grpc 1.38.0 → 1.40.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of grpc might be problematic. Click here for more details.

Files changed (340) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +68 -21
  3. data/include/grpc/event_engine/endpoint_config.h +48 -0
  4. data/include/grpc/event_engine/event_engine.h +23 -29
  5. data/include/grpc/event_engine/port.h +2 -0
  6. data/include/grpc/event_engine/slice_allocator.h +21 -36
  7. data/include/grpc/grpc.h +9 -2
  8. data/include/grpc/grpc_security.h +32 -0
  9. data/include/grpc/grpc_security_constants.h +1 -0
  10. data/include/grpc/impl/codegen/grpc_types.h +33 -19
  11. data/include/grpc/impl/codegen/port_platform.h +41 -0
  12. data/src/core/ext/filters/client_channel/client_channel.cc +415 -249
  13. data/src/core/ext/filters/client_channel/client_channel.h +42 -18
  14. data/src/core/ext/filters/client_channel/config_selector.h +19 -6
  15. data/src/core/ext/filters/client_channel/health/health_check_client.cc +2 -0
  16. data/src/core/ext/filters/client_channel/health/health_check_client.h +3 -3
  17. data/src/core/ext/filters/client_channel/http_proxy.cc +16 -1
  18. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +7 -8
  19. data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +12 -21
  20. data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +3 -5
  21. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +734 -0
  22. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +10 -0
  23. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +8 -15
  24. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +3 -6
  25. data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +18 -36
  26. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +14 -22
  27. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +2 -9
  28. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +68 -103
  29. data/src/core/ext/filters/client_channel/lb_policy.cc +1 -15
  30. data/src/core/ext/filters/client_channel/lb_policy.h +70 -46
  31. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +1 -3
  32. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_event_engine.cc +31 -0
  33. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_event_engine.cc +28 -0
  34. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +1 -3
  35. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +7 -2
  36. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +116 -76
  37. data/src/core/ext/filters/client_channel/retry_filter.cc +967 -544
  38. data/src/core/ext/filters/client_channel/retry_service_config.cc +57 -28
  39. data/src/core/ext/filters/client_channel/retry_service_config.h +9 -3
  40. data/src/core/ext/filters/client_channel/service_config_call_data.h +45 -5
  41. data/src/core/ext/filters/client_idle/client_idle_filter.cc +1 -1
  42. data/src/core/ext/filters/http/client/http_client_filter.cc +5 -2
  43. data/src/core/ext/transport/chttp2/client/insecure/channel_create_posix.cc +2 -1
  44. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +5 -1
  45. data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +3 -2
  46. data/src/core/ext/transport/chttp2/transport/bin_decoder.cc +1 -1
  47. data/src/core/{lib/event_engine/slice_allocator.cc → ext/transport/chttp2/transport/chttp2_slice_allocator.cc} +23 -16
  48. data/src/core/ext/transport/chttp2/transport/chttp2_slice_allocator.h +74 -0
  49. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +12 -10
  50. data/src/core/ext/transport/chttp2/transport/flow_control.h +1 -1
  51. data/src/core/ext/transport/chttp2/transport/frame_data.cc +4 -4
  52. data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +8 -8
  53. data/src/core/ext/transport/chttp2/transport/frame_settings.cc +5 -5
  54. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +639 -752
  55. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +190 -69
  56. data/src/core/ext/transport/chttp2/transport/internal.h +2 -1
  57. data/src/core/ext/transport/chttp2/transport/parsing.cc +72 -56
  58. data/src/core/ext/transport/chttp2/transport/varint.cc +6 -4
  59. data/src/core/ext/transport/inproc/inproc_transport.cc +42 -31
  60. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +56 -35
  61. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +180 -76
  62. data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +35 -27
  63. data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +97 -48
  64. data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +45 -9
  65. data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +67 -7
  66. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +66 -9
  67. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +227 -0
  68. data/src/core/ext/upb-generated/envoy/config/core/v3/resolver.upb.c +46 -0
  69. data/src/core/ext/upb-generated/envoy/config/core/v3/resolver.upb.h +121 -0
  70. data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +1 -0
  71. data/src/core/ext/upb-generated/envoy/config/core/v3/udp_socket_config.upb.c +35 -0
  72. data/src/core/ext/upb-generated/envoy/config/core/v3/udp_socket_config.upb.h +90 -0
  73. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +32 -24
  74. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -73
  75. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +4 -2
  76. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +15 -0
  77. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +48 -0
  78. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +171 -0
  79. data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.c +8 -6
  80. data/src/core/ext/upb-generated/envoy/config/listener/v3/udp_listener_config.upb.h +27 -19
  81. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +1 -0
  82. data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.c +24 -7
  83. data/src/core/ext/upb-generated/envoy/config/route/v3/route.upb.h +57 -0
  84. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +29 -17
  85. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +72 -0
  86. data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c +3 -2
  87. data/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h +4 -0
  88. data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c +6 -5
  89. data/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h +15 -11
  90. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +85 -43
  91. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +274 -91
  92. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +11 -8
  93. data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +30 -13
  94. data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.c +33 -5
  95. data/src/core/ext/upb-generated/envoy/service/status/v3/csds.upb.h +115 -0
  96. data/src/core/ext/upb-generated/envoy/type/http/v3/path_transformation.upb.c +60 -0
  97. data/src/core/ext/upb-generated/envoy/type/http/v3/path_transformation.upb.h +181 -0
  98. data/src/core/ext/upb-generated/envoy/type/matcher/v3/regex.upb.c +1 -0
  99. data/src/core/ext/upb-generated/validate/validate.upb.c +82 -66
  100. data/src/core/ext/upb-generated/validate/validate.upb.h +220 -124
  101. data/src/core/ext/upbdefs-generated/envoy/annotations/deprecation.upbdefs.c +15 -7
  102. data/src/core/ext/upbdefs-generated/envoy/config/accesslog/v3/accesslog.upbdefs.c +53 -52
  103. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +318 -277
  104. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.h +5 -0
  105. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +437 -410
  106. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +198 -170
  107. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +10 -0
  108. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/config_source.upbdefs.c +9 -8
  109. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +219 -163
  110. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.h +15 -0
  111. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/resolver.upbdefs.c +59 -0
  112. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/resolver.upbdefs.h +40 -0
  113. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/substitution_format_string.upbdefs.c +29 -25
  114. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/udp_socket_config.upbdefs.c +52 -0
  115. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/udp_socket_config.upbdefs.h +35 -0
  116. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +135 -125
  117. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +5 -0
  118. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener_components.upbdefs.c +131 -123
  119. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +90 -0
  120. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.h +35 -0
  121. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c +32 -24
  122. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c +69 -55
  123. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h +5 -0
  124. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +684 -664
  125. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h +5 -0
  126. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c +13 -10
  127. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c +13 -10
  128. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +441 -375
  129. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.h +10 -0
  130. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/common.upbdefs.c +122 -114
  131. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +1 -1
  132. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +112 -79
  133. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.h +5 -0
  134. data/src/core/ext/upbdefs-generated/envoy/type/http/v3/path_transformation.upbdefs.c +64 -0
  135. data/src/core/ext/upbdefs-generated/envoy/type/http/v3/path_transformation.upbdefs.h +50 -0
  136. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/regex.upbdefs.c +35 -32
  137. data/src/core/ext/upbdefs-generated/google/rpc/status.upbdefs.c +4 -4
  138. data/src/core/ext/upbdefs-generated/validate/validate.upbdefs.c +182 -160
  139. data/src/core/ext/xds/certificate_provider_store.h +1 -1
  140. data/src/core/ext/xds/xds_api.cc +582 -257
  141. data/src/core/ext/xds/xds_api.h +46 -8
  142. data/src/core/ext/xds/xds_bootstrap.cc +4 -1
  143. data/src/core/ext/xds/xds_client.cc +66 -43
  144. data/src/core/ext/xds/xds_client.h +0 -4
  145. data/src/core/ext/xds/xds_http_filters.cc +3 -2
  146. data/src/core/ext/xds/xds_http_filters.h +3 -0
  147. data/src/core/lib/address_utils/sockaddr_utils.cc +13 -0
  148. data/src/core/lib/address_utils/sockaddr_utils.h +10 -0
  149. data/src/core/lib/channel/call_tracer.h +85 -0
  150. data/src/core/lib/channel/channel_stack.h +1 -1
  151. data/src/core/lib/channel/channelz.h +3 -0
  152. data/src/core/lib/channel/context.h +3 -0
  153. data/src/core/lib/channel/status_util.h +4 -0
  154. data/src/core/lib/compression/stream_compression.h +1 -1
  155. data/src/core/lib/compression/stream_compression_gzip.h +1 -1
  156. data/src/core/lib/compression/stream_compression_identity.h +1 -1
  157. data/src/core/lib/debug/stats.h +1 -1
  158. data/src/core/lib/event_engine/endpoint_config.cc +46 -0
  159. data/src/core/lib/event_engine/endpoint_config_internal.h +42 -0
  160. data/src/core/lib/event_engine/event_engine.cc +50 -0
  161. data/src/core/lib/event_engine/sockaddr.cc +14 -12
  162. data/src/core/lib/event_engine/sockaddr.h +44 -0
  163. data/src/core/lib/gpr/murmur_hash.cc +4 -2
  164. data/src/core/lib/gpr/wrap_memcpy.cc +2 -1
  165. data/src/core/lib/gprpp/manual_constructor.h +1 -1
  166. data/src/core/lib/gprpp/orphanable.h +3 -3
  167. data/src/core/lib/gprpp/status_helper.h +3 -0
  168. data/src/core/lib/gprpp/sync.h +2 -30
  169. data/src/core/lib/iomgr/buffer_list.cc +1 -1
  170. data/src/core/lib/iomgr/endpoint_pair_event_engine.cc +33 -0
  171. data/src/core/lib/iomgr/error.cc +5 -4
  172. data/src/core/lib/iomgr/error.h +1 -1
  173. data/src/core/lib/iomgr/ev_apple.h +1 -1
  174. data/src/core/lib/iomgr/event_engine/closure.cc +54 -0
  175. data/src/core/lib/iomgr/event_engine/closure.h +33 -0
  176. data/src/core/lib/iomgr/event_engine/endpoint.cc +192 -0
  177. data/src/core/lib/iomgr/event_engine/endpoint.h +53 -0
  178. data/src/core/lib/iomgr/event_engine/iomgr.cc +105 -0
  179. data/src/core/lib/iomgr/event_engine/iomgr.h +24 -0
  180. data/src/core/lib/iomgr/event_engine/pollset.cc +87 -0
  181. data/{include/grpc/event_engine/channel_args.h → src/core/lib/iomgr/event_engine/pollset.h} +7 -10
  182. data/src/core/lib/iomgr/event_engine/promise.h +51 -0
  183. data/src/core/lib/iomgr/event_engine/resolved_address_internal.cc +41 -0
  184. data/src/core/lib/iomgr/event_engine/resolved_address_internal.h +35 -0
  185. data/src/core/lib/iomgr/event_engine/resolver.cc +110 -0
  186. data/src/core/lib/iomgr/event_engine/tcp.cc +263 -0
  187. data/src/core/lib/iomgr/event_engine/timer.cc +57 -0
  188. data/src/core/lib/iomgr/exec_ctx.cc +8 -0
  189. data/src/core/lib/iomgr/exec_ctx.h +3 -4
  190. data/src/core/lib/iomgr/executor/threadpool.cc +2 -3
  191. data/src/core/lib/iomgr/executor/threadpool.h +2 -2
  192. data/src/core/lib/iomgr/iomgr.cc +1 -1
  193. data/src/core/lib/iomgr/iomgr_posix.cc +2 -0
  194. data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +40 -10
  195. data/src/core/lib/iomgr/pollset_custom.cc +2 -2
  196. data/src/core/lib/iomgr/pollset_custom.h +3 -1
  197. data/src/core/lib/iomgr/pollset_uv.cc +3 -1
  198. data/src/core/lib/iomgr/pollset_uv.h +5 -1
  199. data/src/core/lib/iomgr/port.h +7 -5
  200. data/src/core/lib/iomgr/python_util.h +1 -1
  201. data/src/core/lib/iomgr/resolve_address.cc +5 -1
  202. data/src/core/lib/iomgr/resolve_address.h +6 -0
  203. data/src/core/lib/iomgr/resource_quota.cc +2 -0
  204. data/src/core/lib/iomgr/sockaddr.h +1 -0
  205. data/src/core/lib/iomgr/socket_mutator.cc +15 -2
  206. data/src/core/lib/iomgr/socket_mutator.h +26 -2
  207. data/src/core/lib/iomgr/socket_utils_common_posix.cc +4 -4
  208. data/src/core/lib/iomgr/socket_utils_posix.h +2 -2
  209. data/src/core/lib/iomgr/tcp_client_posix.cc +7 -2
  210. data/src/core/lib/iomgr/tcp_client_windows.cc +2 -0
  211. data/src/core/lib/iomgr/tcp_posix.cc +42 -39
  212. data/src/core/lib/iomgr/tcp_posix.h +8 -0
  213. data/src/core/lib/iomgr/tcp_server_custom.cc +3 -4
  214. data/src/core/lib/iomgr/tcp_server_posix.cc +7 -0
  215. data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +2 -1
  216. data/src/core/lib/iomgr/timer.h +6 -1
  217. data/src/core/lib/iomgr/timer_manager.cc +1 -1
  218. data/src/core/lib/json/json_reader.cc +1 -2
  219. data/src/core/lib/matchers/matchers.cc +8 -20
  220. data/src/core/lib/matchers/matchers.h +2 -1
  221. data/src/core/lib/security/authorization/authorization_engine.h +44 -0
  222. data/src/core/lib/security/authorization/authorization_policy_provider.h +32 -0
  223. data/src/core/lib/security/authorization/authorization_policy_provider_vtable.cc +46 -0
  224. data/src/core/lib/security/authorization/evaluate_args.cc +209 -0
  225. data/src/core/lib/security/authorization/evaluate_args.h +91 -0
  226. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +3 -1
  227. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +49 -0
  228. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +7 -0
  229. data/src/core/lib/security/credentials/tls/tls_utils.cc +32 -0
  230. data/src/core/lib/security/credentials/tls/tls_utils.h +13 -0
  231. data/src/core/lib/security/security_connector/local/local_security_connector.cc +9 -6
  232. data/src/core/lib/security/security_connector/ssl_utils.cc +5 -0
  233. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +6 -18
  234. data/src/core/lib/security/transport/security_handshaker.cc +12 -4
  235. data/src/core/lib/security/transport/server_auth_filter.cc +0 -7
  236. data/src/core/lib/slice/slice.cc +12 -2
  237. data/src/core/lib/slice/slice_internal.h +1 -0
  238. data/src/core/lib/surface/call.cc +26 -7
  239. data/src/core/lib/surface/call.h +11 -0
  240. data/src/core/lib/surface/completion_queue.cc +22 -22
  241. data/src/core/lib/surface/completion_queue.h +1 -1
  242. data/src/core/lib/surface/completion_queue_factory.cc +1 -2
  243. data/src/core/lib/surface/init.cc +1 -3
