grpc 1.55.0 → 1.56.0.pre3
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +100 -68
- data/include/grpc/event_engine/event_engine.h +4 -3
- data/include/grpc/grpc_audit_logging.h +96 -0
- data/include/grpc/module.modulemap +2 -0
- data/include/grpc/support/json.h +218 -0
- data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +5 -0
- data/src/core/ext/filters/client_channel/backend_metric.cc +2 -0
- data/src/core/ext/filters/client_channel/channel_connectivity.cc +4 -4
- data/src/core/ext/filters/client_channel/client_channel.cc +86 -104
- data/src/core/ext/filters/client_channel/client_channel.h +6 -0
- data/src/core/ext/filters/client_channel/client_channel_channelz.cc +19 -18
- data/src/core/ext/filters/client_channel/client_channel_internal.h +16 -21
- data/src/core/ext/filters/client_channel/config_selector.h +9 -24
- data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +3 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +5 -4
- data/src/core/ext/filters/client_channel/lb_policy/health_check_client.cc +455 -0
- data/src/core/ext/filters/client_channel/lb_policy/health_check_client.h +54 -0
- data/src/core/ext/filters/client_channel/lb_policy/health_check_client_internal.h +186 -0
- data/src/core/ext/filters/client_channel/lb_policy/oob_backend_metric.cc +2 -7
- data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.cc +52 -20
- data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.h +23 -2
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +19 -6
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +1 -9
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +16 -7
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +18 -1
- data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +12 -9
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +6 -4
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +36 -13
- data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/static_stride_scheduler.cc +76 -6
- data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +32 -39
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +4 -10
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +52 -47
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +1 -9
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +14 -16
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +40 -43
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +7 -12
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_wrr_locality.cc +12 -19
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +35 -33
- data/src/core/ext/filters/client_channel/resolver/dns/event_engine/event_engine_client_channel_resolver.cc +29 -4
- data/src/core/ext/filters/client_channel/resolver/dns/event_engine/service_config_helper.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +28 -27
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +163 -46
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.h +16 -1
- data/src/core/ext/filters/client_channel/retry_service_config.cc +1 -0
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +10 -40
- data/src/core/ext/filters/client_channel/subchannel.cc +10 -196
- data/src/core/ext/filters/client_channel/subchannel.h +3 -43
- data/src/core/ext/filters/http/message_compress/compression_filter.cc +5 -5
- data/src/core/ext/filters/rbac/rbac_service_config_parser.cc +100 -6
- data/src/core/ext/filters/server_config_selector/server_config_selector_filter.cc +6 -8
- data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +3 -3
- data/src/core/ext/filters/stateful_session/stateful_session_filter.h +16 -1
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +46 -95
- data/src/core/ext/transport/chttp2/transport/internal.h +1 -15
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +11 -2
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +15 -0
- data/src/core/ext/xds/certificate_provider_store.cc +4 -9
- data/src/core/ext/xds/certificate_provider_store.h +1 -1
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc +30 -42
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.h +14 -9
- data/src/core/ext/xds/xds_api.cc +9 -6
- data/src/core/ext/xds/xds_api.h +3 -2
- data/src/core/ext/xds/xds_audit_logger_registry.cc +122 -0
- data/src/core/ext/xds/xds_audit_logger_registry.h +68 -0
- data/src/core/ext/xds/xds_bootstrap_grpc.cc +21 -9
- data/src/core/ext/xds/xds_bootstrap_grpc.h +5 -0
- data/src/core/ext/xds/xds_client.cc +5 -4
- data/src/core/ext/xds/xds_client_stats.h +1 -1
- data/src/core/ext/xds/xds_cluster.cc +20 -19
- data/src/core/ext/xds/xds_cluster_specifier_plugin.cc +11 -8
- data/src/core/ext/xds/xds_common_types.cc +3 -1
- data/src/core/ext/xds/xds_http_fault_filter.cc +16 -13
- data/src/core/ext/xds/xds_http_fault_filter.h +2 -1
- data/src/core/ext/xds/xds_http_filters.h +4 -2
- data/src/core/ext/xds/xds_http_rbac_filter.cc +154 -67
- data/src/core/ext/xds/xds_http_rbac_filter.h +2 -1
- data/src/core/ext/xds/xds_http_stateful_session_filter.cc +15 -11
- data/src/core/ext/xds/xds_http_stateful_session_filter.h +2 -1
- data/src/core/ext/xds/xds_lb_policy_registry.cc +22 -16
- data/src/core/ext/xds/xds_listener.cc +1 -0
- data/src/core/ext/xds/xds_route_config.cc +40 -3
- data/src/core/ext/xds/xds_routing.cc +2 -2
- data/src/core/ext/xds/xds_transport_grpc.cc +3 -1
- data/src/core/lib/avl/avl.h +5 -0
- data/src/core/lib/channel/channel_args.cc +80 -22
- data/src/core/lib/channel/channel_args.h +34 -1
- data/src/core/lib/channel/channel_trace.cc +16 -12
- data/src/core/lib/channel/channelz.cc +159 -132
- data/src/core/lib/channel/channelz.h +42 -35
- data/src/core/lib/channel/channelz_registry.cc +23 -20
- data/src/core/lib/channel/connected_channel.cc +17 -6
- data/src/core/lib/channel/promise_based_filter.cc +0 -4
- data/src/core/lib/channel/promise_based_filter.h +2 -0
- data/src/core/lib/compression/compression_internal.cc +2 -5
- data/src/core/lib/config/config_vars.cc +20 -18
- data/src/core/lib/config/config_vars.h +4 -4
- data/src/core/lib/config/load_config.cc +13 -0
- data/src/core/lib/config/load_config.h +6 -0
- data/src/core/lib/debug/event_log.h +1 -1
- data/src/core/lib/debug/stats_data.h +1 -1
- data/src/core/lib/debug/trace.cc +24 -55
- data/src/core/lib/debug/trace.h +3 -1
- data/src/core/lib/event_engine/cf_engine/cf_engine.cc +211 -0
- data/src/core/lib/event_engine/cf_engine/cf_engine.h +86 -0
- data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.cc +354 -0
- data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.h +146 -0
- data/src/core/lib/event_engine/cf_engine/cftype_unique_ref.h +79 -0
- data/src/core/lib/event_engine/default_event_engine.cc +13 -1
- data/src/core/lib/event_engine/default_event_engine_factory.cc +14 -2
- data/src/core/lib/event_engine/poller.h +2 -2
- data/src/core/lib/event_engine/posix.h +4 -0
- data/src/core/lib/event_engine/posix_engine/ev_epoll1_linux.cc +1 -1
- data/src/core/lib/event_engine/posix_engine/lockfree_event.cc +7 -18
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +9 -0
- data/src/core/lib/event_engine/posix_engine/posix_engine.cc +33 -19
- data/src/core/lib/event_engine/posix_engine/posix_engine.h +1 -1
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +4 -4
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.h +7 -8
- data/src/core/lib/event_engine/posix_engine/timer_manager.h +1 -1
- data/src/core/lib/event_engine/shim.cc +7 -1
- data/src/core/lib/event_engine/{thread_pool.cc → thread_pool/original_thread_pool.cc} +28 -25
- data/src/core/lib/event_engine/{thread_pool.h → thread_pool/original_thread_pool.h} +11 -15
- data/src/core/lib/event_engine/thread_pool/thread_pool.h +50 -0
- data/src/core/lib/event_engine/{executor/executor.h → thread_pool/thread_pool_factory.cc} +17 -15
