RubyGems - grpc - Versions diffs - 1.28.0.pre2 → 1.31.0.pre1 - Mend

grpc 1.28.0.pre2 → 1.31.0.pre1

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (660) hide show

data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h CHANGED

@@ -578,6 +578,7 @@ OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx);
 OPENSSL_EXPORT X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx);
 OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx);
 OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx);
 OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
 OPENSSL_EXPORT void	X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x);
 OPENSSL_EXPORT void	X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk);

data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc CHANGED

@@ -437,10 +437,6 @@ void dtls1_next_message(SSL *ssl) {
 }
 bool dtls_has_unprocessed_handshake_data(const SSL *ssl) {
-  if (ssl->d1->has_change_cipher_spec) {
-    return true;
-  }
   size_t current = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;
   for (size_t i = 0; i < SSL_MAX_HANDSHAKE_FLIGHT; i++) {
     // Skip the current message.

data/third_party/boringssl-with-bazel/src/ssl/d1_lib.cc CHANGED

@@ -86,12 +86,12 @@ DTLS1_STATE::DTLS1_STATE()
 DTLS1_STATE::~DTLS1_STATE() {}
 bool dtls1_new(SSL *ssl) {
-  if (!ssl3_new(ssl)) {
+  if (!tls_new(ssl)) {
     return false;
   }
   UniquePtr<DTLS1_STATE> d1 = MakeUnique<DTLS1_STATE>();
   if (!d1) {
-    ssl3_free(ssl);
+    tls_free(ssl);
     return false;
   }
@@ -107,7 +107,7 @@ bool dtls1_new(SSL *ssl) {
 }
 void dtls1_free(SSL *ssl) {
-  ssl3_free(ssl);
+  tls_free(ssl);
   if (ssl == NULL) {
     return;

data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc CHANGED

@@ -77,10 +77,13 @@ static void dtls1_on_handshake_complete(SSL *ssl) {
   }
 }
-static bool dtls1_set_read_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {
+static bool dtls1_set_read_state(SSL *ssl, ssl_encryption_level_t level,
+                                 UniquePtr<SSLAEADContext> aead_ctx,
+                                 Span<const uint8_t> secret_for_quic) {
+  assert(secret_for_quic.empty());  // QUIC does not use DTLS.
   // Cipher changes are forbidden if the current epoch has leftover data.
   if (dtls_has_unprocessed_handshake_data(ssl)) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
+    OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
     return false;
   }
@@ -90,11 +93,15 @@ static bool dtls1_set_read_state(SSL *ssl, UniquePtr aead_ctx) {
   OPENSSL_memset(ssl->s3->read_sequence, 0, sizeof(ssl->s3->read_sequence));
   ssl->s3->aead_read_ctx = std::move(aead_ctx);
+  ssl->s3->read_level = level;
+  ssl->d1->has_change_cipher_spec = 0;
   return true;
 }
-static bool dtls1_set_write_state(SSL *ssl,
-                                  UniquePtr<SSLAEADContext> aead_ctx) {
+static bool dtls1_set_write_state(SSL *ssl, ssl_encryption_level_t level,
+                                  UniquePtr<SSLAEADContext> aead_ctx,
+                                  Span<const uint8_t> secret_for_quic) {
+  assert(secret_for_quic.empty());  // QUIC does not use DTLS.
   ssl->d1->w_epoch++;
   OPENSSL_memcpy(ssl->d1->last_write_sequence, ssl->s3->write_sequence,
                  sizeof(ssl->s3->write_sequence));
@@ -102,6 +109,7 @@ static bool dtls1_set_write_state(SSL *ssl,
   ssl->d1->last_aead_write_ctx = std::move(ssl->s3->aead_write_ctx);
   ssl->s3->aead_write_ctx = std::move(aead_ctx);
+  ssl->s3->write_level = level;
   return true;
 }
@@ -111,6 +119,7 @@ static const SSL_PROTOCOL_METHOD kDTLSProtocolMethod = {
     dtls1_free,
     dtls1_get_message,
     dtls1_next_message,
+    dtls_has_unprocessed_handshake_data,
     dtls1_open_handshake,
     dtls1_open_change_cipher_spec,
     dtls1_open_app_data,

