RubyGems - grpc - Versions diffs - 1.28.0 → 1.31.0.pre2 - Mend

grpc 1.28.0 → 1.31.0.pre2

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (707) hide show

data/third_party/boringssl-with-bazel/src/ssl/t1_lib.cc CHANGED

@@ -413,7 +413,6 @@ bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
 // algorithms for verifying.
 static const uint16_t kVerifySignatureAlgorithms[] = {
     // List our preferred algorithms first.
-    SSL_SIGN_ED25519,
     SSL_SIGN_ECDSA_SECP256R1_SHA256,
     SSL_SIGN_RSA_PSS_RSAE_SHA256,
     SSL_SIGN_RSA_PKCS1_SHA256,
@@ -455,39 +454,15 @@ static const uint16_t kSignSignatureAlgorithms[] = {
     SSL_SIGN_RSA_PKCS1_SHA1,
 };
-struct SSLSignatureAlgorithmList {
-  bool Next(uint16_t *out) {
-    while (!list.empty()) {
-      uint16_t sigalg = list[0];
-      list = list.subspan(1);
-      if (skip_ed25519 && sigalg == SSL_SIGN_ED25519) {
-        continue;
-      }
-      *out = sigalg;
-      return true;
-    }
-    return false;
+static Span<const uint16_t> tls12_get_verify_sigalgs(const SSL_HANDSHAKE *hs) {
+  if (hs->config->verify_sigalgs.empty()) {
+    return Span<const uint16_t>(kVerifySignatureAlgorithms);
   }
-  Span<const uint16_t> list;
-  bool skip_ed25519 = false;
-};
-static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl) {
-  SSLSignatureAlgorithmList ret;
-  if (!ssl->config->verify_sigalgs.empty()) {
-    ret.list = ssl->config->verify_sigalgs;
-  } else {
-    ret.list = kVerifySignatureAlgorithms;
-    ret.skip_ed25519 = !ssl->ctx->ed25519_enabled;
-  }
-  return ret;
+  return hs->config->verify_sigalgs;
 }
-bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
-  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl);
-  uint16_t sigalg;
-  while (list.Next(&sigalg)) {
+bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out) {
+  for (uint16_t sigalg : tls12_get_verify_sigalgs(hs)) {
     if (!CBB_add_u16(out, sigalg)) {
       return false;
     }
@@ -495,11 +470,9 @@ bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
   return true;
 }
-bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
+bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
                              uint16_t sigalg) {
-  SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl);
-  uint16_t verify_sigalg;
-  while (list.Next(&verify_sigalg)) {
+  for (uint16_t verify_sigalg : tls12_get_verify_sigalgs(hs)) {
     if (verify_sigalg == sigalg) {
       return true;
     }
@@ -936,7 +909,6 @@ static bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
 static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
-  SSL *const ssl = hs->ssl;
   if (hs->max_version < TLS1_2_VERSION) {
     return true;
   }
@@ -945,7 +917,7 @@ static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
       !CBB_add_u16_length_prefixed(out, &contents) ||
       !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
-      !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb) ||
+      !tls12_add_verify_sigalgs(hs, &sigalgs_cbb) ||
       !CBB_flush(out)) {
     return false;
   }
@@ -2575,10 +2547,17 @@ static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
                                                       CBB *out) {
-  if (hs->config->quic_transport_params.empty() ||
-      hs->max_version <= TLS1_2_VERSION) {
+  if (hs->config->quic_transport_params.empty() && !hs->ssl->quic_method) {
     return true;
   }
+  if (hs->config->quic_transport_params.empty() || !hs->ssl->quic_method) {
+    // QUIC Transport Parameters must be sent over QUIC, and they must not be
+    // sent over non-QUIC transports. If transport params are set, then
+    // SSL(_CTX)_set_quic_method must also be called.
+    OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
+    return false;
+  }
+  assert(hs->min_version > TLS1_2_VERSION);
   CBB contents;
   if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
@@ -2596,13 +2575,19 @@ static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
                                                         CBS *contents) {
   SSL *const ssl = hs->ssl;
   if (contents == nullptr) {
-    return true;
+    if (!ssl->quic_method) {
+      return true;
+    }
+    assert(ssl->quic_method);
+    *out_alert = SSL_AD_MISSING_EXTENSION;
+    return false;
   }
-  // QUIC requires TLS 1.3.
-  if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
+  if (!ssl->quic_method) {
     *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
     return false;
   }
+  // QUIC requires TLS 1.3.
+  assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
   return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
 }
@@ -2611,21 +2596,34 @@ static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
                                                         uint8_t *out_alert,
                                                         CBS *contents) {
   SSL *const ssl = hs->ssl;
-  if (!contents || hs->config->quic_transport_params.empty()) {
-    return true;
+  if (!contents) {
+    if (!ssl->quic_method) {
+      if (hs->config->quic_transport_params.empty()) {
+        return true;
+      }
+      // QUIC transport parameters must not be set if |ssl| is not configured
+      // for QUIC.
+      OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
+      *out_alert = SSL_AD_INTERNAL_ERROR;
+    }
+    *out_alert = SSL_AD_MISSING_EXTENSION;
+    return false;
   }
-  // Ignore the extension before TLS 1.3.
-  if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
-    return true;
+  if (!ssl->quic_method) {
+    *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
+    return false;
   }
+  assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
   return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
 }
 static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
                                                       CBB *out) {
+  assert(hs->ssl->quic_method != nullptr);
   if (hs->config->quic_transport_params.empty()) {
-    return true;
+    // Transport parameters must be set when using QUIC.
+    OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
+    return false;
   }
   CBB contents;
@@ -3870,7 +3868,3 @@ int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
   *out_len = CBS_len(&cbs);
   return 1;
 }
-void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
-  ctx->ed25519_enabled = !!enabled;
-}

data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc CHANGED

@@ -356,7 +356,7 @@ bool tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg)
   }
   uint8_t alert = SSL_AD_DECODE_ERROR;
-  if (!tls12_check_peer_sigalg(ssl, &alert, signature_algorithm)) {
+  if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm)) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
     return false;
   }

data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc CHANGED

@@ -52,6 +52,54 @@ enum client_hs_state_t {
 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
+// end_of_early_data closes the early data stream for |hs| and switches the
+// encryption level to |level|. It returns true on success and false on error.
+static bool close_early_data(SSL_HANDSHAKE *hs, ssl_encryption_level_t level) {
+  SSL *const ssl = hs->ssl;
+  assert(hs->in_early_data);
+  // Note |can_early_write| may already be false if |SSL_write| exceeded the
+  // early data write limit.
+  hs->can_early_write = false;
+  // 0-RTT write states on the client differ between TLS 1.3, DTLS 1.3, and
+  // QUIC. TLS 1.3 has one write encryption level at a time. 0-RTT write keys
+  // overwrite the null cipher and defer handshake write keys. While a
+  // HelloRetryRequest can cause us to rewind back to the null cipher, sequence
+  // numbers have no effect, so we can install a "new" null cipher.
+  //
+  // In QUIC and DTLS 1.3, 0-RTT write state cannot override or defer the normal
+  // write state. The two ClientHello sequence numbers must align, and handshake
+  // write keys must be installed early to ACK the EncryptedExtensions.
+  //
+  // We do not currently implement DTLS 1.3 and, in QUIC, the caller handles
+  // 0-RTT data, so we can skip installing 0-RTT keys and act as if there is one
+  // write level. If we implement DTLS 1.3, we'll need to model this better.
+  if (ssl->quic_method == nullptr) {
+    if (level == ssl_encryption_initial) {
+      bssl::UniquePtr<SSLAEADContext> null_ctx =
+          SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));
+      if (!null_ctx ||
+          !ssl->method->set_write_state(ssl, ssl_encryption_initial,
+                                        std::move(null_ctx),
+                                        /*secret_for_quic=*/{})) {
+        return false;
+      }
+      ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
+    } else {
+      assert(level == ssl_encryption_handshake);
+      if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
+                                 hs->new_session.get(),
+                                 hs->client_handshake_secret())) {
+        return false;
+      }
+    }
+  }
+  assert(ssl->s3->write_level == level);
+  return true;
+}
 static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   assert(ssl->s3->have_version);
@@ -183,28 +231,30 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
+  // HelloRetryRequest should be the end of the flight.
+  if (ssl->method->has_unprocessed_handshake_data(ssl)) {
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+    OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
+    return ssl_hs_error;
+  }
   ssl->method->next_message(ssl);
   ssl->s3->used_hello_retry_request = true;
   hs->tls13_state = state_send_second_client_hello;
   // 0-RTT is rejected if we receive a HelloRetryRequest.
   if (hs->in_early_data) {
     ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
+    if (!close_early_data(hs, ssl_encryption_initial)) {
+      return ssl_hs_error;
+    }
     return ssl_hs_early_data_rejected;
   }
   return ssl_hs_ok;
 }
 static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
-  SSL *const ssl = hs->ssl;
-  // Restore the null cipher. We may have switched due to 0-RTT.
-  bssl::UniquePtr<SSLAEADContext> null_ctx =
-      SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));
-  if (!null_ctx ||
-      !ssl->method->set_write_state(ssl, std::move(null_ctx))) {
-    return ssl_hs_error;
-  }
-  ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
+  // Any 0-RTT keys must have been discarded.