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.cc +489 -0
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.h +249 -0
- data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.cc +166 -0
- data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.h +108 -0
- data/src/core/lib/event_engine/windows/iocp.cc +4 -3
- data/src/core/lib/event_engine/windows/iocp.h +3 -3
- data/src/core/lib/event_engine/windows/win_socket.cc +6 -6
- data/src/core/lib/event_engine/windows/win_socket.h +4 -4
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +11 -10
- data/src/core/lib/event_engine/windows/windows_endpoint.h +3 -2
- data/src/core/lib/event_engine/windows/windows_engine.cc +19 -17
- data/src/core/lib/event_engine/windows/windows_engine.h +6 -6
- data/src/core/lib/event_engine/windows/windows_listener.cc +3 -3
- data/src/core/lib/event_engine/windows/windows_listener.h +3 -2
- data/src/core/lib/event_engine/work_queue/basic_work_queue.cc +63 -0
- data/src/core/lib/event_engine/work_queue/basic_work_queue.h +71 -0
- data/src/core/lib/event_engine/work_queue/work_queue.h +62 -0
- data/src/core/lib/experiments/config.cc +38 -7
- data/src/core/lib/experiments/config.h +16 -0
- data/src/core/lib/experiments/experiments.cc +67 -20
- data/src/core/lib/experiments/experiments.h +27 -21
- data/src/core/lib/gpr/log_internal.h +55 -0
- data/src/core/lib/gprpp/crash.cc +10 -0
- data/src/core/lib/gprpp/crash.h +3 -0
- data/src/core/lib/gprpp/per_cpu.cc +33 -0
- data/src/core/lib/gprpp/per_cpu.h +29 -6
- data/src/core/lib/gprpp/time.cc +1 -0
- data/src/core/lib/iomgr/cfstream_handle.cc +1 -1
- data/src/core/lib/iomgr/endpoint_cfstream.cc +10 -8
- data/src/core/lib/iomgr/ev_apple.cc +12 -12
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +10 -3
- data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +15 -1
- data/src/core/lib/iomgr/iocp_windows.cc +24 -3
- data/src/core/lib/iomgr/iocp_windows.h +11 -0
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +4 -2
- data/src/core/lib/iomgr/socket_windows.cc +61 -7
- data/src/core/lib/iomgr/socket_windows.h +9 -2
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +14 -3
- data/src/core/lib/iomgr/tcp_server_posix.cc +148 -107
- data/src/core/lib/iomgr/tcp_server_utils_posix.h +1 -1
- data/src/core/lib/iomgr/tcp_server_windows.cc +1 -1
- data/src/core/lib/json/json.h +2 -166
- data/src/core/lib/json/json_object_loader.cc +8 -9
- data/src/core/lib/json/json_object_loader.h +25 -18
- data/src/core/lib/json/json_reader.cc +13 -6
- data/src/core/lib/json/json_util.cc +6 -11
- data/src/core/lib/json/json_writer.cc +7 -8
- data/src/core/lib/load_balancing/lb_policy.h +13 -0
- data/src/core/lib/load_balancing/lb_policy_registry.cc +2 -1
- data/src/core/lib/matchers/matchers.cc +3 -4
- data/src/core/lib/matchers/matchers.h +2 -1
- data/src/core/lib/promise/activity.cc +5 -0
- data/src/core/lib/promise/activity.h +10 -0
- data/src/core/lib/promise/detail/promise_factory.h +1 -1
- data/src/core/lib/promise/party.cc +31 -13
- data/src/core/lib/promise/party.h +11 -2
- data/src/core/lib/promise/pipe.h +9 -2
- data/src/core/lib/promise/prioritized_race.h +95 -0
- data/src/core/lib/promise/sleep.cc +2 -1
- data/src/core/lib/resolver/server_address.cc +0 -8
- data/src/core/lib/resolver/server_address.h +0 -6
- data/src/core/lib/resource_quota/memory_quota.cc +7 -7
- data/src/core/lib/resource_quota/memory_quota.h +1 -2
- data/src/core/lib/security/authorization/audit_logging.cc +98 -0
- data/src/core/lib/security/authorization/audit_logging.h +73 -0
- data/src/core/lib/security/authorization/grpc_authorization_engine.cc +47 -2
- data/src/core/lib/security/authorization/grpc_authorization_engine.h +18 -1
- data/src/core/lib/security/authorization/rbac_policy.cc +36 -4
- data/src/core/lib/security/authorization/rbac_policy.h +19 -2
- data/src/core/lib/security/authorization/stdout_logger.cc +75 -0
- data/src/core/lib/security/authorization/stdout_logger.h +61 -0
- data/src/core/lib/security/certificate_provider/certificate_provider_factory.h +8 -4
- data/src/core/lib/security/certificate_provider/certificate_provider_registry.cc +8 -18
- data/src/core/lib/security/certificate_provider/certificate_provider_registry.h +14 -8
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +19 -12
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +4 -2
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +1 -0
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +1 -0
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +1 -0
- data/src/core/lib/security/credentials/jwt/json_token.cc +15 -14
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +4 -2
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +1 -0
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +1 -0
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +1 -5
- data/src/core/lib/security/util/json_util.cc +1 -0
- data/src/core/lib/service_config/service_config_call_data.h +49 -20
- data/src/core/lib/service_config/service_config_impl.cc +2 -1
- data/src/core/lib/surface/call.cc +38 -23
- data/src/core/lib/surface/completion_queue.cc +6 -2
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/batch_builder.cc +15 -12
- data/src/core/lib/transport/batch_builder.h +39 -35
- data/src/core/plugin_registry/grpc_plugin_registry.cc +0 -2
- data/src/core/plugin_registry/grpc_plugin_registry_extra.cc +2 -0
- data/src/ruby/ext/grpc/extconf.rb +8 -9
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +10 -6
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +7 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +5 -9
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +31 -22
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +29 -26
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +189 -13
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_openbsd.c +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_openbsd.c +31 -0
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519_tables.h +795 -795
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +18 -6
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +15 -7
- data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +24 -24
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +7 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +74 -74
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +11 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz.c +12 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +14 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256_table.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +10 -10
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +23 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/{hkdf → fipsmodule/hkdf}/hkdf.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +2 -10
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +115 -133
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +12 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +57 -47
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/polyval.c +27 -28
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +21 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +5 -288
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +143 -83
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +95 -183
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +71 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/internal.h +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +33 -0
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +162 -6
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +18 -0
- data/third_party/boringssl-with-bazel/src/crypto/kyber/kyber.c +18 -11
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +6 -13
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +18 -14
- data/third_party/boringssl-with-bazel/src/crypto/{refcount_lock.c → refcount_no_threads.c} +3 -13
- data/third_party/boringssl-with-bazel/src/crypto/refcount_win.c +89 -0
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/internal.h +77 -0
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_crypt.c +568 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +218 -44
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +35 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +588 -39
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +27 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +17 -39
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +39 -48
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +0 -140
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +72 -23
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +11 -14
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +33 -46
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +3 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +14 -46
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +14 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +17 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +5 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +6 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +32 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +0 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +1 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +28 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +2 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +91 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +149 -20
- data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +8 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +774 -615
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +42 -10
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +11 -6
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +2 -4
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +24 -16
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +65 -18
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +37 -18
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +187 -193
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +13 -129
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +85 -10
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +17 -4
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +27 -19
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +5 -21
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +5 -2
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64_msvc.h +1281 -0
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64_msvc.h +2002 -0
- data/third_party/cares/cares/include/ares.h +23 -1
- data/third_party/cares/cares/{src/lib → include}/ares_nameser.h +9 -7
- data/third_party/cares/cares/include/ares_rules.h +2 -2
- data/third_party/cares/cares/include/ares_version.h +3 -3
- data/third_party/cares/cares/src/lib/ares__addrinfo2hostent.c +266 -0
- data/third_party/cares/cares/src/lib/ares__addrinfo_localhost.c +240 -0
- data/third_party/cares/cares/src/lib/ares__parse_into_addrinfo.c +49 -80
- data/third_party/cares/cares/src/lib/ares__readaddrinfo.c +37 -43
- data/third_party/cares/cares/src/lib/ares__sortaddrinfo.c +12 -4
- data/third_party/cares/cares/src/lib/ares_data.c +16 -0
- data/third_party/cares/cares/src/lib/ares_data.h +7 -0
- data/third_party/cares/cares/src/lib/ares_destroy.c +8 -0
- data/third_party/cares/cares/src/lib/ares_expand_name.c +17 -6
- data/third_party/cares/cares/src/lib/ares_freeaddrinfo.c +1 -0
- data/third_party/cares/cares/src/lib/ares_getaddrinfo.c +156 -78
- data/third_party/cares/cares/src/lib/ares_gethostbyname.c +130 -326
- data/third_party/cares/cares/src/lib/ares_init.c +97 -485
- data/third_party/cares/cares/src/lib/ares_library_init.c +2 -89
- data/third_party/cares/cares/src/lib/ares_parse_a_reply.c +23 -142
- data/third_party/cares/cares/src/lib/ares_parse_aaaa_reply.c +22 -142
- data/third_party/cares/cares/src/lib/ares_parse_uri_reply.c +184 -0
- data/third_party/cares/cares/src/lib/ares_private.h +30 -16
- data/third_party/cares/cares/src/lib/ares_process.c +55 -16
- data/third_party/cares/cares/src/lib/ares_query.c +1 -35
- data/third_party/cares/cares/src/lib/ares_rand.c +279 -0
- data/third_party/cares/cares/src/lib/ares_send.c +5 -7
- data/third_party/cares/cares/src/lib/ares_strdup.c +12 -19
- data/third_party/cares/cares/src/lib/ares_strsplit.c +44 -128
- data/third_party/cares/cares/src/lib/ares_strsplit.h +9 -10
- data/third_party/cares/cares/src/lib/inet_net_pton.c +78 -116
- data/third_party/cares/cares/src/tools/ares_getopt.h +53 -0
- metadata +50 -14
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +0 -175
- data/src/core/ext/filters/client_channel/health/health_check_client.h +0 -43
- data/third_party/cares/cares/src/lib/ares_library_init.h +0 -43
@@ -873,7 +873,6 @@ struct bio_st {
|
|
873
873
|
#define BIO_C_GET_FILE_PTR 107
|
874
874
|
#define BIO_C_SET_FILENAME 108
|
875
875
|
#define BIO_C_SET_SSL 109
|
876
|
-
#define BIO_C_GET_SSL 110
|
877
876
|
#define BIO_C_SET_MD 111
|
878
877
|
#define BIO_C_GET_MD 112
|
879
878
|
#define BIO_C_GET_CIPHER_STATUS 113
|
@@ -887,9 +886,6 @@ struct bio_st {
|
|
887
886
|
#define BIO_C_GET_PROXY_PARAM 121
|
888
887
|
#define BIO_C_SET_BUFF_READ_DATA 122 // data to read first
|
889
888
|
#define BIO_C_GET_ACCEPT 124
|
890
|
-
#define BIO_C_SET_SSL_RENEGOTIATE_BYTES 125
|
891
|
-
#define BIO_C_GET_SSL_NUM_RENEGOTIATES 126
|
892
|
-
#define BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT 127
|
893
889
|
#define BIO_C_FILE_SEEK 128
|
894
890
|
#define BIO_C_GET_CIPHER_CTX 129
|
895
891
|
#define BIO_C_SET_BUF_MEM_EOF_RETURN 130 // return end of input value
|
@@ -239,9 +239,9 @@ OPENSSL_EXPORT int EVP_marshal_private_key(CBB *cbb, const EVP_PKEY *key);
|
|
239
239
|
// Raw keys
|
240
240
|
//
|
241
241
|
// Some keys types support a "raw" serialization. Currently the only supported
|
242
|
-
// raw
|
243
|
-
//
|
244
|
-
// prefix of |ED25519_sign|'s 64-byte private key.
|
242
|
+
// raw formats are X25519 and Ed25519, where the formats are those specified in
|
243
|
+
// RFC 7748 and RFC 8032, respectively. Note the RFC 8032 private key format is
|
244
|
+
// the 32-byte prefix of |ED25519_sign|'s 64-byte private key.
|
245
245
|
|
246
246
|
// EVP_PKEY_new_raw_private_key returns a newly allocated |EVP_PKEY| wrapping a
|
247
247
|
// private key of the specified type. It returns one on success and zero on
|
@@ -249,6 +249,34 @@ OPENSSL_EXPORT int EVP_HPKE_CTX_setup_recipient(
|
|
249
249
|
const EVP_HPKE_AEAD *aead, const uint8_t *enc, size_t enc_len,
|
250
250
|
const uint8_t *info, size_t info_len);
|
251
251
|
|
252
|
+
// EVP_HPKE_CTX_setup_auth_sender implements the SetupAuthS HPKE operation. It
|
253
|
+
// behaves like |EVP_HPKE_CTX_setup_sender| but authenticates the resulting
|
254
|
+
// context with |key|.
|
255
|
+
OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender(
|
256
|
+
EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
|
257
|
+
const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
|
258
|
+
const uint8_t *peer_public_key, size_t peer_public_key_len,
|
259
|
+
const uint8_t *info, size_t info_len);
|
260
|
+
|
261
|
+
// EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing behaves like
|
262
|
+
// |EVP_HPKE_CTX_setup_auth_sender|, but takes a seed to behave
|
263
|
+
// deterministically. The seed's format depends on |kem|. For X25519, it is the
|
264
|
+
// sender's ephemeral private key.
|
265
|
+
OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing(
|
266
|
+
EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
|
267
|
+
const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
|
268
|
+
const uint8_t *peer_public_key, size_t peer_public_key_len,
|
269
|
+
const uint8_t *info, size_t info_len, const uint8_t *seed, size_t seed_len);
|
270
|
+
|
271
|
+
// EVP_HPKE_CTX_setup_auth_recipient implements the SetupAuthR HPKE operation.
|
272
|
+
// It behaves like |EVP_HPKE_CTX_setup_recipient| but checks the resulting
|
273
|
+
// context was authenticated with |peer_public_key|.
|
274
|
+
OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_recipient(
|
275
|
+
EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf,
|
276
|
+
const EVP_HPKE_AEAD *aead, const uint8_t *enc, size_t enc_len,
|
277
|
+
const uint8_t *info, size_t info_len, const uint8_t *peer_public_key,
|
278
|
+
size_t peer_public_key_len);
|
279
|
+
|
252
280
|
|
253
281
|
// Using an HPKE context.
|
254
282
|
//
|
@@ -4235,9 +4235,6 @@ extern "C" {
|
|
4235
4235
|
#define LN_auth_any "auth-any"
|
4236
4236
|
#define NID_auth_any 958
|
4237
4237
|
|
4238
|
-
#define SN_CECPQ2 "CECPQ2"
|
4239
|
-
#define NID_CECPQ2 959
|
4240
|
-
|
4241
4238
|
#define SN_ED448 "ED448"
|
4242
4239
|
#define NID_ED448 960
|
4243
4240
|
#define OBJ_ED448 1L, 3L, 101L, 113L
|
@@ -4255,14 +4252,8 @@ extern "C" {
|
|
4255
4252
|
#define LN_hkdf "hkdf"
|
4256
4253
|
#define NID_hkdf 963
|
4257
4254
|
|
4258
|
-
#define
|
4259
|
-
#define
|
4260
|
-
|
4261
|
-
#define SN_P256Kyber768 "P256Kyber768"
|
4262
|
-
#define NID_P256Kyber768 965
|
4263
|
-
|
4264
|
-
#define SN_P384Kyber768 "P384Kyber768"
|
4265
|
-
#define NID_P384Kyber768 966
|
4255
|
+
#define SN_X25519Kyber768Draft00 "X25519Kyber768Draft00"
|
4256
|
+
#define NID_X25519Kyber768Draft00 964
|
4266
4257
|
|
4267
4258
|
|
4268
4259
|
#if defined(__cplusplus)
|
@@ -372,9 +372,6 @@ OPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp,
|
|
372
372
|
// password.
|
373
373
|
OPENSSL_EXPORT int PEM_def_callback(char *buf, int size, int rwflag,
|
374
374
|
void *userdata);
|
375
|
-
OPENSSL_EXPORT void PEM_proc_type(char *buf, int type);
|
376
|
-
OPENSSL_EXPORT void PEM_dek_info(char *buf, const char *type, int len,
|
377
|
-
char *str);
|
378
375
|
|
379
376
|
|
380
377
|
DECLARE_PEM_rw(X509, X509)
|
@@ -79,7 +79,22 @@ extern "C" {
|
|
79
79
|
// documented, functions which take a |const| pointer are non-mutating and
|
80
80
|
// functions which take a non-|const| pointer are mutating.
|
81
81
|
|
82
|
-
//
|
82
|
+
// RSA_new_public_key returns a new |RSA| object containing a public key with
|
83
|
+
// the specified parameters, or NULL on error or invalid input.
|
84
|
+
OPENSSL_EXPORT RSA *RSA_new_public_key(const BIGNUM *n, const BIGNUM *e);
|
85
|
+
|
86
|
+
// RSA_new_private_key returns a new |RSA| object containing a private key with
|
87
|
+
// the specified parameters, or NULL on error or invalid input. All parameters
|
88
|
+
// are mandatory and may not be NULL.
|
89
|
+
//
|
90
|
+
// This function creates standard RSA private keys with CRT parameters.
|
91
|
+
OPENSSL_EXPORT RSA *RSA_new_private_key(const BIGNUM *n, const BIGNUM *e,
|
92
|
+
const BIGNUM *d, const BIGNUM *p,
|
93
|
+
const BIGNUM *q, const BIGNUM *dmp1,
|
94
|
+
const BIGNUM *dmq1, const BIGNUM *iqmp);
|
95
|
+
|
96
|
+
// RSA_new returns a new, empty |RSA| object or NULL on error. Prefer using
|
97
|
+
// |RSA_new_public_key| or |RSA_new_private_key| to import an RSA key.
|
83
98
|
OPENSSL_EXPORT RSA *RSA_new(void);
|
84
99
|
|
85
100
|
// RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|.
|
@@ -148,6 +163,20 @@ OPENSSL_EXPORT void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
|
|
148
163
|
const BIGNUM **out_dmq1,
|
149
164
|
const BIGNUM **out_iqmp);
|
150
165
|
|
166
|
+
|
167
|
+
// Setting individual properties.
|
168
|
+
//
|
169
|
+
// These functions allow setting individual properties of an |RSA| object. This
|
170
|
+
// is typically used with |RSA_new| to construct an RSA key field by field.
|
171
|
+
// Prefer instead to use |RSA_new_public_key| and |RSA_new_private_key|. These
|
172
|
+
// functions defer some initialization to the first use of an |RSA| object. This
|
173
|
+
// means invalid inputs may be caught late.
|
174
|
+
//
|
175
|
+
// TODO(crbug.com/boringssl/316): This deferred initialization also causes
|
176
|
+
// performance problems in multi-threaded applications. The preferred APIs
|
177
|
+
// currently have the same issues, but they will initialize eagerly in the
|
178
|
+
// future.
|
179
|
+
|
151
180
|
// RSA_set0_key sets |rsa|'s modulus, public exponent, and private exponent to
|
152
181
|
// |n|, |e|, and |d| respectively, if non-NULL. On success, it takes ownership
|
153
182
|
// of each argument and returns one. Otherwise, it returns zero.
|
@@ -570,6 +599,48 @@ OPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes,
|
|
570
599
|
size_t *out_len, const RSA *rsa);
|
571
600
|
|
572
601
|
|
602
|
+
// Obscure RSA variants.
|
603
|
+
//
|
604
|
+
// These functions allow creating RSA keys with obscure combinations of
|
605
|
+
// parameters.
|
606
|
+
|
607
|
+
// RSA_new_private_key_no_crt behaves like |RSA_new_private_key| but constructs
|
608
|
+
// an RSA key without CRT coefficients.
|
609
|
+
//
|
610
|
+
// Keys created by this function will be less performant and cannot be
|
611
|
+
// serialized.
