RubyGems - grpc - Versions diffs - 1.27.0 → 1.28.0.pre2 - Mend

grpc 1.27.0 → 1.28.0.pre2

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (678) hide show

data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/ssl3.h RENAMED Viewed

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/stack.h RENAMED Viewed

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/thread.h RENAMED Viewed

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/tls1.h RENAMED Viewed

@@ -244,9 +244,6 @@ extern "C" {
 // This is not an IANA defined extension number
 #define TLSEXT_TYPE_channel_id 30032
-// This is not an IANA defined extension number
-#define TLSEXT_TYPE_pq_experiment_signal 54538
 // status request value from RFC 3546
 #define TLSEXT_STATUSTYPE_nothing (-1)
 #define TLSEXT_STATUSTYPE_ocsp 1

data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/type_check.h RENAMED Viewed

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/x509.h RENAMED Viewed

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/x509_vfy.h RENAMED Viewed

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/include/openssl/x509v3.h RENAMED Viewed

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/bio_ssl.cc RENAMED Viewed

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/d1_both.cc RENAMED Viewed

@@ -117,7 +117,6 @@
 #include <limits.h>
 #include <string.h>
-#include <openssl/buf.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/mem.h>

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/d1_lib.cc RENAMED Viewed

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/d1_pkt.cc RENAMED Viewed

@@ -115,7 +115,6 @@
 #include <string.h>
 #include <openssl/bio.h>
-#include <openssl/buf.h>
 #include <openssl/bytestring.h>
 #include <openssl/mem.h>
 #include <openssl/evp.h>

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/d1_srtp.cc RENAMED Viewed

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/dtls_method.cc RENAMED Viewed

@@ -59,7 +59,6 @@
 #include <assert.h>
 #include <string.h>
-#include <openssl/buf.h>
 #include <openssl/err.h>
 #include "../crypto/internal.h"

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/dtls_record.cc RENAMED Viewed