  244. data/src/core/lib/surface/init.h +10 -1
  245. data/src/core/lib/surface/server.cc +3 -1
  246. data/src/core/lib/surface/server.h +3 -3
  247. data/src/core/lib/surface/version.cc +2 -4
  248. data/src/core/lib/transport/error_utils.cc +2 -2
  249. data/src/core/lib/transport/metadata_batch.cc +13 -2
  250. data/src/core/lib/transport/metadata_batch.h +7 -0
  251. data/src/core/lib/transport/transport.h +2 -0
  252. data/src/core/lib/transport/transport_op_string.cc +1 -1
  253. data/src/core/plugin_registry/grpc_plugin_registry.cc +4 -0
  254. data/src/core/tsi/alts/crypt/gsec.h +2 -0
  255. data/src/ruby/ext/grpc/extconf.rb +2 -0
  256. data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +6 -0
  257. data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +10 -1
  258. data/src/ruby/lib/grpc/version.rb +1 -1
  259. data/third_party/boringssl-with-bazel/err_data.c +269 -263
  260. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +8 -6
  261. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +4 -0
  262. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +1 -1
  263. data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +1 -1
  264. data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +9 -0
  265. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +0 -4
  266. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +7 -0
  267. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/md32_common.h +87 -121
  268. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +20 -30
  269. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md5/md5.c +19 -30
  270. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +1 -4
  271. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +0 -13
  272. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +26 -24
  273. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +10 -7
  274. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +28 -39
  275. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +48 -66
  276. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +4 -5
  277. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +362 -371
  278. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +4 -2
  279. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +2 -2
  280. data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_asn1.c +1 -2
  281. data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +101 -11
  282. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +3 -0
  283. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +2 -2
  284. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +3 -0
  285. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +1 -1
  286. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +2 -0
  287. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +14 -15
  288. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +53 -73
  289. data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +31 -0
  290. data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +3 -0
  291. data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +3 -0
  292. data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +5 -8
  293. data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +5 -0
  294. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +3 -0
  295. data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +7 -0
  296. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +1 -1
  297. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +5 -8
  298. data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +1 -1
  299. data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +66 -1
  300. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +40 -9
  301. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +1 -0
  302. data/third_party/boringssl-with-bazel/src/include/openssl/chacha.h +1 -1
  303. data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +6 -2
  304. data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +14 -0
  305. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +19 -11
  306. data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +325 -0
  307. data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +23 -7
  308. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +99 -63
  309. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +139 -109
  310. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +12 -19
  311. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +48 -50
  312. data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +451 -435
  313. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +0 -1
  314. data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +2 -2
  315. data/third_party/boringssl-with-bazel/src/ssl/d1_srtp.cc +1 -1
  316. data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +773 -84
  317. data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +80 -47
  318. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +24 -19
  319. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +189 -86
  320. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +45 -56
  321. data/third_party/boringssl-with-bazel/src/ssl/internal.h +272 -167
  322. data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +2 -2
  323. data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
  324. data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +14 -19
  325. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +34 -102
  326. data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +2 -0
  327. data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +8 -31
  328. data/third_party/boringssl-with-bazel/src/ssl/ssl_stat.cc +3 -0
  329. data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +4 -3
  330. data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +7 -3
  331. data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc +576 -648
  332. data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +31 -3
  333. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +98 -39
  334. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +141 -94
  335. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +58 -68
  336. data/third_party/xxhash/xxhash.h +77 -195
  337. metadata +81 -39
  338. data/src/core/lib/gpr/arena.h +0 -47
  339. data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +0 -267
  340. data/third_party/boringssl-with-bazel/src/crypto/x509/vpm_int.h +0 -71
@@ -534,9 +534,37 @@ bool tls13_add_certificate(SSL_HANDSHAKE *hs) {
534
534
  SSL3_MT_COMPRESSED_CERTIFICATE) ||
535
535
  !CBB_add_u16(body, hs->cert_compression_alg_id) ||
536
536
  !CBB_add_u24(body, msg.size()) ||
537
- !CBB_add_u24_length_prefixed(body, &compressed) ||
538
- !alg->compress(ssl, &compressed, msg.data(), msg.size()) ||
539
- !ssl_add_message_cbb(ssl, cbb.get())) {
537
+ !CBB_add_u24_length_prefixed(body, &compressed)) {
538
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
539
+ return false;
540
+ }
541
+
542
+ SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
543
+ if (hints && !hs->hints_requested &&
544
+ hints->cert_compression_alg_id == hs->cert_compression_alg_id &&
545
+ hints->cert_compression_input == MakeConstSpan(msg) &&
546
+ !hints->cert_compression_output.empty()) {
547
+ if (!CBB_add_bytes(&compressed, hints->cert_compression_output.data(),
548
+ hints->cert_compression_output.size())) {
549
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
550
+ return false;
551
+ }
552
+ } else {
553
+ if (!alg->compress(ssl, &compressed, msg.data(), msg.size())) {
554
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
555
+ return false;
556
+ }
557
+ if (hints && hs->hints_requested) {
558
+ hints->cert_compression_alg_id = hs->cert_compression_alg_id;
559
+ if (!hints->cert_compression_input.CopyFrom(msg) ||
560
+ !hints->cert_compression_output.CopyFrom(
561
+ MakeConstSpan(CBB_data(&compressed), CBB_len(&compressed)))) {
562
+ return false;
563
+ }
564
+ }
565
+ }
566
+
567
+ if (!ssl_add_message_cbb(ssl, cbb.get())) {
540
568
  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
541
569
  return false;
542
570
  }
@@ -156,12 +156,6 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
156
156
 
