grpc 1.55.3 → 1.56.0.pre3
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +100 -70
- data/include/grpc/event_engine/event_engine.h +4 -3
- data/include/grpc/grpc_audit_logging.h +96 -0
- data/include/grpc/module.modulemap +2 -0
- data/include/grpc/support/json.h +218 -0
- data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +5 -0
- data/src/core/ext/filters/client_channel/backend_metric.cc +2 -0
- data/src/core/ext/filters/client_channel/channel_connectivity.cc +4 -4
- data/src/core/ext/filters/client_channel/client_channel.cc +82 -98
- data/src/core/ext/filters/client_channel/client_channel.h +4 -0
- data/src/core/ext/filters/client_channel/client_channel_channelz.cc +19 -18
- data/src/core/ext/filters/client_channel/client_channel_internal.h +16 -21
- data/src/core/ext/filters/client_channel/config_selector.h +9 -24
- data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +3 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +5 -4
- data/src/core/ext/filters/client_channel/lb_policy/health_check_client.cc +455 -0
- data/src/core/ext/filters/client_channel/lb_policy/health_check_client.h +54 -0
- data/src/core/ext/filters/client_channel/lb_policy/health_check_client_internal.h +186 -0
- data/src/core/ext/filters/client_channel/lb_policy/oob_backend_metric.cc +2 -7
- data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.cc +52 -20
- data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.h +23 -2
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +19 -6
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +1 -9
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +16 -7
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +18 -1
- data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +12 -9
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +6 -4
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +36 -13
- data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/static_stride_scheduler.cc +76 -6
- data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +32 -39
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +4 -10
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +52 -47
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +1 -9
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +14 -16
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +40 -43
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +7 -12
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_wrr_locality.cc +12 -19
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +35 -33
- data/src/core/ext/filters/client_channel/resolver/dns/event_engine/event_engine_client_channel_resolver.cc +29 -4
- data/src/core/ext/filters/client_channel/resolver/dns/event_engine/service_config_helper.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +28 -27
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +163 -46
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.h +16 -1
- data/src/core/ext/filters/client_channel/retry_service_config.cc +1 -0
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +10 -40
- data/src/core/ext/filters/client_channel/subchannel.cc +10 -196
- data/src/core/ext/filters/client_channel/subchannel.h +3 -43
- data/src/core/ext/filters/http/message_compress/compression_filter.cc +5 -5
- data/src/core/ext/filters/rbac/rbac_service_config_parser.cc +100 -6
- data/src/core/ext/filters/server_config_selector/server_config_selector_filter.cc +6 -8
- data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +3 -3
- data/src/core/ext/filters/stateful_session/stateful_session_filter.h +16 -1
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +46 -95
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +543 -567
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +9 -150
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +32 -46
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +5 -18
- data/src/core/ext/transport/chttp2/transport/internal.h +1 -15
- data/src/core/ext/transport/chttp2/transport/parsing.cc +12 -12
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +11 -2
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +15 -0
- data/src/core/ext/xds/certificate_provider_store.cc +4 -9
- data/src/core/ext/xds/certificate_provider_store.h +1 -1
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc +30 -42
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.h +14 -9
- data/src/core/ext/xds/xds_api.cc +9 -6
- data/src/core/ext/xds/xds_api.h +3 -2
- data/src/core/ext/xds/xds_audit_logger_registry.cc +122 -0
- data/src/core/ext/xds/xds_audit_logger_registry.h +68 -0
- data/src/core/ext/xds/xds_bootstrap_grpc.cc +21 -9
- data/src/core/ext/xds/xds_bootstrap_grpc.h +5 -0
- data/src/core/ext/xds/xds_client.cc +5 -4
- data/src/core/ext/xds/xds_client_stats.h +1 -1
- data/src/core/ext/xds/xds_cluster.cc +20 -19
- data/src/core/ext/xds/xds_cluster_specifier_plugin.cc +11 -8
- data/src/core/ext/xds/xds_common_types.cc +3 -1
- data/src/core/ext/xds/xds_http_fault_filter.cc +16 -13
- data/src/core/ext/xds/xds_http_fault_filter.h +2 -1
- data/src/core/ext/xds/xds_http_filters.h +4 -2
- data/src/core/ext/xds/xds_http_rbac_filter.cc +154 -67
- data/src/core/ext/xds/xds_http_rbac_filter.h +2 -1
- data/src/core/ext/xds/xds_http_stateful_session_filter.cc +15 -11
- data/src/core/ext/xds/xds_http_stateful_session_filter.h +2 -1
- data/src/core/ext/xds/xds_lb_policy_registry.cc +22 -16
- data/src/core/ext/xds/xds_listener.cc +1 -0
- data/src/core/ext/xds/xds_route_config.cc +40 -3
- data/src/core/ext/xds/xds_routing.cc +2 -2
- data/src/core/ext/xds/xds_transport_grpc.cc +3 -1
- data/src/core/lib/avl/avl.h +5 -0
- data/src/core/lib/backoff/random_early_detection.h +0 -5
- data/src/core/lib/channel/channel_args.cc +80 -22
- data/src/core/lib/channel/channel_args.h +34 -1
- data/src/core/lib/channel/channel_trace.cc +16 -12
- data/src/core/lib/channel/channelz.cc +159 -132
- data/src/core/lib/channel/channelz.h +42 -35
- data/src/core/lib/channel/channelz_registry.cc +23 -20
- data/src/core/lib/channel/connected_channel.cc +17 -6
- data/src/core/lib/channel/promise_based_filter.cc +0 -4
- data/src/core/lib/channel/promise_based_filter.h +2 -0
- data/src/core/lib/compression/compression_internal.cc +2 -5
- data/src/core/lib/config/config_vars.cc +20 -18
- data/src/core/lib/config/config_vars.h +4 -4
- data/src/core/lib/config/load_config.cc +13 -0
- data/src/core/lib/config/load_config.h +6 -0
- data/src/core/lib/debug/event_log.h +1 -1