File without changes

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/handoff.cc RENAMED Viewed

@@ -181,8 +181,15 @@ static bool apply_remote_features(SSL *ssl, CBS *in) {
   return true;
 }
+// uses_disallowed_feature returns true iff |ssl| enables a feature that
+// disqualifies it for split handshakes.
+static bool uses_disallowed_feature(const SSL *ssl) {
+  return ssl->method->is_dtls || (ssl->config->cert && ssl->config->cert->dc) ||
+         ssl->config->quic_transport_params.size() > 0;
+}
 bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) {
-  if (ssl->method->is_dtls) {
+  if (uses_disallowed_feature(ssl)) {
     return false;
   }
@@ -223,11 +230,13 @@ bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) {
 }
 bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
-  if (!ssl->server || ssl->method->is_dtls) {
+  if (!ssl->server || uses_disallowed_feature(ssl)) {
     return false;
   }
+  const SSL3_STATE *const s3 = ssl->s3;
+  SSL_HANDSHAKE *const hs = s3->hs.get();
   handback_t type;
-  switch (ssl->s3->hs->state) {
+  switch (hs->state) {
     case state12_read_change_cipher_spec:
       type = handback_after_session_resumption;
       break;
@@ -237,11 +246,15 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
     case state12_finish_server_handshake:
       type = handback_after_handshake;
       break;
+    // The outer state machine is always in |state12_tls13| for a TLS 1.3
+    // handshake as TLS 1.3 uses |tls13_state|.
+    case state12_tls13:
+      type = handback_tls13;
+      break;
     default:
       return false;
   }
-  const SSL3_STATE *const s3 = ssl->s3;
   size_t hostname_len = 0;
   if (s3->hostname) {
     hostname_len = strlen(s3->hostname.get());
@@ -249,7 +262,7 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
   Span<const uint8_t> transcript;
   if (type == handback_after_ecdhe ||
-      type == handback_after_session_resumption) {
+      type == handback_after_session_resumption || type == handback_tls13) {
     transcript = s3->hs->transcript.buffer();
   }
   size_t write_iv_len = 0;
@@ -272,8 +285,12 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
   // TODO(mab): make sure everything is serialized.
   CBB seq, key_share;
-  const SSL_SESSION *session =
-      s3->session_reused ? ssl->session.get() : s3->hs->new_session.get();
+  const SSL_SESSION *session;
+  if (type == handback_tls13) {
+    session = hs->new_session.get();
+  } else {
+    session = s3->session_reused ? ssl->session.get() : hs->new_session.get();
+  }
   if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
       !CBB_add_asn1_uint64(&seq, kHandbackVersion) ||
       !CBB_add_asn1_uint64(&seq, type) ||
@@ -314,6 +331,25 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
       !s3->hs->key_shares[0]->Serialize(&key_share)) {
     return false;
   }
+  if (type == handback_tls13) {
+    if (!CBB_add_asn1_octet_string(&seq, hs->client_traffic_secret_0().data(),
+                                   hs->client_traffic_secret_0().size()) ||
+        !CBB_add_asn1_octet_string(&seq, hs->server_traffic_secret_0().data(),
+                                   hs->server_traffic_secret_0().size()) ||
+        !CBB_add_asn1_octet_string(&seq, hs->client_handshake_secret().data(),
+                                   hs->client_handshake_secret().size()) ||
+        !CBB_add_asn1_octet_string(&seq, hs->server_handshake_secret().data(),
+                                   hs->server_handshake_secret().size()) ||
+        !CBB_add_asn1_octet_string(&seq, hs->secret().data(),
+                                   hs->secret().size()) ||
+        !CBB_add_asn1_octet_string(&seq, s3->exporter_secret,
+                                   s3->exporter_secret_len) ||
+        !CBB_add_asn1_bool(&seq, s3->used_hello_retry_request) ||
+        !CBB_add_asn1_bool(&seq, hs->accept_psk_mode) ||
+        !CBB_add_asn1_int64(&seq, s3->ticket_age_skew)) {
+      return false;
+    }
+  }
   return CBB_flush(out);
 }
@@ -360,14 +396,15 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
   }
   s3->hs = ssl_handshake_new(ssl);
-  if (session_reused) {
-    ssl->session =
+  SSL_HANDSHAKE *const hs = s3->hs.get();
+  if (!session_reused || type == handback_tls13) {
+    hs->new_session =
         SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
-    session = ssl->session.get();
+    session = hs->new_session.get();
   } else {
-    s3->hs->new_session =
+    ssl->session =
         SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
-    session = s3->hs->new_session.get();
+    session = ssl->session.get();
   }
   if (!session || !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||
@@ -386,7 +423,7 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
       !CBS_get_asn1_uint64(&seq, &cipher)) {
     return false;
   }
-  if ((s3->hs->new_cipher =
+  if ((hs->new_cipher =
            SSL_get_cipher_by_value(static_cast<uint16_t>(cipher))) == nullptr) {
     return false;
   }
@@ -394,11 +431,35 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
       !CBS_get_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
     return false;
   }
+  CBS client_handshake_secret, server_handshake_secret, client_traffic_secret_0,
+      server_traffic_secret_0, secret, exporter_secret;
+  if (type == handback_tls13) {
+    int used_hello_retry_request, accept_psk_mode;
+    int64_t ticket_age_skew;
+    if (!CBS_get_asn1(&seq, &client_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
+        !CBS_get_asn1(&seq, &server_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
