grpc 1.55.3 → 1.56.0.pre3





Files changed (385)
  1. checksums.yaml +4 -4
  2. data/Makefile +100 -70
  3. data/include/grpc/event_engine/event_engine.h +4 -3
  4. data/include/grpc/grpc_audit_logging.h +96 -0
  5. data/include/grpc/module.modulemap +2 -0
  6. data/include/grpc/support/json.h +218 -0
  7. data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +5 -0
  8. data/src/core/ext/filters/client_channel/backend_metric.cc +2 -0
  9. data/src/core/ext/filters/client_channel/channel_connectivity.cc +4 -4
  10. data/src/core/ext/filters/client_channel/client_channel.cc +82 -98
  11. data/src/core/ext/filters/client_channel/client_channel.h +4 -0
  12. data/src/core/ext/filters/client_channel/client_channel_channelz.cc +19 -18
  13. data/src/core/ext/filters/client_channel/client_channel_internal.h +16 -21
  14. data/src/core/ext/filters/client_channel/config_selector.h +9 -24
  15. data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +3 -0
  16. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +5 -4
  17. data/src/core/ext/filters/client_channel/lb_policy/health_check_client.cc +455 -0
  18. data/src/core/ext/filters/client_channel/lb_policy/health_check_client.h +54 -0
  19. data/src/core/ext/filters/client_channel/lb_policy/health_check_client_internal.h +186 -0
  20. data/src/core/ext/filters/client_channel/lb_policy/oob_backend_metric.cc +2 -7
  21. data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.cc +52 -20
  22. data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.h +23 -2
  23. data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +19 -6
  24. data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +1 -9
  25. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +16 -7
  26. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +18 -1
  27. data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +12 -9
  28. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +6 -4
  29. data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +36 -13
  30. data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/static_stride_scheduler.cc +76 -6
  31. data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +32 -39
  32. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +4 -10
  33. data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +52 -47
  34. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +1 -9
  35. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +14 -16
  36. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +40 -43
  37. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +7 -12
  38. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_wrr_locality.cc +12 -19
  39. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +35 -33
  40. data/src/core/ext/filters/client_channel/resolver/dns/event_engine/event_engine_client_channel_resolver.cc +29 -4
  41. data/src/core/ext/filters/client_channel/resolver/dns/event_engine/service_config_helper.cc +1 -1
  42. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +28 -27
  43. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +163 -46
  44. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.h +16 -1
  45. data/src/core/ext/filters/client_channel/retry_service_config.cc +1 -0
  46. data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +10 -40
  47. data/src/core/ext/filters/client_channel/subchannel.cc +10 -196
  48. data/src/core/ext/filters/client_channel/subchannel.h +3 -43
  49. data/src/core/ext/filters/http/message_compress/compression_filter.cc +5 -5
  50. data/src/core/ext/filters/rbac/rbac_service_config_parser.cc +100 -6
  51. data/src/core/ext/filters/server_config_selector/server_config_selector_filter.cc +6 -8
  52. data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +3 -3
  53. data/src/core/ext/filters/stateful_session/stateful_session_filter.h +16 -1
  54. data/src/core/ext/transport/chttp2/transport/flow_control.cc +46 -95
  55. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +543 -567
  56. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +9 -150
  57. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +32 -46
  58. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +5 -18
  59. data/src/core/ext/transport/chttp2/transport/internal.h +1 -15
  60. data/src/core/ext/transport/chttp2/transport/parsing.cc +12 -12
  61. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +11 -2
  62. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +15 -0
  63. data/src/core/ext/xds/certificate_provider_store.cc +4 -9
  64. data/src/core/ext/xds/certificate_provider_store.h +1 -1
  65. data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc +30 -42
  66. data/src/core/ext/xds/file_watcher_certificate_provider_factory.h +14 -9
  67. data/src/core/ext/xds/xds_api.cc +9 -6
  68. data/src/core/ext/xds/xds_api.h +3 -2
  69. data/src/core/ext/xds/xds_audit_logger_registry.cc +122 -0
  70. data/src/core/ext/xds/xds_audit_logger_registry.h +68 -0
  71. data/src/core/ext/xds/xds_bootstrap_grpc.cc +21 -9
  72. data/src/core/ext/xds/xds_bootstrap_grpc.h +5 -0
  73. data/src/core/ext/xds/xds_client.cc +5 -4
  74. data/src/core/ext/xds/xds_client_stats.h +1 -1
  75. data/src/core/ext/xds/xds_cluster.cc +20 -19
  76. data/src/core/ext/xds/xds_cluster_specifier_plugin.cc +11 -8
  77. data/src/core/ext/xds/xds_common_types.cc +3 -1
  78. data/src/core/ext/xds/xds_http_fault_filter.cc +16 -13
  79. data/src/core/ext/xds/xds_http_fault_filter.h +2 -1
  80. data/src/core/ext/xds/xds_http_filters.h +4 -2
  81. data/src/core/ext/xds/xds_http_rbac_filter.cc +154 -67
  82. data/src/core/ext/xds/xds_http_rbac_filter.h +2 -1
  83. data/src/core/ext/xds/xds_http_stateful_session_filter.cc +15 -11
  84. data/src/core/ext/xds/xds_http_stateful_session_filter.h +2 -1
  85. data/src/core/ext/xds/xds_lb_policy_registry.cc +22 -16
  86. data/src/core/ext/xds/xds_listener.cc +1 -0
  87. data/src/core/ext/xds/xds_route_config.cc +40 -3
  88. data/src/core/ext/xds/xds_routing.cc +2 -2
  89. data/src/core/ext/xds/xds_transport_grpc.cc +3 -1
  90. data/src/core/lib/avl/avl.h +5 -0
  91. data/src/core/lib/backoff/random_early_detection.h +0 -5
  92. data/src/core/lib/channel/channel_args.cc +80 -22
  93. data/src/core/lib/channel/channel_args.h +34 -1
  94. data/src/core/lib/channel/channel_trace.cc +16 -12
  95. data/src/core/lib/channel/channelz.cc +159 -132
  96. data/src/core/lib/channel/channelz.h +42 -35
  97. data/src/core/lib/channel/channelz_registry.cc +23 -20
  98. data/src/core/lib/channel/connected_channel.cc +17 -6
  99. data/src/core/lib/channel/promise_based_filter.cc +0 -4
  100. data/src/core/lib/channel/promise_based_filter.h +2 -0
  101. data/src/core/lib/compression/compression_internal.cc +2 -5
  102. data/src/core/lib/config/config_vars.cc +20 -18
  103. data/src/core/lib/config/config_vars.h +4 -4
  104. data/src/core/lib/config/load_config.cc +13 -0
  105. data/src/core/lib/config/load_config.h +6 -0
  106. data/src/core/lib/debug/event_log.h +1 -1
  107. data/src/core/lib/debug/stats_data.h +1 -1
  108. data/src/core/lib/debug/trace.cc +24 -55
  109. data/src/core/lib/debug/trace.h +3 -1
  110. data/src/core/lib/event_engine/cf_engine/cf_engine.cc +211 -0
  111. data/src/core/lib/event_engine/cf_engine/cf_engine.h +86 -0
  112. data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.cc +354 -0
  113. data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.h +146 -0
  114. data/src/core/lib/event_engine/cf_engine/cftype_unique_ref.h +79 -0
  115. data/src/core/lib/event_engine/default_event_engine.cc +13 -1
  116. data/src/core/lib/event_engine/default_event_engine_factory.cc +14 -2
  117. data/src/core/lib/event_engine/poller.h +2 -2
  118. data/src/core/lib/event_engine/posix.h +4 -0
  119. data/src/core/lib/event_engine/posix_engine/ev_epoll1_linux.cc +1 -1
  120. data/src/core/lib/event_engine/posix_engine/lockfree_event.cc +7 -18
  121. data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +9 -0
  122. data/src/core/lib/event_engine/posix_engine/posix_engine.cc +3 -2
  123. data/src/core/lib/event_engine/posix_engine/posix_engine.h +1 -2
  124. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +4 -33
  125. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.h +7 -11
  126. data/src/core/lib/event_engine/posix_engine/timer_manager.h +1 -1
  127. data/src/core/lib/event_engine/shim.cc +7 -1
  128. data/src/core/lib/event_engine/{thread_pool.cc → thread_pool/original_thread_pool.cc} +28 -25
  129. data/src/core/lib/event_engine/{thread_pool.h → thread_pool/original_thread_pool.h} +11 -15
  130. data/src/core/lib/event_engine/thread_pool/thread_pool.h +50 -0
  131. data/src/core/lib/event_engine/{executor/executor.h → thread_pool/thread_pool_factory.cc} +17 -15
  132. data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.cc +489 -0
  133. data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.h +249 -0
  134. data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.cc +166 -0
  135. data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.h +108 -0
  136. data/src/core/lib/event_engine/windows/iocp.cc +4 -3
  137. data/src/core/lib/event_engine/windows/iocp.h +3 -3
  138. data/src/core/lib/event_engine/windows/win_socket.cc +6 -6
  139. data/src/core/lib/event_engine/windows/win_socket.h +4 -4
  140. data/src/core/lib/event_engine/windows/windows_endpoint.cc +11 -10
  141. data/src/core/lib/event_engine/windows/windows_endpoint.h +3 -2
  142. data/src/core/lib/event_engine/windows/windows_engine.cc +19 -17
  143. data/src/core/lib/event_engine/windows/windows_engine.h +6 -6
  144. data/src/core/lib/event_engine/windows/windows_listener.cc +3 -3
  145. data/src/core/lib/event_engine/windows/windows_listener.h +3 -2
  146. data/src/core/lib/event_engine/work_queue/basic_work_queue.cc +63 -0
  147. data/src/core/lib/event_engine/work_queue/basic_work_queue.h +71 -0
  148. data/src/core/lib/event_engine/work_queue/work_queue.h +62 -0
  149. data/src/core/lib/experiments/config.cc +38 -7
  150. data/src/core/lib/experiments/config.h +16 -0
  151. data/src/core/lib/experiments/experiments.cc +67 -20
  152. data/src/core/lib/experiments/experiments.h +27 -21
  153. data/src/core/lib/gpr/log_internal.h +55 -0
  154. data/src/core/lib/gprpp/crash.cc +10 -0
  155. data/src/core/lib/gprpp/crash.h +3 -0
  156. data/src/core/lib/gprpp/per_cpu.cc +33 -0
  157. data/src/core/lib/gprpp/per_cpu.h +29 -6
  158. data/src/core/lib/gprpp/time.cc +1 -0
  159. data/src/core/lib/iomgr/cfstream_handle.cc +1 -1
  160. data/src/core/lib/iomgr/endpoint_cfstream.cc +10 -8
  161. data/src/core/lib/iomgr/ev_apple.cc +12 -12
  162. data/src/core/lib/iomgr/ev_epoll1_linux.cc +10 -3
  163. data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +15 -1
  164. data/src/core/lib/iomgr/iocp_windows.cc +24 -3
  165. data/src/core/lib/iomgr/iocp_windows.h +11 -0
  166. data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +1 -1
  167. data/src/core/lib/iomgr/socket_utils_common_posix.cc +4 -2
  168. data/src/core/lib/iomgr/socket_windows.cc +61 -7
  169. data/src/core/lib/iomgr/socket_windows.h +9 -2
  170. data/src/core/lib/iomgr/tcp_client_cfstream.cc +14 -3
  171. data/src/core/lib/iomgr/tcp_server_posix.cc +156 -140
  172. data/src/core/lib/iomgr/tcp_server_utils_posix.h +1 -13
  173. data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +0 -21
  174. data/src/core/lib/iomgr/tcp_server_windows.cc +1 -1
  175. data/src/core/lib/json/json.h +2 -166
  176. data/src/core/lib/json/json_object_loader.cc +8 -9
  177. data/src/core/lib/json/json_object_loader.h +25 -18
  178. data/src/core/lib/json/json_reader.cc +13 -6
  179. data/src/core/lib/json/json_util.cc +6 -11
  180. data/src/core/lib/json/json_writer.cc +7 -8
  181. data/src/core/lib/load_balancing/lb_policy.h +13 -0
  182. data/src/core/lib/load_balancing/lb_policy_registry.cc +2 -1
  183. data/src/core/lib/matchers/matchers.cc +3 -4
  184. data/src/core/lib/matchers/matchers.h +2 -1
  185. data/src/core/lib/promise/activity.cc +5 -0
  186. data/src/core/lib/promise/activity.h +10 -0
  187. data/src/core/lib/promise/detail/promise_factory.h +1 -1
  188. data/src/core/lib/promise/party.cc +31 -13
  189. data/src/core/lib/promise/party.h +11 -2
  190. data/src/core/lib/promise/pipe.h +9 -2
  191. data/src/core/lib/promise/prioritized_race.h +95 -0
  192. data/src/core/lib/promise/sleep.cc +2 -1
  193. data/src/core/lib/resolver/server_address.cc +0 -8
  194. data/src/core/lib/resolver/server_address.h +0 -6
  195. data/src/core/lib/resource_quota/memory_quota.cc +7 -7
  196. data/src/core/lib/resource_quota/memory_quota.h +1 -2
  197. data/src/core/lib/security/authorization/audit_logging.cc +98 -0
  198. data/src/core/lib/security/authorization/audit_logging.h +73 -0
  199. data/src/core/lib/security/authorization/grpc_authorization_engine.cc +47 -2
  200. data/src/core/lib/security/authorization/grpc_authorization_engine.h +18 -1
  201. data/src/core/lib/security/authorization/rbac_policy.cc +36 -4
  202. data/src/core/lib/security/authorization/rbac_policy.h +19 -2
  203. data/src/core/lib/security/authorization/stdout_logger.cc +75 -0
  204. data/src/core/lib/security/authorization/stdout_logger.h +61 -0
  205. data/src/core/lib/security/certificate_provider/certificate_provider_factory.h +8 -4
  206. data/src/core/lib/security/certificate_provider/certificate_provider_registry.cc +8 -18
  207. data/src/core/lib/security/certificate_provider/certificate_provider_registry.h +14 -8
  208. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +19 -12
  209. data/src/core/lib/security/credentials/external/external_account_credentials.cc +4 -2
  210. data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +1 -0
  211. data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +1 -0
  212. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +1 -0
  213. data/src/core/lib/security/credentials/jwt/json_token.cc +15 -14
  214. data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +4 -2
  215. data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +1 -0
  216. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +1 -0
  217. data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +1 -5
  218. data/src/core/lib/security/util/json_util.cc +1 -0
  219. data/src/core/lib/service_config/service_config_call_data.h +49 -20
  220. data/src/core/lib/service_config/service_config_impl.cc +2 -1
  221. data/src/core/lib/surface/call.cc +38 -23
  222. data/src/core/lib/surface/completion_queue.cc +6 -2
  223. data/src/core/lib/surface/validate_metadata.cc +22 -37
  224. data/src/core/lib/surface/validate_metadata.h +3 -13
  225. data/src/core/lib/surface/version.cc +2 -2
  226. data/src/core/lib/transport/batch_builder.cc +15 -12
  227. data/src/core/lib/transport/batch_builder.h +39 -35
  228. data/src/core/plugin_registry/grpc_plugin_registry.cc +0 -2
  229. data/src/core/plugin_registry/grpc_plugin_registry_extra.cc +2 -0
  230. data/src/ruby/ext/grpc/extconf.rb +8 -9
  231. data/src/ruby/lib/grpc/version.rb +1 -1
  232. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +9 -8
  233. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +1 -1
  234. data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +3 -3
  235. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +10 -6
  236. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +7 -4
  237. data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +6 -4
  238. data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +2 -1
  239. data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +5 -9
  240. data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +4 -2
  241. data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +31 -22
  242. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +29 -26
  243. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +8 -0
  244. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +189 -13
  245. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_openbsd.c +62 -0
  246. data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_openbsd.c +31 -0
  247. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +6 -4
  248. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519_tables.h +795 -795
  249. data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +1 -5
  250. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +4 -0
  251. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +18 -6
  252. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +15 -7
  253. data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.c +1 -1
  254. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +1 -1
  255. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +1 -0
  256. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +3 -0
  257. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +24 -24
  258. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +1 -1
  259. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +7 -7
  260. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +74 -74
  261. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +1 -2
  262. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +11 -11
  263. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz.c +12 -12
  264. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +14 -15
  265. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256_table.h +1 -1
  266. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +10 -10
  267. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +23 -23
  268. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +13 -13
  269. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +1 -1
  270. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +2 -2
  271. data/third_party/boringssl-with-bazel/src/crypto/{hkdf → fipsmodule/hkdf}/hkdf.c +1 -1
  272. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +2 -10
  273. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +1 -4
  274. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +115 -133
  275. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +12 -14
  276. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +57 -47
  277. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -8
  278. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/polyval.c +27 -28
  279. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -23
  280. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +21 -16
  281. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +5 -288
  282. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +143 -83
  283. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +95 -183
  284. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +71 -0
  285. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/internal.h +8 -0
  286. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +33 -0
  287. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +162 -6
  288. data/third_party/boringssl-with-bazel/src/crypto/internal.h +18 -0
  289. data/third_party/boringssl-with-bazel/src/crypto/kyber/kyber.c +18 -11
  290. data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +6 -13
  291. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +18 -14
  292. data/third_party/boringssl-with-bazel/src/crypto/{refcount_lock.c → refcount_no_threads.c} +3 -13
  293. data/third_party/boringssl-with-bazel/src/crypto/refcount_win.c +89 -0
  294. data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/internal.h +77 -0
  295. data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_crypt.c +568 -0
  296. data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +62 -0
  297. data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +218 -44
  298. data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +35 -0
  299. data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +588 -39
  300. data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +27 -18
  301. data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +1 -1
  302. data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +17 -39
  303. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +39 -48
  304. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +0 -140
  305. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +72 -23
  306. data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +11 -14
  307. data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +1 -1
  308. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +2 -2
  309. data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +1 -1
  310. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +33 -46
  311. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +1 -0
  312. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +3 -5
  313. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +14 -46
  314. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +14 -26
  315. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +17 -10
  316. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1 -1
  317. data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +5 -7
  318. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +6 -4
  319. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +32 -1
  320. data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +0 -4
  321. data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +1 -4
  322. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +3 -3
  323. data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +28 -0
  324. data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +2 -11
  325. data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -3
  326. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +91 -1
  327. data/third_party/boringssl-with-bazel/src/include/openssl/span.h +5 -0
  328. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +149 -20
  329. data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +4 -0
  330. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +4 -0
  331. data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +8 -0
  332. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +774 -615
  333. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +42 -10
  334. data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +11 -6
  335. data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +2 -4
  336. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +24 -16
  337. data/third_party/boringssl-with-bazel/src/ssl/internal.h +65 -18
  338. data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +37 -18
  339. data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +187 -193
  340. data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +13 -129
  341. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +85 -10
  342. data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +17 -4
  343. data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +27 -19
  344. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +1 -1
  345. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +5 -21
  346. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +5 -2
  347. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64_msvc.h +1281 -0
  348. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64_msvc.h +2002 -0
  349. data/third_party/cares/cares/include/ares.h +23 -1
  350. data/third_party/cares/cares/{src/lib → include}/ares_nameser.h +9 -7
  351. data/third_party/cares/cares/include/ares_rules.h +2 -2
  352. data/third_party/cares/cares/include/ares_version.h +3 -3
  353. data/third_party/cares/cares/src/lib/ares__addrinfo2hostent.c +266 -0
  354. data/third_party/cares/cares/src/lib/ares__addrinfo_localhost.c +240 -0
  355. data/third_party/cares/cares/src/lib/ares__parse_into_addrinfo.c +49 -80
  356. data/third_party/cares/cares/src/lib/ares__readaddrinfo.c +37 -43
  357. data/third_party/cares/cares/src/lib/ares__sortaddrinfo.c +12 -4
  358. data/third_party/cares/cares/src/lib/ares_data.c +16 -0
  359. data/third_party/cares/cares/src/lib/ares_data.h +7 -0
  360. data/third_party/cares/cares/src/lib/ares_destroy.c +8 -0
  361. data/third_party/cares/cares/src/lib/ares_expand_name.c +17 -6
  362. data/third_party/cares/cares/src/lib/ares_freeaddrinfo.c +1 -0
  363. data/third_party/cares/cares/src/lib/ares_getaddrinfo.c +156 -78
  364. data/third_party/cares/cares/src/lib/ares_gethostbyname.c +130 -326
  365. data/third_party/cares/cares/src/lib/ares_init.c +97 -485
  366. data/third_party/cares/cares/src/lib/ares_library_init.c +2 -89
  367. data/third_party/cares/cares/src/lib/ares_parse_a_reply.c +23 -142
  368. data/third_party/cares/cares/src/lib/ares_parse_aaaa_reply.c +22 -142
  369. data/third_party/cares/cares/src/lib/ares_parse_uri_reply.c +184 -0
  370. data/third_party/cares/cares/src/lib/ares_private.h +30 -16
  371. data/third_party/cares/cares/src/lib/ares_process.c +55 -16
  372. data/third_party/cares/cares/src/lib/ares_query.c +1 -35
  373. data/third_party/cares/cares/src/lib/ares_rand.c +279 -0
  374. data/third_party/cares/cares/src/lib/ares_send.c +5 -7
  375. data/third_party/cares/cares/src/lib/ares_strdup.c +12 -19
  376. data/third_party/cares/cares/src/lib/ares_strsplit.c +44 -128
  377. data/third_party/cares/cares/src/lib/ares_strsplit.h +9 -10
  378. data/third_party/cares/cares/src/lib/inet_net_pton.c +78 -116
  379. data/third_party/cares/cares/src/tools/ares_getopt.h +53 -0
  380. metadata +50 -16
  381. data/src/core/ext/filters/client_channel/health/health_check_client.cc +0 -175
  382. data/src/core/ext/filters/client_channel/health/health_check_client.h +0 -43
  383. data/src/core/ext/transport/chttp2/transport/hpack_parse_result.cc +0 -176
  384. data/src/core/ext/transport/chttp2/transport/hpack_parse_result.h +0 -325
  385. data/third_party/cares/cares/src/lib/ares_library_init.h +0 -43
@@ -29,6 +29,7 @@
29
29
  #include <openssl/mem.h>
30
30
  #include <openssl/nid.h>
31
31
  #include <openssl/rand.h>
32
+ #include <openssl/span.h>
32
33
 
33
34
  #include "internal.h"
34
35
  #include "../crypto/internal.h"
@@ -192,106 +193,13 @@ class X25519KeyShare : public SSLKeyShare {
192
193
  uint8_t private_key_[32];
193
194
  };
194
195
 
195
- class CECPQ2KeyShare : public SSLKeyShare {
196
- public:
197
- CECPQ2KeyShare() {}
198
-
199
- uint16_t GroupID() const override { return SSL_CURVE_CECPQ2; }
200
-
201
- bool Generate(CBB *out) override {
202
- uint8_t x25519_public_key[32];
203
- X25519_keypair(x25519_public_key, x25519_private_key_);
204
-
205
- uint8_t hrss_entropy[HRSS_GENERATE_KEY_BYTES];
206
- HRSS_public_key hrss_public_key;
207
- RAND_bytes(hrss_entropy, sizeof(hrss_entropy));
208
- if (!HRSS_generate_key(&hrss_public_key, &hrss_private_key_,
209
- hrss_entropy)) {
210
- return false;
211
- }
212
-
213
- uint8_t hrss_public_key_bytes[HRSS_PUBLIC_KEY_BYTES];
214
- HRSS_marshal_public_key(hrss_public_key_bytes, &hrss_public_key);
215
-
216
- if (!CBB_add_bytes(out, x25519_public_key, sizeof(x25519_public_key)) ||
217
- !CBB_add_bytes(out, hrss_public_key_bytes,
218
- sizeof(hrss_public_key_bytes))) {
219
- return false;
220
- }
221
-
222
- return true;
223
- }
224
-
225
- bool Encap(CBB *out_ciphertext, Array<uint8_t> *out_secret,
226
- uint8_t *out_alert, Span<const uint8_t> peer_key) override {
227
- Array<uint8_t> secret;
228
- if (!secret.Init(32 + HRSS_KEY_BYTES)) {
229
- return false;
230
- }
231
-
232
- uint8_t x25519_public_key[32];
233
- X25519_keypair(x25519_public_key, x25519_private_key_);
234
-
235
- HRSS_public_key peer_public_key;
236
- if (peer_key.size() != 32 + HRSS_PUBLIC_KEY_BYTES ||
237
- !HRSS_parse_public_key(&peer_public_key, peer_key.data() + 32) ||
238
- !X25519(secret.data(), x25519_private_key_, peer_key.data())) {
239
- *out_alert = SSL_AD_DECODE_ERROR;
240
- OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
241
- return false;
242
- }
243
-
244
- uint8_t ciphertext[HRSS_CIPHERTEXT_BYTES];
245
- uint8_t entropy[HRSS_ENCAP_BYTES];
246
- RAND_bytes(entropy, sizeof(entropy));
247
-
248
- if (!HRSS_encap(ciphertext, secret.data() + 32, &peer_public_key,
249
- entropy) ||
250
- !CBB_add_bytes(out_ciphertext, x25519_public_key,
251
- sizeof(x25519_public_key)) ||
252
- !CBB_add_bytes(out_ciphertext, ciphertext, sizeof(ciphertext))) {
253
- return false;
254
- }
255
-
256
- *out_secret = std::move(secret);
257
- return true;
258
- }
259
-
260
- bool Decap(Array<uint8_t> *out_secret, uint8_t *out_alert,
261
- Span<const uint8_t> ciphertext) override {
262
- *out_alert = SSL_AD_INTERNAL_ERROR;
263
-
264
- Array<uint8_t> secret;
265
- if (!secret.Init(32 + HRSS_KEY_BYTES)) {
266
- return false;
267
- }
268
-
269
- if (ciphertext.size() != 32 + HRSS_CIPHERTEXT_BYTES ||
270
- !X25519(secret.data(), x25519_private_key_, ciphertext.data())) {
271
- *out_alert = SSL_AD_DECODE_ERROR;
272
- OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
273
- return false;
274
- }
275
-
276
- if (!HRSS_decap(secret.data() + 32, &hrss_private_key_,
277
- ciphertext.data() + 32, ciphertext.size() - 32)) {
278
- return false;
279
- }
280
-
281
- *out_secret = std::move(secret);
282
- return true;
283
- }
284
-
285
- private:
286
- uint8_t x25519_private_key_[32];
287
- HRSS_private_key hrss_private_key_;
288
- };
289
-
290
196
  class X25519Kyber768KeyShare : public SSLKeyShare {
291
197
  public:
292
198
  X25519Kyber768KeyShare() {}
293
199
 
294
- uint16_t GroupID() const override { return SSL_CURVE_X25519KYBER768; }
200
+ uint16_t GroupID() const override {
201
+ return SSL_CURVE_X25519_KYBER768_DRAFT00;
202
+ }
295
203
 
296
204
  bool Generate(CBB *out) override {
297
205
  uint8_t x25519_public_key[32];
@@ -376,39 +284,14 @@ class X25519Kyber768KeyShare : public SSLKeyShare {
376
284
  KYBER_private_key kyber_private_key_;
377
285
  };
378
286
 
379
- class P256Kyber768KeyShare : public SSLKeyShare {
380
- public:
381
- P256Kyber768KeyShare() {}
382
-
383
- uint16_t GroupID() const override { return SSL_CURVE_P256KYBER768; }
384
-
385
- bool Generate(CBB *out) override {
386
- // There is no implementation on Kyber in BoringSSL. BoringSSL must be
387
- // patched for this KEM to be workable. It is not enabled by default.
388
- return false;
389
- }
390
-
391
- bool Encap(CBB *out_ciphertext, Array<uint8_t> *out_secret,
392
- uint8_t *out_alert, Span<const uint8_t> peer_key) override {
393
- return false;
394
- }
395
-
396
- bool Decap(Array<uint8_t> *out_secret, uint8_t *out_alert,
397
- Span<const uint8_t> ciphertext) override {
398
- return false;
399
- }
400
- };
401
-
402
287
  constexpr NamedGroup kNamedGroups[] = {
403
288
  {NID_secp224r1, SSL_CURVE_SECP224R1, "P-224", "secp224r1"},
404
289
  {NID_X9_62_prime256v1, SSL_CURVE_SECP256R1, "P-256", "prime256v1"},
405
290
  {NID_secp384r1, SSL_CURVE_SECP384R1, "P-384", "secp384r1"},
406
291
  {NID_secp521r1, SSL_CURVE_SECP521R1, "P-521", "secp521r1"},
407
292
  {NID_X25519, SSL_CURVE_X25519, "X25519", "x25519"},
408
- {NID_CECPQ2, SSL_CURVE_CECPQ2, "CECPQ2", "CECPQ2"},
409
- {NID_X25519Kyber768, SSL_CURVE_X25519KYBER768, "X25519KYBER",
410
- "X25519Kyber"},
411
- {NID_P256Kyber768, SSL_CURVE_P256KYBER768, "P256KYBER", "P256Kyber"},
293
+ {NID_X25519Kyber768Draft00, SSL_CURVE_X25519_KYBER768_DRAFT00,
294
+ "X25519Kyber768Draft00", ""},
412
295
  };
413
296
 
414
297
  } // namespace
@@ -429,12 +312,8 @@ UniquePtr<SSLKeyShare> SSLKeyShare::Create(uint16_t group_id) {
429
312
  return MakeUnique<ECKeyShare>(NID_secp521r1, SSL_CURVE_SECP521R1);
430
313
  case SSL_CURVE_X25519:
431
314
  return MakeUnique<X25519KeyShare>();
432
- case SSL_CURVE_CECPQ2:
433
- return MakeUnique<CECPQ2KeyShare>();
434
- case SSL_CURVE_X25519KYBER768:
315
+ case SSL_CURVE_X25519_KYBER768_DRAFT00:
435
316
  return MakeUnique<X25519Kyber768KeyShare>();
436
- case SSL_CURVE_P256KYBER768:
437
- return MakeUnique<P256Kyber768KeyShare>();
438
317
  default:
439
318
  return nullptr;
440
319
  }
@@ -457,7 +336,7 @@ bool ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len)
457
336
  *out_group_id = group.group_id;
458
337
  return true;
459
338
  }
460
- if (len == strlen(group.alias) &&
339
+ if (strlen(group.alias) > 0 && len == strlen(group.alias) &&
461
340
  !strncmp(group.alias, name, len)) {
462
341
  *out_group_id = group.group_id;
463
342
  return true;
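Review bot: The added `strlen(group.alias) > 0 &&` guard is load-bearing rather than defensive noise: the new `kNamedGroups` entry for `X25519Kyber768Draft00` carries an empty alias (`""`), and without the guard a zero-length `name` would satisfy both `len == strlen(group.alias)` and `!strncmp(group.alias, name, 0)` and resolve to that group. Nothing at this line records that, so a comment is warranted, e.g. `// An empty alias means "no alias"; skip it so a zero-length name cannot match.` The test can also be written `group.alias[0] != '\0'` to avoid computing `strlen(group.alias)` twice in the same condition. The body of `ssl_name_to_group_id` begins outside this hunk.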
@@ -478,3 +357,8 @@ const char* SSL_get_curve_name(uint16_t group_id) {
478
357
  }
479
358
  return nullptr;
480
359
  }
360
+
361
+ size_t SSL_get_all_curve_names(const char **out, size_t max_out) {
362
+ return GetAllNames(out, max_out, Span<const char *>(), &NamedGroup::name,
363
+ MakeConstSpan(kNamedGroups));
364
+ }
@@ -484,6 +484,17 @@ bool SSL_get_traffic_secrets(const SSL *ssl,
484
484
  return true;
485
485
  }
486
486
 
487
+ void SSL_CTX_set_aes_hw_override_for_testing(SSL_CTX *ctx,
488
+ bool override_value) {
489
+ ctx->aes_hw_override = true;
490
+ ctx->aes_hw_override_value = override_value;
491
+ }
492
+
493
+ void SSL_set_aes_hw_override_for_testing(SSL *ssl, bool override_value) {
494
+ ssl->config->aes_hw_override = true;
495
+ ssl->config->aes_hw_override_value = override_value;
496
+ }
497
+
487
498
  BSSL_NAMESPACE_END
488
499
 
489
500
  using namespace bssl;
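Review bot: `SSL_set_aes_hw_override_for_testing` dereferences `ssl->config` unconditionally, whereas the sibling setters in this file (`SSL_set_cipher_list`, `SSL_set_strict_cipher_list`, visible in the hunk at -2026) first do `if (!ssl->config) { return 0; }` — `config` is presumably released once `shed_handshake_config` takes effect, so the new hook would null-dereference if called after the handshake. Even for a test-only entry point the same guard belongs here, `if (!ssl->config) { return; }` ahead of the two assignments, or at least `assert(ssl->config != nullptr);` if the contract is that it is only called before the handshake; the header documentation should state that contract either way. Separately, the `aes_hw_override ? aes_hw_override_value : EVP_has_aes_hardware()` selection is now spelled out four times in the cipher-list setters in this file and once more in `choose_tls13_cipher` in tls13_server.cc; a single small helper taking the `SSL_CONFIG` (and one for `SSL_CTX`) would keep the override semantics in one place.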
@@ -525,7 +536,8 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
525
536
  false_start_allowed_without_alpn(false),
526
537
  handoff(false),
527
538
  enable_early_data(false),
528
- only_fips_cipher_suites_in_tls13(false) {
539
+ aes_hw_override(false),
540
+ aes_hw_override_value(false) {
529
541
  CRYPTO_MUTEX_init(&lock);
530
542
  CRYPTO_new_ex_data(&ex_data);
531
543
  }
@@ -645,8 +657,9 @@ SSL *SSL_new(SSL_CTX *ctx) {
645
657
  ssl->config->retain_only_sha256_of_client_certs =
646
658
  ctx->retain_only_sha256_of_client_certs;
647
659
  ssl->config->permute_extensions = ctx->permute_extensions;
648
- ssl->config->only_fips_cipher_suites_in_tls13 =
649
- ctx->only_fips_cipher_suites_in_tls13;
660
+ ssl->config->aes_hw_override = ctx->aes_hw_override;
661
+ ssl->config->aes_hw_override_value = ctx->aes_hw_override_value;
662
+ ssl->config->tls13_cipher_policy = ctx->tls13_cipher_policy;
650
663
 
651
664
  if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) ||
652
665
  !ssl->config->alpn_client_proto_list.CopyFrom(
@@ -688,7 +701,7 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
688
701
  signed_cert_timestamps_enabled(false),
689
702
  ocsp_stapling_enabled(false),
690
703
  channel_id_enabled(false),
691
- enforce_rsa_key_usage(false),
704
+ enforce_rsa_key_usage(true),
692
705
  retain_only_sha256_of_client_certs(false),
693
706
  handoff(false),
694
707
  shed_handshake_config(false),
@@ -2026,18 +2039,27 @@ const char *SSL_get_cipher_list(const SSL *ssl, int n) {
2026
2039
  }
2027
2040
 
2028
2041
  int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
2029
- return ssl_create_cipher_list(&ctx->cipher_list, str, false /* not strict */);
2042
+ const bool has_aes_hw = ctx->aes_hw_override ? ctx->aes_hw_override_value
2043
+ : EVP_has_aes_hardware();
2044
+ return ssl_create_cipher_list(&ctx->cipher_list, has_aes_hw, str,
2045
+ false /* not strict */);
2030
2046
  }
2031
2047
 
2032
2048
  int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) {
2033
- return ssl_create_cipher_list(&ctx->cipher_list, str, true /* strict */);
2049
+ const bool has_aes_hw = ctx->aes_hw_override ? ctx->aes_hw_override_value
2050
+ : EVP_has_aes_hardware();
2051
+ return ssl_create_cipher_list(&ctx->cipher_list, has_aes_hw, str,
2052
+ true /* strict */);
2034
2053
  }
2035
2054
 
2036
2055
  int SSL_set_cipher_list(SSL *ssl, const char *str) {
2037
2056
  if (!ssl->config) {
2038
2057
  return 0;
2039
2058
  }
2040
- return ssl_create_cipher_list(&ssl->config->cipher_list, str,
2059
+ const bool has_aes_hw = ssl->config->aes_hw_override
2060
+ ? ssl->config->aes_hw_override_value
2061
+ : EVP_has_aes_hardware();
2062
+ return ssl_create_cipher_list(&ssl->config->cipher_list, has_aes_hw, str,
2041
2063
  false /* not strict */);
2042
2064
  }
2043
2065
 
@@ -2045,7 +2067,10 @@ int SSL_set_strict_cipher_list(SSL *ssl, const char *str) {
2045
2067
  if (!ssl->config) {
2046
2068
  return 0;
2047
2069
  }
2048
- return ssl_create_cipher_list(&ssl->config->cipher_list, str,
2070
+ const bool has_aes_hw = ssl->config->aes_hw_override
2071
+ ? ssl->config->aes_hw_override_value
2072
+ : EVP_has_aes_hardware();
2073
+ return ssl_create_cipher_list(&ssl->config->cipher_list, has_aes_hw, str,
2049
2074
  true /* strict */);
2050
2075
  }
2051
2076
 
@@ -3148,7 +3173,7 @@ static const char kTLS12Ciphers[] =
3148
3173
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
3149
3174
 
3150
3175
  static int Configure(SSL_CTX *ctx) {
3151
- ctx->only_fips_cipher_suites_in_tls13 = true;
3176
+ ctx->tls13_cipher_policy = ssl_compliance_policy_fips_202205;
3152
3177
 
3153
3178
  return
3154
3179
  // Section 3.1:
@@ -3171,7 +3196,7 @@ static int Configure(SSL_CTX *ctx) {
3171
3196
  }
3172
3197
 
3173
3198
  static int Configure(SSL *ssl) {
3174
- ssl->config->only_fips_cipher_suites_in_tls13 = true;
3199
+ ssl->config->tls13_cipher_policy = ssl_compliance_policy_fips_202205;
3175
3200
 
3176
3201
  // See |Configure(SSL_CTX)|, above, for reasoning.
3177
3202
  return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) &&
@@ -3186,11 +3211,59 @@ static int Configure(SSL *ssl) {
3186
3211
 
3187
3212
  } // namespace fips202205
3188
3213
 
3214
+ namespace wpa202304 {
3215
+
3216
+ // See WPA version 3.1, section 3.5.
3217
+
3218
+ static const int kCurves[] = {NID_secp384r1};
3219
+
3220
+ static const uint16_t kSigAlgs[] = {
3221
+ SSL_SIGN_RSA_PKCS1_SHA384, //
3222
+ SSL_SIGN_RSA_PKCS1_SHA512, //
3223
+ SSL_SIGN_ECDSA_SECP384R1_SHA384, //
3224
+ SSL_SIGN_RSA_PSS_RSAE_SHA384, //
3225
+ SSL_SIGN_RSA_PSS_RSAE_SHA512, //
3226
+ };
3227
+
3228
+ static const char kTLS12Ciphers[] =
3229
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:"
3230
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
3231
+
3232
+ static int Configure(SSL_CTX *ctx) {
3233
+ ctx->tls13_cipher_policy = ssl_compliance_policy_wpa3_192_202304;
3234
+
3235
+ return SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) &&
3236
+ SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) &&
3237
+ SSL_CTX_set_strict_cipher_list(ctx, kTLS12Ciphers) &&
3238
+ SSL_CTX_set1_curves(ctx, kCurves, OPENSSL_ARRAY_SIZE(kCurves)) &&
3239
+ SSL_CTX_set_signing_algorithm_prefs(ctx, kSigAlgs,
3240
+ OPENSSL_ARRAY_SIZE(kSigAlgs)) &&
3241
+ SSL_CTX_set_verify_algorithm_prefs(ctx, kSigAlgs,
3242
+ OPENSSL_ARRAY_SIZE(kSigAlgs));
3243
+ }
3244
+
3245
+ static int Configure(SSL *ssl) {
3246
+ ssl->config->tls13_cipher_policy = ssl_compliance_policy_wpa3_192_202304;
3247
+
3248
+ return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) &&
3249
+ SSL_set_max_proto_version(ssl, TLS1_3_VERSION) &&
3250
+ SSL_set_strict_cipher_list(ssl, kTLS12Ciphers) &&
3251
+ SSL_set1_curves(ssl, kCurves, OPENSSL_ARRAY_SIZE(kCurves)) &&
3252
+ SSL_set_signing_algorithm_prefs(ssl, kSigAlgs,
3253
+ OPENSSL_ARRAY_SIZE(kSigAlgs)) &&
3254
+ SSL_set_verify_algorithm_prefs(ssl, kSigAlgs,
3255
+ OPENSSL_ARRAY_SIZE(kSigAlgs));
3256
+ }
3257
+
3258
+ } // namespace wpa202304
3259
+
3189
3260
  int SSL_CTX_set_compliance_policy(SSL_CTX *ctx,
3190
3261
  enum ssl_compliance_policy_t policy) {
3191
3262
  switch (policy) {
3192
3263
  case ssl_compliance_policy_fips_202205:
3193
3264
  return fips202205::Configure(ctx);
3265
+ case ssl_compliance_policy_wpa3_192_202304:
3266
+ return wpa202304::Configure(ctx);
3194
3267
  default:
3195
3268
  return 0;
3196
3269
  }
@@ -3200,6 +3273,8 @@ int SSL_set_compliance_policy(SSL *ssl, enum ssl_compliance_policy_t policy) {
3200
3273
  switch (policy) {
3201
3274
  case ssl_compliance_policy_fips_202205:
3202
3275
  return fips202205::Configure(ssl);
3276
+ case ssl_compliance_policy_wpa3_192_202304:
3277
+ return wpa202304::Configure(ssl);
3203
3278
  default:
3204
3279
  return 0;
3205
3280
  }
@@ -64,6 +64,7 @@
64
64
  #include <openssl/err.h>
65
65
  #include <openssl/evp.h>
66
66
  #include <openssl/mem.h>
67
+ #include <openssl/span.h>
67
68
 
68
69
  #include "internal.h"
69
70
  #include "../crypto/internal.h"
@@ -484,12 +485,14 @@ void SSL_CTX_set_private_key_method(SSL_CTX *ctx,
484
485
 
485
486
  static constexpr size_t kMaxSignatureAlgorithmNameLen = 23;
486
487
 
487
- // This was "constexpr" rather than "const", but that triggered a bug in MSVC
488
- // where it didn't pad the strings to the correct length.
489
- static const struct {
488
+ struct SignatureAlgorithmName {
490
489
  uint16_t signature_algorithm;
491
490
  const char name[kMaxSignatureAlgorithmNameLen];
492
- } kSignatureAlgorithmNames[] = {
491
+ };
492
+
493
+ // This was "constexpr" rather than "const", but that triggered a bug in MSVC
494
+ // where it didn't pad the strings to the correct length.
495
+ static const SignatureAlgorithmName kSignatureAlgorithmNames[] = {
493
496
  {SSL_SIGN_RSA_PKCS1_MD5_SHA1, "rsa_pkcs1_md5_sha1"},
494
497
  {SSL_SIGN_RSA_PKCS1_SHA1, "rsa_pkcs1_sha1"},
495
498
  {SSL_SIGN_RSA_PKCS1_SHA256, "rsa_pkcs1_sha256"},
@@ -515,6 +518,8 @@ const char *SSL_get_signature_algorithm_name(uint16_t sigalg,
515
518
  return "ecdsa_sha384";
516
519
  case SSL_SIGN_ECDSA_SECP521R1_SHA512:
517
520
  return "ecdsa_sha512";
521
+ // If adding more here, also update
522
+ // |SSL_get_all_signature_algorithm_names|.
518
523
  }
519
524
  }
520
525
 
@@ -527,6 +532,14 @@ const char *SSL_get_signature_algorithm_name(uint16_t sigalg,
527
532
  return NULL;
528
533
  }
529
534
 
535
+ size_t SSL_get_all_signature_algorithm_names(const char **out, size_t max_out) {
536
+ const char *kPredefinedNames[] = {"ecdsa_sha256", "ecdsa_sha384",
537
+ "ecdsa_sha512"};
538
+ return GetAllNames(out, max_out, MakeConstSpan(kPredefinedNames),
539
+ &SignatureAlgorithmName::name,
540
+ MakeConstSpan(kSignatureAlgorithmNames));
541
+ }
542
+
530
543
  int SSL_get_signature_algorithm_key_type(uint16_t sigalg) {
531
544
  const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
532
545
  return alg != nullptr ? alg->pkey_type : EVP_PKEY_NONE;
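Review bot: `kPredefinedNames` duplicates the legacy strings that the `switch` in `SSL_get_signature_algorithm_name` returns (`"ecdsa_sha384"` and `"ecdsa_sha512"` are visible at +518/+520), but only the switch side received a cross-reference comment (at +521); the mirror note is missing here, e.g. `// Must match the legacy names returned by |SSL_get_signature_algorithm_name|.` above the array. The array is also a non-static local, so it is rebuilt on every call; `static const char *const kPredefinedNames[] = {...}` is cheaper and matches how the file treats `kSignatureAlgorithmNames`.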
@@ -16,8 +16,11 @@
16
16
 
17
17
  #include <assert.h>
18
18
 
19
+ #include <algorithm>
20
+
19
21
  #include <openssl/bytestring.h>
20
22
  #include <openssl/err.h>
23
+ #include <openssl/span.h>
21
24
 
22
25
  #include "internal.h"
23
26
  #include "../crypto/internal.h"
@@ -82,29 +85,29 @@ bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,
82
85
  // The following functions map between API versions and wire versions. The
83
86
  // public API works on wire versions.
84
87
 
85
- static const char *ssl_version_to_string(uint16_t version) {
86
- switch (version) {
87
- case TLS1_3_VERSION:
88
- return "TLSv1.3";
89
-
90
- case TLS1_2_VERSION:
91
- return "TLSv1.2";
92
-
93
- case TLS1_1_VERSION:
94
- return "TLSv1.1";
95
-
96
- case TLS1_VERSION:
97
- return "TLSv1";
88
+ static const char* kUnknownVersion = "unknown";
98
89
 
99
- case DTLS1_VERSION:
100
- return "DTLSv1";
90
+ struct VersionInfo {
91
+ uint16_t version;
92
+ const char *name;
93
+ };
101
94
 
102
- case DTLS1_2_VERSION:
103
- return "DTLSv1.2";
95
+ static const VersionInfo kVersionNames[] = {
96
+ {TLS1_3_VERSION, "TLSv1.3"},
97
+ {TLS1_2_VERSION, "TLSv1.2"},
98
+ {TLS1_1_VERSION, "TLSv1.1"},
99
+ {TLS1_VERSION, "TLSv1"},
100
+ {DTLS1_VERSION, "DTLSv1"},
101
+ {DTLS1_2_VERSION, "DTLSv1.2"},
102
+ };
104
103
 
105
- default:
106
- return "unknown";
104
+ static const char *ssl_version_to_string(uint16_t version) {
105
+ for (const auto &v : kVersionNames) {
106
+ if (v.version == version) {
107
+ return v.name;
108
+ }
107
109
  }
110
+ return kUnknownVersion;
108
111
  }
109
112
 
110
113
  static uint16_t wire_version_to_api(uint16_t version) {
@@ -383,6 +386,11 @@ const char *SSL_get_version(const SSL *ssl) {
383
386
  return ssl_version_to_string(ssl_version(ssl));
384
387
  }
385
388
 
389
+ size_t SSL_get_all_version_names(const char **out, size_t max_out) {
390
+ return GetAllNames(out, max_out, MakeConstSpan(&kUnknownVersion, 1),
391
+ &VersionInfo::name, MakeConstSpan(kVersionNames));
392
+ }
393
+
386
394
  const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
387
395
  return ssl_version_to_string(session->ssl_version);
388
396
  }
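Review bot: `kUnknownVersion` is declared `static const char* kUnknownVersion`, which makes the pointee const but leaves the pointer itself mutable, and the `char*` spacing departs from the `const char *name` style used two lines below in `VersionInfo`; `static const char *const kUnknownVersion = "unknown";` fixes both and should still be accepted by `MakeConstSpan(&kUnknownVersion, 1)` in `SSL_get_all_version_names` — confirm against the `GetAllNames` signature, which is not visible here. A one-line comment on `SSL_get_all_version_names` saying that `"unknown"` is listed deliberately because `SSL_get_version` can return it would also help, since otherwise it reads as a stray extra entry.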
@@ -200,7 +200,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
200
200
  SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||
201
201
  !ssl_tls13_cipher_meets_policy(
202
202
  SSL_CIPHER_get_value(cipher),
203
- ssl->config->only_fips_cipher_suites_in_tls13)) {
203
+ ssl->config->tls13_cipher_policy)) {
204
204
  OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
205
205
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
206
206
  return ssl_hs_error;
@@ -27,6 +27,7 @@
27
27
  #include <openssl/hmac.h>
28
28
  #include <openssl/mem.h>
29
29
 
30
+ #include "../crypto/fipsmodule/tls/internal.h"
30
31
  #include "../crypto/internal.h"
31
32
  #include "internal.h"
32
33
 
@@ -95,27 +96,10 @@ static bool hkdf_expand_label(Span<uint8_t> out, const EVP_MD *digest,
95
96
  Span<const uint8_t> secret,
96
97
  Span<const char> label,
97
98
  Span<const uint8_t> hash) {
98
- Span<const char> protocol_label = label_to_span("tls13 ");
99
- ScopedCBB cbb;
100
- CBB child;
101
- Array<uint8_t> hkdf_label;
102
- if (!CBB_init(cbb.get(), 2 + 1 + protocol_label.size() + label.size() + 1 +
103
- hash.size()) ||
104
- !CBB_add_u16(cbb.get(), out.size()) ||
105
- !CBB_add_u8_length_prefixed(cbb.get(), &child) ||
106
- !CBB_add_bytes(&child,
107
- reinterpret_cast<const uint8_t *>(protocol_label.data()),
108
- protocol_label.size()) ||
109
- !CBB_add_bytes(&child, reinterpret_cast<const uint8_t *>(label.data()),
110
- label.size()) ||
111
- !CBB_add_u8_length_prefixed(cbb.get(), &child) ||
112
- !CBB_add_bytes(&child, hash.data(), hash.size()) ||
113
- !CBBFinishArray(cbb.get(), &hkdf_label)) {
114
- return false;
115
- }
116
-
117
- return HKDF_expand(out.data(), out.size(), digest, secret.data(),
118
- secret.size(), hkdf_label.data(), hkdf_label.size());
99
+ return CRYPTO_tls13_hkdf_expand_label(
100
+ out.data(), out.size(), digest, secret.data(), secret.size(),
101
+ reinterpret_cast<const uint8_t *>(label.data()), label.size(),
102
+ hash.data(), hash.size()) == 1;
119
103
  }
120
104
 
121
105
  static const char kTLS13LabelDerived[] = "derived";
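Review bot: The replaced CBB-based encoding bounded its inputs as a side effect — each `CBB_add_u8_length_prefixed` child fails to flush if the label or hash exceeds 255 bytes, and `CBB_add_u16` fixed the output length at 16 bits — whereas the new code hands raw `size_t` lengths straight to `CRYPTO_tls13_hkdf_expand_label`, and this hunk cannot show whether that function enforces equivalent bounds. Confirm that it does, or reinstate explicit length checks before the call; either way a comment such as `// Length bounds on |out|, |label| and |hash| are enforced inside CRYPTO_tls13_hkdf_expand_label.` (worded to match what is actually true) would record where the validation now lives. `hkdf_expand_label`'s signature begins outside the hunk.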
@@ -116,8 +116,11 @@ static const SSL_CIPHER *choose_tls13_cipher(
116
116
 
117
117
  const uint16_t version = ssl_protocol_version(ssl);
118
118
 
119
- return ssl_choose_tls13_cipher(cipher_suites, version, group_id,
120
- ssl->config->only_fips_cipher_suites_in_tls13);
119
+ return ssl_choose_tls13_cipher(
120
+ cipher_suites,
121
+ ssl->config->aes_hw_override ? ssl->config->aes_hw_override_value
122
+ : EVP_has_aes_hardware(),
123
+ version, group_id, ssl->config->tls13_cipher_policy);
121
124
  }
122
125
 
123
126
  static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {