grpc 1.41.0 → 1.42.0.pre1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of grpc might be problematic. Click here for more details.

Files changed (519) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +57 -44
  3. data/etc/roots.pem +335 -326
  4. data/include/grpc/event_engine/event_engine.h +82 -42
  5. data/include/grpc/event_engine/internal/memory_allocator_impl.h +98 -0
  6. data/include/grpc/event_engine/memory_allocator.h +210 -0
  7. data/include/grpc/grpc.h +4 -0
  8. data/include/grpc/grpc_security.h +18 -0
  9. data/include/grpc/grpc_security_constants.h +1 -0
  10. data/include/grpc/impl/codegen/port_platform.h +7 -0
  11. data/src/core/ext/filters/client_channel/backend_metric.cc +18 -19
  12. data/src/core/ext/filters/client_channel/backup_poller.cc +2 -1
  13. data/src/core/ext/filters/client_channel/channel_connectivity.cc +71 -89
  14. data/src/core/ext/filters/client_channel/client_channel.cc +187 -252
  15. data/src/core/ext/filters/client_channel/client_channel.h +74 -27
  16. data/src/core/ext/filters/client_channel/client_channel_factory.cc +1 -1
  17. data/src/core/ext/filters/client_channel/client_channel_factory.h +17 -19
  18. data/src/core/ext/filters/client_channel/client_channel_plugin.cc +8 -14
  19. data/src/core/ext/filters/client_channel/config_selector.cc +1 -1
  20. data/src/core/ext/filters/client_channel/config_selector.h +4 -5
  21. data/src/core/ext/filters/client_channel/connector.h +18 -18
  22. data/src/core/ext/filters/client_channel/dynamic_filters.cc +1 -1
  23. data/src/core/ext/filters/client_channel/global_subchannel_pool.h +0 -1
  24. data/src/core/ext/filters/client_channel/health/health_check_client.cc +12 -11
  25. data/src/core/ext/filters/client_channel/http_connect_handshaker.h +1 -1
  26. data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.cc +4 -0
  27. data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +6 -15
  28. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +166 -82
  29. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h +4 -0
  30. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.cc +1 -1
  31. data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.cc +2 -4
  32. data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +23 -7
  33. data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +15 -10
  34. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +2 -3
  35. data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +2502 -0
  36. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +6 -1
  37. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +7 -1
  38. data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +6 -2
  39. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h +1 -1
  40. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +5 -0
  41. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +8 -1
  42. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +7 -16
  43. data/src/core/ext/filters/client_channel/lb_policy.h +11 -1
  44. data/src/core/ext/filters/client_channel/lb_policy_factory.h +1 -0
  45. data/src/core/ext/filters/client_channel/resolver/binder/binder_resolver.cc +139 -0
  46. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +11 -5
  47. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +3 -3
  48. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +12 -39
  49. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +21 -1
  50. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +6 -2
  51. data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +3 -1
  52. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +77 -68
  53. data/src/core/ext/filters/client_channel/resolver.h +1 -1
  54. data/src/core/ext/filters/client_channel/resolver_factory.h +2 -0
  55. data/src/core/ext/filters/client_channel/resolver_registry.cc +6 -8
  56. data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +1 -1
  57. data/src/core/ext/filters/client_channel/resolver_result_parsing.h +1 -1
  58. data/src/core/ext/filters/client_channel/retry_filter.cc +48 -86
  59. data/src/core/ext/filters/client_channel/retry_service_config.h +1 -1
  60. data/src/core/ext/filters/client_channel/retry_throttle.cc +17 -48
  61. data/src/core/ext/filters/client_channel/server_address.h +1 -1
  62. data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +49 -36
  63. data/src/core/ext/filters/client_channel/subchannel.cc +85 -143
  64. data/src/core/ext/filters/client_channel/subchannel.h +29 -49
  65. data/src/core/ext/filters/client_channel/subchannel_pool_interface.cc +22 -7
  66. data/src/core/ext/filters/client_channel/subchannel_pool_interface.h +11 -2
  67. data/src/core/ext/filters/client_idle/client_idle_filter.cc +27 -210
  68. data/src/core/ext/filters/client_idle/idle_filter_state.cc +96 -0
  69. data/src/core/ext/filters/client_idle/idle_filter_state.h +66 -0
  70. data/src/core/ext/filters/deadline/deadline_filter.cc +23 -26
  71. data/src/core/ext/filters/fault_injection/fault_injection_filter.cc +19 -19
  72. data/src/core/ext/filters/fault_injection/service_config_parser.cc +0 -1
  73. data/src/core/ext/filters/fault_injection/service_config_parser.h +1 -1
  74. data/src/core/ext/filters/http/client/http_client_filter.cc +41 -44
  75. data/src/core/ext/filters/http/client_authority_filter.cc +14 -15
  76. data/src/core/ext/filters/http/http_filters_plugin.cc +53 -71
  77. data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +17 -12
  78. data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +1 -1
  79. data/src/core/ext/filters/http/server/http_server_filter.cc +72 -69
  80. data/src/core/ext/filters/max_age/max_age_filter.cc +24 -26
  81. data/src/core/ext/filters/message_size/message_size_filter.cc +19 -16
  82. data/src/core/ext/filters/message_size/message_size_filter.h +1 -1
  83. data/src/core/ext/{filters/client_channel → service_config}/service_config.cc +2 -2
  84. data/src/core/ext/{filters/client_channel → service_config}/service_config.h +4 -4
  85. data/src/core/ext/service_config/service_config_call_data.h +72 -0
  86. data/src/core/ext/{filters/client_channel → service_config}/service_config_parser.cc +3 -3
  87. data/src/core/ext/{filters/client_channel → service_config}/service_config_parser.h +8 -6
  88. data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +2 -5
  89. data/src/core/ext/transport/chttp2/client/insecure/channel_create.cc +19 -24
  90. data/src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc +27 -50
  91. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +14 -16
  92. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +59 -58
  93. data/src/core/ext/transport/chttp2/transport/flow_control.cc +19 -16
  94. data/src/core/ext/transport/chttp2/transport/flow_control.h +4 -4
  95. data/src/core/ext/transport/chttp2/transport/frame_data.cc +4 -4
  96. data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +2 -1
  97. data/src/core/ext/transport/chttp2/transport/frame_ping.cc +2 -1
  98. data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +2 -3
  99. data/src/core/ext/transport/chttp2/transport/frame_settings.cc +2 -2
  100. data/src/core/ext/transport/chttp2/transport/hpack_constants.h +1 -1
  101. data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +41 -1
  102. data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +8 -4
  103. data/src/core/ext/transport/chttp2/transport/hpack_encoder_index.h +1 -1
  104. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +136 -98
  105. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +27 -8
  106. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +12 -25
  107. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +37 -30
  108. data/src/core/ext/transport/chttp2/transport/internal.h +4 -3
  109. data/src/core/ext/transport/chttp2/transport/parsing.cc +30 -173
  110. data/src/core/ext/transport/chttp2/transport/popularity_count.h +1 -1
  111. data/src/core/ext/transport/chttp2/transport/writing.cc +29 -22
  112. data/src/core/ext/transport/inproc/inproc_transport.cc +105 -109
  113. data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +68 -34
  114. data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +139 -1
  115. data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +16 -4
  116. data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.h +53 -4
  117. data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c +3 -2
  118. data/src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.h +15 -0
  119. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +13 -8
  120. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +23 -0
  121. data/src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint_components.upb.c +0 -1
  122. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +14 -11
  123. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +17 -0
  124. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +15 -12
  125. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +49 -19
  126. data/src/core/ext/upb-generated/src/proto/grpc/lookup/v1/rls.upb.c +55 -0
  127. data/src/core/ext/upb-generated/src/proto/grpc/lookup/v1/rls.upb.h +154 -0
  128. data/src/core/ext/upb-generated/udpa/annotations/security.upb.c +0 -2
  129. data/src/core/ext/upb-generated/xds/annotations/v3/status.upb.c +58 -0
  130. data/src/core/ext/upb-generated/xds/annotations/v3/status.upb.h +182 -0
  131. data/src/core/ext/upb-generated/xds/core/v3/authority.upb.c +1 -1
  132. data/src/core/ext/upb-generated/xds/core/v3/collection_entry.upb.c +1 -1
  133. data/src/core/ext/upb-generated/xds/core/v3/context_params.upb.c +1 -1
  134. data/src/core/ext/upb-generated/xds/core/v3/resource.upb.c +1 -1
  135. data/src/core/ext/upb-generated/xds/core/v3/resource_locator.upb.c +1 -1
  136. data/src/core/ext/upb-generated/xds/core/v3/resource_name.upb.c +1 -1
  137. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +58 -0
  138. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +130 -0
  139. data/src/core/ext/upb-generated/{udpa/type/v1 → xds/type/v3}/typed_struct.upb.c +7 -7
  140. data/src/core/ext/upb-generated/xds/type/v3/typed_struct.upb.h +83 -0
  141. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.c +310 -286
  142. data/src/core/ext/upbdefs-generated/envoy/config/cluster/v3/cluster.upbdefs.h +10 -0
  143. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.c +101 -88
  144. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/base.upbdefs.h +5 -0
  145. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/health_check.upbdefs.c +59 -56
  146. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +59 -46
  147. data/src/core/ext/upbdefs-generated/envoy/config/endpoint/v3/endpoint_components.upbdefs.c +78 -82
  148. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +323 -316
  149. data/src/core/ext/upbdefs-generated/udpa/annotations/migrate.upbdefs.c +5 -4
  150. data/src/core/ext/upbdefs-generated/udpa/annotations/security.upbdefs.c +19 -23
  151. data/src/core/ext/upbdefs-generated/udpa/annotations/sensitive.upbdefs.c +4 -3
  152. data/src/core/ext/upbdefs-generated/udpa/annotations/status.upbdefs.c +5 -3
  153. data/src/core/ext/upbdefs-generated/udpa/annotations/versioning.upbdefs.c +5 -4
  154. data/src/core/ext/upbdefs-generated/xds/annotations/v3/status.upbdefs.c +75 -0
  155. data/src/core/ext/upbdefs-generated/xds/annotations/v3/status.upbdefs.h +50 -0
  156. data/src/core/ext/upbdefs-generated/xds/core/v3/authority.upbdefs.c +13 -12
