grpc 1.55.0 → 1.56.0.pre3
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +100 -68
- data/include/grpc/event_engine/event_engine.h +4 -3
- data/include/grpc/grpc_audit_logging.h +96 -0
- data/include/grpc/module.modulemap +2 -0
- data/include/grpc/support/json.h +218 -0
- data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +5 -0
- data/src/core/ext/filters/client_channel/backend_metric.cc +2 -0
- data/src/core/ext/filters/client_channel/channel_connectivity.cc +4 -4
- data/src/core/ext/filters/client_channel/client_channel.cc +86 -104
- data/src/core/ext/filters/client_channel/client_channel.h +6 -0
- data/src/core/ext/filters/client_channel/client_channel_channelz.cc +19 -18
- data/src/core/ext/filters/client_channel/client_channel_internal.h +16 -21
- data/src/core/ext/filters/client_channel/config_selector.h +9 -24
- data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +3 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +5 -4
- data/src/core/ext/filters/client_channel/lb_policy/health_check_client.cc +455 -0
- data/src/core/ext/filters/client_channel/lb_policy/health_check_client.h +54 -0
- data/src/core/ext/filters/client_channel/lb_policy/health_check_client_internal.h +186 -0
- data/src/core/ext/filters/client_channel/lb_policy/oob_backend_metric.cc +2 -7
- data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.cc +52 -20
- data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.h +23 -2
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +19 -6
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +1 -9
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +16 -7
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +18 -1
- data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +12 -9
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +6 -4
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +36 -13
- data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/static_stride_scheduler.cc +76 -6
- data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +32 -39
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +4 -10
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +52 -47
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +1 -9
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +14 -16
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +40 -43
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +7 -12
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_wrr_locality.cc +12 -19
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +35 -33
- data/src/core/ext/filters/client_channel/resolver/dns/event_engine/event_engine_client_channel_resolver.cc +29 -4
- data/src/core/ext/filters/client_channel/resolver/dns/event_engine/service_config_helper.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +28 -27
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +163 -46
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.h +16 -1
- data/src/core/ext/filters/client_channel/retry_service_config.cc +1 -0
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +10 -40
- data/src/core/ext/filters/client_channel/subchannel.cc +10 -196
- data/src/core/ext/filters/client_channel/subchannel.h +3 -43
- data/src/core/ext/filters/http/message_compress/compression_filter.cc +5 -5
- data/src/core/ext/filters/rbac/rbac_service_config_parser.cc +100 -6
- data/src/core/ext/filters/server_config_selector/server_config_selector_filter.cc +6 -8
- data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +3 -3
- data/src/core/ext/filters/stateful_session/stateful_session_filter.h +16 -1
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +46 -95
- data/src/core/ext/transport/chttp2/transport/internal.h +1 -15
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +11 -2
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +15 -0
- data/src/core/ext/xds/certificate_provider_store.cc +4 -9
- data/src/core/ext/xds/certificate_provider_store.h +1 -1
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc +30 -42
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.h +14 -9
- data/src/core/ext/xds/xds_api.cc +9 -6
- data/src/core/ext/xds/xds_api.h +3 -2
- data/src/core/ext/xds/xds_audit_logger_registry.cc +122 -0
- data/src/core/ext/xds/xds_audit_logger_registry.h +68 -0
- data/src/core/ext/xds/xds_bootstrap_grpc.cc +21 -9
- data/src/core/ext/xds/xds_bootstrap_grpc.h +5 -0
- data/src/core/ext/xds/xds_client.cc +5 -4
- data/src/core/ext/xds/xds_client_stats.h +1 -1
- data/src/core/ext/xds/xds_cluster.cc +20 -19
- data/src/core/ext/xds/xds_cluster_specifier_plugin.cc +11 -8
- data/src/core/ext/xds/xds_common_types.cc +3 -1
- data/src/core/ext/xds/xds_http_fault_filter.cc +16 -13
- data/src/core/ext/xds/xds_http_fault_filter.h +2 -1
- data/src/core/ext/xds/xds_http_filters.h +4 -2
- data/src/core/ext/xds/xds_http_rbac_filter.cc +154 -67
- data/src/core/ext/xds/xds_http_rbac_filter.h +2 -1
- data/src/core/ext/xds/xds_http_stateful_session_filter.cc +15 -11
- data/src/core/ext/xds/xds_http_stateful_session_filter.h +2 -1
- data/src/core/ext/xds/xds_lb_policy_registry.cc +22 -16
- data/src/core/ext/xds/xds_listener.cc +1 -0
- data/src/core/ext/xds/xds_route_config.cc +40 -3
- data/src/core/ext/xds/xds_routing.cc +2 -2
- data/src/core/ext/xds/xds_transport_grpc.cc +3 -1
- data/src/core/lib/avl/avl.h +5 -0
- data/src/core/lib/channel/channel_args.cc +80 -22
- data/src/core/lib/channel/channel_args.h +34 -1
- data/src/core/lib/channel/channel_trace.cc +16 -12
- data/src/core/lib/channel/channelz.cc +159 -132
- data/src/core/lib/channel/channelz.h +42 -35
- data/src/core/lib/channel/channelz_registry.cc +23 -20
- data/src/core/lib/channel/connected_channel.cc +17 -6
- data/src/core/lib/channel/promise_based_filter.cc +0 -4
- data/src/core/lib/channel/promise_based_filter.h +2 -0
- data/src/core/lib/compression/compression_internal.cc +2 -5
- data/src/core/lib/config/config_vars.cc +20 -18
- data/src/core/lib/config/config_vars.h +4 -4
- data/src/core/lib/config/load_config.cc +13 -0
- data/src/core/lib/config/load_config.h +6 -0
- data/src/core/lib/debug/event_log.h +1 -1
- data/src/core/lib/debug/stats_data.h +1 -1
- data/src/core/lib/debug/trace.cc +24 -55
- data/src/core/lib/debug/trace.h +3 -1
- data/src/core/lib/event_engine/cf_engine/cf_engine.cc +211 -0
- data/src/core/lib/event_engine/cf_engine/cf_engine.h +86 -0
- data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.cc +354 -0
- data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.h +146 -0
- data/src/core/lib/event_engine/cf_engine/cftype_unique_ref.h +79 -0
- data/src/core/lib/event_engine/default_event_engine.cc +13 -1
- data/src/core/lib/event_engine/default_event_engine_factory.cc +14 -2
- data/src/core/lib/event_engine/poller.h +2 -2
- data/src/core/lib/event_engine/posix.h +4 -0
- data/src/core/lib/event_engine/posix_engine/ev_epoll1_linux.cc +1 -1
- data/src/core/lib/event_engine/posix_engine/lockfree_event.cc +7 -18
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +9 -0
- data/src/core/lib/event_engine/posix_engine/posix_engine.cc +33 -19
- data/src/core/lib/event_engine/posix_engine/posix_engine.h +1 -1
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +4 -4
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.h +7 -8
- data/src/core/lib/event_engine/posix_engine/timer_manager.h +1 -1
- data/src/core/lib/event_engine/shim.cc +7 -1
- data/src/core/lib/event_engine/{thread_pool.cc → thread_pool/original_thread_pool.cc} +28 -25
- data/src/core/lib/event_engine/{thread_pool.h → thread_pool/original_thread_pool.h} +11 -15
- data/src/core/lib/event_engine/thread_pool/thread_pool.h +50 -0
- data/src/core/lib/event_engine/{executor/executor.h → thread_pool/thread_pool_factory.cc} +17 -15
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.cc +489 -0
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.h +249 -0
- data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.cc +166 -0
- data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.h +108 -0
- data/src/core/lib/event_engine/windows/iocp.cc +4 -3
- data/src/core/lib/event_engine/windows/iocp.h +3 -3
- data/src/core/lib/event_engine/windows/win_socket.cc +6 -6
- data/src/core/lib/event_engine/windows/win_socket.h +4 -4
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +11 -10
- data/src/core/lib/event_engine/windows/windows_endpoint.h +3 -2
- data/src/core/lib/event_engine/windows/windows_engine.cc +19 -17
- data/src/core/lib/event_engine/windows/windows_engine.h +6 -6
- data/src/core/lib/event_engine/windows/windows_listener.cc +3 -3
- data/src/core/lib/event_engine/windows/windows_listener.h +3 -2
- data/src/core/lib/event_engine/work_queue/basic_work_queue.cc +63 -0
- data/src/core/lib/event_engine/work_queue/basic_work_queue.h +71 -0
- data/src/core/lib/event_engine/work_queue/work_queue.h +62 -0
- data/src/core/lib/experiments/config.cc +38 -7
- data/src/core/lib/experiments/config.h +16 -0
- data/src/core/lib/experiments/experiments.cc +67 -20
- data/src/core/lib/experiments/experiments.h +27 -21
- data/src/core/lib/gpr/log_internal.h +55 -0
- data/src/core/lib/gprpp/crash.cc +10 -0
- data/src/core/lib/gprpp/crash.h +3 -0
- data/src/core/lib/gprpp/per_cpu.cc +33 -0
- data/src/core/lib/gprpp/per_cpu.h +29 -6
- data/src/core/lib/gprpp/time.cc +1 -0
- data/src/core/lib/iomgr/cfstream_handle.cc +1 -1
- data/src/core/lib/iomgr/endpoint_cfstream.cc +10 -8
- data/src/core/lib/iomgr/ev_apple.cc +12 -12
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +10 -3
- data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +15 -1
- data/src/core/lib/iomgr/iocp_windows.cc +24 -3
- data/src/core/lib/iomgr/iocp_windows.h +11 -0
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +4 -2
- data/src/core/lib/iomgr/socket_windows.cc +61 -7
- data/src/core/lib/iomgr/socket_windows.h +9 -2
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +14 -3
- data/src/core/lib/iomgr/tcp_server_posix.cc +148 -107
- data/src/core/lib/iomgr/tcp_server_utils_posix.h +1 -1
- data/src/core/lib/iomgr/tcp_server_windows.cc +1 -1
- data/src/core/lib/json/json.h +2 -166
- data/src/core/lib/json/json_object_loader.cc +8 -9
- data/src/core/lib/json/json_object_loader.h +25 -18
- data/src/core/lib/json/json_reader.cc +13 -6
- data/src/core/lib/json/json_util.cc +6 -11
- data/src/core/lib/json/json_writer.cc +7 -8
- data/src/core/lib/load_balancing/lb_policy.h +13 -0
- data/src/core/lib/load_balancing/lb_policy_registry.cc +2 -1
- data/src/core/lib/matchers/matchers.cc +3 -4
- data/src/core/lib/matchers/matchers.h +2 -1
- data/src/core/lib/promise/activity.cc +5 -0
- data/src/core/lib/promise/activity.h +10 -0
- data/src/core/lib/promise/detail/promise_factory.h +1 -1
- data/src/core/lib/promise/party.cc +31 -13
- data/src/core/lib/promise/party.h +11 -2
- data/src/core/lib/promise/pipe.h +9 -2
- data/src/core/lib/promise/prioritized_race.h +95 -0
- data/src/core/lib/promise/sleep.cc +2 -1
- data/src/core/lib/resolver/server_address.cc +0 -8
- data/src/core/lib/resolver/server_address.h +0 -6
- data/src/core/lib/resource_quota/memory_quota.cc +7 -7
- data/src/core/lib/resource_quota/memory_quota.h +1 -2
- data/src/core/lib/security/authorization/audit_logging.cc +98 -0
- data/src/core/lib/security/authorization/audit_logging.h +73 -0
- data/src/core/lib/security/authorization/grpc_authorization_engine.cc +47 -2
- data/src/core/lib/security/authorization/grpc_authorization_engine.h +18 -1
- data/src/core/lib/security/authorization/rbac_policy.cc +36 -4
- data/src/core/lib/security/authorization/rbac_policy.h +19 -2
- data/src/core/lib/security/authorization/stdout_logger.cc +75 -0
- data/src/core/lib/security/authorization/stdout_logger.h +61 -0
- data/src/core/lib/security/certificate_provider/certificate_provider_factory.h +8 -4
- data/src/core/lib/security/certificate_provider/certificate_provider_registry.cc +8 -18
- data/src/core/lib/security/certificate_provider/certificate_provider_registry.h +14 -8
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +19 -12
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +4 -2
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +1 -0
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +1 -0
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +1 -0
- data/src/core/lib/security/credentials/jwt/json_token.cc +15 -14
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +4 -2
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +1 -0
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +1 -0
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +1 -5
- data/src/core/lib/security/util/json_util.cc +1 -0
- data/src/core/lib/service_config/service_config_call_data.h +49 -20
- data/src/core/lib/service_config/service_config_impl.cc +2 -1
- data/src/core/lib/surface/call.cc +38 -23
- data/src/core/lib/surface/completion_queue.cc +6 -2
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/batch_builder.cc +15 -12
- data/src/core/lib/transport/batch_builder.h +39 -35
- data/src/core/plugin_registry/grpc_plugin_registry.cc +0 -2
- data/src/core/plugin_registry/grpc_plugin_registry_extra.cc +2 -0
- data/src/ruby/ext/grpc/extconf.rb +8 -9
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +10 -6
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +7 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +5 -9
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +31 -22
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +29 -26
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +189 -13
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_openbsd.c +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_openbsd.c +31 -0
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519_tables.h +795 -795
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +18 -6
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +15 -7
- data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +24 -24
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +7 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +74 -74
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +11 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz.c +12 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +14 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256_table.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +10 -10
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +23 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/{hkdf → fipsmodule/hkdf}/hkdf.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +2 -10
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +115 -133
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +12 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +57 -47
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/polyval.c +27 -28
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +21 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +5 -288
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +143 -83
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +95 -183
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +71 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/internal.h +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +33 -0
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +162 -6
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +18 -0
- data/third_party/boringssl-with-bazel/src/crypto/kyber/kyber.c +18 -11
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +6 -13
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +18 -14
- data/third_party/boringssl-with-bazel/src/crypto/{refcount_lock.c → refcount_no_threads.c} +3 -13
- data/third_party/boringssl-with-bazel/src/crypto/refcount_win.c +89 -0
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/internal.h +77 -0
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_crypt.c +568 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +218 -44
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +35 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +588 -39
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +27 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +17 -39
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +39 -48
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +0 -140
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +72 -23
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +11 -14
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +33 -46
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +3 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +14 -46
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +14 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +17 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +5 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +6 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +32 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +0 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +1 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +28 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +2 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +91 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +149 -20
- data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +8 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +774 -615
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +42 -10
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +11 -6
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +2 -4
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +24 -16
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +65 -18
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +37 -18
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +187 -193
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +13 -129
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +85 -10
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +17 -4
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +27 -19
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +5 -21
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +5 -2
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64_msvc.h +1281 -0
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64_msvc.h +2002 -0
- data/third_party/cares/cares/include/ares.h +23 -1
- data/third_party/cares/cares/{src/lib → include}/ares_nameser.h +9 -7
- data/third_party/cares/cares/include/ares_rules.h +2 -2
- data/third_party/cares/cares/include/ares_version.h +3 -3
- data/third_party/cares/cares/src/lib/ares__addrinfo2hostent.c +266 -0
- data/third_party/cares/cares/src/lib/ares__addrinfo_localhost.c +240 -0
- data/third_party/cares/cares/src/lib/ares__parse_into_addrinfo.c +49 -80
- data/third_party/cares/cares/src/lib/ares__readaddrinfo.c +37 -43
- data/third_party/cares/cares/src/lib/ares__sortaddrinfo.c +12 -4
- data/third_party/cares/cares/src/lib/ares_data.c +16 -0
- data/third_party/cares/cares/src/lib/ares_data.h +7 -0
- data/third_party/cares/cares/src/lib/ares_destroy.c +8 -0
- data/third_party/cares/cares/src/lib/ares_expand_name.c +17 -6
- data/third_party/cares/cares/src/lib/ares_freeaddrinfo.c +1 -0
- data/third_party/cares/cares/src/lib/ares_getaddrinfo.c +156 -78
- data/third_party/cares/cares/src/lib/ares_gethostbyname.c +130 -326
- data/third_party/cares/cares/src/lib/ares_init.c +97 -485
- data/third_party/cares/cares/src/lib/ares_library_init.c +2 -89
- data/third_party/cares/cares/src/lib/ares_parse_a_reply.c +23 -142
- data/third_party/cares/cares/src/lib/ares_parse_aaaa_reply.c +22 -142
- data/third_party/cares/cares/src/lib/ares_parse_uri_reply.c +184 -0
- data/third_party/cares/cares/src/lib/ares_private.h +30 -16
- data/third_party/cares/cares/src/lib/ares_process.c +55 -16
- data/third_party/cares/cares/src/lib/ares_query.c +1 -35
- data/third_party/cares/cares/src/lib/ares_rand.c +279 -0
- data/third_party/cares/cares/src/lib/ares_send.c +5 -7
- data/third_party/cares/cares/src/lib/ares_strdup.c +12 -19
- data/third_party/cares/cares/src/lib/ares_strsplit.c +44 -128
- data/third_party/cares/cares/src/lib/ares_strsplit.h +9 -10
- data/third_party/cares/cares/src/lib/inet_net_pton.c +78 -116
- data/third_party/cares/cares/src/tools/ares_getopt.h +53 -0
- metadata +50 -14
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +0 -175
- data/src/core/ext/filters/client_channel/health/health_check_client.h +0 -43
- data/third_party/cares/cares/src/lib/ares_library_init.h +0 -43
@@ -104,9 +104,13 @@ typedef void *(*X509V3_EXT_R2I)(const X509V3_EXT_METHOD *method,
|
|
104
104
|
struct v3_ext_method {
|
105
105
|
int ext_nid;
|
106
106
|
int ext_flags;
|
107
|
-
|
107
|
+
|
108
|
+
// it determines how values of this extension are allocated, released, parsed,
|
109
|
+
// and marshalled. This must be non-NULL.
|
108
110
|
ASN1_ITEM_EXP *it;
|
109
|
-
|
111
|
+
|
112
|
+
// The following functions are ignored in favor of |it|. They are retained in
|
113
|
+
// the struct only for source compatibility with existing struct definitions.
|
110
114
|
X509V3_EXT_NEW ext_new;
|
111
115
|
X509V3_EXT_FREE ext_free;
|
112
116
|
X509V3_EXT_D2I d2i;
|
@@ -130,7 +134,6 @@ struct v3_ext_method {
|
|
130
134
|
DEFINE_STACK_OF(X509V3_EXT_METHOD)
|
131
135
|
|
132
136
|
// ext_flags values
|
133
|
-
#define X509V3_EXT_DYNAMIC 0x1
|
134
137
|
#define X509V3_EXT_CTX_DEP 0x2
|
135
138
|
#define X509V3_EXT_MULTILINE 0x4
|
136
139
|
|
@@ -546,9 +549,11 @@ OPENSSL_EXPORT void X509V3_conf_free(CONF_VALUE *val);
|
|
546
549
|
//
|
547
550
|
// These functions are not safe to use with untrusted inputs. The string formats
|
548
551
|
// may implicitly reference context information and, in OpenSSL (though not
|
549
|
-
// BoringSSL), one even allows reading arbitrary files.
|
550
|
-
//
|
551
|
-
//
|
552
|
+
// BoringSSL), one even allows reading arbitrary files. Many formats can also
|
553
|
+
// produce far larger outputs than their inputs, so untrusted inputs may lead to
|
554
|
+
// denial-of-service attacks. Finally, the parsers see much less testing and
|
555
|
+
// review than most of the library and may have bugs including memory leaks or
|
556
|
+
// crashes.
|
552
557
|
|
553
558
|
// v3_ext_ctx, aka |X509V3_CTX|, contains additional context information for
|
554
559
|
// constructing extensions. Some string formats reference additional values in
|
@@ -663,10 +668,37 @@ OPENSSL_EXPORT ASN1_INTEGER *s2i_ASN1_INTEGER(const X509V3_EXT_METHOD *meth,
|
|
663
668
|
const char *value);
|
664
669
|
OPENSSL_EXPORT char *i2s_ASN1_ENUMERATED(const X509V3_EXT_METHOD *meth,
|
665
670
|
const ASN1_ENUMERATED *aint);
|
666
|
-
|
667
|
-
|
668
|
-
|
669
|
-
|
671
|
+
|
672
|
+
// X509V3_EXT_add registers |ext| as a custom extension for the extension type
|
673
|
+
// |ext->ext_nid|. |ext| must be valid for the remainder of the address space's
|
674
|
+
// lifetime. It returns one on success and zero on error.
|
675
|
+
//
|
676
|
+
// WARNING: This function modifies global state. If other code in the same
|
677
|
+
// address space also registers an extension with type |ext->ext_nid|, the two
|
678
|
+
// registrations will conflict. Which registration takes effect is undefined. If
|
679
|
+
// the two registrations use incompatible in-memory representations, code
|
680
|
+
// expecting the other registration will then cast a type to the wrong type,
|
681
|
+
// resulting in a potentially exploitable memory error. This conflict can also
|
682
|
+
// occur if BoringSSL later adds support for |ext->ext_nid|, with a different
|
683
|
+
// in-memory representation than the one expected by |ext|.
|
684
|
+
//
|
685
|
+
// This function, additionally, is not thread-safe and cannot be called
|
686
|
+
// concurrently with any other BoringSSL function.
|
687
|
+
//
|
688
|
+
// As a result, it is impossible to safely use this function. Registering a
|
689
|
+
// custom extension has no impact on certificate verification so, instead,
|
690
|
+
// callers should simply handle the custom extension with the byte-based
|
691
|
+
// |X509_EXTENSION| APIs directly. Registering |ext| with the library has little
|
692
|
+
// practical value.
|
693
|
+
OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
|
694
|
+
|
695
|
+
// X509V3_EXT_add_alias registers a custom extension with NID |nid_to|. The
|
696
|
+
// corresponding ASN.1 type is copied from |nid_from|. It returns one on success
|
697
|
+
// and zero on error.
|
698
|
+
//
|
699
|
+
// WARNING: Do not use this function. See |X509V3_EXT_add|.
|
700
|
+
OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add_alias(int nid_to,
|
701
|
+
int nid_from);
|
670
702
|
|
671
703
|
OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get(
|
672
704
|
const X509_EXTENSION *ext);
|
@@ -601,8 +601,8 @@ bool ssl_is_valid_ech_config_list(Span<const uint8_t> ech_config_list) {
|
|
601
601
|
|
602
602
|
static bool select_ech_cipher_suite(const EVP_HPKE_KDF **out_kdf,
|
603
603
|
const EVP_HPKE_AEAD **out_aead,
|
604
|
-
Span<const uint8_t> cipher_suites
|
605
|
-
|
604
|
+
Span<const uint8_t> cipher_suites,
|
605
|
+
const bool has_aes_hardware) {
|
606
606
|
const EVP_HPKE_AEAD *aead = nullptr;
|
607
607
|
CBS cbs = cipher_suites;
|
608
608
|
while (CBS_len(&cbs) != 0) {
|
@@ -660,7 +660,10 @@ bool ssl_select_ech_config(SSL_HANDSHAKE *hs, Span<uint8_t> out_enc,
|
|
660
660
|
const EVP_HPKE_AEAD *aead;
|
661
661
|
if (supported && //
|
662
662
|
ech_config.kem_id == EVP_HPKE_DHKEM_X25519_HKDF_SHA256 &&
|
663
|
-
select_ech_cipher_suite(&kdf, &aead, ech_config.cipher_suites
|
663
|
+
select_ech_cipher_suite(&kdf, &aead, ech_config.cipher_suites,
|
664
|
+
hs->ssl->config->aes_hw_override
|
665
|
+
? hs->ssl->config->aes_hw_override_value
|
666
|
+
: EVP_has_aes_hardware())) {
|
664
667
|
ScopedCBB info;
|
665
668
|
static const uint8_t kInfoLabel[] = "tls ech"; // includes trailing NUL
|
666
669
|
if (!CBB_init(info.get(), sizeof(kInfoLabel) + ech_config.raw.size()) ||
|
@@ -714,9 +717,11 @@ static bool setup_ech_grease(SSL_HANDSHAKE *hs) {
|
|
714
717
|
}
|
715
718
|
|
716
719
|
const uint16_t kdf_id = EVP_HPKE_HKDF_SHA256;
|
717
|
-
const
|
718
|
-
|
719
|
-
|
720
|
+
const bool has_aes_hw = hs->ssl->config->aes_hw_override
|
721
|
+
? hs->ssl->config->aes_hw_override_value
|
722
|
+
: EVP_has_aes_hardware();
|
723
|
+
const EVP_HPKE_AEAD *aead =
|
724
|
+
has_aes_hw ? EVP_hpke_aes_128_gcm() : EVP_hpke_chacha20_poly1305();
|
720
725
|
static_assert(ssl_grease_ech_config_id < sizeof(hs->grease_seed),
|
721
726
|
"hs->grease_seed is too small");
|
722
727
|
uint8_t config_id = hs->grease_seed[ssl_grease_ech_config_id];
|
@@ -206,9 +206,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) {
|
|
206
206
|
|
207
207
|
static bool is_post_quantum_group(uint16_t id) {
|
208
208
|
switch (id) {
|
209
|
-
case
|
210
|
-
case SSL_CURVE_X25519KYBER768:
|
211
|
-
case SSL_CURVE_P256KYBER768:
|
209
|
+
case SSL_CURVE_X25519_KYBER768_DRAFT00:
|
212
210
|
return true;
|
213
211
|
default:
|
214
212
|
return false;
|
@@ -414,7 +412,7 @@ bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves) {
|
|
414
412
|
bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
|
415
413
|
if (is_post_quantum_group(group_id) &&
|
416
414
|
ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
|
417
|
-
//
|
415
|
+
// Post-quantum "groups" require TLS 1.3.
