grpc 1.24.0 → 1.25.0.pre1

data/third_party/boringssl/ssl/ssl_transcript.cc

@@ -135,22 +135,14 @@
 
 #include <openssl/ssl.h>
 
-#include <assert.h>
-#include <string.h>
-
 #include <openssl/buf.h>
 #include <openssl/digest.h>
 #include <openssl/err.h>
-#include <openssl/mem.h>
-#include <openssl/md5.h>
-#include <openssl/nid.h>
-#include <openssl/sha.h>
 
-#include "../crypto/internal.h"
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 SSLTranscript::SSLTranscript() {}
 
@@ -163,7 +155,6 @@ bool SSLTranscript::Init() {
   }
 
   hash_.Reset();
-  md5_.Reset();
   return true;
 }
 
@@ -180,17 +171,6 @@ static bool InitDigestWithData(EVP_MD_CTX *ctx, const EVP_MD *md,
 
 bool SSLTranscript::InitHash(uint16_t version, const SSL_CIPHER *cipher) {
   const EVP_MD *md = ssl_get_handshake_digest(version, cipher);
-
-  // To support SSL 3.0's Finished and CertificateVerify constructions,
-  // EVP_md5_sha1() is split into MD5 and SHA-1 halves. When SSL 3.0 is removed,
-  // we can simplify this.
-  if (md == EVP_md5_sha1()) {
-    if (!InitDigestWithData(md5_.get(), EVP_md5(), buffer_.get())) {
-      return false;
-    }
-    md = EVP_sha1();
-  }
-
   return InitDigestWithData(hash_.get(), md, buffer_.get());
 }
 
@@ -203,9 +183,6 @@ size_t SSLTranscript::DigestLen() const {
 }
 
 const EVP_MD *SSLTranscript::Digest() const {
-  if (EVP_MD_CTX_md(md5_.get()) != nullptr) {
-    return EVP_md5_sha1();
-  }
   return EVP_MD_CTX_md(hash_.get());
 }
 
@@ -229,8 +206,20 @@ bool SSLTranscript::UpdateForHelloRetryRequest() {
   return true;
 }
 
-bool SSLTranscript::CopyHashContext(EVP_MD_CTX *ctx) {
-  return EVP_MD_CTX_copy_ex(ctx, hash_.get());
+bool SSLTranscript::CopyToHashContext(EVP_MD_CTX *ctx, const EVP_MD *digest) {
+  const EVP_MD *transcript_digest = Digest();
+  if (transcript_digest != nullptr &&
+      EVP_MD_type(transcript_digest) == EVP_MD_type(digest)) {
+    return EVP_MD_CTX_copy_ex(ctx, hash_.get());
+  }
+
+  if (buffer_) {
+    return EVP_DigestInit_ex(ctx, digest, nullptr) &&
+           EVP_DigestUpdate(ctx, buffer_->data, buffer_->length);
+  }
+
+  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+  return false;
 }
 
 bool SSLTranscript::Update(Span<const uint8_t> in) {
@@ -244,150 +233,40 @@ bool SSLTranscript::Update(Span<const uint8_t> in) {
   if (EVP_MD_CTX_md(hash_.get()) != NULL) {
     EVP_DigestUpdate(hash_.get(), in.data(), in.size());
   }
-  if (EVP_MD_CTX_md(md5_.get()) != NULL) {
-    EVP_DigestUpdate(md5_.get(), in.data(), in.size());
-  }
 
   return true;
 }
 
 bool SSLTranscript::GetHash(uint8_t *out, size_t *out_len) {
   ScopedEVP_MD_CTX ctx;
-  unsigned md5_len = 0;
-  if (EVP_MD_CTX_md(md5_.get()) != NULL) {
-    if (!EVP_MD_CTX_copy_ex(ctx.get(), md5_.get()) ||
-        !EVP_DigestFinal_ex(ctx.get(), out, &md5_len)) {
-      return false;
-    }
-  }
-
   unsigned len;
   if (!EVP_MD_CTX_copy_ex(ctx.get(), hash_.get()) ||
-      !EVP_DigestFinal_ex(ctx.get(), out + md5_len, &len)) {
-    return false;
-  }
-
-  *out_len = md5_len + len;
-  return true;
-}
-
-static bool SSL3HandshakeMAC(const SSL_SESSION *session,
-                             const EVP_MD_CTX *ctx_template, const char *sender,
-                             size_t sender_len, uint8_t *p, size_t *out_len) {
-  ScopedEVP_MD_CTX ctx;
-  if (!EVP_MD_CTX_copy_ex(ctx.get(), ctx_template)) {
-    OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
+      !EVP_DigestFinal_ex(ctx.get(), out, &len)) {
     return false;
   }
-
-  static const uint8_t kPad1[48] = {
-      0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-      0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-      0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-      0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-  };
-
-  static const uint8_t kPad2[48] = {
-      0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-      0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-      0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-      0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-  };
-
-  size_t n = EVP_MD_CTX_size(ctx.get());
-
-  size_t npad = (48 / n) * n;
-  EVP_DigestUpdate(ctx.get(), sender, sender_len);
-  EVP_DigestUpdate(ctx.get(), session->master_key, session->master_key_length);
-  EVP_DigestUpdate(ctx.get(), kPad1, npad);
-  unsigned md_buf_len;
-  uint8_t md_buf[EVP_MAX_MD_SIZE];
-  EVP_DigestFinal_ex(ctx.get(), md_buf, &md_buf_len);
-
-  if (!EVP_DigestInit_ex(ctx.get(), EVP_MD_CTX_md(ctx.get()), NULL)) {
-    OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
-    return false;
-  }
-  EVP_DigestUpdate(ctx.get(), session->master_key, session->master_key_length);
-  EVP_DigestUpdate(ctx.get(), kPad2, npad);
-  EVP_DigestUpdate(ctx.get(), md_buf, md_buf_len);
-  unsigned len;
-  EVP_DigestFinal_ex(ctx.get(), p, &len);
-
   *out_len = len;
   return true;
 }
 
-bool SSLTranscript::GetSSL3CertVerifyHash(uint8_t *out, size_t *out_len,
-                                          const SSL_SESSION *session,
-                                          uint16_t signature_algorithm) {
-  if (Digest() != EVP_md5_sha1()) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return false;
-  }
-
-  if (signature_algorithm == SSL_SIGN_RSA_PKCS1_MD5_SHA1) {
-    size_t md5_len, len;
-    if (!SSL3HandshakeMAC(session, md5_.get(), NULL, 0, out, &md5_len) ||
-        !SSL3HandshakeMAC(session, hash_.get(), NULL, 0, out + md5_len, &len)) {
-      return false;
-    }
-    *out_len = md5_len + len;
-    return true;
-  }
-
-  if (signature_algorithm == SSL_SIGN_ECDSA_SHA1) {
-    return SSL3HandshakeMAC(session, hash_.get(), NULL, 0, out, out_len);
-  }
-
-  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-  return false;
-}
-
 bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len,
                                    const SSL_SESSION *session,
                                    bool from_server) {
-  if (session->ssl_version == SSL3_VERSION) {
-    if (Digest() != EVP_md5_sha1()) {
-      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-      return false;
-    }
-
-    const char *sender = from_server ? SSL3_MD_SERVER_FINISHED_CONST
-                                     : SSL3_MD_CLIENT_FINISHED_CONST;
-    const size_t sender_len = 4;
-    size_t md5_len, len;
-    if (!SSL3HandshakeMAC(session, md5_.get(), sender, sender_len, out,
-                          &md5_len) ||
-        !SSL3HandshakeMAC(session, hash_.get(), sender, sender_len,
-                          out + md5_len, &len)) {
-      return false;
-    }
-
-    *out_len = md5_len + len;
-    return true;
-  }
-
-  // At this point, the handshake should have released the handshake buffer on
-  // its own.
-  assert(!buffer_);
-
   static const char kClientLabel[] = "client finished";
   static const char kServerLabel[] = "server finished";
   auto label = from_server
                    ? MakeConstSpan(kServerLabel, sizeof(kServerLabel) - 1)
                    : MakeConstSpan(kClientLabel, sizeof(kClientLabel) - 1);
 
-  uint8_t digests[EVP_MAX_MD_SIZE];
-  size_t digests_len;
-  if (!GetHash(digests, &digests_len)) {
+  uint8_t digest[EVP_MAX_MD_SIZE];
+  size_t digest_len;
+  if (!GetHash(digest, &digest_len)) {
     return false;
   }
 
   static const size_t kFinishedLen = 12;
   if (!tls1_prf(Digest(), MakeSpan(out, kFinishedLen),
                 MakeConstSpan(session->master_key, session->master_key_length),
-                label, MakeConstSpan(digests, digests_len), {})) {
+                label, MakeConstSpan(digest, digest_len), {})) {
     return false;
   }
 
@@ -395,4 +274,4 @@ bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len,
   return true;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

data/third_party/boringssl/ssl/ssl_versions.cc

@@ -23,21 +23,17 @@
 #include "../crypto/internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
   switch (version) {
-    case SSL3_VERSION:
     case TLS1_VERSION:
     case TLS1_1_VERSION:
     case TLS1_2_VERSION:
+    case TLS1_3_VERSION:
       *out = version;
       return true;
 
-    case TLS1_3_DRAFT23_VERSION:
-      *out = TLS1_3_VERSION;
-      return true;
-
     case DTLS1_VERSION:
       // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
       *out = TLS1_1_VERSION;
@@ -56,11 +52,10 @@ bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
 // decreasing preference.
 
 static const uint16_t kTLSVersions[] = {
-    TLS1_3_DRAFT23_VERSION,
+    TLS1_3_VERSION,
     TLS1_2_VERSION,
     TLS1_1_VERSION,
     TLS1_VERSION,
-    SSL3_VERSION,
 };
 
 static const uint16_t kDTLSVersions[] = {
@@ -68,24 +63,16 @@ static const uint16_t kDTLSVersions[] = {
     DTLS1_VERSION,
 };
 
-static void get_method_versions(const SSL_PROTOCOL_METHOD *method,
-                                const uint16_t **out, size_t *out_num) {
-  if (method->is_dtls) {
-    *out = kDTLSVersions;
-    *out_num = OPENSSL_ARRAY_SIZE(kDTLSVersions);
-  } else {
-    *out = kTLSVersions;
-    *out_num = OPENSSL_ARRAY_SIZE(kTLSVersions);
-  }
+static Span<const uint16_t> get_method_versions(
+    const SSL_PROTOCOL_METHOD *method) {
+  return method->is_dtls ? Span<const uint16_t>(kDTLSVersions)
+                         : Span<const uint16_t>(kTLSVersions);
 }
 
-static bool method_supports_version(const SSL_PROTOCOL_METHOD *method,
-                                    uint16_t version) {
-  const uint16_t *versions;
-  size_t num_versions;
-  get_method_versions(method, &versions, &num_versions);
-  for (size_t i = 0; i < num_versions; i++) {
-    if (versions[i] == version) {
+bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,
+                                 uint16_t version) {
+  for (uint16_t supported : get_method_versions(method)) {
+    if (supported == version) {
       return true;
     }
   }
@@ -93,13 +80,11 @@ static bool method_supports_version(const SSL_PROTOCOL_METHOD *method,
 }
 
 // The following functions map between API versions and wire versions. The
-// public API works on wire versions, except that TLS 1.3 draft versions all
-// appear as TLS 1.3. This will get collapsed back down when TLS 1.3 is
-// finalized.
+// public API works on wire versions.
 
 static const char *ssl_version_to_string(uint16_t version) {
   switch (version) {
-    case TLS1_3_DRAFT23_VERSION:
+    case TLS1_3_VERSION:
       return "TLSv1.3";
 
     case TLS1_2_VERSION:
@@ -111,9 +96,6 @@ static const char *ssl_version_to_string(uint16_t version) {
     case TLS1_VERSION:
       return "TLSv1";
 
-    case SSL3_VERSION:
-      return "SSLv3";
-
     case DTLS1_VERSION:
       return "DTLSv1";
 
@@ -126,26 +108,11 @@ static const char *ssl_version_to_string(uint16_t version) {
 }
 
 static uint16_t wire_version_to_api(uint16_t version) {
-  switch (version) {
-    // Report TLS 1.3 draft versions as TLS 1.3 in the public API.
-    case TLS1_3_DRAFT23_VERSION:
-      return TLS1_3_VERSION;
-    default:
-      return version;
-  }
+  return version;
 }
 
-// api_version_to_wire maps |version| to some representative wire version. In
-// particular, it picks an arbitrary TLS 1.3 representative. This should only be
-// used in context where that does not matter.
+// api_version_to_wire maps |version| to some representative wire version.
 static bool api_version_to_wire(uint16_t *out, uint16_t version) {
-  if (version == TLS1_3_DRAFT23_VERSION) {
-    return false;
-  }
-  if (version == TLS1_3_VERSION) {
-    version = TLS1_3_DRAFT23_VERSION;
-  }
-
   // Check it is a real protocol version.
   uint16_t unused;
   if (!ssl_protocol_version_from_wire(&unused, version)) {
@@ -159,12 +126,12 @@ static bool api_version_to_wire(uint16_t *out, uint16_t version) {
 static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
                               uint16_t version) {
   if (!api_version_to_wire(&version, version) ||
-      !method_supports_version(method, version) ||
-      !ssl_protocol_version_from_wire(out, version)) {
+      !ssl_method_supports_version(method, version)) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
     return false;
   }
 
+  *out = version;
   return true;
 }
 
@@ -172,8 +139,7 @@ static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
                             uint16_t version) {
   // Zero is interpreted as the default minimum version.
   if (version == 0) {
-    // SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS.
-    *out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION;
+    *out = method->is_dtls ? DTLS1_VERSION : TLS1_VERSION;
     return true;
   }
 
@@ -184,7 +150,7 @@ static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
                             uint16_t version) {
   // Zero is interpreted as the default maximum version.
   if (version == 0) {
-    *out = TLS1_2_VERSION;
+    *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;
     return true;
   }
 
@@ -195,27 +161,37 @@ const struct {
   uint16_t version;
   uint32_t flag;
 } kProtocolVersions[] = {
-    {SSL3_VERSION, SSL_OP_NO_SSLv3},
     {TLS1_VERSION, SSL_OP_NO_TLSv1},
     {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
     {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
     {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
 };
 
-bool ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
+bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
                            uint16_t *out_max_version) {
   // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
   // DTLS 1.0 should be mapped to TLS 1.1.
-  uint32_t options = ssl->options;
-  if (SSL_is_dtls(ssl)) {
+  uint32_t options = hs->ssl->options;
+  if (SSL_is_dtls(hs->ssl)) {
     options &= ~SSL_OP_NO_TLSv1_1;
     if (options & SSL_OP_NO_DTLSv1) {
       options |= SSL_OP_NO_TLSv1_1;
     }
   }
 
-  uint16_t min_version = ssl->conf_min_version;
-  uint16_t max_version = ssl->conf_max_version;
+  uint16_t min_version, max_version;
+  if (!ssl_protocol_version_from_wire(&min_version,
+                                      hs->config->conf_min_version) ||
+      !ssl_protocol_version_from_wire(&max_version,
+                                      hs->config->conf_max_version)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    return false;
+  }
+
+  // QUIC requires TLS 1.3.
+  if (hs->ssl->quic_method && min_version < TLS1_3_VERSION) {
+    min_version = TLS1_3_VERSION;
+  }
 
   // OpenSSL's API for controlling versions entails blacklisting individual
   // protocols. This has two problems. First, on the client, the protocol can
@@ -287,38 +263,20 @@ uint16_t ssl_protocol_version(const SSL *ssl) {
 bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
   SSL *const ssl = hs->ssl;
   uint16_t protocol_version;
-  if (!method_supports_version(ssl->method, version) ||
+  if (!ssl_method_supports_version(ssl->method, version) ||
       !ssl_protocol_version_from_wire(&protocol_version, version) ||
       hs->min_version > protocol_version ||
       protocol_version > hs->max_version) {
     return false;
   }
 
