grpc 1.13.0 → 1.14.0
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +403 -153
- data/include/grpc/grpc.h +0 -8
- data/include/grpc/grpc_security.h +59 -2
- data/include/grpc/impl/codegen/grpc_types.h +8 -2
- data/include/grpc/impl/codegen/log.h +112 -0
- data/include/grpc/module.modulemap +2 -0
- data/include/grpc/support/log.h +2 -88
- data/include/grpc/support/string_util.h +2 -0
- data/src/boringssl/err_data.c +597 -593
- data/src/core/ext/filters/client_channel/client_channel.cc +715 -770
- data/src/core/ext/filters/client_channel/client_channel.h +5 -0
- data/src/core/ext/filters/client_channel/client_channel_channelz.cc +111 -0
- data/src/core/ext/filters/client_channel/client_channel_channelz.h +69 -0
- data/src/core/ext/filters/client_channel/client_channel_plugin.cc +9 -0
- data/src/core/ext/filters/client_channel/http_proxy.cc +22 -5
- data/src/core/ext/filters/client_channel/lb_policy.h +15 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +3 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.cc +3 -3
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/load_balancer_api.h +3 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/proto/grpc/lb/v1/google/protobuf/duration.pb.c +19 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/proto/grpc/lb/v1/google/protobuf/duration.pb.h +54 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/proto/grpc/lb/v1/google/protobuf/timestamp.pb.c +19 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/proto/grpc/lb/v1/google/protobuf/timestamp.pb.h +54 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/proto/grpc/lb/v1/load_balancer.pb.c +4 -17
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/proto/grpc/lb/v1/load_balancer.pb.h +37 -63
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +79 -0
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +5 -2
- data/src/core/ext/filters/client_channel/lb_policy_factory.cc +8 -0
- data/src/core/ext/filters/client_channel/lb_policy_factory.h +4 -0
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +317 -0
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +48 -9
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +40 -293
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +106 -84
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +6 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +6 -5
- data/src/core/ext/filters/client_channel/subchannel.cc +36 -6
- data/src/core/ext/filters/client_channel/subchannel.h +4 -0
- data/src/core/ext/filters/deadline/deadline_filter.cc +18 -15
- data/src/core/ext/filters/deadline/deadline_filter.h +5 -5
- data/src/core/ext/filters/http/client/http_client_filter.cc +10 -9
- data/src/core/ext/filters/http/server/http_server_filter.h +1 -1
- data/src/core/ext/transport/chttp2/client/insecure/channel_create_posix.cc +1 -1
- data/src/core/ext/transport/chttp2/server/insecure/server_chttp2_posix.cc +3 -2
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +33 -22
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +1 -1
- data/src/core/ext/transport/chttp2/transport/internal.h +10 -3
- data/src/core/ext/transport/chttp2/transport/stream_lists.cc +17 -0
- data/src/core/ext/transport/chttp2/transport/writing.cc +21 -16
- data/src/core/ext/transport/inproc/inproc_transport.cc +46 -6
- data/src/core/lib/channel/channel_stack.cc +22 -24
- data/src/core/lib/channel/channel_trace.cc +28 -63
- data/src/core/lib/channel/channel_trace.h +13 -17
- data/src/core/lib/channel/channelz.cc +143 -0
- data/src/core/lib/channel/channelz.h +124 -0
- data/src/core/lib/channel/channelz_registry.cc +7 -24
- data/src/core/lib/channel/channelz_registry.h +12 -8
- data/src/core/lib/channel/connected_channel.cc +8 -1
- data/src/core/{ext/filters/load_reporting/server_load_reporting_filter.h → lib/gpr/alloc.h} +7 -9
- data/src/core/lib/gpr/arena.cc +8 -8
- data/src/core/lib/gpr/string.cc +28 -0
- data/src/core/lib/gpr/string.h +10 -0
- data/src/core/lib/gprpp/abstract.h +5 -2
- data/src/core/lib/gprpp/inlined_vector.h +57 -3
- data/src/core/lib/gprpp/memory.h +2 -2
- data/src/core/lib/gprpp/ref_counted_ptr.h +5 -0
- data/src/core/lib/gprpp/thd_posix.cc +1 -1
- data/src/core/lib/iomgr/call_combiner.h +80 -0
- data/src/core/lib/iomgr/closure.h +3 -2
- data/src/core/lib/iomgr/endpoint_pair_posix.cc +2 -2
- data/src/core/lib/iomgr/error.cc +12 -0
- data/src/core/lib/iomgr/error.h +5 -0
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +36 -9
- data/src/core/lib/iomgr/ev_epollex_linux.cc +172 -46
- data/src/core/lib/iomgr/ev_epollsig_linux.cc +47 -21
- data/src/core/lib/iomgr/ev_poll_posix.cc +10 -4
- data/src/core/lib/iomgr/ev_posix.cc +17 -9
- data/src/core/lib/iomgr/ev_posix.h +20 -4
- data/src/core/lib/iomgr/executor.cc +196 -140
- data/src/core/lib/iomgr/executor.h +47 -14
- data/src/core/lib/iomgr/iomgr.cc +2 -0
- data/src/core/lib/iomgr/iomgr.h +5 -0
- data/src/core/lib/iomgr/is_epollexclusive_available.cc +1 -0
- data/src/core/lib/iomgr/socket_utils.h +9 -0
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +4 -0
- data/src/core/lib/iomgr/socket_utils_uv.cc +4 -0
- data/src/core/lib/iomgr/socket_utils_windows.cc +4 -0
- data/src/core/lib/iomgr/tcp_client_posix.cc +3 -5
- data/src/core/lib/iomgr/tcp_posix.cc +6 -1
- data/src/core/lib/iomgr/tcp_server_posix.cc +3 -3
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +1 -1
- data/src/core/lib/iomgr/timer_manager.cc +0 -1
- data/src/core/lib/iomgr/udp_server.cc +2 -3
- data/src/core/lib/json/json.cc +10 -0
- data/src/core/lib/json/json.h +5 -0
- data/src/core/lib/security/context/security_context.cc +8 -8
- data/src/core/lib/security/context/security_context.h +6 -2
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +2 -1
- data/src/core/lib/security/credentials/local/local_credentials.cc +77 -0
- data/src/core/lib/security/credentials/local/local_credentials.h +40 -0
- data/src/core/lib/security/credentials/ssl/ssl_credentials.cc +17 -3
- data/src/core/lib/security/security_connector/local_security_connector.cc +245 -0
- data/src/core/lib/security/security_connector/local_security_connector.h +58 -0
- data/src/core/lib/security/security_connector/security_connector.cc +30 -5
- data/src/core/lib/security/security_connector/security_connector.h +1 -0
- data/src/core/lib/security/transport/client_auth_filter.cc +5 -1
- data/src/core/lib/security/transport/server_auth_filter.cc +4 -5
- data/src/core/lib/surface/call.cc +75 -32
- data/src/core/lib/surface/call.h +2 -0
- data/src/core/lib/surface/channel.cc +32 -13
- data/src/core/lib/surface/channel.h +4 -0
- data/src/core/lib/surface/version.cc +1 -1
- data/src/core/lib/transport/transport.cc +20 -9
- data/src/core/lib/transport/transport.h +12 -10
- data/src/core/lib/transport/transport_op_string.cc +0 -7
- data/src/core/plugin_registry/grpc_plugin_registry.cc +0 -4
- data/src/core/tsi/alts/handshaker/alts_handshaker_service_api_util.h +2 -2
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +2 -1
- data/src/core/tsi/alts/handshaker/altscontext.pb.c +0 -1
- data/src/core/tsi/alts/handshaker/altscontext.pb.h +1 -2
- data/src/core/tsi/alts/handshaker/handshaker.pb.c +0 -1
- data/src/core/tsi/alts/handshaker/handshaker.pb.h +1 -2
- data/src/core/tsi/alts/handshaker/transport_security_common.pb.c +0 -1
- data/src/core/tsi/alts/handshaker/transport_security_common.pb.h +1 -1
- data/src/core/tsi/alts/handshaker/transport_security_common_api.h +2 -2
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_integrity_only_record_protocol.cc +47 -1
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_integrity_only_record_protocol.h +3 -1
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +12 -11
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.h +7 -2
- data/src/core/tsi/local_transport_security.cc +209 -0
- data/src/core/tsi/local_transport_security.h +51 -0
- data/src/core/tsi/ssl_transport_security.cc +2 -3
- data/src/{core/ext → cpp/ext/filters}/census/grpc_context.cc +0 -0
- data/src/ruby/ext/grpc/rb_channel_credentials.c +3 -3
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +18 -18
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +29 -29
- data/src/ruby/lib/grpc/generic/active_call.rb +19 -23
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/spec/call_credentials_spec.rb +1 -1
- data/src/ruby/spec/call_spec.rb +1 -1
- data/src/ruby/spec/channel_credentials_spec.rb +1 -1
- data/src/ruby/spec/channel_spec.rb +1 -1
- data/src/ruby/spec/client_auth_spec.rb +1 -12
- data/src/ruby/spec/client_server_spec.rb +1 -1
- data/src/ruby/spec/compression_options_spec.rb +1 -1
- data/src/ruby/spec/error_sanity_spec.rb +1 -1
- data/src/ruby/spec/generic/client_stub_spec.rb +13 -1
- data/src/ruby/spec/generic/rpc_desc_spec.rb +1 -1
- data/src/ruby/spec/generic/rpc_server_pool_spec.rb +1 -1
- data/src/ruby/spec/generic/service_spec.rb +1 -1
- data/src/ruby/spec/google_rpc_status_utils_spec.rb +1 -12
- data/src/ruby/spec/pb/duplicate/codegen_spec.rb +1 -0
- data/src/ruby/spec/pb/health/checker_spec.rb +1 -1
- data/src/ruby/spec/server_credentials_spec.rb +1 -1
- data/src/ruby/spec/server_spec.rb +1 -1
- data/src/ruby/spec/spec_helper.rb +1 -0
- data/src/ruby/spec/support/services.rb +1 -1
- data/src/ruby/spec/time_consts_spec.rb +1 -1
- data/third_party/boringssl/crypto/asn1/tasn_dec.c +40 -19
- data/third_party/boringssl/crypto/bytestring/cbs.c +1 -0
- data/third_party/boringssl/crypto/cipher_extra/e_aesccm.c +47 -15
- data/third_party/boringssl/crypto/ec_extra/ec_asn1.c +9 -10
- data/third_party/boringssl/crypto/ecdh/ecdh.c +4 -3
- data/third_party/boringssl/crypto/fipsmodule/bn/add.c +30 -54
- data/third_party/boringssl/crypto/fipsmodule/bn/bn.c +7 -1
- data/third_party/boringssl/crypto/fipsmodule/bn/cmp.c +8 -8
- data/third_party/boringssl/crypto/fipsmodule/bn/div.c +97 -11
- data/third_party/boringssl/crypto/fipsmodule/bn/gcd.c +274 -218
- data/third_party/boringssl/crypto/fipsmodule/bn/internal.h +111 -34
- data/third_party/boringssl/crypto/fipsmodule/bn/montgomery.c +2 -2
- data/third_party/boringssl/crypto/fipsmodule/bn/montgomery_inv.c +1 -1
- data/third_party/boringssl/crypto/fipsmodule/bn/mul.c +24 -6
- data/third_party/boringssl/crypto/fipsmodule/bn/prime.c +324 -63
- data/third_party/boringssl/crypto/fipsmodule/bn/random.c +74 -21
- data/third_party/boringssl/crypto/fipsmodule/bn/shift.c +128 -86
- data/third_party/boringssl/crypto/fipsmodule/bn/sqrt.c +1 -1
- data/third_party/boringssl/crypto/fipsmodule/ec/ec_key.c +67 -112
- data/third_party/boringssl/crypto/fipsmodule/ec/internal.h +8 -1
- data/third_party/boringssl/crypto/fipsmodule/ec/oct.c +5 -5
- data/third_party/boringssl/crypto/fipsmodule/ec/p224-64.c +9 -17
- data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64-table.h +5378 -5418
- data/third_party/boringssl/crypto/fipsmodule/ec/simple.c +32 -32
- data/third_party/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c +5 -11
- data/third_party/boringssl/crypto/fipsmodule/rsa/blinding.c +16 -40
- data/third_party/boringssl/crypto/fipsmodule/rsa/internal.h +1 -6
- data/third_party/boringssl/crypto/fipsmodule/rsa/rsa.c +41 -29
- data/third_party/boringssl/crypto/fipsmodule/rsa/rsa_impl.c +63 -49
- data/third_party/boringssl/crypto/x509/vpm_int.h +1 -0
- data/third_party/boringssl/crypto/x509/x509_vfy.c +4 -0
- data/third_party/boringssl/crypto/x509/x509_vpm.c +44 -22
- data/third_party/boringssl/include/openssl/aead.h +8 -2
- data/third_party/boringssl/include/openssl/asn1.h +1 -0
- data/third_party/boringssl/include/openssl/base.h +4 -0
- data/third_party/boringssl/include/openssl/bn.h +13 -3
- data/third_party/boringssl/include/openssl/bytestring.h +4 -4
- data/third_party/boringssl/include/openssl/ec.h +10 -4
- data/third_party/boringssl/include/openssl/ec_key.h +0 -3
- data/third_party/boringssl/include/openssl/rsa.h +1 -0
- data/third_party/boringssl/include/openssl/ssl.h +8 -3
- data/third_party/boringssl/include/openssl/ssl3.h +0 -1
- data/third_party/boringssl/include/openssl/x509.h +1 -0
- data/third_party/boringssl/include/openssl/x509v3.h +1 -0
- data/third_party/boringssl/ssl/handshake_client.cc +36 -64
- data/third_party/boringssl/ssl/ssl_cipher.cc +4 -0
- data/third_party/boringssl/ssl/ssl_lib.cc +1 -1
- metadata +45 -38
- data/src/core/ext/filters/load_reporting/server_load_reporting_filter.cc +0 -222
- data/src/core/ext/filters/load_reporting/server_load_reporting_plugin.cc +0 -71
- data/src/core/ext/filters/load_reporting/server_load_reporting_plugin.h +0 -61
- data/src/ruby/spec/pb/package_with_underscore/checker_spec.rb +0 -51
- data/src/ruby/spec/pb/package_with_underscore/data.proto +0 -23
- data/src/ruby/spec/pb/package_with_underscore/service.proto +0 -23
@@ -784,6 +784,10 @@ static int check_id(X509_STORE_CTX *ctx)
|
|
784
784
|
X509_VERIFY_PARAM *vpm = ctx->param;
|
785
785
|
X509_VERIFY_PARAM_ID *id = vpm->id;
|
786
786
|
X509 *x = ctx->cert;
|
787
|
+
if (id->poison) {
|
788
|
+
if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL))
|
789
|
+
return 0;
|
790
|
+
}
|
787
791
|
if (id->hosts && check_hosts(x, id) <= 0) {
|
788
792
|
if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
|
789
793
|
return 0;
|
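Review bot: The new `id->poison` branch at the top of check_id has no comment saying what the flag means or who sets it, and `X509_V_ERR_INVALID_CALL` alone does not tell a reader that an earlier parameter setter failed. I would add a comment above it such as `// |poison| is set when a host, email or IP setter on the verify parameters failed; fail closed rather than verify without the intended check.` Like the hostname branch below it, the result goes through check_id_error, so whether the error is final presumably depends on the verify callback, which is not visible here. check_id continues past the end of the hunk.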
@@ -89,6 +89,11 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode,
|
|
89
89
|
{
|
90
90
|
char *copy;
|
91
91
|
|
92
|
+
if (name == NULL || namelen == 0) {
|
93
|
+
// Unlike OpenSSL, we reject trying to set or add an empty name.
|
94
|
+
return 0;
|
95
|
+
}
|
96
|
+
|
92
97
|
/*
|
93
98
|
* Refuse names with embedded NUL bytes.
|
94
99
|
* XXX: Do we need to push an error onto the error stack?
|
@@ -100,8 +105,6 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode,
|
|
100
105
|
string_stack_free(id->hosts);
|
101
106
|
id->hosts = NULL;
|
102
107
|
}
|
103
|
-
if (name == NULL || namelen == 0)
|
104
|
-
return 1;
|
105
108
|
|
106
109
|
copy = BUF_strndup(name, namelen);
|
107
110
|
if (copy == NULL)
|
@@ -162,7 +165,7 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
|
|
162
165
|
paramid->ip = NULL;
|
163
166
|
paramid->iplen = 0;
|
164
167
|
}
|
165
|
-
|
168
|
+
paramid->poison = 0;
|
166
169
|
}
|
167
170
|
|
168
171
|
X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
|
@@ -316,6 +319,8 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
|
|
316
319
|
return 0;
|
317
320
|
}
|
318
321
|
|
322
|
+
dest->id->poison = src->id->poison;
|
323
|
+
|
319
324
|
return 1;
|
320
325
|
}
|
321
326
|
|
@@ -334,18 +339,17 @@ static int int_x509_param_set1(char **pdest, size_t *pdestlen,
|
|
334
339
|
const char *src, size_t srclen)
|
335
340
|
{
|
336
341
|
void *tmp;
|
337
|
-
if (src) {
|
338
|
-
|
339
|
-
|
340
|
-
|
341
|
-
|
342
|
-
|
343
|
-
|
344
|
-
|
345
|
-
|
346
|
-
tmp = NULL;
|
347
|
-
srclen = 0;
|
342
|
+
if (src == NULL || srclen == 0) {
|
343
|
+
// Unlike OpenSSL, we do not allow an empty string to disable previously
|
344
|
+
// configured checks.
|
345
|
+
return 0;
|
346
|
+
}
|
347
|
+
|
348
|
+
tmp = BUF_memdup(src, srclen);
|
349
|
+
if (!tmp) {
|
350
|
+
return 0;
|
348
351
|
}
|
352
|
+
|
349
353
|
if (*pdest)
|
350
354
|
OPENSSL_free(*pdest);
|
351
355
|
*pdest = tmp;
|
@@ -454,13 +458,21 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
|
|
454
458
|
int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
|
455
459
|
const char *name, size_t namelen)
|
456
460
|
{
|
457
|
-
|
461
|
+
if (!int_x509_param_set_hosts(param->id, SET_HOST, name, namelen)) {
|
462
|
+
param->id->poison = 1;
|
463
|
+
return 0;
|
464
|
+
}
|
465
|
+
return 1;
|
458
466
|
}
|
459
467
|
|
460
468
|
int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
|
461
469
|
const char *name, size_t namelen)
|
462
470
|
{
|
463
|
-
|
471
|
+
if (!int_x509_param_set_hosts(param->id, ADD_HOST, name, namelen)) {
|
472
|
+
param->id->poison = 1;
|
473
|
+
return 0;
|
474
|
+
}
|
475
|
+
return 1;
|
464
476
|
}
|
465
477
|
|
466
478
|
void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
|
@@ -477,17 +489,27 @@ char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
|
|
477
489
|
int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
|
478
490
|
const char *email, size_t emaillen)
|
479
491
|
{
|
480
|
-
|
481
|
-
|
492
|
+
if (OPENSSL_memchr(email, '\0', emaillen) != NULL ||
|
493
|
+
!int_x509_param_set1(¶m->id->email, ¶m->id->emaillen,
|
494
|
+
email, emaillen)) {
|
495
|
+
param->id->poison = 1;
|
496
|
+
return 0;
|
497
|
+
}
|
498
|
+
|
499
|
+
return 1;
|
482
500
|
}
|
483
501
|
|
484
502
|
int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
|
485
503
|
const unsigned char *ip, size_t iplen)
|
486
504
|
{
|
487
|
-
if (iplen !=
|
505
|
+
if ((iplen != 4 && iplen != 16) ||
|
506
|
+
!int_x509_param_set1((char **)¶m->id->ip, ¶m->id->iplen,
|
507
|
+
(char *)ip, iplen)) {
|
508
|
+
param->id->poison = 1;
|
488
509
|
return 0;
|
489
|
-
|
490
|
-
|
510
|
+
}
|
511
|
+
|
512
|
+
return 1;
|
491
513
|
}
|
492
514
|
|
493
515
|
int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
|
@@ -512,7 +534,7 @@ const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
|
|
512
534
|
}
|
513
535
|
|
514
536
|
static const X509_VERIFY_PARAM_ID _empty_id =
|
515
|
-
{ NULL, 0U, NULL, NULL, 0, NULL, 0 };
|
537
|
+
{ NULL, 0U, NULL, NULL, 0, NULL, 0, 0 };
|
516
538
|
|
517
539
|
#define vpm_empty_id ((X509_VERIFY_PARAM_ID *)&_empty_id)
|
518
540
|
|
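Review bot: In X509_VERIFY_PARAM_inherit the added `dest->id->poison = src->id->poison;` assigns rather than accumulates, so inheriting from an unpoisoned `src` resets a `dest` that an earlier failed setter or an earlier inherit had poisoned. If a context can inherit from more than one parameter set, which the hunk does not show, the poison check in check_id would be skipped in the case it is meant to catch. Unless clearing is intended, keep the flag sticky with `dest->id->poison |= src->id->poison;`. The function starts outside the hunk, so the return paths above this line should be checked for the same propagation.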
@@ -117,10 +117,16 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void);
|
|
117
117
|
// https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02
|
118
118
|
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void);
|
119
119
|
|
120
|
-
// EVP_aead_aes_128_ccm_bluetooth is AES-128-CCM with M=4 and L=2
|
121
|
-
// in the Bluetooth Core Specification v5.0,
|
120
|
+
// EVP_aead_aes_128_ccm_bluetooth is AES-128-CCM with M=4 and L=2 (4-byte tags
|
121
|
+
// and 13-byte nonces), as decribed in the Bluetooth Core Specification v5.0,
|
122
|
+
// Volume 6, Part E, Section 1.
|
122
123
|
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth(void);
|
123
124
|
|
125
|
+
// EVP_aead_aes_128_ccm_bluetooth_8 is AES-128-CCM with M=8 and L=2 (8-byte tags
|
126
|
+
// and 13-byte nonces), as used in the Bluetooth Mesh Networking Specification
|
127
|
+
// v1.0.
|
128
|
+
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth_8(void);
|
129
|
+
|
124
130
|
// EVP_has_aes_hardware returns one if we enable hardware support for fast and
|
125
131
|
// constant-time AES-GCM.
|
126
132
|
OPENSSL_EXPORT int EVP_has_aes_hardware(void);
|
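Review bot: The added comment for `EVP_aead_aes_128_ccm_bluetooth` misspells "described" as "decribed". Neither new comment says that a 4-byte or 8-byte tag gives much weaker forgery resistance than a full 16-byte tag, so a reader could pick these AEADs for general use. I would append to both a line such as `// The short tag is only appropriate for Bluetooth interoperability; do not use this AEAD in new protocols.`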
@@ -104,6 +104,10 @@ extern "C" {
|
|
104
104
|
#elif defined(__pnacl__)
|
105
105
|
#define OPENSSL_32_BIT
|
106
106
|
#define OPENSSL_PNACL
|
107
|
+
#elif defined(__wasm__)
|
108
|
+
#define OPENSSL_32_BIT
|
109
|
+
#elif defined(__asmjs__)
|
110
|
+
#define OPENSSL_32_BIT
|
107
111
|
#elif defined(__myriad2__)
|
108
112
|
#define OPENSSL_32_BIT
|
109
113
|
#else
|
@@ -237,7 +237,8 @@ OPENSSL_EXPORT BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret);
|
|
237
237
|
|
238
238
|
// BN_bn2bin serialises the absolute value of |in| to |out| as a big-endian
|
239
239
|
// integer, which must have |BN_num_bytes| of space available. It returns the
|
240
|
-
// number of bytes written.
|
240
|
+
// number of bytes written. Note this function leaks the magnitude of |in|. If
|
241
|
+
// |in| is secret, use |BN_bn2bin_padded| instead.
|
241
242
|
OPENSSL_EXPORT size_t BN_bn2bin(const BIGNUM *in, uint8_t *out);
|
242
243
|
|
243
244
|
// BN_le2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as
|
@@ -493,7 +494,12 @@ OPENSSL_EXPORT int BN_clear_bit(BIGNUM *a, int n);
|
|
493
494
|
OPENSSL_EXPORT int BN_is_bit_set(const BIGNUM *a, int n);
|
494
495
|
|
495
496
|
// BN_mask_bits truncates |a| so that it is only |n| bits long. It returns one
|
496
|
-
// on success or zero if |n| is
|
497
|
+
// on success or zero if |n| is negative.
|
498
|
+
//
|
499
|
+
// This differs from OpenSSL which additionally returns zero if |a|'s word
|
500
|
+
// length is less than or equal to |n|, rounded down to a number of words. Note
|
501
|
+
// word size is platform-dependent, so this behavior is also difficult to rely
|
502
|
+
// on in OpenSSL and not very useful.
|
497
503
|
OPENSSL_EXPORT int BN_mask_bits(BIGNUM *a, int n);
|
498
504
|
|
499
505
|
// BN_count_low_zero_bits returns the number of low-order zero bits in |bn|, or
|
@@ -700,7 +706,7 @@ enum bn_primality_result_t {
|
|
700
706
|
// than the number-field sieve security level of |w| is used. It returns one on
|
701
707
|
// success and zero on failure. If |cb| is not NULL, then it is called during
|
702
708
|
// each iteration of the primality test.
|
703
|
-
int BN_enhanced_miller_rabin_primality_test(
|
709
|
+
OPENSSL_EXPORT int BN_enhanced_miller_rabin_primality_test(
|
704
710
|
enum bn_primality_result_t *out_result, const BIGNUM *w, int iterations,
|
705
711
|
BN_CTX *ctx, BN_GENCB *cb);
|
706
712
|
|
@@ -773,6 +779,10 @@ OPENSSL_EXPORT BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a,
|
|
773
779
|
// value) to protect it against side-channel attacks. On failure, if the failure
|
774
780
|
// was caused by |a| having no inverse mod |n| then |*out_no_inverse| will be
|
775
781
|
// set to one; otherwise it will be set to zero.
|
782
|
+
//
|
783
|
+
// Note this function may incorrectly report |a| has no inverse if the random
|
784
|
+
// blinding value has no inverse. It should only be used when |n| has few
|
785
|
+
// non-invertible elements, such as an RSA modulus.
|
776
786
|
int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,
|
777
787
|
const BN_MONT_CTX *mont, BN_CTX *ctx);
|
778
788
|
|
@@ -240,10 +240,10 @@ OPENSSL_EXPORT int CBS_get_asn1_uint64(CBS *cbs, uint64_t *out);
|
|
240
240
|
OPENSSL_EXPORT int CBS_get_asn1_bool(CBS *cbs, int *out);
|
241
241
|
|
242
242
|
// CBS_get_optional_asn1 gets an optional explicitly-tagged element from |cbs|
|
243
|
-
// tagged with |tag| and sets |*out| to its contents
|
244
|
-
// |out_present| is not NULL, it sets |*out_present| to
|
245
|
-
// returns one on success, whether or not the element
|
246
|
-
// decode failure.
|
243
|
+
// tagged with |tag| and sets |*out| to its contents, or ignores it if |out| is
|
244
|
+
// NULL. If present and if |out_present| is not NULL, it sets |*out_present| to
|
245
|
+
// one, otherwise zero. It returns one on success, whether or not the element
|
246
|
+
// was present, and zero on decode failure.
|
247
247
|
OPENSSL_EXPORT int CBS_get_optional_asn1(CBS *cbs, CBS *out, int *out_present,
|
248
248
|
unsigned tag);
|
249
249
|
|
@@ -105,10 +105,13 @@ typedef enum {
|
|
105
105
|
// curve specified by |nid|, or NULL on error.
|
106
106
|
//
|
107
107
|
// The supported NIDs are:
|
108
|
-
// NID_secp224r1,
|
109
|
-
// NID_X9_62_prime256v1,
|
110
|
-
// NID_secp384r1,
|
111
|
-
// NID_secp521r1
|
108
|
+
// NID_secp224r1 (P-224),
|
109
|
+
// NID_X9_62_prime256v1 (P-256),
|
110
|
+
// NID_secp384r1 (P-384),
|
111
|
+
// NID_secp521r1 (P-521)
|
112
|
+
//
|
113
|
+
// If in doubt, use |NID_X9_62_prime256v1|, or see the curve25519.h header for
|
114
|
+
// more modern primitives.
|
112
115
|
OPENSSL_EXPORT EC_GROUP *EC_GROUP_new_by_curve_name(int nid);
|
113
116
|
|
114
117
|
// EC_GROUP_free frees |group| and the data that it points to.
|
@@ -209,6 +212,9 @@ OPENSSL_EXPORT int EC_POINTs_make_affine(const EC_GROUP *group, size_t num,
|
|
209
212
|
// EC_POINT_get_affine_coordinates_GFp sets |x| and |y| to the affine value of
|
210
213
|
// |point| using |ctx|, if it's not NULL. It returns one on success and zero
|
211
214
|
// otherwise.
|
215
|
+
//
|
216
|
+
// Either |x| or |y| may be NULL to skip computing that coordinate. This is
|
217
|
+
// slightly faster in the common case where only the x-coordinate is needed.
|
212
218
|
OPENSSL_EXPORT int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
|
213
219
|
const EC_POINT *point,
|
214
220
|
BIGNUM *x, BIGNUM *y,
|
@@ -99,9 +99,6 @@ OPENSSL_EXPORT EC_KEY *EC_KEY_new_by_curve_name(int nid);
|
|
99
99
|
// EC_KEY_free frees all the data owned by |key| and |key| itself.
|
100
100
|
OPENSSL_EXPORT void EC_KEY_free(EC_KEY *key);
|
101
101
|
|
102
|
-
// EC_KEY_copy sets |dst| equal to |src| and returns |dst| or NULL on error.
|
103
|
-
OPENSSL_EXPORT EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src);
|
104
|
-
|
105
102
|
// EC_KEY_dup returns a fresh copy of |src| or NULL on error.
|
106
103
|
OPENSSL_EXPORT EC_KEY *EC_KEY_dup(const EC_KEY *src);
|
107
104
|
|
@@ -2954,7 +2954,7 @@ OPENSSL_EXPORT int SSL_set_dummy_pq_padding_size(SSL *ssl, size_t num_bytes);
|
|
2954
2954
|
|
2955
2955
|
// SSL_dummy_pq_padding_used returns one if the server echoed a dummy PQ padding
|
2956
2956
|
// extension and zero otherwise. It may only be called on a client connection
|
2957
|
-
// once the
|
2957
|
+
// once the ServerHello has been processed, otherwise it'll return zero.
|
2958
2958
|
OPENSSL_EXPORT int SSL_dummy_pq_padding_used(SSL *ssl);
|
2959
2959
|
|
2960
2960
|
|
@@ -3600,6 +3600,7 @@ OPENSSL_EXPORT const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
|
|
3600
3600
|
OPENSSL_EXPORT char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher);
|
3601
3601
|
|
3602
3602
|
typedef void COMP_METHOD;
|
3603
|
+
typedef struct ssl_comp_st SSL_COMP;
|
3603
3604
|
|
3604
3605
|
// SSL_COMP_get_compression_methods returns NULL.
|
3605
3606
|
OPENSSL_EXPORT STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
|
@@ -3610,6 +3611,12 @@ OPENSSL_EXPORT int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
|
|
3610
3611
|
// SSL_COMP_get_name returns NULL.
|
3611
3612
|
OPENSSL_EXPORT const char *SSL_COMP_get_name(const COMP_METHOD *comp);
|
3612
3613
|
|
3614
|
+
// SSL_COMP_get0_name returns the |name| member of |comp|.
|
3615
|
+
OPENSSL_EXPORT const char *SSL_COMP_get0_name(const SSL_COMP *comp);
|
3616
|
+
|
3617
|
+
// SSL_COMP_get_id returns the |id| member of |comp|.
|
3618
|
+
OPENSSL_EXPORT int SSL_COMP_get_id(const SSL_COMP *comp);
|
3619
|
+
|
3613
3620
|
// SSL_COMP_free_compression_methods does nothing.
|
3614
3621
|
OPENSSL_EXPORT void SSL_COMP_free_compression_methods(void);
|
3615
3622
|
|
@@ -3836,8 +3843,6 @@ OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl,
|
|
3836
3843
|
#define SSL_set_timeout(session, timeout) \
|
3837
3844
|
SSL_SESSION_set_timeout((session), (timeout))
|
3838
3845
|
|
3839
|
-
typedef struct ssl_comp_st SSL_COMP;
|
3840
|
-
|
3841
3846
|
struct ssl_comp_st {
|
3842
3847
|
int id;
|
3843
3848
|
const char *name;
|
@@ -300,7 +300,6 @@ OPENSSL_COMPILE_ASSERT(
|
|
300
300
|
#define SSL3_MT_SERVER_HELLO 2
|
301
301
|
#define SSL3_MT_NEW_SESSION_TICKET 4
|
302
302
|
#define SSL3_MT_END_OF_EARLY_DATA 5
|
303
|
-
#define SSL3_MT_HELLO_RETRY_REQUEST 6
|
304
303
|
#define SSL3_MT_ENCRYPTED_EXTENSIONS 8
|
305
304
|
#define SSL3_MT_CERTIFICATE 11
|
306
305
|
#define SSL3_MT_SERVER_KEY_EXCHANGE 12
|
@@ -1110,6 +1110,7 @@ extern "C++" {
|
|
1110
1110
|
namespace bssl {
|
1111
1111
|
|
1112
1112
|
BORINGSSL_MAKE_DELETER(NETSCAPE_SPKI, NETSCAPE_SPKI_free)
|
1113
|
+
BORINGSSL_MAKE_DELETER(RSA_PSS_PARAMS, RSA_PSS_PARAMS_free)
|
1113
1114
|
BORINGSSL_MAKE_DELETER(X509, X509_free)
|
1114
1115
|
BORINGSSL_MAKE_DELETER(X509_ALGOR, X509_ALGOR_free)
|
1115
1116
|
BORINGSSL_MAKE_DELETER(X509_CRL, X509_CRL_free)
|
@@ -748,6 +748,7 @@ extern "C++" {
|
|
748
748
|
|
749
749
|
namespace bssl {
|
750
750
|
|
751
|
+
BORINGSSL_MAKE_DELETER(AUTHORITY_INFO_ACCESS, AUTHORITY_INFO_ACCESS_free)
|
751
752
|
BORINGSSL_MAKE_DELETER(AUTHORITY_KEYID, AUTHORITY_KEYID_free)
|
752
753
|
BORINGSSL_MAKE_DELETER(BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free)
|
753
754
|
BORINGSSL_MAKE_DELETER(DIST_POINT, DIST_POINT_free)
|
@@ -339,50 +339,21 @@ int ssl_write_client_hello(SSL_HANDSHAKE *hs) {
|
|
339
339
|
return ssl->method->add_message(ssl, std::move(msg));
|
340
340
|
}
|
341
341
|
|
342
|
-
static
|
343
|
-
|
344
|
-
|
345
|
-
|
346
|
-
|
347
|
-
|
348
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
|
349
|
-
return 0;
|
350
|
-
}
|
351
|
-
|
352
|
-
CBS server_hello = msg.body;
|
353
|
-
if (!CBS_get_u16(&server_hello, out)) {
|
354
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
355
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
356
|
-
return 0;
|
357
|
-
}
|
358
|
-
|
359
|
-
// The server version may also be in the supported_versions extension if
|
360
|
-
// applicable.
|
361
|
-
if (msg.type != SSL3_MT_SERVER_HELLO || *out != TLS1_2_VERSION) {
|
362
|
-
return 1;
|
363
|
-
}
|
364
|
-
|
365
|
-
uint8_t sid_length;
|
366
|
-
if (!CBS_skip(&server_hello, SSL3_RANDOM_SIZE) ||
|
367
|
-
!CBS_get_u8(&server_hello, &sid_length) ||
|
368
|
-
!CBS_skip(&server_hello, sid_length + 2 /* cipher_suite */ +
|
369
|
-
1 /* compression_method */)) {
|
370
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
371
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
372
|
-
return 0;
|
373
|
-
}
|
374
|
-
|
375
|
-
// The extensions block may not be present.
|
376
|
-
if (CBS_len(&server_hello) == 0) {
|
377
|
-
return 1;
|
342
|
+
static bool parse_supported_versions(SSL_HANDSHAKE *hs, uint16_t *version,
|
343
|
+
const CBS *in) {
|
344
|
+
// If the outer version is not TLS 1.2, or there is no extensions block, use
|
345
|
+
// the outer version.
|
346
|
+
if (*version != TLS1_2_VERSION || CBS_len(in) == 0) {
|
347
|
+
return true;
|
378
348
|
}
|
379
349
|
|
380
|
-
|
381
|
-
|
382
|
-
|
350
|
+
SSL *const ssl = hs->ssl;
|
351
|
+
CBS copy = *in, extensions;
|
352
|
+
if (!CBS_get_u16_length_prefixed(©, &extensions) ||
|
353
|
+
CBS_len(©) != 0) {
|
383
354
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
384
355
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
385
|
-
return
|
356
|
+
return false;
|
386
357
|
}
|
387
358
|
|
388
359
|
bool have_supported_versions;
|
@@ -397,17 +368,18 @@ static int parse_server_version(SSL_HANDSHAKE *hs, uint16_t *out,
|
|
397
368
|
OPENSSL_ARRAY_SIZE(ext_types),
|
398
369
|
1 /* ignore unknown */)) {
|
399
370
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
400
|
-
return
|
371
|
+
return false;
|
401
372
|
}
|
402
373
|
|
374
|
+
// Override the outer version with the extension, if present.
|
403
375
|
if (have_supported_versions &&
|
404
|
-
(!CBS_get_u16(&supported_versions,
|
376
|
+
(!CBS_get_u16(&supported_versions, version) ||
|
405
377
|
CBS_len(&supported_versions) != 0)) {
|
406
378
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
407
|
-
return
|
379
|
+
return false;
|
408
380
|
}
|
409
381
|
|
410
|
-
return
|
382
|
+
return true;
|
411
383
|
}
|
412
384
|
|
413
385
|
static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
|
@@ -567,8 +539,26 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
567
539
|
return ssl_hs_read_server_hello;
|
568
540
|
}
|
569
541
|
|
570
|
-
|
571
|
-
|
542
|
+
if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
|
543
|
+
return ssl_hs_error;
|
544
|
+
}
|
545
|
+
|
546
|
+
CBS server_hello = msg.body, server_random, session_id;
|
547
|
+
uint16_t server_version, cipher_suite;
|
548
|
+
uint8_t compression_method;
|
549
|
+
if (!CBS_get_u16(&server_hello, &server_version) ||
|
550
|
+
!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE) ||
|
551
|
+
!CBS_get_u8_length_prefixed(&server_hello, &session_id) ||
|
552
|
+
CBS_len(&session_id) > SSL3_SESSION_ID_SIZE ||
|
553
|
+
!CBS_get_u16(&server_hello, &cipher_suite) ||
|
554
|
+
!CBS_get_u8(&server_hello, &compression_method)) {
|
555
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
556
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
557
|
+
return ssl_hs_error;
|
558
|
+
}
|
559
|
+
|
560
|
+
// Use the supported_versions extension if applicable.
|
561
|
+
if (!parse_supported_versions(hs, &server_version, &server_hello)) {
|
572
562
|
return ssl_hs_error;
|
573
563
|
}
|
574
564
|
|
@@ -609,24 +599,6 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
609
599
|
return ssl_hs_error;
|
610
600
|
}
|
611
601
|
|
612
|
-
if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
|
613
|
-
return ssl_hs_error;
|
614
|
-
}
|
615
|
-
|
616
|
-
CBS server_hello = msg.body, server_random, session_id;
|
617
|
-
uint16_t cipher_suite;
|
618
|
-
uint8_t compression_method;
|
619
|
-
if (!CBS_skip(&server_hello, 2 /* version */) ||
|
620
|
-
!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE) ||
|
621
|
-
!CBS_get_u8_length_prefixed(&server_hello, &session_id) ||
|
622
|
-
CBS_len(&session_id) > SSL3_SESSION_ID_SIZE ||
|
623
|
-
!CBS_get_u16(&server_hello, &cipher_suite) ||
|
624
|
-
!CBS_get_u8(&server_hello, &compression_method)) {
|
625
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
626
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
627
|
-
return ssl_hs_error;
|
628
|
-
}
|
629
|
-
|
630
602
|
// Copy over the server random.
|
631
603
|
OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),
|
632
604
|
SSL3_RANDOM_SIZE);
|
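Review bot: In parse_supported_versions the second failure path (a malformed supported_versions extension body, new lines 375–379) sends a decode_error alert but pushes nothing onto the error queue. The first failure path in the same function calls `OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);` before the alert, so a caller that inspects the error queue after a failed handshake would get no reason for this case. I would add `OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);` ahead of that `ssl_send_alert` call. The function spans two hunks and its middle lines are not shown, so the extension-parsing failure between them may need the same check.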