+  assert(hs->ssl->s3->write_level == ssl_encryption_initial);
   if (!ssl_write_client_hello(hs)) {
     return ssl_hs_error;
@@ -391,21 +441,28 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
   if (!tls13_advance_key_schedule(hs, dhe_secret) ||
       !ssl_hash_message(hs, msg) ||
-      !tls13_derive_handshake_secrets(hs) ||
-      !tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
-                             hs->server_handshake_secret())) {
+      !tls13_derive_handshake_secrets(hs)) {
     return ssl_hs_error;
   }
-  if (!hs->early_data_offered) {
-    // If not sending early data, set client traffic keys now so that alerts are
-    // encrypted.
+  // If currently sending early data over TCP, we defer installing client
+  // traffic keys to when the early data stream is closed. See
+  // |close_early_data|. Note if the server has already rejected 0-RTT via
+  // HelloRetryRequest, |in_early_data| is already false.
+  if (!hs->in_early_data || ssl->quic_method != nullptr) {
     if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
+                               hs->new_session.get(),
                                hs->client_handshake_secret())) {
       return ssl_hs_error;
     }
   }
+  if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
+                             hs->new_session.get(),
+                             hs->server_handshake_secret())) {
+    return ssl_hs_error;
+  }
   ssl->method->next_message(ssl);
   hs->tls13_state = state_read_encrypted_extensions;
   return ssl_hs_ok;
@@ -439,14 +496,20 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
   }
   if (ssl->s3->early_data_accepted) {
-    if (hs->early_session->cipher != hs->new_session->cipher ||
-        MakeConstSpan(hs->early_session->early_alpn) !=
-            ssl->s3->alpn_selected) {
+    if (hs->early_session->cipher != hs->new_session->cipher) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_CIPHER_MISMATCH_ON_EARLY_DATA);
+      ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+      return ssl_hs_error;
+    }
+    if (MakeConstSpan(hs->early_session->early_alpn) !=
+        ssl->s3->alpn_selected) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);
+      ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
       return ssl_hs_error;
     }
     if (ssl->s3->channel_id_valid || ssl->s3->token_binding_negotiated) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);
+      ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
       return ssl_hs_error;
     }
   }
@@ -458,6 +521,9 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
   ssl->method->next_message(ssl);
   hs->tls13_state = state_read_certificate_request;
   if (hs->in_early_data && !ssl->s3->early_data_accepted) {
+    if (!close_early_data(hs, ssl_encryption_handshake)) {
+      return ssl_hs_error;
+    }
     return ssl_hs_early_data_rejected;
   }
   return ssl_hs_ok;
@@ -622,6 +688,13 @@ static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
+  // Finished should be the end of the flight.
+  if (ssl->method->has_unprocessed_handshake_data(ssl)) {
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+    OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
+    return ssl_hs_error;
+  }
   ssl->method->next_message(ssl);
   hs->tls13_state = state_send_end_of_early_data;
   return ssl_hs_ok;
@@ -631,7 +704,6 @@ static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   if (ssl->s3->early_data_accepted) {
-    hs->can_early_write = false;
     // QUIC omits the EndOfEarlyData message. See draft-ietf-quic-tls-22,
     // section 8.3.
     if (ssl->quic_method == nullptr) {
@@ -643,11 +715,8 @@ static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
         return ssl_hs_error;
       }
     }
-  }
-  if (hs->early_data_offered) {
-    if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
-                               hs->client_handshake_secret())) {
+    if (!close_early_data(hs, ssl_encryption_handshake)) {
       return ssl_hs_error;
     }
   }