157
157
  hs->new_cipher = cipher;
158
158
 
159
- if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
160
- !hs->transcript.UpdateForHelloRetryRequest()) {
161
- return ssl_hs_error;
162
- }
163
-
164
-
165
159
  bool have_cookie, have_key_share, have_supported_versions;
166
160
  CBS cookie, key_share, supported_versions;
167
161
  SSL_EXTENSION_TYPE ext_types[] = {
@@ -222,14 +216,29 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
222
216
  return ssl_hs_error;
223
217
  }
224
218
 
225
- hs->key_shares[0].reset();
226
- hs->key_shares[1].reset();
227
- hs->retry_group = group_id;
219
+ if (!ssl_setup_key_shares(hs, group_id)) {
220
+ return ssl_hs_error;
221
+ }
228
222
  }
229
223
 
230
- if (!ssl_hash_message(hs, msg)) {
224
+ // We do not know whether ECH was chosen until ServerHello and must
225
+ // concurrently update both transcripts.
226
+ //
227
+ // TODO(https://crbug.com/boringssl/275): A later draft will likely add an ECH
228
+ // signal to HRR and change this.
229
+ if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
230
+ !hs->transcript.UpdateForHelloRetryRequest() ||
231
+ !ssl_hash_message(hs, msg)) {
231
232
  return ssl_hs_error;
232
233
  }
234
+ if (hs->selected_ech_config) {
235
+ if (!hs->inner_transcript.InitHash(ssl_protocol_version(ssl),
236
+ hs->new_cipher) ||
237
+ !hs->inner_transcript.UpdateForHelloRetryRequest() ||
238
+ !hs->inner_transcript.Update(msg.raw)) {
239
+ return ssl_hs_error;
240
+ }
241
+ }
233
242
 
234
243
  // HelloRetryRequest should be the end of the flight.
235
244
  if (ssl->method->has_unprocessed_handshake_data(ssl)) {
@@ -256,10 +265,17 @@ static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
256
265
  // Any 0-RTT keys must have been discarded.
257
266
  assert(hs->ssl->s3->write_level == ssl_encryption_initial);
258
267
 
259
- if (!ssl_write_client_hello(hs)) {
268
+ // Build the second ClientHelloInner, if applicable. The second ClientHello
269
+ // uses an empty string for |enc|.
270
+ if (hs->selected_ech_config && !ssl_encrypt_client_hello(hs, {})) {
271
+ return ssl_hs_error;
272
+ }
273
+
274
+ if (!ssl_add_client_hello(hs)) {
260
275
  return ssl_hs_error;
261
276
  }
262
277
 
278
+ ssl_done_writing_client_hello(hs);
263
279
  hs->tls13_state = state_read_server_hello;
264
280
  return ssl_hs_flush;
265
281
  }
@@ -388,6 +404,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
388
404
  }
389
405
 
390
406
  ssl->s3->session_reused = true;
407
+ hs->can_release_private_key = true;
391
408
  // Only authentication information carries over in TLS 1.3.
392
409
  hs->new_session =
393
410
  SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_DUP_AUTH_ONLY);
@@ -400,7 +417,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
400
417
  // Resumption incorporates fresh key material, so refresh the timeout.
401
418
  ssl_session_renew_timeout(ssl, hs->new_session.get(),
402
419
  ssl->session_ctx->session_psk_dhe_timeout);
403
- } else if (!ssl_get_new_session(hs, 0)) {
420
+ } else if (!ssl_get_new_session(hs)) {
404
421
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
405
422
  return ssl_hs_error;
406
423
  }
@@ -412,13 +429,11 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
412
429
  EVP_MD_size(ssl_get_handshake_digest(ssl_protocol_version(ssl), cipher));
413
430
 
414
431
  // Set up the key schedule and incorporate the PSK into the running secret.
415
- if (ssl->s3->session_reused) {
416
- if (!tls13_init_key_schedule(
417
- hs, MakeConstSpan(hs->new_session->secret,
418
- hs->new_session->secret_length))) {
419
- return ssl_hs_error;
420
- }
421
- } else if (!tls13_init_key_schedule(hs, MakeConstSpan(kZeroes, hash_len))) {
432
+ if (!tls13_init_key_schedule(
433
+ hs, ssl->s3->session_reused
434
+ ? MakeConstSpan(hs->new_session->secret,
435
+ hs->new_session->secret_length)
436
+ : MakeConstSpan(kZeroes, hash_len))) {
422
437
  return ssl_hs_error;
423
438
  }
424
439
 
@@ -438,8 +453,54 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
438
453
  return ssl_hs_error;
439
454
  }
440
455
 
441
- if (!tls13_advance_key_schedule(hs, dhe_secret) ||
442
- !ssl_hash_message(hs, msg) ||
456
+ if (!tls13_advance_key_schedule(hs, dhe_secret)) {
457
+ return ssl_hs_error;
458
+ }
459
+
460
+ // Determine whether the server accepted ECH.
461
+ //
462
+ // TODO(https://crbug.com/boringssl/275): This is a bit late in the process of
463
+ // parsing ServerHello. |ssl->session| is only valid for ClientHelloInner, so
464
+ // the decisions made based on PSK need to be double-checked. draft-11 will
465
+ // fix this, at which point this logic can be moved before any processing.
466
+ if (hs->selected_ech_config) {
467
+ uint8_t ech_confirmation[ECH_CONFIRMATION_SIGNAL_LEN];
468
+ if (!hs->inner_transcript.InitHash(ssl_protocol_version(ssl),
469
+ hs->new_cipher) ||
470
+ !ssl_ech_accept_confirmation(hs, ech_confirmation, hs->inner_transcript,
471
+ msg.raw)) {
472
+ return ssl_hs_error;
473
+ }
474
+
475
+ if (CRYPTO_memcmp(ech_confirmation,
476
+ ssl->s3->server_random + sizeof(ssl->s3->server_random) -
477
+ sizeof(ech_confirmation),
478
+ sizeof(ech_confirmation)) == 0) {
479
+ ssl->s3->ech_accept = true;
480
+ hs->transcript = std::move(hs->inner_transcript);
481
+ hs->extensions.sent = hs->inner_extensions_sent;
482
+ // Report the inner random value through |SSL_get_client_random|.
483
+ OPENSSL_memcpy(ssl->s3->client_random, hs->inner_client_random,
484
+ SSL3_RANDOM_SIZE);
485
+ } else {
486
+ // Resuming against the ClientHelloOuter was an unsolicited extension.
487
+ if (have_pre_shared_key) {
488
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
489
+ ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
490
+ return ssl_hs_error;
491
+ }
492
+
493
+ // TODO(https://crbug.com/boringssl/275): If the server declines ECH, we
494
+ // handshake with ClientHelloOuter instead of ClientHelloInner. That path
495
+ // is not yet implemented. For now, terminate the handshake with a
496
+ // distiguisable error for testing.
497
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
498
+ return ssl_hs_error;
499
+ }
500
+ }
501
+
502
+
503
+ if (!ssl_hash_message(hs, msg) ||
443
504
  !tls13_derive_handshake_secrets(hs)) {
444
505
  return ssl_hs_error;
445
506
  }
@@ -489,6 +550,13 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
489
550
  }
490
551
 
491
552
  if (ssl->s3->early_data_accepted) {
553
+ // The extension parser checks the server resumed the session.
554
+ assert(ssl->s3->session_reused);
555
+ // If offering ECH, the server may not accept early data with
556
+ // ClientHelloOuter. We do not offer sessions with ClientHelloOuter, so this
557
+ // this should be implied by checking |session_reused|.
558
+ assert(hs->selected_ech_config == nullptr || ssl->s3->ech_accept);
559
+
492
560
  if (hs->early_session->cipher != hs->new_session->cipher) {
493
561
  OPENSSL_PUT_ERROR(SSL, SSL_R_CIPHER_MISMATCH_ON_EARLY_DATA);
494
562
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
@@ -500,9 +568,9 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
500
568
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
501
569
  return ssl_hs_error;
502
570
  }
503
- // Channel ID and Token Binding are incompatible with 0-RTT. The ALPS
504
- // extension should be negotiated implicitly.
505
- if (ssl->s3->channel_id_valid || ssl->s3->token_binding_negotiated ||
571
+ // Channel ID is incompatible with 0-RTT. The ALPS extension should be
572
+ // negotiated implicitly.
573
+ if (hs->channel_id_negotiated ||
506
574
  hs->new_session->has_application_settings) {
507
575
  OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);
508
576
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
@@ -712,8 +780,7 @@ static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
712
780
  SSL *const ssl = hs->ssl;
713
781
 
714
782
  if (ssl->s3->early_data_accepted) {
715
- // QUIC omits the EndOfEarlyData message. See draft-ietf-quic-tls-22,
716
- // section 8.3.
783
+ // QUIC omits the EndOfEarlyData message. See RFC 9001, section 8.3.
717
784
  if (ssl->quic_method == nullptr) {
718
785
  ScopedCBB cbb;
719
786
  CBB body;
@@ -817,18 +884,10 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
817
884
 
818
885
  static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
819
886
  SSL *const ssl = hs->ssl;
887
+ hs->can_release_private_key = true;
820
888
 
821
889
  // Send a Channel ID assertion if necessary.
822
- if (ssl->s3->channel_id_valid) {
823
- if (!ssl_do_channel_id_callback(hs)) {
824
- hs->tls13_state = state_complete_second_flight;
825
- return ssl_hs_error;
826
- }
827
-
828
- if (hs->config->channel_id_private == NULL) {
829
- return ssl_hs_channel_id_lookup;
830
- }
831
-
890
+ if (hs->channel_id_negotiated) {
832
891
  ScopedCBB cbb;
833
892
  CBB body;
834
893
  if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||
@@ -1042,7 +1101,7 @@ UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl, CBS *body) {
1042
1101
  }
1043
1102
 
1044
1103
  // QUIC does not use the max_early_data_size parameter and always sets it to
1045
- // a fixed value. See draft-ietf-quic-tls-22, section 4.5.
1104
+ // a fixed value. See RFC 9001, section 4.6.1.
1046
1105
  if (ssl->quic_method != nullptr &&
1047
1106
  session->ticket_max_early_data != 0xffffffff) {
1048
1107
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
@@ -1051,8 +1110,8 @@ UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl, CBS *body) {
1051
1110
  }
1052
1111
  }
1053
1112
 
1054
- // Generate a session ID for this session. Some callers expect all sessions to
1055
- // have a session ID.
1113
+ // Historically, OpenSSL filled in fake session IDs for ticket-based sessions.
1114
+ // Envoy's tests depend on this, although perhaps they shouldn't.
1056
1115
  SHA256(CBS_data(&ticket), CBS_len(&ticket), session->session_id);
1057
1116
  session->session_id_length = SHA256_DIGEST_LENGTH;
1058
1117
 
@@ -33,24 +33,25 @@
33
33
 
34
34
  BSSL_NAMESPACE_BEGIN
35
35
 
36
- static bool init_key_schedule(SSL_HANDSHAKE *hs, uint16_t version,
37
- const SSL_CIPHER *cipher) {
38
- if (!hs->transcript.InitHash(version, cipher)) {
36
+ static bool init_key_schedule(SSL_HANDSHAKE *hs, SSLTranscript *transcript,
37
+ uint16_t version, const SSL_CIPHER *cipher) {
38
+ if (!transcript->InitHash(version, cipher)) {
39
39
  return false;
40
40
  }
41
41
 
42
42
  // Initialize the secret to the zero key.
43
- hs->ResizeSecrets(hs->transcript.DigestLen());
43
+ hs->ResizeSecrets(transcript->DigestLen());
44
44
  OPENSSL_memset(hs->secret().data(), 0, hs->secret().size());
45
45
 
46
46
  return true;
47
47
  }
48
48
 
49
- static bool hkdf_extract_to_secret(SSL_HANDSHAKE *hs, Span<const uint8_t> in) {
49
+ static bool hkdf_extract_to_secret(SSL_HANDSHAKE *hs,
50
+ const SSLTranscript &transcript,
51
+ Span<const uint8_t> in) {
50
52
  size_t len;
51
- if (!HKDF_extract(hs->secret().data(), &len, hs->transcript.Digest(),
52
- in.data(), in.size(), hs->secret().data(),
53
- hs->secret().size())) {
53
+ if (!HKDF_extract(hs->secret().data(), &len, transcript.Digest(), in.data(),
54
+ in.size(), hs->secret().data(), hs->secret().size())) {
54
55
  return false;
55
56
  }
56
57
  assert(len == hs->secret().size());
@@ -58,7 +59,8 @@ static bool hkdf_extract_to_secret(SSL_HANDSHAKE *hs, Span<const uint8_t> in) {
58
59
  }
59
60
 
60
61
  bool tls13_init_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> psk) {
61
- if (!init_key_schedule(hs, ssl_protocol_version(hs->ssl), hs->new_cipher)) {
62
+ if (!init_key_schedule(hs, &hs->transcript, ssl_protocol_version(hs->ssl),
63
+ hs->new_cipher)) {
62
64
  return false;
63
65
  }
64
66
 
@@ -67,14 +69,22 @@ bool tls13_init_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> psk) {
67
69
  if (!hs->handback) {
68
70
  hs->transcript.FreeBuffer();
69
71
  }
70
- return hkdf_extract_to_secret(hs, psk);
72
+ return hkdf_extract_to_secret(hs, hs->transcript, psk);
71
73
  }
72
74
 
73
- bool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> psk) {
74
- SSL *const ssl = hs->ssl;
75
- return init_key_schedule(hs, ssl_session_protocol_version(ssl->session.get()),
76
- ssl->session->cipher) &&
77
- hkdf_extract_to_secret(hs, psk);
75
+ bool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs,
76
+ const SSL_SESSION *session) {
77
+ assert(!hs->ssl->server);
78
+ // When offering ECH, early data is associated with ClientHelloInner, not
79
+ // ClientHelloOuter.
80
+ SSLTranscript *transcript =
81
+ hs->selected_ech_config ? &hs->inner_transcript : &hs->transcript;
82
+ return init_key_schedule(hs, transcript,
83
+ ssl_session_protocol_version(session),
84
+ session->cipher) &&
85
+ hkdf_extract_to_secret(
86
+ hs, *transcript,
87
+ MakeConstSpan(session->secret, session->secret_length));
78
88
  }
79
89
 
80
90
  static Span<const char> label_to_span(const char *label) {
@@ -118,25 +128,31 @@ bool tls13_advance_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> in) {
118
128
  hkdf_expand_label(hs->secret(), hs->transcript.Digest(), hs->secret(),
119
129
  label_to_span(kTLS13LabelDerived),
120
130
  MakeConstSpan(derive_context, derive_context_len)) &&
121
- hkdf_extract_to_secret(hs, in);
131
+ hkdf_extract_to_secret(hs, hs->transcript, in);
122
132
  }
123
133
 
124
- // derive_secret derives a secret of length |out.size()| and writes the result
125
- // in |out| with the given label, the current base secret, and the most
126
- // recently-saved handshake context. It returns true on success and false on
127
- // error.
128
- static bool derive_secret(SSL_HANDSHAKE *hs, Span<uint8_t> out,
129
- Span<const char> label) {
134
+ // derive_secret_with_transcript derives a secret of length |out.size()| and
135
+ // writes the result in |out| with the given label, the current base secret, and
136
+ // the state of |transcript|. It returns true on success and false on error.
137
+ static bool derive_secret_with_transcript(const SSL_HANDSHAKE *hs,
138
+ Span<uint8_t> out,
139
+ const SSLTranscript &transcript,
140
+ Span<const char> label) {
130
141
  uint8_t context_hash[EVP_MAX_MD_SIZE];
131
142
  size_t context_hash_len;
132
- if (!hs->transcript.GetHash(context_hash, &context_hash_len)) {
143
+ if (!transcript.GetHash(context_hash, &context_hash_len)) {
133
144
  return false;
134
145
  }
135
146
 
136
- return hkdf_expand_label(out, hs->transcript.Digest(), hs->secret(), label,
147
+ return hkdf_expand_label(out, transcript.Digest(), hs->secret(), label,
137
148
  MakeConstSpan(context_hash, context_hash_len));
138
149
  }
139
150
 
151
+ static bool derive_secret(SSL_HANDSHAKE *hs, Span<uint8_t> out,
152
+ Span<const char> label) {
153
+ return derive_secret_with_transcript(hs, out, hs->transcript, label);
154
+ }
155
+
140
156
  bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,
141
157
  enum evp_aead_direction_t direction,
142
158
  const SSL_SESSION *session,
@@ -228,8 +244,14 @@ static const char kTLS13LabelServerApplicationTraffic[] = "s ap traffic";
228
244
 
229
245
  bool tls13_derive_early_secret(SSL_HANDSHAKE *hs) {
230
246
  SSL *const ssl = hs->ssl;
231
- if (!derive_secret(hs, hs->early_traffic_secret(),
232
- label_to_span(kTLS13LabelClientEarlyTraffic)) ||
247
+ // When offering ECH on the client, early data is associated with
248
+ // ClientHelloInner, not ClientHelloOuter.
249
+ const SSLTranscript &transcript = (!ssl->server && hs->selected_ech_config)
250
+ ? hs->inner_transcript
251
+ : hs->transcript;
252
+ if (!derive_secret_with_transcript(
253
+ hs, hs->early_traffic_secret(), transcript,
254
+ label_to_span(kTLS13LabelClientEarlyTraffic)) ||
233
255
  !ssl_log_secret(ssl, "CLIENT_EARLY_TRAFFIC_SECRET",
234
256
  hs->early_traffic_secret())) {
235
257
  return false;
@@ -395,74 +417,73 @@ bool tls13_export_keying_material(SSL *ssl, Span<uint8_t> out,
395
417
 
396
418
  static const char kTLS13LabelPSKBinder[] = "res binder";
397
419
 
398
- static bool tls13_psk_binder(uint8_t *out, size_t *out_len, uint16_t version,
399
- const EVP_MD *digest, Span<const uint8_t> psk,
400
- Span<const uint8_t> context) {
420
+ static bool tls13_psk_binder(uint8_t *out, size_t *out_len,
421
+ const SSL_SESSION *session,
422
+ const SSLTranscript &transcript,
423
+ Span<const uint8_t> client_hello,
424
+ size_t binders_len) {
425
+ const EVP_MD *digest = ssl_session_get_digest(session);
426
+
427
+ // Compute the binder key.
428
+ //
429
+ // TODO(davidben): Ideally we wouldn't recompute early secret and the binder
430
+ // key each time.
401
431
  uint8_t binder_context[EVP_MAX_MD_SIZE];
402
432
  unsigned binder_context_len;
403
- if (!EVP_Digest(NULL, 0, binder_context, &binder_context_len, digest, NULL)) {
404
- return false;
405
- }
406
-
407
433
  uint8_t early_secret[EVP_MAX_MD_SIZE] = {0};
408
434
  size_t early_secret_len;
409
- if (!HKDF_extract(early_secret, &early_secret_len, digest, psk.data(),
410
- psk.size(), NULL, 0)) {
411
- return false;
412
- }
413
-
414
435
  uint8_t binder_key_buf[EVP_MAX_MD_SIZE] = {0};
415
436
  auto binder_key = MakeSpan(binder_key_buf, EVP_MD_size(digest));
416
- if (!hkdf_expand_label(binder_key, digest,
437
+ if (!EVP_Digest(nullptr, 0, binder_context, &binder_context_len, digest,
438
+ nullptr) ||
439
+ !HKDF_extract(early_secret, &early_secret_len, digest, session->secret,
440
+ session->secret_length, nullptr, 0) ||
441
+ !hkdf_expand_label(binder_key, digest,
417
442
  MakeConstSpan(early_secret, early_secret_len),
418
443
  label_to_span(kTLS13LabelPSKBinder),
419
- MakeConstSpan(binder_context, binder_context_len)) ||
420
- !tls13_verify_data(out, out_len, digest, version, binder_key, context)) {
444
+ MakeConstSpan(binder_context, binder_context_len))) {
421
445
  return false;
422
446
  }
423
447
 
424
- assert(*out_len == EVP_MD_size(digest));
425
- return true;
426
- }
427
-
428
- static bool hash_transcript_and_truncated_client_hello(
429
- SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, const EVP_MD *digest,
430
- Span<const uint8_t> client_hello, size_t binders_len) {
431
- // Truncate the ClientHello.
432
- if (binders_len + 2 < binders_len || client_hello.size() < binders_len + 2) {
448
+ // Hash the transcript and truncated ClientHello.
449
+ if (client_hello.size() < binders_len) {
450
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
433
451
  return false;
434
452
  }
435
- client_hello = client_hello.subspan(0, client_hello.size() - binders_len - 2);
436
-
453
+ auto truncated = client_hello.subspan(0, client_hello.size() - binders_len);
454
+ uint8_t context[EVP_MAX_MD_SIZE];
455
+ unsigned context_len;
437
456
  ScopedEVP_MD_CTX ctx;
438
- unsigned len;
439
- if (!hs->transcript.CopyToHashContext(ctx.get(), digest) ||
440
- !EVP_DigestUpdate(ctx.get(), client_hello.data(), client_hello.size()) ||
441
- !EVP_DigestFinal_ex(ctx.get(), out, &len)) {
457
+ if (!transcript.CopyToHashContext(ctx.get(), digest) ||
458
+ !EVP_DigestUpdate(ctx.get(), truncated.data(),
459
+ truncated.size()) ||
460
+ !EVP_DigestFinal_ex(ctx.get(), context, &context_len)) {
442
461
  return false;
443
462
  }
444
463
 
445
- *out_len = len;
464
+ if (!tls13_verify_data(out, out_len, digest, session->ssl_version, binder_key,
465
+ MakeConstSpan(context, context_len))) {
466
+ return false;
467
+ }
468
+
469
+ assert(*out_len == EVP_MD_size(digest));
446
470
  return true;
447
471
  }
448
472
 
449
- bool tls13_write_psk_binder(SSL_HANDSHAKE *hs, Span<uint8_t> msg) {
450
- SSL *const ssl = hs->ssl;
473
+ bool tls13_write_psk_binder(const SSL_HANDSHAKE *hs,
474
+ const SSLTranscript &transcript, Span<uint8_t> msg,
475
+ size_t *out_binder_len) {
476
+ const SSL *const ssl = hs->ssl;
451
477
  const EVP_MD *digest = ssl_session_get_digest(ssl->session.get());
452
- size_t hash_len = EVP_MD_size(digest);
453
-
454
- ScopedEVP_MD_CTX ctx;
455
- uint8_t context[EVP_MAX_MD_SIZE];
456
- size_t context_len;
478
+ const size_t hash_len = EVP_MD_size(digest);
479
+ // We only offer one PSK, so the binders are a u16 and u8 length
480
+ // prefix, followed by the binder. The caller is assumed to have constructed
481
+ // |msg| with placeholder binders.
482
+ const size_t binders_len = 3 + hash_len;
457
483
  uint8_t verify_data[EVP_MAX_MD_SIZE];
458
484
  size_t verify_data_len;
459
- if (!hash_transcript_and_truncated_client_hello(
460
- hs, context, &context_len, digest, msg,
461
- 1 /* length prefix */ + hash_len) ||
462
- !tls13_psk_binder(
463
- verify_data, &verify_data_len, ssl->session->ssl_version, digest,
464
- MakeConstSpan(ssl->session->secret, ssl->session->secret_length),
465
- MakeConstSpan(context, context_len)) ||
485
+ if (!tls13_psk_binder(verify_data, &verify_data_len, ssl->session.get(),
486
+ transcript, msg, binders_len) ||
466
487
  verify_data_len != hash_len) {
467
488
  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
468
489
  return false;
@@ -470,23 +491,23 @@ bool tls13_write_psk_binder(SSL_HANDSHAKE *hs, Span<uint8_t> msg) {
470
491
 