data/third_party/boringssl-with-bazel/src/ssl/handoff.cc CHANGED

@@ -24,6 +24,17 @@ BSSL_NAMESPACE_BEGIN
 constexpr int kHandoffVersion = 0;
 constexpr int kHandbackVersion = 0;
+// early_data_t represents the state of early data in a more compact way than
+// the 3 bits used by the implementation.
+enum early_data_t {
+  early_data_not_offered = 0,
+  early_data_accepted = 1,
+  early_data_rejected_hrr = 2,
+  early_data_skipped = 3,
+  early_data_max_value = early_data_skipped,
+};
 // serialize_features adds a description of features supported by this binary to
 // |out|.  Returns true on success and false on error.
 static bool serialize_features(CBB *out) {
@@ -246,9 +257,10 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
     case state12_finish_server_handshake:
       type = handback_after_handshake;
       break;
-    // The outer state machine is always in |state12_tls13| for a TLS 1.3
-    // handshake as TLS 1.3 uses |tls13_state|.
     case state12_tls13:
+      if (hs->tls13_state != state13_send_half_rtt_ticket) {
+        return false;
+      }
       type = handback_tls13;
       break;
     default:
@@ -261,8 +273,7 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
   }
   Span<const uint8_t> transcript;
-  if (type == handback_after_ecdhe ||
-      type == handback_after_session_resumption || type == handback_tls13) {
+  if (type != handback_after_handshake) {
     transcript = s3->hs->transcript.buffer();
   }
   size_t write_iv_len = 0;
@@ -332,6 +343,27 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
     return false;
   }
   if (type == handback_tls13) {
+    early_data_t early_data;
+    // Check early data invariants.
+    if (ssl->enable_early_data ==
+        (s3->early_data_reason == ssl_early_data_disabled)) {
+      return false;
+    }
+    if (hs->early_data_offered) {
+      if (s3->early_data_accepted && !s3->skip_early_data) {
+        early_data = early_data_accepted;
+      } else if (!s3->early_data_accepted && !s3->skip_early_data) {
+        early_data = early_data_rejected_hrr;
+      } else if (!s3->early_data_accepted && s3->skip_early_data) {
+        early_data = early_data_skipped;
+      } else {
+        return false;
+      }
+    } else if (!s3->early_data_accepted && !s3->skip_early_data) {
+      early_data = early_data_not_offered;
+    } else {
+      return false;
+    }
     if (!CBB_add_asn1_octet_string(&seq, hs->client_traffic_secret_0().data(),
                                    hs->client_traffic_secret_0().size()) ||
         !CBB_add_asn1_octet_string(&seq, hs->server_traffic_secret_0().data(),
@@ -346,13 +378,28 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
                                    s3->exporter_secret_len) ||
         !CBB_add_asn1_bool(&seq, s3->used_hello_retry_request) ||
         !CBB_add_asn1_bool(&seq, hs->accept_psk_mode) ||
-        !CBB_add_asn1_int64(&seq, s3->ticket_age_skew)) {
+        !CBB_add_asn1_int64(&seq, s3->ticket_age_skew) ||
+        !CBB_add_asn1_uint64(&seq, s3->early_data_reason) ||
+        !CBB_add_asn1_uint64(&seq, early_data)) {
+      return false;
+    }
+    if (early_data == early_data_accepted &&
+        !CBB_add_asn1_octet_string(&seq, hs->early_traffic_secret().data(),
+                                   hs->early_traffic_secret().size())) {
       return false;
     }
   }
   return CBB_flush(out);
 }
+static bool CopyExact(Span<uint8_t> out, const CBS *in) {
+  if (CBS_len(in) != out.size()) {
+    return false;
+  }
+  OPENSSL_memcpy(out.data(), CBS_data(in), out.size());
+  return true;
+}
 bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
   if (ssl->do_handshake != nullptr ||
       ssl->method->is_dtls) {
@@ -360,7 +407,7 @@ bool SSL_apply_handback(SSL *ssl, Span handback) {
   }
   SSL3_STATE *const s3 = ssl->s3;
-  uint64_t handback_version, negotiated_token_binding_param, cipher, type;
+  uint64_t handback_version, negotiated_token_binding_param, cipher, type_u64;
   CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,
       next_proto, alpn, hostname, channel_id, transcript, key_share;
@@ -372,10 +419,12 @@ bool SSL_apply_handback(SSL *ssl, Span handback) {
   if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) ||
       !CBS_get_asn1_uint64(&seq, &handback_version) ||
       handback_version != kHandbackVersion ||
-      !CBS_get_asn1_uint64(&seq, &type)) {
+      !CBS_get_asn1_uint64(&seq, &type_u64) ||
+      type_u64 > handback_max_value) {
     return false;
   }
+  handback_t type = static_cast<handback_t>(type_u64);
   if (!CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||
       CBS_len(&read_seq) != sizeof(s3->read_sequence) ||
       !CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) ||
@@ -432,9 +481,10 @@ bool SSL_apply_handback(SSL *ssl, Span handback) {
     return false;
   }
   CBS client_handshake_secret, server_handshake_secret, client_traffic_secret_0,
-      server_traffic_secret_0, secret, exporter_secret;
+      server_traffic_secret_0, secret, exporter_secret, early_traffic_secret;
   if (type == handback_tls13) {
     int used_hello_retry_request, accept_psk_mode;
+    uint64_t early_data, early_data_reason;
     int64_t ticket_age_skew;
     if (!CBS_get_asn1(&seq, &client_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
         !CBS_get_asn1(&seq, &server_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
@@ -444,7 +494,16 @@ bool SSL_apply_handback(SSL *ssl, Span handback) {
         !CBS_get_asn1(&seq, &exporter_secret, CBS_ASN1_OCTETSTRING) ||
         !CBS_get_asn1_bool(&seq, &used_hello_retry_request) ||
         !CBS_get_asn1_bool(&seq, &accept_psk_mode) ||
-        !CBS_get_asn1_int64(&seq, &ticket_age_skew)) {
+        !CBS_get_asn1_int64(&seq, &ticket_age_skew) ||
+        !CBS_get_asn1_uint64(&seq, &early_data_reason) ||
+        early_data_reason > ssl_early_data_reason_max_value ||
+        !CBS_get_asn1_uint64(&seq, &early_data) ||
+        early_data > early_data_max_value) {
+      return false;
+    }
+    early_data_t early_data_type = static_cast<early_data_t>(early_data);
+    if (early_data_type == early_data_accepted &&
+        !CBS_get_asn1(&seq, &early_traffic_secret, CBS_ASN1_OCTETSTRING)) {
       return false;
     }
     if (ticket_age_skew > std::numeric_limits<int32_t>::max() ||
@@ -454,6 +513,35 @@ bool SSL_apply_handback(SSL *ssl, Span handback) {
     s3->ticket_age_skew = static_cast<int32_t>(ticket_age_skew);
     s3->used_hello_retry_request = used_hello_retry_request;
     hs->accept_psk_mode = accept_psk_mode;
+    s3->early_data_reason =
+        static_cast<ssl_early_data_reason_t>(early_data_reason);
+    ssl->enable_early_data = s3->early_data_reason != ssl_early_data_disabled;
+    s3->skip_early_data = false;
+    s3->early_data_accepted = false;
+    hs->early_data_offered = false;
+    switch (early_data_type) {
+      case early_data_not_offered:
+        break;
+      case early_data_accepted:
+        s3->early_data_accepted = true;
+        hs->early_data_offered = true;
+        hs->can_early_write = true;
+        hs->can_early_read = true;
+        hs->in_early_data = true;
+        break;
+      case early_data_rejected_hrr:
+        hs->early_data_offered = true;
+        break;
+      case early_data_skipped:
+        s3->skip_early_data = true;
+        hs->early_data_offered = true;
+        break;
+      default:
+        return false;
+    }
+  } else {
+    s3->early_data_reason = ssl_early_data_protocol_version;
   }
   ssl->version = session->ssl_version;
@@ -484,7 +572,7 @@ bool SSL_apply_handback(SSL *ssl, Span handback) {
       break;
     case handback_tls13:
       hs->state = state12_tls13;
-      hs->tls13_state = state13_read_client_certificate;
+      hs->tls13_state = state13_send_half_rtt_ticket;
       break;
     default:
       return false;
@@ -515,72 +603,73 @@ bool SSL_apply_handback(SSL *ssl, Span handback) {
   s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
   hs->cert_request = cert_request;
-  // TODO(davidben): When handoff for TLS 1.3 is added, serialize
-  // |early_data_reason| and stabilize the constants.
-  s3->early_data_reason = ssl_early_data_protocol_version;
-  if ((type == handback_after_ecdhe ||
-       type == handback_after_session_resumption || type == handback_tls13) &&
+  if (type != handback_after_handshake &&
       (!hs->transcript.Init() ||
        !hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
        !hs->transcript.Update(transcript))) {
     return false;
   }
   if (type == handback_tls13) {
-    const size_t digest_len = hs->transcript.DigestLen();
-    if (digest_len != CBS_len(&client_traffic_secret_0) ||
-        digest_len != CBS_len(&server_traffic_secret_0) ||
-        digest_len != CBS_len(&client_handshake_secret) ||
-        digest_len != CBS_len(&server_handshake_secret) ||
-        digest_len != CBS_len(&secret)) {
+    hs->ResizeSecrets(hs->transcript.DigestLen());
+    if (!CopyExact(hs->client_traffic_secret_0(), &client_traffic_secret_0) ||
+        !CopyExact(hs->server_traffic_secret_0(), &server_traffic_secret_0) ||
+        !CopyExact(hs->client_handshake_secret(), &client_handshake_secret) ||
+        !CopyExact(hs->server_handshake_secret(), &server_handshake_secret) ||
+        !CopyExact(hs->secret(), &secret) ||
+        !CopyExact({s3->exporter_secret, hs->transcript.DigestLen()},
+                   &exporter_secret)) {
       return false;
     }
-    hs->ResizeSecrets(digest_len);
-    memcpy(hs->client_traffic_secret_0().data(),
-           CBS_data(&client_traffic_secret_0), digest_len);
-    memcpy(hs->server_traffic_secret_0().data(),
-           CBS_data(&server_traffic_secret_0), digest_len);
-    memcpy(hs->client_handshake_secret().data(),
-           CBS_data(&client_handshake_secret), digest_len);
-    memcpy(hs->server_handshake_secret().data(),
-           CBS_data(&server_handshake_secret), digest_len);
-    memcpy(hs->secret().data(), CBS_data(&secret), digest_len);
-    if (digest_len != CBS_len(&exporter_secret)) {
+    s3->exporter_secret_len = CBS_len(&exporter_secret);
+    if (s3->early_data_accepted &&
+        !CopyExact(hs->early_traffic_secret(), &early_traffic_secret)) {
       return false;
     }
-    memcpy(s3->exporter_secret, CBS_data(&exporter_secret), digest_len);
-    s3->exporter_secret_len = digest_len;
   }
   Array<uint8_t> key_block;
-  if ((type == handback_after_session_resumption ||
-       type == handback_after_handshake) &&
-      (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session->cipher,
-                            write_iv) ||
-       !CBS_copy_bytes(&write_seq, s3->write_sequence,
-                       sizeof(s3->write_sequence)))) {
-    return false;
-  }
-  if (type == handback_after_handshake &&
-      (!tls1_configure_aead(ssl, evp_aead_open, &key_block, session->cipher,
-                            read_iv) ||
-       !CBS_copy_bytes(&read_seq, s3->read_sequence,
-                       sizeof(s3->read_sequence)))) {
-    return false;
+  switch (type) {
+    case handback_after_session_resumption:
+      // The write keys are installed after server Finished, but the client
+      // keys must wait for ChangeCipherSpec.
+      if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
+                               write_iv)) {
+        return false;
+      }
+      break;
+    case handback_after_ecdhe:
+      // The premaster secret is not yet computed, so install no keys.
+      break;
+    case handback_after_handshake:
+      // The handshake is complete, so both keys are installed.
+      if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
+                               write_iv) ||
+          !tls1_configure_aead(ssl, evp_aead_open, &key_block, session,
+                               read_iv)) {
+        return false;
+      }
+      break;
+    case handback_tls13:
+      // After server Finished, the application write keys are installed, but
+      // none of the read keys. The read keys are installed in the state machine
+      // immediately after processing handback.
+      if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
+                                 hs->new_session.get(),
+                                 hs->server_traffic_secret_0())) {
+        return false;
+      }
+      break;
   }
-  if (type == handback_tls13 &&
-      (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
-                              hs->client_handshake_secret()) ||
-       !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
-                              hs->server_traffic_secret_0()))) {
+  if (!CopyExact({s3->read_sequence, sizeof(s3->read_sequence)}, &read_seq) ||
+      !CopyExact({s3->write_sequence, sizeof(s3->write_sequence)},
+                 &write_seq)) {
     return false;
   }
   if (type == handback_after_ecdhe &&
       (hs->key_shares[0] = SSLKeyShare::Create(&key_share)) == nullptr) {
     return false;
   }
-  return CBS_len(&seq) == 0;
+  return true;  // Trailing data allowed for extensibility.
 }
 BSSL_NAMESPACE_END