  157. data/src/core/ext/upbdefs-generated/xds/core/v3/collection_entry.upbdefs.c +25 -24
  158. data/src/core/ext/upbdefs-generated/xds/core/v3/context_params.upbdefs.c +16 -15
  159. data/src/core/ext/upbdefs-generated/xds/core/v3/resource.upbdefs.c +17 -16
  160. data/src/core/ext/upbdefs-generated/xds/core/v3/resource_locator.upbdefs.c +33 -32
  161. data/src/core/ext/upbdefs-generated/xds/core/v3/resource_name.upbdefs.c +19 -18
  162. data/src/core/ext/upbdefs-generated/xds/type/v3/typed_struct.upbdefs.c +45 -0
  163. data/src/core/ext/upbdefs-generated/xds/type/v3/typed_struct.upbdefs.h +35 -0
  164. data/src/core/ext/xds/xds_api.cc +325 -362
  165. data/src/core/ext/xds/xds_api.h +134 -82
  166. data/src/core/ext/xds/xds_bootstrap.h +10 -0
  167. data/src/core/ext/xds/xds_certificate_provider.cc +3 -3
  168. data/src/core/ext/xds/xds_channel_stack_modifier.cc +113 -0
  169. data/src/core/ext/xds/xds_channel_stack_modifier.h +52 -0
  170. data/src/core/ext/xds/xds_client.cc +527 -314
  171. data/src/core/ext/xds/xds_client.h +42 -37
  172. data/src/core/ext/xds/xds_client_stats.h +1 -1
  173. data/src/core/ext/xds/xds_server_config_fetcher.cc +5 -7
  174. data/src/core/lib/address_utils/parse_address.cc +2 -0
  175. data/src/core/lib/avl/avl.cc +5 -5
  176. data/src/core/lib/backoff/backoff.cc +1 -1
  177. data/src/core/lib/channel/channel_args.cc +24 -6
  178. data/src/core/lib/channel/channel_args.h +9 -0
  179. data/src/core/lib/channel/channel_stack_builder.cc +3 -3
  180. data/src/core/lib/channel/channel_trace.cc +1 -1
  181. data/src/core/lib/channel/channel_trace.h +1 -1
  182. data/src/core/lib/channel/channelz.cc +3 -3
  183. data/src/core/lib/channel/channelz.h +2 -2
  184. data/src/core/lib/channel/channelz_registry.cc +1 -1
  185. data/src/core/lib/channel/channelz_registry.h +1 -1
  186. data/src/core/lib/channel/connected_channel.cc +1 -3
  187. data/src/core/lib/channel/connected_channel.h +1 -2
  188. data/src/core/lib/compression/compression.cc +2 -2
  189. data/src/core/lib/compression/compression_args.cc +6 -4
  190. data/src/core/lib/compression/compression_internal.cc +2 -2
  191. data/src/core/lib/compression/compression_internal.h +1 -1
  192. data/src/core/lib/config/core_configuration.cc +44 -2
  193. data/src/core/lib/config/core_configuration.h +39 -1
  194. data/src/core/lib/debug/stats.cc +1 -1
  195. data/src/core/lib/debug/stats_data.cc +13 -13
  196. data/src/core/lib/gpr/atm.cc +1 -1
  197. data/src/core/lib/gpr/cpu_posix.cc +1 -1
  198. data/src/core/lib/gpr/string.cc +2 -2
  199. data/src/core/lib/gpr/tls.h +1 -1
  200. data/src/core/lib/gpr/useful.h +79 -32
  201. data/src/core/lib/gprpp/arena.h +10 -0
  202. data/src/core/lib/gprpp/bitset.h +38 -16
  203. data/src/core/lib/gprpp/chunked_vector.h +211 -0
  204. data/src/core/lib/gprpp/construct_destruct.h +1 -1
  205. data/src/core/lib/gprpp/match.h +1 -1
  206. data/src/core/lib/gprpp/memory.h +6 -0
  207. data/src/core/lib/gprpp/overload.h +1 -1
  208. data/src/core/lib/gprpp/status_helper.cc +23 -3
  209. data/src/core/lib/gprpp/status_helper.h +12 -1
  210. data/src/core/lib/gprpp/table.h +411 -0
  211. data/src/core/lib/http/httpcli.cc +200 -182
  212. data/src/core/lib/http/parser.cc +2 -2
  213. data/src/core/lib/iomgr/call_combiner.cc +28 -10
  214. data/src/core/lib/iomgr/combiner.cc +6 -21
  215. data/src/core/lib/iomgr/endpoint_cfstream.cc +7 -6
  216. data/src/core/lib/iomgr/error.cc +113 -52
  217. data/src/core/lib/iomgr/error.h +50 -9
  218. data/src/core/lib/iomgr/error_cfstream.cc +5 -0
  219. data/src/core/lib/iomgr/ev_epoll1_linux.cc +3 -2
  220. data/src/core/lib/iomgr/ev_epollex_linux.cc +7 -7
  221. data/src/core/lib/iomgr/ev_poll_posix.cc +29 -20
  222. data/src/core/lib/iomgr/event_engine/closure.cc +41 -18
  223. data/src/core/lib/iomgr/event_engine/closure.h +10 -1
  224. data/src/core/lib/iomgr/event_engine/endpoint.cc +3 -3
  225. data/src/core/lib/iomgr/event_engine/iomgr.cc +1 -1
  226. data/src/core/lib/iomgr/event_engine/pollset.cc +5 -4
  227. data/src/core/lib/iomgr/event_engine/resolver.cc +10 -7
  228. data/src/core/lib/iomgr/event_engine/tcp.cc +9 -8
  229. data/src/core/lib/iomgr/event_engine/timer.cc +7 -2
  230. data/src/core/lib/iomgr/exec_ctx.cc +1 -9
  231. data/src/core/lib/iomgr/executor/mpmcqueue.cc +5 -7
  232. data/src/core/lib/iomgr/executor/mpmcqueue.h +3 -8
  233. data/src/core/lib/iomgr/executor.cc +6 -20
  234. data/src/core/lib/iomgr/iomgr.cc +3 -1
  235. data/src/core/lib/iomgr/iomgr_internal.cc +4 -9
  236. data/src/core/lib/iomgr/iomgr_internal.h +3 -2
  237. data/src/core/lib/iomgr/load_file.cc +2 -2
  238. data/src/core/lib/iomgr/lockfree_event.cc +18 -0
  239. data/src/core/lib/iomgr/pollset_custom.cc +1 -1
  240. data/src/core/lib/iomgr/pollset_custom.h +1 -1
  241. data/src/core/lib/iomgr/resolve_address_posix.cc +5 -7
  242. data/src/core/lib/iomgr/resource_quota.cc +13 -11
  243. data/src/core/lib/iomgr/socket_factory_posix.cc +2 -2
  244. data/src/core/lib/iomgr/socket_mutator.cc +2 -2
  245. data/src/core/lib/iomgr/socket_utils_common_posix.cc +1 -2
  246. data/src/core/lib/iomgr/tcp_client_cfstream.cc +5 -3
  247. data/src/core/lib/iomgr/tcp_client_custom.cc +1 -1
  248. data/src/core/lib/iomgr/tcp_client_posix.cc +9 -18
  249. data/src/core/lib/iomgr/tcp_client_windows.cc +2 -3
  250. data/src/core/lib/iomgr/tcp_posix.cc +4 -5
  251. data/src/core/lib/iomgr/tcp_server_custom.cc +2 -1
  252. data/src/core/lib/iomgr/tcp_server_posix.cc +3 -4
  253. data/src/core/lib/iomgr/tcp_server_windows.cc +4 -5
  254. data/src/core/lib/iomgr/tcp_windows.cc +2 -2
  255. data/src/core/lib/iomgr/timer_generic.cc +13 -13
  256. data/src/core/lib/iomgr/timer_heap.cc +1 -1
  257. data/src/core/lib/json/json_util.cc +68 -0
  258. data/src/core/lib/json/json_util.h +57 -99
  259. data/src/core/lib/json/json_writer.cc +0 -3
  260. data/src/core/lib/security/authorization/authorization_policy_provider.h +1 -1
  261. data/src/core/lib/security/authorization/authorization_policy_provider_vtable.cc +1 -1
  262. data/src/core/lib/security/authorization/evaluate_args.cc +14 -12
  263. data/src/core/lib/security/authorization/sdk_server_authz_filter.cc +13 -1
  264. data/src/core/lib/security/context/security_context.cc +4 -2
  265. data/src/core/lib/security/credentials/composite/composite_credentials.cc +1 -1
  266. data/src/core/lib/security/credentials/credentials.cc +4 -2
  267. data/src/core/lib/security/credentials/credentials.h +6 -1
  268. data/src/core/lib/security/credentials/external/external_account_credentials.cc +47 -11
  269. data/src/core/lib/security/credentials/external/external_account_credentials.h +1 -0
  270. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +1 -1
  271. data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +5 -9
  272. data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +2 -2
  273. data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +2 -2
  274. data/src/core/lib/security/security_connector/security_connector.cc +9 -4
  275. data/src/core/lib/security/security_connector/security_connector.h +1 -1
  276. data/src/core/lib/security/security_connector/ssl_utils.cc +1 -1
  277. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +1 -0
  278. data/src/core/lib/security/security_connector/tls/tls_security_connector.h +0 -2
  279. data/src/core/lib/security/transport/client_auth_filter.cc +5 -5
  280. data/src/core/lib/security/transport/security_handshaker.cc +73 -43
  281. data/src/core/lib/security/transport/server_auth_filter.cc +3 -5
  282. data/src/core/lib/security/transport/tsi_error.cc +3 -5
  283. data/src/core/lib/slice/slice.cc +0 -16
  284. data/src/core/lib/slice/slice_api.cc +39 -0
  285. data/src/core/lib/slice/slice_buffer.cc +5 -5
  286. data/src/core/lib/slice/slice_intern.cc +8 -13
  287. data/src/core/lib/slice/slice_internal.h +1 -244
  288. data/src/core/lib/slice/slice_refcount.cc +17 -0
  289. data/src/core/lib/slice/slice_refcount.h +121 -0
  290. data/src/core/lib/slice/slice_refcount_base.h +173 -0
  291. data/src/core/lib/slice/slice_split.cc +100 -0
  292. data/src/core/lib/slice/slice_split.h +40 -0
  293. data/src/core/lib/slice/slice_string_helpers.cc +0 -83
  294. data/src/core/lib/slice/slice_string_helpers.h +0 -11
  295. data/src/core/lib/slice/static_slice.cc +529 -0
  296. data/src/core/lib/slice/static_slice.h +331 -0
  297. data/src/core/lib/surface/builtins.cc +49 -0
  298. data/src/core/{ext/filters/workarounds/workaround_cronet_compression_filter.h → lib/surface/builtins.h} +8 -9
  299. data/src/core/lib/surface/call.cc +103 -120
  300. data/src/core/lib/surface/call.h +0 -6
  301. data/src/core/lib/surface/channel.cc +19 -32
  302. data/src/core/lib/surface/channel.h +0 -9
  303. data/src/core/lib/surface/channel_init.cc +23 -76
  304. data/src/core/lib/surface/channel_init.h +52 -44
  305. data/src/core/lib/surface/completion_queue.cc +6 -5
  306. data/src/core/lib/surface/init.cc +0 -39
  307. data/src/core/lib/surface/init_secure.cc +17 -14
  308. data/src/core/lib/surface/lame_client.cc +18 -11
  309. data/src/core/lib/surface/lame_client.h +1 -1
  310. data/src/core/lib/surface/server.cc +25 -17
  311. data/src/core/lib/surface/server.h +17 -10
  312. data/src/core/lib/surface/validate_metadata.cc +5 -2
  313. data/src/core/lib/surface/version.cc +2 -2
  314. data/src/core/lib/transport/bdp_estimator.cc +1 -1
  315. data/src/core/lib/transport/error_utils.cc +42 -17
  316. data/src/core/lib/transport/error_utils.h +1 -1
  317. data/src/core/lib/transport/metadata.cc +31 -10
  318. data/src/core/lib/transport/metadata.h +2 -1
  319. data/src/core/lib/transport/metadata_batch.cc +35 -371
  320. data/src/core/lib/transport/metadata_batch.h +905 -71
  321. data/src/core/lib/transport/parsed_metadata.h +263 -0
  322. data/src/core/lib/transport/pid_controller.cc +4 -4
  323. data/src/core/lib/transport/static_metadata.cc +714 -846
  324. data/src/core/lib/transport/static_metadata.h +115 -379
  325. data/src/core/lib/transport/status_metadata.cc +1 -0
  326. data/src/core/lib/transport/transport.cc +4 -5
  327. data/src/core/lib/transport/transport_op_string.cc +40 -20
  328. data/src/core/plugin_registry/grpc_plugin_registry.cc +64 -43
  329. data/src/core/tsi/alts/crypt/aes_gcm.cc +3 -1
  330. data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +13 -12
  331. data/src/core/tsi/alts/frame_protector/frame_handler.cc +10 -11
  332. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +1 -2
  333. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +12 -2
  334. data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.cc +1 -1
  335. data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +2 -2
  336. data/src/core/tsi/fake_transport_security.cc +15 -7
  337. data/src/core/tsi/local_transport_security.cc +36 -73
  338. data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +16 -50
  339. data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +4 -3
  340. data/src/core/tsi/ssl_transport_security.cc +10 -2
  341. data/src/core/tsi/transport_security.cc +12 -0
  342. data/src/core/tsi/transport_security.h +16 -1
  343. data/src/core/tsi/transport_security_interface.h +26 -0
  344. data/src/ruby/ext/grpc/extconf.rb +12 -9
  345. data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +4 -0
  346. data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +6 -0
  347. data/src/ruby/lib/grpc/version.rb +1 -1
  348. data/src/ruby/pb/src/proto/grpc/testing/test_pb.rb +2 -2
