571. data/third_party/abseil-cpp/absl/strings/internal/string_constant.h +64 -0
  572. data/third_party/abseil-cpp/absl/strings/match.cc +6 -3
  573. data/third_party/abseil-cpp/absl/strings/match.h +16 -6
  574. data/third_party/abseil-cpp/absl/strings/numbers.cc +132 -4
  575. data/third_party/abseil-cpp/absl/strings/numbers.h +10 -10
  576. data/third_party/abseil-cpp/absl/strings/str_join.h +1 -1
  577. data/third_party/abseil-cpp/absl/strings/str_split.h +38 -4
  578. data/third_party/abseil-cpp/absl/synchronization/internal/futex.h +154 -0
  579. data/third_party/abseil-cpp/absl/synchronization/internal/kernel_timeout.h +2 -1
  580. data/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.cc +2 -2
  581. data/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.h +4 -4
  582. data/third_party/abseil-cpp/absl/synchronization/internal/waiter.cc +1 -65
  583. data/third_party/abseil-cpp/absl/synchronization/internal/waiter.h +2 -6
  584. data/third_party/abseil-cpp/absl/synchronization/mutex.cc +71 -59
  585. data/third_party/abseil-cpp/absl/synchronization/mutex.h +79 -62
  586. data/third_party/abseil-cpp/absl/time/clock.cc +146 -130
  587. data/third_party/abseil-cpp/absl/time/clock.h +2 -2
  588. data/third_party/abseil-cpp/absl/time/duration.cc +3 -2
  589. data/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time_detail.h +7 -11
  590. data/third_party/abseil-cpp/absl/time/internal/cctz/src/time_zone_libc.cc +7 -1
  591. data/third_party/abseil-cpp/absl/time/internal/cctz/src/tzfile.h +4 -4
  592. data/third_party/abseil-cpp/absl/time/time.cc +4 -3
  593. data/third_party/abseil-cpp/absl/time/time.h +26 -24
  594. data/third_party/abseil-cpp/absl/types/internal/variant.h +1 -1
  595. data/third_party/abseil-cpp/absl/types/variant.h +9 -4
  596. data/third_party/boringssl-with-bazel/err_data.c +483 -461
  597. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +1 -1
  598. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +9 -7
  599. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +18 -8
  600. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +1 -2
  601. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_locl.h +5 -0
  602. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +1 -1
  603. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +1 -1
  604. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +4 -0
  605. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +1 -88
  606. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -3
  607. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +119 -273
  608. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +1 -1
  609. data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +1 -1
  610. data/third_party/boringssl-with-bazel/src/crypto/err/err.c +87 -80
  611. data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +9 -0
  612. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +1 -0
  613. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +1 -1
  614. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +0 -4
  615. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +11 -3
  616. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +25 -2
  617. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +7 -0
  618. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digests.c +10 -2
  619. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/md32_common.h +87 -160
  620. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +4 -0
  621. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +0 -1
  622. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +0 -4
  623. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +104 -93
  624. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +39 -0
  625. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +52 -65
  626. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md5/md5.c +52 -66
  627. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +33 -22
  628. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +9 -8
  629. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +9 -8
  630. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +17 -13
  631. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +1 -22
  632. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +2 -1
  633. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +1 -4
  634. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +0 -13
  635. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +26 -7
  636. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +26 -24
  637. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +10 -7
  638. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +79 -0
  639. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +14 -9
  640. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +61 -75
  641. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +80 -103
  642. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +40 -49
  643. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +367 -315
  644. data/third_party/boringssl-with-bazel/src/crypto/internal.h +65 -0
  645. data/third_party/boringssl-with-bazel/src/crypto/mem.c +14 -0
  646. data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +3 -3
  647. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +5 -3
  648. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +95 -48
  649. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +2 -2
  650. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c +1 -1
  651. data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_asn1.c +1 -2
  652. data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +0 -28
  653. data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +120 -11
  654. data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +2 -0
  655. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +3 -0
  656. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +19 -25
  657. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +3 -2
  658. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +42 -89
  659. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +9 -16
  660. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +2 -0
  661. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +14 -15
  662. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +53 -73
  663. data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +31 -0
  664. data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +3 -0
  665. data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +21 -17
  666. data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +3 -0
  667. data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +7 -25
  668. data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +5 -0
  669. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +25 -22
  670. data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +5 -8
  671. data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +5 -0
  672. data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +2 -0
  673. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +3 -0
  674. data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +7 -0
  675. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +2 -4
  676. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +1 -1
  677. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +1 -0
  678. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +5 -8
  679. data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +1 -4
  680. data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +66 -1
  681. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +120 -41
  682. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +47 -7
  683. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +1 -0
  684. data/third_party/boringssl-with-bazel/src/include/openssl/chacha.h +1 -1
  685. data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +0 -8
  686. data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +24 -4
  687. data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +6 -2
  688. data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +5 -2
  689. data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +33 -0
  690. data/third_party/boringssl-with-bazel/src/include/openssl/err.h +3 -2
  691. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +20 -49
  692. data/third_party/boringssl-with-bazel/src/{crypto/x509/x509_r2x.c → include/openssl/evp_errors.h} +41 -58
  693. data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +325 -0
  694. data/third_party/boringssl-with-bazel/src/include/openssl/obj.h +24 -5
  695. data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +25 -7
  696. data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +9 -1
  697. data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +2 -2
  698. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +99 -63
  699. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +283 -85
  700. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +13 -19
  701. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +445 -152
  702. data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +451 -435
  703. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +2 -1
  704. data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +7 -2
  705. data/third_party/boringssl-with-bazel/src/ssl/d1_srtp.cc +1 -1
  706. data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +1133 -0
  707. data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +298 -22
  708. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +66 -30
  709. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +189 -86
  710. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +154 -24
  711. data/third_party/boringssl-with-bazel/src/ssl/internal.h +414 -135
  712. data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +9 -3
  713. data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
  714. data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +14 -19
  715. data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +4 -6
  716. data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +23 -26
  717. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +51 -60
  718. data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +2 -0
  719. data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +8 -31
  720. data/third_party/boringssl-with-bazel/src/ssl/ssl_stat.cc +3 -0
  721. data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +4 -3
  722. data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +7 -3
  723. data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +664 -702
  724. data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +65 -7
  725. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +98 -39
  726. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +141 -94
  727. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +213 -118
  728. data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +4 -2
  729. data/third_party/xxhash/xxhash.h +77 -195
  730. metadata +116 -51
  731. data/src/core/lib/gpr/arena.h +0 -47
  732. data/src/core/lib/iomgr/poller/eventmanager_libuv.cc +0 -88
  733. data/src/core/lib/iomgr/poller/eventmanager_libuv.h +0 -88
  734. data/third_party/abseil-cpp/absl/base/internal/bits.h +0 -219
  735. data/third_party/abseil-cpp/absl/synchronization/internal/mutex_nonprod.inc +0 -249
  736. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/is_fips.c +0 -29
  737. data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +0 -246
  738. data/third_party/boringssl-with-bazel/src/crypto/x509/vpm_int.h +0 -71
@@ -175,7 +175,9 @@ OPENSSL_EXPORT int i2d_PKCS12_fp(FILE *fp, const PKCS12 *p12);
175
175
  //
176
176
  // Note if |p12| does not contain a private key, both |*out_pkey| and
177
177
  // |*out_cert| will be set to NULL and all certificates will be returned via
178
- // |*out_ca_certs|.
178
+ // |*out_ca_certs|. Also note this function differs from OpenSSL in that extra
179
+ // certificates are returned in the order they appear in the file. OpenSSL 1.1.1
180
+ // returns them in reverse order, but this will be fixed in OpenSSL 3.0.
179
181
  //
180
182
  // It returns one on success and zero on error.
181
183
  //
@@ -206,6 +208,12 @@ OPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
206
208
  // Each of |key_nid|, |cert_nid|, |iterations|, and |mac_iterations| may be zero
207
209
  // to use defaults, which are |NID_pbe_WithSHA1And3_Key_TripleDES_CBC|,
208
210
  // |NID_pbe_WithSHA1And40BitRC2_CBC|, 2048, and one, respectively.
211
+ //
212
+ // |key_nid| or |cert_nid| may also be -1 to disable encryption of the key or
213
+ // certificate, respectively. This option is not recommended and is only
214
+ // implemented for compatibility with external packages. Note the output still
215
+ // requires a password for the MAC. Unencrypted keys in PKCS#12 are also not
216
+ // widely supported and may not open in other implementations.
209
217
  OPENSSL_EXPORT PKCS12 *PKCS12_create(const char *password, const char *name,
210
218
  const EVP_PKEY *pkey, X509 *cert,
211
219
  const STACK_OF(X509) *chain, int key_nid,
@@ -103,8 +103,8 @@ OPENSSL_EXPORT RAND_METHOD *RAND_OpenSSL(void);
103
103
  // RAND_get_rand_method returns |RAND_SSLeay()|.
104
104
  OPENSSL_EXPORT const RAND_METHOD *RAND_get_rand_method(void);
105
105
 
106
- // RAND_set_rand_method does nothing.
107
- OPENSSL_EXPORT void RAND_set_rand_method(const RAND_METHOD *);
106
+ // RAND_set_rand_method returns one.
107
+ OPENSSL_EXPORT int RAND_set_rand_method(const RAND_METHOD *);
108
108
 
109
109
 
110
110
  #if defined(__cplusplus)
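Review bot: The rewritten comment on new line 106 says only that RAND_set_rand_method `returns one` and drops the old statement that it does nothing, so a reader of the header can no longer tell whether the supplied RAND_METHOD is installed or ignored. Presumably the body still discards its argument, as the removed comment stated; if so, keep both facts in the comment: `// RAND_set_rand_method does nothing and returns one. The supplied method is ignored and the library RNG is not replaced.` The return type change from void to int is source-compatible for callers that ignore the result, but it is an ABI change for binaries built against the previous declaration, which is worth a line in the release notes if this header is part of the public surface. The declaration is complete within this hunk.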
@@ -283,120 +283,155 @@ OPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from,
283
283
  // These functions are considered non-mutating for thread-safety purposes and
284
284
  // may be used concurrently.
285
285
 
286
- // RSA_sign signs |in_len| bytes of digest from |in| with |rsa| using
286
+ // RSA_sign signs |digest_len| bytes of digest from |digest| with |rsa| using
287
287
  // RSASSA-PKCS1-v1_5. It writes, at most, |RSA_size(rsa)| bytes to |out|. On
288
288
  // successful return, the actual number of bytes written is written to
289
289
  // |*out_len|.
290
290
  //
291
- // The |hash_nid| argument identifies the hash function used to calculate |in|
292
- // and is embedded in the resulting signature. For example, it might be
291
+ // The |hash_nid| argument identifies the hash function used to calculate
292
+ // |digest| and is embedded in the resulting signature. For example, it might be
293
293
  // |NID_sha256|.
294
294
  //
295
295
  // It returns 1 on success and zero on error.
296
- OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *in,
297
- unsigned int in_len, uint8_t *out,
298
- unsigned int *out_len, RSA *rsa);
296
+ //
297
+ // WARNING: |digest| must be the result of hashing the data to be signed with
298
+ // |hash_nid|. Passing unhashed inputs will not result in a secure signature
299
+ // scheme.
300
+ OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *digest,
301
+ unsigned digest_len, uint8_t *out,
302
+ unsigned *out_len, RSA *rsa);
299
303
 
300
- // RSA_sign_pss_mgf1 signs |in_len| bytes from |in| with the public key from
301
- // |rsa| using RSASSA-PSS with MGF1 as the mask generation function. It writes,
302
- // at most, |max_out| bytes of signature data to |out|. The |max_out| argument
303
- // must be, at least, |RSA_size| in order to ensure success. It returns 1 on
304
- // success or zero on error.
304
+ // RSA_sign_pss_mgf1 signs |digest_len| bytes from |digest| with the public key
305
+ // from |rsa| using RSASSA-PSS with MGF1 as the mask generation function. It
306
+ // writes, at most, |max_out| bytes of signature data to |out|. The |max_out|
307
+ // argument must be, at least, |RSA_size| in order to ensure success. It returns
308
+ // 1 on success or zero on error.
305
309
  //
306
- // The |md| and |mgf1_md| arguments identify the hash used to calculate |msg|
310
+ // The |md| and |mgf1_md| arguments identify the hash used to calculate |digest|
307
311
  // and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is
308
312
  // used.
309
313
  //
310
314
  // |salt_len| specifies the expected salt length in bytes. If |salt_len| is -1,
311
315
  // then the salt length is the same as the hash length. If -2, then the salt
312
316
  // length is maximal given the size of |rsa|. If unsure, use -1.
317
+ //
318
+ // WARNING: |digest| must be the result of hashing the data to be signed with
319
+ // |md|. Passing unhashed inputs will not result in a secure signature scheme.
313
320
  OPENSSL_EXPORT int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out,
314
- size_t max_out, const uint8_t *in,
315
- size_t in_len, const EVP_MD *md,
321
+ size_t max_out, const uint8_t *digest,
322
+ size_t digest_len, const EVP_MD *md,
316
323
  const EVP_MD *mgf1_md, int salt_len);
317
324
 
318
- // RSA_sign_raw signs |in_len| bytes from |in| with the public key from |rsa|
319
- // and writes, at most, |max_out| bytes of signature data to |out|. The
320
- // |max_out| argument must be, at least, |RSA_size| in order to ensure success.
321
- //
322
- // It returns 1 on success or zero on error.
323
- //
324
- // The |padding| argument must be one of the |RSA_*_PADDING| values. If in
325
- // doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING|
326
- // (via |RSA_sign_pss_mgf1| or the |EVP_PKEY| interface) is preferred for new
327
- // protocols.
325
+ // RSA_sign_raw performs the private key portion of computing a signature with
326
+ // |rsa|. It writes, at most, |max_out| bytes of signature data to |out|. The
327
+ // |max_out| argument must be, at least, |RSA_size| in order to ensure the
328
+ // output fits. It returns 1 on success or zero on error.
329
+ //
330
+ // If |padding| is |RSA_PKCS1_PADDING|, this function wraps |in| with the
331
+ // padding portion of RSASSA-PKCS1-v1_5 and then performs the raw private key
332
+ // operation. The caller is responsible for hashing the input and wrapping it in
333
+ // a DigestInfo structure.
334
+ //
335
+ // If |padding| is |RSA_NO_PADDING|, this function only performs the raw private
336
+ // key operation, interpreting |in| as a integer modulo n. The caller is
337
+ // responsible for hashing the input and encoding it for the signature scheme
338
+ // being implemented.
339
+ //
340
+ // WARNING: This function is a building block for a signature scheme, not a
341
+ // complete one. |in| must be the result of hashing and encoding the data as
342
+ // needed for the scheme being implemented. Passing in arbitrary inputs will not
343
+ // result in a secure signature scheme.
328
344
  OPENSSL_EXPORT int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
329
345
  size_t max_out, const uint8_t *in,
330
346
  size_t in_len, int padding);
331
347
 
332
348
  // RSA_verify verifies that |sig_len| bytes from |sig| are a valid,
333
- // RSASSA-PKCS1-v1_5 signature of |msg_len| bytes at |msg| by |rsa|.
349
+ // RSASSA-PKCS1-v1_5 signature of |digest_len| bytes at |digest| by |rsa|.
334
350
  //
335
- // The |hash_nid| argument identifies the hash function used to calculate |msg|
336
- // and is embedded in the resulting signature in order to prevent hash
351
+ // The |hash_nid| argument identifies the hash function used to calculate
352
+ // |digest| and is embedded in the resulting signature in order to prevent hash
337
353
  // confusion attacks. For example, it might be |NID_sha256|.
338
354
  //
339
355
  // It returns one if the signature is valid and zero otherwise.
340
356
  //
341
357
  // WARNING: this differs from the original, OpenSSL function which additionally
342
358
  // returned -1 on error.
343
- OPENSSL_EXPORT int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
344
- const uint8_t *sig, size_t sig_len, RSA *rsa);
359
+ //
360
+ // WARNING: |digest| must be the result of hashing the data to be verified with
361
+ // |hash_nid|. Passing unhashed input will not result in a secure signature
362
+ // scheme.
363
+ OPENSSL_EXPORT int RSA_verify(int hash_nid, const uint8_t *digest,
364
+ size_t digest_len, const uint8_t *sig,
365
+ size_t sig_len, RSA *rsa);
345
366
 
346
367
  // RSA_verify_pss_mgf1 verifies that |sig_len| bytes from |sig| are a valid,
347
- // RSASSA-PSS signature of |msg_len| bytes at |msg| by |rsa|. It returns one if
348
- // the signature is valid and zero otherwise. MGF1 is used as the mask
368
+ // RSASSA-PSS signature of |digest_len| bytes at |digest| by |rsa|. It returns
369
+ // one if the signature is valid and zero otherwise. MGF1 is used as the mask
349
370
  // generation function.
350
371
  //
351
- // The |md| and |mgf1_md| arguments identify the hash used to calculate |msg|
372
+ // The |md| and |mgf1_md| arguments identify the hash used to calculate |digest|
352
373
  // and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is
353
374
  // used. |salt_len| specifies the expected salt length in bytes.
354
375
  //
355
376
  // If |salt_len| is -1, then the salt length is the same as the hash length. If
356
377
  // -2, then the salt length is recovered and all values accepted. If unsure, use
357
378
  // -1.
358
- OPENSSL_EXPORT int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg,
359
- size_t msg_len, const EVP_MD *md,
379
+ //
380
+ // WARNING: |digest| must be the result of hashing the data to be verified with
381
+ // |md|. Passing unhashed input will not result in a secure signature scheme.
382
+ OPENSSL_EXPORT int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest,
383
+ size_t digest_len, const EVP_MD *md,
360
384
  const EVP_MD *mgf1_md, int salt_len,
361
385
  const uint8_t *sig, size_t sig_len);
362
386
 
363
- // RSA_verify_raw verifies |in_len| bytes of signature from |in| using the
364
- // public key from |rsa| and writes, at most, |max_out| bytes of plaintext to
365
- // |out|. The |max_out| argument must be, at least, |RSA_size| in order to
366
- // ensure success.
387
+ // RSA_verify_raw performs the public key portion of verifying |in_len| bytes of
388
+ // signature from |in| using the public key from |rsa|. On success, it returns
389
+ // one and writes, at most, |max_out| bytes of output to |out|. The |max_out|
390
+ // argument must be, at least, |RSA_size| in order to ensure the output fits. On
391
+ // failure or invalid input, it returns zero.
367
392
  //
368
- // It returns 1 on success or zero on error.
393
+ // If |padding| is |RSA_PKCS1_PADDING|, this function checks the padding portion
394
+ // of RSASSA-PKCS1-v1_5 and outputs the remainder of the encoded digest. The
395
+ // caller is responsible for checking the output is a DigestInfo-wrapped digest
396
+ // of the message.
369
397
  //
370
- // The |padding| argument must be one of the |RSA_*_PADDING| values. If in
371
- // doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING|
372
- // (via |RSA_verify_pss_mgf1| or the |EVP_PKEY| interface) is preferred for new
373
- // protocols.
398
+ // If |padding| is |RSA_NO_PADDING|, this function only performs the raw public
399
+ // key operation. The caller is responsible for checking the output is a valid
400
+ // result for the signature scheme being implemented.
401
+ //
402
+ // WARNING: This function is a building block for a signature scheme, not a
403
+ // complete one. Checking for arbitrary strings in |out| will not result in a
404
+ // secure signature scheme.
374
405
  OPENSSL_EXPORT int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out,
375
406
  size_t max_out, const uint8_t *in,
376
407
  size_t in_len, int padding);
377
408
 
378
- // RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
379
- // |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
380
- // least |RSA_size| bytes of space. It returns the number of bytes written, or
381
- // -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
382
- // values. If in doubt, |RSA_PKCS1_PADDING| is the most common but
383
- // |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for new
384
- // protocols.
409
+ // RSA_private_encrypt performs the private key portion of computing a signature
410
+ // with |rsa|. It takes |flen| bytes from |from| as input and writes the result
411
+ // to |to|. The |to| buffer must have at least |RSA_size| bytes of space. It
412
+ // returns the number of bytes written, or -1 on error.
385
413
  //
386
- // WARNING: this function is dangerous because it breaks the usual return value
414
+ // For the interpretation of |padding| and the input, see |RSA_sign_raw|.
415
+ //
416
+ // WARNING: This function is a building block for a signature scheme, not a
417
+ // complete one. See |RSA_sign_raw| for details.
418
+ //
419
+ // WARNING: This function is dangerous because it breaks the usual return value
387
420
  // convention. Use |RSA_sign_raw| instead.
388
421
  OPENSSL_EXPORT int RSA_private_encrypt(size_t flen, const uint8_t *from,
389
422
  uint8_t *to, RSA *rsa, int padding);
390
423
 
391
- // RSA_public_decrypt verifies |flen| bytes of signature from |from| using the
392
- // public key in |rsa| and writes the plaintext to |to|. The |to| buffer must
393
- // have at least |RSA_size| bytes of space. It returns the number of bytes
394
- // written, or -1 on error. The |padding| argument must be one of the
395
- // |RSA_*_PADDING| values. If in doubt, |RSA_PKCS1_PADDING| is the most common
396
- // but |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for
397
- // new protocols.
424
+ // RSA_public_decrypt performs the public key portion of verifying |flen| bytes
425
+ // of signature from |from| using the public key from |rsa|. It writes the
426
+ // result to |to|, which must have at least |RSA_size| bytes of space. It
427
+ // returns the number of bytes written, or -1 on error.
398
428
  //
399
- // WARNING: this function is dangerous because it breaks the usual return value
429
+ // For the interpretation of |padding| and the result, see |RSA_verify_raw|.
430
+ //
431
+ // WARNING: This function is a building block for a signature scheme, not a
432
+ // complete one. See |RSA_verify_raw| for details.
433
+ //
434
+ // WARNING: This function is dangerous because it breaks the usual return value
400
435
  // convention. Use |RSA_verify_raw| instead.
401
436
  OPENSSL_EXPORT int RSA_public_decrypt(size_t flen, const uint8_t *from,
402
437
  uint8_t *to, RSA *rsa, int padding);
@@ -479,13 +514,14 @@ OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP_mgf1(
479
514
  const uint8_t *param, size_t param_len, const EVP_MD *md,
480
515
  const EVP_MD *mgf1md);
481
516
 
482
- // RSA_add_pkcs1_prefix builds a version of |msg| prefixed with the DigestInfo
483
- // header for the given hash function and sets |out_msg| to point to it. On
484
- // successful return, if |*is_alloced| is one, the caller must release
517
+ // RSA_add_pkcs1_prefix builds a version of |digest| prefixed with the
518
+ // DigestInfo header for the given hash function and sets |out_msg| to point to
519
+ // it. On successful return, if |*is_alloced| is one, the caller must release
485
520
  // |*out_msg| with |OPENSSL_free|.
486
521
  OPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
487
522
  int *is_alloced, int hash_nid,
488
- const uint8_t *msg, size_t msg_len);
523
+ const uint8_t *digest,
524
+ size_t digest_len);
489
525
 
490
526
 
491
527
  // ASN.1 functions.
@@ -508,12 +508,10 @@ OPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code);
508
508
  // TODO(davidben): Remove this. It's used by accept BIOs which are bizarre.
509
509
  #define SSL_ERROR_WANT_ACCEPT 8
510
510
 
511
- // SSL_ERROR_WANT_CHANNEL_ID_LOOKUP indicates the operation failed looking up
512
- // the Channel ID key. The caller may retry the operation when |channel_id_cb|
513
- // is ready to return a key or one has been configured with
514
- // |SSL_set1_tls_channel_id|.
511
+ // SSL_ERROR_WANT_CHANNEL_ID_LOOKUP is never used.
515
512
  //
516
- // See also |SSL_CTX_set_channel_id_cb|.
513
+ // TODO(davidben): Remove this. Some callers reference it when stringifying
514
+ // errors. They should use |SSL_error_description| instead.
517
515
  #define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9
518
516
 
519
517
  // SSL_ERROR_PENDING_SESSION indicates the operation failed because the session
@@ -567,6 +565,11 @@ OPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code);
567
565
  // See also |ssl_renegotiate_explicit|.
568
566
  #define SSL_ERROR_WANT_RENEGOTIATE 19
569
567
 
568
+ // SSL_ERROR_HANDSHAKE_HINTS_READY indicates the handshake has progressed enough
569
+ // for |SSL_serialize_handshake_hints| to be called. See also
570
+ // |SSL_request_handshake_hints|.
571
+ #define SSL_ERROR_HANDSHAKE_HINTS_READY 20
572
+
570
573
  // SSL_error_description returns a string representation of |err|, where |err|
571
574
  // is one of the |SSL_ERROR_*| constants returned by |SSL_get_error|, or NULL
572
575
  // if the value is unrecognized.
@@ -1276,6 +1279,15 @@ OPENSSL_EXPORT void SSL_set_private_key_method(
1276
1279
  OPENSSL_EXPORT void SSL_CTX_set_private_key_method(
1277
1280
  SSL_CTX *ctx, const SSL_PRIVATE_KEY_METHOD *key_method);
1278
1281
 
1282
+ // SSL_can_release_private_key returns one if |ssl| will no longer call into the
1283
+ // private key and zero otherwise. If the function returns one, the caller can
1284
+ // release state associated with the private key.
1285
+ //
1286
+ // NOTE: This function assumes the caller does not use |SSL_clear| to reuse
1287
+ // |ssl| for a second connection. If |SSL_clear| is used, BoringSSL may still
1288
+ // use the private key on the second connection.
1289
+ OPENSSL_EXPORT int SSL_can_release_private_key(const SSL *ssl);
1290
+
1279
1291
 
1280
1292
  // Cipher suites.
1281
1293
  //
@@ -1779,8 +1791,10 @@ OPENSSL_EXPORT int SSL_SESSION_set1_id_context(SSL_SESSION *session,
1779
1791
  // used without leaking a correlator.
1780
1792
  OPENSSL_EXPORT int SSL_SESSION_should_be_single_use(const SSL_SESSION *session);
1781
1793
 
1782
- // SSL_SESSION_is_resumable returns one if |session| is resumable and zero
1783
- // otherwise.
1794
+ // SSL_SESSION_is_resumable returns one if |session| is complete and contains a
1795
+ // session ID or ticket. It returns zero otherwise. Note this function does not
1796
+ // ensure |session| will be resumed. It may be expired, dropped by the server,
1797
+ // or associated with incompatible parameters.
1784
1798
  OPENSSL_EXPORT int SSL_SESSION_is_resumable(const SSL_SESSION *session);
1785
1799
 
1786
1800
  // SSL_SESSION_has_ticket returns one if |session| has a ticket and zero
@@ -2723,8 +2737,9 @@ OPENSSL_EXPORT SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx);
2723
2737
 
2724
2738
  // SSL_CTX_set_alpn_protos sets the client ALPN protocol list on |ctx| to
2725
2739
  // |protos|. |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
2726
- // length-prefixed strings). It returns zero on success and one on failure.
2727
- // Configuring this list enables ALPN on a client.
2740
+ // length-prefixed strings), or the empty string to disable ALPN. It returns
2741
+ // zero on success and one on failure. Configuring a non-empty string enables
2742
+ // ALPN on a client.
2728
2743
  //
2729
2744
  // WARNING: this function is dangerous because it breaks the usual return value
2730
2745
  // convention.
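Review bot: The rewritten wording at lines 2740–2742 says "the empty string" disables ALPN, but for a pointer-plus-length API it does not say whether that means a zero length, a NULL |protos|, or either, which a caller clearing a previously configured list needs to know. I would state the condition the implementation actually checks, e.g. `// length-prefixed strings), or a zero-length list to disable ALPN and clear any previously configured list.` The length parameter and the remainder of the declaration are outside this hunk, so I cannot confirm its name from here.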
@@ -2733,8 +2748,9 @@ OPENSSL_EXPORT int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
2733
2748
 
2734
2749
  // SSL_set_alpn_protos sets the client ALPN protocol list on |ssl| to |protos|.
2735
2750
  // |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
2736
- // length-prefixed strings). It returns zero on success and one on failure.
2737
- // Configuring this list enables ALPN on a client.
2751
+ // length-prefixed strings), or the empty string to disable ALPN. It returns
2752
+ // zero on success and one on failure. Configuring a non-empty string enables
2753
+ // ALPN on a client.
2738
2754
  //
2739
2755
  // WARNING: this function is dangerous because it breaks the usual return value
2740
2756
  // convention.
@@ -2956,15 +2972,16 @@ OPENSSL_EXPORT int SSL_select_next_proto(uint8_t **out, uint8_t *out_len,
2956
2972
 
2957
2973
  // Channel ID.
2958
2974
  //
2959
- // See draft-balfanz-tls-channelid-01.
2975
+ // See draft-balfanz-tls-channelid-01. This is an old, experimental mechanism
2976
+ // and should not be used in new code.
2960
2977
 
2961
2978
  // SSL_CTX_set_tls_channel_id_enabled configures whether connections associated
2962
- // with |ctx| should enable Channel ID.
2979
+ // with |ctx| should enable Channel ID as a server.
2963
2980
  OPENSSL_EXPORT void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx,
2964
2981
  int enabled);
2965
2982
 
2966
2983
  // SSL_set_tls_channel_id_enabled configures whether |ssl| should enable Channel
2967
- // ID.
2984
+ // ID as a server.
2968
2985
  OPENSSL_EXPORT void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled);
2969
2986
 
2970
2987
  // SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID
@@ -2978,55 +2995,15 @@ OPENSSL_EXPORT int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx,
2978
2995
  // success and zero on error.
2979
2996
  OPENSSL_EXPORT int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key);
2980
2997
 
2981
- // SSL_get_tls_channel_id gets the client's TLS Channel ID from a server |SSL*|
2998
+ // SSL_get_tls_channel_id gets the client's TLS Channel ID from a server |SSL|
2982
2999
  // and copies up to the first |max_out| bytes into |out|. The Channel ID
2983
3000
  // consists of the client's P-256 public key as an (x,y) pair where each is a
2984
3001
  // 32-byte, big-endian field element. It returns 0 if the client didn't offer a
2985
- // Channel ID and the length of the complete Channel ID otherwise.
3002
+ // Channel ID and the length of the complete Channel ID otherwise. This function
3003
+ // always returns zero if |ssl| is a client.
2986
3004
  OPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out,
2987
3005
  size_t max_out);
2988
3006
 
2989
- // SSL_CTX_set_channel_id_cb sets a callback to be called when a TLS Channel ID
2990
- // is requested. The callback may set |*out_pkey| to a key, passing a reference
2991
- // to the caller. If none is returned, the handshake will pause and
2992
- // |SSL_get_error| will return |SSL_ERROR_WANT_CHANNEL_ID_LOOKUP|.
2993
- //
2994
- // See also |SSL_ERROR_WANT_CHANNEL_ID_LOOKUP|.
2995
- OPENSSL_EXPORT void SSL_CTX_set_channel_id_cb(
2996
- SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **out_pkey));
2997
-
2998
- // SSL_CTX_get_channel_id_cb returns the callback set by
2999
- // |SSL_CTX_set_channel_id_cb|.
3000
- OPENSSL_EXPORT void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(
3001
- SSL *ssl, EVP_PKEY **out_pkey);
3002
-
3003
-
3004
- // Token Binding.
3005
- //
3006
- // See draft-ietf-tokbind-protocol-16.
3007
-
3008
- // SSL_set_token_binding_params sets |params| as the Token Binding Key
3009
- // parameters (section 3 of draft-ietf-tokbind-protocol-16) to negotiate on the
3010
- // connection. If this function is not called, or if |len| is 0, then this
3011
- // endpoint will not attempt to negotiate Token Binding. |params| are provided
3012
- // in preference order, with the more preferred parameters at the beginning of
3013
- // the list. This function returns 1 on success and 0 on failure.
3014
- OPENSSL_EXPORT int SSL_set_token_binding_params(SSL *ssl, const uint8_t *params,
3015
- size_t len);
3016
-
3017
- // SSL_is_token_binding_negotiated returns 1 if Token Binding was negotiated
3018
- // on this connection and 0 otherwise. On a server, it is possible for this
3019
- // function to return 1 when the client's view of the connection is that Token
3020
- // Binding was not negotiated. This occurs when the server indicates a version
3021
- // of Token Binding less than the client's minimum version.
3022
- OPENSSL_EXPORT int SSL_is_token_binding_negotiated(const SSL *ssl);
3023
-
3024
- // SSL_get_negotiated_token_binding_param returns the TokenBindingKeyParameters
3025
- // enum value that was negotiated. It is only valid to call this function if
3026
- // SSL_is_token_binding_negotiated returned 1, otherwise this function returns
3027
- // an undefined value.
3028
- OPENSSL_EXPORT uint8_t SSL_get_negotiated_token_binding_param(const SSL *ssl);
3029
-
3030
3007
 
3031
3008
  // DTLS-SRTP.
3032
3009
  //
@@ -3063,8 +3040,8 @@ OPENSSL_EXPORT int SSL_CTX_set_srtp_profiles(SSL_CTX *ctx,
3063
3040
  OPENSSL_EXPORT int SSL_set_srtp_profiles(SSL *ssl, const char *profiles);
3064
3041
 
3065
3042
  // SSL_get_srtp_profiles returns the SRTP profiles supported by |ssl|.
3066
- OPENSSL_EXPORT STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(
3067
- SSL *ssl);
3043
+ OPENSSL_EXPORT const STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(
3044
+ const SSL *ssl);
3068
3045
 
3069
3046
  // SSL_get_selected_srtp_profile returns the selected SRTP profile, or NULL if
3070
3047
  // SRTP was not negotiated.
@@ -3195,7 +3172,7 @@ OPENSSL_EXPORT int SSL_delegated_credential_used(const SSL *ssl);
3195
3172
  //
3196
3173
  // QUIC acts as an underlying transport for the TLS 1.3 handshake. The following
3197
3174
  // functions allow a QUIC implementation to serve as the underlying transport as
3198
- // described in draft-ietf-quic-tls.
3175
+ // described in RFC 9001.
3199
3176
  //
3200
3177
  // When configured for QUIC, |SSL_do_handshake| will drive the handshake as
3201
3178
  // before, but it will not use the configured |BIO|. It will call functions on
@@ -3215,8 +3192,7 @@ OPENSSL_EXPORT int SSL_delegated_credential_used(const SSL *ssl);
3215
3192
  // confirm the handshake. As a client, |SSL_ERROR_EARLY_DATA_REJECTED| and
3216
3193
  // |SSL_reset_early_data_reject| behave as usual.
3217
3194
  //
3218
- // See https://tools.ietf.org/html/draft-ietf-quic-tls-15#section-4.1 for more
3219
- // details.
3195
+ // See https://www.rfc-editor.org/rfc/rfc9001.html#section-4.1 for more details.
3220
3196
  //
3221
3197
  // To avoid DoS attacks, the QUIC implementation must limit the amount of data
3222
3198
  // being queued up. The implementation can call
@@ -3227,7 +3203,8 @@ OPENSSL_EXPORT int SSL_delegated_credential_used(const SSL *ssl);
3227
3203
  // |SSL_set_quic_transport_params|. |SSL_get_peer_quic_transport_params| may be
3228
3204
  // used to query the value received from the peer. BoringSSL handles this
3229
3205
  // extension as an opaque byte string. The caller is responsible for serializing
3230
- // and parsing them. See draft-ietf-quic-transport (section 7.3) for details.
3206
+ // and parsing them. See https://www.rfc-editor.org/rfc/rfc9000#section-7.4 for
3207
+ // details.
3231
3208
  //
3232
3209
  // QUIC additionally imposes restrictions on 0-RTT. In particular, the QUIC
3233
3210
  // transport layer requires that if a server accepts 0-RTT data, then the
@@ -3339,7 +3316,7 @@ struct ssl_quic_method_st {
3339
3316
  // that may be received at the given encryption level. This function should be
3340
3317
  // used to limit buffering in the QUIC implementation.
3341
3318
  //
3342
- // See https://tools.ietf.org/html/draft-ietf-quic-transport-16#section-4.4.
3319
+ // See https://www.rfc-editor.org/rfc/rfc9000#section-7.5
3343
3320
  OPENSSL_EXPORT size_t SSL_quic_max_handshake_flight_len(
3344
3321
  const SSL *ssl, enum ssl_encryption_level_t level);
3345
3322
 
@@ -3402,8 +3379,8 @@ OPENSSL_EXPORT void SSL_get_peer_quic_transport_params(
3402
3379
 
3403
3380
  // SSL_set_quic_use_legacy_codepoint configures whether to use the legacy QUIC
3404
3381
  // extension codepoint 0xffa5 as opposed to the official value 57. Call with
3405
- // |use_legacy| set to 1 to use 0xffa5 and call with 0 to use 57. The default
3406
- // value for this is currently 1 but it will change to 0 at a later date.
3382
+ // |use_legacy| set to 1 to use 0xffa5 and call with 0 to use 57. By default,
3383
+ // the standard code point is used.
3407
3384
  OPENSSL_EXPORT void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy);
3408
3385
 
3409
3386
  // SSL_set_quic_early_data_context configures a context string in QUIC servers
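Review bot: The default for the QUIC transport-parameters extension code point flips in this release from the legacy 0xffa5 to the standard value 57 (the removed line 3406 said the default was 1), but the replacement comment at lines 3382–3383 records only the new default and not that it changed. A deployment whose peers still only recognise 0xffa5 will presumably no longer see the extension unless it now calls this function with |use_legacy| set to 1, so the comment should say so: `// Earlier releases defaulted to the legacy code point; callers that must interoperate with peers still using 0xffa5 must now explicitly pass 1.`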
@@ -3552,8 +3529,7 @@ enum ssl_early_data_reason_t BORINGSSL_ENUM_INT {
3552
3529
  ssl_early_data_alpn_mismatch = 9,
3553
3530
  // The connection negotiated Channel ID, which is incompatible with 0-RTT.
3554
3531
  ssl_early_data_channel_id = 10,
3555
- // The connection negotiated token binding, which is incompatible with 0-RTT.
3556
- ssl_early_data_token_binding = 11,
3532
+ // Value 11 is reserved. (It has historically |ssl_early_data_token_binding|.)
3557
3533
  // The client and server ticket age were too far apart.
3558
3534
  ssl_early_data_ticket_age_skew = 12,
3559
3535
  // QUIC parameters differ between this connection and the original.
@@ -3575,7 +3551,7 @@ OPENSSL_EXPORT const char *SSL_early_data_reason_string(
3575
3551
  enum ssl_early_data_reason_t reason);
3576
3552
 
3577
3553
 
3578
- // Encrypted Client Hello.
3554
+ // Encrypted ClientHello.
3579
3555
  //
3580
3556
  // ECH is a mechanism for encrypting the entire ClientHello message in TLS 1.3.
3581
3557
  // This can prevent observers from seeing cleartext information about the
@@ -3583,12 +3559,129 @@ OPENSSL_EXPORT const char *SSL_early_data_reason_string(
3583
3559
  //
3584
3560
  // ECH support in BoringSSL is still experimental and under development.
3585
3561
  //
3586
- // See https://tools.ietf.org/html/draft-ietf-tls-esni-09.
3562
+ // See https://tools.ietf.org/html/draft-ietf-tls-esni-10.
3587
3563
 
3588
- // SSL_set_enable_ech_grease configures whether the client may send ECH GREASE
3589
- // as part of this connection.
3564
+ // SSL_set_enable_ech_grease configures whether the client will send a GREASE
3565
+ // ECH extension when no supported ECHConfig is available.
3590
3566
  OPENSSL_EXPORT void SSL_set_enable_ech_grease(SSL *ssl, int enable);
3591
3567
 
3568
+ // SSL_set1_ech_config_list configures |ssl| to, as a client, offer ECH with the
3569
+ // specified configuration. |ech_config_list| should contain a serialized
3570
+ // ECHConfigList structure. It returns one on success and zero on error.
3571
+ //
3572
+ // This function returns an error if the input is malformed. If the input is
3573
+ // valid but none of the ECHConfigs implement supported parameters, it will
3574
+ // return success and proceed without ECH.
3575
+ //
3576
+ // WARNING: Client ECH support is still incomplete and does not yet implement
3577
+ // the recovery flow. It currently treats ECH rejection as a fatal error. Do not
3578
+ // use this API yet.
3579
+ //
3580
+ // TODO(https://crbug.com/boringssl/275): When the recovery flow is implemented,
3581
+ // fill in the remaining docs.
3582
+ OPENSSL_EXPORT int SSL_set1_ech_config_list(SSL *ssl,
3583
+ const uint8_t *ech_config_list,
3584
+ size_t ech_config_list_len);
3585
+
3586
+ // SSL_marshal_ech_config constructs a new serialized ECHConfig. On success, it
3587
+ // sets |*out| to a newly-allocated buffer containing the result and |*out_len|
3588
+ // to the size of the buffer. The caller must call |OPENSSL_free| on |*out| to
3589
+ // release the memory. On failure, it returns zero.
3590
+ //
3591
+ // The |config_id| field is a single byte identifer for the ECHConfig. Reusing
3592
+ // config IDs is allowed, but if multiple ECHConfigs with the same config ID are
3593
+ // active at a time, server load may increase. See
3594
+ // |SSL_ECH_KEYS_has_duplicate_config_id|.
3595
+ //
3596
+ // The public key and KEM algorithm are taken from |key|. |public_name| is the
3597
+ // DNS name used to authenticate the recovery flow. |max_name_len| should be the
3598
+ // length of the longest name in the ECHConfig's anonymity set and influences
3599
+ // client padding decisions.
3600
+ OPENSSL_EXPORT int SSL_marshal_ech_config(uint8_t **out, size_t *out_len,
3601
+ uint8_t config_id,
3602
+ const EVP_HPKE_KEY *key,
3603
+ const char *public_name,
3604
+ size_t max_name_len);
3605
+
3606
+ // SSL_ECH_KEYS_new returns a newly-allocated |SSL_ECH_KEYS| or NULL on error.
3607
+ OPENSSL_EXPORT SSL_ECH_KEYS *SSL_ECH_KEYS_new(void);
3608
+
3609
+ // SSL_ECH_KEYS_up_ref increments the reference count of |keys|.
3610
+ OPENSSL_EXPORT void SSL_ECH_KEYS_up_ref(SSL_ECH_KEYS *keys);
3611
+
3612
+ // SSL_ECH_KEYS_free releases memory associated with |keys|.
3613
+ OPENSSL_EXPORT void SSL_ECH_KEYS_free(SSL_ECH_KEYS *keys);
3614
+
3615
+ // SSL_ECH_KEYS_add decodes |ech_config| as an ECHConfig and appends it with
3616
+ // |key| to |keys|. If |is_retry_config| is non-zero, this config will be
3617
+ // returned to the client on configuration mismatch. It returns one on success
3618
+ // and zero on error.
3619
+ //
3620
+ // This function should be called successively to register each ECHConfig in
3621
+ // decreasing order of preference. This configuration must be completed before
3622
+ // setting |keys| on an |SSL_CTX| with |SSL_CTX_set1_ech_keys|. After that
3623
+ // point, |keys| is immutable; no more ECHConfig values may be added.
3624
+ //
3625
+ // See also |SSL_CTX_set1_ech_keys|.
3626
+ OPENSSL_EXPORT int SSL_ECH_KEYS_add(SSL_ECH_KEYS *keys, int is_retry_config,
3627
+ const uint8_t *ech_config,
3628
+ size_t ech_config_len,
3629
+ const EVP_HPKE_KEY *key);
3630
+
3631
+ // SSL_ECH_KEYS_has_duplicate_config_id returns one if |keys| has duplicate
3632
+ // config IDs or zero otherwise. Duplicate config IDs still work, but may
3633
+ // increase server load due to trial decryption.
3634
+ OPENSSL_EXPORT int SSL_ECH_KEYS_has_duplicate_config_id(
3635
+ const SSL_ECH_KEYS *keys);
3636
+
3637
+ // SSL_ECH_KEYS_marshal_retry_configs serializes the retry configs in |keys| as
3638
+ // an ECHConfigList. On success, it sets |*out| to a newly-allocated buffer
3639
+ // containing the result and |*out_len| to the size of the buffer. The caller
3640
+ // must call |OPENSSL_free| on |*out| to release the memory. On failure, it
3641
+ // returns zero.
3642
+ //
3643
+ // This output may be advertised to clients in DNS.
3644
+ OPENSSL_EXPORT int SSL_ECH_KEYS_marshal_retry_configs(const SSL_ECH_KEYS *keys,
3645
+ uint8_t **out,
3646
+ size_t *out_len);
3647
+
3648
+ // SSL_CTX_set1_ech_keys configures |ctx| to use |keys| to decrypt encrypted
3649
+ // ClientHellos. It returns one on success, and zero on failure. If |keys| does
3650
+ // not contain any retry configs, this function will fail. Retry configs are
3651
+ // marked as such when they are added to |keys| with |SSL_ECH_KEYS_add|.
3652
+ //
3653
+ // Once |keys| has been passed to this function, it is immutable. Unlike most
3654
+ // |SSL_CTX| configuration functions, this function may be called even if |ctx|
3655
+ // already has associated connections on multiple threads. This may be used to
3656
+ // rotate keys in a long-lived server process.
3657
+ //
3658
+ // The configured ECHConfig values should also be advertised out-of-band via DNS
3659
+ // (see draft-ietf-dnsop-svcb-https). Before advertising an ECHConfig in DNS,
3660
+ // deployments should ensure all instances of the service are configured with
3661
+ // the ECHConfig and corresponding private key.
3662
+ //
3663
+ // Only the most recent fully-deployed ECHConfigs should be advertised in DNS.
3664
+ // |keys| may contain a newer set if those ECHConfigs are mid-deployment. It
3665
+ // should also contain older sets, until the DNS change has rolled out and the
3666
+ // old records have expired from caches.
3667
+ //
3668
+ // If there is a mismatch, |SSL| objects associated with |ctx| will complete the
3669
+ // handshake using the cleartext ClientHello and send updated ECHConfig values
3670
+ // to the client. The client will then retry to recover, but with a latency
3671
+ // penalty. This recovery flow depends on the public name in the ECHConfig.
3672
+ // Before advertising an ECHConfig in DNS, deployments must ensure all instances
3673
+ // of the service can present a valid certificate for the public name.
3674
+ //
3675
+ // BoringSSL negotiates ECH before certificate selection callbacks are called,
3676
+ // including |SSL_CTX_set_select_certificate_cb|. If ECH is negotiated, the
3677
+ // reported |SSL_CLIENT_HELLO| structure and |SSL_get_servername| function will
3678
+ // transparently reflect the inner ClientHello. Callers should select parameters
3679
+ // based on these values to correctly handle ECH as well as the recovery flow.
3680
+ OPENSSL_EXPORT int SSL_CTX_set1_ech_keys(SSL_CTX *ctx, SSL_ECH_KEYS *keys);
3681
+
3682
+ // SSL_ech_accepted returns one if |ssl| negotiated ECH and zero otherwise.
3683
+ OPENSSL_EXPORT int SSL_ech_accepted(const SSL *ssl);
3684
+
3592
3685
 
3593
3686
  // Alerts.
3594
3687
  //
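Review bot: |SSL_ECH_KEYS_add| (lines 3615–3629) does not say whether |key| is copied into |keys| or only referenced, so a caller cannot tell if the |EVP_HPKE_KEY| may be freed after the call; |SSL_marshal_ech_config| (line 3602) has the same gap. I would add one sentence to each, e.g. `// |key| is copied; the caller retains ownership and may release it after this call.`, or the reference wording if that is what the implementation does — the header alone does not show which. Also `identifer` at line 3591 should be `identifier`, and it would help to state what happens when |config_id| or |max_name_len| (line 3598) does not fit the ECHConfig wire encoding: rejected with a zero return, or silently truncated.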
@@ -3643,6 +3736,7 @@ OPENSSL_EXPORT void SSL_set_enable_ech_grease(SSL *ssl, int enable);
3643
3736
  #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY
3644
3737
  #define SSL_AD_CERTIFICATE_REQUIRED TLS1_AD_CERTIFICATE_REQUIRED
3645
3738
  #define SSL_AD_NO_APPLICATION_PROTOCOL TLS1_AD_NO_APPLICATION_PROTOCOL
3739
+ #define SSL_AD_ECH_REQUIRED TLS1_AD_ECH_REQUIRED
3646
3740
 
3647
3741
  // SSL_alert_type_string_long returns a string description of |value| as an
3648
3742
  // alert type (warning or fatal).
@@ -3725,6 +3819,101 @@ OPENSSL_EXPORT uint64_t SSL_get_read_sequence(const SSL *ssl);
3725
3819
  OPENSSL_EXPORT uint64_t SSL_get_write_sequence(const SSL *ssl);
3726
3820
 
3727
3821
 
3822
+ // Handshake hints.
3823
+ //
3824
+ // *** EXPERIMENTAL — DO NOT USE WITHOUT CHECKING ***
3825
+ //
3826
+ // Some server deployments make asynchronous RPC calls in both ClientHello
3827
+ // dispatch and private key operations. In TLS handshakes where the private key
3828
+ // operation occurs in the first round-trip, this results in two consecutive RPC
3829
+ // round-trips. Handshake hints allow the RPC service to predicte a signature.
3830
+ // If correctly predicted, this can skip the second RPC call.
3831
+ //
3832
+ // First, the server installs a certificate selection callback (see
3833
+ // |SSL_CTX_set_select_certificate_cb|). When that is called, it performs the
3834
+ // RPC as before, but includes the ClientHello and a capabilities string from
3835
+ // |SSL_serialize_capabilities|.
3836
+ //
3837
+ // Next, the RPC service creates its own |SSL| object, applies the results of
3838
+ // certificate selection, calls |SSL_request_handshake_hints|, and runs the
3839
+ // handshake. If this successfully computes handshake hints (see
3840
+ // |SSL_serialize_handshake_hints|), the RPC server should send the hints
3841
+ // alongside any certificate selection results.
3842
+ //
3843
+ // Finally, the server calls |SSL_set_handshake_hints| and applies any
3844
+ // configuration from the RPC server. It then completes the handshake as before.
3845
+ // If the hints apply, BoringSSL will use the predicted signature and skip the
3846
+ // private key callbacks. Otherwise, BoringSSL will call private key callbacks
3847
+ // to generate a signature as before.
3848
+ //
3849
+ // Callers should synchronize configuration across the two services.
3850
+ // Configuration mismatches and some cases of version skew are not fatal, but
3851
+ // may result in the hints not applying. Additionally, some handshake flows use
3852
+ // the private key in later round-trips, such as TLS 1.3 HelloRetryRequest. In
3853
+ // those cases, BoringSSL will not predict a signature as there is no benefit.
3854
+ // Callers must allow for handshakes to complete without a predicted signature.
3855
+ //
3856
+ // For now, only TLS 1.3 is hinted. TLS 1.2 will work, but the hints will be
3857
+ // empty.
3858
+
3859
+ // SSL_serialize_capabilities writes an opaque byte string to |out| describing
3860
+ // some of |ssl|'s capabilities. It returns one on success and zero on error.
3861
+ //
3862
+ // This string is used by BoringSSL internally to reduce the impact of version
3863
+ // skew.
3864
+ OPENSSL_EXPORT int SSL_serialize_capabilities(const SSL *ssl, CBB *out);
3865
+
3866
+ // SSL_request_handshake_hints configures |ssl| to generate a handshake hint for
3867
+ // |client_hello|. It returns one on success and zero on error. |client_hello|
3868
+ // should contain a serialized ClientHello structure, from the |client_hello|
3869
+ // and |client_hello_len| fields of the |SSL_CLIENT_HELLO| structure.
3870
+ // |capabilities| should contain the output of |SSL_serialize_capabilities|.
3871
+ //
3872
+ // When configured, |ssl| will perform no I/O (so there is no need to configure
3873
+ // |BIO|s). For QUIC, the caller should still configure an |SSL_QUIC_METHOD|,
3874
+ // but the callbacks themselves will never be called and may be left NULL or
3875
+ // report failure. |SSL_provide_quic_data| also should not be called.
3876
+ //
3877
+ // If hint generation is successful, |SSL_do_handshake| will stop the handshake
3878
+ // early with |SSL_get_error| returning |SSL_ERROR_HANDSHAKE_HINTS_READY|. At
3879
+ // this point, the caller should run |SSL_serialize_handshake_hints| to extract
3880
+ // the resulting hints.
3881
+ //
3882
+ // Hint generation may fail if, e.g., |ssl| was unable to process the
3883
+ // ClientHello. Callers should then complete the certificate selection RPC and
3884
+ // continue the original handshake with no hint. It will likely fail, but this
3885
+ // reports the correct alert to the client and is more robust in case of
3886
+ // mismatch.
3887
+ OPENSSL_EXPORT int SSL_request_handshake_hints(SSL *ssl,
3888
+ const uint8_t *client_hello,
3889
+ size_t client_hello_len,
3890
+ const uint8_t *capabilities,
3891
+ size_t capabilities_len);
3892
+
3893
+ // SSL_serialize_handshake_hints writes an opaque byte string to |out|
3894
+ // containing the handshake hints computed by |out|. It returns one on success
3895
+ // and zero on error. This function should only be called if
3896
+ // |SSL_request_handshake_hints| was configured and the handshake terminated
3897
+ // with |SSL_ERROR_HANDSHAKE_HINTS_READY|.
3898
+ //
3899
+ // This string may be passed to |SSL_set_handshake_hints| on another |SSL| to
3900
+ // avoid an extra signature call.
3901
+ OPENSSL_EXPORT int SSL_serialize_handshake_hints(const SSL *ssl, CBB *out);
3902
+
3903
+ // SSL_set_handshake_hints configures |ssl| to use |hints| as handshake hints.
3904
+ // It returns one on success and zero on error. The handshake will then continue
3905
+ // as before, but apply predicted values from |hints| where applicable.
3906
+ //
3907
+ // Hints may contain connection and session secrets, so they must not leak and
3908
+ // must come from a source trusted to terminate the connection. However, they
3909
+ // will not change |ssl|'s configuration. The caller is responsible for
3910
+ // serializing and applying options from the RPC server as needed. This ensures
3911
+ // |ssl|'s behavior is self-consistent and consistent with the caller's local
3912
+ // decisions.
3913
+ OPENSSL_EXPORT int SSL_set_handshake_hints(SSL *ssl, const uint8_t *hints,
3914
+ size_t hints_len);
3915
+
3916
+
3728
3917
  // Obscure functions.
3729
3918
 
3730
3919
  // SSL_CTX_set_msg_callback installs |cb| as the message callback for |ctx|.
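Review bot: The comment on |SSL_serialize_handshake_hints| at line 3894 says the hints were "computed by |out|", but |out| is the output buffer; it should read `// containing the handshake hints computed by |ssl|.` There is also a typo at line 3829, `predicte` → `predict`. Separately, the warning on |SSL_set_handshake_hints| (lines 3907–3908) is the right one but stops short of saying what the consuming side validates: whether a hint that does not match the live handshake is detected and ignored or used as-is determines how much an integrator must trust the RPC channel, and from this header I can only see that mismatches "may result in the hints not applying" (line 3851).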
@@ -4109,9 +4298,17 @@ OPENSSL_EXPORT void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx,
4109
4298
  int enable);
4110
4299
 
4111
4300
  // SSL_CTX_set_grease_enabled configures whether sockets on |ctx| should enable
4112
- // GREASE. See draft-davidben-tls-grease-01.
4301
+ // GREASE. See RFC 8701.
4113
4302
  OPENSSL_EXPORT void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled);
4114
4303
 
4304
+ // SSL_CTX_set_permute_extensions configures whether sockets on |ctx| should
4305
+ // permute extensions. For now, this is only implemented for the ClientHello.
4306
+ OPENSSL_EXPORT void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled);
4307
+
4308
+ // SSL_set_permute_extensions configures whether sockets on |ssl| should
4309
+ // permute extensions. For now, this is only implemented for the ClientHello.
4310
+ OPENSSL_EXPORT void SSL_set_permute_extensions(SSL *ssl, int enabled);
4311
+
4115
4312
  // SSL_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
4116
4313
  // record with |ssl|.
4117
4314
  OPENSSL_EXPORT size_t SSL_max_seal_overhead(const SSL *ssl);
@@ -4798,18 +4995,6 @@ OPENSSL_EXPORT int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
4798
4995
  // name and remove this one.
4799
4996
  OPENSSL_EXPORT uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *cipher);
4800
4997
 
4801
- // SSL_CTX_set_ignore_tls13_downgrade does nothing.
4802
- OPENSSL_EXPORT void SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX *ctx,
4803
- int ignore);
4804
-
4805
- // SSL_set_ignore_tls13_downgrade does nothing.
4806
- OPENSSL_EXPORT void SSL_set_ignore_tls13_downgrade(SSL *ssl, int ignore);
4807
-
4808
- // SSL_is_tls13_downgrade returns zero. Historically, this function returned
4809
- // whether the TLS 1.3 downgrade signal would have been enforced if not
4810
- // disabled. The TLS 1.3 downgrade signal is now always enforced.
4811
- OPENSSL_EXPORT int SSL_is_tls13_downgrade(const SSL *ssl);
4812
-
4813
4998
 
4814
4999
  // Nodejs compatibility section (hidden).
4815
5000
  //
@@ -4972,6 +5157,8 @@ BSSL_NAMESPACE_BEGIN
4972
5157
  BORINGSSL_MAKE_DELETER(SSL, SSL_free)
4973
5158
  BORINGSSL_MAKE_DELETER(SSL_CTX, SSL_CTX_free)
4974
5159
  BORINGSSL_MAKE_UP_REF(SSL_CTX, SSL_CTX_up_ref)
5160
+ BORINGSSL_MAKE_DELETER(SSL_ECH_KEYS, SSL_ECH_KEYS_free)
5161
+ BORINGSSL_MAKE_UP_REF(SSL_ECH_KEYS, SSL_ECH_KEYS_up_ref)
4975
5162
  BORINGSSL_MAKE_DELETER(SSL_SESSION, SSL_SESSION_free)
4976
5163
  BORINGSSL_MAKE_UP_REF(SSL_SESSION, SSL_SESSION_up_ref)
4977
5164
 
@@ -5088,6 +5275,7 @@ OPENSSL_EXPORT bool SSL_get_traffic_secrets(
5088
5275
  const SSL *ssl, Span<const uint8_t> *out_read_traffic_secret,
5089
5276
  Span<const uint8_t> *out_write_traffic_secret);
5090
5277
 
5278
+
5091
5279
  BSSL_NAMESPACE_END
5092
5280
 
5093
5281
  } // extern C++
@@ -5305,6 +5493,15 @@ BSSL_NAMESPACE_END
5305
5493
  #define SSL_R_NO_APPLICATION_PROTOCOL 307
5306
5494
  #define SSL_R_NEGOTIATED_ALPS_WITHOUT_ALPN 308
5307
5495
  #define SSL_R_ALPS_MISMATCH_ON_EARLY_DATA 309
5496
+ #define SSL_R_ECH_SERVER_CONFIG_AND_PRIVATE_KEY_MISMATCH 310
5497
+ #define SSL_R_ECH_SERVER_CONFIG_UNSUPPORTED_EXTENSION 311
5498
+ #define SSL_R_UNSUPPORTED_ECH_SERVER_CONFIG 312
5499
+ #define SSL_R_ECH_SERVER_WOULD_HAVE_NO_RETRY_CONFIGS 313
5500
+ #define SSL_R_INVALID_CLIENT_HELLO_INNER 314
5501
+ #define SSL_R_INVALID_ALPN_PROTOCOL_LIST 315
5502
+ #define SSL_R_COULD_NOT_PARSE_HINTS 316
5503
+ #define SSL_R_INVALID_ECH_PUBLIC_NAME 317
5504
+ #define SSL_R_INVALID_ECH_CONFIG_LIST 318
5308
5505
  #define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
5309
5506
  #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
5310
5507
  #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
@@ -5338,5 +5535,6 @@ BSSL_NAMESPACE_END
5338
5535
  #define SSL_R_TLSV1_ALERT_UNKNOWN_PSK_IDENTITY 1115
5339
5536
  #define SSL_R_TLSV1_ALERT_CERTIFICATE_REQUIRED 1116
5340
5537
  #define SSL_R_TLSV1_ALERT_NO_APPLICATION_PROTOCOL 1120
5538
+ #define SSL_R_TLSV1_ALERT_ECH_REQUIRED 1121
5341
5539
 
5342
5540
  #endif // OPENSSL_HEADER_SSL_H