RubyGems - grpc - Versions diffs - 1.4.5 → 1.6.0.pre1 - Mend

grpc 1.4.5 → 1.6.0.pre1

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (928) hide show

checksums.yaml +4 -4
data/Makefile +1235 -1100
data/etc/roots.pem +0 -412
data/include/grpc/byte_buffer.h +10 -25
data/include/grpc/byte_buffer_reader.h +10 -25
data/include/grpc/census.h +10 -25
data/include/grpc/compression.h +10 -25
data/include/grpc/grpc.h +15 -26
data/include/grpc/grpc_cronet.h +10 -25
data/include/grpc/grpc_posix.h +10 -25
data/include/grpc/grpc_security.h +10 -25
data/include/grpc/grpc_security_constants.h +10 -25
data/include/grpc/impl/codegen/atm.h +11 -25
data/include/grpc/impl/codegen/atm_gcc_atomic.h +10 -25
data/include/grpc/impl/codegen/atm_gcc_sync.h +10 -25
data/include/grpc/impl/codegen/atm_windows.h +10 -25
data/include/grpc/impl/codegen/byte_buffer_reader.h +11 -26
data/include/grpc/impl/codegen/compression_types.h +12 -27
data/include/grpc/impl/codegen/connectivity_state.h +10 -25
data/include/grpc/impl/codegen/exec_ctx_fwd.h +10 -25
data/include/grpc/impl/codegen/gpr_slice.h +10 -25
data/include/grpc/impl/codegen/gpr_types.h +10 -25
data/include/grpc/impl/codegen/grpc_types.h +42 -43
data/include/grpc/impl/codegen/port_platform.h +10 -25
data/include/grpc/impl/codegen/propagation_bits.h +10 -25
data/include/grpc/impl/codegen/slice.h +13 -28
data/include/grpc/impl/codegen/status.h +10 -25
data/include/grpc/impl/codegen/sync.h +10 -25
data/include/grpc/impl/codegen/sync_generic.h +10 -25
data/include/grpc/impl/codegen/sync_posix.h +10 -25
data/include/grpc/impl/codegen/sync_windows.h +10 -25
data/include/grpc/load_reporting.h +10 -25
data/include/grpc/slice.h +10 -25
data/include/grpc/slice_buffer.h +10 -25
data/include/grpc/status.h +10 -25
data/include/grpc/support/alloc.h +10 -25
data/include/grpc/support/atm.h +10 -25
data/include/grpc/support/atm_gcc_atomic.h +10 -25
data/include/grpc/support/atm_gcc_sync.h +10 -25
data/include/grpc/support/atm_windows.h +10 -25
data/include/grpc/support/avl.h +46 -49
data/include/grpc/support/cmdline.h +10 -25
data/include/grpc/support/cpu.h +10 -25
data/include/grpc/support/histogram.h +10 -25
data/include/grpc/support/host_port.h +10 -25
data/include/grpc/support/log.h +10 -25
data/include/grpc/support/log_windows.h +10 -25
data/include/grpc/support/port_platform.h +10 -25
data/include/grpc/support/string_util.h +10 -25
data/include/grpc/support/subprocess.h +10 -25
data/include/grpc/support/sync.h +10 -25
data/include/grpc/support/sync_generic.h +10 -25
data/include/grpc/support/sync_posix.h +10 -25
data/include/grpc/support/sync_windows.h +10 -25
data/include/grpc/support/thd.h +10 -25
data/include/grpc/support/time.h +10 -25
data/include/grpc/support/tls.h +10 -25
data/include/grpc/support/tls_gcc.h +10 -25
data/include/grpc/support/tls_msvc.h +10 -25
data/include/grpc/support/tls_pthread.h +10 -25
data/include/grpc/support/useful.h +10 -25
data/include/grpc/support/workaround_list.h +11 -26
data/src/boringssl/err_data.c +277 -259
data/src/core/ext/census/aggregation.h +10 -25
data/src/core/ext/census/base_resources.c +10 -25
data/src/core/ext/census/base_resources.h +10 -25
data/src/core/ext/census/census_interface.h +10 -25
data/src/core/ext/census/census_rpc_stats.h +10 -25
data/src/core/ext/census/context.c +10 -25
data/src/core/ext/census/gen/census.pb.c +10 -25
data/src/core/ext/census/gen/census.pb.h +10 -25
data/src/core/ext/census/gen/trace_context.pb.c +10 -25
data/src/core/ext/census/gen/trace_context.pb.h +10 -25
data/src/core/ext/census/grpc_context.c +10 -25
data/src/core/ext/census/grpc_filter.c +11 -26
data/src/core/ext/census/grpc_filter.h +10 -25
data/src/core/ext/census/grpc_plugin.c +10 -25
data/src/core/ext/census/initialize.c +10 -25
data/src/core/ext/census/intrusive_hash_map.c +10 -25
data/src/core/ext/census/intrusive_hash_map.h +10 -25
data/src/core/ext/census/intrusive_hash_map_internal.h +10 -25
data/src/core/ext/census/mlog.c +10 -25
data/src/core/ext/census/mlog.h +10 -25
data/src/core/ext/census/operation.c +10 -25
data/src/core/ext/census/placeholders.c +10 -25
data/src/core/ext/census/resource.c +10 -25
data/src/core/ext/census/resource.h +10 -25
data/src/core/ext/census/rpc_metric_id.h +10 -25
data/src/core/ext/census/trace_context.c +10 -25
data/src/core/ext/census/trace_context.h +10 -25
data/src/core/ext/census/trace_label.h +10 -25
data/src/core/ext/census/trace_propagation.h +10 -25
data/src/core/ext/census/trace_status.h +10 -25
data/src/core/ext/census/trace_string.h +10 -25
data/src/core/ext/census/tracing.c +10 -26
data/src/core/ext/census/tracing.h +10 -25
data/src/core/ext/filters/client_channel/channel_connectivity.c +20 -33
data/src/core/ext/filters/client_channel/client_channel.c +617 -520
data/src/core/ext/filters/client_channel/client_channel.h +15 -28
data/src/core/ext/filters/client_channel/client_channel_factory.c +13 -31
data/src/core/ext/filters/client_channel/client_channel_factory.h +10 -25
data/src/core/ext/filters/client_channel/client_channel_plugin.c +16 -29
data/src/core/ext/filters/client_channel/connector.c +10 -25
data/src/core/ext/filters/client_channel/connector.h +10 -25
data/src/core/ext/filters/client_channel/http_connect_handshaker.c +15 -30
data/src/core/ext/filters/client_channel/http_connect_handshaker.h +10 -25
data/src/core/ext/filters/client_channel/http_proxy.c +112 -38
data/src/core/ext/filters/client_channel/http_proxy.h +10 -25
data/src/core/ext/filters/client_channel/lb_policy.c +32 -36
data/src/core/ext/filters/client_channel/lb_policy.h +24 -27
data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.c +14 -30
data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.h +10 -25
data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.c +464 -279
data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h +10 -25
data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel.h +15 -28
data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_channel_secure.c +40 -48
data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.c +65 -49
data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.h +31 -31
data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.c +47 -32
data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.h +11 -26
data/src/core/ext/filters/client_channel/lb_policy/grpclb/proto/grpc/lb/v1/load_balancer.pb.c +13 -9
data/src/core/ext/filters/client_channel/lb_policy/grpclb/proto/grpc/lb/v1/load_balancer.pb.h +27 -21
data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.c +373 -136
data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.c +504 -279
data/src/core/ext/filters/client_channel/lb_policy_factory.c +12 -31
data/src/core/ext/filters/client_channel/lb_policy_factory.h +12 -27
data/src/core/ext/filters/client_channel/lb_policy_registry.c +10 -25
data/src/core/ext/filters/client_channel/lb_policy_registry.h +10 -25
data/src/core/ext/filters/client_channel/parse_address.c +10 -25
data/src/core/ext/filters/client_channel/parse_address.h +10 -25
data/src/core/ext/filters/client_channel/proxy_mapper.c +10 -25
data/src/core/ext/filters/client_channel/proxy_mapper.h +10 -25
data/src/core/ext/filters/client_channel/proxy_mapper_registry.c +10 -25
data/src/core/ext/filters/client_channel/proxy_mapper_registry.h +10 -25
data/src/core/ext/filters/client_channel/resolver.c +33 -38
data/src/core/ext/filters/client_channel/resolver.h +19 -30
data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.c +153 -50
data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +14 -27
data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.c +33 -30
data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.c +326 -116
data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +35 -36
data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.c +60 -0
data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.c +19 -34
data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.c +254 -0
data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h +60 -0
data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.c +16 -28
data/src/core/ext/filters/client_channel/resolver_factory.c +10 -25
data/src/core/ext/filters/client_channel/resolver_factory.h +10 -25
data/src/core/ext/filters/client_channel/resolver_registry.c +10 -25
data/src/core/ext/filters/client_channel/resolver_registry.h +10 -25
data/src/core/ext/filters/client_channel/retry_throttle.c +23 -34
data/src/core/ext/filters/client_channel/retry_throttle.h +10 -25
data/src/core/ext/filters/client_channel/subchannel.c +33 -55
data/src/core/ext/filters/client_channel/subchannel.h +16 -26
data/src/core/ext/filters/client_channel/subchannel_index.c +55 -92
data/src/core/ext/filters/client_channel/subchannel_index.h +26 -29
data/src/core/ext/filters/client_channel/uri_parser.c +10 -25
data/src/core/ext/filters/client_channel/uri_parser.h +10 -25
data/src/core/ext/filters/deadline/deadline_filter.c +30 -45
data/src/core/ext/filters/deadline/deadline_filter.h +10 -25
data/src/core/ext/filters/http/client/http_client_filter.c +255 -294
data/src/core/ext/filters/http/client/http_client_filter.h +10 -25
data/src/core/ext/filters/http/http_filters_plugin.c +11 -26
data/src/core/ext/filters/http/message_compress/message_compress_filter.c +133 -105
data/src/core/ext/filters/http/message_compress/message_compress_filter.h +10 -25
data/src/core/ext/filters/http/server/http_server_filter.c +17 -32
data/src/core/ext/filters/http/server/http_server_filter.h +10 -25
data/src/core/ext/filters/load_reporting/load_reporting.c +11 -30
data/src/core/ext/filters/load_reporting/load_reporting.h +10 -25
data/src/core/ext/filters/load_reporting/load_reporting_filter.c +11 -26
data/src/core/ext/filters/load_reporting/load_reporting_filter.h +10 -25
data/src/core/ext/filters/max_age/max_age_filter.c +28 -43
data/src/core/ext/filters/max_age/max_age_filter.h +10 -25
data/src/core/ext/filters/message_size/message_size_filter.c +24 -37
data/src/core/ext/filters/message_size/message_size_filter.h +10 -25
data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.c +16 -31
data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.h +10 -25
data/src/core/ext/filters/workarounds/workaround_utils.c +12 -26
data/src/core/ext/filters/workarounds/workaround_utils.h +11 -26
data/src/core/ext/transport/chttp2/alpn/alpn.c +10 -25
data/src/core/ext/transport/chttp2/alpn/alpn.h +10 -25
data/src/core/ext/transport/chttp2/client/chttp2_connector.c +13 -28
data/src/core/ext/transport/chttp2/client/chttp2_connector.h +10 -25
data/src/core/ext/transport/chttp2/client/insecure/channel_create.c +13 -30
data/src/core/ext/transport/chttp2/client/insecure/channel_create_posix.c +12 -29
data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.c +13 -30
data/src/core/ext/transport/chttp2/server/chttp2_server.c +11 -26
data/src/core/ext/transport/chttp2/server/chttp2_server.h +10 -25
data/src/core/ext/transport/chttp2/server/insecure/server_chttp2.c +10 -25
data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.c +10 -25
data/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.c +10 -25
data/src/core/ext/transport/chttp2/transport/bin_decoder.c +11 -25
data/src/core/ext/transport/chttp2/transport/bin_decoder.h +10 -25
data/src/core/ext/transport/chttp2/transport/bin_encoder.c +10 -25
data/src/core/ext/transport/chttp2/transport/bin_encoder.h +10 -25
data/src/core/ext/transport/chttp2/transport/chttp2_plugin.c +15 -27
data/src/core/ext/transport/chttp2/transport/chttp2_transport.c +421 -443
data/src/core/ext/transport/chttp2/transport/chttp2_transport.h +14 -25
data/src/core/ext/transport/chttp2/transport/flow_control.c +500 -0
data/src/core/ext/transport/chttp2/transport/frame.h +10 -25
data/src/core/ext/transport/chttp2/transport/frame_data.c +20 -28
data/src/core/ext/transport/chttp2/transport/frame_data.h +10 -25
data/src/core/ext/transport/chttp2/transport/frame_goaway.c +10 -25
data/src/core/ext/transport/chttp2/transport/frame_goaway.h +10 -25
data/src/core/ext/transport/chttp2/transport/frame_ping.c +11 -26
data/src/core/ext/transport/chttp2/transport/frame_ping.h +10 -25
data/src/core/ext/transport/chttp2/transport/frame_rst_stream.c +11 -26
data/src/core/ext/transport/chttp2/transport/frame_rst_stream.h +10 -25
data/src/core/ext/transport/chttp2/transport/frame_settings.c +16 -29
data/src/core/ext/transport/chttp2/transport/frame_settings.h +10 -25
data/src/core/ext/transport/chttp2/transport/frame_window_update.c +17 -33
data/src/core/ext/transport/chttp2/transport/frame_window_update.h +10 -25
data/src/core/ext/transport/chttp2/transport/hpack_encoder.c +18 -31
data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +12 -25
data/src/core/ext/transport/chttp2/transport/hpack_parser.c +15 -30
data/src/core/ext/transport/chttp2/transport/hpack_parser.h +10 -25
data/src/core/ext/transport/chttp2/transport/hpack_table.c +10 -25
data/src/core/ext/transport/chttp2/transport/hpack_table.h +10 -25
data/src/core/ext/transport/chttp2/transport/http2_settings.c +10 -25
data/src/core/ext/transport/chttp2/transport/http2_settings.h +10 -25
data/src/core/ext/transport/chttp2/transport/huffsyms.c +10 -25
data/src/core/ext/transport/chttp2/transport/huffsyms.h +10 -25
data/src/core/ext/transport/chttp2/transport/incoming_metadata.c +10 -25
data/src/core/ext/transport/chttp2/transport/incoming_metadata.h +10 -25
data/src/core/ext/transport/chttp2/transport/internal.h +191 -179
data/src/core/ext/transport/chttp2/transport/parsing.c +33 -102
data/src/core/ext/transport/chttp2/transport/stream_lists.c +26 -28