+        !CBS_get_asn1(&seq, &client_handshake_secret, CBS_ASN1_OCTETSTRING) ||
+        !CBS_get_asn1(&seq, &server_handshake_secret, CBS_ASN1_OCTETSTRING) ||
+        !CBS_get_asn1(&seq, &secret, CBS_ASN1_OCTETSTRING) ||
+        !CBS_get_asn1(&seq, &exporter_secret, CBS_ASN1_OCTETSTRING) ||
+        !CBS_get_asn1_bool(&seq, &used_hello_retry_request) ||
+        !CBS_get_asn1_bool(&seq, &accept_psk_mode) ||
+        !CBS_get_asn1_int64(&seq, &ticket_age_skew)) {
+      return false;
+    }
+    if (ticket_age_skew > std::numeric_limits<int32_t>::max() ||
+        ticket_age_skew < std::numeric_limits<int32_t>::min()) {
+      return false;
+    }
+    s3->ticket_age_skew = static_cast<int32_t>(ticket_age_skew);
+    s3->used_hello_retry_request = used_hello_retry_request;
+    hs->accept_psk_mode = accept_psk_mode;
+  }
   ssl->version = session->ssl_version;
   s3->have_version = true;
   if (!ssl_method_supports_version(ssl->method, ssl->version) ||
-      session->cipher != s3->hs->new_cipher ||
+      session->cipher != hs->new_cipher ||
       ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) ||
       SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) {
     return false;
@@ -407,19 +468,23 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
   ssl->server = true;
   switch (type) {
     case handback_after_session_resumption:
-      ssl->s3->hs->state = state12_read_change_cipher_spec;
+      hs->state = state12_read_change_cipher_spec;
       if (!session_reused) {
         return false;
       }
       break;
     case handback_after_ecdhe:
-      ssl->s3->hs->state = state12_read_client_certificate;
+      hs->state = state12_read_client_certificate;
       if (session_reused) {
         return false;
       }
       break;
     case handback_after_handshake:
-      ssl->s3->hs->state = state12_finish_server_handshake;
+      hs->state = state12_finish_server_handshake;
+      break;
+    case handback_tls13:
+      hs->state = state12_tls13;
+      hs->tls13_state = state13_read_client_certificate;
       break;
     default:
       return false;
@@ -443,17 +508,50 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
   s3->token_binding_negotiated = token_binding_negotiated;
   s3->negotiated_token_binding_param =
       static_cast<uint8_t>(negotiated_token_binding_param);
-  s3->hs->next_proto_neg_seen = next_proto_neg_seen;
-  s3->hs->wait = ssl_hs_flush;
-  s3->hs->extended_master_secret = extended_master_secret;
-  s3->hs->ticket_expected = ticket_expected;
+  hs->next_proto_neg_seen = next_proto_neg_seen;
+  hs->wait = ssl_hs_flush;
+  hs->extended_master_secret = extended_master_secret;
+  hs->ticket_expected = ticket_expected;
   s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
-  s3->hs->cert_request = cert_request;
+  hs->cert_request = cert_request;
   // TODO(davidben): When handoff for TLS 1.3 is added, serialize
   // |early_data_reason| and stabilize the constants.
   s3->early_data_reason = ssl_early_data_protocol_version;
+  if ((type == handback_after_ecdhe ||
+       type == handback_after_session_resumption || type == handback_tls13) &&
+      (!hs->transcript.Init() ||
+       !hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
+       !hs->transcript.Update(transcript))) {
+    return false;
+  }
+  if (type == handback_tls13) {
+    const size_t digest_len = hs->transcript.DigestLen();
+    if (digest_len != CBS_len(&client_traffic_secret_0) ||
+        digest_len != CBS_len(&server_traffic_secret_0) ||
+        digest_len != CBS_len(&client_handshake_secret) ||
+        digest_len != CBS_len(&server_handshake_secret) ||
+        digest_len != CBS_len(&secret)) {
+      return false;
+    }
+    hs->ResizeSecrets(digest_len);
+    memcpy(hs->client_traffic_secret_0().data(),
+           CBS_data(&client_traffic_secret_0), digest_len);
+    memcpy(hs->server_traffic_secret_0().data(),
+           CBS_data(&server_traffic_secret_0), digest_len);
+    memcpy(hs->client_handshake_secret().data(),
+           CBS_data(&client_handshake_secret), digest_len);
+    memcpy(hs->server_handshake_secret().data(),
+           CBS_data(&server_handshake_secret), digest_len);
+    memcpy(hs->secret().data(), CBS_data(&secret), digest_len);
+    if (digest_len != CBS_len(&exporter_secret)) {
+      return false;
+    }
+    memcpy(s3->exporter_secret, CBS_data(&exporter_secret), digest_len);
+    s3->exporter_secret_len = digest_len;
+  }
   Array<uint8_t> key_block;
   if ((type == handback_after_session_resumption ||
        type == handback_after_handshake) &&
@@ -470,16 +568,15 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
                        sizeof(s3->read_sequence)))) {
     return false;
   }
-  if ((type == handback_after_ecdhe ||
-       type == handback_after_session_resumption) &&
-      (!s3->hs->transcript.Init() ||
-       !s3->hs->transcript.InitHash(ssl_protocol_version(ssl),
-                                    s3->hs->new_cipher) ||
-       !s3->hs->transcript.Update(transcript))) {
+  if (type == handback_tls13 &&
+      (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
+                              hs->client_handshake_secret()) ||
+       !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
+                              hs->server_traffic_secret_0()))) {
     return false;
   }
   if (type == handback_after_ecdhe &&
-      (s3->hs->key_shares[0] = SSLKeyShare::Create(&key_share)) == nullptr) {
+      (hs->key_shares[0] = SSLKeyShare::Create(&key_share)) == nullptr) {
     return false;
   }

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/handshake.cc RENAMED Viewed

@@ -128,8 +128,6 @@ SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg)
     : ssl(ssl_arg),
       scts_requested(false),
       needs_psk_binder(false),
-      received_hello_retry_request(false),
-      sent_hello_retry_request(false),
       handshake_finalized(false),
       accept_psk_mode(false),
       cert_request(false),
@@ -388,7 +386,8 @@ enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) {
 // SSL_VERIFY_NONE
 // 3. We don't call the OCSP callback.
 // 4. We only support custom verify callbacks.
-enum ssl_verify_result_t ssl_reverify_peer_cert(SSL_HANDSHAKE *hs) {
+enum ssl_verify_result_t ssl_reverify_peer_cert(SSL_HANDSHAKE *hs,
+                                                bool send_alert) {
   SSL *const ssl = hs->ssl;
   assert(ssl->s3->established_session == nullptr);
   assert(hs->config->verify_mode != SSL_VERIFY_NONE);
@@ -401,7 +400,9 @@ enum ssl_verify_result_t ssl_reverify_peer_cert(SSL_HANDSHAKE *hs) {
   if (ret == ssl_verify_invalid) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
-    ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
+    if (send_alert) {
+      ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
+    }
   }
   return ret;

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/handshake_client.cc RENAMED Viewed

@@ -157,7 +157,6 @@
 #include <openssl/aead.h>
 #include <openssl/bn.h>
-#include <openssl/buf.h>
 #include <openssl/bytestring.h>
 #include <openssl/ec_key.h>
 #include <openssl/ecdsa.h>
@@ -459,8 +458,7 @@ static enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) {
   if (!tls13_init_early_key_schedule(
           hs, MakeConstSpan(ssl->session->master_key,
                             ssl->session->master_key_length)) ||
-      !tls13_derive_early_secret(hs) ||
-      !tls13_set_early_secret_for_quic(hs)) {
+      !tls13_derive_early_secret(hs)) {
     return ssl_hs_error;
   }
   if (ssl->quic_method == nullptr &&
@@ -478,17 +476,30 @@ static enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) {
 static enum ssl_hs_wait_t do_early_reverify_server_certificate(SSL_HANDSHAKE *hs) {
   if (hs->ssl->ctx->reverify_on_resume) {
-    switch (ssl_reverify_peer_cert(hs)) {
-    case ssl_verify_ok:
-      break;
-    case ssl_verify_invalid:
-      return ssl_hs_error;
-    case ssl_verify_retry:
-      hs->state = state_early_reverify_server_certificate;
-      return ssl_hs_certificate_verify;
+    // Don't send an alert on error. The alert be in early data, which the
+    // server may not accept anyway. It would also be a mismatch between QUIC
+    // and TCP because the QUIC early keys are deferred below.
+    //
+    // TODO(davidben): The client behavior should be to verify the certificate
+    // before deciding whether to offer the session and, if invalid, decline to
+    // send the session.
+    switch (ssl_reverify_peer_cert(hs, /*send_alert=*/false)) {
+      case ssl_verify_ok:
+        break;
+      case ssl_verify_invalid:
+        return ssl_hs_error;
+      case ssl_verify_retry:
+        hs->state = state_early_reverify_server_certificate;
+        return ssl_hs_certificate_verify;
     }
   }
+  // Defer releasing the 0-RTT key to after certificate reverification, so the
+  // QUIC implementation does not accidentally write data too early.
+  if (!tls13_set_early_secret_for_quic(hs)) {
+    return ssl_hs_error;
+  }
   hs->in_early_data = true;
   hs->can_early_write = true;
   hs->state = state_read_server_hello;
@@ -908,7 +919,7 @@ static enum ssl_hs_wait_t do_verify_server_certificate(SSL_HANDSHAKE *hs) {
 static enum ssl_hs_wait_t do_reverify_server_certificate(SSL_HANDSHAKE *hs) {
   assert(hs->ssl->ctx->reverify_on_resume);
-  switch (ssl_reverify_peer_cert(hs)) {
+  switch (ssl_reverify_peer_cert(hs, /*send_alert=*/true)) {
     case ssl_verify_ok:
       break;
     case ssl_verify_invalid:
@@ -1291,7 +1302,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
     }
     assert(psk_len <= PSK_MAX_PSK_LEN);
-    hs->new_session->psk_identity.reset(BUF_strdup(identity));
+    hs->new_session->psk_identity.reset(OPENSSL_strdup(identity));
     if (hs->new_session->psk_identity == nullptr) {
       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
       return ssl_hs_error;

data/third_party/{boringssl → boringssl-with-bazel/src}/ssl/handshake_server.cc RENAMED Viewed

@@ -152,7 +152,6 @@
 #include <string.h>
 #include <openssl/bn.h>
-#include <openssl/buf.h>
 #include <openssl/bytestring.h>
 #include <openssl/cipher.h>
 #include <openssl/ec.h>
@@ -1093,12 +1092,9 @@ static enum ssl_hs_wait_t do_send_server_hello_done(SSL_HANDSHAKE *hs) {
         !CBB_add_u8_length_prefixed(&body, &cert_types) ||
         !CBB_add_u8(&cert_types, SSL3_CT_RSA_SIGN) ||
         !CBB_add_u8(&cert_types, TLS_CT_ECDSA_SIGN) ||
-        // TLS 1.2 has no way to specify different signature algorithms for
-        // certificates and the online signature, so emit the more restrictive
-        // certificate list.
         (ssl_protocol_version(ssl) >= TLS1_2_VERSION &&
          (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb) ||
-          !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */))) ||
+          !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb))) ||
         !ssl_add_client_CA_list(hs, &body) ||
         !ssl_add_message_cbb(ssl, cbb.get())) {
       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);