grpc 1.56.0.pre3 → 1.56.2

data/src/core/lib/iomgr/tcp_server_utils_posix.h

@@ -30,6 +30,7 @@
 #include "src/core/lib/iomgr/resolve_address.h"
 #include "src/core/lib/iomgr/socket_utils_posix.h"
 #include "src/core/lib/iomgr/tcp_server.h"
+#include "src/core/lib/iomgr/timer.h"
 #include "src/core/lib/resource_quota/memory_quota.h"
 
 // one listening port
@@ -52,6 +53,11 @@ typedef struct grpc_tcp_listener {
   // identified while iterating through 'next'.
   struct grpc_tcp_listener* sibling;
   int is_sibling;
+  // If an accept4() call fails, a timer is started to drain the accept queue in
+  // case no further connection attempts reach the gRPC server.
+  grpc_closure retry_closure;
+  grpc_timer retry_timer;
+  gpr_atm retry_timer_armed;
 } grpc_tcp_listener;
 
 // the overall server
@@ -139,4 +145,10 @@ grpc_error_handle grpc_tcp_server_prepare_socket(
 // Ruturn true if the platform supports ifaddrs
 bool grpc_tcp_server_have_ifaddrs(void);
 
+// Initialize (but don't start) the timer and callback to retry accept4() on a
+// listening socket after file descriptors have been exhausted. This must be
+// called when creating a new listener.
+void grpc_tcp_server_listener_initialize_retry_timer(
+    grpc_tcp_listener* listener);
+
 #endif  // GRPC_SRC_CORE_LIB_IOMGR_TCP_SERVER_UTILS_POSIX_H

data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc

@@ -18,6 +18,8 @@
 
 #include <grpc/support/port_platform.h>
 
+#include <grpc/support/atm.h>
+
 #include "src/core/lib/iomgr/port.h"
 
 #ifdef GRPC_POSIX_SOCKET_TCP_SERVER_UTILS_COMMON
@@ -81,6 +83,24 @@ static int get_max_accept_queue_size(void) {
   return s_max_accept_queue_size;
 }
 
+static void listener_retry_timer_cb(void* arg, grpc_error_handle err) {
+  // Do nothing if cancelled.
+  if (!err.ok()) return;
+  grpc_tcp_listener* listener = static_cast<grpc_tcp_listener*>(arg);
+  gpr_atm_no_barrier_store(&listener->retry_timer_armed, false);
+  if (!grpc_fd_is_shutdown(listener->emfd)) {
+    grpc_fd_set_readable(listener->emfd);
+  }
+}
+
+void grpc_tcp_server_listener_initialize_retry_timer(
+    grpc_tcp_listener* listener) {
+  gpr_atm_no_barrier_store(&listener->retry_timer_armed, false);
+  grpc_timer_init_unset(&listener->retry_timer);
+  GRPC_CLOSURE_INIT(&listener->retry_closure, listener_retry_timer_cb, listener,
+                    grpc_schedule_on_exec_ctx);
+}
+
 static grpc_error_handle add_socket_to_server(grpc_tcp_server* s, int fd,
                                               const grpc_resolved_address* addr,
                                               unsigned port_index,
@@ -112,6 +132,7 @@ static grpc_error_handle add_socket_to_server(grpc_tcp_server* s, int fd,
   sp->server = s;
   sp->fd = fd;
   sp->emfd = grpc_fd_create(fd, name.c_str(), true);
+  grpc_tcp_server_listener_initialize_retry_timer(sp);
 
   // Check and set fd as prellocated
   if (grpc_tcp_server_pre_allocated_fd(s) == fd) {

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc

@@ -120,3 +120,11 @@ void grpc_tls_credentials_options_set_tls_session_key_log_file_path(
   }
   options->set_tls_session_key_log_file_path(path != nullptr ? path : "");
 }
+
+void grpc_tls_credentials_options_set_send_client_ca_list(
+    grpc_tls_credentials_options* options, bool send_client_ca_list) {
+  if (options == nullptr) {
+    return;
+  }
+  options->set_send_client_ca_list(send_client_ca_list);
+}