data/third_party/boringssl-with-bazel/src/ssl/handshake.cc CHANGED

@@ -441,7 +441,7 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) {
   uint8_t finished[EVP_MAX_MD_SIZE];
   size_t finished_len;
   if (!hs->transcript.GetFinishedMAC(finished, &finished_len,
-                                     SSL_get_session(ssl), !ssl->server) ||
+                                     ssl_handshake_session(hs), !ssl->server) ||
       !ssl_hash_message(hs, msg)) {
     return ssl_hs_error;
   }
@@ -471,13 +471,20 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) {
     ssl->s3->previous_server_finished_len = finished_len;
   }
+  // The Finished message should be the end of a flight.
+  if (ssl->method->has_unprocessed_handshake_data(ssl)) {
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+    OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
+    return ssl_hs_error;
+  }
   ssl->method->next_message(ssl);
   return ssl_hs_ok;
 }
 bool ssl_send_finished(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
-  const SSL_SESSION *session = SSL_get_session(ssl);
+  const SSL_SESSION *session = ssl_handshake_session(hs);
   uint8_t finished[EVP_MAX_MD_SIZE];
   size_t finished_len;
@@ -534,6 +541,13 @@ bool ssl_output_cert_chain(SSL_HANDSHAKE *hs) {
   return true;
 }
+const SSL_SESSION *ssl_handshake_session(const SSL_HANDSHAKE *hs) {
+  if (hs->new_session) {
+    return hs->new_session.get();
+  }
+  return hs->ssl->session.get();
+}
 int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return) {
   SSL *const ssl = hs->ssl;
   for (;;) {
@@ -621,10 +635,15 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return) {
         hs->wait = ssl_hs_ok;
         return -1;
-      case ssl_hs_handback:
+      case ssl_hs_handback: {
+        int ret = ssl->method->flush_flight(ssl);
+        if (ret <= 0) {
+          return ret;
+        }
         ssl->s3->rwstate = SSL_ERROR_HANDBACK;
         hs->wait = ssl_hs_handback;
         return -1;
+      }
       case ssl_hs_x509_lookup:
         ssl->s3->rwstate = SSL_ERROR_WANT_X509_LOOKUP;
@@ -658,9 +677,8 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return) {
       case ssl_hs_early_data_rejected:
         assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
+        assert(!hs->can_early_write);
         ssl->s3->rwstate = SSL_ERROR_EARLY_DATA_REJECTED;
-        // Cause |SSL_write| to start failing immediately.
-        hs->can_early_write = false;
         return -1;
       case ssl_hs_early_return: