grpc 1.41.0 → 1.42.0.pre1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +57 -44
- data/etc/roots.pem +335 -326
- data/include/grpc/event_engine/event_engine.h +82 -42
- data/include/grpc/event_engine/internal/memory_allocator_impl.h +98 -0
- data/include/grpc/event_engine/memory_allocator.h +210 -0
- data/include/grpc/grpc.h +4 -0
- data/include/grpc/grpc_security.h +18 -0
- data/include/grpc/grpc_security_constants.h +1 -0
- data/include/grpc/impl/codegen/port_platform.h +7 -0
- data/src/core/ext/filters/client_channel/backend_metric.cc +18 -19
- data/src/core/ext/filters/client_channel/backup_poller.cc +2 -1
- data/src/core/ext/filters/client_channel/channel_connectivity.cc +71 -89
- data/src/core/ext/filters/client_channel/client_channel.cc +187 -252
- data/src/core/ext/filters/client_channel/client_channel.h +74 -27
- data/src/core/ext/filters/client_channel/client_channel_factory.cc +1 -1
- data/src/core/ext/filters/client_channel/client_channel_factory.h +17 -19
- data/src/core/ext/filters/client_channel/client_channel_plugin.cc +8 -14
- data/src/core/ext/filters/client_channel/config_selector.cc +1 -1
- data/src/core/ext/filters/client_channel/config_selector.h +4 -5
- data/src/core/ext/filters/client_channel/connector.h +18 -18
- data/src/core/ext/filters/client_channel/dynamic_filters.cc +1 -1
- data/src/core/ext/filters/client_channel/global_subchannel_pool.h +0 -1
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +12 -11
- data/src/core/ext/filters/client_channel/http_connect_handshaker.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.cc +4 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +6 -15
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +166 -82
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h +4 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.cc +2 -4
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +23 -7
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +15 -10
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +2 -3
- data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +2502 -0
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +6 -1
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +7 -1
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +6 -2
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +5 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +8 -1
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +7 -16
- data/src/core/ext/filters/client_channel/lb_policy.h +11 -1
- data/src/core/ext/filters/client_channel/lb_policy_factory.h +1 -0
- data/src/core/ext/filters/client_channel/resolver/binder/binder_resolver.cc +139 -0
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +11 -5
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +3 -3
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +12 -39
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +21 -1
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +6 -2
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +3 -1
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +77 -68
- data/src/core/ext/filters/client_channel/resolver.h +1 -1
- data/src/core/ext/filters/client_channel/resolver_factory.h +2 -0
- data/src/core/ext/filters/client_channel/resolver_registry.cc +6 -8
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver_result_parsing.h +1 -1
- data/src/core/ext/filters/client_channel/retry_filter.cc +48 -86
- data/src/core/ext/filters/client_channel/retry_service_config.h +1 -1
- data/src/core/ext/filters/client_channel/retry_throttle.cc +17 -48
- data/src/core/ext/filters/client_channel/server_address.h +1 -1
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +49 -36
- data/src/core/ext/filters/client_channel/subchannel.cc +85 -143
- data/src/core/ext/filters/client_channel/subchannel.h +29 -49
- data/src/core/ext/filters/client_channel/subchannel_pool_interface.cc +22 -7
- data/src/core/ext/filters/client_channel/subchannel_pool_interface.h +11 -2
- data/src/core/ext/filters/client_idle/client_idle_filter.cc +27 -210
- data/src/core/ext/filters/client_idle/idle_filter_state.cc +96 -0
- data/src/core/ext/filters/client_idle/idle_filter_state.h +66 -0
- data/src/core/ext/filters/deadline/deadline_filter.cc +23 -26
- data/src/core/ext/filters/fault_injection/fault_injection_filter.cc +19 -19
- data/src/core/ext/filters/fault_injection/service_config_parser.cc +0 -1
- data/src/core/ext/filters/fault_injection/service_config_parser.h +1 -1
- data/src/core/ext/filters/http/client/http_client_filter.cc +41 -44
- data/src/core/ext/filters/http/client_authority_filter.cc +14 -15
- data/src/core/ext/filters/http/http_filters_plugin.cc +53 -71
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +17 -12
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +1 -1
- data/src/core/ext/filters/http/server/http_server_filter.cc +72 -69
- data/src/core/ext/filters/max_age/max_age_filter.cc +24 -26
- data/src/core/ext/filters/message_size/message_size_filter.cc +19 -16
- data/src/core/ext/filters/message_size/message_size_filter.h +1 -1
- data/src/core/ext/{filters/client_channel → service_config}/service_config.cc +2 -2
- data/src/core/ext/{filters/client_channel → service_config}/service_config.h +4 -4
- data/src/core/ext/service_config/service_config_call_data.h +72 -0
- data/src/core/ext/{filters/client_channel → service_config}/service_config_parser.cc +3 -3
- data/src/core/ext/{filters/client_channel → service_config}/service_config_parser.h +8 -6
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +2 -5
- data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +19 -24
- data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +27 -50
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +14 -16
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +59 -58
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +19 -16
- data/src/core/ext/transport/chttp2/transport/flow_control.h +4 -4
- data/src/core/ext/transport/chttp2/transport/frame_data.cc +4 -4
- data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +2 -1
- data/src/core/ext/transport/chttp2/transport/frame_ping.cc +2 -1
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +2 -3
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +2 -2
- data/src/core/ext/transport/chttp2/transport/hpack_constants.h +1 -1
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +41 -1
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +8 -4
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_index.h +1 -1
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +136 -98
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +27 -8
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +12 -25
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +37 -30
- data/src/core/ext/transport/chttp2/transport/internal.h +4 -3
- data/src/core/ext/transport/chttp2/transport/parsing.cc +30 -173
- data/src/core/ext/transport/chttp2/transport/popularity_count.h +1 -1
- data/src/core/ext/transport/chttp2/transport/writing.cc +29 -22
- data/src/core/ext/transport/inproc/inproc_transport.cc +105 -109
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +68 -34
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +139 -1
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +16 -4
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +53 -4
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c +3 -2
- data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.h +15 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +13 -8
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +23 -0
- data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint_components.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +14 -11
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +17 -0
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +15 -12
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +49 -19
- data/src/core/ext/upb-generated/src/proto/grpc/lookup/v1/rls.upb.c +55 -0
- data/src/core/ext/upb-generated/src/proto/grpc/lookup/v1/rls.upb.h +154 -0
- data/src/core/ext/upb-generated/udpa/annotations/security.upb.c +0 -2
- data/src/core/ext/upb-generated/xds/annotations/v3/status.upb.c +58 -0
- data/src/core/ext/upb-generated/xds/annotations/v3/status.upb.h +182 -0
- data/src/core/ext/upb-generated/xds/core/v3/authority.upb.c +1 -1
- data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.c +1 -1
- data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.c +1 -1
- data/src/core/ext/upb-generated/xds/core/v3/resource.upb.c +1 -1
- data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.c +1 -1
- data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.c +1 -1
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +58 -0
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +130 -0
- data/src/core/ext/upb-generated/{udpa/type/v1 → xds/type/v3}/typed_struct.upb.c +7 -7
- data/src/core/ext/upb-generated/xds/type/v3/typed_struct.upb.h +83 -0
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +310 -286
- data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.h +10 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +101 -88
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.c +59 -56
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +59 -46
- data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint_components.upbdefs.c +78 -82
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +323 -316
- data/src/core/ext/upbdefs-generated/udpa/annotations/migrate.upbdefs.c +5 -4
- data/src/core/ext/upbdefs-generated/udpa/annotations/security.upbdefs.c +19 -23
- data/src/core/ext/upbdefs-generated/udpa/annotations/sensitive.upbdefs.c +4 -3
- data/src/core/ext/upbdefs-generated/udpa/annotations/status.upbdefs.c +5 -3
- data/src/core/ext/upbdefs-generated/udpa/annotations/versioning.upbdefs.c +5 -4
- data/src/core/ext/upbdefs-generated/xds/annotations/v3/status.upbdefs.c +75 -0
- data/src/core/ext/upbdefs-generated/xds/annotations/v3/status.upbdefs.h +50 -0
- data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.c +13 -12
- data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.c +25 -24
- data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.c +16 -15
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.c +17 -16
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.c +33 -32
- data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.c +19 -18
- data/src/core/ext/upbdefs-generated/xds/type/v3/typed_struct.upbdefs.c +45 -0
- data/src/core/ext/upbdefs-generated/xds/type/v3/typed_struct.upbdefs.h +35 -0
- data/src/core/ext/xds/xds_api.cc +325 -362
- data/src/core/ext/xds/xds_api.h +134 -82
- data/src/core/ext/xds/xds_bootstrap.h +10 -0
- data/src/core/ext/xds/xds_certificate_provider.cc +3 -3
- data/src/core/ext/xds/xds_channel_stack_modifier.cc +113 -0
- data/src/core/ext/xds/xds_channel_stack_modifier.h +52 -0
- data/src/core/ext/xds/xds_client.cc +527 -314
- data/src/core/ext/xds/xds_client.h +42 -37
- data/src/core/ext/xds/xds_client_stats.h +1 -1
- data/src/core/ext/xds/xds_server_config_fetcher.cc +5 -7
- data/src/core/lib/address_utils/parse_address.cc +2 -0
- data/src/core/lib/avl/avl.cc +5 -5
- data/src/core/lib/backoff/backoff.cc +1 -1
- data/src/core/lib/channel/channel_args.cc +24 -6
- data/src/core/lib/channel/channel_args.h +9 -0
- data/src/core/lib/channel/channel_stack_builder.cc +3 -3
- data/src/core/lib/channel/channel_trace.cc +1 -1
- data/src/core/lib/channel/channel_trace.h +1 -1
- data/src/core/lib/channel/channelz.cc +3 -3
- data/src/core/lib/channel/channelz.h +2 -2
- data/src/core/lib/channel/channelz_registry.cc +1 -1
- data/src/core/lib/channel/channelz_registry.h +1 -1
- data/src/core/lib/channel/connected_channel.cc +1 -3
- data/src/core/lib/channel/connected_channel.h +1 -2
- data/src/core/lib/compression/compression.cc +2 -2
- data/src/core/lib/compression/compression_args.cc +6 -4
- data/src/core/lib/compression/compression_internal.cc +2 -2
- data/src/core/lib/compression/compression_internal.h +1 -1
- data/src/core/lib/config/core_configuration.cc +44 -2
- data/src/core/lib/config/core_configuration.h +39 -1
- data/src/core/lib/debug/stats.cc +1 -1
- data/src/core/lib/debug/stats_data.cc +13 -13
- data/src/core/lib/gpr/atm.cc +1 -1
- data/src/core/lib/gpr/cpu_posix.cc +1 -1
- data/src/core/lib/gpr/string.cc +2 -2
- data/src/core/lib/gpr/tls.h +1 -1
- data/src/core/lib/gpr/useful.h +79 -32
- data/src/core/lib/gprpp/arena.h +10 -0
- data/src/core/lib/gprpp/bitset.h +38 -16
- data/src/core/lib/gprpp/chunked_vector.h +211 -0
- data/src/core/lib/gprpp/construct_destruct.h +1 -1
- data/src/core/lib/gprpp/match.h +1 -1
- data/src/core/lib/gprpp/memory.h +6 -0
- data/src/core/lib/gprpp/overload.h +1 -1
- data/src/core/lib/gprpp/status_helper.cc +23 -3
- data/src/core/lib/gprpp/status_helper.h +12 -1
- data/src/core/lib/gprpp/table.h +411 -0
- data/src/core/lib/http/httpcli.cc +200 -182
- data/src/core/lib/http/parser.cc +2 -2
- data/src/core/lib/iomgr/call_combiner.cc +28 -10
- data/src/core/lib/iomgr/combiner.cc +6 -21
- data/src/core/lib/iomgr/endpoint_cfstream.cc +7 -6
- data/src/core/lib/iomgr/error.cc +113 -52
- data/src/core/lib/iomgr/error.h +50 -9
- data/src/core/lib/iomgr/error_cfstream.cc +5 -0
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +3 -2
- data/src/core/lib/iomgr/ev_epollex_linux.cc +7 -7
- data/src/core/lib/iomgr/ev_poll_posix.cc +29 -20
- data/src/core/lib/iomgr/event_engine/closure.cc +41 -18
- data/src/core/lib/iomgr/event_engine/closure.h +10 -1
- data/src/core/lib/iomgr/event_engine/endpoint.cc +3 -3
- data/src/core/lib/iomgr/event_engine/iomgr.cc +1 -1
- data/src/core/lib/iomgr/event_engine/pollset.cc +5 -4
- data/src/core/lib/iomgr/event_engine/resolver.cc +10 -7
- data/src/core/lib/iomgr/event_engine/tcp.cc +9 -8
- data/src/core/lib/iomgr/event_engine/timer.cc +7 -2
- data/src/core/lib/iomgr/exec_ctx.cc +1 -9
- data/src/core/lib/iomgr/executor/mpmcqueue.cc +5 -7
- data/src/core/lib/iomgr/executor/mpmcqueue.h +3 -8
- data/src/core/lib/iomgr/executor.cc +6 -20
- data/src/core/lib/iomgr/iomgr.cc +3 -1
- data/src/core/lib/iomgr/iomgr_internal.cc +4 -9
- data/src/core/lib/iomgr/iomgr_internal.h +3 -2
- data/src/core/lib/iomgr/load_file.cc +2 -2
- data/src/core/lib/iomgr/lockfree_event.cc +18 -0
- data/src/core/lib/iomgr/pollset_custom.cc +1 -1
- data/src/core/lib/iomgr/pollset_custom.h +1 -1
- data/src/core/lib/iomgr/resolve_address_posix.cc +5 -7
- data/src/core/lib/iomgr/resource_quota.cc +13 -11
- data/src/core/lib/iomgr/socket_factory_posix.cc +2 -2
- data/src/core/lib/iomgr/socket_mutator.cc +2 -2
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +1 -2
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +5 -3
- data/src/core/lib/iomgr/tcp_client_custom.cc +1 -1
- data/src/core/lib/iomgr/tcp_client_posix.cc +9 -18
- data/src/core/lib/iomgr/tcp_client_windows.cc +2 -3
- data/src/core/lib/iomgr/tcp_posix.cc +4 -5
- data/src/core/lib/iomgr/tcp_server_custom.cc +2 -1
- data/src/core/lib/iomgr/tcp_server_posix.cc +3 -4
- data/src/core/lib/iomgr/tcp_server_windows.cc +4 -5
- data/src/core/lib/iomgr/tcp_windows.cc +2 -2
- data/src/core/lib/iomgr/timer_generic.cc +13 -13
- data/src/core/lib/iomgr/timer_heap.cc +1 -1
- data/src/core/lib/json/json_util.cc +68 -0
- data/src/core/lib/json/json_util.h +57 -99
- data/src/core/lib/json/json_writer.cc +0 -3
- data/src/core/lib/security/authorization/authorization_policy_provider.h +1 -1
- data/src/core/lib/security/authorization/authorization_policy_provider_vtable.cc +1 -1
- data/src/core/lib/security/authorization/evaluate_args.cc +14 -12
- data/src/core/lib/security/authorization/sdk_server_authz_filter.cc +13 -1
- data/src/core/lib/security/context/security_context.cc +4 -2
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +1 -1
- data/src/core/lib/security/credentials/credentials.cc +4 -2
- data/src/core/lib/security/credentials/credentials.h +6 -1
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +47 -11
- data/src/core/lib/security/credentials/external/external_account_credentials.h +1 -0
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +1 -1
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +5 -9
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +2 -2
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +2 -2
- data/src/core/lib/security/security_connector/security_connector.cc +9 -4
- data/src/core/lib/security/security_connector/security_connector.h +1 -1
- data/src/core/lib/security/security_connector/ssl_utils.cc +1 -1
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +1 -0
- data/src/core/lib/security/security_connector/tls/tls_security_connector.h +0 -2
- data/src/core/lib/security/transport/client_auth_filter.cc +5 -5
- data/src/core/lib/security/transport/security_handshaker.cc +73 -43
- data/src/core/lib/security/transport/server_auth_filter.cc +3 -5
- data/src/core/lib/security/transport/tsi_error.cc +3 -5
- data/src/core/lib/slice/slice.cc +0 -16
- data/src/core/lib/slice/slice_api.cc +39 -0
- data/src/core/lib/slice/slice_buffer.cc +5 -5
- data/src/core/lib/slice/slice_intern.cc +8 -13
- data/src/core/lib/slice/slice_internal.h +1 -244
- data/src/core/lib/slice/slice_refcount.cc +17 -0
- data/src/core/lib/slice/slice_refcount.h +121 -0
- data/src/core/lib/slice/slice_refcount_base.h +173 -0
- data/src/core/lib/slice/slice_split.cc +100 -0
- data/src/core/lib/slice/slice_split.h +40 -0
- data/src/core/lib/slice/slice_string_helpers.cc +0 -83
- data/src/core/lib/slice/slice_string_helpers.h +0 -11
- data/src/core/lib/slice/static_slice.cc +529 -0
- data/src/core/lib/slice/static_slice.h +331 -0
- data/src/core/lib/surface/builtins.cc +49 -0
- data/src/core/{ext/filters/workarounds/workaround_cronet_compression_filter.h → lib/surface/builtins.h} +8 -9
- data/src/core/lib/surface/call.cc +103 -120
- data/src/core/lib/surface/call.h +0 -6
- data/src/core/lib/surface/channel.cc +19 -32
- data/src/core/lib/surface/channel.h +0 -9
- data/src/core/lib/surface/channel_init.cc +23 -76
- data/src/core/lib/surface/channel_init.h +52 -44
- data/src/core/lib/surface/completion_queue.cc +6 -5
- data/src/core/lib/surface/init.cc +0 -39
- data/src/core/lib/surface/init_secure.cc +17 -14
- data/src/core/lib/surface/lame_client.cc +18 -11
- data/src/core/lib/surface/lame_client.h +1 -1
- data/src/core/lib/surface/server.cc +25 -17
- data/src/core/lib/surface/server.h +17 -10
- data/src/core/lib/surface/validate_metadata.cc +5 -2
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/bdp_estimator.cc +1 -1
- data/src/core/lib/transport/error_utils.cc +42 -17
- data/src/core/lib/transport/error_utils.h +1 -1
- data/src/core/lib/transport/metadata.cc +31 -10
- data/src/core/lib/transport/metadata.h +2 -1
- data/src/core/lib/transport/metadata_batch.cc +35 -371
- data/src/core/lib/transport/metadata_batch.h +905 -71
- data/src/core/lib/transport/parsed_metadata.h +263 -0
- data/src/core/lib/transport/pid_controller.cc +4 -4
- data/src/core/lib/transport/static_metadata.cc +714 -846
- data/src/core/lib/transport/static_metadata.h +115 -379
- data/src/core/lib/transport/status_metadata.cc +1 -0