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h

@@ -61,6 +61,7 @@ struct grpc_tls_credentials_options
   const std::string& identity_cert_name() const { return identity_cert_name_; }
   const std::string& tls_session_key_log_file_path() const { return tls_session_key_log_file_path_; }
   const std::string& crl_directory() const { return crl_directory_; }
+  bool send_client_ca_list() const { return send_client_ca_list_; }
 
   // Setters for member fields.
   void set_cert_request_type(grpc_ssl_client_certificate_request_type cert_request_type) { cert_request_type_ = cert_request_type; }
@@ -81,6 +82,7 @@ struct grpc_tls_credentials_options
   void set_tls_session_key_log_file_path(std::string tls_session_key_log_file_path) { tls_session_key_log_file_path_ = std::move(tls_session_key_log_file_path); }
   //  gRPC will enforce CRLs on all handshakes from all hashed CRL files inside of the crl_directory. If not set, an empty string will be used, which will not enable CRL checking. Only supported for OpenSSL version > 1.1.
   void set_crl_directory(std::string crl_directory) { crl_directory_ = std::move(crl_directory); }
+  void set_send_client_ca_list(bool send_client_ca_list) { send_client_ca_list_ = send_client_ca_list; }
 
   bool operator==(const grpc_tls_credentials_options& other) const {
     return cert_request_type_ == other.cert_request_type_ &&
@@ -95,7 +97,8 @@ struct grpc_tls_credentials_options
       watch_identity_pair_ == other.watch_identity_pair_ &&
       identity_cert_name_ == other.identity_cert_name_ &&
       tls_session_key_log_file_path_ == other.tls_session_key_log_file_path_ &&
-      crl_directory_ == other.crl_directory_;
+      crl_directory_ == other.crl_directory_ &&
+      send_client_ca_list_ == other.send_client_ca_list_;
   }
 
  private:
@@ -112,6 +115,7 @@ struct grpc_tls_credentials_options
   std::string identity_cert_name_;
   std::string tls_session_key_log_file_path_;
   std::string crl_directory_;
+  bool send_client_ca_list_ = false;
 };
 
 #endif  // GRPC_SRC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H

data/src/core/lib/security/security_connector/ssl_utils.cc

@@ -465,7 +465,7 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     grpc_ssl_client_certificate_request_type client_certificate_request,
     tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
-    const char* crl_directory,
+    const char* crl_directory, bool send_client_ca_list,
     tsi_ssl_server_handshaker_factory** handshaker_factory) {
   size_t num_alpn_protocols = 0;
   const char** alpn_protocol_strings =
@@ -483,6 +483,7 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
   options.max_tls_version = max_tls_version;
   options.key_logger = tls_session_key_logger;
   options.crl_directory = crl_directory;
+  options.send_client_ca_list = send_client_ca_list;
   const tsi_result result =
       tsi_create_ssl_server_handshaker_factory_with_options(&options,
                                                             handshaker_factory);

data/src/core/lib/security/security_connector/ssl_utils.h

@@ -93,7 +93,7 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     grpc_ssl_client_certificate_request_type client_certificate_request,
     tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
-    const char* crl_directory,
+    const char* crl_directory, bool send_client_ca_list,
     tsi_ssl_server_handshaker_factory** handshaker_factory);
 
 // Free the memory occupied by key cert pairs.

data/src/core/lib/security/security_connector/tls/tls_security_connector.cc

@@ -830,7 +830,7 @@ TlsServerSecurityConnector::UpdateHandshakerFactoryLocked() {
       grpc_get_tsi_tls_version(options_->min_tls_version()),
       grpc_get_tsi_tls_version(options_->max_tls_version()),
       tls_session_key_logger_.get(), options_->crl_directory().c_str(),
-      &server_handshaker_factory_);
+      options_->send_client_ca_list(), &server_handshaker_factory_);
   // Free memory.
   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
                                           num_key_cert_pairs);

data/src/core/lib/surface/validate_metadata.cc

@@ -21,8 +21,6 @@
 #include "src/core/lib/surface/validate_metadata.h"
 
 #include "absl/status/status.h"
-#include "absl/strings/escaping.h"
-#include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
 
 #include <grpc/grpc.h>
@@ -46,32 +44,49 @@ class LegalHeaderKeyBits : public BitSet<256> {
 };
 constexpr LegalHeaderKeyBits g_legal_header_key_bits;
 
-GPR_ATTRIBUTE_NOINLINE
-absl::Status DoesNotConformTo(absl::string_view x, const char* err_desc) {
-  return absl::InternalError(absl::StrCat(err_desc, ": ", x, " (hex ",
-                                          absl::BytesToHexString(x), ")"));
-}
-
-absl::Status ConformsTo(absl::string_view x, const BitSet<256>& legal_bits,
-                        const char* err_desc) {
+ValidateMetadataResult ConformsTo(absl::string_view x,
+                                  const BitSet<256>& legal_bits,
+                                  ValidateMetadataResult error) {
   for (uint8_t c : x) {
     if (!legal_bits.is_set(c)) {
-      return DoesNotConformTo(x, err_desc);
+      return error;
     }
   }
-  return absl::OkStatus();
+  return ValidateMetadataResult::kOk;
+}
+
+absl::Status UpgradeToStatus(ValidateMetadataResult result) {
+  if (result == ValidateMetadataResult::kOk) return absl::OkStatus();
+  return absl::InternalError(ValidateMetadataResultToString(result));
 }
+
 }  // namespace
 
-absl::Status ValidateHeaderKeyIsLegal(absl::string_view key) {
+ValidateMetadataResult ValidateHeaderKeyIsLegal(absl::string_view key) {
   if (key.empty()) {
-    return absl::InternalError("Metadata keys cannot be zero length");
+    return ValidateMetadataResult::kCannotBeZeroLength;
   }
   if (key.size() > UINT32_MAX) {
-    return absl::InternalError(
-        "Metadata keys cannot be larger than UINT32_MAX");
+    return ValidateMetadataResult::kTooLong;
+  }
+  return ConformsTo(key, g_legal_header_key_bits,
+                    ValidateMetadataResult::kIllegalHeaderKey);
+}
+
+const char* ValidateMetadataResultToString(ValidateMetadataResult result) {
+  switch (result) {
+    case ValidateMetadataResult::kOk:
+      return "Ok";
+    case ValidateMetadataResult::kCannotBeZeroLength:
+      return "Metadata keys cannot be zero length";
+    case ValidateMetadataResult::kTooLong:
+      return "Metadata keys cannot be larger than UINT32_MAX";
+    case ValidateMetadataResult::kIllegalHeaderKey:
+      return "Illegal header key";
+    case ValidateMetadataResult::kIllegalHeaderValue:
+      return "Illegal header value";
   }
-  return ConformsTo(key, g_legal_header_key_bits, "Illegal header key");
+  GPR_UNREACHABLE_CODE(return "Unknown");
 }
 
 }  // namespace grpc_core
@@ -82,8 +97,8 @@ static int error2int(grpc_error_handle error) {
 }
 
 grpc_error_handle grpc_validate_header_key_is_legal(const grpc_slice& slice) {
-  return grpc_core::ValidateHeaderKeyIsLegal(
-      grpc_core::StringViewFromSlice(slice));
+  return grpc_core::UpgradeToStatus(grpc_core::ValidateHeaderKeyIsLegal(
+      grpc_core::StringViewFromSlice(slice)));
 }
 
 int grpc_header_key_is_legal(grpc_slice slice) {
@@ -104,9 +119,9 @@ constexpr LegalHeaderNonBinValueBits g_legal_header_non_bin_value_bits;
 
 grpc_error_handle grpc_validate_header_nonbin_value_is_legal(
     const grpc_slice& slice) {
-  return grpc_core::ConformsTo(grpc_core::StringViewFromSlice(slice),
-                               g_legal_header_non_bin_value_bits,
-                               "Illegal header value");
+  return grpc_core::UpgradeToStatus(grpc_core::ConformsTo(
+      grpc_core::StringViewFromSlice(slice), g_legal_header_non_bin_value_bits,
+      grpc_core::ValidateMetadataResult::kIllegalHeaderValue));
 }
 
 int grpc_header_nonbin_value_is_legal(grpc_slice slice) {

data/src/core/lib/surface/validate_metadata.h

@@ -25,7 +25,6 @@
 
 #include <cstring>
 
-#include "absl/status/status.h"
 #include "absl/strings/string_view.h"
 
 #include <grpc/slice.h>
@@ -35,9 +34,20 @@
 
 namespace grpc_core {
 
-absl::Status ValidateHeaderKeyIsLegal(absl::string_view key);
+enum class ValidateMetadataResult : uint8_t {
+  kOk,
+  kCannotBeZeroLength,
+  kTooLong,
+  kIllegalHeaderKey,
+  kIllegalHeaderValue
+};
 
-}
+const char* ValidateMetadataResultToString(ValidateMetadataResult result);
+
+// Returns nullopt if the key is legal, otherwise returns an error message.
+ValidateMetadataResult ValidateHeaderKeyIsLegal(absl::string_view key);
+
+}  // namespace grpc_core
 
 grpc_error_handle grpc_validate_header_key_is_legal(const grpc_slice& slice);
 grpc_error_handle grpc_validate_header_nonbin_value_is_legal(

data/src/core/tsi/ssl_transport_security.cc

@@ -2202,12 +2202,15 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
         STACK_OF(X509_NAME)* root_names = nullptr;
         result = ssl_ctx_load_verification_certs(
             impl->ssl_contexts[i], options->pem_client_root_certs,
-            strlen(options->pem_client_root_certs), &root_names);
+            strlen(options->pem_client_root_certs),
+            options->send_client_ca_list ? &root_names : nullptr);
         if (result != TSI_OK) {
           gpr_log(GPR_ERROR, "Invalid verification certs.");
           break;
         }
-        SSL_CTX_set_client_CA_list(impl->ssl_contexts[i], root_names);
+        if (options->send_client_ca_list) {
+          SSL_CTX_set_client_CA_list(impl->ssl_contexts[i], root_names);
+        }
       }
       switch (options->client_certificate_request) {
         case TSI_DONT_REQUEST_CLIENT_CERTIFICATE:

data/src/core/tsi/ssl_transport_security.h

@@ -325,6 +325,17 @@ struct tsi_ssl_server_handshaker_options {
   // crl checking. Only OpenSSL version > 1.1 is supported for CRL checking
   const char* crl_directory;
 
+  // If true, the SSL server sends a list of CA names to the client in the
+  // ServerHello. This list of CA names is extracted from the server's trust
+  // bundle, and the client may use this lint as a hint to decide which
+  // certificate it should send to the server.
+  //
+  // WARNING: This is an extremely dangerous option. If the server's trust
+  // bundle is sufficiently large, then setting this bit to true will result in
+  // the server being unable to generate a ServerHello, and hence the server
+  // will be unusable.
+  bool send_client_ca_list;
+
   tsi_ssl_server_handshaker_options()
       : pem_key_cert_pairs(nullptr),
         num_key_cert_pairs(0),
@@ -338,7 +349,8 @@ struct tsi_ssl_server_handshaker_options {
         min_tls_version(tsi_tls_version::TSI_TLS1_2),
         max_tls_version(tsi_tls_version::TSI_TLS1_3),
         key_logger(nullptr),
-        crl_directory(nullptr) {}
+        crl_directory(nullptr),
+        send_client_ca_list(true) {}
 };
 
 // Creates a server handshaker factory.