471
492
  OPENSSL_memcpy(msg.data() + msg.size() - verify_data_len, verify_data,
472
493
  verify_data_len);
494
+ if (out_binder_len != nullptr) {
495
+ *out_binder_len = verify_data_len;
496
+ }
473
497
  return true;
474
498
  }
475
499
 
476
- bool tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
477
- const SSLMessage &msg, CBS *binders) {
478
- uint8_t context[EVP_MAX_MD_SIZE];
479
- size_t context_len;
500
+ bool tls13_verify_psk_binder(const SSL_HANDSHAKE *hs,
501
+ const SSL_SESSION *session, const SSLMessage &msg,
502
+ CBS *binders) {
480
503
  uint8_t verify_data[EVP_MAX_MD_SIZE];
481
504
  size_t verify_data_len;
482
505
  CBS binder;
483
- if (!hash_transcript_and_truncated_client_hello(hs, context, &context_len,
484
- hs->transcript.Digest(),
485
- msg.raw, CBS_len(binders)) ||
486
- !tls13_psk_binder(verify_data, &verify_data_len, hs->ssl->version,
487
- hs->transcript.Digest(),
488
- MakeConstSpan(session->secret, session->secret_length),
489
- MakeConstSpan(context, context_len)) ||
506
+ // The binders are computed over |msg| with |binders| and its u16 length
507
+ // prefix removed. The caller is assumed to have parsed |msg|, extracted
508
+ // |binders|, and verified the PSK extension is last.
509
+ if (!tls13_psk_binder(verify_data, &verify_data_len, session, hs->transcript,
510
+ msg.raw, 2 + CBS_len(binders)) ||
490
511
  // We only consider the first PSK, so compare against the first binder.
491
512
  !CBS_get_u8_length_prefixed(binders, &binder)) {
492
513
  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -507,35 +528,61 @@ bool tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
507
528
  return true;
508
529
  }
509
530
 
510
- bool tls13_ech_accept_confirmation(
511
- SSL_HANDSHAKE *hs, bssl::Span<uint8_t> out,
512
- bssl::Span<const uint8_t> server_hello_ech_conf) {
513
- // Compute the hash of the transcript concatenated with
514
- // |server_hello_ech_conf| without modifying |hs->transcript|.
531
+ size_t ssl_ech_confirmation_signal_hello_offset(const SSL *ssl) {
532
+ static_assert(ECH_CONFIRMATION_SIGNAL_LEN < SSL3_RANDOM_SIZE,
533
+ "the confirmation signal is a suffix of the random");
534
+ const size_t header_len =
535
+ SSL_is_dtls(ssl) ? DTLS1_HM_HEADER_LENGTH : SSL3_HM_HEADER_LENGTH;
536
+ return header_len + 2 /* version */ + SSL3_RANDOM_SIZE -
537
+ ECH_CONFIRMATION_SIGNAL_LEN;
538
+ }
539
+
540
+ bool ssl_ech_accept_confirmation(
541
+ const SSL_HANDSHAKE *hs, bssl::Span<uint8_t> out,
542
+ const SSLTranscript &transcript,
543
+ bssl::Span<const uint8_t> server_hello) {
544
+ // We hash |server_hello|, with the last |ECH_CONFIRMATION_SIGNAL_LEN| bytes
545
+ // of the random value zeroed.
546
+ static const uint8_t kZeroes[ECH_CONFIRMATION_SIGNAL_LEN] = {0};
547
+ const size_t offset = ssl_ech_confirmation_signal_hello_offset(hs->ssl);
548
+ if (server_hello.size() < offset + ECH_CONFIRMATION_SIGNAL_LEN) {
549
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
550
+ return false;
551
+ }
552
+
553
+ auto before_zeroes = server_hello.subspan(0, offset);
554
+ auto after_zeroes =
555
+ server_hello.subspan(offset + ECH_CONFIRMATION_SIGNAL_LEN);
515
556
  uint8_t context_hash[EVP_MAX_MD_SIZE];
516
557
  unsigned context_hash_len;
517
558
  ScopedEVP_MD_CTX ctx;
518
- if (!hs->transcript.CopyToHashContext(ctx.get(), hs->transcript.Digest()) ||
519
- !EVP_DigestUpdate(ctx.get(), server_hello_ech_conf.data(),
520
- server_hello_ech_conf.size()) ||
559
+ if (!transcript.CopyToHashContext(ctx.get(), transcript.Digest()) ||
560
+ !EVP_DigestUpdate(ctx.get(), before_zeroes.data(),
561
+ before_zeroes.size()) ||
562
+ !EVP_DigestUpdate(ctx.get(), kZeroes, sizeof(kZeroes)) ||
563
+ !EVP_DigestUpdate(ctx.get(), after_zeroes.data(), after_zeroes.size()) ||
521
564
  !EVP_DigestFinal_ex(ctx.get(), context_hash, &context_hash_len)) {
522
565
  return false;
523
566
  }
524
567
 
525
- // Per draft-ietf-tls-esni-09, accept_confirmation is computed with
568
+ // Per draft-ietf-tls-esni-10, accept_confirmation is computed with
526
569
  // Derive-Secret, which derives a secret of size Hash.length. That value is
527
570
  // then truncated to the first 8 bytes. Note this differs from deriving an
528
571
  // 8-byte secret because the target length is included in the derivation.
572
+ //
573
+ // TODO(https://crbug.com/boringssl/275): draft-11 will avoid this.
529
574
  uint8_t accept_confirmation_buf[EVP_MAX_MD_SIZE];
530
575
  bssl::Span<uint8_t> accept_confirmation =
531
- MakeSpan(accept_confirmation_buf, hs->transcript.DigestLen());
532
- if (!hkdf_expand_label(accept_confirmation, hs->transcript.Digest(),
576
+ MakeSpan(accept_confirmation_buf, transcript.DigestLen());
577
+ if (!hkdf_expand_label(accept_confirmation, transcript.Digest(),
533
578
  hs->secret(), label_to_span("ech accept confirmation"),
534
579
  MakeConstSpan(context_hash, context_hash_len))) {
535
580
  return false;
536
581
  }
537
582
 
538
- if (out.size() > accept_confirmation.size()) {
583
+ static_assert(ECH_CONFIRMATION_SIGNAL_LEN < EVP_MAX_MD_SIZE,
584
+ "ECH confirmation signal too big");
585
+ if (out.size() != ECH_CONFIRMATION_SIGNAL_LEN) {
539
586
  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
540
587
  return false;
541
588
  }