- data/src/core/lib/debug/stats_data.h +1 -1
- data/src/core/lib/debug/trace.cc +24 -55
- data/src/core/lib/debug/trace.h +3 -1
- data/src/core/lib/event_engine/cf_engine/cf_engine.cc +211 -0
- data/src/core/lib/event_engine/cf_engine/cf_engine.h +86 -0
- data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.cc +354 -0
- data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.h +146 -0
- data/src/core/lib/event_engine/cf_engine/cftype_unique_ref.h +79 -0
- data/src/core/lib/event_engine/default_event_engine.cc +13 -1
- data/src/core/lib/event_engine/default_event_engine_factory.cc +14 -2
- data/src/core/lib/event_engine/poller.h +2 -2
- data/src/core/lib/event_engine/posix.h +4 -0
- data/src/core/lib/event_engine/posix_engine/ev_epoll1_linux.cc +1 -1
- data/src/core/lib/event_engine/posix_engine/lockfree_event.cc +7 -18
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +9 -0
- data/src/core/lib/event_engine/posix_engine/posix_engine.cc +3 -2
- data/src/core/lib/event_engine/posix_engine/posix_engine.h +1 -2
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +4 -33
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.h +7 -11
- data/src/core/lib/event_engine/posix_engine/timer_manager.h +1 -1
- data/src/core/lib/event_engine/shim.cc +7 -1
- data/src/core/lib/event_engine/{thread_pool.cc → thread_pool/original_thread_pool.cc} +28 -25
- data/src/core/lib/event_engine/{thread_pool.h → thread_pool/original_thread_pool.h} +11 -15
- data/src/core/lib/event_engine/thread_pool/thread_pool.h +50 -0
- data/src/core/lib/event_engine/{executor/executor.h → thread_pool/thread_pool_factory.cc} +17 -15
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.cc +489 -0
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.h +249 -0
- data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.cc +166 -0
- data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.h +108 -0
- data/src/core/lib/event_engine/windows/iocp.cc +4 -3
- data/src/core/lib/event_engine/windows/iocp.h +3 -3
- data/src/core/lib/event_engine/windows/win_socket.cc +6 -6
- data/src/core/lib/event_engine/windows/win_socket.h +4 -4
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +11 -10
- data/src/core/lib/event_engine/windows/windows_endpoint.h +3 -2
- data/src/core/lib/event_engine/windows/windows_engine.cc +19 -17
- data/src/core/lib/event_engine/windows/windows_engine.h +6 -6
- data/src/core/lib/event_engine/windows/windows_listener.cc +3 -3
- data/src/core/lib/event_engine/windows/windows_listener.h +3 -2
- data/src/core/lib/event_engine/work_queue/basic_work_queue.cc +63 -0
- data/src/core/lib/event_engine/work_queue/basic_work_queue.h +71 -0
- data/src/core/lib/event_engine/work_queue/work_queue.h +62 -0
- data/src/core/lib/experiments/config.cc +38 -7
- data/src/core/lib/experiments/config.h +16 -0
- data/src/core/lib/experiments/experiments.cc +67 -20
- data/src/core/lib/experiments/experiments.h +27 -21
- data/src/core/lib/gpr/log_internal.h +55 -0
- data/src/core/lib/gprpp/crash.cc +10 -0
- data/src/core/lib/gprpp/crash.h +3 -0
- data/src/core/lib/gprpp/per_cpu.cc +33 -0
- data/src/core/lib/gprpp/per_cpu.h +29 -6
- data/src/core/lib/gprpp/time.cc +1 -0
- data/src/core/lib/iomgr/cfstream_handle.cc +1 -1
- data/src/core/lib/iomgr/endpoint_cfstream.cc +10 -8
- data/src/core/lib/iomgr/ev_apple.cc +12 -12
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +10 -3
- data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +15 -1
- data/src/core/lib/iomgr/iocp_windows.cc +24 -3
- data/src/core/lib/iomgr/iocp_windows.h +11 -0
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +4 -2
- data/src/core/lib/iomgr/socket_windows.cc +61 -7
- data/src/core/lib/iomgr/socket_windows.h +9 -2
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +14 -3
- data/src/core/lib/iomgr/tcp_server_posix.cc +156 -140
- data/src/core/lib/iomgr/tcp_server_utils_posix.h +1 -13
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +0 -21
- data/src/core/lib/iomgr/tcp_server_windows.cc +1 -1
- data/src/core/lib/json/json.h +2 -166
- data/src/core/lib/json/json_object_loader.cc +8 -9
- data/src/core/lib/json/json_object_loader.h +25 -18
- data/src/core/lib/json/json_reader.cc +13 -6
- data/src/core/lib/json/json_util.cc +6 -11
- data/src/core/lib/json/json_writer.cc +7 -8
- data/src/core/lib/load_balancing/lb_policy.h +13 -0
- data/src/core/lib/load_balancing/lb_policy_registry.cc +2 -1
- data/src/core/lib/matchers/matchers.cc +3 -4
- data/src/core/lib/matchers/matchers.h +2 -1
- data/src/core/lib/promise/activity.cc +5 -0
- data/src/core/lib/promise/activity.h +10 -0
- data/src/core/lib/promise/detail/promise_factory.h +1 -1
- data/src/core/lib/promise/party.cc +31 -13
- data/src/core/lib/promise/party.h +11 -2
- data/src/core/lib/promise/pipe.h +9 -2
- data/src/core/lib/promise/prioritized_race.h +95 -0
- data/src/core/lib/promise/sleep.cc +2 -1
- data/src/core/lib/resolver/server_address.cc +0 -8
- data/src/core/lib/resolver/server_address.h +0 -6
- data/src/core/lib/resource_quota/memory_quota.cc +7 -7
- data/src/core/lib/resource_quota/memory_quota.h +1 -2
- data/src/core/lib/security/authorization/audit_logging.cc +98 -0
- data/src/core/lib/security/authorization/audit_logging.h +73 -0
- data/src/core/lib/security/authorization/grpc_authorization_engine.cc +47 -2
- data/src/core/lib/security/authorization/grpc_authorization_engine.h +18 -1
- data/src/core/lib/security/authorization/rbac_policy.cc +36 -4
- data/src/core/lib/security/authorization/rbac_policy.h +19 -2
- data/src/core/lib/security/authorization/stdout_logger.cc +75 -0
- data/src/core/lib/security/authorization/stdout_logger.h +61 -0
- data/src/core/lib/security/certificate_provider/certificate_provider_factory.h +8 -4
- data/src/core/lib/security/certificate_provider/certificate_provider_registry.cc +8 -18
- data/src/core/lib/security/certificate_provider/certificate_provider_registry.h +14 -8
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +19 -12
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +4 -2
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +1 -0
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +1 -0
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +1 -0
- data/src/core/lib/security/credentials/jwt/json_token.cc +15 -14
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +4 -2
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +1 -0
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +1 -0
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +1 -5