|
612
|
+
OPENSSL_EXPORT RSA *RSA_new_private_key_no_crt(const BIGNUM *n, const BIGNUM *e,
|
613
|
+
const BIGNUM *d);
|
614
|
+
|
615
|
+
// RSA_new_private_key_no_e behaves like |RSA_new_private_key| but constructs an
|
616
|
+
// RSA key without CRT parameters or public exponent.
|
617
|
+
//
|
618
|
+
// Keys created by this function will be less performant, cannot be serialized,
|
619
|
+
// and lack hardening measures that protect against side channels and fault
|
620
|
+
// attacks.
|
621
|
+
OPENSSL_EXPORT RSA *RSA_new_private_key_no_e(const BIGNUM *n, const BIGNUM *d);
|
622
|
+
|
623
|
+
// RSA_new_public_key_large_e behaves like |RSA_new_public_key| but allows any
|
624
|
+
// |e| up to |n|.
|
625
|
+
//
|
626
|
+
// BoringSSL typically bounds public exponents as a denial-of-service
|
627
|
+
// mitigation. Keys created by this function may perform worse than those
|
628
|
+
// created by |RSA_new_public_key|.
|
629
|
+
OPENSSL_EXPORT RSA *RSA_new_public_key_large_e(const BIGNUM *n,
|
630
|
+
const BIGNUM *e);
|
631
|
+
|
632
|
+
// RSA_new_private_key_large_e behaves like |RSA_new_private_key| but allows any
|
633
|
+
// |e| up to |n|.
|
634
|
+
//
|
635
|
+
// BoringSSL typically bounds public exponents as a denial-of-service
|
636
|
+
// mitigation. Keys created by this function may perform worse than those
|
637
|
+
// created by |RSA_new_private_key|.
|
638
|
+
OPENSSL_EXPORT RSA *RSA_new_private_key_large_e(
|
639
|
+
const BIGNUM *n, const BIGNUM *e, const BIGNUM *d, const BIGNUM *p,
|
640
|
+
const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1,
|
641
|
+
const BIGNUM *iqmp);
|
642
|
+
|
643
|
+
|
573
644
|
// ex_data functions.
|
574
645
|
//
|
575
646
|
// See |ex_data.h| for details.
|
@@ -600,6 +671,17 @@ OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *rsa, int idx);
|
|
600
671
|
// RSA_FLAG_EXT_PKEY is deprecated and ignored.
|
601
672
|
#define RSA_FLAG_EXT_PKEY 0x20
|
602
673
|
|
674
|
+
// RSA_FLAG_NO_PUBLIC_EXPONENT indicates that private keys without a public
|
675
|
+
// exponent are allowed. This is an internal constant. Use
|
676
|
+
// |RSA_new_private_key_no_e| to construct such keys.
|
677
|
+
#define RSA_FLAG_NO_PUBLIC_EXPONENT 0x40
|
678
|
+
|
679
|
+
// RSA_FLAG_LARGE_PUBLIC_EXPONENT indicates that keys with a large public
|
680
|
+
// exponent are allowed. This is an internal constant. Use
|
681
|
+
// |RSA_new_public_key_large_e| and |RSA_new_private_key_large_e| to construct
|
682
|
+
// such keys.
|
683
|
+
#define RSA_FLAG_LARGE_PUBLIC_EXPONENT 0x80
|
684
|
+
|
603
685
|
|
604
686
|
// RSA public exponent values.
|
605
687
|
|
@@ -688,6 +770,14 @@ OPENSSL_EXPORT int RSA_print(BIO *bio, const RSA *rsa, int indent);
|
|
688
770
|
// the id-RSASSA-PSS key encoding.
|
689
771
|
OPENSSL_EXPORT const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa);
|
690
772
|
|
773
|
+
// RSA_new_method_no_e returns a newly-allocated |RSA| object backed by
|
774
|
+
// |engine|, with a public modulus of |n| and no known public exponent.
|
775
|
+
//
|
776
|
+
// Do not use this function. It exists only to support Conscrypt, whose use
|
777
|
+
// should be replaced with a more sound mechanism. See
|
778
|
+
// https://crbug.com/boringssl/602.
|
779
|
+
OPENSSL_EXPORT RSA *RSA_new_method_no_e(const ENGINE *engine, const BIGNUM *n);
|
780
|
+
|
691
781
|
|
692
782
|
struct rsa_meth_st {
|
693
783
|
struct openssl_method_common_st common;
|
@@ -205,6 +205,11 @@ auto MakeConstSpan(const C &c) -> decltype(MakeConstSpan(c.data(), c.size())) {
|
|
205
205
|
return MakeConstSpan(c.data(), c.size());
|
206
206
|
}
|
207
207
|
|
208
|
+
template <typename T, size_t size>
|
209
|
+
Span<const T> MakeConstSpan(T (&array)[size]) {
|
210
|
+
return array;
|
211
|
+
}
|
212
|
+
|
208
213
|
BSSL_NAMESPACE_END
|
209
214
|
|
210
215
|
} // extern C++
|
@@ -1081,6 +1081,21 @@ OPENSSL_EXPORT int SSL_set_ocsp_response(SSL *ssl,
|
|
1081
1081
|
OPENSSL_EXPORT const char *SSL_get_signature_algorithm_name(uint16_t sigalg,
|
1082
1082
|
int include_curve);
|
1083
1083
|
|
1084
|
+
// SSL_get_all_signature_algorithm_names outputs a list of possible strings
|
1085
|
+
// |SSL_get_signature_algorithm_name| may return in this version of BoringSSL.
|
1086
|
+
// It writes at most |max_out| entries to |out| and returns the total number it
|
1087
|
+
// would have written, if |max_out| had been large enough. |max_out| may be
|
1088
|
+
// initially set to zero to size the output.
|
1089
|
+
//
|
1090
|
+
// This function is only intended to help initialize tables in callers that want
|
1091
|
+
// possible strings pre-declared. This list would not be suitable to set a list
|
1092
|
+
// of supported features. It is in no particular order, and may contain
|
1093
|
+
// placeholder, experimental, or deprecated values that do not apply to every
|
1094
|
+
// caller. Future versions of BoringSSL may also return strings not in this
|
1095
|
+
// list, so this does not apply if, say, sending strings across services.
|
1096
|
+
OPENSSL_EXPORT size_t SSL_get_all_signature_algorithm_names(const char **out,
|
1097
|
+
size_t max_out);
|
1098
|
+
|
1084
1099
|
// SSL_get_signature_algorithm_key_type returns the key type associated with
|
1085
1100
|
// |sigalg| as an |EVP_PKEY_*| constant or |EVP_PKEY_NONE| if unknown.
|
1086
1101
|
OPENSSL_EXPORT int SSL_get_signature_algorithm_key_type(uint16_t sigalg);
|
@@ -1394,6 +1409,37 @@ OPENSSL_EXPORT const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher);
|
|
1394
1409
|
OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher,
|
1395
1410
|
int *out_alg_bits);
|
1396
1411
|
|
1412
|
+
// SSL_get_all_cipher_names outputs a list of possible strings
|
1413
|
+
// |SSL_CIPHER_get_name| may return in this version of BoringSSL. It writes at
|
1414
|
+
// most |max_out| entries to |out| and returns the total number it would have
|
1415
|
+
// written, if |max_out| had been large enough. |max_out| may be initially set
|
1416
|
+
// to zero to size the output.
|
1417
|
+
//
|
1418
|
+
// This function is only intended to help initialize tables in callers that want
|
1419
|
+
// possible strings pre-declared. This list would not be suitable to set a list
|
1420
|
+
// of supported features. It is in no particular order, and may contain
|
1421
|
+
// placeholder, experimental, or deprecated values that do not apply to every
|
1422
|
+
// caller. Future versions of BoringSSL may also return strings not in this
|
1423
|
+
// list, so this does not apply if, say, sending strings across services.
|
1424
|
+
OPENSSL_EXPORT size_t SSL_get_all_cipher_names(const char **out,
|
1425
|
+
size_t max_out);
|
1426
|
+
|
1427
|
+
|
1428
|
+
// SSL_get_all_standard_cipher_names outputs a list of possible strings
|
1429
|
+
// |SSL_CIPHER_standard_name| may return in this version of BoringSSL. It writes
|
1430
|
+
// at most |max_out| entries to |out| and returns the total number it would have
|
1431
|
+
// written, if |max_out| had been large enough. |max_out| may be initially set
|
1432
|
+
// to zero to size the output.
|
1433
|
+
//
|
1434
|
+
// This function is only intended to help initialize tables in callers that want
|
1435
|
+
// possible strings pre-declared. This list would not be suitable to set a list
|
1436
|
+
// of supported features. It is in no particular order, and may contain
|
1437
|
+
// placeholder, experimental, or deprecated values that do not apply to every
|
1438
|
+
// caller. Future versions of BoringSSL may also return strings not in this
|
1439
|
+
// list, so this does not apply if, say, sending strings across services.
|
1440
|
+
OPENSSL_EXPORT size_t SSL_get_all_standard_cipher_names(const char **out,
|
1441
|
+
size_t max_out);
|
1442
|
+
|
1397
1443
|
|
1398
1444
|
// Cipher suite configuration.
|
1399
1445
|
//
|
@@ -1430,7 +1476,8 @@ OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher,
|
|
1430
1476
|
//
|
1431
1477
|
// Available cipher rules are:
|
1432
1478
|
//
|
1433
|
-
// |ALL| matches all ciphers
|
1479
|
+
// |ALL| matches all ciphers, except for deprecated ciphers which must be
|
1480
|
+
// named explicitly.
|
1434
1481
|
//
|
1435
1482
|
// |kRSA|, |kDHE|, |kECDHE|, and |kPSK| match ciphers using plain RSA, DHE,
|
1436
1483
|
// ECDHE, and plain PSK key exchanges, respectively. Note that ECDHE_PSK is
|
@@ -1449,9 +1496,6 @@ OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher,
|
|
1449
1496
|
//
|
1450
1497
|
// |SHA1|, and its alias |SHA|, match legacy cipher suites using HMAC-SHA1.
|
1451
1498
|
//
|
1452
|
-
// Although implemented, authentication-only ciphers match no rules and must be
|
1453
|
-
// explicitly selected by name.
|
1454
|
-
//
|
1455
1499
|
// Deprecated cipher rules:
|
1456
1500
|
//
|
1457
1501
|
// |kEDH|, |EDH|, |kEECDH|, and |EECDH| are legacy aliases for |kDHE|, |DHE|,
|
@@ -1490,8 +1534,7 @@ OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher,
|
|
1490
1534
|
//
|
1491
1535
|
// TLS 1.3 ciphers do not participate in this mechanism and instead have a
|
1492
1536
|
// built-in preference order. Functions to set cipher lists do not affect TLS
|
1493
|
-
// 1.3, and functions to query the cipher list do not include TLS 1.3
|
1494
|
-
// ciphers.
|
1537
|
+
// 1.3, and functions to query the cipher list do not include TLS 1.3 ciphers.
|
1495
1538
|
|
1496
1539
|
// SSL_DEFAULT_CIPHER_LIST is the default cipher suite configuration. It is
|
1497
1540
|
// substituted when a cipher string starts with 'DEFAULT'.
|
@@ -2334,9 +2377,7 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);
|
|
2334
2377
|
#define SSL_CURVE_SECP384R1 24
|
2335
2378
|
#define SSL_CURVE_SECP521R1 25
|
2336
2379
|
#define SSL_CURVE_X25519 29
|
2337
|
-
#define
|
2338
|
-
#define SSL_CURVE_X25519KYBER768 0x6399
|
2339
|
-
#define SSL_CURVE_P256KYBER768 0xfe32
|
2380
|
+
#define SSL_CURVE_X25519_KYBER768_DRAFT00 0x6399
|
2340
2381
|
|
2341
2382
|
// SSL_get_curve_id returns the ID of the curve used by |ssl|'s most recently
|
2342
2383
|
// completed handshake or 0 if not applicable.
|
@@ -2349,6 +2390,20 @@ OPENSSL_EXPORT uint16_t SSL_get_curve_id(const SSL *ssl);
|
|
2349
2390
|
// the given TLS curve id, or NULL if the curve is unknown.
|
2350
2391
|
OPENSSL_EXPORT const char *SSL_get_curve_name(uint16_t curve_id);
|
2351
2392
|
|
2393
|
+
// SSL_get_all_curve_names outputs a list of possible strings
|
2394
|
+
// |SSL_get_curve_name| may return in this version of BoringSSL. It writes at
|
2395
|
+
// most |max_out| entries to |out| and returns the total number it would have
|
2396
|
+
// written, if |max_out| had been large enough. |max_out| may be initially set
|
2397
|
+
// to zero to size the output.
|
2398
|
+
//
|
2399
|
+
// This function is only intended to help initialize tables in callers that want
|
2400
|
+
// possible strings pre-declared. This list would not be suitable to set a list
|
2401
|
+
// of supported features. It is in no particular order, and may contain
|
2402
|
+
// placeholder, experimental, or deprecated values that do not apply to every
|
2403
|
+
// caller. Future versions of BoringSSL may also return strings not in this
|
2404
|
+
// list, so this does not apply if, say, sending strings across services.
|
2405
|
+
OPENSSL_EXPORT size_t SSL_get_all_curve_names(const char **out, size_t max_out);
|
2406
|
+
|
2352
2407
|
// SSL_CTX_set1_groups calls |SSL_CTX_set1_curves|.
|
2353
2408
|
OPENSSL_EXPORT int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups,
|
2354
2409
|
size_t groups_len);
|
@@ -2411,21 +2466,51 @@ OPENSSL_EXPORT int SSL_set1_groups_list(SSL *ssl, const char *groups);
|
|
2411
2466
|
|
2412
2467
|
// SSL_CTX_set_verify configures certificate verification behavior. |mode| is
|
2413
2468
|
// one of the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is
|
2414
|
-
// used to customize certificate verification
|
2415
|
-
// |X509_STORE_CTX_set_verify_cb
|
2469
|
+
// used to customize certificate verification, but is deprecated. See
|
2470
|
+
// |X509_STORE_CTX_set_verify_cb| for details.
|
2416
2471
|
//
|
2417
2472
|
// The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with
|
2418
2473
|
// |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|.
|
2474
|
+
//
|
2475
|
+
// WARNING: |callback| should be NULL. This callback does not replace the
|
2476
|
+
// default certificate verification process and is, instead, called multiple
|
2477
|
+
// times in the course of that process. It is very difficult to implement this
|
2478
|
+
// callback safely, without inadvertently relying on implementation details or
|
2479
|
+
// making incorrect assumptions about when the callback is called.
|
2480
|
+
//
|
2481
|
+
// Instead, use |SSL_CTX_set_custom_verify| or
|
2482
|
+
// |SSL_CTX_set_cert_verify_callback| to customize certificate verification.
|
2483
|
+
// Those callbacks can inspect the peer-sent chain, call |X509_verify_cert| and
|
2484
|
+
// inspect the result, or perform other operations more straightforwardly.
|
2485
|
+
//
|
2486
|
+
// TODO(crbug.com/boringssl/426): We cite |X509_STORE_CTX_set_verify_cb| but
|
2487
|
+
// haven't documented it yet. Later that will have a more detailed warning about
|
2488
|
+
// why one should not use this callback.
|
2419
2489
|
OPENSSL_EXPORT void SSL_CTX_set_verify(
|
2420
2490
|
SSL_CTX *ctx, int mode, int (*callback)(int ok, X509_STORE_CTX *store_ctx));
|
2421
2491
|
|
2422
2492
|
// SSL_set_verify configures certificate verification behavior. |mode| is one of
|
2423
2493
|
// the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is used to
|
2424
|
-
// customize certificate verification. See the behavior of
|
2494
|
+
// customize certificate verification, but is deprecated. See the behavior of
|
2425
2495
|
// |X509_STORE_CTX_set_verify_cb|.
|
2426
2496
|
//
|
2427
2497
|
// The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with
|
2428
2498
|
// |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|.
|
2499
|
+
//
|
2500
|
+
// WARNING: |callback| should be NULL. This callback does not replace the
|
2501
|
+
// default certificate verification process and is, instead, called multiple
|
2502
|
+
// times in the course of that process. It is very difficult to implement this
|
2503
|
+
// callback safely, without inadvertently relying on implementation details or
|
2504
|
+
// making incorrect assumptions about when the callback is called.
|
2505
|
+
//
|
2506
|
+
// Instead, use |SSL_set_custom_verify| or |SSL_CTX_set_cert_verify_callback| to
|
2507
|
+
// customize certificate verification. Those callbacks can inspect the peer-sent
|
2508
|
+
// chain, call |X509_verify_cert| and inspect the result, or perform other
|
2509
|
+
// operations more straightforwardly.
|
2510
|
+
//
|
2511
|
+
// TODO(crbug.com/boringssl/426): We cite |X509_STORE_CTX_set_verify_cb| but
|
2512
|
+
// haven't documented it yet. Later that will have a more detailed warning about
|
2513
|
+
// why one should not use this callback.
|
2429
2514
|
OPENSSL_EXPORT void SSL_set_verify(SSL *ssl, int mode,
|
2430
2515
|
int (*callback)(int ok,
|
2431
2516
|
X509_STORE_CTX *store_ctx));
|
@@ -4528,13 +4613,6 @@ OPENSSL_EXPORT const char *SSL_CIPHER_description(const SSL_CIPHER *cipher,
|
|
4528
4613
|
// SSL_CIPHER_get_version returns the string "TLSv1/SSLv3".
|
4529
4614
|
OPENSSL_EXPORT const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
|
4530
4615
|
|
4531
|
-
// SSL_CIPHER_get_rfc_name returns a newly-allocated string containing the
|
4532
|
-
// result of |SSL_CIPHER_standard_name| or NULL on error. The caller is
|
4533
|
-
// responsible for calling |OPENSSL_free| on the result.
|
4534
|
-
//
|
4535
|
-
// Use |SSL_CIPHER_standard_name| instead.
|
4536
|
-
OPENSSL_EXPORT char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher);
|
4537
|
-
|
4538
4616
|
typedef void COMP_METHOD;
|
4539
4617
|
typedef struct ssl_comp_st SSL_COMP;
|
4540
4618
|
|
@@ -4873,6 +4951,21 @@ OPENSSL_EXPORT long SSL_get_default_timeout(const SSL *ssl);
|
|
4873
4951
|
// For example, "TLSv1.2" or "DTLSv1".
|
4874
4952
|
OPENSSL_EXPORT const char *SSL_get_version(const SSL *ssl);
|
4875
4953
|
|
4954
|
+
// SSL_get_all_version_names outputs a list of possible strings
|
4955
|
+
// |SSL_get_version| may return in this version of BoringSSL. It writes at most
|
4956
|
+
// |max_out| entries to |out| and returns the total number it would have
|
4957
|
+
// written, if |max_out| had been large enough. |max_out| may be initially set
|
4958
|
+
// to zero to size the output.
|
4959
|
+
//
|
4960
|
+
// This function is only intended to help initialize tables in callers that want
|
4961
|
+
// possible strings pre-declared. This list would not be suitable to set a list
|
4962
|
+
// of supported features. It is in no particular order, and may contain
|
4963
|
+
// placeholder, experimental, or deprecated values that do not apply to every
|
4964
|
+
// caller. Future versions of BoringSSL may also return strings not in this
|
4965
|
+
// list, so this does not apply if, say, sending strings across services.
|
4966
|
+
OPENSSL_EXPORT size_t SSL_get_all_version_names(const char **out,
|
4967
|
+
size_t max_out);
|
4968
|
+
|
4876
4969
|
// SSL_get_cipher_list returns the name of the |n|th cipher in the output of
|
4877
4970
|
// |SSL_get_ciphers| or NULL if out of range. Use |SSL_get_ciphers| instead.
|
4878
4971
|
OPENSSL_EXPORT const char *SSL_get_cipher_list(const SSL *ssl, int n);
|
@@ -5168,6 +5261,10 @@ OPENSSL_EXPORT uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *cipher);
|
|
5168
5261
|
// parameters of a TLS connection.
|
5169
5262
|
|
5170
5263
|
enum ssl_compliance_policy_t BORINGSSL_ENUM_INT {
|
5264
|
+
// ssl_compliance_policy_none does nothing. However, since setting this
|
5265
|
+
// doesn't undo other policies it's an error to try and set it.
|
5266
|
+
ssl_compliance_policy_none,
|
5267
|
+
|
5171
5268
|
// ssl_policy_fips_202205 configures a TLS connection to use:
|
5172
5269
|
// * TLS 1.2 or 1.3
|
5173
5270
|
// * For TLS 1.2, only ECDHE_[RSA|ECDSA]_WITH_AES_*_GCM_SHA*.
|
@@ -5182,12 +5279,32 @@ enum ssl_compliance_policy_t BORINGSSL_ENUM_INT {
|
|
5182
5279
|
// Note: this setting aids with compliance with NIST requirements but does not
|
5183
5280
|
// guarantee it. Careful reading of SP 800-52r2 is recommended.
|
5184
5281
|
ssl_compliance_policy_fips_202205,
|
5282
|
+
|
5283
|
+
// ssl_compliance_policy_wpa3_192_202304 configures a TLS connection to use:
|
5284
|
+
// * TLS 1.2 or 1.3.
|
5285
|
+
// * For TLS 1.2, only TLS_ECDHE_[ECDSA|RSA]_WITH_AES_256_GCM_SHA384.
|
5286
|
+
// * For TLS 1.3, only AES-256-GCM.
|
5287
|
+
// * P-384 for key agreement.
|
5288
|
+
// * For handshake signatures, only ECDSA with P-384 and SHA-384, or RSA
|
5289
|
+
// with SHA-384 or SHA-512.
|
5290
|
+
//
|
5291
|
+
// No limitations on the certificate chain nor leaf public key are imposed,
|
5292
|
+
// other than by the supported signature algorithms. But WPA3's "192-bit"
|
5293
|
+
// mode requires at least P-384 or 3072-bit along the chain. The caller must
|
5294
|
+
// enforce this themselves on the verified chain using functions such as
|
5295
|
+
// `X509_STORE_CTX_get0_chain`.
|
5296
|
+
//
|
5297
|
+
// Note that this setting is less secure than the default. The
|
5298
|
+
// implementation risks of using a more obscure primitive like P-384
|
5299
|
+
// dominate other considerations.
|
5300
|
+
ssl_compliance_policy_wpa3_192_202304,
|
5185
5301
|
};
|
5186
5302
|
|
5187
5303
|
// SSL_CTX_set_compliance_policy configures various aspects of |ctx| based on
|
5188
5304
|
// the given policy requirements. Subsequently calling other functions that
|
5189
5305
|
// configure |ctx| may override |policy|, or may not. This should be the final
|
5190
|
-
// configuration function called in order to have defined behaviour.
|
5306
|
+
// configuration function called in order to have defined behaviour. It's a
|
5307
|
+
// fatal error if |policy| is |ssl_compliance_policy_none|.
|
5191
5308
|
OPENSSL_EXPORT int SSL_CTX_set_compliance_policy(
|
5192
5309
|
SSL_CTX *ctx, enum ssl_compliance_policy_t policy);
|
5193
5310
|
|
@@ -5420,6 +5537,18 @@ OPENSSL_EXPORT bool SSL_get_traffic_secrets(
|
|
5420
5537
|
const SSL *ssl, Span<const uint8_t> *out_read_traffic_secret,
|
5421
5538
|
Span<const uint8_t> *out_write_traffic_secret);
|
5422
5539
|
|
5540
|
+
// SSL_CTX_set_aes_hw_override_for_testing sets |override_value| to
|
5541
|
+
// override checking for aes hardware support for testing. If |override_value|
|
5542
|
+
// is set to true, the library will behave as if aes hardware support is
|
5543
|
+
// present. If it is set to false, the library will behave as if aes hardware
|
5544
|
+
// support is not present.
|
5545
|
+
OPENSSL_EXPORT void SSL_CTX_set_aes_hw_override_for_testing(
|
5546
|
+
SSL_CTX *ctx, bool override_value);
|
5547
|
+
|
5548
|
+
// SSL_set_aes_hw_override_for_testing acts the same as
|
5549
|
+
// |SSL_CTX_set_aes_override_for_testing| but only configures a single |SSL*|.
|
5550
|
+
OPENSSL_EXPORT void SSL_set_aes_hw_override_for_testing(SSL *ssl,
|
5551
|
+
bool override_value);
|
5423
5552
|
|
5424
5553
|
BSSL_NAMESPACE_END
|
5425
5554
|
|
@@ -78,6 +78,10 @@ typedef union crypto_mutex_st {
|
|
78
78
|
void *handle;
|
79
79
|
} CRYPTO_MUTEX;
|
80
80
|
#elif !defined(__GLIBC__)
|
81
|
+
#if defined(OPENSSL_OPENBSD)
|
82
|
+
// OpenBSD does not guarantee pthread_rwlock_t in sys/types.h yet.
|
83
|
+
#include <pthread.h>
|
84
|
+
#endif
|
81
85
|
typedef pthread_rwlock_t CRYPTO_MUTEX;
|
82
86
|
#else
|
83
87
|
// On glibc, |pthread_rwlock_t| is hidden under feature flags, and we can't
|
@@ -408,6 +408,8 @@ extern "C" {
|
|
408
408
|
#define TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA 0x0300C013
|
409
409
|
#define TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA 0x0300C014
|
410
410
|
|
411
|
+
#define TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0x0300C027
|
412
|
+
|
411
413
|
#define TLS1_CK_ECDH_anon_WITH_NULL_SHA 0x0300C015
|
412
414
|
#define TLS1_CK_ECDH_anon_WITH_RC4_128_SHA 0x0300C016
|
413
415
|
#define TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA 0x0300C017
|
@@ -518,6 +520,8 @@ extern "C" {
|
|
518
520
|
#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA "ECDHE-RSA-AES128-SHA"
|
519
521
|
#define TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA "ECDHE-RSA-AES256-SHA"
|
520
522
|
|
523
|
+
#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA256 "ECDHE-RSA-AES128-SHA256"
|
524
|
+
|
521
525
|
#define TLS1_TXT_ECDH_anon_WITH_NULL_SHA "AECDH-NULL-SHA"
|
522
526
|
#define TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA "AECDH-RC4-SHA"
|
523
527
|
#define TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA "AECDH-DES-CBC3-SHA"
|
@@ -48,6 +48,14 @@ OPENSSL_EXPORT const TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v2_voprf(void);
|
|
48
48
|
// PMBTokens and P-384 with up to 3 keys, without RR verification.
|
49
49
|
OPENSSL_EXPORT const TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v2_pmb(void);
|
50
50
|
|
51
|
+
// TRUST_TOKEN_pst_v1_voprf is an experimental Trust Tokens protocol
|
52
|
+
// using VOPRFs and P-384 with up to 6 keys, without RR verification.
|
53
|
+
OPENSSL_EXPORT const TRUST_TOKEN_METHOD *TRUST_TOKEN_pst_v1_voprf(void);
|
54
|
+
|
55
|
+
// TRUST_TOKEN_pst_v1_pmb is an experimental Trust Tokens protocol using
|
56
|
+
// PMBTokens and P-384 with up to 3 keys, without RR verification.
|
57
|
+
OPENSSL_EXPORT const TRUST_TOKEN_METHOD *TRUST_TOKEN_pst_v1_pmb(void);
|
58
|
+
|
51
59
|
// trust_token_st represents a single-use token for the Trust Token protocol.
|
52
60
|
// For the client, this is the token and its corresponding signature. For the
|
53
61
|
// issuer, this is the token itself.
|