|
418
416
|
return false;
|
419
417
|
}
|
420
418
|
|
@@ -215,6 +215,14 @@ static void ssl_get_client_disabled(const SSL_HANDSHAKE *hs,
|
|
215
215
|
}
|
216
216
|
}
|
217
217
|
|
218
|
+
static bool ssl_add_tls13_cipher(CBB *cbb, uint16_t cipher_id,
|
219
|
+
ssl_compliance_policy_t policy) {
|
220
|
+
if (ssl_tls13_cipher_meets_policy(cipher_id, policy)) {
|
221
|
+
return CBB_add_u16(cbb, cipher_id);
|
222
|
+
}
|
223
|
+
return true;
|
224
|
+
}
|
225
|
+
|
218
226
|
static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
|
219
227
|
ssl_client_hello_type_t type) {
|
220
228
|
const SSL *const ssl = hs->ssl;
|
@@ -235,22 +243,22 @@ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
|
|
235
243
|
// Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on
|
236
244
|
// hardware support.
|
237
245
|
if (hs->max_version >= TLS1_3_VERSION) {
|
238
|
-
const bool
|
239
|
-
|
240
|
-
|
241
|
-
|
242
|
-
if (!
|
243
|
-
|
244
|
-
|
245
|
-
|
246
|
-
|
247
|
-
|
248
|
-
!
|
249
|
-
|
250
|
-
|
251
|
-
|
252
|
-
|
253
|
-
|
246
|
+
const bool has_aes_hw = ssl->config->aes_hw_override
|
247
|
+
? ssl->config->aes_hw_override_value
|
248
|
+
: EVP_has_aes_hardware();
|
249
|
+
|
250
|
+
if ((!has_aes_hw && //
|
251
|
+
!ssl_add_tls13_cipher(&child,
|
252
|
+
TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
|
253
|
+
ssl->config->tls13_cipher_policy)) ||
|
254
|
+
!ssl_add_tls13_cipher(&child, TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,
|
255
|
+
ssl->config->tls13_cipher_policy) ||
|
256
|
+
!ssl_add_tls13_cipher(&child, TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,
|
257
|
+
ssl->config->tls13_cipher_policy) ||
|
258
|
+
(has_aes_hw && //
|
259
|
+
!ssl_add_tls13_cipher(&child,
|
260
|
+
TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
|
261
|
+
ssl->config->tls13_cipher_policy))) {
|
254
262
|
return false;
|
255
263
|
}
|
256
264
|
}
|
@@ -451,6 +451,27 @@ class GrowableArray {
|
|
451
451
|
// CBBFinishArray behaves like |CBB_finish| but stores the result in an Array.
|
452
452
|
OPENSSL_EXPORT bool CBBFinishArray(CBB *cbb, Array<uint8_t> *out);
|
453
453
|
|
454
|
+
// GetAllNames helps to implement |*_get_all_*_names| style functions. It
|
455
|
+
// writes at most |max_out| string pointers to |out| and returns the number that
|
456
|
+
// it would have liked to have written. The strings written consist of
|
457
|
+
// |fixed_names_len| strings from |fixed_names| followed by |objects_len|
|
458
|
+
// strings taken by projecting |objects| through |name|.
|
459
|
+
template <typename T, typename Name>
|
460
|
+
inline size_t GetAllNames(const char **out, size_t max_out,
|
461
|
+
Span<const char *const> fixed_names, Name(T::*name),
|
462
|
+
Span<const T> objects) {
|
463
|
+
auto span = bssl::MakeSpan(out, max_out);
|
464
|
+
for (size_t i = 0; !span.empty() && i < fixed_names.size(); i++) {
|
465
|
+
span[0] = fixed_names[i];
|
466
|
+
span = span.subspan(1);
|
467
|
+
}
|
468
|
+
span = span.subspan(0, objects.size());
|
469
|
+
for (size_t i = 0; i < span.size(); i++) {
|
470
|
+
span[i] = objects[i].*name;
|
471
|
+
}
|
472
|
+
return fixed_names.size() + objects.size();
|
473
|
+
}
|
474
|
+
|
454
475
|
|
455
476
|
// Protocol versions.
|
456
477
|
//
|
@@ -547,15 +568,15 @@ BSSL_NAMESPACE_BEGIN
|
|
547
568
|
#define SSL_AES256 0x00000004u
|
548
569
|
#define SSL_AES128GCM 0x00000008u
|
549
570
|
#define SSL_AES256GCM 0x00000010u
|
550
|
-
#define
|
551
|
-
#define SSL_CHACHA20POLY1305 0x00000040u
|
571
|
+
#define SSL_CHACHA20POLY1305 0x00000020u
|
552
572
|
|
553
573
|
#define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM)
|
554
574
|
|
555
575
|
// Bits for |algorithm_mac| (symmetric authentication).
|
556
576
|
#define SSL_SHA1 0x00000001u
|
577
|
+
#define SSL_SHA256 0x00000002u
|
557
578
|
// SSL_AEAD is set for all AEADs.
|
558
|
-
#define SSL_AEAD
|
579
|
+
#define SSL_AEAD 0x00000004u
|
559
580
|
|
560
581
|
// Bits for |algorithm_prf| (handshake digest).
|
561
582
|
#define SSL_HANDSHAKE_MAC_DEFAULT 0x1
|
@@ -633,9 +654,11 @@ const EVP_MD *ssl_get_handshake_digest(uint16_t version,
|
|
633
654
|
// newly-allocated |SSLCipherPreferenceList| containing the result. It returns
|
634
655
|
// true on success and false on failure. If |strict| is true, nonsense will be
|
635
656
|
// rejected. If false, nonsense will be silently ignored. An empty result is
|
636
|
-
// considered an error regardless of |strict|.
|
657
|
+
// considered an error regardless of |strict|. |has_aes_hw| indicates if the
|
658
|
+
// list should be ordered based on having support for AES in hardware or not.
|
637
659
|
bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
|
638
|
-
const char *rule_str,
|
660
|
+
const bool has_aes_hw, const char *rule_str,
|
661
|
+
bool strict);
|
639
662
|
|
640
663
|
// ssl_cipher_auth_mask_for_key returns the mask of cipher |algorithm_auth|
|
641
664
|
// values suitable for use with |key| in TLS 1.2 and below.
|
@@ -659,14 +682,20 @@ size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher);
|
|
659
682
|
|
660
683
|
// ssl_choose_tls13_cipher returns an |SSL_CIPHER| corresponding with the best
|
661
684
|
// available from |cipher_suites| compatible with |version|, |group_id|, and
|
662
|
-
// |
|
663
|
-
|
664
|
-
|
685
|
+
// |policy|. It returns NULL if there isn't a compatible cipher. |has_aes_hw|
|
686
|
+
// indicates if the choice should be made as if support for AES in hardware
|
687
|
+
// is available.
|
688
|
+
const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw,
|
689
|
+
uint16_t version, uint16_t group_id,
|
690
|
+
enum ssl_compliance_policy_t policy);
|
665
691
|
|
666
692
|
// ssl_tls13_cipher_meets_policy returns true if |cipher_id| is acceptable given
|
667
|
-
// |
|
668
|
-
|
669
|
-
|
693
|
+
// |policy|.
|
694
|
+
bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id,
|
695
|
+
enum ssl_compliance_policy_t policy);
|
696
|
+
|
697
|
+
// ssl_cipher_is_deprecated returns true if |cipher| is deprecated.
|
698
|
+
OPENSSL_EXPORT bool ssl_cipher_is_deprecated(const SSL_CIPHER *cipher);
|
670
699
|
|
671
700
|
|
672
701
|
// Transcript layer.
|
@@ -1103,7 +1132,7 @@ class SSLKeyShare {
|
|
1103
1132
|
struct NamedGroup {
|
1104
1133
|
int nid;
|
1105
1134
|
uint16_t group_id;
|
1106
|
-
const char name[
|
1135
|
+
const char name[32], alias[32];
|
1107
1136
|
};
|
1108
1137
|
|
1109
1138
|
// NamedGroups returns all supported groups.
|
@@ -3059,6 +3088,10 @@ struct SSL_CONFIG {
|
|
3059
3088
|
// structure for the client to use when negotiating ECH.
|
3060
3089
|
Array<uint8_t> client_ech_config_list;
|
3061
3090
|
|
3091
|
+
// tls13_cipher_policy limits the set of ciphers that can be selected when
|
3092
|
+
// negotiating a TLS 1.3 connection.
|
3093
|
+
enum ssl_compliance_policy_t tls13_cipher_policy = ssl_compliance_policy_none;
|
3094
|
+
|
3062
3095
|
// verify_mode is a bitmask of |SSL_VERIFY_*| values.
|
3063
3096
|
uint8_t verify_mode = SSL_VERIFY_NONE;
|
3064
3097
|
|
@@ -3108,9 +3141,14 @@ struct SSL_CONFIG {
|
|
3108
3141
|
// permute_extensions is whether to permute extensions when sending messages.
|
3109
3142
|
bool permute_extensions : 1;
|
3110
3143
|
|
3111
|
-
//
|
3112
|
-
//
|
3113
|
-
bool
|
3144
|
+
// aes_hw_override if set indicates we should override checking for aes
|
3145
|
+
// hardware support, and use the value in aes_hw_override_value instead.
|
3146
|
+
bool aes_hw_override : 1;
|
3147
|
+
|
3148
|
+
// aes_hw_override_value is used for testing to indicate the support or lack
|
3149
|
+
// of support for AES hw. The value is only considered if |aes_hw_override| is
|
3150
|
+
// true.
|
3151
|
+
bool aes_hw_override_value : 1;
|
3114
3152
|
};
|
3115
3153
|
|
3116
3154
|
// From RFC 8446, used in determining PSK modes.
|
@@ -3671,6 +3709,10 @@ struct ssl_ctx_st {
|
|
3671
3709
|
int (*legacy_ocsp_callback)(SSL *ssl, void *arg) = nullptr;
|
3672
3710
|
void *legacy_ocsp_callback_arg = nullptr;
|
3673
3711
|
|
3712
|
+
// tls13_cipher_policy limits the set of ciphers that can be selected when
|
3713
|
+
// negotiating a TLS 1.3 connection.
|
3714
|
+
enum ssl_compliance_policy_t tls13_cipher_policy = ssl_compliance_policy_none;
|
3715
|
+
|
3674
3716
|
// verify_sigalgs, if not empty, is the set of signature algorithms
|
3675
3717
|
// accepted from the peer in decreasing order of preference.
|
3676
3718
|
bssl::Array<uint16_t> verify_sigalgs;
|
@@ -3718,9 +3760,14 @@ struct ssl_ctx_st {
|
|
3718
3760
|
// If enable_early_data is true, early data can be sent and accepted.
|
3719
3761
|
bool enable_early_data : 1;
|
3720
3762
|
|
3721
|
-
//
|
3722
|
-
//
|
3723
|
-
bool
|
3763
|
+
// aes_hw_override if set indicates we should override checking for AES
|
3764
|
+
// hardware support, and use the value in aes_hw_override_value instead.
|
3765
|
+
bool aes_hw_override : 1;
|
3766
|
+
|
3767
|
+
// aes_hw_override_value is used for testing to indicate the support or lack
|
3768
|
+
// of support for AES hardware. The value is only considered if
|
3769
|
+
// |aes_hw_override| is true.
|
3770
|
+
bool aes_hw_override_value : 1;
|
3724
3771
|
|
3725
3772
|
private:
|
3726
3773
|
~ssl_ctx_st();
|
@@ -663,7 +663,7 @@ void tls_next_message(SSL *ssl) {
|
|
663
663
|
// the client.
|
664
664
|
class CipherScorer {
|
665
665
|
public:
|
666
|
-
CipherScorer() : aes_is_fine_(
|
666
|
+
CipherScorer(bool has_aes_hw) : aes_is_fine_(has_aes_hw) {}
|
667
667
|
|
668
668
|
typedef std::tuple<bool, bool> Score;
|
669
669
|
|
@@ -685,31 +685,50 @@ class CipherScorer {
|
|
685
685
|
const bool aes_is_fine_;
|
686
686
|
};
|
687
687
|
|
688
|
-
bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id,
|
689
|
-
|
690
|
-
|
691
|
-
|
692
|
-
|
693
|
-
switch (cipher_id) {
|
694
|
-
case TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff:
|
695
|
-
case TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff:
|
688
|
+
bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id,
|
689
|
+
enum ssl_compliance_policy_t policy) {
|
690
|
+
switch (policy) {
|
691
|
+
case ssl_compliance_policy_none:
|
696
692
|
return true;
|
697
|
-
|
698
|
-
|
699
|
-
|
700
|
-
|
701
|
-
|
693
|
+
|
694
|
+
case ssl_compliance_policy_fips_202205:
|
695
|
+
switch (cipher_id) {
|
696
|
+
case TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff:
|
697
|
+
case TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff:
|
698
|
+
return true;
|
699
|
+
case TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff:
|
700
|
+
return false;
|
701
|
+
default:
|
702
|
+
assert(false);
|
703
|
+
return false;
|
704
|
+
}
|
705
|
+
|
706
|
+
case ssl_compliance_policy_wpa3_192_202304:
|
707
|
+
switch (cipher_id) {
|
708
|
+
case TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff:
|
709
|
+
return true;
|
710
|
+
case TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff:
|
711
|
+
case TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff:
|
712
|
+
return false;
|
713
|
+
default:
|
714
|
+
assert(false);
|
715
|
+
return false;
|
716
|
+
}
|
702
717
|
}
|
718
|
+
|
719
|
+
assert(false);
|
720
|
+
return false;
|
703
721
|
}
|
704
722
|
|
705
|
-
const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites,
|
706
|
-
uint16_t
|
723
|
+
const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw,
|
724
|
+
uint16_t version, uint16_t group_id,
|
725
|
+
enum ssl_compliance_policy_t policy) {
|
707
726
|
if (CBS_len(&cipher_suites) % 2 != 0) {
|
708
727
|
return nullptr;
|
709
728
|
}
|
710
729
|
|
711
730
|
const SSL_CIPHER *best = nullptr;
|
712
|
-
CipherScorer scorer;
|
731
|
+
CipherScorer scorer(has_aes_hw);
|
713
732
|
CipherScorer::Score best_score = scorer.MinScore();
|
714
733
|
|
715
734
|
while (CBS_len(&cipher_suites) > 0) {
|
@@ -727,7 +746,7 @@ const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, uint16_t version,
|
|
727
746
|
}
|
728
747
|
|
729
748
|
if (!ssl_tls13_cipher_meets_policy(SSL_CIPHER_get_protocol_id(candidate),
|
730
|
-
|
749
|
+
policy)) {
|
731
750
|
continue;
|
732
751
|
}
|
733
752
|
|