- data/src/core/lib/security/util/json_util.cc +1 -0
- data/src/core/lib/service_config/service_config_call_data.h +49 -20
- data/src/core/lib/service_config/service_config_impl.cc +2 -1
- data/src/core/lib/surface/call.cc +38 -23
- data/src/core/lib/surface/completion_queue.cc +6 -2
- data/src/core/lib/surface/validate_metadata.cc +22 -37
- data/src/core/lib/surface/validate_metadata.h +3 -13
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/batch_builder.cc +15 -12
- data/src/core/lib/transport/batch_builder.h +39 -35
- data/src/core/plugin_registry/grpc_plugin_registry.cc +0 -2
- data/src/core/plugin_registry/grpc_plugin_registry_extra.cc +2 -0
- data/src/ruby/ext/grpc/extconf.rb +8 -9
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +10 -6
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +7 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +5 -9
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +31 -22
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +29 -26
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +189 -13
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_openbsd.c +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_openbsd.c +31 -0
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519_tables.h +795 -795
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +18 -6
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +15 -7
- data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +24 -24
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +7 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +74 -74
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +11 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz.c +12 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +14 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256_table.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +10 -10
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +23 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/{hkdf → fipsmodule/hkdf}/hkdf.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +2 -10
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +115 -133
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +12 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +57 -47
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/polyval.c +27 -28
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +21 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +5 -288
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +143 -83
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +95 -183
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +71 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/internal.h +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +33 -0
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +162 -6
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +18 -0
- data/third_party/boringssl-with-bazel/src/crypto/kyber/kyber.c +18 -11
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +6 -13
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +18 -14
- data/third_party/boringssl-with-bazel/src/crypto/{refcount_lock.c → refcount_no_threads.c} +3 -13
- data/third_party/boringssl-with-bazel/src/crypto/refcount_win.c +89 -0
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/internal.h +77 -0
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_crypt.c +568 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +218 -44
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +35 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +588 -39
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +27 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +17 -39
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +39 -48
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +0 -140
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +72 -23
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +11 -14
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +33 -46
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +3 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +14 -46
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +14 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +17 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +5 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +6 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +32 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +0 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +1 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +28 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +2 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +91 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +149 -20
- data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +8 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +774 -615
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +42 -10
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +11 -6
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +2 -4
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +24 -16
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +65 -18
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +37 -18
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +187 -193
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +13 -129
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +85 -10
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +17 -4
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +27 -19
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +5 -21
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +5 -2
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64_msvc.h +1281 -0
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64_msvc.h +2002 -0
- data/third_party/cares/cares/include/ares.h +23 -1
- data/third_party/cares/cares/{src/lib → include}/ares_nameser.h +9 -7
- data/third_party/cares/cares/include/ares_rules.h +2 -2
- data/third_party/cares/cares/include/ares_version.h +3 -3
- data/third_party/cares/cares/src/lib/ares__addrinfo2hostent.c +266 -0
- data/third_party/cares/cares/src/lib/ares__addrinfo_localhost.c +240 -0
- data/third_party/cares/cares/src/lib/ares__parse_into_addrinfo.c +49 -80
- data/third_party/cares/cares/src/lib/ares__readaddrinfo.c +37 -43
- data/third_party/cares/cares/src/lib/ares__sortaddrinfo.c +12 -4
- data/third_party/cares/cares/src/lib/ares_data.c +16 -0
- data/third_party/cares/cares/src/lib/ares_data.h +7 -0
- data/third_party/cares/cares/src/lib/ares_destroy.c +8 -0
- data/third_party/cares/cares/src/lib/ares_expand_name.c +17 -6
- data/third_party/cares/cares/src/lib/ares_freeaddrinfo.c +1 -0
- data/third_party/cares/cares/src/lib/ares_getaddrinfo.c +156 -78
- data/third_party/cares/cares/src/lib/ares_gethostbyname.c +130 -326
- data/third_party/cares/cares/src/lib/ares_init.c +97 -485
- data/third_party/cares/cares/src/lib/ares_library_init.c +2 -89
- data/third_party/cares/cares/src/lib/ares_parse_a_reply.c +23 -142
- data/third_party/cares/cares/src/lib/ares_parse_aaaa_reply.c +22 -142
- data/third_party/cares/cares/src/lib/ares_parse_uri_reply.c +184 -0
- data/third_party/cares/cares/src/lib/ares_private.h +30 -16
- data/third_party/cares/cares/src/lib/ares_process.c +55 -16
- data/third_party/cares/cares/src/lib/ares_query.c +1 -35
- data/third_party/cares/cares/src/lib/ares_rand.c +279 -0
- data/third_party/cares/cares/src/lib/ares_send.c +5 -7
- data/third_party/cares/cares/src/lib/ares_strdup.c +12 -19
- data/third_party/cares/cares/src/lib/ares_strsplit.c +44 -128
- data/third_party/cares/cares/src/lib/ares_strsplit.h +9 -10
- data/third_party/cares/cares/src/lib/inet_net_pton.c +78 -116
- data/third_party/cares/cares/src/tools/ares_getopt.h +53 -0
- metadata +50 -16
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +0 -175
- data/src/core/ext/filters/client_channel/health/health_check_client.h +0 -43
- data/src/core/ext/transport/chttp2/transport/hpack_parse_result.cc +0 -176
- data/src/core/ext/transport/chttp2/transport/hpack_parse_result.h +0 -325
- data/third_party/cares/cares/src/lib/ares_library_init.h +0 -43
@@ -29,6 +29,7 @@
|
|
29
29
|
#include <openssl/mem.h>
|
30
30
|
#include <openssl/nid.h>
|
31
31
|
#include <openssl/rand.h>
|
32
|
+
#include <openssl/span.h>
|
32
33
|
|
33
34
|
#include "internal.h"
|
34
35
|
#include "../crypto/internal.h"
|
@@ -192,106 +193,13 @@ class X25519KeyShare : public SSLKeyShare {
|
|
192
193
|
uint8_t private_key_[32];
|
193
194
|
};
|
194
195
|
|
195
|
-
class CECPQ2KeyShare : public SSLKeyShare {
|
196
|
-
public:
|
197
|
-
CECPQ2KeyShare() {}
|
198
|
-
|
199
|
-
uint16_t GroupID() const override { return SSL_CURVE_CECPQ2; }
|
200
|
-
|
201
|
-
bool Generate(CBB *out) override {
|
202
|
-
uint8_t x25519_public_key[32];
|
203
|
-
X25519_keypair(x25519_public_key, x25519_private_key_);
|
204
|
-
|
205
|
-
uint8_t hrss_entropy[HRSS_GENERATE_KEY_BYTES];
|
206
|
-
HRSS_public_key hrss_public_key;
|
207
|
-
RAND_bytes(hrss_entropy, sizeof(hrss_entropy));
|
208
|
-
if (!HRSS_generate_key(&hrss_public_key, &hrss_private_key_,
|
209
|
-
hrss_entropy)) {
|
210
|
-
return false;
|
211
|
-
}
|
212
|
-
|
213
|
-
uint8_t hrss_public_key_bytes[HRSS_PUBLIC_KEY_BYTES];
|
214
|
-
HRSS_marshal_public_key(hrss_public_key_bytes, &hrss_public_key);
|
215
|
-
|
216
|
-
if (!CBB_add_bytes(out, x25519_public_key, sizeof(x25519_public_key)) ||
|
217
|
-
!CBB_add_bytes(out, hrss_public_key_bytes,
|
218
|
-
sizeof(hrss_public_key_bytes))) {
|
219
|
-
return false;
|
220
|
-
}
|
221
|
-
|
222
|
-
return true;
|
223
|
-
}
|
224
|
-
|
225
|
-
bool Encap(CBB *out_ciphertext, Array<uint8_t> *out_secret,
|
226
|
-
uint8_t *out_alert, Span<const uint8_t> peer_key) override {
|
227
|
-
Array<uint8_t> secret;
|
228
|
-
if (!secret.Init(32 + HRSS_KEY_BYTES)) {
|
229
|
-
return false;
|
230
|
-
}
|
231
|
-
|
232
|
-
uint8_t x25519_public_key[32];
|
233
|
-
X25519_keypair(x25519_public_key, x25519_private_key_);
|
234
|
-
|
235
|
-
HRSS_public_key peer_public_key;
|
236
|
-
if (peer_key.size() != 32 + HRSS_PUBLIC_KEY_BYTES ||
|
237
|
-
!HRSS_parse_public_key(&peer_public_key, peer_key.data() + 32) ||
|
238
|
-
!X25519(secret.data(), x25519_private_key_, peer_key.data())) {
|
239
|
-
*out_alert = SSL_AD_DECODE_ERROR;
|
240
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
|
241
|
-
return false;
|
242
|
-
}
|
243
|
-
|
244
|
-
uint8_t ciphertext[HRSS_CIPHERTEXT_BYTES];
|
245
|
-
uint8_t entropy[HRSS_ENCAP_BYTES];
|
246
|
-
RAND_bytes(entropy, sizeof(entropy));
|
247
|
-
|
248
|
-
if (!HRSS_encap(ciphertext, secret.data() + 32, &peer_public_key,
|
249
|
-
entropy) ||
|
250
|
-
!CBB_add_bytes(out_ciphertext, x25519_public_key,
|
251
|
-
sizeof(x25519_public_key)) ||
|
252
|
-
!CBB_add_bytes(out_ciphertext, ciphertext, sizeof(ciphertext))) {
|
253
|
-
return false;
|
254
|
-
}
|
255
|
-
|
256
|
-
*out_secret = std::move(secret);
|
257
|
-
return true;
|
258
|
-
}
|
259
|
-
|
260
|
-
bool Decap(Array<uint8_t> *out_secret, uint8_t *out_alert,
|
261
|
-
Span<const uint8_t> ciphertext) override {
|
262
|
-
*out_alert = SSL_AD_INTERNAL_ERROR;
|
263
|
-
|
264
|
-
Array<uint8_t> secret;
|
265
|
-
if (!secret.Init(32 + HRSS_KEY_BYTES)) {
|
266
|
-
return false;
|
267
|
-
}
|
268
|
-
|
269
|
-
if (ciphertext.size() != 32 + HRSS_CIPHERTEXT_BYTES ||
|
270
|
-
!X25519(secret.data(), x25519_private_key_, ciphertext.data())) {
|
271
|
-
*out_alert = SSL_AD_DECODE_ERROR;
|
272
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
|
273
|
-
return false;
|
274
|
-
}
|
275
|
-
|
276
|
-
if (!HRSS_decap(secret.data() + 32, &hrss_private_key_,
|
277
|
-
ciphertext.data() + 32, ciphertext.size() - 32)) {
|
278
|
-
return false;
|
279
|
-
}
|
280
|
-
|
281
|
-
*out_secret = std::move(secret);
|
282
|
-
return true;
|
283
|
-
}
|
284
|
-
|
285
|
-
private:
|
286
|
-
uint8_t x25519_private_key_[32];
|
287
|
-
HRSS_private_key hrss_private_key_;
|
288
|
-
};
|
289
|
-
|
290
196
|
class X25519Kyber768KeyShare : public SSLKeyShare {
|
291
197
|
public:
|
292
198
|
X25519Kyber768KeyShare() {}
|
293
199
|
|
294
|
-
uint16_t GroupID() const override {
|
200
|
+
uint16_t GroupID() const override {
|
201
|
+
return SSL_CURVE_X25519_KYBER768_DRAFT00;
|
202
|
+
}
|
295
203
|
|
296
204
|
bool Generate(CBB *out) override {
|
297
205
|
uint8_t x25519_public_key[32];
|
@@ -376,39 +284,14 @@ class X25519Kyber768KeyShare : public SSLKeyShare {
|
|
376
284
|
KYBER_private_key kyber_private_key_;
|
377
285
|
};
|
378
286
|
|
379
|
-
class P256Kyber768KeyShare : public SSLKeyShare {
|
380
|
-
public:
|
381
|
-
P256Kyber768KeyShare() {}
|
382
|
-
|
383
|
-
uint16_t GroupID() const override { return SSL_CURVE_P256KYBER768; }
|
384
|
-
|
385
|
-
bool Generate(CBB *out) override {
|
386
|
-
// There is no implementation on Kyber in BoringSSL. BoringSSL must be
|
387
|
-
// patched for this KEM to be workable. It is not enabled by default.
|
388
|
-
return false;
|
389
|
-
}
|
390
|
-
|
391
|
-
bool Encap(CBB *out_ciphertext, Array<uint8_t> *out_secret,
|
392
|
-
uint8_t *out_alert, Span<const uint8_t> peer_key) override {
|
393
|
-
return false;
|
394
|
-
}
|
395
|
-
|
396
|
-
bool Decap(Array<uint8_t> *out_secret, uint8_t *out_alert,
|
397
|
-
Span<const uint8_t> ciphertext) override {
|
398
|
-
return false;
|
399
|
-
}
|
400
|
-
};
|
401
|
-
|
402
287
|
constexpr NamedGroup kNamedGroups[] = {
|
403
288
|
{NID_secp224r1, SSL_CURVE_SECP224R1, "P-224", "secp224r1"},
|
404
289
|
{NID_X9_62_prime256v1, SSL_CURVE_SECP256R1, "P-256", "prime256v1"},
|
405
290
|
{NID_secp384r1, SSL_CURVE_SECP384R1, "P-384", "secp384r1"},
|
406
291
|
{NID_secp521r1, SSL_CURVE_SECP521R1, "P-521", "secp521r1"},
|
407
292
|
{NID_X25519, SSL_CURVE_X25519, "X25519", "x25519"},
|
408
|
-
{
|
409
|
-
|
410
|
-
"X25519Kyber"},
|
411
|
-
{NID_P256Kyber768, SSL_CURVE_P256KYBER768, "P256KYBER", "P256Kyber"},
|
293
|
+
{NID_X25519Kyber768Draft00, SSL_CURVE_X25519_KYBER768_DRAFT00,
|
294
|
+
"X25519Kyber768Draft00", ""},
|
412
295
|
};
|
413
296
|
|
414
297
|
} // namespace
|
@@ -429,12 +312,8 @@ UniquePtr<SSLKeyShare> SSLKeyShare::Create(uint16_t group_id) {
|
|
429
312
|
return MakeUnique<ECKeyShare>(NID_secp521r1, SSL_CURVE_SECP521R1);
|
430
313
|
case SSL_CURVE_X25519:
|
431
314
|
return MakeUnique<X25519KeyShare>();
|
432
|
-
case
|
433
|
-
return MakeUnique<CECPQ2KeyShare>();
|
434
|
-
case SSL_CURVE_X25519KYBER768:
|
315
|
+
case SSL_CURVE_X25519_KYBER768_DRAFT00:
|
435
316
|
return MakeUnique<X25519Kyber768KeyShare>();
|
436
|
-
case SSL_CURVE_P256KYBER768:
|
437
|
-
return MakeUnique<P256Kyber768KeyShare>();
|
438
317
|
default:
|
439
318
|
return nullptr;
|
440
319
|
}
|
@@ -457,7 +336,7 @@ bool ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len)
|
|
457
336
|
*out_group_id = group.group_id;
|
458
337
|
return true;
|
459
338
|
}
|
460
|
-
if (len == strlen(group.alias) &&
|
339
|
+
if (strlen(group.alias) > 0 && len == strlen(group.alias) &&
|
461
340
|
!strncmp(group.alias, name, len)) {
|
462
341
|
*out_group_id = group.group_id;
|
463
342
|
return true;
|
@@ -478,3 +357,8 @@ const char* SSL_get_curve_name(uint16_t group_id) {
|
|
478
357
|
}
|
479
358
|
return nullptr;
|
480
359
|
}
|
360
|
+
|
361
|
+
size_t SSL_get_all_curve_names(const char **out, size_t max_out) {
|
362
|
+
return GetAllNames(out, max_out, Span<const char *>(), &NamedGroup::name,
|
363
|
+
MakeConstSpan(kNamedGroups));
|
364
|
+
}
|
@@ -484,6 +484,17 @@ bool SSL_get_traffic_secrets(const SSL *ssl,
|
|
484
484
|
return true;
|
485
485
|
}
|
486
486
|
|
487
|
+
void SSL_CTX_set_aes_hw_override_for_testing(SSL_CTX *ctx,
|
488
|
+
bool override_value) {
|
489
|
+
ctx->aes_hw_override = true;
|
490
|
+
ctx->aes_hw_override_value = override_value;
|
491
|
+
}
|
492
|
+
|
493
|
+
void SSL_set_aes_hw_override_for_testing(SSL *ssl, bool override_value) {
|
494
|
+
ssl->config->aes_hw_override = true;
|
495
|
+
ssl->config->aes_hw_override_value = override_value;
|
496
|
+
}
|
497
|
+
|
487
498
|
BSSL_NAMESPACE_END
|
488
499
|
|
489
500
|
using namespace bssl;
|
@@ -525,7 +536,8 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
|
|
525
536
|
false_start_allowed_without_alpn(false),
|
526
537
|
handoff(false),
|
527
538
|
enable_early_data(false),
|
528
|
-
|
539
|
+
aes_hw_override(false),
|
540
|
+
aes_hw_override_value(false) {
|
529
541
|
CRYPTO_MUTEX_init(&lock);
|
530
542
|
CRYPTO_new_ex_data(&ex_data);
|
531
543
|
}
|
@@ -645,8 +657,9 @@ SSL *SSL_new(SSL_CTX *ctx) {
|
|
645
657
|
ssl->config->retain_only_sha256_of_client_certs =
|
646
658
|
ctx->retain_only_sha256_of_client_certs;
|
647
659
|
ssl->config->permute_extensions = ctx->permute_extensions;
|
648
|
-
ssl->config->
|
649
|
-
|
660
|
+
ssl->config->aes_hw_override = ctx->aes_hw_override;
|
661
|
+
ssl->config->aes_hw_override_value = ctx->aes_hw_override_value;
|
662
|
+
ssl->config->tls13_cipher_policy = ctx->tls13_cipher_policy;
|
650
663
|
|
651
664
|
if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) ||
|
652
665
|
!ssl->config->alpn_client_proto_list.CopyFrom(
|
@@ -688,7 +701,7 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
|
|
688
701
|
signed_cert_timestamps_enabled(false),
|
689
702
|
ocsp_stapling_enabled(false),
|
690
703
|
channel_id_enabled(false),
|
691
|
-
enforce_rsa_key_usage(
|
704
|
+
enforce_rsa_key_usage(true),
|
692
705
|
retain_only_sha256_of_client_certs(false),
|
693
706
|
handoff(false),
|
694
707
|
shed_handshake_config(false),
|
@@ -2026,18 +2039,27 @@ const char *SSL_get_cipher_list(const SSL *ssl, int n) {
|
|
2026
2039
|
}
|
2027
2040
|
|
2028
2041
|
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
|
2029
|
-
|
2042
|
+
const bool has_aes_hw = ctx->aes_hw_override ? ctx->aes_hw_override_value
|
2043
|
+
: EVP_has_aes_hardware();
|
2044
|
+
return ssl_create_cipher_list(&ctx->cipher_list, has_aes_hw, str,
|
2045
|
+
false /* not strict */);
|
2030
2046
|
}
|
2031
2047
|
|
2032
2048
|
int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) {
|
2033
|
-
|
2049
|
+
const bool has_aes_hw = ctx->aes_hw_override ? ctx->aes_hw_override_value
|
2050
|
+
: EVP_has_aes_hardware();
|
2051
|
+
return ssl_create_cipher_list(&ctx->cipher_list, has_aes_hw, str,
|
2052
|
+
true /* strict */);
|
2034
2053
|
}
|
2035
2054
|
|
2036
2055
|
int SSL_set_cipher_list(SSL *ssl, const char *str) {
|
2037
2056
|
if (!ssl->config) {
|
2038
2057
|
return 0;
|
2039
2058
|
}
|
2040
|
-
|
2059
|
+
const bool has_aes_hw = ssl->config->aes_hw_override
|
2060
|
+
? ssl->config->aes_hw_override_value
|
2061
|
+
: EVP_has_aes_hardware();
|
2062
|
+
return ssl_create_cipher_list(&ssl->config->cipher_list, has_aes_hw, str,
|
2041
2063
|
false /* not strict */);
|
2042
2064
|
}
|
2043
2065
|
|
@@ -2045,7 +2067,10 @@ int SSL_set_strict_cipher_list(SSL *ssl, const char *str) {
|
|
2045
2067
|
if (!ssl->config) {
|
2046
2068
|
return 0;
|
2047
2069
|
}
|
2048
|
-
|
2070
|
+
const bool has_aes_hw = ssl->config->aes_hw_override
|
2071
|
+
? ssl->config->aes_hw_override_value
|
2072
|
+
: EVP_has_aes_hardware();
|
2073
|
+
return ssl_create_cipher_list(&ssl->config->cipher_list, has_aes_hw, str,
|
2049
2074
|
true /* strict */);
|
2050
2075
|
}
|
2051
2076
|
|
@@ -3148,7 +3173,7 @@ static const char kTLS12Ciphers[] =
|
|
3148
3173
|
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
|
3149
3174
|
|
3150
3175
|
static int Configure(SSL_CTX *ctx) {
|
3151
|
-
ctx->
|
3176
|
+
ctx->tls13_cipher_policy = ssl_compliance_policy_fips_202205;
|
3152
3177
|
|
3153
3178
|
return
|
3154
3179
|
// Section 3.1:
|
@@ -3171,7 +3196,7 @@ static int Configure(SSL_CTX *ctx) {
|
|
3171
3196
|
}
|
3172
3197
|
|
3173
3198
|
static int Configure(SSL *ssl) {
|
3174
|
-
ssl->config->
|
3199
|
+
ssl->config->tls13_cipher_policy = ssl_compliance_policy_fips_202205;
|
3175
3200
|
|
3176
3201
|
// See |Configure(SSL_CTX)|, above, for reasoning.
|
3177
3202
|
return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) &&
|
@@ -3186,11 +3211,59 @@ static int Configure(SSL *ssl) {
|
|
3186
3211
|
|
3187
3212
|
} // namespace fips202205
|
3188
3213
|
|
3214
|
+
namespace wpa202304 {
|
3215
|
+
|
3216
|
+
// See WPA version 3.1, section 3.5.
|
3217
|
+
|
3218
|
+
static const int kCurves[] = {NID_secp384r1};
|
3219
|
+
|
3220
|
+
static const uint16_t kSigAlgs[] = {
|
3221
|
+
SSL_SIGN_RSA_PKCS1_SHA384, //
|
3222
|
+
SSL_SIGN_RSA_PKCS1_SHA512, //
|
3223
|
+
SSL_SIGN_ECDSA_SECP384R1_SHA384, //
|
3224
|
+
SSL_SIGN_RSA_PSS_RSAE_SHA384, //
|
3225
|
+
SSL_SIGN_RSA_PSS_RSAE_SHA512, //
|
3226
|
+
};
|
3227
|
+
|
3228
|
+
static const char kTLS12Ciphers[] =
|
3229
|
+
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:"
|
3230
|
+
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
|
3231
|
+
|
3232
|
+
static int Configure(SSL_CTX *ctx) {
|
3233
|
+
ctx->tls13_cipher_policy = ssl_compliance_policy_wpa3_192_202304;
|
3234
|
+
|
3235
|
+
return SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) &&
|
3236
|
+
SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) &&
|
3237
|
+
SSL_CTX_set_strict_cipher_list(ctx, kTLS12Ciphers) &&
|
3238
|
+
SSL_CTX_set1_curves(ctx, kCurves, OPENSSL_ARRAY_SIZE(kCurves)) &&
|
3239
|
+
SSL_CTX_set_signing_algorithm_prefs(ctx, kSigAlgs,
|
3240
|
+
OPENSSL_ARRAY_SIZE(kSigAlgs)) &&
|
3241
|
+
SSL_CTX_set_verify_algorithm_prefs(ctx, kSigAlgs,
|
3242
|
+
OPENSSL_ARRAY_SIZE(kSigAlgs));
|
3243
|
+
}
|
3244
|
+
|
3245
|
+
static int Configure(SSL *ssl) {
|
3246
|
+
ssl->config->tls13_cipher_policy = ssl_compliance_policy_wpa3_192_202304;
|
3247
|
+
|
3248
|
+
return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) &&
|
3249
|
+
SSL_set_max_proto_version(ssl, TLS1_3_VERSION) &&
|
3250
|
+
SSL_set_strict_cipher_list(ssl, kTLS12Ciphers) &&
|
3251
|
+
SSL_set1_curves(ssl, kCurves, OPENSSL_ARRAY_SIZE(kCurves)) &&
|
3252
|
+
SSL_set_signing_algorithm_prefs(ssl, kSigAlgs,
|
3253
|
+
OPENSSL_ARRAY_SIZE(kSigAlgs)) &&
|
3254
|
+
SSL_set_verify_algorithm_prefs(ssl, kSigAlgs,
|
3255
|
+
OPENSSL_ARRAY_SIZE(kSigAlgs));
|
3256
|
+
}
|
3257
|
+
|
3258
|
+
} // namespace wpa202304
|
3259
|
+
|
3189
3260
|
int SSL_CTX_set_compliance_policy(SSL_CTX *ctx,
|
3190
3261
|
enum ssl_compliance_policy_t policy) {
|
3191
3262
|
switch (policy) {
|
3192
3263
|
case ssl_compliance_policy_fips_202205:
|
3193
3264
|
return fips202205::Configure(ctx);
|
3265
|
+
case ssl_compliance_policy_wpa3_192_202304:
|
3266
|
+
return wpa202304::Configure(ctx);
|
3194
3267
|
default:
|
3195
3268
|
return 0;
|
3196
3269
|
}
|
@@ -3200,6 +3273,8 @@ int SSL_set_compliance_policy(SSL *ssl, enum ssl_compliance_policy_t policy) {
|
|
3200
3273
|
switch (policy) {
|
3201
3274
|
case ssl_compliance_policy_fips_202205:
|
3202
3275
|
return fips202205::Configure(ssl);
|
3276
|
+
case ssl_compliance_policy_wpa3_192_202304:
|
3277
|
+
return wpa202304::Configure(ssl);
|
3203
3278
|
default:
|
3204
3279
|
return 0;
|
3205
3280
|
}
|
@@ -64,6 +64,7 @@
|
|
64
64
|
#include <openssl/err.h>
|
65
65
|
#include <openssl/evp.h>
|
66
66
|
#include <openssl/mem.h>
|
67
|
+
#include <openssl/span.h>
|
67
68
|
|
68
69
|
#include "internal.h"
|
69
70
|
#include "../crypto/internal.h"
|
@@ -484,12 +485,14 @@ void SSL_CTX_set_private_key_method(SSL_CTX *ctx,
|
|
484
485
|
|
485
486
|
static constexpr size_t kMaxSignatureAlgorithmNameLen = 23;
|
486
487
|
|
487
|
-
|
488
|
-
// where it didn't pad the strings to the correct length.
|
489
|
-
static const struct {
|
488
|
+
struct SignatureAlgorithmName {
|
490
489
|
uint16_t signature_algorithm;
|
491
490
|
const char name[kMaxSignatureAlgorithmNameLen];
|
492
|
-
}
|
491
|
+
};
|
492
|
+
|
493
|
+
// This was "constexpr" rather than "const", but that triggered a bug in MSVC
|
494
|
+
// where it didn't pad the strings to the correct length.
|
495
|
+
static const SignatureAlgorithmName kSignatureAlgorithmNames[] = {
|
493
496
|
{SSL_SIGN_RSA_PKCS1_MD5_SHA1, "rsa_pkcs1_md5_sha1"},
|
494
497
|
{SSL_SIGN_RSA_PKCS1_SHA1, "rsa_pkcs1_sha1"},
|
495
498
|
{SSL_SIGN_RSA_PKCS1_SHA256, "rsa_pkcs1_sha256"},
|
@@ -515,6 +518,8 @@ const char *SSL_get_signature_algorithm_name(uint16_t sigalg,
|
|
515
518
|
return "ecdsa_sha384";
|
516
519
|
case SSL_SIGN_ECDSA_SECP521R1_SHA512:
|
517
520
|
return "ecdsa_sha512";
|
521
|
+
// If adding more here, also update
|
522
|
+
// |SSL_get_all_signature_algorithm_names|.
|
518
523
|
}
|
519
524
|
}
|
520
525
|
|
@@ -527,6 +532,14 @@ const char *SSL_get_signature_algorithm_name(uint16_t sigalg,
|
|
527
532
|
return NULL;
|
528
533
|
}
|
529
534
|
|
535
|
+
size_t SSL_get_all_signature_algorithm_names(const char **out, size_t max_out) {
|
536
|
+
const char *kPredefinedNames[] = {"ecdsa_sha256", "ecdsa_sha384",
|
537
|
+
"ecdsa_sha512"};
|
538
|
+
return GetAllNames(out, max_out, MakeConstSpan(kPredefinedNames),
|
539
|
+
&SignatureAlgorithmName::name,
|
540
|
+
MakeConstSpan(kSignatureAlgorithmNames));
|
541
|
+
}
|
542
|
+
|
530
543
|
int SSL_get_signature_algorithm_key_type(uint16_t sigalg) {
|
531
544
|
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
|
532
545
|
return alg != nullptr ? alg->pkey_type : EVP_PKEY_NONE;
|
@@ -16,8 +16,11 @@
|
|
16
16
|
|
17
17
|
#include <assert.h>
|
18
18
|
|
19
|
+
#include <algorithm>
|
20
|
+
|
19
21
|
#include <openssl/bytestring.h>
|
20
22
|
#include <openssl/err.h>
|
23
|
+
#include <openssl/span.h>
|
21
24
|
|
22
25
|
#include "internal.h"
|
23
26
|
#include "../crypto/internal.h"
|
@@ -82,29 +85,29 @@ bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,
|
|
82
85
|
// The following functions map between API versions and wire versions. The
|
83
86
|
// public API works on wire versions.
|
84
87
|
|
85
|
-
static const char
|
86
|
-
switch (version) {
|
87
|
-
case TLS1_3_VERSION:
|
88
|
-
return "TLSv1.3";
|
89
|
-
|
90
|
-
case TLS1_2_VERSION:
|
91
|
-
return "TLSv1.2";
|
92
|
-
|
93
|
-
case TLS1_1_VERSION:
|
94
|
-
return "TLSv1.1";
|
95
|
-
|
96
|
-
case TLS1_VERSION:
|
97
|
-
return "TLSv1";
|
88
|
+
static const char* kUnknownVersion = "unknown";
|
98
89
|
|
99
|
-
|
100
|
-
|
90
|
+
struct VersionInfo {
|
91
|
+
uint16_t version;
|
92
|
+
const char *name;
|
93
|
+
};
|
101
94
|
|
102
|
-
|
103
|
-
|
95
|
+
static const VersionInfo kVersionNames[] = {
|
96
|
+
{TLS1_3_VERSION, "TLSv1.3"},
|
97
|
+
{TLS1_2_VERSION, "TLSv1.2"},
|
98
|
+
{TLS1_1_VERSION, "TLSv1.1"},
|
99
|
+
{TLS1_VERSION, "TLSv1"},
|
100
|
+
{DTLS1_VERSION, "DTLSv1"},
|
101
|
+
{DTLS1_2_VERSION, "DTLSv1.2"},
|
102
|
+
};
|
104
103
|
|
105
|
-
|
106
|
-
|
104
|
+
static const char *ssl_version_to_string(uint16_t version) {
|
105
|
+
for (const auto &v : kVersionNames) {
|
106
|
+
if (v.version == version) {
|
107
|
+
return v.name;
|
108
|
+
}
|
107
109
|
}
|
110
|
+
return kUnknownVersion;
|
108
111
|
}
|
109
112
|
|
110
113
|
static uint16_t wire_version_to_api(uint16_t version) {
|
@@ -383,6 +386,11 @@ const char *SSL_get_version(const SSL *ssl) {
|
|
383
386
|
return ssl_version_to_string(ssl_version(ssl));
|
384
387
|
}
|
385
388
|
|
389
|
+
size_t SSL_get_all_version_names(const char **out, size_t max_out) {
|
390
|
+
return GetAllNames(out, max_out, MakeConstSpan(&kUnknownVersion, 1),
|
391
|
+
&VersionInfo::name, MakeConstSpan(kVersionNames));
|
392
|
+
}
|
393
|
+
|
386
394
|
const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
|
387
395
|
return ssl_version_to_string(session->ssl_version);
|
388
396
|
}
|
@@ -200,7 +200,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
|
|
200
200
|
SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||
|
201
201
|
!ssl_tls13_cipher_meets_policy(
|
202
202
|
SSL_CIPHER_get_value(cipher),
|
203
|
-
ssl->config->
|
203
|
+
ssl->config->tls13_cipher_policy)) {
|
204
204
|
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
|
205
205
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
206
206
|
return ssl_hs_error;
|
@@ -27,6 +27,7 @@
|
|
27
27
|
#include <openssl/hmac.h>
|
28
28
|
#include <openssl/mem.h>
|
29
29
|
|
30
|
+
#include "../crypto/fipsmodule/tls/internal.h"
|
30
31
|
#include "../crypto/internal.h"
|
31
32
|
#include "internal.h"
|
32
33
|
|
@@ -95,27 +96,10 @@ static bool hkdf_expand_label(Span<uint8_t> out, const EVP_MD *digest,
|
|
95
96
|
Span<const uint8_t> secret,
|
96
97
|
Span<const char> label,
|
97
98
|
Span<const uint8_t> hash) {
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
if (!CBB_init(cbb.get(), 2 + 1 + protocol_label.size() + label.size() + 1 +
|
103
|
-
hash.size()) ||
|
104
|
-
!CBB_add_u16(cbb.get(), out.size()) ||
|
105
|
-
!CBB_add_u8_length_prefixed(cbb.get(), &child) ||
|
106
|
-
!CBB_add_bytes(&child,
|
107
|
-
reinterpret_cast<const uint8_t *>(protocol_label.data()),
|
108
|
-
protocol_label.size()) ||
|
109
|
-
!CBB_add_bytes(&child, reinterpret_cast<const uint8_t *>(label.data()),
|
110
|
-
label.size()) ||
|
111
|
-
!CBB_add_u8_length_prefixed(cbb.get(), &child) ||
|
112
|
-
!CBB_add_bytes(&child, hash.data(), hash.size()) ||
|
113
|
-
!CBBFinishArray(cbb.get(), &hkdf_label)) {
|
114
|
-
return false;
|
115
|
-
}
|
116
|
-
|
117
|
-
return HKDF_expand(out.data(), out.size(), digest, secret.data(),
|
118
|
-
secret.size(), hkdf_label.data(), hkdf_label.size());
|
99
|
+
return CRYPTO_tls13_hkdf_expand_label(
|
100
|
+
out.data(), out.size(), digest, secret.data(), secret.size(),
|
101
|
+
reinterpret_cast<const uint8_t *>(label.data()), label.size(),
|
102
|
+
hash.data(), hash.size()) == 1;
|
119
103
|
}
|
120
104
|
|
121
105
|
static const char kTLS13LabelDerived[] = "derived";
|
@@ -116,8 +116,11 @@ static const SSL_CIPHER *choose_tls13_cipher(
|
|
116
116
|
|
117
117
|
const uint16_t version = ssl_protocol_version(ssl);
|
118
118
|
|
119
|
-
return ssl_choose_tls13_cipher(
|
120
|
-
|
119
|
+
return ssl_choose_tls13_cipher(
|
120
|
+
cipher_suites,
|
121
|
+
ssl->config->aes_hw_override ? ssl->config->aes_hw_override_value
|
122
|
+
: EVP_has_aes_hardware(),
|
123
|
+
version, group_id, ssl->config->tls13_cipher_policy);
|
121
124
|
}
|
122
125
|
|
123
126
|
static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {
|