grpc 1.24.0 → 1.25.0
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +306 -243
- data/etc/roots.pem +0 -100
- data/include/grpc/grpc_security.h +44 -18
- data/include/grpc/impl/codegen/grpc_types.h +15 -0
- data/include/grpc/impl/codegen/port_platform.h +27 -11
- data/include/grpc/impl/codegen/sync_generic.h +1 -1
- data/src/boringssl/err_data.c +695 -650
- data/src/core/ext/filters/client_channel/client_channel.cc +257 -179
- data/src/core/ext/filters/client_channel/client_channel.h +24 -0
- data/src/core/ext/filters/client_channel/client_channel_channelz.cc +2 -3
- data/src/core/ext/filters/client_channel/client_channel_factory.h +1 -5
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +18 -45
- data/src/core/ext/filters/client_channel/health/health_check_client.h +5 -13
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy.cc +2 -3
- data/src/core/ext/filters/client_channel/lb_policy.h +65 -55
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +14 -14
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +113 -36
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +14 -19
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +36 -13
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +3 -10
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.cc +814 -1589
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.h +2 -5
- data/src/core/ext/filters/client_channel/lb_policy_factory.h +3 -6
- data/src/core/ext/filters/client_channel/resolver.cc +1 -2
- data/src/core/ext/filters/client_channel/resolver.h +8 -16
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +25 -8
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +46 -12
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +10 -17
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +7 -8
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +111 -44
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +22 -14
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +29 -10
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +27 -36
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +7 -10
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +60 -16
- data/src/core/ext/filters/client_channel/resolver_factory.h +4 -8
- data/src/core/ext/filters/client_channel/resolver_registry.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver_registry.h +1 -1
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +7 -10
- data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +7 -8
- data/src/core/ext/filters/client_channel/resolving_lb_policy.h +1 -1
- data/src/core/ext/filters/client_channel/retry_throttle.cc +5 -5
- data/src/core/ext/filters/client_channel/retry_throttle.h +1 -4
- data/src/core/ext/filters/client_channel/service_config.h +8 -8
- data/src/core/ext/filters/client_channel/subchannel.cc +53 -86
- data/src/core/ext/filters/client_channel/subchannel.h +7 -9
- data/src/core/ext/filters/client_channel/subchannel_interface.h +9 -13
- data/src/core/ext/filters/client_channel/subchannel_pool_interface.h +3 -6
- data/src/core/ext/filters/client_channel/{lb_policy/xds/xds_load_balancer_api.cc → xds/xds_api.cc} +169 -52
- data/src/core/ext/filters/client_channel/xds/xds_api.h +171 -0
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.cc +450 -0
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.h +99 -0
- data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_channel.h +8 -6
- data/src/core/ext/filters/client_channel/xds/xds_channel_args.h +26 -0
- data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_channel_secure.cc +28 -11
- data/src/core/ext/filters/client_channel/xds/xds_client.cc +1413 -0
- data/src/core/ext/filters/client_channel/xds/xds_client.h +221 -0
- data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_client_stats.cc +1 -5
- data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_client_stats.h +3 -4
- data/src/core/ext/filters/deadline/deadline_filter.cc +20 -20
- data/src/core/ext/filters/http/client/http_client_filter.cc +15 -15
- data/src/core/ext/filters/http/client_authority_filter.cc +14 -14
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +12 -12
- data/src/core/ext/filters/max_age/max_age_filter.cc +59 -50
- data/src/core/ext/filters/message_size/message_size_filter.cc +18 -18
- data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +15 -14
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +233 -175
- data/src/core/ext/transport/chttp2/transport/flow_control.h +21 -24
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +253 -163
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +24 -12
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +2 -3
- data/src/core/ext/transport/chttp2/transport/internal.h +13 -15
- data/src/core/ext/transport/chttp2/transport/writing.cc +3 -0
- data/src/core/ext/transport/inproc/inproc_transport.cc +20 -13
- data/src/core/lib/channel/channel_args.cc +16 -0
- data/src/core/lib/channel/channel_args.h +22 -0
- data/src/core/lib/channel/channelz.cc +5 -6
- data/src/core/lib/channel/channelz.h +1 -1
- data/src/core/lib/channel/connected_channel.cc +20 -20
- data/src/core/lib/channel/handshaker.h +3 -4
- data/src/core/lib/channel/handshaker_factory.h +1 -3
- data/src/core/lib/debug/trace.h +3 -2
- data/src/core/lib/gprpp/arena.cc +3 -3
- data/src/core/lib/gprpp/arena.h +2 -3
- data/src/core/lib/gprpp/inlined_vector.h +9 -0
- data/src/core/lib/gprpp/map.h +3 -501
- data/src/core/lib/gprpp/memory.h +45 -41
- data/src/core/lib/gprpp/mpscq.cc +108 -0
- data/src/core/lib/gprpp/mpscq.h +98 -0
- data/src/core/lib/gprpp/orphanable.h +6 -11
- data/src/core/lib/gprpp/ref_counted.h +25 -19
- data/src/core/lib/gprpp/set.h +33 -0
- data/src/core/lib/gprpp/thd.h +2 -4
- data/src/core/lib/http/httpcli.cc +1 -1
- data/src/core/lib/http/httpcli_security_connector.cc +15 -11
- data/src/core/lib/http/parser.cc +1 -1
- data/src/core/lib/iomgr/buffer_list.cc +4 -5
- data/src/core/lib/iomgr/buffer_list.h +5 -6
- data/src/core/lib/iomgr/call_combiner.cc +4 -5
- data/src/core/lib/iomgr/call_combiner.h +2 -2
- data/src/core/lib/iomgr/cfstream_handle.h +3 -5
- data/src/core/lib/iomgr/closure.h +8 -3
- data/src/core/lib/iomgr/combiner.cc +45 -82
- data/src/core/lib/iomgr/combiner.h +32 -8
- data/src/core/lib/iomgr/endpoint_cfstream.cc +5 -3
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +19 -15
- data/src/core/lib/iomgr/ev_poll_posix.cc +3 -1
- data/src/core/lib/iomgr/exec_ctx.h +4 -3
- data/src/core/lib/iomgr/executor.cc +4 -2
- data/src/core/lib/iomgr/executor.h +3 -0
- data/src/core/lib/iomgr/executor/mpmcqueue.h +3 -6
- data/src/core/lib/iomgr/executor/threadpool.cc +1 -2
- data/src/core/lib/iomgr/executor/threadpool.h +7 -11
- data/src/core/lib/iomgr/resource_quota.cc +55 -51
- data/src/core/lib/iomgr/resource_quota.h +13 -9
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +13 -0
- data/src/core/lib/iomgr/socket_utils_posix.h +4 -0
- data/src/core/lib/iomgr/tcp_client_posix.cc +4 -11
- data/src/core/lib/iomgr/tcp_custom.cc +9 -7
- data/src/core/lib/iomgr/tcp_posix.cc +20 -16
- data/src/core/lib/iomgr/tcp_server.h +1 -4
- data/src/core/lib/iomgr/tcp_server_custom.cc +5 -5
- data/src/core/lib/iomgr/tcp_server_posix.cc +1 -1
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +2 -11
- data/src/core/lib/iomgr/timer_custom.cc +2 -2
- data/src/core/lib/iomgr/udp_server.cc +3 -2
- data/src/core/lib/iomgr/udp_server.h +6 -12
- data/src/core/lib/json/json.h +1 -1
- data/src/core/lib/json/json_string.cc +2 -2
- data/src/core/lib/profiling/basic_timers.cc +2 -2
- data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -2
- data/src/core/lib/security/credentials/alts/grpc_alts_credentials_server_options.cc +1 -1
- data/src/core/lib/security/credentials/credentials.h +4 -20
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +4 -4
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -3
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +64 -0
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +4 -4
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +9 -7
- data/src/core/lib/security/security_connector/load_system_roots_linux.cc +2 -0
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +4 -4
- data/src/core/lib/security/security_connector/security_connector.cc +1 -0
- data/src/core/lib/security/security_connector/security_connector.h +19 -17
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +8 -5
- data/src/core/lib/security/security_connector/ssl_utils.cc +2 -2
- data/src/core/lib/security/security_connector/ssl_utils.h +1 -1
- data/src/core/lib/security/security_connector/tls/spiffe_security_connector.cc +14 -6
- data/src/core/lib/security/security_connector/tls/spiffe_security_connector.h +4 -2
- data/src/core/lib/security/transport/client_auth_filter.cc +17 -17
- data/src/core/lib/security/transport/security_handshaker.cc +29 -13
- data/src/core/lib/security/transport/security_handshaker.h +4 -2
- data/src/core/lib/security/transport/server_auth_filter.cc +14 -14
- data/src/core/lib/slice/slice.cc +2 -10
- data/src/core/lib/slice/slice_hash_table.h +4 -6
- data/src/core/lib/slice/slice_intern.cc +42 -39
- data/src/core/lib/slice/slice_internal.h +3 -3
- data/src/core/lib/slice/slice_utils.h +21 -4
- data/src/core/lib/slice/slice_weak_hash_table.h +4 -6
- data/src/core/lib/surface/call.cc +3 -3
- data/src/core/lib/surface/channel.cc +7 -0
- data/src/core/lib/surface/completion_queue.cc +12 -11
- data/src/core/lib/surface/completion_queue.h +4 -2
- data/src/core/lib/surface/init.cc +1 -0
- data/src/core/lib/surface/lame_client.cc +33 -18
- data/src/core/lib/surface/server.cc +77 -76
- data/src/core/lib/surface/version.cc +1 -1
- data/src/core/lib/transport/byte_stream.h +3 -7
- data/src/core/lib/transport/connectivity_state.cc +112 -98
- data/src/core/lib/transport/connectivity_state.h +100 -50
- data/src/core/lib/transport/static_metadata.cc +276 -288
- data/src/core/lib/transport/static_metadata.h +73 -76
- data/src/core/lib/transport/status_conversion.cc +1 -1
- data/src/core/lib/transport/status_metadata.cc +1 -1
- data/src/core/lib/transport/transport.cc +2 -2
- data/src/core/lib/transport/transport.h +12 -4
- data/src/core/lib/transport/transport_op_string.cc +14 -11
- data/src/core/tsi/alts/frame_protector/alts_unseal_privacy_integrity_crypter.cc +1 -1
- data/src/core/tsi/alts/handshaker/alts_shared_resource.cc +1 -1
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +5 -5
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +12 -2
- data/src/core/tsi/fake_transport_security.cc +7 -5
- data/src/core/tsi/grpc_shadow_boringssl.h +2918 -2627
- data/src/core/tsi/local_transport_security.cc +8 -6
- data/src/core/tsi/ssl/session_cache/ssl_session.h +1 -3
- data/src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc +1 -2
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +7 -5
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +4 -6
- data/src/core/tsi/ssl/session_cache/ssl_session_openssl.cc +1 -2
- data/src/core/tsi/ssl_transport_security.cc +12 -12
- data/src/core/tsi/ssl_transport_security.h +2 -2
- data/src/core/tsi/transport_security_grpc.cc +7 -0
- data/src/core/tsi/transport_security_grpc.h +6 -0
- data/src/ruby/ext/grpc/extconf.rb +1 -0
- data/src/ruby/ext/grpc/rb_call.c +1 -1
- data/src/ruby/ext/grpc/rb_channel.c +1 -1
- data/src/ruby/lib/grpc/generic/bidi_call.rb +1 -1
- data/src/ruby/lib/grpc/generic/rpc_server.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/spec/google_rpc_status_utils_spec.rb +2 -2
- data/third_party/boringssl/crypto/asn1/a_bool.c +18 -5
- data/third_party/boringssl/crypto/asn1/a_d2i_fp.c +17 -221
- data/third_party/boringssl/crypto/asn1/a_dup.c +0 -24
- data/third_party/boringssl/crypto/asn1/a_enum.c +2 -2
- data/third_party/boringssl/crypto/asn1/a_i2d_fp.c +10 -72
- data/third_party/boringssl/crypto/asn1/a_int.c +12 -71
- data/third_party/boringssl/crypto/asn1/a_mbstr.c +110 -216
- data/third_party/boringssl/crypto/asn1/a_object.c +16 -5
- data/third_party/boringssl/crypto/asn1/a_strnid.c +1 -0
- data/third_party/boringssl/crypto/asn1/asn1_lib.c +5 -1
- data/third_party/boringssl/crypto/asn1/tasn_enc.c +3 -1
- data/third_party/boringssl/crypto/base64/base64.c +2 -2
- data/third_party/boringssl/crypto/bio/bio.c +73 -9
- data/third_party/boringssl/crypto/bio/connect.c +4 -0
- data/third_party/boringssl/crypto/bio/fd.c +4 -0
- data/third_party/boringssl/crypto/bio/file.c +5 -2
- data/third_party/boringssl/crypto/bio/socket.c +4 -0
- data/third_party/boringssl/crypto/bio/socket_helper.c +4 -0
- data/third_party/boringssl/crypto/bn_extra/convert.c +11 -7
- data/third_party/boringssl/crypto/bytestring/ber.c +8 -4
- data/third_party/boringssl/crypto/bytestring/cbb.c +19 -7
- data/third_party/boringssl/crypto/bytestring/cbs.c +28 -15
- data/third_party/boringssl/crypto/bytestring/internal.h +28 -7
- data/third_party/boringssl/crypto/bytestring/unicode.c +155 -0
- data/third_party/boringssl/crypto/chacha/chacha.c +36 -19
- data/third_party/boringssl/crypto/chacha/internal.h +45 -0
- data/third_party/boringssl/crypto/cipher_extra/cipher_extra.c +29 -0
- data/third_party/boringssl/crypto/cipher_extra/e_aesccm.c +269 -25
- data/third_party/boringssl/crypto/cipher_extra/e_aesctrhmac.c +16 -14
- data/third_party/boringssl/crypto/cipher_extra/e_aesgcmsiv.c +54 -38
- data/third_party/boringssl/crypto/cipher_extra/e_chacha20poly1305.c +133 -41
- data/third_party/boringssl/crypto/cipher_extra/e_tls.c +23 -15
- data/third_party/boringssl/crypto/cipher_extra/tls_cbc.c +24 -15
- data/third_party/boringssl/crypto/cmac/cmac.c +62 -25
- data/third_party/boringssl/crypto/conf/conf.c +7 -0
- data/third_party/boringssl/crypto/cpu-arm-linux.c +4 -148
- data/third_party/boringssl/crypto/cpu-arm-linux.h +201 -0
- data/third_party/boringssl/crypto/cpu-intel.c +45 -51
- data/third_party/boringssl/crypto/crypto.c +39 -22
- data/third_party/boringssl/crypto/curve25519/spake25519.c +1 -1
- data/third_party/boringssl/crypto/dsa/dsa.c +77 -53
- data/third_party/boringssl/crypto/ec_extra/ec_asn1.c +20 -8
- data/third_party/boringssl/crypto/ec_extra/ec_derive.c +96 -0
- data/third_party/boringssl/crypto/{ecdh/ecdh.c → ecdh_extra/ecdh_extra.c} +20 -58
- data/third_party/boringssl/crypto/ecdsa_extra/ecdsa_asn1.c +1 -9
- data/third_party/boringssl/crypto/engine/engine.c +2 -1
- data/third_party/boringssl/crypto/err/err.c +2 -0
- data/third_party/boringssl/crypto/err/internal.h +2 -2
- data/third_party/boringssl/crypto/evp/evp.c +89 -8
- data/third_party/boringssl/crypto/evp/evp_asn1.c +56 -5
- data/third_party/boringssl/crypto/evp/evp_ctx.c +52 -14
- data/third_party/boringssl/crypto/evp/internal.h +18 -1
- data/third_party/boringssl/crypto/evp/p_dsa_asn1.c +5 -0
- data/third_party/boringssl/crypto/evp/p_ec.c +51 -3
- data/third_party/boringssl/crypto/evp/p_ec_asn1.c +6 -7
- data/third_party/boringssl/crypto/evp/p_ed25519.c +36 -3
- data/third_party/boringssl/crypto/evp/p_ed25519_asn1.c +76 -45
- data/third_party/boringssl/crypto/evp/p_rsa.c +3 -1
- data/third_party/boringssl/crypto/evp/p_rsa_asn1.c +5 -0
- data/third_party/boringssl/crypto/evp/p_x25519.c +110 -0
- data/third_party/boringssl/crypto/evp/p_x25519_asn1.c +249 -0
- data/third_party/boringssl/crypto/evp/scrypt.c +6 -2
- data/third_party/boringssl/crypto/fipsmodule/aes/aes.c +34 -274
- data/third_party/boringssl/crypto/fipsmodule/aes/internal.h +161 -21
- data/third_party/boringssl/crypto/fipsmodule/aes/key_wrap.c +111 -13
- data/third_party/boringssl/crypto/fipsmodule/aes/mode_wrappers.c +17 -21
- data/third_party/boringssl/crypto/fipsmodule/bcm.c +119 -7
- data/third_party/boringssl/crypto/fipsmodule/bn/bn.c +19 -2
- data/third_party/boringssl/crypto/fipsmodule/bn/cmp.c +2 -2
- data/third_party/boringssl/crypto/fipsmodule/bn/ctx.c +93 -160
- data/third_party/boringssl/crypto/fipsmodule/bn/div.c +48 -57
- data/third_party/boringssl/crypto/fipsmodule/bn/div_extra.c +87 -0
- data/third_party/boringssl/crypto/fipsmodule/bn/exponentiation.c +143 -211
- data/third_party/boringssl/crypto/fipsmodule/bn/gcd.c +0 -305
- data/third_party/boringssl/crypto/fipsmodule/bn/gcd_extra.c +325 -0
- data/third_party/boringssl/crypto/fipsmodule/bn/internal.h +168 -50
- data/third_party/boringssl/crypto/fipsmodule/bn/montgomery.c +68 -92
- data/third_party/boringssl/crypto/fipsmodule/bn/montgomery_inv.c +7 -6
- data/third_party/boringssl/crypto/fipsmodule/bn/mul.c +11 -14
- data/third_party/boringssl/crypto/fipsmodule/bn/prime.c +358 -443
- data/third_party/boringssl/crypto/fipsmodule/bn/random.c +25 -35
- data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.c +20 -25
- data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.h +76 -5
- data/third_party/boringssl/crypto/fipsmodule/bn/shift.c +14 -14
- data/third_party/boringssl/crypto/fipsmodule/cipher/cipher.c +7 -2
- data/third_party/boringssl/crypto/fipsmodule/cipher/e_aes.c +383 -516
- data/third_party/boringssl/crypto/fipsmodule/cipher/e_des.c +4 -0
- data/third_party/boringssl/crypto/fipsmodule/cipher/internal.h +3 -4
- data/third_party/boringssl/crypto/fipsmodule/delocate.h +3 -2
- data/third_party/boringssl/crypto/fipsmodule/digest/digest.c +32 -17
- data/third_party/boringssl/crypto/fipsmodule/digest/md32_common.h +3 -3
- data/third_party/boringssl/crypto/fipsmodule/ec/ec.c +228 -122
- data/third_party/boringssl/crypto/fipsmodule/ec/ec_key.c +34 -8
- data/third_party/boringssl/crypto/fipsmodule/ec/ec_montgomery.c +311 -98
- data/third_party/boringssl/crypto/fipsmodule/ec/felem.c +82 -0
- data/third_party/boringssl/crypto/fipsmodule/ec/internal.h +263 -97
- data/third_party/boringssl/crypto/fipsmodule/ec/oct.c +22 -59
- data/third_party/boringssl/crypto/fipsmodule/ec/p224-64.c +317 -234
- data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64-table.h +9473 -9475
- data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.c +313 -109
- data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.h +36 -0
- data/third_party/boringssl/crypto/fipsmodule/ec/scalar.c +96 -0
- data/third_party/boringssl/crypto/fipsmodule/ec/simple.c +126 -792
- data/third_party/boringssl/crypto/fipsmodule/ec/simple_mul.c +84 -0
- data/third_party/boringssl/crypto/fipsmodule/ec/util.c +163 -12
- data/third_party/boringssl/crypto/fipsmodule/ec/wnaf.c +84 -211
- data/third_party/boringssl/crypto/fipsmodule/ecdh/ecdh.c +122 -0
- data/third_party/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c +60 -205
- data/third_party/boringssl/crypto/fipsmodule/fips_shared_support.c +32 -0
- data/third_party/boringssl/crypto/fipsmodule/is_fips.c +2 -0
- data/third_party/boringssl/crypto/fipsmodule/md4/md4.c +3 -1
- data/third_party/boringssl/crypto/fipsmodule/md5/internal.h +37 -0
- data/third_party/boringssl/crypto/fipsmodule/md5/md5.c +11 -8
- data/third_party/boringssl/crypto/fipsmodule/modes/cbc.c +35 -79
- data/third_party/boringssl/crypto/fipsmodule/modes/cfb.c +7 -39
- data/third_party/boringssl/crypto/fipsmodule/modes/ctr.c +7 -27
- data/third_party/boringssl/crypto/fipsmodule/modes/gcm.c +123 -309
- data/third_party/boringssl/crypto/fipsmodule/modes/internal.h +189 -126
- data/third_party/boringssl/crypto/fipsmodule/modes/ofb.c +3 -2
- data/third_party/boringssl/crypto/fipsmodule/rand/ctrdrbg.c +2 -2
- data/third_party/boringssl/crypto/fipsmodule/rand/internal.h +35 -0
- data/third_party/boringssl/crypto/fipsmodule/rand/rand.c +24 -19
- data/third_party/boringssl/crypto/fipsmodule/rand/urandom.c +256 -77
- data/third_party/boringssl/crypto/fipsmodule/rsa/padding.c +10 -7
- data/third_party/boringssl/crypto/fipsmodule/rsa/rsa.c +5 -1
- data/third_party/boringssl/crypto/fipsmodule/rsa/rsa_impl.c +131 -14
- data/third_party/boringssl/crypto/fipsmodule/self_check/self_check.c +83 -10
- data/third_party/boringssl/crypto/fipsmodule/sha/internal.h +53 -0
- data/third_party/boringssl/crypto/fipsmodule/sha/sha1.c +9 -13
- data/third_party/boringssl/crypto/fipsmodule/sha/sha256.c +18 -12
- data/third_party/boringssl/crypto/fipsmodule/sha/sha512.c +95 -168
- data/third_party/boringssl/crypto/hrss/hrss.c +2201 -0
- data/third_party/boringssl/crypto/hrss/internal.h +62 -0
- data/third_party/boringssl/crypto/internal.h +95 -20
- data/third_party/boringssl/crypto/lhash/lhash.c +45 -33
- data/third_party/boringssl/crypto/mem.c +39 -2
- data/third_party/boringssl/crypto/obj/obj.c +4 -4
- data/third_party/boringssl/crypto/obj/obj_dat.h +6181 -875
- data/third_party/boringssl/crypto/pem/pem_all.c +2 -3
- data/third_party/boringssl/crypto/pem/pem_info.c +144 -162
- data/third_party/boringssl/crypto/pem/pem_lib.c +53 -52
- data/third_party/boringssl/crypto/pem/pem_pkey.c +13 -21
- data/third_party/boringssl/crypto/pkcs7/pkcs7.c +15 -22
- data/third_party/boringssl/crypto/pkcs7/pkcs7_x509.c +168 -16
- data/third_party/boringssl/crypto/pkcs8/internal.h +11 -0
- data/third_party/boringssl/crypto/pkcs8/p5_pbev2.c +24 -15
- data/third_party/boringssl/crypto/pkcs8/pkcs8.c +42 -25
- data/third_party/boringssl/crypto/pkcs8/pkcs8_x509.c +559 -43
- data/third_party/boringssl/crypto/pool/internal.h +1 -1
- data/third_party/boringssl/crypto/pool/pool.c +21 -0
- data/third_party/boringssl/crypto/rand_extra/deterministic.c +8 -0
- data/third_party/boringssl/crypto/rand_extra/fuchsia.c +1 -14
- data/third_party/boringssl/crypto/refcount_lock.c +2 -2
- data/third_party/boringssl/crypto/rsa_extra/rsa_print.c +22 -0
- data/third_party/boringssl/crypto/siphash/siphash.c +80 -0
- data/third_party/boringssl/crypto/stack/stack.c +83 -32
- data/third_party/boringssl/crypto/thread_none.c +2 -2
- data/third_party/boringssl/crypto/thread_pthread.c +2 -2
- data/third_party/boringssl/crypto/thread_win.c +38 -19
- data/third_party/boringssl/crypto/x509/a_strex.c +22 -2
- data/third_party/boringssl/crypto/x509/asn1_gen.c +2 -1
- data/third_party/boringssl/crypto/x509/by_dir.c +7 -0
- data/third_party/boringssl/crypto/x509/by_file.c +12 -10
- data/third_party/boringssl/crypto/x509/t_crl.c +5 -8
- data/third_party/boringssl/crypto/x509/t_req.c +1 -3
- data/third_party/boringssl/crypto/x509/t_x509.c +5 -8
- data/third_party/boringssl/crypto/x509/x509_cmp.c +1 -1
- data/third_party/boringssl/crypto/x509/x509_def.c +1 -1
- data/third_party/boringssl/crypto/x509/x509_lu.c +114 -5
- data/third_party/boringssl/crypto/x509/x509_req.c +20 -0
- data/third_party/boringssl/crypto/x509/x509_set.c +5 -0
- data/third_party/boringssl/crypto/x509/x509_trs.c +1 -0
- data/third_party/boringssl/crypto/x509/x509_txt.c +4 -5
- data/third_party/boringssl/crypto/x509/x509_vfy.c +145 -138
- data/third_party/boringssl/crypto/x509/x509_vpm.c +2 -0
- data/third_party/boringssl/crypto/x509/x509cset.c +40 -0
- data/third_party/boringssl/crypto/x509/x509name.c +2 -3
- data/third_party/boringssl/crypto/x509/x_all.c +109 -210
- data/third_party/boringssl/crypto/x509/x_x509.c +6 -0
- data/third_party/boringssl/crypto/x509v3/ext_dat.h +1 -3
- data/third_party/boringssl/crypto/x509v3/internal.h +56 -0
- data/third_party/boringssl/crypto/x509v3/pcy_cache.c +2 -0
- data/third_party/boringssl/crypto/x509v3/pcy_node.c +1 -0
- data/third_party/boringssl/crypto/x509v3/pcy_tree.c +4 -2
- data/third_party/boringssl/crypto/x509v3/v3_akey.c +5 -2
- data/third_party/boringssl/crypto/x509v3/v3_alt.c +19 -13
- data/third_party/boringssl/crypto/x509v3/v3_conf.c +2 -1
- data/third_party/boringssl/crypto/x509v3/v3_cpols.c +3 -2
- data/third_party/boringssl/crypto/x509v3/v3_genn.c +1 -6
- data/third_party/boringssl/crypto/x509v3/v3_lib.c +1 -0
- data/third_party/boringssl/crypto/x509v3/v3_ocsp.c +68 -0
- data/third_party/boringssl/crypto/x509v3/v3_pci.c +2 -1
- data/third_party/boringssl/crypto/x509v3/v3_purp.c +47 -69
- data/third_party/boringssl/crypto/x509v3/v3_skey.c +5 -2
- data/third_party/boringssl/crypto/x509v3/v3_utl.c +69 -25
- data/third_party/boringssl/include/openssl/aead.h +45 -19
- data/third_party/boringssl/include/openssl/aes.h +32 -7
- data/third_party/boringssl/include/openssl/asn1.h +7 -77
- data/third_party/boringssl/include/openssl/base.h +120 -6
- data/third_party/boringssl/include/openssl/base64.h +4 -1
- data/third_party/boringssl/include/openssl/bio.h +112 -81
- data/third_party/boringssl/include/openssl/blowfish.h +3 -3
- data/third_party/boringssl/include/openssl/bn.h +55 -29
- data/third_party/boringssl/include/openssl/buf.h +2 -2
- data/third_party/boringssl/include/openssl/bytestring.h +54 -32
- data/third_party/boringssl/include/openssl/cast.h +2 -2
- data/third_party/boringssl/include/openssl/cipher.h +46 -16
- data/third_party/boringssl/include/openssl/cmac.h +6 -2
- data/third_party/boringssl/include/openssl/conf.h +3 -6
- data/third_party/boringssl/include/openssl/cpu.h +25 -9
- data/third_party/boringssl/include/openssl/crypto.h +32 -10
- data/third_party/boringssl/include/openssl/curve25519.h +4 -4
- data/third_party/boringssl/include/openssl/dh.h +3 -2
- data/third_party/boringssl/include/openssl/digest.h +21 -7
- data/third_party/boringssl/include/openssl/dsa.h +8 -2
- data/third_party/boringssl/include/openssl/e_os2.h +18 -0
- data/third_party/boringssl/include/openssl/ec.h +25 -21
- data/third_party/boringssl/include/openssl/ec_key.h +36 -8
- data/third_party/boringssl/include/openssl/ecdh.h +17 -0
- data/third_party/boringssl/include/openssl/ecdsa.h +3 -3
- data/third_party/boringssl/include/openssl/engine.h +4 -4
- data/third_party/boringssl/include/openssl/err.h +3 -0
- data/third_party/boringssl/include/openssl/evp.h +199 -42
- data/third_party/boringssl/include/openssl/hmac.h +4 -4
- data/third_party/boringssl/include/openssl/hrss.h +100 -0
- data/third_party/boringssl/include/openssl/lhash.h +131 -23
- data/third_party/boringssl/include/openssl/md4.h +6 -4
- data/third_party/boringssl/include/openssl/md5.h +6 -4
- data/third_party/boringssl/include/openssl/mem.h +6 -2
- data/third_party/boringssl/include/openssl/nid.h +3 -0
- data/third_party/boringssl/include/openssl/obj.h +3 -0
- data/third_party/boringssl/include/openssl/pem.h +102 -64
- data/third_party/boringssl/include/openssl/pkcs7.h +136 -3
- data/third_party/boringssl/include/openssl/pkcs8.h +42 -3
- data/third_party/boringssl/include/openssl/pool.h +13 -2
- data/third_party/boringssl/include/openssl/ripemd.h +5 -4
- data/third_party/boringssl/include/openssl/rsa.h +46 -15
- data/third_party/boringssl/include/openssl/sha.h +40 -28
- data/third_party/boringssl/include/openssl/siphash.h +37 -0
- data/third_party/boringssl/include/openssl/span.h +17 -9
- data/third_party/boringssl/include/openssl/ssl.h +766 -393
- data/third_party/boringssl/include/openssl/ssl3.h +4 -3
- data/third_party/boringssl/include/openssl/stack.h +134 -77
- data/third_party/boringssl/include/openssl/thread.h +1 -1
- data/third_party/boringssl/include/openssl/tls1.h +25 -9
- data/third_party/boringssl/include/openssl/type_check.h +14 -15
- data/third_party/boringssl/include/openssl/x509.h +28 -3
- data/third_party/boringssl/include/openssl/x509_vfy.h +98 -32
- data/third_party/boringssl/include/openssl/x509v3.h +17 -13
- data/third_party/boringssl/ssl/d1_both.cc +9 -18
- data/third_party/boringssl/ssl/d1_lib.cc +4 -3
- data/third_party/boringssl/ssl/d1_pkt.cc +4 -4
- data/third_party/boringssl/ssl/d1_srtp.cc +15 -15
- data/third_party/boringssl/ssl/dtls_method.cc +0 -1
- data/third_party/boringssl/ssl/dtls_record.cc +28 -28
- data/third_party/boringssl/ssl/handoff.cc +295 -91
- data/third_party/boringssl/ssl/handshake.cc +133 -72
- data/third_party/boringssl/ssl/handshake_client.cc +218 -189
- data/third_party/boringssl/ssl/handshake_server.cc +399 -272
- data/third_party/boringssl/ssl/internal.h +1413 -928
- data/third_party/boringssl/ssl/s3_both.cc +175 -36
- data/third_party/boringssl/ssl/s3_lib.cc +9 -13
- data/third_party/boringssl/ssl/s3_pkt.cc +63 -29
- data/third_party/boringssl/ssl/ssl_aead_ctx.cc +55 -35
- data/third_party/boringssl/ssl/ssl_asn1.cc +57 -73
- data/third_party/boringssl/ssl/ssl_buffer.cc +13 -12
- data/third_party/boringssl/ssl/ssl_cert.cc +313 -210
- data/third_party/boringssl/ssl/ssl_cipher.cc +159 -221
- data/third_party/boringssl/ssl/ssl_file.cc +2 -0
- data/third_party/boringssl/ssl/ssl_key_share.cc +164 -19
- data/third_party/boringssl/ssl/ssl_lib.cc +847 -555
- data/third_party/boringssl/ssl/ssl_privkey.cc +441 -111
- data/third_party/boringssl/ssl/ssl_session.cc +230 -178
- data/third_party/boringssl/ssl/ssl_transcript.cc +21 -142
- data/third_party/boringssl/ssl/ssl_versions.cc +88 -93
- data/third_party/boringssl/ssl/ssl_x509.cc +279 -218
- data/third_party/boringssl/ssl/t1_enc.cc +5 -96
- data/third_party/boringssl/ssl/t1_lib.cc +931 -678
- data/third_party/boringssl/ssl/tls13_both.cc +251 -121
- data/third_party/boringssl/ssl/tls13_client.cc +129 -73
- data/third_party/boringssl/ssl/tls13_enc.cc +350 -282
- data/third_party/boringssl/ssl/tls13_server.cc +259 -192
- data/third_party/boringssl/ssl/tls_method.cc +26 -21
- data/third_party/boringssl/ssl/tls_record.cc +42 -47
- data/third_party/boringssl/third_party/fiat/curve25519.c +261 -1324
- data/third_party/boringssl/third_party/fiat/curve25519_32.h +911 -0
- data/third_party/boringssl/third_party/fiat/curve25519_64.h +559 -0
- data/third_party/boringssl/third_party/fiat/p256.c +238 -999
- data/third_party/boringssl/third_party/fiat/p256_32.h +3226 -0
- data/third_party/boringssl/third_party/fiat/p256_64.h +1217 -0
- data/third_party/upb/upb/port_def.inc +1 -1
- data/third_party/upb/upb/table.c +2 -1
- metadata +72 -44
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_load_balancer_api.h +0 -127
- data/src/core/lib/gpr/mpscq.cc +0 -117
- data/src/core/lib/gpr/mpscq.h +0 -88
- data/src/core/lib/gprpp/abstract.h +0 -47
- data/src/core/lib/gprpp/pair.h +0 -38
- data/third_party/boringssl/crypto/cipher_extra/e_ssl3.c +0 -460
- data/third_party/boringssl/crypto/fipsmodule/modes/ccm.c +0 -256
- data/third_party/boringssl/include/openssl/lhash_macros.h +0 -174
- data/third_party/boringssl/ssl/custom_extensions.cc +0 -265
@@ -12,18 +12,13 @@
|
|
12
12
|
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
13
13
|
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
14
14
|
|
15
|
-
// Per C99, various stdint.h macros are unavailable in C++ unless some macros
|
16
|
-
// are defined. C++11 overruled this decision, but older Android NDKs still
|
17
|
-
// require it.
|
18
|
-
#if !defined(__STDC_LIMIT_MACROS)
|
19
|
-
#define __STDC_LIMIT_MACROS
|
20
|
-
#endif
|
21
|
-
|
22
15
|
#include <openssl/ssl.h>
|
23
16
|
|
24
17
|
#include <assert.h>
|
25
18
|
#include <string.h>
|
26
19
|
|
20
|
+
#include <tuple>
|
21
|
+
|
27
22
|
#include <openssl/aead.h>
|
28
23
|
#include <openssl/bytestring.h>
|
29
24
|
#include <openssl/digest.h>
|
@@ -36,7 +31,7 @@
|
|
36
31
|
#include "internal.h"
|
37
32
|
|
38
33
|
|
39
|
-
|
34
|
+
BSSL_NAMESPACE_BEGIN
|
40
35
|
|
41
36
|
enum server_hs_state_t {
|
42
37
|
state_select_parameters = 0,
|
@@ -58,6 +53,12 @@ enum server_hs_state_t {
|
|
58
53
|
|
59
54
|
static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
|
60
55
|
|
56
|
+
// Allow a minute of ticket age skew in either direction. This covers
|
57
|
+
// transmission delays in ClientHello and NewSessionTicket, as well as
|
58
|
+
// drift between client and server clock rate since the ticket was issued.
|
59
|
+
// See RFC 8446, section 8.3.
|
60
|
+
static const int32_t kMaxTicketAgeSkewSeconds = 60;
|
61
|
+
|
61
62
|
static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, bool *out_need_retry,
|
62
63
|
SSL_CLIENT_HELLO *client_hello) {
|
63
64
|
SSL *const ssl = hs->ssl;
|
@@ -86,7 +87,7 @@ static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, bool *out_need_retry,
|
|
86
87
|
return 0;
|
87
88
|
}
|
88
89
|
|
89
|
-
return tls13_advance_key_schedule(hs, dhe_secret
|
90
|
+
return tls13_advance_key_schedule(hs, dhe_secret);
|
90
91
|
}
|
91
92
|
|
92
93
|
static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs,
|
@@ -103,53 +104,28 @@ static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs,
|
|
103
104
|
}
|
104
105
|
|
105
106
|
static const SSL_CIPHER *choose_tls13_cipher(
|
106
|
-
const SSL *ssl, const SSL_CLIENT_HELLO *client_hello) {
|
107
|
-
if (client_hello->cipher_suites_len % 2 != 0) {
|
108
|
-
return NULL;
|
109
|
-
}
|
110
|
-
|
107
|
+
const SSL *ssl, const SSL_CLIENT_HELLO *client_hello, uint16_t group_id) {
|
111
108
|
CBS cipher_suites;
|
112
109
|
CBS_init(&cipher_suites, client_hello->cipher_suites,
|
113
110
|
client_hello->cipher_suites_len);
|
114
111
|
|
115
|
-
const int aes_is_fine = EVP_has_aes_hardware();
|
116
112
|
const uint16_t version = ssl_protocol_version(ssl);
|
117
113
|
|
118
|
-
|
119
|
-
while (CBS_len(&cipher_suites) > 0) {
|
120
|
-
uint16_t cipher_suite;
|
121
|
-
if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
|
122
|
-
return NULL;
|
123
|
-
}
|
124
|
-
|
125
|
-
// Limit to TLS 1.3 ciphers we know about.
|
126
|
-
const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);
|
127
|
-
if (candidate == NULL ||
|
128
|
-
SSL_CIPHER_get_min_version(candidate) > version ||
|
129
|
-
SSL_CIPHER_get_max_version(candidate) < version) {
|
130
|
-
continue;
|
131
|
-
}
|
132
|
-
|
133
|
-
// TLS 1.3 removes legacy ciphers, so honor the client order, but prefer
|
134
|
-
// ChaCha20 if we do not have AES hardware.
|
135
|
-
if (aes_is_fine) {
|
136
|
-
return candidate;
|
137
|
-
}
|
138
|
-
|
139
|
-
if (candidate->algorithm_enc == SSL_CHACHA20POLY1305) {
|
140
|
-
return candidate;
|
141
|
-
}
|
142
|
-
|
143
|
-
if (best == NULL) {
|
144
|
-
best = candidate;
|
145
|
-
}
|
146
|
-
}
|
147
|
-
|
148
|
-
return best;
|
114
|
+
return ssl_choose_tls13_cipher(cipher_suites, version, group_id);
|
149
115
|
}
|
150
116
|
|
151
|
-
static
|
117
|
+
static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {
|
152
118
|
SSL *const ssl = hs->ssl;
|
119
|
+
if (// If the client doesn't accept resumption with PSK_DHE_KE, don't send a
|
120
|
+
// session ticket.
|
121
|
+
!hs->accept_psk_mode ||
|
122
|
+
// We only implement stateless resumption in TLS 1.3, so skip sending
|
123
|
+
// tickets if disabled.
|
124
|
+
(SSL_get_options(ssl) & SSL_OP_NO_TICKET)) {
|
125
|
+
*out_sent_tickets = false;
|
126
|
+
return true;
|
127
|
+
}
|
128
|
+
|
153
129
|
// TLS 1.3 recommends single-use tickets, so issue multiple tickets in case
|
154
130
|
// the client makes several connections before getting a renewal.
|
155
131
|
static const int kNumTickets = 2;
|
@@ -162,15 +138,18 @@ static int add_new_session_tickets(SSL_HANDSHAKE *hs) {
|
|
162
138
|
UniquePtr<SSL_SESSION> session(
|
163
139
|
SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_INCLUDE_NONAUTH));
|
164
140
|
if (!session) {
|
165
|
-
return
|
141
|
+
return false;
|
166
142
|
}
|
167
143
|
|
168
144
|
if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {
|
169
|
-
return
|
145
|
+
return false;
|
170
146
|
}
|
171
|
-
session->ticket_age_add_valid =
|
172
|
-
if (ssl->
|
173
|
-
|
147
|
+
session->ticket_age_add_valid = true;
|
148
|
+
if (ssl->enable_early_data) {
|
149
|
+
// QUIC does not use the max_early_data_size parameter and always sets it
|
150
|
+
// to a fixed value. See draft-ietf-quic-tls-22, section 4.5.
|
151
|
+
session->ticket_max_early_data =
|
152
|
+
ssl->quic_method != nullptr ? 0xffffffff : kMaxEarlyDataAccepted;
|
174
153
|
}
|
175
154
|
|
176
155
|
static_assert(kNumTickets < 256, "Too many tickets");
|
@@ -186,18 +165,18 @@ static int add_new_session_tickets(SSL_HANDSHAKE *hs) {
|
|
186
165
|
!CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) ||
|
187
166
|
!CBB_add_u16_length_prefixed(&body, &ticket) ||
|
188
167
|
!tls13_derive_session_psk(session.get(), nonce) ||
|
189
|
-
!ssl_encrypt_ticket(
|
168
|
+
!ssl_encrypt_ticket(hs, &ticket, session.get()) ||
|
190
169
|
!CBB_add_u16_length_prefixed(&body, &extensions)) {
|
191
|
-
return
|
170
|
+
return false;
|
192
171
|
}
|
193
172
|
|
194
|
-
if (ssl->
|
195
|
-
CBB
|
173
|
+
if (ssl->enable_early_data) {
|
174
|
+
CBB early_data;
|
196
175
|
if (!CBB_add_u16(&extensions, TLSEXT_TYPE_early_data) ||
|
197
|
-
!CBB_add_u16_length_prefixed(&extensions, &
|
198
|
-
!CBB_add_u32(&
|
176
|
+
!CBB_add_u16_length_prefixed(&extensions, &early_data) ||
|
177
|
+
!CBB_add_u32(&early_data, session->ticket_max_early_data) ||
|
199
178
|
!CBB_flush(&extensions)) {
|
200
|
-
return
|
179
|
+
return false;
|
201
180
|
}
|
202
181
|
}
|
203
182
|
|
@@ -205,15 +184,16 @@ static int add_new_session_tickets(SSL_HANDSHAKE *hs) {
|
|
205
184
|
if (!CBB_add_u16(&extensions,
|
206
185
|
ssl_get_grease_value(hs, ssl_grease_ticket_extension)) ||
|
207
186
|
!CBB_add_u16(&extensions, 0 /* empty */)) {
|
208
|
-
return
|
187
|
+
return false;
|
209
188
|
}
|
210
189
|
|
211
190
|
if (!ssl_add_message_cbb(ssl, cbb.get())) {
|
212
|
-
return
|
191
|
+
return false;
|
213
192
|
}
|
214
193
|
}
|
215
194
|
|
216
|
-
|
195
|
+
*out_sent_tickets = true;
|
196
|
+
return true;
|
217
197
|
}
|
218
198
|
|
219
199
|
static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
|
@@ -235,8 +215,15 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
|
|
235
215
|
client_hello.session_id_len);
|
236
216
|
hs->session_id_len = client_hello.session_id_len;
|
237
217
|
|
218
|
+
uint16_t group_id;
|
219
|
+
if (!tls1_get_shared_group(hs, &group_id)) {
|
220
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
|
221
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
|
222
|
+
return ssl_hs_error;
|
223
|
+
}
|
224
|
+
|
238
225
|
// Negotiate the cipher suite.
|
239
|
-
hs->new_cipher = choose_tls13_cipher(ssl, &client_hello);
|
226
|
+
hs->new_cipher = choose_tls13_cipher(ssl, &client_hello, group_id);
|
240
227
|
if (hs->new_cipher == NULL) {
|
241
228
|
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
|
242
229
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
|
@@ -257,53 +244,43 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
|
|
257
244
|
return ssl_hs_error;
|
258
245
|
}
|
259
246
|
|
260
|
-
if (!ssl_hash_message(hs, msg)) {
|
261
|
-
return ssl_hs_error;
|
262
|
-
}
|
263
|
-
|
264
247
|
hs->tls13_state = state_select_session;
|
265
248
|
return ssl_hs_ok;
|
266
249
|
}
|
267
250
|
|
268
251
|
static enum ssl_ticket_aead_result_t select_session(
|
269
252
|
SSL_HANDSHAKE *hs, uint8_t *out_alert, UniquePtr<SSL_SESSION> *out_session,
|
270
|
-
int32_t *out_ticket_age_skew,
|
271
|
-
const SSL_CLIENT_HELLO *client_hello) {
|
253
|
+
int32_t *out_ticket_age_skew, bool *out_offered_ticket,
|
254
|
+
const SSLMessage &msg, const SSL_CLIENT_HELLO *client_hello) {
|
272
255
|
SSL *const ssl = hs->ssl;
|
273
|
-
*out_session =
|
256
|
+
*out_session = nullptr;
|
274
257
|
|
275
|
-
// Decode the ticket if we agreed on a PSK key exchange mode.
|
276
258
|
CBS pre_shared_key;
|
277
|
-
|
278
|
-
|
279
|
-
|
259
|
+
*out_offered_ticket = ssl_client_hello_get_extension(
|
260
|
+
client_hello, &pre_shared_key, TLSEXT_TYPE_pre_shared_key);
|
261
|
+
if (!*out_offered_ticket) {
|
280
262
|
return ssl_ticket_aead_ignore_ticket;
|
281
263
|
}
|
282
264
|
|
283
|
-
// Verify that the pre_shared_key extension is the last extension in
|
284
|
-
// ClientHello.
|
285
|
-
if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=
|
286
|
-
client_hello->extensions + client_hello->extensions_len) {
|
287
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
|
288
|
-
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
289
|
-
return ssl_ticket_aead_error;
|
290
|
-
}
|
291
|
-
|
292
265
|
CBS ticket, binders;
|
293
266
|
uint32_t client_ticket_age;
|
294
|
-
if (!ssl_ext_pre_shared_key_parse_clienthello(
|
295
|
-
|
296
|
-
|
267
|
+
if (!ssl_ext_pre_shared_key_parse_clienthello(
|
268
|
+
hs, &ticket, &binders, &client_ticket_age, out_alert, client_hello,
|
269
|
+
&pre_shared_key)) {
|
297
270
|
return ssl_ticket_aead_error;
|
298
271
|
}
|
299
272
|
|
273
|
+
// If the peer did not offer psk_dhe, ignore the resumption.
|
274
|
+
if (!hs->accept_psk_mode) {
|
275
|
+
return ssl_ticket_aead_ignore_ticket;
|
276
|
+
}
|
277
|
+
|
300
278
|
// TLS 1.3 session tickets are renewed separately as part of the
|
301
279
|
// NewSessionTicket.
|
302
280
|
bool unused_renew;
|
303
281
|
UniquePtr<SSL_SESSION> session;
|
304
282
|
enum ssl_ticket_aead_result_t ret =
|
305
|
-
ssl_process_ticket(
|
306
|
-
CBS_len(&ticket), NULL, 0);
|
283
|
+
ssl_process_ticket(hs, &session, &unused_renew, ticket, {});
|
307
284
|
switch (ret) {
|
308
285
|
case ssl_ticket_aead_success:
|
309
286
|
break;
|
@@ -337,10 +314,8 @@ static enum ssl_ticket_aead_result_t select_session(
|
|
337
314
|
return ssl_ticket_aead_ignore_ticket;
|
338
315
|
}
|
339
316
|
|
340
|
-
|
341
|
-
|
342
|
-
*out_ticket_age_skew =
|
343
|
-
(int32_t)client_ticket_age - (int32_t)server_ticket_age;
|
317
|
+
*out_ticket_age_skew = static_cast<int32_t>(client_ticket_age) -
|
318
|
+
static_cast<int32_t>(server_ticket_age);
|
344
319
|
|
345
320
|
// Check the PSK binder.
|
346
321
|
if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) {
|
@@ -367,10 +342,18 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
|
|
367
342
|
|
368
343
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
369
344
|
UniquePtr<SSL_SESSION> session;
|
370
|
-
|
371
|
-
|
345
|
+
bool offered_ticket = false;
|
346
|
+
switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew,
|
347
|
+
&offered_ticket, msg, &client_hello)) {
|
372
348
|
case ssl_ticket_aead_ignore_ticket:
|
373
349
|
assert(!session);
|
350
|
+
if (!ssl->enable_early_data) {
|
351
|
+
ssl->s3->early_data_reason = ssl_early_data_disabled;
|
352
|
+
} else if (!offered_ticket) {
|
353
|
+
ssl->s3->early_data_reason = ssl_early_data_no_session_offered;
|
354
|
+
} else {
|
355
|
+
ssl->s3->early_data_reason = ssl_early_data_session_not_resumed;
|
356
|
+
}
|
374
357
|
if (!ssl_get_new_session(hs, 1 /* server */)) {
|
375
358
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
376
359
|
return ssl_hs_error;
|
@@ -382,29 +365,34 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
|
|
382
365
|
// a fresh session.
|
383
366
|
hs->new_session =
|
384
367
|
SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY);
|
368
|
+
if (hs->new_session == nullptr) {
|
369
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
370
|
+
return ssl_hs_error;
|
371
|
+
}
|
385
372
|
|
386
|
-
if (ssl->
|
387
|
-
|
388
|
-
|
389
|
-
|
390
|
-
|
373
|
+
if (!ssl->enable_early_data) {
|
374
|
+
ssl->s3->early_data_reason = ssl_early_data_disabled;
|
375
|
+
} else if (session->ticket_max_early_data == 0) {
|
376
|
+
ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session;
|
377
|
+
} else if (!hs->early_data_offered) {
|
378
|
+
ssl->s3->early_data_reason = ssl_early_data_peer_declined;
|
379
|
+
} else if (ssl->s3->channel_id_valid) {
|
391
380
|
// Channel ID is incompatible with 0-RTT.
|
392
|
-
|
393
|
-
|
394
|
-
|
395
|
-
|
396
|
-
|
397
|
-
|
398
|
-
|
399
|
-
|
381
|
+
ssl->s3->early_data_reason = ssl_early_data_channel_id;
|
382
|
+
} else if (ssl->s3->token_binding_negotiated) {
|
383
|
+
// Token Binding is incompatible with 0-RTT.
|
384
|
+
ssl->s3->early_data_reason = ssl_early_data_token_binding;
|
385
|
+
} else if (MakeConstSpan(ssl->s3->alpn_selected) != session->early_alpn) {
|
386
|
+
// The negotiated ALPN must match the one in the ticket.
|
387
|
+
ssl->s3->early_data_reason = ssl_early_data_alpn_mismatch;
|
388
|
+
} else if (ssl->s3->ticket_age_skew < -kMaxTicketAgeSkewSeconds ||
|
389
|
+
kMaxTicketAgeSkewSeconds < ssl->s3->ticket_age_skew) {
|
390
|
+
ssl->s3->early_data_reason = ssl_early_data_ticket_age_skew;
|
391
|
+
} else {
|
392
|
+
ssl->s3->early_data_reason = ssl_early_data_accepted;
|
400
393
|
ssl->s3->early_data_accepted = true;
|
401
394
|
}
|
402
395
|
|
403
|
-
if (hs->new_session == NULL) {
|
404
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
405
|
-
return ssl_hs_error;
|
406
|
-
}
|
407
|
-
|
408
396
|
ssl->s3->session_reused = true;
|
409
397
|
|
410
398
|
// Resumption incorporates fresh key material, so refresh the timeout.
|
@@ -425,14 +413,9 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
|
|
425
413
|
hs->new_session->cipher = hs->new_cipher;
|
426
414
|
|
427
415
|
// Store the initial negotiated ALPN in the session.
|
428
|
-
if (!ssl->s3->alpn_selected
|
429
|
-
|
430
|
-
|
431
|
-
if (hs->new_session->early_alpn == NULL) {
|
432
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
433
|
-
return ssl_hs_error;
|
434
|
-
}
|
435
|
-
hs->new_session->early_alpn_len = ssl->s3->alpn_selected.size();
|
416
|
+
if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {
|
417
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
418
|
+
return ssl_hs_error;
|
436
419
|
}
|
437
420
|
|
438
421
|
if (ssl->ctx->dos_protection_cb != NULL &&
|
@@ -448,16 +431,21 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
|
|
448
431
|
|
449
432
|
// Set up the key schedule and incorporate the PSK into the running secret.
|
450
433
|
if (ssl->s3->session_reused) {
|
451
|
-
if (!tls13_init_key_schedule(
|
452
|
-
|
434
|
+
if (!tls13_init_key_schedule(
|
435
|
+
hs, MakeConstSpan(hs->new_session->master_key,
|
436
|
+
hs->new_session->master_key_length))) {
|
453
437
|
return ssl_hs_error;
|
454
438
|
}
|
455
|
-
} else if (!tls13_init_key_schedule(hs, kZeroes, hash_len)) {
|
439
|
+
} else if (!tls13_init_key_schedule(hs, MakeConstSpan(kZeroes, hash_len))) {
|
440
|
+
return ssl_hs_error;
|
441
|
+
}
|
442
|
+
|
443
|
+
if (!ssl_hash_message(hs, msg)) {
|
456
444
|
return ssl_hs_error;
|
457
445
|
}
|
458
446
|
|
459
447
|
if (ssl->s3->early_data_accepted) {
|
460
|
-
if (!
|
448
|
+
if (!tls13_derive_early_secret(hs)) {
|
461
449
|
return ssl_hs_error;
|
462
450
|
}
|
463
451
|
} else if (hs->early_data_offered) {
|
@@ -468,7 +456,10 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
|
|
468
456
|
bool need_retry;
|
469
457
|
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
|
470
458
|
if (need_retry) {
|
471
|
-
ssl->s3->early_data_accepted
|
459
|
+
if (ssl->s3->early_data_accepted) {
|
460
|
+
ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
|
461
|
+
ssl->s3->early_data_accepted = false;
|
462
|
+
}
|
472
463
|
ssl->s3->skip_early_data = true;
|
473
464
|
ssl->method->next_message(ssl);
|
474
465
|
if (!hs->transcript.UpdateForHelloRetryRequest()) {
|
@@ -480,6 +471,15 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
|
|
480
471
|
return ssl_hs_error;
|
481
472
|
}
|
482
473
|
|
474
|
+
// Note we defer releasing the early traffic secret to QUIC until after ECDHE
|
475
|
+
// is resolved. The early traffic secret should be derived before the key
|
476
|
+
// schedule incorporates ECDHE, but doing so may reject 0-RTT. To avoid
|
477
|
+
// confusing the caller, we split derivation and releasing the secret to QUIC.
|
478
|
+
if (ssl->s3->early_data_accepted &&
|
479
|
+
!tls13_set_early_secret_for_quic(hs)) {
|
480
|
+
return ssl_hs_error;
|
481
|
+
}
|
482
|
+
|
483
483
|
ssl->method->next_message(ssl);
|
484
484
|
hs->tls13_state = state_send_server_hello;
|
485
485
|
return ssl_hs_ok;
|
@@ -536,6 +536,41 @@ static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
|
|
536
536
|
return ssl_hs_error;
|
537
537
|
}
|
538
538
|
|
539
|
+
// We perform all our negotiation based on the first ClientHello (for
|
540
|
+
// consistency with what |select_certificate_cb| observed), which is in the
|
541
|
+
// transcript, so we can ignore most of this second one.
|
542
|
+
//
|
543
|
+
// We do, however, check the second PSK binder. This covers the client key
|
544
|
+
// share, in case we ever send half-RTT data (we currently do not). It is also
|
545
|
+
// a tricky computation, so we enforce the peer handled it correctly.
|
546
|
+
if (ssl->s3->session_reused) {
|
547
|
+
CBS pre_shared_key;
|
548
|
+
if (!ssl_client_hello_get_extension(&client_hello, &pre_shared_key,
|
549
|
+
TLSEXT_TYPE_pre_shared_key)) {
|
550
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_INCONSISTENT_CLIENT_HELLO);
|
551
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
552
|
+
return ssl_hs_error;
|
553
|
+
}
|
554
|
+
|
555
|
+
CBS ticket, binders;
|
556
|
+
uint32_t client_ticket_age;
|
557
|
+
uint8_t alert = SSL_AD_DECODE_ERROR;
|
558
|
+
if (!ssl_ext_pre_shared_key_parse_clienthello(
|
559
|
+
hs, &ticket, &binders, &client_ticket_age, &alert, &client_hello,
|
560
|
+
&pre_shared_key)) {
|
561
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
562
|
+
return ssl_hs_error;
|
563
|
+
}
|
564
|
+
|
565
|
+
// Note it is important that we do not obtain a new |SSL_SESSION| from
|
566
|
+
// |ticket|. We have already selected parameters based on the first
|
567
|
+
// ClientHello (in the transcript) and must not switch partway through.
|
568
|
+
if (!tls13_verify_psk_binder(hs, hs->new_session.get(), msg, &binders)) {
|
569
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
|
570
|
+
return ssl_hs_error;
|
571
|
+
}
|
572
|
+
}
|
573
|
+
|
539
574
|
bool need_retry;
|
540
575
|
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
|
541
576
|
if (need_retry) {
|
@@ -584,8 +619,8 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
|
|
584
619
|
|
585
620
|
// Derive and enable the handshake traffic secrets.
|
586
621
|
if (!tls13_derive_handshake_secrets(hs) ||
|
587
|
-
!tls13_set_traffic_key(ssl,
|
588
|
-
hs->
|
622
|
+
!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
|
623
|
+
hs->server_handshake_secret())) {
|
589
624
|
return ssl_hs_error;
|
590
625
|
}
|
591
626
|
|
@@ -599,10 +634,10 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
|
|
599
634
|
|
600
635
|
if (!ssl->s3->session_reused) {
|
601
636
|
// Determine whether to request a client certificate.
|
602
|
-
hs->cert_request = !!(
|
637
|
+
hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);
|
603
638
|
// Only request a certificate if Channel ID isn't negotiated.
|
604
|
-
if ((
|
605
|
-
ssl->s3->
|
639
|
+
if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
|
640
|
+
ssl->s3->channel_id_valid) {
|
606
641
|
hs->cert_request = false;
|
607
642
|
}
|
608
643
|
}
|
@@ -619,17 +654,29 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
|
|
619
654
|
!CBB_add_u16_length_prefixed(&cert_request_extensions,
|
620
655
|
&sigalg_contents) ||
|
621
656
|
!CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||
|
622
|
-
!tls12_add_verify_sigalgs(ssl, &sigalgs_cbb
|
657
|
+
!tls12_add_verify_sigalgs(ssl, &sigalgs_cbb,
|
658
|
+
false /* online signature */)) {
|
623
659
|
return ssl_hs_error;
|
624
660
|
}
|
625
661
|
|
626
|
-
if (
|
662
|
+
if (tls12_has_different_verify_sigalgs_for_certs(ssl)) {
|
663
|
+
if (!CBB_add_u16(&cert_request_extensions,
|
664
|
+
TLSEXT_TYPE_signature_algorithms_cert) ||
|
665
|
+
!CBB_add_u16_length_prefixed(&cert_request_extensions,
|
666
|
+
&sigalg_contents) ||
|
667
|
+
!CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||
|
668
|
+
!tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */)) {
|
669
|
+
return ssl_hs_error;
|
670
|
+
}
|
671
|
+
}
|
672
|
+
|
673
|
+
if (ssl_has_client_CAs(hs->config)) {
|
627
674
|
CBB ca_contents;
|
628
675
|
if (!CBB_add_u16(&cert_request_extensions,
|
629
676
|
TLSEXT_TYPE_certificate_authorities) ||
|
630
677
|
!CBB_add_u16_length_prefixed(&cert_request_extensions,
|
631
678
|
&ca_contents) ||
|
632
|
-
!ssl_add_client_CA_list(
|
679
|
+
!ssl_add_client_CA_list(hs, &ca_contents) ||
|
633
680
|
!CBB_flush(&cert_request_extensions)) {
|
634
681
|
return ssl_hs_error;
|
635
682
|
}
|
@@ -642,7 +689,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
|
|
642
689
|
|
643
690
|
// Send the server Certificate message, if necessary.
|
644
691
|
if (!ssl->s3->session_reused) {
|
645
|
-
if (!ssl_has_certificate(
|
692
|
+
if (!ssl_has_certificate(hs)) {
|
646
693
|
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
|
647
694
|
return ssl_hs_error;
|
648
695
|
}
|
@@ -681,10 +728,11 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
|
|
681
728
|
SSL *const ssl = hs->ssl;
|
682
729
|
if (!tls13_add_finished(hs) ||
|
683
730
|
// Update the secret to the master secret and derive traffic keys.
|
684
|
-
!tls13_advance_key_schedule(
|
731
|
+
!tls13_advance_key_schedule(
|
732
|
+
hs, MakeConstSpan(kZeroes, hs->transcript.DigestLen())) ||
|
685
733
|
!tls13_derive_application_secrets(hs) ||
|
686
|
-
!tls13_set_traffic_key(ssl,
|
687
|
-
hs->
|
734
|
+
!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
|
735
|
+
hs->server_traffic_secret_0())) {
|
688
736
|
return ssl_hs_error;
|
689
737
|
}
|
690
738
|
|
@@ -692,21 +740,22 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
|
|
692
740
|
// If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
|
693
741
|
// the wire sooner and also avoids triggering a write on |SSL_read| when
|
694
742
|
// processing the client Finished. This requires computing the client
|
695
|
-
// Finished early. See
|
743
|
+
// Finished early. See RFC 8446, section 4.6.1.
|
696
744
|
static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0,
|
697
745
|
0, 0};
|
698
|
-
if (
|
746
|
+
if (ssl->quic_method == nullptr &&
|
747
|
+
!hs->transcript.Update(kEndOfEarlyData)) {
|
699
748
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
700
749
|
return ssl_hs_error;
|
701
750
|
}
|
702
751
|
|
703
752
|
size_t finished_len;
|
704
|
-
if (!tls13_finished_mac(hs, hs->expected_client_finished,
|
705
|
-
|
753
|
+
if (!tls13_finished_mac(hs, hs->expected_client_finished().data(),
|
754
|
+
&finished_len, false /* client */)) {
|
706
755
|
return ssl_hs_error;
|
707
756
|
}
|
708
757
|
|
709
|
-
if (finished_len != hs->
|
758
|
+
if (finished_len != hs->expected_client_finished().size()) {
|
710
759
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
711
760
|
return ssl_hs_error;
|
712
761
|
}
|
@@ -716,14 +765,15 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
|
|
716
765
|
//
|
717
766
|
// TODO(davidben): This will need to be updated for DTLS 1.3.
|
718
767
|
assert(!SSL_is_dtls(hs->ssl));
|
719
|
-
assert(hs->
|
720
|
-
uint8_t header[4] = {
|
721
|
-
|
768
|
+
assert(hs->expected_client_finished().size() <= 0xff);
|
769
|
+
uint8_t header[4] = {
|
770
|
+
SSL3_MT_FINISHED, 0, 0,
|
771
|
+
static_cast<uint8_t>(hs->expected_client_finished().size())};
|
772
|
+
bool unused_sent_tickets;
|
722
773
|
if (!hs->transcript.Update(header) ||
|
723
|
-
!hs->transcript.Update(
|
724
|
-
MakeConstSpan(hs->expected_client_finished, hs->hash_len)) ||
|
774
|
+
!hs->transcript.Update(hs->expected_client_finished()) ||
|
725
775
|
!tls13_derive_resumption_secret(hs) ||
|
726
|
-
!add_new_session_tickets(hs)) {
|
776
|
+
!add_new_session_tickets(hs, &unused_sent_tickets)) {
|
727
777
|
return ssl_hs_error;
|
728
778
|
}
|
729
779
|
}
|
@@ -735,14 +785,29 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
|
|
735
785
|
static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {
|
736
786
|
SSL *const ssl = hs->ssl;
|
737
787
|
if (ssl->s3->early_data_accepted) {
|
738
|
-
|
739
|
-
|
788
|
+
// QUIC never receives handshake messages under 0-RTT keys.
|
789
|
+
if (ssl->quic_method == nullptr &&
|
790
|
+
!tls13_set_traffic_key(ssl, ssl_encryption_early_data, evp_aead_open,
|
791
|
+
hs->early_traffic_secret())) {
|
740
792
|
return ssl_hs_error;
|
741
793
|
}
|
742
794
|
hs->can_early_write = true;
|
743
795
|
hs->can_early_read = true;
|
744
796
|
hs->in_early_data = true;
|
745
797
|
}
|
798
|
+
|
799
|
+
// QUIC doesn't use an EndOfEarlyData message (draft-ietf-quic-tls-22,
|
800
|
+
// section 8.3), so we switch to client_handshake_secret before the early
|
801
|
+
// return.
|
802
|
+
if (ssl->quic_method != nullptr) {
|
803
|
+
if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
|
804
|
+
hs->client_handshake_secret())) {
|
805
|
+
return ssl_hs_error;
|
806
|
+
}
|
807
|
+
hs->tls13_state = state_read_client_certificate;
|
808
|
+
return ssl->s3->early_data_accepted ? ssl_hs_early_return : ssl_hs_ok;
|
809
|
+
}
|
810
|
+
|
746
811
|
hs->tls13_state = state_process_end_of_early_data;
|
747
812
|
return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data
|
748
813
|
: ssl_hs_ok;
|
@@ -750,50 +815,50 @@ static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {
|
|
750
815
|
|
751
816
|
static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {
|
752
817
|
SSL *const ssl = hs->ssl;
|
753
|
-
|
754
|
-
|
755
|
-
|
756
|
-
|
757
|
-
|
758
|
-
|
759
|
-
return ssl_hs_read_message;
|
760
|
-
}
|
761
|
-
|
762
|
-
if (!ssl_check_message_type(ssl, msg, SSL3_MT_END_OF_EARLY_DATA)) {
|
763
|
-
return ssl_hs_error;
|
764
|
-
}
|
765
|
-
if (CBS_len(&msg.body) != 0) {
|
766
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
767
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
768
|
-
return ssl_hs_error;
|
769
|
-
}
|
770
|
-
ssl->method->next_message(ssl);
|
818
|
+
// If early data was not accepted, the EndOfEarlyData will be in the discarded
|
819
|
+
// early data.
|
820
|
+
if (hs->ssl->s3->early_data_accepted) {
|
821
|
+
SSLMessage msg;
|
822
|
+
if (!ssl->method->get_message(ssl, &msg)) {
|
823
|
+
return ssl_hs_read_message;
|
771
824
|
}
|
825
|
+
if (!ssl_check_message_type(ssl, msg, SSL3_MT_END_OF_EARLY_DATA)) {
|
826
|
+
return ssl_hs_error;
|
827
|
+
}
|
828
|
+
if (CBS_len(&msg.body) != 0) {
|
829
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
830
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
831
|
+
return ssl_hs_error;
|
832
|
+
}
|
833
|
+
ssl->method->next_message(ssl);
|
772
834
|
}
|
773
|
-
if (!tls13_set_traffic_key(ssl,
|
774
|
-
hs->
|
835
|
+
if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
|
836
|
+
hs->client_handshake_secret())) {
|
775
837
|
return ssl_hs_error;
|
776
838
|
}
|
777
|
-
hs->tls13_state =
|
778
|
-
? state_read_client_finished
|
779
|
-
: state_read_client_certificate;
|
839
|
+
hs->tls13_state = state_read_client_certificate;
|
780
840
|
return ssl_hs_ok;
|
781
841
|
}
|
782
842
|
|
783
843
|
static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
|
784
844
|
SSL *const ssl = hs->ssl;
|
785
845
|
if (!hs->cert_request) {
|
786
|
-
|
787
|
-
|
788
|
-
|
846
|
+
if (!ssl->s3->session_reused) {
|
847
|
+
// OpenSSL returns X509_V_OK when no certificates are requested. This is
|
848
|
+
// classed by them as a bug, but it's assumed by at least NGINX. (Only do
|
849
|
+
// this in full handshakes as resumptions should carry over the previous
|
850
|
+
// |verify_result|, though this is a no-op because servers do not
|
851
|
+
// implement the client's odd soft-fail mode.)
|
852
|
+
hs->new_session->verify_result = X509_V_OK;
|
853
|
+
}
|
789
854
|
|
790
855
|
// Skip this state.
|
791
856
|
hs->tls13_state = state_read_channel_id;
|
792
857
|
return ssl_hs_ok;
|
793
858
|
}
|
794
859
|
|
795
|
-
const
|
796
|
-
(
|
860
|
+
const bool allow_anonymous =
|
861
|
+
(hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
|
797
862
|
SSLMessage msg;
|
798
863
|
if (!ssl->method->get_message(ssl, &msg)) {
|
799
864
|
return ssl_hs_read_message;
|
@@ -812,7 +877,7 @@ static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
|
|
812
877
|
static enum ssl_hs_wait_t do_read_client_certificate_verify(
|
813
878
|
SSL_HANDSHAKE *hs) {
|
814
879
|
SSL *const ssl = hs->ssl;
|
815
|
-
if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {
|
880
|
+
if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {
|
816
881
|
// Skip this state.
|
817
882
|
hs->tls13_state = state_read_channel_id;
|
818
883
|
return ssl_hs_ok;
|
@@ -846,7 +911,7 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(
|
|
846
911
|
|
847
912
|
static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {
|
848
913
|
SSL *const ssl = hs->ssl;
|
849
|
-
if (!ssl->s3->
|
914
|
+
if (!ssl->s3->channel_id_valid) {
|
850
915
|
hs->tls13_state = state_read_client_finished;
|
851
916
|
return ssl_hs_ok;
|
852
917
|
}
|
@@ -877,8 +942,8 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
|
|
877
942
|
// and derived the resumption secret.
|
878
943
|
!tls13_process_finished(hs, msg, ssl->s3->early_data_accepted) ||
|
879
944
|
// evp_aead_seal keys have already been switched.
|
880
|
-
!tls13_set_traffic_key(ssl,
|
881
|
-
hs->
|
945
|
+
!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
|
946
|
+
hs->client_traffic_secret_0())) {
|
882
947
|
return ssl_hs_error;
|
883
948
|
}
|
884
949
|
|
@@ -900,19 +965,21 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
|
|
900
965
|
}
|
901
966
|
|
902
967
|
static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
|
903
|
-
|
904
|
-
|
905
|
-
if (!hs->accept_psk_mode) {
|
906
|
-
hs->tls13_state = state_done;
|
907
|
-
return ssl_hs_ok;
|
908
|
-
}
|
909
|
-
|
910
|
-
if (!add_new_session_tickets(hs)) {
|
968
|
+
bool sent_tickets;
|
969
|
+
if (!add_new_session_tickets(hs, &sent_tickets)) {
|
911
970
|
return ssl_hs_error;
|
912
971
|
}
|
913
972
|
|
914
973
|
hs->tls13_state = state_done;
|
915
|
-
|
974
|
+
// In TLS 1.3, the NewSessionTicket isn't flushed until the server performs a
|
975
|
+
// write, to prevent a non-reading client from causing the server to hang in
|
976
|
+
// the case of a small server write buffer. Consumers which don't write data
|
977
|
+
// to the client will need to do a zero-byte write if they wish to flush the
|
978
|
+
// tickets.
|
979
|
+
if (hs->ssl->quic_method != nullptr && sent_tickets) {
|
980
|
+
return ssl_hs_flush;
|
981
|
+
}
|
982
|
+
return ssl_hs_ok;
|
916
983
|
}
|
917
984
|
|
918
985
|
enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
|
@@ -1019,4 +1086,4 @@ const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs) {
|
|
1019
1086
|
return "TLS 1.3 server unknown";
|
1020
1087
|
}
|
1021
1088
|
|
1022
|
-
|
1089
|
+
BSSL_NAMESPACE_END
|
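Review bot: In do_read_client_certificate (new line 852), the `!hs->cert_request` path records `hs->new_session->verify_result = X509_V_OK;` for a full handshake in which no client certificate was requested, and the comment above it explains the NGINX compatibility reason but not the consequence for callers. A server that authorizes on `SSL_get_verify_result()` alone would then treat an anonymous client the same as a verified one. I would extend the comment with the caveat, for example `// X509_V_OK here does not mean the client authenticated; callers must also check that a peer certificate is present.` The function body continues past the end of this hunk, so how the certificate-requested path sets verify_result is not visible here.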