data/src/core/ext/transport/chttp2/transport/stream_map.c +10 -25
data/src/core/ext/transport/chttp2/transport/stream_map.h +10 -25
data/src/core/ext/transport/chttp2/transport/varint.c +14 -25
data/src/core/ext/transport/chttp2/transport/varint.h +10 -25
data/src/core/ext/transport/chttp2/transport/writing.c +164 -106
data/src/core/ext/transport/inproc/inproc_plugin.c +29 -0
data/src/core/ext/transport/inproc/inproc_transport.c +1303 -0
data/src/core/ext/transport/inproc/inproc_transport.h +41 -0
data/src/core/lib/channel/channel_args.c +52 -27
data/src/core/lib/channel/channel_args.h +18 -27
data/src/core/lib/channel/channel_stack.c +11 -26
data/src/core/lib/channel/channel_stack.h +12 -27
data/src/core/lib/channel/channel_stack_builder.c +11 -26
data/src/core/lib/channel/channel_stack_builder.h +10 -25
data/src/core/lib/channel/connected_channel.c +10 -25
data/src/core/lib/channel/connected_channel.h +10 -25
data/src/core/lib/channel/context.h +10 -25
data/src/core/lib/channel/handshaker.c +14 -29
data/src/core/lib/channel/handshaker.h +10 -25
data/src/core/lib/channel/handshaker_factory.c +10 -25
data/src/core/lib/channel/handshaker_factory.h +10 -25
data/src/core/lib/channel/handshaker_registry.c +10 -25
data/src/core/lib/channel/handshaker_registry.h +10 -25
data/src/core/lib/compression/algorithm_metadata.h +10 -25
data/src/core/lib/compression/compression.c +10 -25
data/src/core/lib/compression/message_compress.c +10 -25
data/src/core/lib/compression/message_compress.h +10 -25
data/src/core/lib/compression/stream_compression.c +191 -0
data/src/core/lib/compression/stream_compression.h +90 -0
data/src/core/lib/debug/trace.c +28 -29
data/src/core/lib/debug/trace.h +16 -30
data/src/core/lib/http/format_request.c +10 -25
data/src/core/lib/http/format_request.h +10 -25
data/src/core/lib/http/httpcli.c +19 -35
data/src/core/lib/http/httpcli.h +10 -25
data/src/core/lib/http/httpcli_security_connector.c +17 -30
data/src/core/lib/http/parser.c +11 -26
data/src/core/lib/http/parser.h +10 -25
data/src/core/lib/iomgr/closure.c +62 -25
data/src/core/lib/iomgr/closure.h +81 -26
data/src/core/lib/iomgr/combiner.c +103 -200
data/src/core/lib/iomgr/combiner.h +14 -32
data/src/core/lib/iomgr/endpoint.c +10 -29
data/src/core/lib/iomgr/endpoint.h +10 -29
data/src/core/lib/iomgr/endpoint_pair.h +10 -25
data/src/core/lib/iomgr/endpoint_pair_posix.c +10 -25
data/src/core/lib/iomgr/endpoint_pair_uv.c +10 -25
data/src/core/lib/iomgr/endpoint_pair_windows.c +10 -25
data/src/core/lib/iomgr/error.c +45 -46
data/src/core/lib/iomgr/error.h +21 -34
data/src/core/lib/iomgr/error_internal.h +10 -25
data/src/core/lib/iomgr/ev_epoll1_linux.c +279 -179
data/src/core/lib/iomgr/ev_epoll1_linux.h +10 -25
data/src/core/lib/iomgr/ev_epoll_limited_pollers_linux.c +75 -264
data/src/core/lib/iomgr/ev_epoll_limited_pollers_linux.h +10 -25
data/src/core/lib/iomgr/ev_epoll_thread_pool_linux.c +44 -199
data/src/core/lib/iomgr/ev_epoll_thread_pool_linux.h +10 -25
data/src/core/lib/iomgr/ev_epollex_linux.c +184 -247
data/src/core/lib/iomgr/ev_epollex_linux.h +10 -25
data/src/core/lib/iomgr/ev_epollsig_linux.c +116 -323
data/src/core/lib/iomgr/ev_epollsig_linux.h +10 -25
data/src/core/lib/iomgr/ev_poll_posix.c +328 -184
data/src/core/lib/iomgr/ev_poll_posix.h +10 -25
data/src/core/lib/iomgr/ev_posix.c +25 -56
data/src/core/lib/iomgr/ev_posix.h +15 -44
data/src/core/lib/iomgr/ev_windows.c +11 -26
data/src/core/lib/iomgr/exec_ctx.c +36 -45
data/src/core/lib/iomgr/exec_ctx.h +10 -25
data/src/core/lib/iomgr/executor.c +152 -127
data/src/core/lib/iomgr/executor.h +18 -26
data/src/core/lib/iomgr/gethostname.h +26 -0
data/src/core/lib/iomgr/gethostname_fallback.c +27 -0
data/src/core/lib/iomgr/gethostname_host_name_max.c +37 -0
data/src/core/lib/iomgr/gethostname_sysconf.c +37 -0
data/src/core/lib/iomgr/iocp_windows.c +10 -25
data/src/core/lib/iomgr/iocp_windows.h +10 -25
data/src/core/lib/iomgr/iomgr.c +17 -28
data/src/core/lib/iomgr/iomgr.h +12 -27
data/src/core/lib/iomgr/iomgr_internal.h +10 -25
data/src/core/lib/iomgr/iomgr_posix.c +11 -26
data/src/core/lib/iomgr/iomgr_posix.h +10 -25
data/src/core/lib/iomgr/iomgr_uv.c +19 -26
data/src/core/lib/iomgr/iomgr_uv.h +37 -0
data/src/core/lib/iomgr/iomgr_windows.c +10 -25
data/src/core/lib/iomgr/is_epollexclusive_available.c +10 -25
data/src/core/lib/iomgr/is_epollexclusive_available.h +10 -25
data/src/core/lib/iomgr/load_file.c +10 -25
data/src/core/lib/iomgr/load_file.h +10 -25
data/src/core/lib/iomgr/lockfree_event.c +22 -35
data/src/core/lib/iomgr/lockfree_event.h +13 -27
data/src/core/lib/iomgr/nameser.h +104 -0
data/src/core/lib/iomgr/network_status_tracker.c +10 -25
data/src/core/lib/iomgr/network_status_tracker.h +10 -25
data/src/core/lib/iomgr/polling_entity.c +10 -25
data/src/core/lib/iomgr/polling_entity.h +14 -34
data/src/core/lib/iomgr/pollset.h +14 -25
data/src/core/lib/iomgr/pollset_set.h +10 -25
data/src/core/lib/iomgr/pollset_set_uv.c +10 -25
data/src/core/lib/iomgr/pollset_set_windows.c +10 -25
data/src/core/lib/iomgr/pollset_set_windows.h +10 -25
data/src/core/lib/iomgr/pollset_uv.c +25 -26
data/src/core/lib/iomgr/pollset_uv.h +10 -25
data/src/core/lib/iomgr/pollset_windows.c +17 -27
data/src/core/lib/iomgr/pollset_windows.h +10 -25
data/src/core/lib/iomgr/port.h +24 -25
data/src/core/lib/iomgr/resolve_address.h +10 -25
data/src/core/lib/iomgr/resolve_address_posix.c +13 -28
data/src/core/lib/iomgr/resolve_address_uv.c +31 -35
data/src/core/lib/iomgr/resolve_address_windows.c +13 -28
data/src/core/lib/iomgr/resource_quota.c +52 -67
data/src/core/lib/iomgr/resource_quota.h +10 -25
data/src/core/lib/iomgr/sockaddr.h +10 -25
data/src/core/lib/iomgr/sockaddr_posix.h +10 -25
data/src/core/lib/iomgr/sockaddr_utils.c +15 -25
data/src/core/lib/iomgr/sockaddr_utils.h +12 -25
data/src/core/lib/iomgr/sockaddr_windows.h +10 -25
data/src/core/lib/iomgr/socket_factory_posix.c +13 -31
data/src/core/lib/iomgr/socket_factory_posix.h +10 -25
data/src/core/lib/iomgr/socket_mutator.c +14 -31
data/src/core/lib/iomgr/socket_mutator.h +10 -25
data/src/core/lib/iomgr/socket_utils.h +10 -25
data/src/core/lib/iomgr/socket_utils_common_posix.c +10 -25
data/src/core/lib/iomgr/socket_utils_linux.c +10 -25
data/src/core/lib/iomgr/socket_utils_posix.c +10 -25
data/src/core/lib/iomgr/socket_utils_posix.h +10 -25
data/src/core/lib/iomgr/socket_utils_uv.c +10 -25
data/src/core/lib/iomgr/socket_utils_windows.c +10 -25
data/src/core/lib/iomgr/socket_windows.c +12 -27
data/src/core/lib/iomgr/socket_windows.h +10 -25
data/src/core/lib/iomgr/sys_epoll_wrapper.h +10 -25
data/src/core/lib/iomgr/tcp_client.h +10 -25
data/src/core/lib/iomgr/tcp_client_posix.c +21 -34
data/src/core/lib/iomgr/tcp_client_posix.h +10 -25
data/src/core/lib/iomgr/tcp_client_uv.c +18 -27
data/src/core/lib/iomgr/tcp_client_windows.c +14 -29
data/src/core/lib/iomgr/tcp_posix.c +36 -55
data/src/core/lib/iomgr/tcp_posix.h +10 -25
data/src/core/lib/iomgr/tcp_server.h +10 -25
data/src/core/lib/iomgr/tcp_server_posix.c +16 -31
data/src/core/lib/iomgr/tcp_server_utils_posix.h +10 -25
data/src/core/lib/iomgr/tcp_server_utils_posix_common.c +11 -26
data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.c +10 -25
data/src/core/lib/iomgr/tcp_server_utils_posix_noifaddrs.c +10 -25
data/src/core/lib/iomgr/tcp_server_uv.c +103 -64
data/src/core/lib/iomgr/tcp_server_windows.c +14 -29
data/src/core/lib/iomgr/tcp_uv.c +41 -45
data/src/core/lib/iomgr/tcp_uv.h +10 -25
data/src/core/lib/iomgr/tcp_windows.c +39 -53
data/src/core/lib/iomgr/tcp_windows.h +10 -25
data/src/core/lib/iomgr/time_averaged_stats.c +10 -25
data/src/core/lib/iomgr/time_averaged_stats.h +10 -25
data/src/core/lib/iomgr/timer.h +18 -27
data/src/core/lib/iomgr/timer_generic.c +91 -87
data/src/core/lib/iomgr/timer_generic.h +10 -25
data/src/core/lib/iomgr/timer_heap.c +10 -25
data/src/core/lib/iomgr/timer_heap.h +10 -25
data/src/core/lib/iomgr/timer_manager.c +178 -100
data/src/core/lib/iomgr/timer_manager.h +10 -25
data/src/core/lib/iomgr/timer_uv.c +23 -33
data/src/core/lib/iomgr/timer_uv.h +10 -25
data/src/core/lib/iomgr/udp_server.c +17 -32
data/src/core/lib/iomgr/udp_server.h +10 -25
data/src/core/lib/iomgr/unix_sockets_posix.c +10 -25
data/src/core/lib/iomgr/unix_sockets_posix.h +10 -25
data/src/core/lib/iomgr/unix_sockets_posix_noop.c +10 -25
data/src/core/lib/iomgr/wakeup_fd_cv.c +10 -25
data/src/core/lib/iomgr/wakeup_fd_cv.h +13 -28
data/src/core/lib/iomgr/wakeup_fd_eventfd.c +10 -25
data/src/core/lib/iomgr/wakeup_fd_nospecial.c +10 -25
data/src/core/lib/iomgr/wakeup_fd_pipe.c +10 -25
data/src/core/lib/iomgr/wakeup_fd_pipe.h +10 -25
data/src/core/lib/iomgr/wakeup_fd_posix.c +10 -25
data/src/core/lib/iomgr/wakeup_fd_posix.h +10 -25
data/src/core/lib/json/json.c +10 -25
data/src/core/lib/json/json.h +10 -25
data/src/core/lib/json/json_common.h +10 -25
data/src/core/lib/json/json_reader.c +11 -25
data/src/core/lib/json/json_reader.h +10 -25
data/src/core/lib/json/json_string.c +10 -25
data/src/core/lib/json/json_writer.c +10 -25
data/src/core/lib/json/json_writer.h +10 -25
data/src/core/lib/profiling/basic_timers.c +10 -25
data/src/core/lib/profiling/stap_timers.c +10 -25
data/src/core/lib/profiling/timers.h +10 -25
data/src/core/lib/security/context/security_context.c +32 -40
data/src/core/lib/security/context/security_context.h +15 -26
data/src/core/lib/security/credentials/composite/composite_credentials.c +76 -81
data/src/core/lib/security/credentials/composite/composite_credentials.h +10 -25
data/src/core/lib/security/credentials/credentials.c +29 -49
data/src/core/lib/security/credentials/credentials.h +48 -61
data/src/core/lib/security/credentials/credentials_metadata.c +34 -78
data/src/core/lib/security/credentials/fake/fake_credentials.c +33 -56
data/src/core/lib/security/credentials/fake/fake_credentials.h +12 -27
data/src/core/lib/security/credentials/google_default/credentials_generic.c +10 -25
data/src/core/lib/security/credentials/google_default/google_default_credentials.c +12 -27
data/src/core/lib/security/credentials/google_default/google_default_credentials.h +10 -25
data/src/core/lib/security/credentials/iam/iam_credentials.c +40 -40
data/src/core/lib/security/credentials/iam/iam_credentials.h +11 -26
data/src/core/lib/security/credentials/jwt/json_token.c +10 -25
data/src/core/lib/security/credentials/jwt/json_token.h +10 -25
data/src/core/lib/security/credentials/jwt/jwt_credentials.c +45 -48
data/src/core/lib/security/credentials/jwt/jwt_credentials.h +11 -26
data/src/core/lib/security/credentials/jwt/jwt_verifier.c +53 -33
data/src/core/lib/security/credentials/jwt/jwt_verifier.h +10 -25
data/src/core/lib/security/credentials/oauth2/oauth2_credentials.c +155 -87
data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +24 -28
data/src/core/lib/security/credentials/plugin/plugin_credentials.c +118 -82
data/src/core/lib/security/credentials/plugin/plugin_credentials.h +24 -27
data/src/core/lib/security/credentials/ssl/ssl_credentials.c +13 -32
data/src/core/lib/security/credentials/ssl/ssl_credentials.h +10 -25
data/src/core/lib/security/transport/auth_filters.h +10 -25
data/src/core/lib/security/transport/client_auth_filter.c +217 -112
data/src/core/lib/security/transport/lb_targets_info.c +16 -32
data/src/core/lib/security/transport/lb_targets_info.h +10 -25
data/src/core/lib/security/transport/secure_endpoint.c +29 -43
data/src/core/lib/security/transport/secure_endpoint.h +10 -25
data/src/core/lib/security/transport/security_connector.c +80 -61
data/src/core/lib/security/transport/security_connector.h +35 -35
data/src/core/lib/security/transport/security_handshaker.c +18 -33
data/src/core/lib/security/transport/security_handshaker.h +10 -25
data/src/core/lib/security/transport/server_auth_filter.c +62 -116
data/src/core/lib/security/transport/tsi_error.c +10 -25
data/src/core/lib/security/transport/tsi_error.h +10 -25
data/src/core/lib/security/util/json_util.c +10 -25
data/src/core/lib/security/util/json_util.h +10 -25
data/src/core/lib/slice/b64.c +10 -25
data/src/core/lib/slice/b64.h +10 -25
data/src/core/lib/slice/percent_encoding.c +10 -25
data/src/core/lib/slice/percent_encoding.h +10 -25
data/src/core/lib/slice/slice.c +10 -25
data/src/core/lib/slice/slice_buffer.c +10 -25
data/src/core/lib/slice/slice_hash_table.c +48 -26
data/src/core/lib/slice/slice_hash_table.h +26 -28
data/src/core/lib/slice/slice_intern.c +10 -25
data/src/core/lib/slice/slice_internal.h +10 -25
data/src/core/lib/slice/slice_string_helpers.c +10 -25
data/src/core/lib/slice/slice_string_helpers.h +10 -25
data/src/core/lib/support/alloc.c +10 -25
data/src/core/lib/support/arena.c +12 -27
data/src/core/lib/support/arena.h +10 -25
data/src/core/lib/support/atm.c +17 -32
data/src/core/lib/support/atomic.h +10 -25
data/src/core/lib/support/atomic_with_atm.h +10 -25
data/src/core/lib/support/atomic_with_std.h +10 -25
data/src/core/lib/support/avl.c +101 -101
data/src/core/lib/support/backoff.c +10 -25
data/src/core/lib/support/backoff.h +10 -25
data/src/core/lib/support/block_annotate.h +10 -25
data/src/core/lib/support/cmdline.c +10 -25
data/src/core/lib/support/cpu_iphone.c +10 -25
data/src/core/lib/support/cpu_linux.c +10 -25
data/src/core/lib/support/cpu_posix.c +10 -25
data/src/core/lib/support/cpu_windows.c +10 -25
data/src/core/lib/support/env.h +16 -25
data/src/core/lib/support/env_linux.c +30 -37
data/src/core/lib/support/env_posix.c +15 -25
data/src/core/lib/support/env_windows.c +15 -25
data/src/core/lib/support/histogram.c +10 -25
data/src/core/lib/support/host_port.c +10 -25
data/src/core/lib/support/log.c +20 -29