@@ -741,10 +810,12 @@ static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
   }
   // Derive the final keys and enable them.
-  if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
-                             hs->server_traffic_secret_0()) ||
-      !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
+  if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
+                             hs->new_session.get(),
                              hs->client_traffic_secret_0()) ||
+      !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
+                             hs->new_session.get(),
+                             hs->server_traffic_secret_0()) ||
       !tls13_derive_resumption_secret(hs)) {
     return ssl_hs_error;
   }
@@ -860,26 +931,43 @@ bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
     return true;
   }
+  CBS body = msg.body;
+  UniquePtr<SSL_SESSION> session = tls13_create_session_with_ticket(ssl, &body);
+  if (!session) {
+    return false;
+  }
+  if ((ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&
+      ssl->session_ctx->new_session_cb != NULL &&
+      ssl->session_ctx->new_session_cb(ssl, session.get())) {
+    // |new_session_cb|'s return value signals that it took ownership.
+    session.release();
+  }
+  return true;
+}
+UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl, CBS *body) {
   UniquePtr<SSL_SESSION> session = SSL_SESSION_dup(
       ssl->s3->established_session.get(), SSL_SESSION_INCLUDE_NONAUTH);
   if (!session) {
-    return false;
+    return nullptr;
   }
   ssl_session_rebase_time(ssl, session.get());
   uint32_t server_timeout;
-  CBS body = msg.body, ticket_nonce, ticket, extensions;
-  if (!CBS_get_u32(&body, &server_timeout) ||
-      !CBS_get_u32(&body, &session->ticket_age_add) ||
-      !CBS_get_u8_length_prefixed(&body, &ticket_nonce) ||
-      !CBS_get_u16_length_prefixed(&body, &ticket) ||
+  CBS ticket_nonce, ticket, extensions;
+  if (!CBS_get_u32(body, &server_timeout) ||
+      !CBS_get_u32(body, &session->ticket_age_add) ||
+      !CBS_get_u8_length_prefixed(body, &ticket_nonce) ||
+      !CBS_get_u16_length_prefixed(body, &ticket) ||
       !session->ticket.CopyFrom(ticket) ||
-      !CBS_get_u16_length_prefixed(&body, &extensions) ||
-      CBS_len(&body) != 0) {
+      !CBS_get_u16_length_prefixed(body, &extensions) ||
+      CBS_len(body) != 0) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-    return false;
+    return nullptr;
   }
   // Cap the renewable lifetime by the server advertised value. This avoids
@@ -889,7 +977,7 @@ bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
   }
   if (!tls13_derive_session_psk(session.get(), ticket_nonce)) {
-    return false;
+    return nullptr;
   }
   // Parse out the extensions.
@@ -904,7 +992,7 @@ bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
                             OPENSSL_ARRAY_SIZE(ext_types),
                             1 /* ignore unknown */)) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
-    return false;
+    return nullptr;
   }
   if (have_early_data) {
@@ -912,7 +1000,7 @@ bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
         CBS_len(&early_data) != 0) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-      return false;
+      return nullptr;
     }
     // QUIC does not use the max_early_data_size parameter and always sets it to
@@ -921,7 +1009,7 @@ bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
         session->ticket_max_early_data != 0xffffffff) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-      return false;
+      return nullptr;
     }
   }
@@ -933,14 +1021,7 @@ bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
   session->ticket_age_add_valid = true;
   session->not_resumable = false;
-  if ((ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&
-      ssl->session_ctx->new_session_cb != NULL &&
-      ssl->session_ctx->new_session_cb(ssl, session.get())) {
-    // |new_session_cb|'s return value signals that it took ownership.
-    session.release();
-  }
-  return true;
+  return session;
 }
 BSSL_NAMESPACE_END