  349. data/src/ruby/spec/client_server_spec.rb +1 -1
  350. data/third_party/abseil-cpp/absl/base/internal/thread_identity.cc +4 -4
  351. data/third_party/abseil-cpp/absl/base/internal/thread_identity.h +11 -6
  352. data/third_party/address_sorting/address_sorting_posix.c +1 -0
  353. data/third_party/boringssl-with-bazel/err_data.c +278 -272
  354. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +21 -22
  355. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +0 -2
  356. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +5 -0
  357. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +15 -22
  358. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +13 -7
  359. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +19 -29
  360. data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/a_strex.c +268 -271
  361. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +106 -153
  362. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +2 -2
  363. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +0 -39
  364. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +1 -1
  365. data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/charmap.h +0 -0
  366. data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +38 -0
  367. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +8 -8
  368. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +289 -198
  369. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +8 -8
  370. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +9 -13
  371. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +1 -0
  372. data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +11 -8
  373. data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +1 -7
  374. data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +1 -5
  375. data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +0 -4
  376. data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +1 -7
  377. data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -6
  378. data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -17
  379. data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +4 -6
  380. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +9 -0
  381. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +8 -0
  382. data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +38 -47
  383. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +45 -65
  384. data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +1 -0
  385. data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +32 -34
  386. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +21 -3
  387. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +3 -2
  388. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +5 -2
  389. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +5 -9
  390. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +10 -0
  391. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/des/des.c +10 -11
  392. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/des/internal.h +1 -3
  393. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +4 -7
  394. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md5/md5.c +4 -7
  395. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +1 -1
  396. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +1 -1
  397. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +24 -9
  398. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +4 -2
  399. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +35 -35
  400. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +11 -10
  401. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +10 -37
  402. data/third_party/boringssl-with-bazel/src/crypto/internal.h +39 -0
  403. data/third_party/boringssl-with-bazel/src/crypto/mem.c +12 -9
  404. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +0 -9
  405. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +0 -2
  406. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +0 -8
  407. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +0 -2
  408. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +0 -4
  409. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/internal.h +16 -7
  410. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7.c +9 -4
  411. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +151 -12
  412. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +1 -1
  413. data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +6 -6
  414. data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +2 -0
  415. data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +181 -1
  416. data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +246 -0
  417. data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +11 -2
  418. data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +0 -2
  419. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +0 -179
  420. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +4 -2
  421. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +0 -5
  422. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +1 -0
  423. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +11 -50
  424. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +1 -1
  425. data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +2 -4
  426. data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +0 -16
  427. data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +22 -18
  428. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +11 -8
  429. data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +16 -0
  430. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +1 -0
  431. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +1 -1
  432. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_int.h +1 -1
  433. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +1 -0
  434. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +4 -3
  435. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +24 -5
  436. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +17 -8
  437. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -0
  438. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +6 -6
  439. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +4 -0
  440. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +5 -0
  441. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +112 -55
  442. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +2 -1
  443. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +0 -2
  444. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +1 -1
  445. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +71 -26
  446. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +366 -227
  447. data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +2 -9
  448. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +10 -4
  449. data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +3 -1
  450. data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +3 -3
  451. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +9 -0
  452. data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +8 -2
  453. data/third_party/boringssl-with-bazel/src/include/openssl/hkdf.h +4 -0
  454. data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +9 -3
  455. data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -20
  456. data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +12 -5
  457. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +5 -0
  458. data/third_party/boringssl-with-bazel/src/include/openssl/span.h +37 -15
  459. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +28 -14
  460. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +31 -32
  461. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +529 -91
  462. data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +16 -695
  463. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +48 -8
  464. data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +266 -357
  465. data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +90 -152
  466. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +15 -13
  467. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +75 -79
  468. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +96 -97
  469. data/third_party/boringssl-with-bazel/src/ssl/internal.h +63 -43
  470. data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +2 -2
  471. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +2 -2
  472. data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +6 -12
  473. data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +14 -17
  474. data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +14 -27
  475. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +203 -203
  476. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +30 -41
  477. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +47 -33
  478. data/third_party/re2/re2/compile.cc +91 -109
  479. data/third_party/re2/re2/dfa.cc +27 -39
  480. data/third_party/re2/re2/filtered_re2.cc +18 -2
  481. data/third_party/re2/re2/filtered_re2.h +10 -5
  482. data/third_party/re2/re2/nfa.cc +1 -1
  483. data/third_party/re2/re2/parse.cc +42 -23
  484. data/third_party/re2/re2/perl_groups.cc +34 -34
  485. data/third_party/re2/re2/prefilter.cc +3 -2
  486. data/third_party/re2/re2/prog.cc +182 -4
  487. data/third_party/re2/re2/prog.h +28 -9
  488. data/third_party/re2/re2/re2.cc +87 -118
  489. data/third_party/re2/re2/re2.h +156 -141
  490. data/third_party/re2/re2/regexp.cc +12 -5
  491. data/third_party/re2/re2/regexp.h +8 -2
  492. data/third_party/re2/re2/set.cc +31 -9
  493. data/third_party/re2/re2/set.h +9 -4
  494. data/third_party/re2/re2/simplify.cc +11 -3
  495. data/third_party/re2/re2/tostring.cc +1 -1
  496. data/third_party/re2/re2/walker-inl.h +1 -1
  497. data/third_party/re2/util/mutex.h +2 -2
  498. data/third_party/re2/util/pcre.h +3 -3
  499. metadata +83 -70
  500. data/include/grpc/event_engine/slice_allocator.h +0 -71
  501. data/src/core/ext/filters/client_channel/service_config_call_data.h +0 -126
  502. data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +0 -211
  503. data/src/core/ext/filters/workarounds/workaround_utils.cc +0 -53
  504. data/src/core/ext/filters/workarounds/workaround_utils.h +0 -39
  505. data/src/core/ext/transport/chttp2/client/authority.cc +0 -42
  506. data/src/core/ext/transport/chttp2/client/authority.h +0 -36
  507. data/src/core/ext/transport/chttp2/transport/chttp2_slice_allocator.cc +0 -67
  508. data/src/core/ext/transport/chttp2/transport/chttp2_slice_allocator.h +0 -74
  509. data/src/core/ext/transport/chttp2/transport/incoming_metadata.cc +0 -66
  510. data/src/core/ext/transport/chttp2/transport/incoming_metadata.h +0 -58
  511. data/src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.c +0 -58
  512. data/src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.h +0 -130
  513. data/src/core/ext/upb-generated/udpa/type/v1/typed_struct.upb.h +0 -83
  514. data/src/core/ext/upbdefs-generated/udpa/type/v1/typed_struct.upbdefs.c +0 -44
  515. data/src/core/ext/upbdefs-generated/udpa/type/v1/typed_struct.upbdefs.h +0 -35
  516. data/src/core/lib/iomgr/udp_server.cc +0 -747
  517. data/src/core/lib/iomgr/udp_server.h +0 -103
  518. data/src/core/lib/transport/authority_override.cc +0 -40
  519. data/src/core/lib/transport/authority_override.h +0 -37
@@ -101,6 +101,73 @@ static bool close_early_data(SSL_HANDSHAKE *hs, ssl_encryption_level_t level) {
101
101
  return true;
102
102
  }
103
103
 