data/src/core/lib/support/log_android.c +10 -25
data/src/core/lib/support/log_linux.c +13 -26
data/src/core/lib/support/log_posix.c +10 -25
data/src/core/lib/support/log_windows.c +10 -25
data/src/core/lib/support/memory.h +10 -25
data/src/core/lib/support/mpscq.c +11 -49
data/src/core/lib/support/mpscq.h +11 -50
data/src/core/lib/support/murmur_hash.c +12 -25
data/src/core/lib/support/murmur_hash.h +10 -25
data/src/core/lib/support/spinlock.h +10 -25
data/src/core/lib/support/stack_lockfree.c +10 -25
data/src/core/lib/support/stack_lockfree.h +10 -25
data/src/core/lib/support/string.c +10 -25
data/src/core/lib/support/string.h +10 -25
data/src/core/lib/support/string_posix.c +10 -25
data/src/core/lib/support/string_util_windows.c +10 -25
data/src/core/lib/support/string_windows.c +10 -25
data/src/core/lib/support/string_windows.h +10 -25
data/src/core/lib/support/subprocess_posix.c +10 -25
data/src/core/lib/support/subprocess_windows.c +10 -25
data/src/core/lib/support/sync.c +10 -25
data/src/core/lib/support/sync_posix.c +10 -25
data/src/core/lib/support/sync_windows.c +10 -25
data/src/core/lib/support/thd.c +10 -25
data/src/core/lib/support/thd_internal.h +10 -25
data/src/core/lib/support/thd_posix.c +10 -25
data/src/core/lib/support/thd_windows.c +10 -25
data/src/core/lib/support/time.c +10 -25
data/src/core/lib/support/time_posix.c +10 -25
data/src/core/lib/support/time_precise.c +18 -33
data/src/core/lib/support/time_precise.h +10 -25
data/src/core/lib/support/time_windows.c +10 -25
data/src/core/lib/support/tls_pthread.c +10 -25
data/src/core/lib/support/tmpfile.h +10 -25
data/src/core/lib/support/tmpfile_msys.c +10 -25
data/src/core/lib/support/tmpfile_posix.c +10 -25
data/src/core/lib/support/tmpfile_windows.c +10 -25
data/src/core/lib/support/wrap_memcpy.c +10 -25
data/src/core/lib/surface/alarm.c +78 -35
data/src/core/lib/surface/alarm_internal.h +40 -0
data/src/core/lib/surface/api_trace.c +11 -26
data/src/core/lib/surface/api_trace.h +10 -25
data/src/core/lib/surface/byte_buffer.c +10 -25
data/src/core/lib/surface/byte_buffer_reader.c +10 -25
data/src/core/lib/surface/call.c +64 -84
data/src/core/lib/surface/call.h +11 -26
data/src/core/lib/surface/call_details.c +10 -25
data/src/core/lib/surface/call_log_batch.c +10 -25
data/src/core/lib/surface/call_test_only.h +10 -25
data/src/core/lib/surface/channel.c +11 -26
data/src/core/lib/surface/channel.h +11 -26
data/src/core/lib/surface/channel_init.c +10 -25
data/src/core/lib/surface/channel_init.h +10 -25
data/src/core/lib/surface/channel_ping.c +12 -27
data/src/core/lib/surface/channel_stack_type.c +10 -25
data/src/core/lib/surface/channel_stack_type.h +10 -25
data/src/core/lib/surface/completion_queue.c +442 -331
data/src/core/lib/surface/completion_queue.h +16 -33
data/src/core/lib/surface/completion_queue_factory.c +10 -25
data/src/core/lib/surface/completion_queue_factory.h +10 -25
data/src/core/lib/surface/event_string.c +10 -25
data/src/core/lib/surface/event_string.h +10 -25
data/src/core/lib/surface/init.c +38 -47
data/src/core/lib/surface/init.h +10 -25
data/src/core/lib/surface/init_secure.c +20 -27
data/src/core/lib/surface/lame_client.cc +14 -29
data/src/core/lib/surface/lame_client.h +10 -25
data/src/core/lib/surface/metadata_array.c +10 -25
data/src/core/lib/surface/server.c +128 -81
data/src/core/lib/surface/server.h +10 -25
data/src/core/lib/surface/validate_metadata.c +10 -25
data/src/core/lib/surface/validate_metadata.h +10 -25
data/src/core/lib/surface/version.c +11 -26
data/src/core/lib/transport/bdp_estimator.c +19 -29
data/src/core/lib/transport/bdp_estimator.h +16 -29
data/src/core/lib/transport/byte_stream.c +127 -36
data/src/core/lib/transport/byte_stream.h +88 -46
data/src/core/lib/transport/connectivity_state.c +17 -31
data/src/core/lib/transport/connectivity_state.h +10 -25
data/src/core/lib/transport/error_utils.c +10 -25
data/src/core/lib/transport/error_utils.h +10 -25
data/src/core/lib/transport/http2_errors.h +10 -25
data/src/core/lib/transport/metadata.c +87 -85
data/src/core/lib/transport/metadata.h +15 -28
data/src/core/lib/transport/metadata_batch.c +10 -25
data/src/core/lib/transport/metadata_batch.h +10 -25
data/src/core/lib/transport/pid_controller.c +10 -25
data/src/core/lib/transport/pid_controller.h +10 -25
data/src/core/lib/transport/service_config.c +11 -26
data/src/core/lib/transport/service_config.h +10 -25
data/src/core/lib/transport/static_metadata.c +12 -26
data/src/core/lib/transport/static_metadata.h +10 -25
data/src/core/lib/transport/status_conversion.c +10 -25
data/src/core/lib/transport/status_conversion.h +10 -25
data/src/core/lib/transport/timeout_encoding.c +10 -25
data/src/core/lib/transport/timeout_encoding.h +10 -25
data/src/core/lib/transport/transport.c +60 -53
data/src/core/lib/transport/transport.h +36 -34
data/src/core/lib/transport/transport_impl.h +10 -25
data/src/core/lib/transport/transport_op_string.c +10 -28
data/src/core/plugin_registry/grpc_plugin_registry.c +22 -25
data/src/core/tsi/fake_transport_security.c +199 -94
data/src/core/tsi/fake_transport_security.h +11 -26
data/src/core/tsi/gts_transport_security.c +40 -0
data/src/core/tsi/gts_transport_security.h +37 -0
data/src/core/tsi/ssl_transport_security.c +13 -32
data/src/core/tsi/ssl_transport_security.h +10 -25
data/src/core/tsi/ssl_types.h +10 -25
data/src/core/tsi/transport_security.c +48 -78
data/src/core/tsi/transport_security.h +18 -27
data/src/core/tsi/transport_security_adapter.c +17 -29
data/src/core/tsi/transport_security_adapter.h +10 -25
data/src/core/tsi/transport_security_grpc.c +64 -0
data/src/core/tsi/transport_security_grpc.h +80 -0
data/src/core/tsi/transport_security_interface.h +21 -27
data/src/ruby/bin/apis/google/protobuf/empty.rb +10 -25
data/src/ruby/bin/apis/pubsub_demo.rb +10 -25
data/src/ruby/bin/apis/tech/pubsub/proto/pubsub.rb +10 -25
data/src/ruby/bin/apis/tech/pubsub/proto/pubsub_services.rb +10 -25
data/src/ruby/bin/math_client.rb +10 -25
data/src/ruby/bin/math_server.rb +10 -25
data/src/ruby/bin/math_services_pb.rb +10 -25
data/src/ruby/bin/noproto_client.rb +10 -25
data/src/ruby/bin/noproto_server.rb +10 -25
data/src/ruby/ext/grpc/extconf.rb +10 -25
data/src/ruby/ext/grpc/rb_byte_buffer.c +10 -25
data/src/ruby/ext/grpc/rb_byte_buffer.h +10 -25
data/src/ruby/ext/grpc/rb_call.c +44 -25
data/src/ruby/ext/grpc/rb_call.h +10 -25
data/src/ruby/ext/grpc/rb_call_credentials.c +10 -25
data/src/ruby/ext/grpc/rb_call_credentials.h +10 -25
data/src/ruby/ext/grpc/rb_channel.c +10 -25
data/src/ruby/ext/grpc/rb_channel.h +10 -25
data/src/ruby/ext/grpc/rb_channel_args.c +10 -25
data/src/ruby/ext/grpc/rb_channel_args.h +10 -25
data/src/ruby/ext/grpc/rb_channel_credentials.c +10 -25
data/src/ruby/ext/grpc/rb_channel_credentials.h +10 -25
data/src/ruby/ext/grpc/rb_completion_queue.c +10 -25
data/src/ruby/ext/grpc/rb_completion_queue.h +10 -25
data/src/ruby/ext/grpc/rb_compression_options.c +10 -25
data/src/ruby/ext/grpc/rb_compression_options.h +10 -25
data/src/ruby/ext/grpc/rb_event_thread.c +10 -25
data/src/ruby/ext/grpc/rb_event_thread.h +10 -25
data/src/ruby/ext/grpc/rb_grpc.c +10 -25
data/src/ruby/ext/grpc/rb_grpc.h +10 -25
data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +10 -25
data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +16 -31
data/src/ruby/ext/grpc/rb_loader.c +10 -25
data/src/ruby/ext/grpc/rb_loader.h +10 -25
data/src/ruby/ext/grpc/rb_server.c +10 -25
data/src/ruby/ext/grpc/rb_server.h +10 -25
data/src/ruby/ext/grpc/rb_server_credentials.c +10 -25
data/src/ruby/ext/grpc/rb_server_credentials.h +10 -25
data/src/ruby/lib/grpc.rb +10 -25
data/src/ruby/lib/grpc/core/time_consts.rb +10 -25
data/src/ruby/lib/grpc/errors.rb +16 -30
data/src/ruby/lib/grpc/generic/active_call.rb +25 -27
data/src/ruby/lib/grpc/generic/bidi_call.rb +17 -27
data/src/ruby/lib/grpc/generic/client_stub.rb +10 -25
data/src/ruby/lib/grpc/generic/rpc_desc.rb +10 -25
data/src/ruby/lib/grpc/generic/rpc_server.rb +10 -25
data/src/ruby/lib/grpc/generic/service.rb +10 -25
data/src/ruby/lib/grpc/grpc.rb +10 -25
data/src/ruby/lib/grpc/logconfig.rb +10 -25
data/src/ruby/lib/grpc/notifier.rb +10 -25
data/src/ruby/lib/grpc/version.rb +11 -26
data/src/ruby/pb/generate_proto_ruby.sh +10 -25
data/src/ruby/pb/grpc/health/checker.rb +10 -25
data/src/ruby/pb/grpc/health/v1/health_services_pb.rb +10 -25
data/src/ruby/pb/grpc/testing/duplicate/echo_duplicate_services_pb.rb +10 -25
data/src/ruby/pb/grpc/testing/metrics_services_pb.rb +10 -25
data/src/ruby/pb/src/proto/grpc/testing/test_services_pb.rb +10 -25
data/src/ruby/pb/test/client.rb +10 -25
data/src/ruby/pb/test/server.rb +10 -25
data/src/ruby/spec/call_credentials_spec.rb +10 -25
data/src/ruby/spec/call_spec.rb +43 -25
data/src/ruby/spec/channel_connection_spec.rb +10 -25
data/src/ruby/spec/channel_credentials_spec.rb +11 -26
data/src/ruby/spec/channel_spec.rb +10 -25
data/src/ruby/spec/client_auth_spec.rb +10 -25
data/src/ruby/spec/client_server_spec.rb +66 -25
data/src/ruby/spec/compression_options_spec.rb +10 -25
data/src/ruby/spec/error_sanity_spec.rb +10 -25
data/src/ruby/spec/generic/active_call_spec.rb +10 -25
data/src/ruby/spec/generic/client_stub_spec.rb +146 -35
data/src/ruby/spec/generic/rpc_desc_spec.rb +10 -25
data/src/ruby/spec/generic/rpc_server_pool_spec.rb +10 -25
data/src/ruby/spec/generic/rpc_server_spec.rb +124 -34
data/src/ruby/spec/generic/service_spec.rb +10 -25
data/src/ruby/spec/pb/duplicate/codegen_spec.rb +10 -25
data/src/ruby/spec/pb/health/checker_spec.rb +10 -25
data/src/ruby/spec/server_credentials_spec.rb +10 -25
data/src/ruby/spec/server_spec.rb +10 -25
data/src/ruby/spec/spec_helper.rb +10 -25
data/src/ruby/spec/time_consts_spec.rb +10 -25
data/third_party/boringssl/crypto/aes/key_wrap.c +138 -0
data/third_party/boringssl/crypto/asn1/a_bitstr.c +6 -3
data/third_party/boringssl/crypto/asn1/a_enum.c +4 -1
data/third_party/boringssl/crypto/asn1/a_gentm.c +20 -15
data/third_party/boringssl/crypto/asn1/a_int.c +7 -4
data/third_party/boringssl/crypto/asn1/a_object.c +5 -2
data/third_party/boringssl/crypto/asn1/a_time.c +0 -1
data/third_party/boringssl/crypto/asn1/a_utctm.c +1 -2
data/third_party/boringssl/crypto/asn1/asn1_lib.c +5 -2
data/third_party/boringssl/crypto/asn1/asn1_locl.h +35 -0
data/third_party/boringssl/crypto/asn1/tasn_dec.c +3 -1
data/third_party/boringssl/crypto/asn1/tasn_enc.c +6 -3
data/third_party/boringssl/crypto/asn1/tasn_new.c +12 -7
data/third_party/boringssl/crypto/asn1/tasn_utl.c +22 -8
data/third_party/boringssl/crypto/{time_support.c → asn1/time_support.c} +1 -1
data/third_party/boringssl/crypto/asn1/x_long.c +5 -2
data/third_party/boringssl/crypto/base64/base64.c +7 -5
data/third_party/boringssl/crypto/bio/bio.c +24 -10
data/third_party/boringssl/crypto/bio/bio_mem.c +12 -10
data/third_party/boringssl/crypto/bio/connect.c +7 -18
data/third_party/boringssl/crypto/bio/fd.c +3 -6
data/third_party/boringssl/crypto/bio/file.c +6 -6
data/third_party/boringssl/crypto/bio/hexdump.c +4 -2
data/third_party/boringssl/crypto/bio/pair.c +30 -344
data/third_party/boringssl/crypto/bio/socket.c +6 -7
data/third_party/boringssl/crypto/bio/socket_helper.c +4 -3
data/third_party/boringssl/crypto/bn/add.c +1 -1
data/third_party/boringssl/crypto/bn/asm/x86_64-gcc.c +11 -10
data/third_party/boringssl/crypto/bn/bn.c +6 -20
data/third_party/boringssl/crypto/bn/cmp.c +14 -0
data/third_party/boringssl/crypto/bn/convert.c +73 -2
data/third_party/boringssl/crypto/bn/ctx.c +3 -1
data/third_party/boringssl/crypto/bn/div.c +108 -51
data/third_party/boringssl/crypto/bn/exponentiation.c +15 -33
data/third_party/boringssl/crypto/bn/gcd.c +29 -22
data/third_party/boringssl/crypto/bn/generic.c +71 -67
data/third_party/boringssl/crypto/bn/internal.h +19 -6
data/third_party/boringssl/crypto/bn/kronecker.c +1 -0
data/third_party/boringssl/crypto/bn/montgomery.c +9 -10
data/third_party/boringssl/crypto/bn/montgomery_inv.c +47 -0
data/third_party/boringssl/crypto/bn/mul.c +11 -9
data/third_party/boringssl/crypto/bn/random.c +6 -3
data/third_party/boringssl/crypto/bn/rsaz_exp.c +0 -65
data/third_party/boringssl/crypto/bn/rsaz_exp.h +0 -3
data/third_party/boringssl/crypto/bn/shift.c +9 -1
data/third_party/boringssl/crypto/bn/sqrt.c +3 -1
data/third_party/boringssl/crypto/buf/buf.c +6 -4
data/third_party/boringssl/crypto/bytestring/asn1_compat.c +2 -1
data/third_party/boringssl/crypto/bytestring/ber.c +2 -1
data/third_party/boringssl/crypto/bytestring/cbb.c +9 -7
data/third_party/boringssl/crypto/bytestring/cbs.c +54 -2
data/third_party/boringssl/crypto/chacha/chacha.c +1 -1
data/third_party/boringssl/crypto/cipher/aead.c +3 -3
data/third_party/boringssl/crypto/cipher/cipher.c +18 -13
data/third_party/boringssl/crypto/cipher/e_aes.c +335 -281
data/third_party/boringssl/crypto/cipher/e_chacha20poly1305.c +113 -137
data/third_party/boringssl/crypto/cipher/e_null.c +2 -1
data/third_party/boringssl/crypto/cipher/e_rc2.c +54 -49
data/third_party/boringssl/crypto/cipher/e_ssl3.c +4 -3
data/third_party/boringssl/crypto/cipher/e_tls.c +5 -5
data/third_party/boringssl/crypto/cipher/tls_cbc.c +41 -112
data/third_party/boringssl/crypto/cmac/cmac.c +6 -4
data/third_party/boringssl/crypto/conf/conf.c +6 -3
data/third_party/boringssl/crypto/cpu-arm-linux.c +2 -2
data/third_party/boringssl/crypto/curve25519/curve25519.c +28 -34
data/third_party/boringssl/crypto/curve25519/spake25519.c +7 -6
data/third_party/boringssl/crypto/curve25519/x25519-x86_64.c +2 -1
data/third_party/boringssl/crypto/des/des.c +1 -1
data/third_party/boringssl/crypto/des/internal.h +58 -46
data/third_party/boringssl/crypto/dh/dh.c +4 -8
data/third_party/boringssl/crypto/digest/digest.c +5 -2
data/third_party/boringssl/crypto/digest/digests.c +70 -33
data/third_party/boringssl/crypto/digest/md32_common.h +39 -27
data/third_party/boringssl/crypto/dsa/dsa.c +11 -19
data/third_party/boringssl/crypto/ec/ec.c +1 -1
data/third_party/boringssl/crypto/ec/ec_asn1.c +3 -2
data/third_party/boringssl/crypto/ec/ec_key.c +1 -1
data/third_party/boringssl/crypto/ec/ec_montgomery.c +6 -11
data/third_party/boringssl/crypto/ec/oct.c +2 -14
data/third_party/boringssl/crypto/ec/p224-64.c +78 -122
data/third_party/boringssl/crypto/ec/p256-64.c +93 -133
data/third_party/boringssl/crypto/ec/p256-x86_64.c +48 -61
data/third_party/boringssl/crypto/ec/p256-x86_64.h +113 -0
data/third_party/boringssl/crypto/ec/simple.c +2 -1
data/third_party/boringssl/crypto/ec/wnaf.c +52 -43
data/third_party/boringssl/crypto/ecdh/ecdh.c +4 -2
data/third_party/boringssl/crypto/ecdsa/ecdsa.c +17 -16
data/third_party/boringssl/crypto/engine/engine.c +3 -1
data/third_party/boringssl/crypto/err/err.c +5 -5
data/third_party/boringssl/crypto/evp/evp.c +1 -1
data/third_party/boringssl/crypto/evp/evp_asn1.c +1 -1
data/third_party/boringssl/crypto/evp/evp_ctx.c +23 -29
data/third_party/boringssl/crypto/evp/p_ec.c +2 -1
data/third_party/boringssl/crypto/evp/p_rsa.c +9 -3
data/third_party/boringssl/crypto/evp/pbkdf.c +3 -1
data/third_party/boringssl/crypto/hkdf/hkdf.c +3 -1
data/third_party/boringssl/crypto/hmac/hmac.c +4 -2
data/third_party/boringssl/crypto/internal.h +81 -0
data/third_party/boringssl/crypto/lhash/lhash.c +7 -13
data/third_party/boringssl/crypto/md4/md4.c +20 -18
data/third_party/boringssl/crypto/md5/md5.c +31 -21
data/third_party/boringssl/crypto/mem.c +4 -10
data/third_party/boringssl/crypto/modes/cbc.c +2 -6
data/third_party/boringssl/crypto/modes/cfb.c +2 -2
data/third_party/boringssl/crypto/modes/ctr.c +1 -1
data/third_party/boringssl/crypto/modes/gcm.c +117 -334
data/third_party/boringssl/crypto/modes/internal.h +107 -84
data/third_party/boringssl/crypto/modes/ofb.c +3 -3
data/third_party/boringssl/crypto/modes/polyval.c +94 -0
data/third_party/boringssl/crypto/obj/obj.c +13 -8
data/third_party/boringssl/crypto/obj/obj_dat.h +6109 -5187
data/third_party/boringssl/crypto/obj/obj_xref.c +55 -57
data/third_party/boringssl/crypto/pem/pem_lib.c +6 -3
data/third_party/boringssl/crypto/pkcs8/internal.h +27 -8
data/third_party/boringssl/crypto/pkcs8/p5_pbev2.c +137 -352
data/third_party/boringssl/crypto/pkcs8/pkcs8.c +371 -364
data/third_party/boringssl/crypto/poly1305/poly1305.c +12 -18
data/third_party/boringssl/crypto/poly1305/poly1305_arm.c +2 -2
data/third_party/boringssl/crypto/{newhope/reduce.c → pool/internal.h} +24 -21
data/third_party/boringssl/crypto/pool/pool.c +200 -0
data/third_party/boringssl/crypto/rand/deterministic.c +6 -5
data/third_party/boringssl/crypto/rand/fuchsia.c +43 -0
data/third_party/boringssl/crypto/rand/rand.c +7 -7
data/third_party/boringssl/crypto/rand/urandom.c +136 -22
data/third_party/boringssl/crypto/rand/windows.c +2 -2
data/third_party/boringssl/crypto/rsa/blinding.c +2 -1
data/third_party/boringssl/crypto/rsa/padding.c +11 -11
data/third_party/boringssl/crypto/rsa/rsa.c +4 -4
data/third_party/boringssl/crypto/rsa/rsa_asn1.c +7 -1
data/third_party/boringssl/crypto/rsa/rsa_impl.c +41 -80
data/third_party/boringssl/crypto/sha/sha1-altivec.c +346 -0
data/third_party/boringssl/crypto/sha/sha1.c +60 -42
data/third_party/boringssl/crypto/sha/sha256.c +4 -2
data/third_party/boringssl/crypto/sha/sha512.c +9 -7
data/third_party/boringssl/crypto/stack/stack.c +10 -7
data/third_party/boringssl/crypto/thread_pthread.c +2 -2
data/third_party/boringssl/crypto/thread_win.c +2 -2
data/third_party/boringssl/crypto/x509/a_verify.c +1 -1
data/third_party/boringssl/crypto/x509/asn1_gen.c +1 -1
data/third_party/boringssl/crypto/x509/by_dir.c +1 -1
data/third_party/boringssl/crypto/x509/t_x509.c +78 -38
data/third_party/boringssl/crypto/x509/x509_cmp.c +8 -5
data/third_party/boringssl/crypto/x509/x509_lu.c +6 -1
data/third_party/boringssl/crypto/x509/x509_obj.c +4 -1
data/third_party/boringssl/crypto/x509/x509_vfy.c +42 -8
data/third_party/boringssl/crypto/x509/x509_vpm.c +8 -6
data/third_party/boringssl/crypto/x509/x509name.c +4 -1
data/third_party/boringssl/crypto/x509/x_crl.c +4 -2
data/third_party/boringssl/crypto/x509/x_name.c +23 -13
data/third_party/boringssl/crypto/x509/x_pkey.c +4 -1
data/third_party/boringssl/crypto/x509/x_x509.c +42 -3
data/third_party/boringssl/crypto/x509v3/pcy_int.h +2 -2
data/third_party/boringssl/crypto/x509v3/pcy_tree.c +2 -1
data/third_party/boringssl/crypto/x509v3/v3_cpols.c +1 -1
data/third_party/boringssl/crypto/x509v3/v3_ia5.c +4 -1
data/third_party/boringssl/crypto/x509v3/v3_ncons.c +4 -1
data/third_party/boringssl/crypto/x509v3/v3_pci.c +6 -3
data/third_party/boringssl/crypto/x509v3/v3_purp.c +13 -21
data/third_party/boringssl/crypto/x509v3/v3_utl.c +19 -33
data/third_party/boringssl/include/openssl/aead.h +9 -20
data/third_party/boringssl/include/openssl/aes.h +21 -9
data/third_party/boringssl/include/openssl/asn1.h +9 -1
data/third_party/boringssl/include/openssl/base.h +33 -6
data/third_party/boringssl/include/openssl/bio.h +10 -103
data/third_party/boringssl/include/openssl/bn.h +58 -42
data/third_party/boringssl/include/openssl/bytestring.h +17 -0
data/third_party/boringssl/include/openssl/cipher.h +4 -3
data/third_party/boringssl/include/openssl/conf.h +4 -1
data/third_party/boringssl/include/openssl/curve25519.h +13 -0
data/third_party/boringssl/include/openssl/digest.h +5 -3
data/third_party/boringssl/include/openssl/dsa.h +5 -5
data/third_party/boringssl/include/openssl/ec.h +2 -2
data/third_party/boringssl/include/openssl/ecdh.h +3 -4
data/third_party/boringssl/include/openssl/ecdsa.h +10 -10
data/third_party/boringssl/include/openssl/err.h +5 -5
data/third_party/boringssl/include/openssl/evp.h +11 -7
data/third_party/boringssl/include/openssl/lhash.h +2 -3
data/third_party/boringssl/include/openssl/lhash_macros.h +56 -14
data/third_party/boringssl/include/openssl/nid.h +2949 -2916
data/third_party/boringssl/include/openssl/obj.h +1 -1
data/third_party/boringssl/include/openssl/pkcs8.h +21 -42
data/third_party/boringssl/include/openssl/pool.h +87 -0
data/third_party/boringssl/include/openssl/rand.h +1 -1
data/third_party/boringssl/include/openssl/rsa.h +4 -2
data/third_party/boringssl/include/openssl/sha.h +0 -4
data/third_party/boringssl/include/openssl/ssl.h +327 -662
data/third_party/boringssl/include/openssl/ssl3.h +1 -21
data/third_party/boringssl/include/openssl/stack.h +1 -0
data/third_party/boringssl/include/openssl/stack_macros.h +85 -0
data/third_party/boringssl/include/openssl/tls1.h +23 -52
data/third_party/boringssl/include/openssl/type_check.h +4 -0
data/third_party/boringssl/include/openssl/x509.h +10 -59
data/third_party/boringssl/include/openssl/x509_vfy.h +7 -1
data/third_party/boringssl/include/openssl/x509v3.h +4 -4
data/third_party/boringssl/ssl/bio_ssl.c +175 -0
data/third_party/boringssl/ssl/custom_extensions.c +24 -21
data/third_party/boringssl/ssl/d1_both.c +259 -289
data/third_party/boringssl/ssl/d1_lib.c +8 -20
data/third_party/boringssl/ssl/d1_pkt.c +6 -15
data/third_party/boringssl/ssl/dtls_method.c +22 -8
data/third_party/boringssl/ssl/dtls_record.c +27 -2
data/third_party/boringssl/ssl/handshake_client.c +460 -579
data/third_party/boringssl/ssl/handshake_server.c +662 -644
data/third_party/boringssl/ssl/internal.h +1009 -375
data/third_party/boringssl/ssl/s3_both.c +312 -162
data/third_party/boringssl/ssl/s3_lib.c +12 -128
data/third_party/boringssl/ssl/s3_pkt.c +22 -30
data/third_party/boringssl/ssl/ssl_aead_ctx.c +28 -22
data/third_party/boringssl/ssl/ssl_asn1.c +210 -114
data/third_party/boringssl/ssl/ssl_buffer.c +2 -1
data/third_party/boringssl/ssl/ssl_cert.c +417 -219
data/third_party/boringssl/ssl/ssl_cipher.c +191 -393
data/third_party/boringssl/ssl/ssl_ecdh.c +19 -164
data/third_party/boringssl/ssl/ssl_file.c +0 -11
data/third_party/boringssl/ssl/ssl_lib.c +325 -652
data/third_party/boringssl/ssl/{ssl_rsa.c → ssl_privkey.c} +21 -131
data/third_party/boringssl/ssl/ssl_privkey_cc.cc +76 -0
data/third_party/boringssl/ssl/ssl_session.c +206 -95
data/third_party/boringssl/ssl/ssl_stat.c +18 -84
data/third_party/boringssl/ssl/{s3_enc.c → ssl_transcript.c} +150 -157
data/third_party/boringssl/ssl/ssl_x509.c +815 -0
data/third_party/boringssl/ssl/t1_enc.c +188 -174
data/third_party/boringssl/ssl/t1_lib.c +1064 -764
data/third_party/boringssl/ssl/tls13_both.c +290 -96
data/third_party/boringssl/ssl/tls13_client.c +344 -314
data/third_party/boringssl/ssl/tls13_enc.c +239 -200
data/third_party/boringssl/ssl/tls13_server.c +374 -366
data/third_party/boringssl/ssl/tls_method.c +40 -5
data/third_party/boringssl/ssl/tls_record.c +166 -71
metadata +39 -25
data/src/core/lib/iomgr/workqueue.h +0 -87
data/src/core/lib/iomgr/workqueue_uv.c +0 -65
data/src/core/lib/iomgr/workqueue_uv.h +0 -37
data/src/core/lib/iomgr/workqueue_windows.c +0 -63
data/src/core/lib/iomgr/workqueue_windows.h +0 -37
data/third_party/boringssl/crypto/bio/buffer.c +0 -496
data/third_party/boringssl/crypto/newhope/error_correction.c +0 -131
data/third_party/boringssl/crypto/newhope/internal.h +0 -71
data/third_party/boringssl/crypto/newhope/newhope.c +0 -174
data/third_party/boringssl/crypto/newhope/ntt.c +0 -148
data/third_party/boringssl/crypto/newhope/poly.c +0 -183
data/third_party/boringssl/crypto/newhope/precomp.c +0 -306
data/third_party/boringssl/crypto/obj/obj_xref.h +0 -96
data/third_party/boringssl/crypto/pkcs8/p5_pbe.c +0 -151
data/third_party/boringssl/include/openssl/newhope.h +0 -158
data/third_party/boringssl/include/openssl/time_support.h +0 -91

data/third_party/boringssl/ssl/ssl_ecdh.c CHANGED

@@ -23,7 +23,6 @@
 #include <openssl/ec.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
-#include <openssl/newhope.h>
 #include <openssl/nid.h>
 #include "internal.h"
@@ -220,153 +219,6 @@ static int ssl_x25519_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,
 }
-/* Combined X25119 + New Hope (post-quantum) implementation. */
-typedef struct {
-  uint8_t x25519_key[32];
-  NEWHOPE_POLY *newhope_sk;
-} cecpq1_data;
-#define CECPQ1_OFFERMSG_LENGTH (32 + NEWHOPE_OFFERMSG_LENGTH)
-#define CECPQ1_ACCEPTMSG_LENGTH (32 + NEWHOPE_ACCEPTMSG_LENGTH)
-#define CECPQ1_SECRET_LENGTH (32 + SHA256_DIGEST_LENGTH)
-static void ssl_cecpq1_cleanup(SSL_ECDH_CTX *ctx) {
-  if (ctx->data == NULL) {
-    return;
-  }
-  cecpq1_data *data = ctx->data;
-  NEWHOPE_POLY_free(data->newhope_sk);
-  OPENSSL_cleanse(data, sizeof(cecpq1_data));
-  OPENSSL_free(data);
-}
-static int ssl_cecpq1_offer(SSL_ECDH_CTX *ctx, CBB *out) {
-  assert(ctx->data == NULL);
-  cecpq1_data *data = OPENSSL_malloc(sizeof(cecpq1_data));
-  if (data == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-  ctx->data = data;
-  data->newhope_sk = NEWHOPE_POLY_new();
-  if (data->newhope_sk == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-  uint8_t x25519_public_key[32];
-  X25519_keypair(x25519_public_key, data->x25519_key);
-  uint8_t newhope_offermsg[NEWHOPE_OFFERMSG_LENGTH];
-  NEWHOPE_offer(newhope_offermsg, data->newhope_sk);
-  if (!CBB_add_bytes(out, x25519_public_key, sizeof(x25519_public_key)) ||
-      !CBB_add_bytes(out, newhope_offermsg, sizeof(newhope_offermsg))) {
-    return 0;
-  }
-  return 1;
-}
-static int ssl_cecpq1_accept(SSL_ECDH_CTX *ctx, CBB *cbb, uint8_t **out_secret,
-                             size_t *out_secret_len, uint8_t *out_alert,
-                             const uint8_t *peer_key, size_t peer_key_len) {
-  if (peer_key_len != CECPQ1_OFFERMSG_LENGTH) {
-    *out_alert = SSL_AD_DECODE_ERROR;
-    return 0;
-  }
-  *out_alert = SSL_AD_INTERNAL_ERROR;
-  assert(ctx->data == NULL);
-  cecpq1_data *data = OPENSSL_malloc(sizeof(cecpq1_data));
-  if (data == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-  data->newhope_sk = NULL;
-  ctx->data = data;
-  uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH);
-  if (secret == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-  /* Generate message to server, and secret key, at once. */
-  uint8_t x25519_public_key[32];
-  X25519_keypair(x25519_public_key, data->x25519_key);
-  if (!X25519(secret, data->x25519_key, peer_key)) {
-    *out_alert = SSL_AD_DECODE_ERROR;
-    OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
-    goto err;
-  }
-  uint8_t newhope_acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];
-  if (!NEWHOPE_accept(secret + 32, newhope_acceptmsg, peer_key + 32,
-                      NEWHOPE_OFFERMSG_LENGTH)) {
-    *out_alert = SSL_AD_DECODE_ERROR;
-    goto err;
-  }
-  if (!CBB_add_bytes(cbb, x25519_public_key, sizeof(x25519_public_key)) ||
-      !CBB_add_bytes(cbb, newhope_acceptmsg, sizeof(newhope_acceptmsg))) {
-    goto err;
-  }
-  *out_secret = secret;
-  *out_secret_len = CECPQ1_SECRET_LENGTH;
-  return 1;
- err:
-  OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH);
-  OPENSSL_free(secret);
-  return 0;
-}
-static int ssl_cecpq1_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
-                             size_t *out_secret_len, uint8_t *out_alert,
-                             const uint8_t *peer_key, size_t peer_key_len) {
-  if (peer_key_len != CECPQ1_ACCEPTMSG_LENGTH) {
-    *out_alert = SSL_AD_DECODE_ERROR;
-    return 0;
-  }
-  *out_alert = SSL_AD_INTERNAL_ERROR;
-  assert(ctx->data != NULL);
-  cecpq1_data *data = ctx->data;
-  uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH);
-  if (secret == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-  if (!X25519(secret, data->x25519_key, peer_key)) {
-    *out_alert = SSL_AD_DECODE_ERROR;
-    OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
-    goto err;
-  }
-  if (!NEWHOPE_finish(secret + 32, data->newhope_sk, peer_key + 32,
-                      NEWHOPE_ACCEPTMSG_LENGTH)) {
-    *out_alert = SSL_AD_DECODE_ERROR;
-    goto err;
-  }
-  *out_secret = secret;
-  *out_secret_len = CECPQ1_SECRET_LENGTH;
-  return 1;
- err:
-  OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH);
-  OPENSSL_free(secret);
-  return 0;
-}
 /* Legacy DHE-based implementation. */
 static void ssl_dhe_cleanup(SSL_ECDH_CTX *ctx) {
@@ -446,16 +298,6 @@ static const SSL_ECDH_METHOD kDHEMethod = {
     CBB_add_u16_length_prefixed,
 };
-static const SSL_ECDH_METHOD kCECPQ1Method = {
-    NID_undef, 0, "",
-    ssl_cecpq1_cleanup,
-    ssl_cecpq1_offer,
-    ssl_cecpq1_accept,
-    ssl_cecpq1_finish,
-    CBS_get_u16_length_prefixed,
-    CBB_add_u16_length_prefixed,
-};
 static const SSL_ECDH_METHOD kMethods[] = {
     {
         NID_X9_62_prime256v1,
@@ -521,6 +363,16 @@ static const SSL_ECDH_METHOD *method_from_nid(int nid) {
   return NULL;
 }
+static const SSL_ECDH_METHOD *method_from_name(const char *name, size_t len) {
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMethods); i++) {
+    if (len == strlen(kMethods[i].name) &&
+        !strncmp(kMethods[i].name, name, len)) {
+      return &kMethods[i];
+    }
+  }
+  return NULL;
+}
 const char* SSL_get_curve_name(uint16_t group_id) {
   const SSL_ECDH_METHOD *method = method_from_group_id(group_id);
   if (method == NULL) {
@@ -538,6 +390,15 @@ int ssl_nid_to_group_id(uint16_t *out_group_id, int nid) {
   return 1;
 }
+int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len) {
+  const SSL_ECDH_METHOD *method = method_from_name(name, len);
+  if (method == NULL) {
+    return 0;
+  }
+  *out_group_id = method->group_id;
+  return 1;
+}
 int SSL_ECDH_CTX_init(SSL_ECDH_CTX *ctx, uint16_t group_id) {
   SSL_ECDH_CTX_cleanup(ctx);
@@ -557,12 +418,6 @@ void SSL_ECDH_CTX_init_for_dhe(SSL_ECDH_CTX *ctx, DH *params) {
   ctx->data = params;
 }
-void SSL_ECDH_CTX_init_for_cecpq1(SSL_ECDH_CTX *ctx) {
-  SSL_ECDH_CTX_cleanup(ctx);
-  ctx->method = &kCECPQ1Method;
-}
 void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx) {
   if (ctx->method == NULL) {
     return;

data/third_party/boringssl/ssl/ssl_file.c CHANGED

@@ -573,14 +573,3 @@ void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) {
 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *data) {
   ctx->default_passwd_callback_userdata = data;
 }
-SSL_SESSION *d2i_SSL_SESSION_bio(BIO *bio, SSL_SESSION **out) {
-  return ASN1_d2i_bio_of(SSL_SESSION, SSL_SESSION_new, d2i_SSL_SESSION, bio,
-                         out);
-}
-int i2d_SSL_SESSION_bio(BIO *bio, const SSL_SESSION *session) {
-  return ASN1_i2d_bio_of(SSL_SESSION, i2d_SSL_SESSION, bio, session);
-}
-IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION)

data/third_party/boringssl/ssl/ssl_lib.c CHANGED

@@ -151,7 +151,6 @@
 #include <openssl/lhash.h>
 #include <openssl/mem.h>
 #include <openssl/rand.h>
-#include <openssl/x509v3.h>
 #include "internal.h"
 #include "../crypto/internal.h"
@@ -197,8 +196,8 @@ static uint32_t ssl_session_hash(const SSL_SESSION *sess) {
   uint8_t tmp_storage[sizeof(uint32_t)];
   if (sess->session_id_length < sizeof(tmp_storage)) {
-    memset(tmp_storage, 0, sizeof(tmp_storage));
-    memcpy(tmp_storage, sess->session_id, sess->session_id_length);
+    OPENSSL_memset(tmp_storage, 0, sizeof(tmp_storage));
+    OPENSSL_memcpy(tmp_storage, sess->session_id, sess->session_id_length);
     session_id = tmp_storage;
   }
@@ -225,7 +224,7 @@ static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) {
     return 1;
   }
-  return memcmp(a->session_id, b->session_id, a->session_id_length);
+  return OPENSSL_memcmp(a->session_id, b->session_id, a->session_id_length);
 }
 SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
@@ -246,23 +245,24 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
     goto err;
   }
-  memset(ret, 0, sizeof(SSL_CTX));
+  OPENSSL_memset(ret, 0, sizeof(SSL_CTX));
   ret->method = method->method;
+  ret->x509_method = method->x509_method;
   CRYPTO_MUTEX_init(&ret->lock);
   ret->session_cache_mode = SSL_SESS_CACHE_SERVER;
   ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
-  /* We take the system default */
   ret->session_timeout = SSL_DEFAULT_SESSION_TIMEOUT;
+  ret->session_psk_dhe_timeout = SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT;
   ret->references = 1;
   ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
   ret->verify_mode = SSL_VERIFY_NONE;
-  ret->cert = ssl_cert_new();
+  ret->cert = ssl_cert_new(method->x509_method);
   if (ret->cert == NULL) {
     goto err;
   }
@@ -277,7 +277,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
   }
   ssl_create_cipher_list(ret->method, &ret->cipher_list,
-                         &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST);
+                         SSL_DEFAULT_CIPHER_LIST, 1 /* strict */);
   if (ret->cipher_list == NULL ||
       sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
@@ -305,6 +305,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
     ret->options |= SSL_OP_NO_TICKET;
   }
+  /* Disable the auto-chaining feature by default. Once this has stuck without
+   * problems, the feature will be removed entirely. */
+  ret->mode = SSL_MODE_NO_AUTO_CHAIN;
   /* Lock the SSL_CTX to the specified version, for compatibility with legacy
    * uses of SSL_METHOD. */
   if (!SSL_CTX_set_max_proto_version(ret, method->version) ||
@@ -349,9 +353,6 @@ void SSL_CTX_free(SSL_CTX *ctx) {
   lh_SSL_SESSION_free(ctx->sessions);
   X509_STORE_free(ctx->cert_store);
   ssl_cipher_preference_list_free(ctx->cipher_list);
-  sk_SSL_CIPHER_free(ctx->cipher_list_by_id);
-  ssl_cipher_preference_list_free(ctx->cipher_list_tls10);
-  ssl_cipher_preference_list_free(ctx->cipher_list_tls11);
   ssl_cert_free(ctx->cert);
   sk_SSL_CUSTOM_EXTENSION_pop_free(ctx->client_custom_extensions,
                                    SSL_CUSTOM_EXTENSION_free);
@@ -362,8 +363,6 @@ void SSL_CTX_free(SSL_CTX *ctx) {
   OPENSSL_free(ctx->psk_identity_hint);
   OPENSSL_free(ctx->supported_group_list);
   OPENSSL_free(ctx->alpn_client_proto_list);
-  OPENSSL_free(ctx->ocsp_response);
-  OPENSSL_free(ctx->signed_cert_timestamp_list);
   EVP_PKEY_free(ctx->tlsext_channel_id_private);
   OPENSSL_free(ctx);
@@ -383,13 +382,11 @@ SSL *SSL_new(SSL_CTX *ctx) {
   if (ssl == NULL) {
     goto err;
   }
-  memset(ssl, 0, sizeof(SSL));
+  OPENSSL_memset(ssl, 0, sizeof(SSL));
   ssl->min_version = ctx->min_version;
   ssl->max_version = ctx->max_version;
-  ssl->state = SSL_ST_INIT;
   /* RFC 6347 states that implementations SHOULD use an initial timer value of
    * 1 second. */
   ssl->initial_timeout_duration_ms = 1000;
@@ -406,10 +403,9 @@ SSL *SSL_new(SSL_CTX *ctx) {
   ssl->msg_callback = ctx->msg_callback;
   ssl->msg_callback_arg = ctx->msg_callback_arg;
   ssl->verify_mode = ctx->verify_mode;
-  ssl->sid_ctx_length = ctx->sid_ctx_length;
-  assert(ssl->sid_ctx_length <= sizeof ssl->sid_ctx);
-  memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));
   ssl->verify_callback = ctx->default_verify_callback;
+  ssl->retain_only_sha256_of_client_certs =
+      ctx->retain_only_sha256_of_client_certs;
   ssl->param = X509_VERIFY_PARAM_new();
   if (!ssl->param) {
@@ -419,28 +415,27 @@ SSL *SSL_new(SSL_CTX *ctx) {
   ssl->quiet_shutdown = ctx->quiet_shutdown;
   ssl->max_send_fragment = ctx->max_send_fragment;
-  CRYPTO_refcount_inc(&ctx->references);
+  SSL_CTX_up_ref(ctx);
   ssl->ctx = ctx;
-  CRYPTO_refcount_inc(&ctx->references);
+  SSL_CTX_up_ref(ctx);
   ssl->initial_ctx = ctx;
   if (ctx->supported_group_list) {
-    ssl->supported_group_list =
-        BUF_memdup(ctx->supported_group_list,
-                   ctx->supported_group_list_len * 2);
+    ssl->supported_group_list = BUF_memdup(ctx->supported_group_list,
+                                           ctx->supported_group_list_len * 2);
     if (!ssl->supported_group_list) {
       goto err;
     }
     ssl->supported_group_list_len = ctx->supported_group_list_len;
   }
-  if (ssl->ctx->alpn_client_proto_list) {
-    ssl->alpn_client_proto_list = BUF_memdup(
-        ssl->ctx->alpn_client_proto_list, ssl->ctx->alpn_client_proto_list_len);
+  if (ctx->alpn_client_proto_list) {
+    ssl->alpn_client_proto_list = BUF_memdup(ctx->alpn_client_proto_list,
+                                             ctx->alpn_client_proto_list_len);
     if (ssl->alpn_client_proto_list == NULL) {
       goto err;
     }
-    ssl->alpn_client_proto_list_len = ssl->ctx->alpn_client_proto_list_len;
+    ssl->alpn_client_proto_list_len = ctx->alpn_client_proto_list_len;
   }
   ssl->method = ctx->method;
@@ -469,9 +464,8 @@ SSL *SSL_new(SSL_CTX *ctx) {
     ssl->tlsext_channel_id_private = ctx->tlsext_channel_id_private;
   }
-  ssl->signed_cert_timestamps_enabled =
-      ssl->ctx->signed_cert_timestamps_enabled;
-  ssl->ocsp_stapling_enabled = ssl->ctx->ocsp_stapling_enabled;
+  ssl->signed_cert_timestamps_enabled = ctx->signed_cert_timestamps_enabled;
+  ssl->ocsp_stapling_enabled = ctx->ocsp_stapling_enabled;
   return ssl;
@@ -491,9 +485,6 @@ void SSL_free(SSL *ssl) {
   CRYPTO_free_ex_data(&g_ex_data_class_ssl, ssl, &ssl->ex_data);
-  ssl_free_wbio_buffer(ssl);
-  assert(ssl->bbio == NULL);
   BIO_free_all(ssl->rbio);
   BIO_free_all(ssl->wbio);
@@ -501,7 +492,6 @@ void SSL_free(SSL *ssl) {
   /* add extra stuff */
   ssl_cipher_preference_list_free(ssl->cipher_list);
-  sk_SSL_CIPHER_free(ssl->cipher_list_by_id);
   SSL_SESSION_free(ssl->session);
@@ -540,18 +530,8 @@ void SSL_set0_rbio(SSL *ssl, BIO *rbio) {
 }
 void SSL_set0_wbio(SSL *ssl, BIO *wbio) {
-  /* If the output buffering BIO is still in place, remove it. */
-  if (ssl->bbio != NULL) {
-    ssl->wbio = BIO_pop(ssl->wbio);
-  }
   BIO_free_all(ssl->wbio);
   ssl->wbio = wbio;
-  /* Re-attach |bbio| to the new |wbio|. */
-  if (ssl->bbio != NULL) {
-    ssl->wbio = BIO_push(ssl->bbio, ssl->wbio);
-  }
 }
 void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
@@ -590,20 +570,18 @@ void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
 BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio; }
-BIO *SSL_get_wbio(const SSL *ssl) {
-  if (ssl->bbio != NULL) {
-    /* If |bbio| is active, the true caller-configured BIO is its |next_bio|. */
-    assert(ssl->bbio == ssl->wbio);
-    return ssl->bbio->next_bio;
-  }
-  return ssl->wbio;
-}
+BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio; }
-int SSL_do_handshake(SSL *ssl) {
+void ssl_reset_error_state(SSL *ssl) {
+  /* Functions which use |SSL_get_error| must reset I/O and error state on
+   * entry. */
   ssl->rwstate = SSL_NOTHING;
-  /* Functions which use SSL_get_error must clear the error queue on entry. */
   ERR_clear_error();
   ERR_clear_system_error();
+}
+int SSL_do_handshake(SSL *ssl) {
+  ssl_reset_error_state(ssl);
   if (ssl->handshake_func == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_TYPE_NOT_SET);
@@ -614,7 +592,25 @@ int SSL_do_handshake(SSL *ssl) {
     return 1;
   }
-  return ssl->handshake_func(ssl);
+  if (ssl->s3->hs == NULL) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    return -1;
+  }
+  /* Run the handshake. */
+  assert(ssl->s3->hs != NULL);
+  int ret = ssl->handshake_func(ssl->s3->hs);
+  if (ret <= 0) {
+    return ret;
+  }
+  /* Destroy the handshake object if the handshake has completely finished. */
+  if (!SSL_in_init(ssl)) {
+    ssl_handshake_free(ssl->s3->hs);
+    ssl->s3->hs = NULL;
+  }
+  return 1;
 }
 int SSL_connect(SSL *ssl) {
@@ -636,8 +632,10 @@ int SSL_accept(SSL *ssl) {
 }
 static int ssl_do_renegotiate(SSL *ssl) {
-  /* We do not accept renegotiations as a server. */
-  if (ssl->server) {
+  /* We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be
+   * removed entirely in the future and requires retaining more data for
+   * renegotiation_info. */
+  if (ssl->server || ssl->version == SSL3_VERSION) {
     goto no_renegotiation;
   }
@@ -675,8 +673,16 @@ static int ssl_do_renegotiate(SSL *ssl) {
   }
   /* Begin a new handshake. */
+  if (ssl->s3->hs != NULL) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    return 0;
+  }
+  ssl->s3->hs = ssl_handshake_new(ssl);
+  if (ssl->s3->hs == NULL) {
+    return 0;
+  }
   ssl->s3->total_renegotiations++;
-  ssl->state = SSL_ST_INIT;
   return 1;
 no_renegotiation:
@@ -694,10 +700,7 @@ static int ssl_do_post_handshake(SSL *ssl) {
 }
 static int ssl_read_impl(SSL *ssl, void *buf, int num, int peek) {
-  ssl->rwstate = SSL_NOTHING;
-  /* Functions which use SSL_get_error must clear the error queue on entry. */
-  ERR_clear_error();
-  ERR_clear_system_error();
+  ssl_reset_error_state(ssl);
   if (ssl->handshake_func == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
@@ -743,10 +746,7 @@ int SSL_peek(SSL *ssl, void *buf, int num) {
 }
 int SSL_write(SSL *ssl, const void *buf, int num) {
-  ssl->rwstate = SSL_NOTHING;
-  /* Functions which use SSL_get_error must clear the error queue on entry. */
-  ERR_clear_error();
-  ERR_clear_system_error();
+  ssl_reset_error_state(ssl);
   if (ssl->handshake_func == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
@@ -774,20 +774,18 @@ int SSL_write(SSL *ssl, const void *buf, int num) {
 }
 int SSL_shutdown(SSL *ssl) {
-  ssl->rwstate = SSL_NOTHING;
-  /* Functions which use SSL_get_error must clear the error queue on entry. */
-  ERR_clear_error();
-  ERR_clear_system_error();
+  ssl_reset_error_state(ssl);
   if (ssl->handshake_func == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
     return -1;
   }
-  /* We can't shutdown properly if we are in the middle of a handshake. */
+  /* If we are in the middle of a handshake, silently succeed. Consumers often
+   * call this function before |SSL_free|, whether the handshake succeeded or
+   * not. We assume the caller has already handled failed handshakes. */
   if (SSL_in_init(ssl)) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_SHUTDOWN_WHILE_IN_INIT);
-    return -1;
+    return 1;
   }
   if (ssl->quiet_shutdown) {
@@ -837,18 +835,29 @@ int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) {
   return ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
 }
-int SSL_get_error(const SSL *ssl, int ret_code) {
-  int reason;
-  uint32_t err;
-  BIO *bio;
+void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled) {
+  ctx->enable_early_data = !!enabled;
+}
+static int bio_retry_reason_to_error(int reason) {
+  switch (reason) {
+    case BIO_RR_CONNECT:
+      return SSL_ERROR_WANT_CONNECT;
+    case BIO_RR_ACCEPT:
+      return SSL_ERROR_WANT_ACCEPT;
+    default:
+      return SSL_ERROR_SYSCALL;
+  }
+}
+int SSL_get_error(const SSL *ssl, int ret_code) {
   if (ret_code > 0) {
     return SSL_ERROR_NONE;
   }
   /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
    * where we do encode the error */
-  err = ERR_peek_error();
+  uint32_t err = ERR_peek_error();
   if (err != 0) {
     if (ERR_GET_LIB(err) == ERR_LIB_SYS) {
       return SSL_ERROR_SYSCALL;
@@ -866,79 +875,59 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
     return SSL_ERROR_SYSCALL;
   }
-  if (SSL_want_session(ssl)) {
-    return SSL_ERROR_PENDING_SESSION;
-  }
-  if (SSL_want_certificate(ssl)) {
-    return SSL_ERROR_PENDING_CERTIFICATE;
-  }
+  switch (ssl->rwstate) {
+    case SSL_PENDING_SESSION:
+      return SSL_ERROR_PENDING_SESSION;
-  if (SSL_want_read(ssl)) {
-    bio = SSL_get_rbio(ssl);
-    if (BIO_should_read(bio)) {
-      return SSL_ERROR_WANT_READ;
-    }
-    if (BIO_should_write(bio)) {
-      /* This one doesn't make too much sense ... We never try to write to the
-       * rbio, and an application program where rbio and wbio are separate
-       * couldn't even know what it should wait for. However if we ever set
-       * ssl->rwstate incorrectly (so that we have SSL_want_read(ssl) instead of
-       * SSL_want_write(ssl)) and rbio and wbio *are* the same, this test works
-       * around that bug; so it might be safer to keep it. */
-      return SSL_ERROR_WANT_WRITE;
-    }
+    case SSL_CERTIFICATE_SELECTION_PENDING:
+      return SSL_ERROR_PENDING_CERTIFICATE;
-    if (BIO_should_io_special(bio)) {
-      reason = BIO_get_retry_reason(bio);
-      if (reason == BIO_RR_CONNECT) {
-        return SSL_ERROR_WANT_CONNECT;
+    case SSL_READING: {
+      BIO *bio = SSL_get_rbio(ssl);
+      if (BIO_should_read(bio)) {
+        return SSL_ERROR_WANT_READ;
       }
-      if (reason == BIO_RR_ACCEPT) {
-        return SSL_ERROR_WANT_ACCEPT;
+      if (BIO_should_write(bio)) {
+        /* TODO(davidben): OpenSSL historically checked for writes on the read
+         * BIO. Can this be removed? */
+        return SSL_ERROR_WANT_WRITE;
       }
-      return SSL_ERROR_SYSCALL; /* unknown */
-    }
-  }
+      if (BIO_should_io_special(bio)) {
+        return bio_retry_reason_to_error(BIO_get_retry_reason(bio));
+      }
-  if (SSL_want_write(ssl)) {
-    bio = SSL_get_wbio(ssl);
-    if (BIO_should_write(bio)) {
-      return SSL_ERROR_WANT_WRITE;
+      break;
     }
-    if (BIO_should_read(bio)) {
-      /* See above (SSL_want_read(ssl) with BIO_should_write(bio)) */
-      return SSL_ERROR_WANT_READ;
-    }
+    case SSL_WRITING: {
+      BIO *bio = SSL_get_wbio(ssl);
+      if (BIO_should_write(bio)) {
+        return SSL_ERROR_WANT_WRITE;
+      }
-    if (BIO_should_io_special(bio)) {
-      reason = BIO_get_retry_reason(bio);
-      if (reason == BIO_RR_CONNECT) {
-        return SSL_ERROR_WANT_CONNECT;
+      if (BIO_should_read(bio)) {
+        /* TODO(davidben): OpenSSL historically checked for reads on the write
+         * BIO. Can this be removed? */
+        return SSL_ERROR_WANT_READ;
       }
-      if (reason == BIO_RR_ACCEPT) {
-        return SSL_ERROR_WANT_ACCEPT;
+      if (BIO_should_io_special(bio)) {
+        return bio_retry_reason_to_error(BIO_get_retry_reason(bio));
       }
-      return SSL_ERROR_SYSCALL;
+      break;
     }
-  }
-  if (SSL_want_x509_lookup(ssl)) {
-    return SSL_ERROR_WANT_X509_LOOKUP;
-  }
+    case SSL_X509_LOOKUP:
+      return SSL_ERROR_WANT_X509_LOOKUP;
-  if (SSL_want_channel_id_lookup(ssl)) {
-    return SSL_ERROR_WANT_CHANNEL_ID_LOOKUP;
-  }
+    case SSL_CHANNEL_ID_LOOKUP:
+      return SSL_ERROR_WANT_CHANNEL_ID_LOOKUP;
-  if (SSL_want_private_key_operation(ssl)) {
-    return SSL_ERROR_WANT_PRIVATE_KEY_OPERATION;
+    case SSL_PRIVATE_KEY_OPERATION:
+      return SSL_ERROR_WANT_PRIVATE_KEY_OPERATION;
   }
   return SSL_ERROR_SYSCALL;
@@ -1040,31 +1029,19 @@ uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) {
 uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; }
-X509 *SSL_get_peer_certificate(const SSL *ssl) {
-  if (ssl == NULL) {
-    return NULL;
-  }
-  SSL_SESSION *session = SSL_get_session(ssl);
-  if (session == NULL || session->peer == NULL) {
-    return NULL;
-  }
-  X509_up_ref(session->peer);
-  return session->peer;
-}
-STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
-  if (ssl == NULL) {
-    return NULL;
-  }
-  SSL_SESSION *session = SSL_get_session(ssl);
-  if (session == NULL) {
-    return NULL;
-  }
-  return session->cert_chain;
+void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx, CRYPTO_BUFFER_POOL *pool) {
+  ctx->pool = pool;
 }
 int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
                        size_t max_out) {
+  /* tls-unique is not defined for SSL 3.0 or TLS 1.3. */
+  if (!ssl->s3->initial_handshake_complete ||
+      ssl3_protocol_version(ssl) < TLS1_VERSION ||
+      ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+    goto err;
+  }
   /* The tls-unique value is the first Finished message in the handshake, which
    * is the client's in a full handshake and the server's for a resumption. See
    * https://tools.ietf.org/html/rfc5929#section-3.1. */
@@ -1079,71 +1056,46 @@ int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
     finished_len = ssl->s3->previous_server_finished_len;
   }
-  if (!ssl->s3->initial_handshake_complete ||
-      ssl->version < TLS1_VERSION) {
-    goto err;
-  }
   *out_len = finished_len;
   if (finished_len > max_out) {
     *out_len = max_out;
   }
-  memcpy(out, finished, *out_len);
+  OPENSSL_memcpy(out, finished, *out_len);
   return 1;
 err:
   *out_len = 0;
-  memset(out, 0, max_out);
+  OPENSSL_memset(out, 0, max_out);
   return 0;
 }
-int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const uint8_t *sid_ctx,
-                                   unsigned sid_ctx_len) {
-  if (sid_ctx_len > sizeof(ctx->sid_ctx)) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
-    return 0;
-  }
-  ctx->sid_ctx_length = sid_ctx_len;
-  memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len);
-  return 1;
-}
-int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx,
-                               unsigned sid_ctx_len) {
-  if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
+static int set_session_id_context(CERT *cert, const uint8_t *sid_ctx,
+                                   size_t sid_ctx_len) {
+  if (sid_ctx_len > sizeof(cert->sid_ctx)) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
     return 0;
   }
-  ssl->sid_ctx_length = sid_ctx_len;
-  memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len);
+  OPENSSL_COMPILE_ASSERT(sizeof(cert->sid_ctx) < 256, sid_ctx_too_large);
+  cert->sid_ctx_length = (uint8_t)sid_ctx_len;
+  OPENSSL_memcpy(cert->sid_ctx, sid_ctx, sid_ctx_len);
   return 1;
 }
-int SSL_CTX_set_purpose(SSL_CTX *ctx, int purpose) {
-  return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
-}
-int SSL_set_purpose(SSL *ssl, int purpose) {
-  return X509_VERIFY_PARAM_set_purpose(ssl->param, purpose);
-}
-int SSL_CTX_set_trust(SSL_CTX *ctx, int trust) {
-  return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
-}
-int SSL_set_trust(SSL *ssl, int trust) {
-  return X509_VERIFY_PARAM_set_trust(ssl->param, trust);
+int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const uint8_t *sid_ctx,
+                                   size_t sid_ctx_len) {
+  return set_session_id_context(ctx->cert, sid_ctx, sid_ctx_len);
 }
-int SSL_CTX_set1_param(SSL_CTX *ctx, const X509_VERIFY_PARAM *param) {
-  return X509_VERIFY_PARAM_set1(ctx->param, param);
+int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx,
+                               size_t sid_ctx_len) {
+  return set_session_id_context(ssl->cert, sid_ctx, sid_ctx_len);
 }
-int SSL_set1_param(SSL *ssl, const X509_VERIFY_PARAM *param) {
-  return X509_VERIFY_PARAM_set1(ssl->param, param);
+const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) {
+  *out_len = ssl->cert->sid_ctx_length;
+  return ssl->cert->sid_ctx;
 }
 void ssl_cipher_preference_list_free(
@@ -1156,10 +1108,6 @@ void ssl_cipher_preference_list_free(
   OPENSSL_free(cipher_list);
 }
-X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) { return ctx->param; }
-X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) { return ssl->param; }
 void SSL_certs_clear(SSL *ssl) { ssl_cert_clear_certs(ssl->cert); }
 int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); }
@@ -1232,73 +1180,70 @@ int SSL_set_rfd(SSL *ssl, int fd) {
   return 1;
 }
+static size_t copy_finished(void *out, size_t out_len, const uint8_t *in,
+                            size_t in_len) {
+  if (out_len > in_len) {
+    out_len = in_len;
+  }
+  OPENSSL_memcpy(out, in, out_len);
+  return in_len;
+}
 size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
-  size_t ret = 0;
+  if (!ssl->s3->initial_handshake_complete ||
+      ssl3_protocol_version(ssl) < TLS1_VERSION ||
+      ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+    return 0;
+  }
-  if (ssl->s3 != NULL) {
-    ret = ssl->s3->tmp.finish_md_len;
-    if (count > ret) {
-      count = ret;
-    }
-    memcpy(buf, ssl->s3->tmp.finish_md, count);
+  if (ssl->server) {
+    return copy_finished(buf, count, ssl->s3->previous_server_finished,
+                         ssl->s3->previous_server_finished_len);
   }
-  return ret;
+  return copy_finished(buf, count, ssl->s3->previous_client_finished,
+                       ssl->s3->previous_client_finished_len);
 }
 size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
-  size_t ret = 0;
+  if (!ssl->s3->initial_handshake_complete ||
+      ssl3_protocol_version(ssl) < TLS1_VERSION ||
+      ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+    return 0;
+  }
-  if (ssl->s3 != NULL) {
-    ret = ssl->s3->tmp.peer_finish_md_len;
-    if (count > ret) {
-      count = ret;
-    }
-    memcpy(buf, ssl->s3->tmp.peer_finish_md, count);
+  if (ssl->server) {
+    return copy_finished(buf, count, ssl->s3->previous_client_finished,
+                         ssl->s3->previous_client_finished_len);
   }
-  return ret;
+  return copy_finished(buf, count, ssl->s3->previous_server_finished,
+                       ssl->s3->previous_server_finished_len);
 }
 int SSL_get_verify_mode(const SSL *ssl) { return ssl->verify_mode; }
-int SSL_get_verify_depth(const SSL *ssl) {
-  return X509_VERIFY_PARAM_get_depth(ssl->param);
-}
 int SSL_get_extms_support(const SSL *ssl) {
+  /* TLS 1.3 does not require extended master secret and always reports as
+   * supporting it. */
   if (!ssl->s3->have_version) {
     return 0;
   }
-  return ssl3_protocol_version(ssl) >= TLS1_3_VERSION ||
-         ssl->s3->tmp.extended_master_secret == 1;
-}
-int (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *) {
-  return ssl->verify_callback;
-}
-int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) { return ctx->verify_mode; }
-int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) {
-  return X509_VERIFY_PARAM_get_depth(ctx->param);
-}
-int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(
-    int ok, X509_STORE_CTX *store_ctx) {
-  return ctx->default_verify_callback;
-}
+  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+    return 1;
+  }
-void SSL_set_verify(SSL *ssl, int mode,
-                    int (*callback)(int ok, X509_STORE_CTX *store_ctx)) {
-  ssl->verify_mode = mode;
-  if (callback != NULL) {
-    ssl->verify_callback = callback;
+  /* If the initial handshake completed, query the established session. */
+  if (ssl->s3->established_session != NULL) {
+    return ssl->s3->established_session->extended_master_secret;
   }
-}
-void SSL_set_verify_depth(SSL *ssl, int depth) {
-  X509_VERIFY_PARAM_set_depth(ssl->param, depth);
+  /* Otherwise, query the in-progress handshake. */
+  if (ssl->s3->hs != NULL) {
+    return ssl->s3->hs->extended_master_secret;
+  }
+  assert(0);
+  return 0;
 }
 int SSL_CTX_get_read_ahead(const SSL_CTX *ctx) { return 0; }
@@ -1318,32 +1263,12 @@ int SSL_pending(const SSL *ssl) {
 /* Fix this so it checks all the valid key/cert options */
 int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
-  if (ctx->cert->x509 == NULL) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
-    return 0;
-  }
-  if (ctx->cert->privatekey == NULL) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
-    return 0;
-  }
-  return X509_check_private_key(ctx->cert->x509, ctx->cert->privatekey);
+  return ssl_cert_check_private_key(ctx->cert, ctx->cert->privatekey);
 }
 /* Fix this function so that it takes an optional type parameter */
 int SSL_check_private_key(const SSL *ssl) {
-  if (ssl->cert->x509 == NULL) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
-    return 0;
-  }
-  if (ssl->cert->privatekey == NULL) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
-    return 0;
-  }
-  return X509_check_private_key(ssl->cert->x509, ssl->cert->privatekey);
+  return ssl_cert_check_private_key(ssl->cert, ssl->cert->privatekey);
 }
 long SSL_get_default_timeout(const SSL *ssl) {
@@ -1419,7 +1344,11 @@ int SSL_set_mtu(SSL *ssl, unsigned mtu) {
 }
 int SSL_get_secure_renegotiation_support(const SSL *ssl) {
-  return ssl->s3->send_connection_binding;
+  if (!ssl->s3->have_version) {
+    return 0;
+  }
+  return ssl3_protocol_version(ssl) >= TLS1_3_VERSION ||
+         ssl->s3->send_connection_binding;
 }
 LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) { return ctx->sessions; }
@@ -1458,9 +1387,9 @@ int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, size_t len) {
     return 0;
   }
   uint8_t *out_bytes = out;
-  memcpy(out_bytes, ctx->tlsext_tick_key_name, 16);
-  memcpy(out_bytes + 16, ctx->tlsext_tick_hmac_key, 16);
-  memcpy(out_bytes + 32, ctx->tlsext_tick_aes_key, 16);
+  OPENSSL_memcpy(out_bytes, ctx->tlsext_tick_key_name, 16);
+  OPENSSL_memcpy(out_bytes + 16, ctx->tlsext_tick_hmac_key, 16);
+  OPENSSL_memcpy(out_bytes + 32, ctx->tlsext_tick_aes_key, 16);
   return 1;
 }
@@ -1473,9 +1402,9 @@ int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, size_t len) {
     return 0;
   }
   const uint8_t *in_bytes = in;
-  memcpy(ctx->tlsext_tick_key_name, in_bytes, 16);
-  memcpy(ctx->tlsext_tick_hmac_key, in_bytes + 16, 16);
-  memcpy(ctx->tlsext_tick_aes_key, in_bytes + 32, 16);
+  OPENSSL_memcpy(ctx->tlsext_tick_key_name, in_bytes, 16);
+  OPENSSL_memcpy(ctx->tlsext_tick_hmac_key, in_bytes + 16, 16);
+  OPENSSL_memcpy(ctx->tlsext_tick_aes_key, in_bytes + 32, 16);
   return 1;
 }
@@ -1499,17 +1428,25 @@ int SSL_set1_curves(SSL *ssl, const int *curves, size_t curves_len) {
                          curves_len);
 }
+int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves) {
+  return tls1_set_curves_list(&ctx->supported_group_list,
+                              &ctx->supported_group_list_len, curves);
+}
+int SSL_set1_curves_list(SSL *ssl, const char *curves) {
+  return tls1_set_curves_list(&ssl->supported_group_list,
+                              &ssl->supported_group_list_len, curves);
+}
 uint16_t SSL_get_curve_id(const SSL *ssl) {
   /* TODO(davidben): This checks the wrong session if there is a renegotiation in
    * progress. */
   SSL_SESSION *session = SSL_get_session(ssl);
-  if (session == NULL ||
-      session->cipher == NULL ||
-      !SSL_CIPHER_is_ECDHE(session->cipher)) {
+  if (session == NULL) {
     return 0;
   }
-  return (uint16_t)session->key_exchange_info;
+  return session->group_id;
 }
 int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) {
@@ -1537,41 +1474,13 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl) {
     return NULL;
   }
-  if (ssl->cipher_list != NULL) {
-    return ssl->cipher_list->ciphers;
-  }
-  if (ssl->version >= TLS1_1_VERSION && ssl->ctx->cipher_list_tls11 != NULL) {
-    return ssl->ctx->cipher_list_tls11->ciphers;
-  }
-  if (ssl->version >= TLS1_VERSION && ssl->ctx->cipher_list_tls10 != NULL) {
-    return ssl->ctx->cipher_list_tls10->ciphers;
-  }
-  if (ssl->ctx->cipher_list != NULL) {
-    return ssl->ctx->cipher_list->ciphers;
-  }
-  return NULL;
-}
-/* return a STACK of the ciphers available for the SSL and in order of
- * algorithm id */
-STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *ssl) {
-  if (ssl == NULL) {
+  const struct ssl_cipher_preference_list_st *prefs =
+      ssl_get_cipher_preferences(ssl);
+  if (prefs == NULL) {
     return NULL;
   }
-  if (ssl->cipher_list_by_id != NULL) {
-    return ssl->cipher_list_by_id;
-  }
-  if (ssl->ctx->cipher_list_by_id != NULL) {
-    return ssl->ctx->cipher_list_by_id;
-  }
-  return NULL;
+  return prefs->ciphers;
 }
 const char *SSL_get_cipher_list(const SSL *ssl, int n) {
@@ -1596,8 +1505,9 @@ const char *SSL_get_cipher_list(const SSL *ssl, int n) {
 }
 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
-  STACK_OF(SSL_CIPHER) *cipher_list = ssl_create_cipher_list(
-      ctx->method, &ctx->cipher_list, &ctx->cipher_list_by_id, str);
+  STACK_OF(SSL_CIPHER) *cipher_list =
+      ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str,
+                             0 /* not strict */);
   if (cipher_list == NULL) {
     return 0;
   }
@@ -1611,9 +1521,10 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
   return 1;
 }
-int SSL_CTX_set_cipher_list_tls10(SSL_CTX *ctx, const char *str) {
-  STACK_OF(SSL_CIPHER) *cipher_list = ssl_create_cipher_list(
-      ctx->method, &ctx->cipher_list_tls10, NULL, str);
+int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) {
+  STACK_OF(SSL_CIPHER) *cipher_list =
+      ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str,
+                             1 /* strict */);
   if (cipher_list == NULL) {
     return 0;
   }
@@ -1627,9 +1538,10 @@ int SSL_CTX_set_cipher_list_tls10(SSL_CTX *ctx, const char *str) {
   return 1;
 }
-int SSL_CTX_set_cipher_list_tls11(SSL_CTX *ctx, const char *str) {
-  STACK_OF(SSL_CIPHER) *cipher_list = ssl_create_cipher_list(
-      ctx->method, &ctx->cipher_list_tls11, NULL, str);
+int SSL_set_cipher_list(SSL *ssl, const char *str) {
+  STACK_OF(SSL_CIPHER) *cipher_list =
+      ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str,
+                             0 /* not strict */);
   if (cipher_list == NULL) {
     return 0;
   }
@@ -1643,9 +1555,10 @@ int SSL_CTX_set_cipher_list_tls11(SSL_CTX *ctx, const char *str) {
   return 1;
 }
-int SSL_set_cipher_list(SSL *ssl, const char *str) {
-  STACK_OF(SSL_CIPHER) *cipher_list = ssl_create_cipher_list(
-      ssl->ctx->method, &ssl->cipher_list, &ssl->cipher_list_by_id, str);
+int SSL_set_strict_cipher_list(SSL *ssl, const char *str) {
+  STACK_OF(SSL_CIPHER) *cipher_list =
+      ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str,
+                             1 /* strict */);
   if (cipher_list == NULL) {
     return 0;
   }
@@ -1659,39 +1572,6 @@ int SSL_set_cipher_list(SSL *ssl, const char *str) {
   return 1;
 }
-STACK_OF(SSL_CIPHER) *
-    ssl_parse_client_cipher_list(const struct ssl_early_callback_ctx *ctx) {
-  CBS cipher_suites;
-  CBS_init(&cipher_suites, ctx->cipher_suites, ctx->cipher_suites_len);
-  STACK_OF(SSL_CIPHER) *sk = sk_SSL_CIPHER_new_null();
-  if (sk == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-    goto err;
-  }
-  while (CBS_len(&cipher_suites) > 0) {
-    uint16_t cipher_suite;
-    if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
-      OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
-      goto err;
-    }
-    const SSL_CIPHER *c = SSL_get_cipher_by_value(cipher_suite);
-    if (c != NULL && !sk_SSL_CIPHER_push(sk, c)) {
-      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-      goto err;
-    }
-  }
-  return sk;
-err:
-  sk_SSL_CIPHER_free(sk);
-  return NULL;
-}
 const char *SSL_get_servername(const SSL *ssl, const int type) {
   if (type != TLSEXT_NAMETYPE_host_name) {
     return NULL;
@@ -1703,6 +1583,15 @@ const char *SSL_get_servername(const SSL *ssl, const int type) {
     return ssl->tlsext_hostname;
   }
+  /* During the handshake, report the handshake value. */
+  if (ssl->s3->hs != NULL) {
+    return ssl->s3->hs->hostname;
+  }
+  /* SSL_get_servername may also be called after the handshake to look up the
+   * SNI value.
+   *
+   * TODO(davidben): This is almost unused. Can we remove it? */
   SSL_SESSION *session = SSL_get_session(ssl);
   if (session == NULL) {
     return NULL;
@@ -1722,18 +1611,16 @@ void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx) {
   ctx->signed_cert_timestamps_enabled = 1;
 }
-int SSL_enable_signed_cert_timestamps(SSL *ssl) {
+void SSL_enable_signed_cert_timestamps(SSL *ssl) {
   ssl->signed_cert_timestamps_enabled = 1;
-  return 1;
 }
 void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx) {
   ctx->ocsp_stapling_enabled = 1;
 }
-int SSL_enable_ocsp_stapling(SSL *ssl) {
+void SSL_enable_ocsp_stapling(SSL *ssl) {
   ssl->ocsp_stapling_enabled = 1;
-  return 1;
 }
 void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out,
@@ -1763,34 +1650,6 @@ void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,
   *out_len = session->ocsp_response_length;
 }
-int SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx, const uint8_t *list,
-                                           size_t list_len) {
-  OPENSSL_free(ctx->signed_cert_timestamp_list);
-  ctx->signed_cert_timestamp_list_length = 0;
-  ctx->signed_cert_timestamp_list = BUF_memdup(list, list_len);
-  if (ctx->signed_cert_timestamp_list == NULL) {
-    return 0;
-  }
-  ctx->signed_cert_timestamp_list_length = list_len;
-  return 1;
-}
-int SSL_CTX_set_ocsp_response(SSL_CTX *ctx, const uint8_t *response,
-                              size_t response_len) {
-  OPENSSL_free(ctx->ocsp_response);
-  ctx->ocsp_response_length = 0;
-  ctx->ocsp_response = BUF_memdup(response, response_len);
-  if (ctx->ocsp_response == NULL) {
-    return 0;
-  }
-  ctx->ocsp_response_length = response_len;
-  return 1;
-}
 int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
   OPENSSL_free(ssl->tlsext_hostname);
   ssl->tlsext_hostname = NULL;
@@ -1834,7 +1693,7 @@ int SSL_select_next_proto(uint8_t **out, uint8_t *out_len,
   for (i = 0; i < server_len;) {
     for (j = 0; j < client_len;) {
       if (server[i] == client[j] &&
-          memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
+          OPENSSL_memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
         /* We found a match */
         result = &server[i];
         status = OPENSSL_NPN_NEGOTIATED;
@@ -1929,13 +1788,21 @@ void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data,
 }
+void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx, int enabled) {
+  ctx->tlsext_channel_id_enabled = !!enabled;
+}
 int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) {
-  ctx->tlsext_channel_id_enabled = 1;
+  SSL_CTX_set_tls_channel_id_enabled(ctx, 1);
   return 1;
 }
+void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled) {
+  ssl->tlsext_channel_id_enabled = !!enabled;
+}
 int SSL_enable_tls_channel_id(SSL *ssl) {
-  ssl->tlsext_channel_id_enabled = 1;
+  SSL_set_tls_channel_id_enabled(ssl, 1);
   return 1;
 }
@@ -1978,95 +1845,22 @@ size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) {
   if (!ssl->s3->tlsext_channel_id_valid) {
     return 0;
   }
-  memcpy(out, ssl->s3->tlsext_channel_id, (max_out < 64) ? max_out : 64);
+  OPENSSL_memcpy(out, ssl->s3->tlsext_channel_id,
+                 (max_out < 64) ? max_out : 64);
   return 64;
 }
-void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
-                                      int (*cb)(X509_STORE_CTX *store_ctx,
-                                                void *arg),
-                                      void *arg) {
-  ctx->app_verify_callback = cb;
-  ctx->app_verify_arg = arg;
-}
-void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
-                        int (*cb)(int, X509_STORE_CTX *)) {
-  ctx->verify_mode = mode;
-  ctx->default_verify_callback = cb;
-}
-void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) {
-  X509_VERIFY_PARAM_set_depth(ctx->param, depth);
-}
-void SSL_CTX_set_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, void *arg),
-                         void *arg) {
-  ssl_cert_set_cert_cb(ctx->cert, cb, arg);
-}
-void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), void *arg) {
-  ssl_cert_set_cert_cb(ssl->cert, cb, arg);
-}
 size_t SSL_get0_certificate_types(SSL *ssl, const uint8_t **out_types) {
-  if (ssl->server) {
+  if (ssl->server || ssl->s3->hs == NULL) {
     *out_types = NULL;
     return 0;
   }
-  *out_types = ssl->s3->tmp.certificate_types;
-  return ssl->s3->tmp.num_certificate_types;
-}
-void ssl_get_compatible_server_ciphers(SSL *ssl, uint32_t *out_mask_k,
-                                       uint32_t *out_mask_a) {
-  uint32_t mask_k = 0;
-  uint32_t mask_a = 0;
-  if (ssl->cert->x509 != NULL && ssl_has_private_key(ssl)) {
-    int type = ssl_private_key_type(ssl);
-    if (type == NID_rsaEncryption) {
-      mask_k |= SSL_kRSA;
-      mask_a |= SSL_aRSA;
-    } else if (ssl_is_ecdsa_key_type(type)) {
-      /* An ECC certificate may be usable for ECDSA cipher suites depending on
-       * the key usage extension and on the client's group preferences. */
-      X509 *x = ssl->cert->x509;
-      /* This call populates extension flags (ex_flags). */
-      X509_check_purpose(x, -1, 0);
-      int ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE)
-                         ? (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)
-                         : 1;
-      if (ecdsa_ok && tls1_check_ec_cert(ssl, x)) {
-        mask_a |= SSL_aECDSA;
-      }
-    }
-  }
-  if (ssl->cert->dh_tmp != NULL || ssl->cert->dh_tmp_cb != NULL) {
-    mask_k |= SSL_kDHE;
-  }
-  /* Check for a shared group to consider ECDHE ciphers. */
-  uint16_t unused;
-  if (tls1_get_shared_group(ssl, &unused)) {
-    mask_k |= SSL_kECDHE;
-  }
-  /* CECPQ1 ciphers are always acceptable if supported by both sides. */
-  mask_k |= SSL_kCECPQ1;
-  /* PSK requires a server callback. */
-  if (ssl->psk_server_callback != NULL) {
-    mask_k |= SSL_kPSK;
-    mask_a |= SSL_aPSK;
-  }
-  *out_mask_k = mask_k;
-  *out_mask_a = mask_a;
+  *out_types = ssl->s3->hs->certificate_types;
+  return ssl->s3->hs->num_certificate_types;
 }
-void ssl_update_cache(SSL *ssl, int mode) {
+void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) {
+  SSL *const ssl = hs->ssl;
   SSL_CTX *ctx = ssl->initial_ctx;
   /* Never cache sessions with empty session IDs. */
   if (ssl->s3->established_session->session_id_length == 0 ||
@@ -2082,7 +1876,7 @@ void ssl_update_cache(SSL *ssl, int mode) {
    * decides to renew the ticket. Once the handshake is completed, it should be
    * inserted into the cache. */
   if (ssl->s3->established_session != ssl->session ||
-      (!ssl->server && ssl->tlsext_ticket_expected)) {
+      (!ssl->server && hs->ticket_expected)) {
     if (use_internal_cache) {
       SSL_CTX_add_session(ctx, ssl->s3->established_session);
     }
@@ -2152,14 +1946,6 @@ const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
   return ssl_get_version(session->ssl_version);
 }
-X509 *SSL_get_certificate(const SSL *ssl) {
-  if (ssl->cert != NULL) {
-    return ssl->cert->x509;
-  }
-  return NULL;
-}
 EVP_PKEY *SSL_get_privatekey(const SSL *ssl) {
   if (ssl->cert != NULL) {
     return ssl->cert->privatekey;
@@ -2168,14 +1954,6 @@ EVP_PKEY *SSL_get_privatekey(const SSL *ssl) {
   return NULL;
 }
-X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) {
-  if (ctx->cert != NULL) {
-    return ctx->cert->x509;
-  }
-  return NULL;
-}
 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) {
   if (ctx->cert != NULL) {
     return ctx->cert->privatekey;
@@ -2201,41 +1979,6 @@ const COMP_METHOD *SSL_get_current_expansion(SSL *ssl) { return NULL; }
 int *SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **out_key) { return 0; }
-int ssl_is_wbio_buffered(const SSL *ssl) {
-  return ssl->bbio != NULL;
-}
-int ssl_init_wbio_buffer(SSL *ssl) {
-  if (ssl->bbio != NULL) {
-    /* Already buffered. */
-    assert(ssl->bbio == ssl->wbio);
-    return 1;
-  }
-  BIO *bbio = BIO_new(BIO_f_buffer());
-  if (bbio == NULL ||
-      !BIO_set_read_buffer_size(bbio, 1)) {
-    BIO_free(bbio);
-    return 0;
-  }
-  ssl->bbio = bbio;
-  ssl->wbio = BIO_push(bbio, ssl->wbio);
-  return 1;
-}
-void ssl_free_wbio_buffer(SSL *ssl) {
-  if (ssl->bbio == NULL) {
-    return;
-  }
-  assert(ssl->bbio == ssl->wbio);
-  ssl->wbio = BIO_pop(ssl->wbio);
-  BIO_free(ssl->bbio);
-  ssl->bbio = NULL;
-}
 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) {
   ctx->quiet_shutdown = (mode != 0);
 }
@@ -2296,6 +2039,12 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {
     return ssl->ctx;
   }
+  /* One cannot change the X.509 callbacks during a connection. */
+  if (ssl->ctx->x509_method != ctx->x509_method) {
+    assert(0);
+    return NULL;
+  }
   if (ctx == NULL) {
     ctx = ssl->initial_ctx;
   }
@@ -2303,26 +2052,13 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {
   ssl_cert_free(ssl->cert);
   ssl->cert = ssl_cert_dup(ctx->cert);
-  CRYPTO_refcount_inc(&ctx->references);
-  SSL_CTX_free(ssl->ctx); /* decrement reference count */
+  SSL_CTX_up_ref(ctx);
+  SSL_CTX_free(ssl->ctx);
   ssl->ctx = ctx;
-  ssl->sid_ctx_length = ctx->sid_ctx_length;
-  assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx));
-  memcpy(ssl->sid_ctx, ctx->sid_ctx, sizeof(ssl->sid_ctx));
   return ssl->ctx;
 }
-int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) {
-  return X509_STORE_set_default_paths(ctx->cert_store);
-}
-int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *ca_file,
-                                  const char *ca_dir) {
-  return X509_STORE_load_locations(ctx->cert_store, ca_file, ca_dir);
-}
 void SSL_set_info_callback(SSL *ssl,
                            void (*cb)(const SSL *ssl, int type, int value)) {
   ssl->info_callback = cb;
@@ -2333,7 +2069,9 @@ void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type,
   return ssl->info_callback;
 }
-int SSL_state(const SSL *ssl) { return ssl->state; }
+int SSL_state(const SSL *ssl) {
+  return SSL_in_init(ssl) ? SSL_ST_INIT : SSL_ST_OK;
+}
 void SSL_set_state(SSL *ssl, int state) { }
@@ -2345,20 +2083,6 @@ char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len) {
   return buf;
 }
-void SSL_set_verify_result(SSL *ssl, long result) {
-  if (result != X509_V_OK) {
-    abort();
-  }
-}
-long SSL_get_verify_result(const SSL *ssl) {
-  SSL_SESSION *session = SSL_get_session(ssl);
-  if (session == NULL) {
-    return X509_V_ERR_INVALID_CALL;
-  }
-  return session->verify_result;
-}
 int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
                          CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {
   int index;
@@ -2396,15 +2120,6 @@ void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) {
   return CRYPTO_get_ex_data(&ctx->ex_data, idx);
 }
-X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) {
-  return ctx->cert_store;
-}
-void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) {
-  X509_STORE_free(ctx->cert_store);
-  ctx->cert_store = store;
-}
 int SSL_want(const SSL *ssl) { return ssl->rwstate; }
 void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
@@ -2427,19 +2142,6 @@ void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*callback)(SSL *ssl, int is_export,
   ssl->cert->dh_tmp_cb = callback;
 }
-unsigned SSL_get_dhe_group_size(const SSL *ssl) {
-  /* TODO(davidben): This checks the wrong session if there is a renegotiation in
-   * progress. */
-  SSL_SESSION *session = SSL_get_session(ssl);
-  if (session == NULL ||
-      session->cipher == NULL ||
-      !SSL_CIPHER_is_DHE(session->cipher)) {
-    return 0;
-  }
-  return session->key_exchange_info;
-}
 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) {
   if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
@@ -2586,41 +2288,6 @@ static int cbb_add_hex(CBB *cbb, const uint8_t *in, size_t in_len) {
   return 1;
 }
-int ssl_log_rsa_client_key_exchange(const SSL *ssl,
-                                    const uint8_t *encrypted_premaster,
-                                    size_t encrypted_premaster_len,
-                                    const uint8_t *premaster,
-                                    size_t premaster_len) {
-  if (ssl->ctx->keylog_callback == NULL) {
-    return 1;
-  }
-  if (encrypted_premaster_len < 8) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return 0;
-  }
-  CBB cbb;
-  uint8_t *out;
-  size_t out_len;
-  if (!CBB_init(&cbb, 4 + 16 + 1 + premaster_len * 2 + 1) ||
-      !CBB_add_bytes(&cbb, (const uint8_t *)"RSA ", 4) ||
-      /* Only the first 8 bytes of the encrypted premaster secret are
-       * logged. */
-      !cbb_add_hex(&cbb, encrypted_premaster, 8) ||
-      !CBB_add_bytes(&cbb, (const uint8_t *)" ", 1) ||
-      !cbb_add_hex(&cbb, premaster, premaster_len) ||
-      !CBB_add_u8(&cbb, 0 /* NUL */) ||
-      !CBB_finish(&cbb, &out, &out_len)) {
-    CBB_cleanup(&cbb);
-    return 0;
-  }
-  ssl->ctx->keylog_callback(ssl, (const char *)out);
-  OPENSSL_free(out);
-  return 1;
-}
 int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret,
                    size_t secret_len) {
   if (ssl->ctx->keylog_callback == NULL) {
@@ -2649,15 +2316,19 @@ int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret,
 }
 int SSL_is_init_finished(const SSL *ssl) {
-  return ssl->state == SSL_ST_OK;
+  return !SSL_in_init(ssl);
 }
 int SSL_in_init(const SSL *ssl) {
-  return (ssl->state & SSL_ST_INIT) != 0;
+  SSL_HANDSHAKE *hs = ssl->s3->hs;
+  return hs != NULL && hs->state != SSL_ST_OK;
 }
 int SSL_in_false_start(const SSL *ssl) {
-  return ssl->s3->tmp.in_false_start;
+  if (ssl->s3->hs == NULL) {
+    return 0;
+  }
+  return ssl->s3->hs->in_false_start;
 }
 int SSL_cutthrough_complete(const SSL *ssl) {
@@ -2677,29 +2348,13 @@ int ssl3_can_false_start(const SSL *ssl) {
   /* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */
   return !SSL_is_dtls(ssl) &&
       SSL_version(ssl) == TLS1_2_VERSION &&
-      (ssl->s3->alpn_selected || ssl->s3->next_proto_neg_seen) &&
+      (ssl->s3->alpn_selected != NULL ||
+       ssl->s3->next_proto_negotiated != NULL) &&
       cipher != NULL &&
-      (cipher->algorithm_mkey == SSL_kECDHE ||
-       cipher->algorithm_mkey == SSL_kCECPQ1) &&
+      cipher->algorithm_mkey == SSL_kECDHE &&
       cipher->algorithm_mac == SSL_AEAD;
 }
-const SSL3_ENC_METHOD *ssl3_get_enc_method(uint16_t version) {
-  switch (version) {
-    case SSL3_VERSION:
-      return &SSLv3_enc_data;
-    case TLS1_VERSION:
-    case TLS1_1_VERSION:
-    case TLS1_2_VERSION:
-    case TLS1_3_VERSION:
-      return &TLSv1_enc_data;
-    default:
-      return NULL;
-  }
-}
 const struct {
   uint16_t version;
   uint32_t flag;
@@ -2800,13 +2455,13 @@ int SSL_is_server(const SSL *ssl) { return ssl->server; }
 int SSL_is_dtls(const SSL *ssl) { return ssl->method->is_dtls; }
-void SSL_CTX_set_select_certificate_cb(
-    SSL_CTX *ctx, int (*cb)(const struct ssl_early_callback_ctx *)) {
+void SSL_CTX_set_select_certificate_cb(SSL_CTX *ctx,
+                                       int (*cb)(const SSL_CLIENT_HELLO *)) {
   ctx->select_certificate_cb = cb;
 }
-void SSL_CTX_set_dos_protection_cb(
-    SSL_CTX *ctx, int (*cb)(const struct ssl_early_callback_ctx *)) {
+void SSL_CTX_set_dos_protection_cb(SSL_CTX *ctx,
+                                   int (*cb)(const SSL_CLIENT_HELLO *)) {
   ctx->dos_protection_cb = cb;
 }
@@ -2814,11 +2469,6 @@ void SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode) {
   ssl->renegotiate_mode = mode;
 }
-void SSL_set_reject_peer_renegotiations(SSL *ssl, int reject) {
-  SSL_set_renegotiate_mode(
-      ssl, reject ? ssl_renegotiate_never : ssl_renegotiate_freely);
-}
 int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
                 const uint8_t **out_write_iv, size_t *out_iv_len) {
   if (ssl->s3->aead_read_ctx == NULL || ssl->s3->aead_write_ctx == NULL) {
@@ -2864,7 +2514,14 @@ uint64_t SSL_get_write_sequence(const SSL *ssl) {
 }
 uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) {
-  return ssl->s3->tmp.peer_signature_algorithm;
+  /* TODO(davidben): This checks the wrong session if there is a renegotiation
+   * in progress. */
+  SSL_SESSION *session = SSL_get_session(ssl);
+  if (session == NULL) {
+    return 0;
+  }
+  return session->peer_signature_algorithm;
 }
 size_t SSL_get_client_random(const SSL *ssl, uint8_t *out, size_t max_out) {
@@ -2874,7 +2531,7 @@ size_t SSL_get_client_random(const SSL *ssl, uint8_t *out, size_t max_out) {
   if (max_out > sizeof(ssl->s3->client_random)) {
     max_out = sizeof(ssl->s3->client_random);
   }
-  memcpy(out, ssl->s3->client_random, max_out);
+  OPENSSL_memcpy(out, ssl->s3->client_random, max_out);
   return max_out;
 }
@@ -2885,15 +2542,20 @@ size_t SSL_get_server_random(const SSL *ssl, uint8_t *out, size_t max_out) {
   if (max_out > sizeof(ssl->s3->server_random)) {
     max_out = sizeof(ssl->s3->server_random);
   }
-  memcpy(out, ssl->s3->server_random, max_out);
+  OPENSSL_memcpy(out, ssl->s3->server_random, max_out);
   return max_out;
 }
 const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl) {
-  if (!SSL_in_init(ssl)) {
+  SSL_HANDSHAKE *hs = ssl->s3->hs;
+  if (hs == NULL) {
     return NULL;
   }
-  return ssl->s3->tmp.new_cipher;
+  return hs->new_cipher;
+}
+void SSL_set_retain_only_sha256_of_client_certs(SSL *ssl, int enabled) {
+  ssl->retain_only_sha256_of_client_certs = !!enabled;
 }
 void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx, int enabled) {
@@ -2904,10 +2566,18 @@ void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled) {
   ctx->grease_enabled = !!enabled;
 }
+void SSL_CTX_set_short_header_enabled(SSL_CTX *ctx, int enabled) {
+  ctx->short_header_enabled = !!enabled;
+}
 int SSL_clear(SSL *ssl) {
-  if (ssl->method == NULL) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_METHOD_SPECIFIED);
-    return 0;
+  /* In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously
+   * established session to be offered the next time around. wpa_supplicant
+   * depends on this behavior, so emulate it. */
+  SSL_SESSION *session = NULL;
+  if (!ssl->server && ssl->s3->established_session != NULL) {
+    session = ssl->s3->established_session;
+    SSL_SESSION_up_ref(session);
   }
   /* TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and
@@ -2916,7 +2586,6 @@ int SSL_clear(SSL *ssl) {
    * naturally reset at the right points between |SSL_new|, |SSL_clear|, and
    * |ssl3_new|. */
-  ssl->state = SSL_ST_INIT;
   ssl->rwstate = SSL_NOTHING;
   BUF_MEM_free(ssl->init_buf);
@@ -2935,6 +2604,7 @@ int SSL_clear(SSL *ssl) {
   ssl->method->ssl_free(ssl);
   if (!ssl->method->ssl_new(ssl)) {
+    SSL_SESSION_free(session);
     return 0;
   }
@@ -2942,7 +2612,10 @@ int SSL_clear(SSL *ssl) {
     ssl->d1->mtu = mtu;
   }
-  ssl->client_version = ssl->version;
+  if (session != NULL) {
+    SSL_set_session(ssl, session);
+    SSL_SESSION_free(session);
+  }
   return 1;
 }
@@ -3033,7 +2706,7 @@ void ssl_get_current_time(const SSL *ssl, struct timeval *out_clock) {
     return;
   }
-#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
   out_clock->tv_sec = 1234;
   out_clock->tv_usec = 1234;
 #elif defined(OPENSSL_WINDOWS)