- data/src/core/lib/transport/transport.cc +4 -5
- data/src/core/lib/transport/transport_op_string.cc +40 -20
- data/src/core/plugin_registry/grpc_plugin_registry.cc +64 -43
- data/src/core/tsi/alts/crypt/aes_gcm.cc +3 -1
- data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +13 -12
- data/src/core/tsi/alts/frame_protector/frame_handler.cc +10 -11
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +1 -2
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +12 -2
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.cc +1 -1
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +2 -2
- data/src/core/tsi/fake_transport_security.cc +15 -7
- data/src/core/tsi/local_transport_security.cc +36 -73
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +16 -50
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +4 -3
- data/src/core/tsi/ssl_transport_security.cc +10 -2
- data/src/core/tsi/transport_security.cc +12 -0
- data/src/core/tsi/transport_security.h +16 -1
- data/src/core/tsi/transport_security_interface.h +26 -0
- data/src/ruby/ext/grpc/extconf.rb +12 -9
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +4 -0
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +6 -0
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/pb/src/proto/grpc/testing/test_pb.rb +2 -2
- data/src/ruby/spec/client_server_spec.rb +1 -1
- data/third_party/abseil-cpp/absl/base/internal/thread_identity.cc +4 -4
- data/third_party/abseil-cpp/absl/base/internal/thread_identity.h +11 -6
- data/third_party/address_sorting/address_sorting_posix.c +1 -0
- data/third_party/boringssl-with-bazel/err_data.c +278 -272
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +21 -22
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +15 -22
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +13 -7
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +19 -29
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/a_strex.c +268 -271
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +106 -153
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +0 -39
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/charmap.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +38 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +289 -198
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +9 -13
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -17
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +4 -6
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +9 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +38 -47
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +45 -65
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +32 -34
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +21 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +5 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +5 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +10 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/des/des.c +10 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/des/internal.h +1 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +4 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md5/md5.c +4 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +24 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +35 -35
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +11 -10
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +10 -37
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +39 -0
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +12 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +0 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +0 -8
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/internal.h +16 -7
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7.c +9 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +151 -12
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +181 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +246 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +11 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +0 -179
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +0 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +11 -50
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +0 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +22 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_int.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +24 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +17 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +112 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +71 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +366 -227
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +2 -9
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +10 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +3 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +9 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +8 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/hkdf.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +9 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -20
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +12 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +37 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +28 -14
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +31 -32
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +529 -91
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +16 -695
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +48 -8
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +266 -357
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +90 -152
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +15 -13
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +75 -79
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +96 -97
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +63 -43
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +6 -12
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +14 -17
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +14 -27
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +203 -203
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +30 -41
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +47 -33
- data/third_party/re2/re2/compile.cc +91 -109
- data/third_party/re2/re2/dfa.cc +27 -39