data/src/ruby/ext/grpc/rb_grpc_imports.generated.c

@@ -188,6 +188,7 @@ grpc_tls_credentials_options_set_identity_cert_name_type grpc_tls_credentials_op
 grpc_tls_credentials_options_set_cert_request_type_type grpc_tls_credentials_options_set_cert_request_type_import;
 grpc_tls_credentials_options_set_crl_directory_type grpc_tls_credentials_options_set_crl_directory_import;
 grpc_tls_credentials_options_set_verify_server_cert_type grpc_tls_credentials_options_set_verify_server_cert_import;
+grpc_tls_credentials_options_set_send_client_ca_list_type grpc_tls_credentials_options_set_send_client_ca_list_import;
 grpc_tls_credentials_options_set_check_call_host_type grpc_tls_credentials_options_set_check_call_host_import;
 grpc_insecure_credentials_create_type grpc_insecure_credentials_create_import;
 grpc_insecure_server_credentials_create_type grpc_insecure_server_credentials_create_import;
@@ -474,6 +475,7 @@ void grpc_rb_load_imports(HMODULE library) {
   grpc_tls_credentials_options_set_cert_request_type_import = (grpc_tls_credentials_options_set_cert_request_type_type) GetProcAddress(library, "grpc_tls_credentials_options_set_cert_request_type");
   grpc_tls_credentials_options_set_crl_directory_import = (grpc_tls_credentials_options_set_crl_directory_type) GetProcAddress(library, "grpc_tls_credentials_options_set_crl_directory");
   grpc_tls_credentials_options_set_verify_server_cert_import = (grpc_tls_credentials_options_set_verify_server_cert_type) GetProcAddress(library, "grpc_tls_credentials_options_set_verify_server_cert");
+  grpc_tls_credentials_options_set_send_client_ca_list_import = (grpc_tls_credentials_options_set_send_client_ca_list_type) GetProcAddress(library, "grpc_tls_credentials_options_set_send_client_ca_list");
   grpc_tls_credentials_options_set_check_call_host_import = (grpc_tls_credentials_options_set_check_call_host_type) GetProcAddress(library, "grpc_tls_credentials_options_set_check_call_host");
   grpc_insecure_credentials_create_import = (grpc_insecure_credentials_create_type) GetProcAddress(library, "grpc_insecure_credentials_create");
   grpc_insecure_server_credentials_create_import = (grpc_insecure_server_credentials_create_type) GetProcAddress(library, "grpc_insecure_server_credentials_create");

data/src/ruby/ext/grpc/rb_grpc_imports.generated.h

@@ -539,6 +539,9 @@ extern grpc_tls_credentials_options_set_crl_directory_type grpc_tls_credentials_
 typedef void(*grpc_tls_credentials_options_set_verify_server_cert_type)(grpc_tls_credentials_options* options, int verify_server_cert);
 extern grpc_tls_credentials_options_set_verify_server_cert_type grpc_tls_credentials_options_set_verify_server_cert_import;
 #define grpc_tls_credentials_options_set_verify_server_cert grpc_tls_credentials_options_set_verify_server_cert_import
+typedef void(*grpc_tls_credentials_options_set_send_client_ca_list_type)(grpc_tls_credentials_options* options, bool send_client_ca_list);
+extern grpc_tls_credentials_options_set_send_client_ca_list_type grpc_tls_credentials_options_set_send_client_ca_list_import;
+#define grpc_tls_credentials_options_set_send_client_ca_list grpc_tls_credentials_options_set_send_client_ca_list_import
 typedef void(*grpc_tls_credentials_options_set_check_call_host_type)(grpc_tls_credentials_options* options, int check_call_host);
 extern grpc_tls_credentials_options_set_check_call_host_type grpc_tls_credentials_options_set_check_call_host_import;
 #define grpc_tls_credentials_options_set_check_call_host grpc_tls_credentials_options_set_check_call_host_import

data/src/ruby/lib/grpc/version.rb

@@ -14,5 +14,5 @@
 
 # GRPC contains the General RPC module.
 module GRPC
-  VERSION = '1.56.0.pre3'
+  VERSION = '1.56.2'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: grpc
 version: !ruby/object:Gem::Version
-  version: 1.56.0.pre3
+  version: 1.56.2
 platform: ruby
 authors:
 - gRPC Authors
 autorequire: 
 bindir: src/ruby/bin
 cert_chain: []
-date: 2023-06-13 00:00:00.000000000 Z
+date: 2023-07-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: google-protobuf
@@ -465,6 +465,8 @@ files:
 - src/core/ext/transport/chttp2/transport/hpack_encoder.h
 - src/core/ext/transport/chttp2/transport/hpack_encoder_table.cc
 - src/core/ext/transport/chttp2/transport/hpack_encoder_table.h
+- src/core/ext/transport/chttp2/transport/hpack_parse_result.cc
+- src/core/ext/transport/chttp2/transport/hpack_parse_result.h
 - src/core/ext/transport/chttp2/transport/hpack_parser.cc
 - src/core/ext/transport/chttp2/transport/hpack_parser.h
 - src/core/ext/transport/chttp2/transport/hpack_parser_table.cc
@@ -3240,11 +3242,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubygems_version: 3.4.14
+rubygems_version: 3.4.17
 signing_key: 
 specification_version: 4
 summary: GRPC system in Ruby