-  // This logic is part of the TLS 1.3 variants mechanism used in TLS 1.3
-  // experimentation. Although we currently only have one variant, TLS 1.3 does
-  // not a final stable deployment yet, so leave the logic in place for now.
-  if (protocol_version != TLS1_3_VERSION ||
-      (ssl->tls13_variant == tls13_default &&
-       version == TLS1_3_DRAFT23_VERSION)) {
-    return true;
-  }
-
-  // The server, when not configured at |tls13_default|, should additionally
-  // enable all variants.
-  if (ssl->server && ssl->tls13_variant != tls13_default) {
-    return true;
-  }
-
-  return false;
+  return true;
 }
 
 bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
-  const uint16_t *versions;
-  size_t num_versions;
-  get_method_versions(hs->ssl->method, &versions, &num_versions);
-  for (size_t i = 0; i < num_versions; i++) {
-    if (ssl_supports_version(hs, versions[i]) &&
-        !CBB_add_u16(cbb, versions[i])) {
+  for (uint16_t version : get_method_versions(hs->ssl->method)) {
+    if (ssl_supports_version(hs, version) &&
+        !CBB_add_u16(cbb, version)) {
       return false;
     }
   }
@@ -327,24 +285,33 @@ bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
 
 bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                            uint16_t *out_version, const CBS *peer_versions) {
-  const uint16_t *versions;
-  size_t num_versions;
-  get_method_versions(hs->ssl->method, &versions, &num_versions);
-  for (size_t i = 0; i < num_versions; i++) {
-    if (!ssl_supports_version(hs, versions[i])) {
+  for (uint16_t version : get_method_versions(hs->ssl->method)) {
+    if (!ssl_supports_version(hs, version)) {
+      continue;
+    }
+
+    // JDK 11, prior to 11.0.2, has a buggy TLS 1.3 implementation which fails
+    // to send SNI when offering 1.3 sessions. Disable TLS 1.3 for such
+    // clients. We apply this logic here rather than |ssl_supports_version| so
+    // the downgrade signal continues to query the true capabilities. (The
+    // workaround is a limitation of the peer's capabilities rather than our
+    // own.)
+    //
+    // See https://bugs.openjdk.java.net/browse/JDK-8211806.
+    if (version == TLS1_3_VERSION && hs->apply_jdk11_workaround) {
       continue;
     }
 
     CBS copy = *peer_versions;
     while (CBS_len(&copy) != 0) {
-      uint16_t version;
-      if (!CBS_get_u16(&copy, &version)) {
+      uint16_t peer_version;
+      if (!CBS_get_u16(&copy, &peer_version)) {
         OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
         *out_alert = SSL_AD_DECODE_ERROR;
         return false;
       }
 
-      if (version == versions[i]) {
+      if (peer_version == version) {
         *out_version = version;
         return true;
       }
@@ -356,7 +323,7 @@ bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
   return false;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 
@@ -368,12 +335,40 @@ int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
   return set_max_version(ctx->method, &ctx->conf_max_version, version);
 }
 
+uint16_t SSL_CTX_get_min_proto_version(const SSL_CTX *ctx) {
+  return ctx->conf_min_version;
+}
+
+uint16_t SSL_CTX_get_max_proto_version(const SSL_CTX *ctx) {
+  return ctx->conf_max_version;
+}
+
 int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
-  return set_min_version(ssl->method, &ssl->conf_min_version, version);
+  if (!ssl->config) {
+    return 0;
+  }
+  return set_min_version(ssl->method, &ssl->config->conf_min_version, version);
 }
 
 int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
-  return set_max_version(ssl->method, &ssl->conf_max_version, version);
+  if (!ssl->config) {
+    return 0;
+  }
+  return set_max_version(ssl->method, &ssl->config->conf_max_version, version);
+}
+
+uint16_t SSL_get_min_proto_version(const SSL *ssl) {
+  if (!ssl->config) {
+    return 0;
+  }
+  return ssl->config->conf_min_version;
+}
+
+uint16_t SSL_get_max_proto_version(const SSL *ssl) {
+  if (!ssl->config) {
+    return 0;
+  }
+  return ssl->config->conf_max_version;
 }
 
 int SSL_version(const SSL *ssl) {