- data/third_party/re2/re2/filtered_re2.cc +18 -2
- data/third_party/re2/re2/filtered_re2.h +10 -5
- data/third_party/re2/re2/nfa.cc +1 -1
- data/third_party/re2/re2/parse.cc +42 -23
- data/third_party/re2/re2/perl_groups.cc +34 -34
- data/third_party/re2/re2/prefilter.cc +3 -2
- data/third_party/re2/re2/prog.cc +182 -4
- data/third_party/re2/re2/prog.h +28 -9
- data/third_party/re2/re2/re2.cc +87 -118
- data/third_party/re2/re2/re2.h +156 -141
- data/third_party/re2/re2/regexp.cc +12 -5
- data/third_party/re2/re2/regexp.h +8 -2
- data/third_party/re2/re2/set.cc +31 -9
- data/third_party/re2/re2/set.h +9 -4
- data/third_party/re2/re2/simplify.cc +11 -3
- data/third_party/re2/re2/tostring.cc +1 -1
- data/third_party/re2/re2/walker-inl.h +1 -1
- data/third_party/re2/util/mutex.h +2 -2
- data/third_party/re2/util/pcre.h +3 -3
- metadata +83 -70
- data/include/grpc/event_engine/slice_allocator.h +0 -71
- data/src/core/ext/filters/client_channel/service_config_call_data.h +0 -126
- data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +0 -211
- data/src/core/ext/filters/workarounds/workaround_utils.cc +0 -53
- data/src/core/ext/filters/workarounds/workaround_utils.h +0 -39
- data/src/core/ext/transport/chttp2/client/authority.cc +0 -42
- data/src/core/ext/transport/chttp2/client/authority.h +0 -36
- data/src/core/ext/transport/chttp2/transport/chttp2_slice_allocator.cc +0 -67
- data/src/core/ext/transport/chttp2/transport/chttp2_slice_allocator.h +0 -74
- data/src/core/ext/transport/chttp2/transport/incoming_metadata.cc +0 -66
- data/src/core/ext/transport/chttp2/transport/incoming_metadata.h +0 -58
- data/src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.c +0 -58
- data/src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.h +0 -130
- data/src/core/ext/upb-generated/udpa/type/v1/typed_struct.upb.h +0 -83
- data/src/core/ext/upbdefs-generated/udpa/type/v1/typed_struct.upbdefs.c +0 -44
- data/src/core/ext/upbdefs-generated/udpa/type/v1/typed_struct.upbdefs.h +0 -35
- data/src/core/lib/iomgr/udp_server.cc +0 -747
- data/src/core/lib/iomgr/udp_server.h +0 -103
- data/src/core/lib/transport/authority_override.cc +0 -40
- data/src/core/lib/transport/authority_override.h +0 -37
@@ -333,8 +333,7 @@ bool ssl_add_client_hello(SSL_HANDSHAKE *hs) {
|
|
333
333
|
!ssl_write_client_hello_without_extensions(hs, &body, type,
|
334
334
|
/*empty_session_id*/ false) ||
|
335
335
|
!ssl_add_clienthello_tlsext(hs, &body, /*out_encoded=*/nullptr,
|
336
|
-
&needs_psk_binder, type, CBB_len(&body)
|
337
|
-
/*omit_ech_len=*/0) ||
|
336
|
+
&needs_psk_binder, type, CBB_len(&body)) ||
|
338
337
|
!ssl->method->finish_message(ssl, cbb.get(), &msg)) {
|
339
338
|
return false;
|
340
339
|
}
|
@@ -354,42 +353,31 @@ bool ssl_add_client_hello(SSL_HANDSHAKE *hs) {
|
|
354
353
|
return ssl->method->add_message(ssl, std::move(msg));
|
355
354
|
}
|
356
355
|
|
357
|
-
static bool
|
358
|
-
|
359
|
-
|
360
|
-
// the outer version.
|
361
|
-
|
356
|
+
static bool parse_server_version(const SSL_HANDSHAKE *hs, uint16_t *out_version,
|
357
|
+
uint8_t *out_alert,
|
358
|
+
const ParsedServerHello &server_hello) {
|
359
|
+
// If the outer version is not TLS 1.2, use it.
|
360
|
+
// TODO(davidben): This function doesn't quite match the RFC8446 formulation.
|
361
|
+
if (server_hello.legacy_version != TLS1_2_VERSION) {
|
362
|
+
*out_version = server_hello.legacy_version;
|
362
363
|
return true;
|
363
364
|
}
|
364
365
|
|
365
|
-
|
366
|
-
CBS
|
367
|
-
if (!
|
368
|
-
|
369
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
370
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
366
|
+
SSLExtension supported_versions(TLSEXT_TYPE_supported_versions);
|
367
|
+
CBS extensions = server_hello.extensions;
|
368
|
+
if (!ssl_parse_extensions(&extensions, out_alert, {&supported_versions},
|
369
|
+
/*ignore_unknown=*/true)) {
|
371
370
|
return false;
|
372
371
|
}
|
373
372
|
|
374
|
-
|
375
|
-
|
376
|
-
|
377
|
-
{TLSEXT_TYPE_supported_versions, &have_supported_versions,
|
378
|
-
&supported_versions},
|
379
|
-
};
|
380
|
-
|
381
|
-
uint8_t alert = SSL_AD_DECODE_ERROR;
|
382
|
-
if (!ssl_parse_extensions(&extensions, &alert, ext_types,
|
383
|
-
/*ignore_unknown=*/true)) {
|
384
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
385
|
-
return false;
|
373
|
+
if (!supported_versions.present) {
|
374
|
+
*out_version = server_hello.legacy_version;
|
375
|
+
return true;
|
386
376
|
}
|
387
377
|
|
388
|
-
|
389
|
-
|
390
|
-
|
391
|
-
CBS_len(&supported_versions) != 0)) {
|
392
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
378
|
+
if (!CBS_get_u16(&supported_versions.data, out_version) ||
|
379
|
+
CBS_len(&supported_versions.data) != 0) {
|
380
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
393
381
|
return false;
|
394
382
|
}
|
395
383
|
|
@@ -445,7 +433,7 @@ static ssl_early_data_reason_t should_offer_early_data(
|
|
445
433
|
}
|
446
434
|
|
447
435
|
void ssl_done_writing_client_hello(SSL_HANDSHAKE *hs) {
|
448
|
-
hs->
|
436
|
+
hs->ech_client_outer.Reset();
|
449
437
|
hs->cookie.Reset();
|
450
438
|
hs->key_share_bytes.Reset();
|
451
439
|
}
|
@@ -657,6 +645,38 @@ static enum ssl_hs_wait_t do_read_hello_verify_request(SSL_HANDSHAKE *hs) {
|
|
657
645
|
return ssl_hs_flush;
|
658
646
|
}
|
659
647
|
|
648
|
+
bool ssl_parse_server_hello(ParsedServerHello *out, uint8_t *out_alert,
|
649
|
+
const SSLMessage &msg) {
|
650
|
+
if (msg.type != SSL3_MT_SERVER_HELLO) {
|
651
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
|
652
|
+
*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
|
653
|
+
return false;
|
654
|
+
}
|
655
|
+
out->raw = msg.raw;
|
656
|
+
CBS body = msg.body;
|
657
|
+
if (!CBS_get_u16(&body, &out->legacy_version) ||
|
658
|
+
!CBS_get_bytes(&body, &out->random, SSL3_RANDOM_SIZE) ||
|
659
|
+
!CBS_get_u8_length_prefixed(&body, &out->session_id) ||
|
660
|
+
CBS_len(&out->session_id) > SSL3_SESSION_ID_SIZE ||
|
661
|
+
!CBS_get_u16(&body, &out->cipher_suite) ||
|
662
|
+
!CBS_get_u8(&body, &out->compression_method)) {
|
663
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
664
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
665
|
+
return false;
|
666
|
+
}
|
667
|
+
// In TLS 1.2 and below, empty extensions blocks may be omitted. In TLS 1.3,
|
668
|
+
// ServerHellos always have extensions, so this can be applied generically.