104
+ static bool parse_server_hello_tls13(const SSL_HANDSHAKE *hs,
105
+ ParsedServerHello *out, uint8_t *out_alert,
106
+ const SSLMessage &msg) {
107
+ if (!ssl_parse_server_hello(out, out_alert, msg)) {
108
+ return false;
109
+ }
110
+ // The RFC8446 version of the structure fixes some legacy values.
111
+ // Additionally, the session ID must echo the original one.
112
+ if (out->legacy_version != TLS1_2_VERSION ||
113
+ out->compression_method != 0 ||
114
+ !CBS_mem_equal(&out->session_id, hs->session_id, hs->session_id_len) ||
115
+ CBS_len(&out->extensions) == 0) {
116
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
117
+ *out_alert = SSL_AD_DECODE_ERROR;
118
+ return false;
119
+ }
120
+ return true;
121
+ }
122
+
123
+ static bool is_hello_retry_request(const ParsedServerHello &server_hello) {
124
+ return Span<const uint8_t>(server_hello.random) == kHelloRetryRequest;
125
+ }
126
+
127
+ static bool check_ech_confirmation(const SSL_HANDSHAKE *hs, bool *out_accepted,
128
+ uint8_t *out_alert,
129
+ const ParsedServerHello &server_hello) {
130
+ const bool is_hrr = is_hello_retry_request(server_hello);
131
+ size_t offset;
132
+ if (is_hrr) {
133
+ // We check for an unsolicited extension when parsing all of them.
134
+ SSLExtension ech(TLSEXT_TYPE_encrypted_client_hello);
135
+ if (!ssl_parse_extensions(&server_hello.extensions, out_alert, {&ech},
136
+ /*ignore_unknown=*/true)) {
137
+ return false;
138
+ }
139
+ if (!ech.present) {
140
+ *out_accepted = false;
141
+ return true;
142
+ }
143
+ if (CBS_len(&ech.data) != ECH_CONFIRMATION_SIGNAL_LEN) {
144
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
145
+ *out_alert = SSL_AD_DECODE_ERROR;
146
+ return false;
147
+ }
148
+ offset = CBS_data(&ech.data) - CBS_data(&server_hello.raw);
149
+ } else {
150
+ offset = ssl_ech_confirmation_signal_hello_offset(hs->ssl);
151
+ }
152
+
153
+ if (!hs->selected_ech_config) {
154
+ *out_accepted = false;
155
+ return true;
156
+ }
157
+
158
+ uint8_t expected[ECH_CONFIRMATION_SIGNAL_LEN];
159
+ if (!ssl_ech_accept_confirmation(hs, expected, hs->inner_client_random,
160
+ hs->inner_transcript, is_hrr,
161
+ server_hello.raw, offset)) {
162
+ *out_alert = SSL_AD_INTERNAL_ERROR;
163
+ return false;
164
+ }
165
+
166
+ *out_accepted = CRYPTO_memcmp(CBS_data(&server_hello.raw) + offset, expected,
167
+ sizeof(expected)) == 0;
168
+ return true;
169
+ }
170
+
104
171
  static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
105
172
  SSL *const ssl = hs->ssl;
106
173
  assert(ssl->s3->have_version);
@@ -117,36 +184,17 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
117
184
  return ssl_hs_error;
118
185
  }
119
186
 
120
- if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
121
- return ssl_hs_error;
122
- }
123
-
124
- CBS body = msg.body, extensions, server_random, session_id;
125
- uint16_t server_version, cipher_suite;
126
- uint8_t compression_method;
127
- if (!CBS_get_u16(&body, &server_version) ||
128
- !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||
129
- !CBS_get_u8_length_prefixed(&body, &session_id) ||
130
- !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||
131
- !CBS_get_u16(&body, &cipher_suite) ||
132
- !CBS_get_u8(&body, &compression_method) ||
133
- compression_method != 0 ||
134
- !CBS_get_u16_length_prefixed(&body, &extensions) ||
135
- CBS_len(&extensions) == 0 ||
136
- CBS_len(&body) != 0) {
137
- OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
138
- ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
187
+ ParsedServerHello server_hello;
188
+ uint8_t alert = SSL_AD_DECODE_ERROR;
189
+ if (!parse_server_hello_tls13(hs, &server_hello, &alert, msg)) {
190
+ ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
139
191
  return ssl_hs_error;
140
192
  }
141
193
 
142
- if (!CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) {
143
- hs->tls13_state = state_read_server_hello;
144
- return ssl_hs_ok;
145
- }
146
-
147
- const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
148
- // Check if the cipher is a TLS 1.3 cipher.
149
- if (cipher == NULL ||
194
+ // The cipher suite must be one we offered. We currently offer all supported
195
+ // TLS 1.3 ciphers, so check the version.
196
+ const SSL_CIPHER *cipher = SSL_get_cipher_by_value(server_hello.cipher_suite);
197
+ if (cipher == nullptr ||
150
198
  SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
151
199
  SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {
152
200
  OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
@@ -156,32 +204,60 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
156
204
 
157
205
  hs->new_cipher = cipher;
158
206
 
159
- bool have_cookie, have_key_share, have_supported_versions;
160
- CBS cookie, key_share, supported_versions;
161
- SSL_EXTENSION_TYPE ext_types[] = {
162
- {TLSEXT_TYPE_key_share, &have_key_share, &key_share},
163
- {TLSEXT_TYPE_cookie, &have_cookie, &cookie},
164
- {TLSEXT_TYPE_supported_versions, &have_supported_versions,
165
- &supported_versions},
166
- };
207
+ const bool is_hrr = is_hello_retry_request(server_hello);
208
+ if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
209
+ (is_hrr && !hs->transcript.UpdateForHelloRetryRequest())) {
210
+ return ssl_hs_error;
211
+ }
212
+ if (hs->selected_ech_config) {
213
+ if (!hs->inner_transcript.InitHash(ssl_protocol_version(ssl),
214
+ hs->new_cipher) ||
215
+ (is_hrr && !hs->inner_transcript.UpdateForHelloRetryRequest())) {
216
+ return ssl_hs_error;
217
+ }
218
+ }
167
219
 
168
- uint8_t alert = SSL_AD_DECODE_ERROR;
169
- if (!ssl_parse_extensions(&extensions, &alert, ext_types,
170
- /*ignore_unknown=*/false)) {
220
+ // Determine which ClientHello the server is responding to. Run
221
+ // |check_ech_confirmation| unconditionally, so we validate the extension
222
+ // contents.
223
+ bool ech_accepted;
224
+ if (!check_ech_confirmation(hs, &ech_accepted, &alert, server_hello)) {
225
+ ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
226
+ return ssl_hs_error;
227
+ }
228
+ if (hs->selected_ech_config) {
229
+ ssl->s3->ech_status = ech_accepted ? ssl_ech_accepted : ssl_ech_rejected;
230
+ }
231
+
232
+ if (!is_hrr) {
233
+ hs->tls13_state = state_read_server_hello;
234
+ return ssl_hs_ok;
235
+ }
236
+
237
+ // The ECH extension, if present, was already parsed by
238
+ // |check_ech_confirmation|.
239
+ SSLExtension cookie(TLSEXT_TYPE_cookie), key_share(TLSEXT_TYPE_key_share),
240
+ supported_versions(TLSEXT_TYPE_supported_versions),
241
+ ech_unused(TLSEXT_TYPE_encrypted_client_hello,
242
+ hs->selected_ech_config || hs->config->ech_grease_enabled);
243
+ if (!ssl_parse_extensions(
244
+ &server_hello.extensions, &alert,
245
+ {&cookie, &key_share, &supported_versions, &ech_unused},
246
+ /*ignore_unknown=*/false)) {
171
247
  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
172
248
  return ssl_hs_error;
173
249
  }
174
250
 
175
- if (!have_cookie && !have_key_share) {
251
+ if (!cookie.present && !key_share.present) {
176
252
  OPENSSL_PUT_ERROR(SSL, SSL_R_EMPTY_HELLO_RETRY_REQUEST);
177
253
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
178
254
  return ssl_hs_error;
179
255
  }
180
- if (have_cookie) {
256
+ if (cookie.present) {
181
257
  CBS cookie_value;
182
- if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||
258
+ if (!CBS_get_u16_length_prefixed(&cookie.data, &cookie_value) ||
183
259
  CBS_len(&cookie_value) == 0 ||
184
- CBS_len(&cookie) != 0) {
260
+ CBS_len(&cookie.data) != 0) {
185
261
  OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
186
262
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
187
263
  return ssl_hs_error;
@@ -192,9 +268,10 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
192
268
  }
193
269
  }
194
270
 
195
- if (have_key_share) {
271
+ if (key_share.present) {
196
272
  uint16_t group_id;
197
- if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) {
273
+ if (!CBS_get_u16(&key_share.data, &group_id) ||
274
+ CBS_len(&key_share.data) != 0) {
198
275
  OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
199
276
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
200
277
  return ssl_hs_error;
@@ -221,23 +298,16 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
221
298
  }
222
299
  }
223
300
 
224
- // We do not know whether ECH was chosen until ServerHello and must
225
- // concurrently update both transcripts.
226
- //
227
- // TODO(https://crbug.com/boringssl/275): A later draft will likely add an ECH
228
- // signal to HRR and change this.
229
- if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
230
- !hs->transcript.UpdateForHelloRetryRequest() ||
231
- !ssl_hash_message(hs, msg)) {
301
+ // Although we now know whether ClientHelloInner was used, we currently
302
+ // maintain both transcripts up to ServerHello. We could swap transcripts
303
+ // early, but then ClientHello construction and |check_ech_confirmation|
304
+ // become more complex.
305
+ if (!ssl_hash_message(hs, msg)) {
232
306
  return ssl_hs_error;
233
307
  }
234
- if (hs->selected_ech_config) {
235
- if (!hs->inner_transcript.InitHash(ssl_protocol_version(ssl),
236
- hs->new_cipher) ||
237
- !hs->inner_transcript.UpdateForHelloRetryRequest() ||
238
- !hs->inner_transcript.Update(msg.raw)) {
239
- return ssl_hs_error;
240
- }
308
+ if (ssl->s3->ech_status == ssl_ech_accepted &&
309
+ !hs->inner_transcript.Update(msg.raw)) {
310
+ return ssl_hs_error;
241
311
  }
242
312
 
243
313
  // HelloRetryRequest should be the end of the flight.
@@ -267,7 +337,8 @@ static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
267
337
 
268
338
  // Build the second ClientHelloInner, if applicable. The second ClientHello
269
339
  // uses an empty string for |enc|.
270
- if (hs->selected_ech_config && !ssl_encrypt_client_hello(hs, {})) {
340
+ if (hs->ssl->s3->ech_status == ssl_ech_accepted &&
341
+ !ssl_encrypt_client_hello(hs, {})) {
271
342
  return ssl_hs_error;
272
343
  }
273
344
 
@@ -286,83 +357,70 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
286
357
  if (!ssl->method->get_message(ssl, &msg)) {
287
358
  return ssl_hs_read_message;
288
359
  }
289
- if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
290
- return ssl_hs_error;
291
- }
292
-
293
- CBS body = msg.body, server_random, session_id, extensions;
294
- uint16_t server_version;
295
- uint16_t cipher_suite;
296
- uint8_t compression_method;
297
- if (!CBS_get_u16(&body, &server_version) ||
298
- !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||
299
- !CBS_get_u8_length_prefixed(&body, &session_id) ||
300
- !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||
301
- !CBS_get_u16(&body, &cipher_suite) ||
302
- !CBS_get_u8(&body, &compression_method) ||
303
- compression_method != 0 ||
304
- !CBS_get_u16_length_prefixed(&body, &extensions) ||
305
- CBS_len(&body) != 0) {
306
- ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
307
- OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
308
- return ssl_hs_error;
309
- }
310
-
311
- if (server_version != TLS1_2_VERSION) {
312
- ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
313
- OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
360
+ ParsedServerHello server_hello;
361
+ uint8_t alert = SSL_AD_DECODE_ERROR;
362
+ if (!parse_server_hello_tls13(hs, &server_hello, &alert, msg)) {
363
+ ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
314
364
  return ssl_hs_error;
315
365
  }
316
366
 
317
367
  // Forbid a second HelloRetryRequest.
318
- if (CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) {
368
+ if (is_hello_retry_request(server_hello)) {
319
369
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
320
370
  OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
321
371
  return ssl_hs_error;
322
372
  }
323
373
 
324
- OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),
325
- SSL3_RANDOM_SIZE);
326
-
327
- // Check if the cipher is a TLS 1.3 cipher.
328
- const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
329
- if (cipher == nullptr ||
330
- SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
331
- SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {
374
+ // Check the cipher suite, in case this is after HelloRetryRequest.
375
+ if (SSL_CIPHER_get_value(hs->new_cipher) != server_hello.cipher_suite) {
332
376
  OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
333
377
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
334
378
  return ssl_hs_error;
335
379
  }
336
380
 
337
- // Check that the cipher matches the one in the HelloRetryRequest.
338
- if (ssl->s3->used_hello_retry_request && hs->new_cipher != cipher) {
339
- OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
340
- ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
341
- return ssl_hs_error;
381
+ if (ssl->s3->ech_status == ssl_ech_accepted) {
382
+ if (ssl->s3->used_hello_retry_request) {
383
+ // HelloRetryRequest and ServerHello must accept ECH consistently.
384
+ bool ech_accepted;
385
+ if (!check_ech_confirmation(hs, &ech_accepted, &alert, server_hello)) {
386
+ ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
387
+ return ssl_hs_error;
388
+ }
389
+ if (!ech_accepted) {
390
+ OPENSSL_PUT_ERROR(SSL, SSL_R_INCONSISTENT_ECH_NEGOTIATION);
391
+ ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
392
+ return ssl_hs_error;
393
+ }
394
+ }
395
+
396
+ hs->transcript = std::move(hs->inner_transcript);
397
+ hs->extensions.sent = hs->inner_extensions_sent;
398
+ // Report the inner random value through |SSL_get_client_random|.
399
+ OPENSSL_memcpy(ssl->s3->client_random, hs->inner_client_random,
400
+ SSL3_RANDOM_SIZE);
342
401
  }
343
402
 
344
- // Parse out the extensions.
345
- bool have_key_share = false, have_pre_shared_key = false,
346
- have_supported_versions = false;
347
- CBS key_share, pre_shared_key, supported_versions;
348
- SSL_EXTENSION_TYPE ext_types[] = {
349
- {TLSEXT_TYPE_key_share, &have_key_share, &key_share},
350
- {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},
351
- {TLSEXT_TYPE_supported_versions, &have_supported_versions,
352
- &supported_versions},
353
- };
403
+ OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_hello.random),
404
+ SSL3_RANDOM_SIZE);
354
405
 
355
- uint8_t alert = SSL_AD_DECODE_ERROR;
356
- if (!ssl_parse_extensions(&extensions, &alert, ext_types,
406
+ // When offering ECH, |ssl->session| is only offered in ClientHelloInner.
407
+ const bool pre_shared_key_allowed =
408
+ ssl->session != nullptr && ssl->s3->ech_status != ssl_ech_rejected;
409
+ SSLExtension key_share(TLSEXT_TYPE_key_share),
410
+ pre_shared_key(TLSEXT_TYPE_pre_shared_key, pre_shared_key_allowed),
411
+ supported_versions(TLSEXT_TYPE_supported_versions);
412
+ if (!ssl_parse_extensions(&server_hello.extensions, &alert,
413
+ {&key_share, &pre_shared_key, &supported_versions},
357
414
  /*ignore_unknown=*/false)) {
358
415
  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
359
416
  return ssl_hs_error;
360
417
  }
361
418
 
362
- // Recheck supported_versions, in case this is the second ServerHello.
419
+ // Recheck supported_versions, in case this is after HelloRetryRequest.
363
420
  uint16_t version;
364
- if (!have_supported_versions ||
365
- !CBS_get_u16(&supported_versions, &version) ||
421
+ if (!supported_versions.present ||
422
+ !CBS_get_u16(&supported_versions.data, &version) ||
423
+ CBS_len(&supported_versions.data) != 0 ||
366
424
  version != ssl->version) {
367
425
  OPENSSL_PUT_ERROR(SSL, SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH);
368
426
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
@@ -370,15 +428,9 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
370
428
  }
371
429
 
372
430
  alert = SSL_AD_DECODE_ERROR;
373
- if (have_pre_shared_key) {
374
- if (ssl->session == NULL) {
375
- OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
376
- ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
377
- return ssl_hs_error;
378
- }
379
-
431
+ if (pre_shared_key.present) {
380
432
  if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,
381
- &pre_shared_key)) {
433
+ &pre_shared_key.data)) {
382
434
  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
383
435
  return ssl_hs_error;
384
436
  }
@@ -389,7 +441,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
389
441
  return ssl_hs_error;
390
442
  }
391
443
 
392
- if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {
444
+ if (ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
393
445
  OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);
394
446
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
395
447
  return ssl_hs_error;
@@ -422,13 +474,11 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
422
474
  return ssl_hs_error;
423
475
  }
424
476
 
425
- hs->new_session->cipher = cipher;
426
- hs->new_cipher = cipher;
427
-
428
- size_t hash_len =
429
- EVP_MD_size(ssl_get_handshake_digest(ssl_protocol_version(ssl), cipher));
477
+ hs->new_session->cipher = hs->new_cipher;
430
478
 
431
479
  // Set up the key schedule and incorporate the PSK into the running secret.
480
+ size_t hash_len = EVP_MD_size(
481
+ ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));
432
482
  if (!tls13_init_key_schedule(
433
483
  hs, ssl->s3->session_reused
434
484
  ? MakeConstSpan(hs->new_session->secret,
@@ -437,7 +487,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
437
487
  return ssl_hs_error;
438
488
  }
439
489
 
440
- if (!have_key_share) {
490
+ if (!key_share.present) {
441
491
  // We do not support psk_ke and thus always require a key share.
442
492
  OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
443
493
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
@@ -448,53 +498,13 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
448
498
  Array<uint8_t> dhe_secret;
449
499
  alert = SSL_AD_DECODE_ERROR;
450
500
  if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &alert,
451
- &key_share)) {
501
+ &key_share.data)) {
452
502
  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
453
503
  return ssl_hs_error;
454
504
  }
455
505
 
456
- if (!tls13_advance_key_schedule(hs, dhe_secret)) {
457
- return ssl_hs_error;
458
- }
459
-
460
- // Determine whether the server accepted ECH.
461
- //
462
- // TODO(https://crbug.com/boringssl/275): This is a bit late in the process of
463
- // parsing ServerHello. |ssl->session| is only valid for ClientHelloInner, so
464
- // the decisions made based on PSK need to be double-checked. draft-11 will
465
- // fix this, at which point this logic can be moved before any processing.
466
- if (hs->selected_ech_config) {
467
- uint8_t ech_confirmation[ECH_CONFIRMATION_SIGNAL_LEN];
468
- if (!hs->inner_transcript.InitHash(ssl_protocol_version(ssl),
469
- hs->new_cipher) ||
470
- !ssl_ech_accept_confirmation(hs, ech_confirmation, hs->inner_transcript,
471
- msg.raw)) {
472
- return ssl_hs_error;
473
- }
474
-
475
- if (CRYPTO_memcmp(ech_confirmation,
476
- ssl->s3->server_random + sizeof(ssl->s3->server_random) -
477
- sizeof(ech_confirmation),
478
- sizeof(ech_confirmation)) == 0) {
479
- ssl->s3->ech_status = ssl_ech_accepted;
480
- hs->transcript = std::move(hs->inner_transcript);
481
- hs->extensions.sent = hs->inner_extensions_sent;
482
- // Report the inner random value through |SSL_get_client_random|.
483
- OPENSSL_memcpy(ssl->s3->client_random, hs->inner_client_random,
484
- SSL3_RANDOM_SIZE);
485
- } else {
486
- // Resuming against the ClientHelloOuter was an unsolicited extension.
487
- if (have_pre_shared_key) {
488
- OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
489
- ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
490
- return ssl_hs_error;
491
- }
492
- ssl->s3->ech_status = ssl_ech_rejected;
493
- }
494
- }
495
-
496
-
497
- if (!ssl_hash_message(hs, msg) ||
506
+ if (!tls13_advance_key_schedule(hs, dhe_secret) ||
507
+ !ssl_hash_message(hs, msg) ||
498
508
  !tls13_derive_handshake_secrets(hs)) {
499
509
  return ssl_hs_error;
500
510
  }
@@ -532,17 +542,19 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
532
542
  return ssl_hs_error;
533
543
  }
534
544
 
535
- CBS body = msg.body;
536
- if (!ssl_parse_serverhello_tlsext(hs, &body)) {
537
- OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
538
- return ssl_hs_error;
539
- }
540
- if (CBS_len(&body) != 0) {
545
+ CBS body = msg.body, extensions;
546
+ if (!CBS_get_u16_length_prefixed(&body, &extensions) ||
547
+ CBS_len(&body) != 0) {
541
548
  OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
542
549
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
543
550
  return ssl_hs_error;
544
551
  }
545
552
 
553
+ if (!ssl_parse_serverhello_tlsext(hs, &extensions)) {
554
+ OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
555
+ return ssl_hs_error;
556
+ }
557
+
546
558
  if (ssl->s3->early_data_accepted) {
547
559
  // The extension parser checks the server resumed the session.
548
560
  assert(ssl->s3->session_reused);
@@ -626,25 +638,19 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
626
638
  }
627
639
 
628
640
 
629
- bool have_sigalgs = false, have_ca = false;
630
- CBS sigalgs, ca;
631
- const SSL_EXTENSION_TYPE ext_types[] = {
632
- {TLSEXT_TYPE_signature_algorithms, &have_sigalgs, &sigalgs},
633
- {TLSEXT_TYPE_certificate_authorities, &have_ca, &ca},
634
- };
635
-
641
+ SSLExtension sigalgs(TLSEXT_TYPE_signature_algorithms),
642
+ ca(TLSEXT_TYPE_certificate_authorities);
636
643
  CBS body = msg.body, context, extensions, supported_signature_algorithms;
637
644
  uint8_t alert = SSL_AD_DECODE_ERROR;
638
645
  if (!CBS_get_u8_length_prefixed(&body, &context) ||
639
646
  // The request context is always empty during the handshake.
640
647
  CBS_len(&context) != 0 ||
641
- !CBS_get_u16_length_prefixed(&body, &extensions) ||
648
+ !CBS_get_u16_length_prefixed(&body, &extensions) || //
642
649
  CBS_len(&body) != 0 ||
643
- !ssl_parse_extensions(&extensions, &alert, ext_types,
650
+ !ssl_parse_extensions(&extensions, &alert, {&sigalgs, &ca},
644
651
  /*ignore_unknown=*/true) ||
645
- (have_ca && CBS_len(&ca) == 0) ||
646
- !have_sigalgs ||
647
- !CBS_get_u16_length_prefixed(&sigalgs,
652
+ !sigalgs.present ||
653
+ !CBS_get_u16_length_prefixed(&sigalgs.data,
648
654
  &supported_signature_algorithms) ||
649
655
  !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
650
656
  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
@@ -652,8 +658,8 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
652
658
  return ssl_hs_error;
653
659
  }
654
660
 
655
- if (have_ca) {
656
- hs->ca_names = ssl_parse_client_CA_list(ssl, &alert, &ca);
661
+ if (ca.present) {
662
+ hs->ca_names = ssl_parse_client_CA_list(ssl, &alert, &ca.data);
657
663
  if (!hs->ca_names) {
658
664
  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
659
665
  return ssl_hs_error;
@@ -1076,23 +1082,17 @@ UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl, CBS *body) {
1076
1082
  return nullptr;
1077
1083
  }
1078
1084
 
1079
- // Parse out the extensions.
1080
- bool have_early_data = false;
1081
- CBS early_data;
1082
- const SSL_EXTENSION_TYPE ext_types[] = {
1083
- {TLSEXT_TYPE_early_data, &have_early_data, &early_data},
1084
- };
1085
-
1085
+ SSLExtension early_data(TLSEXT_TYPE_early_data);
1086
1086
  uint8_t alert = SSL_AD_DECODE_ERROR;
1087
- if (!ssl_parse_extensions(&extensions, &alert, ext_types,
1087
+ if (!ssl_parse_extensions(&extensions, &alert, {&early_data},
1088
1088
  /*ignore_unknown=*/true)) {
1089
1089
  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1090
1090
  return nullptr;
1091
1091
  }
1092
1092
 
1093
- if (have_early_data) {
1094
- if (!CBS_get_u32(&early_data, &session->ticket_max_early_data) ||
1095
- CBS_len(&early_data) != 0) {
1093
+ if (early_data.present) {
1094
+ if (!CBS_get_u32(&early_data.data, &session->ticket_max_early_data) ||
1095
+ CBS_len(&early_data.data) != 0) {
1096
1096
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1097
1097
  OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1098
1098
  return nullptr;