|
669
|
+
CBS_init(&out->extensions, nullptr, 0);
|
670
|
+
if ((CBS_len(&body) != 0 &&
|
671
|
+
!CBS_get_u16_length_prefixed(&body, &out->extensions)) ||
|
672
|
+
CBS_len(&body) != 0) {
|
673
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
674
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
675
|
+
return false;
|
676
|
+
}
|
677
|
+
return true;
|
678
|
+
}
|
679
|
+
|
660
680
|
static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
661
681
|
SSL *const ssl = hs->ssl;
|
662
682
|
SSLMessage msg;
|
@@ -664,26 +684,12 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
664
684
|
return ssl_hs_read_server_hello;
|
665
685
|
}
|
666
686
|
|
667
|
-
|
668
|
-
|
669
|
-
|
670
|
-
|
671
|
-
|
672
|
-
|
673
|
-
uint8_t compression_method;
|
674
|
-
if (!CBS_get_u16(&server_hello, &server_version) ||
|
675
|
-
!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE) ||
|
676
|
-
!CBS_get_u8_length_prefixed(&server_hello, &session_id) ||
|
677
|
-
CBS_len(&session_id) > SSL3_SESSION_ID_SIZE ||
|
678
|
-
!CBS_get_u16(&server_hello, &cipher_suite) ||
|
679
|
-
!CBS_get_u8(&server_hello, &compression_method)) {
|
680
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
681
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
682
|
-
return ssl_hs_error;
|
683
|
-
}
|
684
|
-
|
685
|
-
// Use the supported_versions extension if applicable.
|
686
|
-
if (!parse_supported_versions(hs, &server_version, &server_hello)) {
|
687
|
+
ParsedServerHello server_hello;
|
688
|
+
uint16_t server_version;
|
689
|
+
uint8_t alert = SSL_AD_DECODE_ERROR;
|
690
|
+
if (!ssl_parse_server_hello(&server_hello, &alert, msg) ||
|
691
|
+
!parse_server_version(hs, &server_version, &alert, server_hello)) {
|
692
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
687
693
|
return ssl_hs_error;
|
688
694
|
}
|
689
695
|
|
@@ -737,7 +743,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
737
743
|
}
|
738
744
|
|
739
745
|
// Copy over the server random.
|
740
|
-
OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&
|
746
|
+
OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_hello.random),
|
741
747
|
SSL3_RANDOM_SIZE);
|
742
748
|
|
743
749
|
// Enforce the TLS 1.3 anti-downgrade feature.
|
@@ -760,28 +766,26 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
760
766
|
}
|
761
767
|
}
|
762
768
|
|
763
|
-
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
|
764
|
-
if (cipher == NULL) {
|
765
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);
|
766
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
767
|
-
return ssl_hs_error;
|
768
|
-
}
|
769
|
-
hs->new_cipher = cipher;
|
770
|
-
|
771
769
|
// The cipher must be allowed in the selected version and enabled.
|
770
|
+
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(server_hello.cipher_suite);
|
772
771
|
uint32_t mask_a, mask_k;
|
773
772
|
ssl_get_client_disabled(hs, &mask_a, &mask_k);
|
774
|
-
if (
|
773
|
+
if (cipher == nullptr ||
|
774
|
+
(cipher->algorithm_mkey & mask_k) ||
|
775
|
+
(cipher->algorithm_auth & mask_a) ||
|
775
776
|
SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
|
776
777
|
SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||
|
777
|
-
!sk_SSL_CIPHER_find(SSL_get_ciphers(ssl),
|
778
|
+
!sk_SSL_CIPHER_find(SSL_get_ciphers(ssl), nullptr, cipher)) {
|
778
779
|
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
|
779
780
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
780
781
|
return ssl_hs_error;
|
781
782
|
}
|
782
783
|
|
784
|
+
hs->new_cipher = cipher;
|
785
|
+
|
783
786
|
if (hs->session_id_len != 0 &&
|
784
|
-
CBS_mem_equal(&session_id, hs->session_id,
|
787
|
+
CBS_mem_equal(&server_hello.session_id, hs->session_id,
|
788
|
+
hs->session_id_len)) {
|
785
789
|
// Echoing the ClientHello session ID in TLS 1.2, whether from the session
|
786
790
|
// or a synthetic one, indicates resumption. If there was no session (or if
|
787
791
|
// the session was only offered in ECH ClientHelloInner), this was the
|
@@ -799,7 +803,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
799
803
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
800
804
|
return ssl_hs_error;
|
801
805
|
}
|
802
|
-
if (ssl->session->cipher !=
|
806
|
+
if (ssl->session->cipher != hs->new_cipher) {
|
803
807
|
OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
|
804
808
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
805
809
|
return ssl_hs_error;
|
@@ -822,10 +826,11 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
822
826
|
return ssl_hs_error;
|
823
827
|
}
|
824
828
|
// Note: session_id could be empty.
|
825
|
-
hs->new_session->session_id_length = CBS_len(&session_id);
|
826
|
-
OPENSSL_memcpy(hs->new_session->session_id,
|
827
|
-
|
828
|
-
|
829
|
+
hs->new_session->session_id_length = CBS_len(&server_hello.session_id);
|
830
|
+
OPENSSL_memcpy(hs->new_session->session_id,
|
831
|
+
CBS_data(&server_hello.session_id),
|
832
|
+
CBS_len(&server_hello.session_id));
|
833
|
+
hs->new_session->cipher = hs->new_cipher;
|
829
834
|
}
|
830
835
|
|
831
836
|
// Now that the cipher is known, initialize the handshake hash and hash the
|
@@ -845,26 +850,17 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
845
850
|
}
|
846
851
|
|
847
852
|
// Only the NULL compression algorithm is supported.
|
848
|
-
if (compression_method != 0) {
|
853
|
+
if (server_hello.compression_method != 0) {
|
849
854
|
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
|
850
855
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
851
856
|
return ssl_hs_error;
|
852
857
|
}
|
853
858
|
|
854
|
-
|
855
|
-
if (!ssl_parse_serverhello_tlsext(hs, &server_hello)) {
|
859
|
+
if (!ssl_parse_serverhello_tlsext(hs, &server_hello.extensions)) {
|
856
860
|
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
|
857
861
|
return ssl_hs_error;
|
858
862
|
}
|
859
863
|
|
860
|
-
// There should be nothing left over in the record.
|
861
|
-
if (CBS_len(&server_hello) != 0) {
|
862
|
-
// wrong packet length
|
863
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
864
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
865
|
-
return ssl_hs_error;
|
866
|
-
}
|
867
|
-
|
868
864
|
if (ssl->session != NULL &&
|
869
865
|
hs->extended_master_secret != ssl->session->extended_master_secret) {
|
870
866
|
if (ssl->session->extended_master_secret) {
|
@@ -504,6 +504,91 @@ static bool is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO *client_hello) {
|
|
504
504
|
return true;
|
505
505
|
}
|
506
506
|
|
507
|
+
static bool decrypt_ech(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
508
|
+
const SSL_CLIENT_HELLO *client_hello) {
|
509
|
+
SSL *const ssl = hs->ssl;
|
510
|
+
CBS body;
|
511
|
+
if (!ssl_client_hello_get_extension(client_hello, &body,
|
512
|
+
TLSEXT_TYPE_encrypted_client_hello)) {
|
513
|
+
return true;
|
514
|
+
}
|
515
|
+
uint8_t type;
|
516
|
+
if (!CBS_get_u8(&body, &type)) {
|
517
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
518
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
519
|
+
return false;
|
520
|
+
}
|
521
|
+
if (type != ECH_CLIENT_OUTER) {
|
522
|
+
return true;
|
523
|
+
}
|
524
|
+
// This is a ClientHelloOuter ECH extension. Attempt to decrypt it.
|
525
|
+
uint8_t config_id;
|
526
|
+
uint16_t kdf_id, aead_id;
|
527
|
+
CBS enc, payload;
|
528
|
+
if (!CBS_get_u16(&body, &kdf_id) || //
|
529
|
+
!CBS_get_u16(&body, &aead_id) || //
|
530
|
+
!CBS_get_u8(&body, &config_id) ||
|
531
|
+
!CBS_get_u16_length_prefixed(&body, &enc) ||
|
532
|
+
!CBS_get_u16_length_prefixed(&body, &payload) || //
|
533
|
+
CBS_len(&body) != 0) {
|
534
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
535
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
536
|
+
return false;
|
537
|
+
}
|
538
|
+
|
539
|
+
{
|
540
|
+
MutexReadLock lock(&ssl->ctx->lock);
|
541
|
+
hs->ech_keys = UpRef(ssl->ctx->ech_keys);
|
542
|
+
}
|
543
|
+
|
544
|
+
if (!hs->ech_keys) {
|
545
|
+
ssl->s3->ech_status = ssl_ech_rejected;
|
546
|
+
return true;
|
547
|
+
}
|
548
|
+
|
549
|
+
for (const auto &config : hs->ech_keys->configs) {
|
550
|
+
hs->ech_hpke_ctx.Reset();
|
551
|
+
if (config_id != config->ech_config().config_id ||
|
552
|
+
!config->SetupContext(hs->ech_hpke_ctx.get(), kdf_id, aead_id, enc)) {
|
553
|
+
// Ignore the error and try another ECHConfig.
|
554
|
+
ERR_clear_error();
|
555
|
+
continue;
|
556
|
+
}
|
557
|
+
Array<uint8_t> encoded_client_hello_inner;
|
558
|
+
bool is_decrypt_error;
|
559
|
+
if (!ssl_client_hello_decrypt(hs->ech_hpke_ctx.get(),
|
560
|
+
&encoded_client_hello_inner,
|
561
|
+
&is_decrypt_error, client_hello, payload)) {
|
562
|
+
if (is_decrypt_error) {
|
563
|
+
// Ignore the error and try another ECHConfig.
|
564
|
+
ERR_clear_error();
|
565
|
+
continue;
|
566
|
+
}
|
567
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
|
568
|
+
return false;
|
569
|
+
}
|
570
|
+
|
571
|
+
// Recover the ClientHelloInner from the EncodedClientHelloInner.
|
572
|
+
bssl::Array<uint8_t> client_hello_inner;
|
573
|
+
if (!ssl_decode_client_hello_inner(ssl, out_alert, &client_hello_inner,
|
574
|
+
encoded_client_hello_inner,
|
575
|
+
client_hello)) {
|
576
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
577
|
+
return false;
|
578
|
+
}
|
579
|
+
hs->ech_client_hello_buf = std::move(client_hello_inner);
|
580
|
+
hs->ech_config_id = config_id;
|
581
|
+
ssl->s3->ech_status = ssl_ech_accepted;
|
582
|
+
return true;
|
583
|
+
}
|
584
|
+
|
585
|
+
// If we did not accept ECH, proceed with the ClientHelloOuter. Note this
|
586
|
+
// could be key mismatch or ECH GREASE, so we must complete the handshake
|
587
|
+
// as usual, except EncryptedExtensions will contain retry configs.
|
588
|
+
ssl->s3->ech_status = ssl_ech_rejected;
|
589
|
+
return true;
|
590
|
+
}
|
591
|
+
|
507
592
|
static bool extract_sni(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
508
593
|
const SSL_CLIENT_HELLO *client_hello) {
|
509
594
|
SSL *const ssl = hs->ssl;
|
@@ -583,98 +668,19 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
|
|
583
668
|
return ssl_hs_handoff;
|
584
669
|
}
|
585
670
|
|
586
|
-
|
587
|
-
|
588
|
-
|
589
|
-
|
590
|
-
|
591
|
-
TLSEXT_TYPE_encrypted_client_hello)) {
|
592
|
-
CBS unused;
|
593
|
-
if (ssl_client_hello_get_extension(&client_hello, &unused,
|
594
|
-
TLSEXT_TYPE_ech_is_inner)) {
|
595
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
596
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
597
|
-
return ssl_hs_error;
|
598
|
-
}
|
599
|
-
|
600
|
-
// Parse a ClientECH out of the extension body.
|
601
|
-
uint8_t config_id;
|
602
|
-
uint16_t kdf_id, aead_id;
|
603
|
-
CBS enc, payload;
|
604
|
-
if (!CBS_get_u16(&ech_body, &kdf_id) || //
|
605
|
-
!CBS_get_u16(&ech_body, &aead_id) ||
|
606
|
-
!CBS_get_u8(&ech_body, &config_id) ||
|
607
|
-
!CBS_get_u16_length_prefixed(&ech_body, &enc) ||
|
608
|
-
!CBS_get_u16_length_prefixed(&ech_body, &payload) ||
|
609
|
-
CBS_len(&ech_body) != 0) {
|
610
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
611
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
612
|
-
return ssl_hs_error;
|
613
|
-
}
|
614
|
-
|
615
|
-
{
|
616
|
-
MutexReadLock lock(&ssl->ctx->lock);
|
617
|
-
hs->ech_keys = UpRef(ssl->ctx->ech_keys);
|
618
|
-
}
|
619
|
-
|
620
|
-
if (hs->ech_keys) {
|
621
|
-
for (const auto &config : hs->ech_keys->configs) {
|
622
|
-
hs->ech_hpke_ctx.Reset();
|
623
|
-
if (config_id != config->ech_config().config_id ||
|
624
|
-
!config->SetupContext(hs->ech_hpke_ctx.get(), kdf_id, aead_id,
|
625
|
-
enc)) {
|
626
|
-
// Ignore the error and try another ECHConfig.
|
627
|
-
ERR_clear_error();
|
628
|
-
continue;
|
629
|
-
}
|
630
|
-
Array<uint8_t> encoded_client_hello_inner;
|
631
|
-
bool is_decrypt_error;
|
632
|
-
if (!ssl_client_hello_decrypt(hs->ech_hpke_ctx.get(),
|
633
|
-
&encoded_client_hello_inner,
|
634
|
-
&is_decrypt_error, &client_hello, kdf_id,
|
635
|
-
aead_id, config_id, enc, payload)) {
|
636
|
-
if (is_decrypt_error) {
|
637
|
-
// Ignore the error and try another ECHConfig.
|
638
|
-
ERR_clear_error();
|
639
|
-
continue;
|
640
|
-
}
|
641
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
|
642
|
-
return ssl_hs_error;
|
643
|
-
}
|
644
|
-
|
645
|
-
// Recover the ClientHelloInner from the EncodedClientHelloInner.
|
646
|
-
uint8_t alert = SSL_AD_DECODE_ERROR;
|
647
|
-
bssl::Array<uint8_t> client_hello_inner;
|
648
|
-
if (!ssl_decode_client_hello_inner(ssl, &alert, &client_hello_inner,
|
649
|
-
encoded_client_hello_inner,
|
650
|
-
&client_hello)) {
|
651
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
652
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
653
|
-
return ssl_hs_error;
|
654
|
-
}
|
655
|
-
hs->ech_client_hello_buf = std::move(client_hello_inner);
|
656
|
-
|
657
|
-
// Load the ClientHelloInner into |client_hello|.
|
658
|
-
if (!hs->GetClientHello(&msg, &client_hello)) {
|
659
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
660
|
-
return ssl_hs_error;
|
661
|
-
}
|
662
|
-
|
663
|
-
hs->ech_config_id = config_id;
|
664
|
-
ssl->s3->ech_status = ssl_ech_accepted;
|
665
|
-
break;
|
666
|
-
}
|
667
|
-
}
|
671
|
+
uint8_t alert = SSL_AD_DECODE_ERROR;
|
672
|
+
if (!decrypt_ech(hs, &alert, &client_hello)) {
|
673
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
674
|
+
return ssl_hs_error;
|
675
|
+
}
|
668
676
|
|
669
|
-
|
670
|
-
|
671
|
-
|
672
|
-
|
673
|
-
|
674
|
-
}
|
677
|
+
// ECH may have changed which ClientHello we process. Update |msg| and
|
678
|
+
// |client_hello| in case.
|
679
|
+
if (!hs->GetClientHello(&msg, &client_hello)) {
|
680
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
681
|
+
return ssl_hs_error;
|
675
682
|
}
|
676
683
|
|
677
|
-
uint8_t alert = SSL_AD_DECODE_ERROR;
|
678
684
|
if (!extract_sni(hs, &alert, &client_hello)) {
|
679
685
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
680
686
|
return ssl_hs_error;
|
@@ -751,12 +757,6 @@ static enum ssl_hs_wait_t do_read_client_hello_after_ech(SSL_HANDSHAKE *hs) {
|
|
751
757
|
return ssl_hs_error;
|
752
758
|
}
|
753
759
|
|
754
|
-
if (hs->ech_present && hs->ech_is_inner_present) {
|
755
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
756
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
757
|
-
return ssl_hs_error;
|
758
|
-
}
|
759
|
-
|
760
760
|
hs->state = state12_select_certificate;
|
761
761
|
return ssl_hs_ok;
|
762
762
|
}
|
@@ -973,8 +973,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
|
|
973
973
|
}
|
974
974
|
|
975
975
|
static void copy_suffix(Span<uint8_t> out, Span<const uint8_t> in) {
|
976
|
-
out = out.
|
977
|
-
assert(out.size() == in.size());
|
976
|
+
out = out.last(in.size());
|
978
977
|
OPENSSL_memcpy(out.data(), in.data(), in.size());
|
979
978
|
}
|
980
979
|
|