grpc 1.32.0 → 1.33.0.pre1
- checksums.yaml +4 -4
- data/Makefile +175 -376
- data/include/grpc/grpc.h +0 -5
- data/include/grpc/grpc_security.h +16 -0
- data/include/grpc/impl/codegen/grpc_types.h +0 -5
- data/src/core/ext/filters/client_channel/client_channel.cc +204 -170
- data/src/core/ext/filters/client_channel/config_selector.cc +0 -4
- data/src/core/ext/filters/client_channel/config_selector.h +34 -5
- data/src/core/ext/filters/client_channel/lb_policy.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.cc +48 -35
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.h +7 -5
- data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.cc +3 -2
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +106 -106
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +2 -2
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +3 -3
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +3 -3
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +9 -32
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +3 -3
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +198 -126
- data/src/core/ext/filters/client_channel/lb_policy/xds/eds.cc +439 -249
- data/src/core/ext/filters/client_channel/lb_policy/xds/eds_drop.cc +571 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +727 -0
- data/src/core/ext/filters/client_channel/lb_policy_registry.cc +8 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +553 -358
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.h +28 -0
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +8 -39
- data/src/core/ext/filters/client_channel/resolver_result_parsing.h +4 -2
- data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +44 -43
- data/src/core/ext/filters/client_channel/resolving_lb_policy.h +5 -9
- data/src/core/ext/filters/client_channel/server_address.cc +80 -0
- data/src/core/ext/filters/client_channel/server_address.h +25 -36
- data/src/core/ext/filters/client_channel/service_config.cc +16 -13
- data/src/core/ext/filters/client_channel/service_config.h +7 -4
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +2 -2
- data/src/core/ext/filters/client_channel/service_config_parser.cc +8 -6
- data/src/core/ext/filters/client_channel/service_config_parser.h +8 -5
- data/src/core/ext/filters/client_channel/subchannel_interface.h +44 -0
- data/src/core/ext/filters/message_size/message_size_filter.cc +2 -1
- data/src/core/ext/filters/message_size/message_size_filter.h +2 -1
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +17 -10
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +10 -2
- data/src/core/ext/transport/chttp2/transport/flow_control.h +10 -0
- data/src/core/ext/transport/chttp2/transport/internal.h +5 -0
- data/src/core/ext/transport/chttp2/transport/parsing.cc +16 -2
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.c +29 -9
- data/src/core/ext/upb-generated/envoy/config/accesslog/v3/accesslog.upb.h +66 -0
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.c +123 -45
- data/src/core/ext/upb-generated/envoy/config/cluster/v3/cluster.upb.h +310 -53
- data/src/core/ext/upb-generated/envoy/config/core/v3/address.upb.c +17 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/address.upb.h +45 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/base.upb.c +1 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.c +16 -9
- data/src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h +38 -15
- data/src/core/ext/upb-generated/envoy/config/core/v3/extension.upb.c +53 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/extension.upb.h +133 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/grpc_service.upb.c +54 -8
- data/src/core/ext/upb-generated/envoy/config/core/v3/grpc_service.upb.h +123 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +40 -16
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +114 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c +36 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.h +85 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +36 -16
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +86 -20
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.c +23 -6
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener_components.upb.h +54 -5
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +10 -6
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +28 -11
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +184 -57
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +504 -69
- data/src/core/ext/upb-generated/envoy/config/route/v3/scoped_route.upb.c +6 -5
- data/src/core/ext/upb-generated/envoy/config/route/v3/scoped_route.upb.h +11 -7
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +78 -26
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +236 -25
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.c +8 -9
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/common.upb.h +19 -33
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.c +7 -3
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/secret.upb.h +16 -0
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.c +65 -23
- data/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/tls.upb.h +229 -47
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.c +20 -10
- data/src/core/ext/upb-generated/envoy/service/discovery/v3/discovery.upb.h +67 -4
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.c +3 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/string.upb.h +6 -0
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/checked.upb.c +242 -0
- data/src/core/ext/upb-generated/google/api/expr/v1alpha1/checked.upb.h +753 -0
- data/src/core/ext/upb-generated/udpa/annotations/security.upb.c +31 -0
- data/src/core/ext/upb-generated/udpa/annotations/security.upb.h +57 -0
- data/src/core/ext/upb-generated/udpa/core/v1/authority.upb.c +28 -0
- data/src/core/ext/upb-generated/udpa/core/v1/authority.upb.h +53 -0
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.c +52 -0
- data/src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.h +129 -0
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.c +42 -0
- data/src/core/ext/upb-generated/udpa/core/v1/context_params.upb.h +77 -0
- data/src/core/ext/upb-generated/udpa/core/v1/resource.upb.c +36 -0
- data/src/core/ext/upb-generated/udpa/core/v1/resource.upb.h +85 -0
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.c +54 -0
- data/src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.h +160 -0
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.c +36 -0
- data/src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.h +84 -0
- data/src/core/ext/xds/certificate_provider_factory.h +59 -0
- data/src/core/ext/xds/certificate_provider_registry.cc +103 -0
- data/src/core/ext/xds/certificate_provider_registry.h +57 -0
- data/src/core/ext/xds/certificate_provider_store.h +50 -0
- data/src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc +377 -0
- data/src/core/ext/xds/google_mesh_ca_certificate_provider_factory.h +102 -0
- data/src/core/ext/xds/xds_api.cc +301 -93
- data/src/core/ext/xds/xds_api.h +129 -92
- data/src/core/ext/xds/xds_channel_args.h +6 -3
- data/src/core/ext/xds/xds_client.cc +498 -410
- data/src/core/ext/xds/xds_client.h +105 -51
- data/src/core/ext/xds/xds_client_stats.cc +18 -12
- data/src/core/ext/xds/xds_client_stats.h +33 -5
- data/src/core/lib/channel/channel_args.h +0 -1
- data/src/core/lib/channel/channelz.cc +10 -45
- data/src/core/lib/channel/channelz.h +11 -19
- data/src/core/lib/channel/channelz_registry.cc +12 -11
- data/src/core/lib/channel/channelz_registry.h +3 -0
- data/src/core/lib/gpr/time_precise.cc +2 -0
- data/src/core/lib/gpr/time_precise.h +6 -2
- data/src/core/lib/gprpp/dual_ref_counted.h +336 -0
- data/src/core/lib/gprpp/ref_counted.h +51 -22
- data/src/core/lib/gprpp/ref_counted_ptr.h +153 -0
- data/src/core/lib/iomgr/endpoint_cfstream.cc +9 -5
- data/src/core/lib/iomgr/exec_ctx.h +10 -8
- data/src/core/lib/json/json_util.cc +58 -0
- data/src/core/lib/json/json_util.h +37 -0
- data/src/core/lib/security/certificate_provider.h +60 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc +321 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h +214 -0
- data/src/core/lib/security/credentials/xds/xds_credentials.cc +45 -0
- data/src/core/lib/security/credentials/xds/xds_credentials.h +51 -0
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +6 -10
- data/src/core/lib/security/security_connector/ssl_utils.h +5 -0
- data/src/core/lib/surface/channel.cc +9 -31
- data/src/core/lib/surface/channel.h +6 -1
- data/src/core/lib/surface/init.cc +26 -9
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/bdp_estimator.h +2 -1
- data/src/core/lib/transport/connectivity_state.h +2 -2
- data/src/core/lib/transport/metadata.cc +11 -1
- data/src/core/plugin_registry/grpc_plugin_registry.cc +35 -20
- data/src/core/tsi/ssl_transport_security.cc +2 -2
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +2 -2
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +3 -3
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/err_data.c +465 -463
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +0 -6
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +9 -43
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +55 -4
- data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +34 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +6 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +30 -10
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +10 -15
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +98 -11
- data/third_party/boringssl-with-bazel/src/crypto/hpke/internal.h +51 -6
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +44 -2
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +221 -49
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +64 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_strex.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +0 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +7 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +21 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +24 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +67 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +29 -35
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +13 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +10 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +28 -40
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +3 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +7 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +55 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +0 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +6 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +12 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +9 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +4 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +9 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +26 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +188 -78
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +52 -43
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +18 -18
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +2 -3
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +9 -9
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +8 -9
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +1 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +4 -8
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +2 -2
- metadata +72 -42
- data/src/core/ext/filters/client_channel/lb_policy/xds/lrs.cc +0 -537
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_routing.cc +0 -1141
- data/src/core/ext/upb-generated/gogoproto/gogo.upb.c +0 -17
- data/src/core/ext/upb-generated/gogoproto/gogo.upb.h +0 -29
- data/src/core/ext/xds/xds_channel.h +0 -46
- data/src/core/ext/xds/xds_channel_secure.cc +0 -103
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pku.c +0 -110
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_sxnet.c +0 -274
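--- a/data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c
+++ b/data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c
@@ -424,12 +424,6 @@ int ASN1_STRING_length(const ASN1_STRING *x)
 return M_ASN1_STRING_length(x);
 }
 
-void ASN1_STRING_length_set(ASN1_STRING *x, int len)
-{
-M_ASN1_STRING_length_set(x, len);
-return;
-}
-
 int ASN1_STRING_type(const ASN1_STRING *x)
 {
 return M_ASN1_STRING_type(x);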
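--- a/data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c
+++ b/data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c
@@ -72,12 +72,11 @@
 #include <openssl/sha.h>
 #include <openssl/thread.h>
 
+#include "internal.h"
 #include "../fipsmodule/bn/internal.h"
 #include "../internal.h"
 
 
-#define OPENSSL_DSA_MAX_MODULUS_BITS 10000
-
 // Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
 // Miller-Rabin.
 #define DSS_prime_checks 50
@@ -568,23 +567,7 @@ static int mod_mul_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
 }
 
 DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa) {
-if (!dsa
-OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);
-return NULL;
-}
-
-// Reject invalid parameters. In particular, the algorithm will infinite loop
-// if |g| is zero.
-if (BN_is_zero(dsa->p) || BN_is_zero(dsa->q) || BN_is_zero(dsa->g)) {
-OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);
-return NULL;
-}
-
-// We only support DSA keys that are a multiple of 8 bits. (This is a weaker
-// check than the one in |DSA_do_check_signature|, which only allows 160-,
-// 224-, and 256-bit keys.
-if (BN_num_bits(dsa->q) % 8 != 0) {
-OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);
+if (!dsa_check_parameters(dsa)) {
 return NULL;
 }
 
@@ -678,35 +661,17 @@ int DSA_do_verify(const uint8_t *digest, size_t digest_len, DSA_SIG *sig,
 
 int DSA_do_check_signature(int *out_valid, const uint8_t *digest,
 size_t digest_len, DSA_SIG *sig, const DSA *dsa) {
-BN_CTX *ctx;
-BIGNUM u1, u2, t1;
-int ret = 0;
-unsigned i;
-
 *out_valid = 0;
-
-if (!dsa->p || !dsa->q || !dsa->g) {
-OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);
-return 0;
-}
-
-i = BN_num_bits(dsa->q);
-// FIPS 186-3 allows only different sizes for q.
-if (i != 160 && i != 224 && i != 256) {
-OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);
-return 0;
-}
-
-if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
-OPENSSL_PUT_ERROR(DSA, DSA_R_MODULUS_TOO_LARGE);
+if (!dsa_check_parameters(dsa)) {
 return 0;
 }
 
+int ret = 0;
+BIGNUM u1, u2, t1;
 BN_init(&u1);
 BN_init(&u2);
 BN_init(&t1);
-
-ctx = BN_CTX_new();
+BN_CTX *ctx = BN_CTX_new();
 if (ctx == NULL) {
 goto err;
 }
@@ -729,11 +694,12 @@ int DSA_do_check_signature(int *out_valid, const uint8_t *digest,
 }
 
 // save M in u1
-
+unsigned q_bits = BN_num_bits(dsa->q);
+if (digest_len > (q_bits >> 3)) {
 // if the digest length is greater than the size of q use the
 // BN_num_bits(dsa->q) leftmost bits of the digest, see
 // fips 186-3, 4.2
-digest_len = (
+digest_len = (q_bits >> 3);
 }
 
 if (BN_bin2bn(digest, digest_len, &u1) == NULL) {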
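Review bot: DSA_do_sign now rejects any q that is not exactly 160, 224 or 256 bits, because `dsa_check_parameters` replaces the old `BN_num_bits(dsa->q) % 8 != 0` test that the removed comment itself described as the weaker check; FIPS keys are unaffected, but callers holding non-standard parameters that used to sign fine will now get DSA_R_BAD_Q_VALUE from DSA_do_sign with no hint in this function. That tightening deserves a sentence in DSA_do_sign's header comment and the release notes, e.g. `// Signing requires a FIPS 186-4 q size (160, 224 or 256 bits); see dsa_check_parameters.`. Worth recording at `if (digest_len > (q_bits >> 3))` as well: since q_bits is one of those three values, `q_bits >> 3` is now exact and the "leftmost bits" comment holds byte-for-byte, which it did not under the old 8-bit-multiple check. DSA_do_sign and DSA_do_check_signature both continue outside these hunks.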
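--- a/data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c
+++ b/data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c
@@ -61,9 +61,45 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
+#include "internal.h"
 #include "../bytestring/internal.h"
 
 
+#define OPENSSL_DSA_MAX_MODULUS_BITS 10000
+
+// This function is in dsa_asn1.c rather than dsa.c because it is reachable from
+// |EVP_PKEY| parsers. This makes it easier for the static linker to drop most
+// of the DSA implementation.
+int dsa_check_parameters(const DSA *dsa) {
+if (!dsa->p || !dsa->q || !dsa->g) {
+OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);
+return 0;
+}
+
+// Reject invalid parameters. In particular, signing will infinite loop if |g|
+// is zero.
+if (BN_is_zero(dsa->p) || BN_is_zero(dsa->q) || BN_is_zero(dsa->g)) {
+OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);
+return 0;
+}
+
+// FIPS 186-4 allows only three different sizes for q.
+unsigned q_bits = BN_num_bits(dsa->q);
+if (q_bits != 160 && q_bits != 224 && q_bits != 256) {
+OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);
+return 0;
+}
+
+// Bound |dsa->p| to avoid a DoS vector. Note this limit is much larger than
+// the one in FIPS 186-4, which only allows L = 1024, 2048, and 3072.
+if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+OPENSSL_PUT_ERROR(DSA, DSA_R_MODULUS_TOO_LARGE);
+return 0;
+}
+
+return 1;
+}
+
 static int parse_integer(CBS *cbs, BIGNUM **out) {
 assert(*out == NULL);
 *out = BN_new();
@@ -124,10 +160,16 @@ DSA *DSA_parse_public_key(CBS *cbs) {
 !parse_integer(&child, &ret->g) ||
 CBS_len(&child) != 0) {
 OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
-
-
+goto err;
+}
+if (!dsa_check_parameters(ret)) {
+goto err;
 }
 return ret;
+
+err:
+DSA_free(ret);
+return NULL;
 }
 
 int DSA_marshal_public_key(CBB *cbb, const DSA *dsa) {
@@ -156,10 +198,16 @@ DSA *DSA_parse_parameters(CBS *cbs) {
 !parse_integer(&child, &ret->g) ||
 CBS_len(&child) != 0) {
 OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
-
-
+goto err;
+}
+if (!dsa_check_parameters(ret)) {
+goto err;
 }
 return ret;
+
+err:
+DSA_free(ret);
+return NULL;
 }
 
 int DSA_marshal_parameters(CBB *cbb, const DSA *dsa) {
@@ -203,6 +251,9 @@ DSA *DSA_parse_private_key(CBS *cbs) {
 OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
 goto err;
 }
+if (!dsa_check_parameters(ret)) {
+goto err;
+}
 return ret;
 
 err: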
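Review bot: `dsa_check_parameters` bounds the sizes of p and q individually but never relates them, so a parameter set with q >= p or g >= p passes every check added here and is handed on unchanged by DSA_parse_public_key, DSA_parse_parameters and DSA_parse_private_key. Whether the sign/verify arithmetic tolerates such groups is not visible in this diff, but since the function's declared job is to keep later operations within bounds, either add `if (BN_cmp(dsa->q, dsa->p) >= 0 || BN_cmp(dsa->g, dsa->p) >= 0) { OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS); return 0; }` after the modulus-size check, or state in the function comment that only sizes, not relations between the values, are validated. The new `err:` labels are correct as written because `ret` is the only allocation at that point. The bodies of the three parsers continue outside the hunks shown.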
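--- /dev/null
+++ b/data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h
@@ -0,0 +1,34 @@
+/* Copyright (c) 2020, Google Inc.
+*
+* Permission to use, copy, modify, and/or distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_DSA_INTERNAL_H
+#define OPENSSL_HEADER_DSA_INTERNAL_H
+
+#include <openssl/dsa.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// dsa_check_parameters checks that |dsa|'s group is within DoS bounds. It
+// returns one on success and zero on error.
+int dsa_check_parameters(const DSA *dsa);
+
+
+#if defined(__cplusplus)
+} // extern C
+#endif
+
+#endif // OPENSSL_HEADER_DSA_INTERNAL_H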
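Review bot: The comment on `dsa_check_parameters` understates what it enforces: the implementation added in dsa_asn1.c in this same change also rejects missing or zero p, q, g and any q that is not 160, 224 or 256 bits, each with its own DSA error reason, so a caller reading only this header would not expect DSA_R_MISSING_PARAMETERS or DSA_R_BAD_Q_VALUE from a "DoS bounds" check. Suggest `// dsa_check_parameters checks that |dsa|'s p, q and g are present and non-zero, that q is 160, 224 or 256 bits, and that p is within DoS bounds. It returns one on success and zero on error, pushing a DSA error reason.`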
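--- a/data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c
+++ b/data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c
@@ -76,6 +76,10 @@
 // TODO(davidben): Fix Node to not touch the error queue itself and remove this.
 OPENSSL_DECLARE_ERROR_REASON(EVP, NOT_XOF_OR_INVALID_LENGTH)
 
+// The HPKE module uses the EVP error namespace, but it lives in another
+// directory.
+OPENSSL_DECLARE_ERROR_REASON(EVP, EMPTY_PSK)
+
 EVP_PKEY *EVP_PKEY_new(void) {
 EVP_PKEY *ret;
 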
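--- a/data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c
+++ b/data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c
@@ -141,9 +141,13 @@ static int dsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
 goto err;
 }
 
-// Decode the key.
+// Decode the key. To avoid DoS attacks when importing private keys, we bound
+// |dsa->priv_key| against |dsa->q|, which itself bound by
+// |DSA_parse_parameters|. (We cannot call |BN_num_bits| on |dsa->priv_key|.
+// That would leak a secret bit width.)
 if (!BN_parse_asn1_unsigned(key, dsa->priv_key) ||
-CBS_len(key) != 0
+CBS_len(key) != 0 ||
+BN_cmp(dsa->priv_key, dsa->q) >= 0) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
 goto err;
 }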
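Review bot: The new `BN_cmp(dsa->priv_key, dsa->q) >= 0` compares the secret private key against the public q right after a comment explaining that `BN_num_bits` was avoided so as not to leak the secret's width; if `BN_cmp` is the ordinary early-exit word comparison, its running time reveals how many leading words of priv_key agree with q, which is a smaller but same-kind leak. For keys that pass the check the exposure is modest and this runs once at import, but it contradicts the stated goal, so either use a constant-time less-than helper if the bn layer provides one in scope here, or extend the comment to acknowledge that the comparison itself is variable-time. Separately the comment has a typo: `which itself bound by` should read `which is itself bounded by`. dsa_priv_decode continues outside this hunk.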
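--- a/data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c
+++ b/data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c
@@ -122,6 +122,8 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, uint8_t *out, size_t len) {
 
 uint32_t EVP_MD_meth_get_flags(const EVP_MD *md) { return EVP_MD_flags(md); }
 
+void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags) {}
+
 int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) {
 // |in->digest| may be NULL if this is a signing |EVP_MD_CTX| for, e.g.,
 // Ed25519 which does not hash with |EVP_MD_CTX|.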
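Review bot: `EVP_MD_CTX_set_flags` accepts and silently discards every flag value, so code ported from OpenSSL that relies on a flag having an effect gets neither an error nor the behaviour it asked for; that is presumably the intended compatibility shim, but the definition carries no comment saying so, unlike the neighbouring `EVP_MD_meth_get_flags`. Suggest `// EVP_MD_CTX_set_flags is a compatibility no-op: BoringSSL ignores all EVP_MD_CTX flags.` above the definition (the matching declaration in digest.h is listed in the diffstat but not shown here), and `(void)ctx; (void)flags;` in the body so the two unused parameters do not trip -Wunused-parameter builds.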
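--- a/data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h
+++ b/data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h
@@ -108,6 +108,10 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *out, size_t *out_len,
 int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from,
 size_t from_len);
 
+// rsa_check_public_key checks that |rsa|'s public modulus and exponent are
+// within DoS bounds.
+int rsa_check_public_key(const RSA *rsa);
+
 // RSA_private_transform calls either the method-specific |private_transform|
 // function (if given) or the generic one. See the comment for
 // |private_transform| in |rsa_meth_st|.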
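Review bot: The comment on `rsa_check_public_key` states neither its return convention nor that it fails when n or e is absent, yet the body added in rsa_impl.c in this release pushes RSA_R_VALUE_MISSING for a NULL n or e, and RSA_encrypt, RSA_verify_raw and RSA_check_key now rely on that instead of their own NULL checks. Suggest appending `// It returns one on success and zero on error. It fails with RSA_R_VALUE_MISSING if |n| or |e| is NULL, and with a size error if either exceeds the bounds.` so callers know which error reasons to expect.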
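--- a/data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c
+++ b/data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c
@@ -661,6 +661,9 @@ static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
 return 1;
 }
 
+// Note |bn_mul_consttime| and |bn_div_consttime| do not scale linearly, but
+// checking |ainv| is in range bounds the running time, assuming |m|'s bounds
+// were checked by the caller.
 BN_CTX_start(ctx);
 BIGNUM *tmp = BN_CTX_get(ctx);
 int ret = tmp != NULL &&
@@ -674,22 +677,35 @@ static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,
 }
 
 int RSA_check_key(const RSA *key) {
+// TODO(davidben): RSA key initialization is spread across
+// |rsa_check_public_key|, |RSA_check_key|, |freeze_private_key|, and
+// |BN_MONT_CTX_set_locked| as a result of API issues. See
+// https://crbug.com/boringssl/316. As a result, we inconsistently check RSA
+// invariants. We should fix this and integrate that logic.
+
 if (RSA_is_opaque(key)) {
 // Opaque keys can't be checked.
 return 1;
 }
 
+if (!rsa_check_public_key(key)) {
+return 0;
+}
+
 if ((key->p != NULL) != (key->q != NULL)) {
 OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
 return 0;
 }
 
-
-
+// |key->d| must be bounded by |key->n|. This ensures bounds on |RSA_bits|
+// translate to bounds on the running time of private key operations.
+if (key->d != NULL &&
+(BN_is_negative(key->d) || BN_cmp(key->d, key->n) >= 0)) {
+OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE);
 return 0;
 }
 
-if (
+if (key->d == NULL || key->p == NULL) {
 // For a public key, or without p and q, there's nothing that can be
 // checked.
 return 1;
@@ -709,24 +725,28 @@ int RSA_check_key(const RSA *key) {
 BN_init(&qm1);
 BN_init(&dmp1);
 BN_init(&dmq1);
+
+// Check that p * q == n. Before we multiply, we check that p and q are in
+// bounds, to avoid a DoS vector in |bn_mul_consttime| below. Note that
+// n was bound by |rsa_check_public_key|.
+if (BN_is_negative(key->p) || BN_cmp(key->p, key->n) >= 0 ||
+BN_is_negative(key->q) || BN_cmp(key->q, key->n) >= 0) {
+OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
+goto out;
+}
 if (!bn_mul_consttime(&tmp, key->p, key->q, ctx)) {
 OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
 goto out;
 }
-
 if (BN_cmp(&tmp, key->n) != 0) {
 OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
 goto out;
 }
 
-if (BN_is_negative(key->d) || BN_cmp(key->d, key->n) >= 0) {
-OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE);
-goto out;
-}
-
 // d must be an inverse of e mod the Carmichael totient, lcm(p-1, q-1), but it
 // may be unreduced because other implementations use the Euler totient. We
-// simply check that d * e is one mod p-1 and mod q-1.
+// simply check that d * e is one mod p-1 and mod q-1. Note d and e were bound
+// by earlier checks in this function.
 if (!bn_usub_consttime(&pm1, key->p, BN_value_one()) ||
 !bn_usub_consttime(&qm1, key->q, BN_value_one()) ||
 !bn_mul_consttime(&de, key->d, key->e, ctx) ||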
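Review bot: The new p/q range guard in RSA_check_key uses `BN_cmp(key->p, key->n)` and `BN_cmp(key->q, key->n)` on the secret primes, while every arithmetic step around it (`bn_mul_consttime`, `bn_usub_consttime`) was chosen to be secret-independent; if `BN_cmp` is the early-exit comparator, its timing depends on how many leading words of p or q coincide with n. The leak is small and this runs at key-check time, but the inconsistency is worth either switching to a constant-time less-than helper if one is in scope or adding a one-line comment above the guard acknowledging that these comparisons are variable-time. A second, smaller point: a negative or oversized p or q is reported as RSA_R_N_NOT_EQUAL_P_Q, which is true but hides the actual cause; a comment such as `// Reuse RSA_R_N_NOT_EQUAL_P_Q: an out-of-range factor cannot multiply to n.` would make the reuse deliberate rather than accidental. RSA_check_key's body continues both between and after these hunks.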
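--- a/data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c
+++ b/data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c
@@ -73,7 +73,12 @@
 #include "../rand/fork_detect.h"
 
 
-
+int rsa_check_public_key(const RSA *rsa) {
+if (rsa->n == NULL || rsa->e == NULL) {
+OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
+return 0;
+}
+
 unsigned rsa_bits = BN_num_bits(rsa->n);
 
 if (rsa_bits > 16 * 1024) {
@@ -253,8 +258,7 @@ size_t rsa_default_size(const RSA *rsa) {
 
 int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
 const uint8_t *in, size_t in_len, int padding) {
-if (rsa
-OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
+if (!rsa_check_public_key(rsa)) {
 return 0;
 }
 
@@ -269,10 +273,6 @@ int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
 return 0;
 }
 
-if (!check_modulus_and_exponent_sizes(rsa)) {
-return 0;
-}
-
 ctx = BN_CTX_new();
 if (ctx == NULL) {
 goto err;
@@ -592,8 +592,7 @@ static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
 
 int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
 const uint8_t *in, size_t in_len, int padding) {
-if (rsa
-OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
+if (!rsa_check_public_key(rsa)) {
 return 0;
 }
 
@@ -610,10 +609,6 @@ int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
 return 0;
 }
 
-if (!check_modulus_and_exponent_sizes(rsa)) {
-return 0;
-}
-
 BN_CTX *ctx = BN_CTX_new();
 if (ctx == NULL) {
 return 0;
@@ -1121,8 +1116,8 @@ static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value,
 
 // Reject excessively large public exponents. Windows CryptoAPI and Go don't
 // support values larger than 32 bits, so match their limits for generating
-// keys. (|
-//
+// keys. (|rsa_check_public_key| uses a slightly more conservative value, but
+// we don't need to support generating such keys.)
 // https://github.com/golang/go/issues/3161
 // https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx
 if (BN_num_bits(e_value) > 32) {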
@@ -38,6 +38,7 @@
|
|
38
38
|
#define HPKE_SUITE_ID_LEN 10
|
39
39
|
|
40
40
|
#define HPKE_MODE_BASE 0
|
41
|
+
#define HPKE_MODE_PSK 1
|
41
42
|
|
42
43
|
static const char kHpkeRfcId[] = "HPKE-05 ";
|
43
44
|
|
@@ -115,7 +116,7 @@ static int hpke_extract_and_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
|
|
115
116
|
X25519_PUBLIC_VALUE_LEN)) {
|
116
117
|
return 0;
|
117
118
|
}
|
118
|
-
const char kPRKExpandLabel[] = "shared_secret";
|
119
|
+
static const char kPRKExpandLabel[] = "shared_secret";
|
119
120
|
if (!hpke_labeled_expand(hkdf_md, out_key, out_len, prk, prk_len,
|
120
121
|
kX25519SuiteID, sizeof(kX25519SuiteID),
|
121
122
|
kPRKExpandLabel, kem_context, KEM_CONTEXT_LEN)) {
|
@@ -150,9 +151,28 @@ static const EVP_MD *hpke_get_kdf(uint16_t kdf_id) {
|
|
150
151
|
return NULL;
|
151
152
|
}
|
152
153
|
|
153
|
-
static int hpke_key_schedule(EVP_HPKE_CTX *hpke,
|
154
|
+
static int hpke_key_schedule(EVP_HPKE_CTX *hpke, uint8_t mode,
|
155
|
+
const uint8_t *shared_secret,
|
154
156
|
size_t shared_secret_len, const uint8_t *info,
|
155
|
-
size_t info_len
|
157
|
+
size_t info_len, const uint8_t *psk,
|
158
|
+
size_t psk_len, const uint8_t *psk_id,
|
159
|
+
size_t psk_id_len) {
|
160
|
+
// Verify the PSK inputs.
|
161
|
+
switch (mode) {
|
162
|
+
case HPKE_MODE_BASE:
|
163
|
+
// This is an internal error, unreachable from the caller.
|
164
|
+
assert(psk_len == 0 && psk_id_len == 0);
|
165
|
+
break;
|
166
|
+
case HPKE_MODE_PSK:
|
167
|
+
if (psk_len == 0 || psk_id_len == 0) {
|
168
|
+
OPENSSL_PUT_ERROR(EVP, EVP_R_EMPTY_PSK);
|
169
|
+
return 0;
|
170
|
+
}
|
171
|
+
break;
|
172
|
+
default:
|
173
|
+
return 0;
|
174
|
+
}
|
175
|
+
|
156
176
|
// Attempt to get an EVP_AEAD*.
|
157
177
|
const EVP_AEAD *aead = hpke_get_aead(hpke->aead_id);
|
158
178
|
if (aead == NULL) {
|
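Review bot: The `default:` branch of the new mode switch in hpke_key_schedule returns 0 without recording a reason, while the HPKE_MODE_PSK branch pushes EVP_R_EMPTY_PSK, so a caller that hits it sees failure with an empty error queue. Since the function is static and both call sites in this change pass a compile-time mode constant, that branch signals an internal inconsistency rather than bad input and should say so: `default: OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR); return 0;`. Relatedly, the HPKE_MODE_BASE branch relies on `assert`, which is compiled out under NDEBUG, so a non-empty psk/psk_id paired with the base mode would presumably flow into the psk_hash extraction further down unnoticed in release builds; a comment stating that callers own that invariant (`// Callers must pass psk_len == 0 and psk_id_len == 0 in base mode; not re-checked in release builds.`) would make the contract explicit. The function's body continues in the following hunks and its closing brace is outside this hunk.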
@@ -170,7 +190,7 @@ static int hpke_key_schedule(EVP_HPKE_CTX *hpke, const uint8_t *shared_secret,
|
|
170
190
|
size_t psk_id_hash_len;
|
171
191
|
if (!hpke_labeled_extract(hpke->hkdf_md, psk_id_hash, &psk_id_hash_len, NULL,
|
172
192
|
0, suite_id, sizeof(suite_id), kPskIdHashLabel,
|
173
|
-
|
193
|
+
psk_id, psk_id_len)) {
|
174
194
|
return 0;
|
175
195
|
}
|
176
196
|
|
@@ -189,7 +209,7 @@ static int hpke_key_schedule(EVP_HPKE_CTX *hpke, const uint8_t *shared_secret,
|
|
189
209
|
size_t context_len;
|
190
210
|
CBB context_cbb;
|
191
211
|
if (!CBB_init_fixed(&context_cbb, context, sizeof(context)) ||
|
192
|
-
!CBB_add_u8(&context_cbb,
|
212
|
+
!CBB_add_u8(&context_cbb, mode) ||
|
193
213
|
!CBB_add_bytes(&context_cbb, psk_id_hash, psk_id_hash_len) ||
|
194
214
|
!CBB_add_bytes(&context_cbb, info_hash, info_hash_len) ||
|
195
215
|
!CBB_finish(&context_cbb, NULL, &context_len)) {
|
@@ -201,8 +221,8 @@ static int hpke_key_schedule(EVP_HPKE_CTX *hpke, const uint8_t *shared_secret,
|
|
201
221
|
uint8_t psk_hash[EVP_MAX_MD_SIZE];
|
202
222
|
size_t psk_hash_len;
|
203
223
|
if (!hpke_labeled_extract(hpke->hkdf_md, psk_hash, &psk_hash_len, NULL, 0,
|
204
|
-
suite_id, sizeof(suite_id), kPskHashLabel,
|
205
|
-
|
224
|
+
suite_id, sizeof(suite_id), kPskHashLabel, psk,
|
225
|
+
psk_len)) {
|
206
226
|
return 0;
|
207
227
|
}
|
208
228
|
|
@@ -338,8 +358,9 @@ int EVP_HPKE_CTX_setup_base_s_x25519_for_test(
|
|
338
358
|
uint8_t shared_secret[SHA256_DIGEST_LENGTH];
|
339
359
|
if (!hpke_encap(hpke, shared_secret, peer_public_value, ephemeral_private,
|
340
360
|
ephemeral_public) ||
|
341
|
-
!hpke_key_schedule(hpke,
|
342
|
-
|
361
|
+
!hpke_key_schedule(hpke, HPKE_MODE_BASE, shared_secret,
|
362
|
+
sizeof(shared_secret), info, info_len, NULL, 0, NULL,
|
363
|
+
0)) {
|
343
364
|
return 0;
|
344
365
|
}
|
345
366
|
return 1;
|
@@ -360,8 +381,74 @@ int EVP_HPKE_CTX_setup_base_r_x25519(
|
|
360
381
|
}
|
361
382
|
uint8_t shared_secret[SHA256_DIGEST_LENGTH];
|
362
383
|
if (!hpke_decap(hpke, shared_secret, enc, public_key, private_key) ||
|
363
|
-
!hpke_key_schedule(hpke,
|
364
|
-
|
384
|
+
!hpke_key_schedule(hpke, HPKE_MODE_BASE, shared_secret,
|
385
|
+
sizeof(shared_secret), info, info_len, NULL, 0, NULL,
|
386
|
+
0)) {
|
387
|
+
return 0;
|
388
|
+
}
|
389
|
+
return 1;
|
390
|
+
}
|
391
|
+
|
392
|
+
int EVP_HPKE_CTX_setup_psk_s_x25519(
|
393
|
+
EVP_HPKE_CTX *hpke, uint8_t out_enc[X25519_PUBLIC_VALUE_LEN],
|
394
|
+
uint16_t kdf_id, uint16_t aead_id,
|
395
|
+
const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN],
|
396
|
+
const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len,
|
397
|
+
const uint8_t *psk_id, size_t psk_id_len) {
|
398
|
+
// The GenerateKeyPair() step technically belongs in the KEM's Encap()
|
399
|
+
// function, but we've moved it up a layer to make it easier for tests to
|
400
|
+
// inject an ephemeral keypair.
|
401
|
+
uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN];
|
402
|
+
X25519_keypair(out_enc, ephemeral_private);
|
403
|
+
return EVP_HPKE_CTX_setup_psk_s_x25519_for_test(
|
404
|
+
hpke, kdf_id, aead_id, peer_public_value, info, info_len, psk, psk_len,
|
405
|
+
psk_id, psk_id_len, ephemeral_private, out_enc);
|
406
|
+
}
|
407
|
+
|
408
|
+
int EVP_HPKE_CTX_setup_psk_s_x25519_for_test(
|
409
|
+
EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
|
410
|
+
const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN],
|
411
|
+
const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len,
|
412
|
+
const uint8_t *psk_id, size_t psk_id_len,
|
413
|
+
const uint8_t ephemeral_private[X25519_PRIVATE_KEY_LEN],
|
414
|
+
const uint8_t ephemeral_public[X25519_PUBLIC_VALUE_LEN]) {
|
415
|
+
hpke->is_sender = 1;
|
416
|
+
hpke->kdf_id = kdf_id;
|
417
|
+
hpke->aead_id = aead_id;
|
418
|
+
hpke->hkdf_md = hpke_get_kdf(kdf_id);
|
419
|
+
if (hpke->hkdf_md == NULL) {
|
420
|
+
return 0;
|
421
|
+
}
|
422
|
+
uint8_t shared_secret[SHA256_DIGEST_LENGTH];
|
423
|
+
if (!hpke_encap(hpke, shared_secret, peer_public_value, ephemeral_private,
|
424
|
+
ephemeral_public) ||
|
425
|
+
!hpke_key_schedule(hpke, HPKE_MODE_PSK, shared_secret,
|
426
|
+
sizeof(shared_secret), info, info_len, psk, psk_len,
|
427
|
+
psk_id, psk_id_len)) {
|
428
|
+
return 0;
|
429
|
+
}
|
430
|
+
return 1;
|
431
|
+
}
|
432
|
+
|
433
|
+
int EVP_HPKE_CTX_setup_psk_r_x25519(
|
434
|
+
EVP_HPKE_CTX *hpke, uint16_t kdf_id, uint16_t aead_id,
|
435
|
+
const uint8_t enc[X25519_PUBLIC_VALUE_LEN],
|
436
|
+
const uint8_t public_key[X25519_PUBLIC_VALUE_LEN],
|
437
|
+
const uint8_t private_key[X25519_PRIVATE_KEY_LEN], const uint8_t *info,
|
438
|
+
size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id,
|
439
|
+
size_t psk_id_len) {
|
440
|
+
hpke->is_sender = 0;
|
441
|
+
hpke->kdf_id = kdf_id;
|
442
|
+
hpke->aead_id = aead_id;
|
443
|
+
hpke->hkdf_md = hpke_get_kdf(kdf_id);
|
444
|
+
if (hpke->hkdf_md == NULL) {
|
445
|
+
return 0;
|
446
|
+
}
|
447
|
+
uint8_t shared_secret[SHA256_DIGEST_LENGTH];
|
448
|
+
if (!hpke_decap(hpke, shared_secret, enc, public_key, private_key) ||
|
449
|
+
!hpke_key_schedule(hpke, HPKE_MODE_PSK, shared_secret,
|
450
|
+
sizeof(shared_secret), info, info_len, psk, psk_len,
|
451
|
+
psk_id, psk_id_len)) {
|
365
452
|
return 0;
|
366
453
|
}
|
367
454
|
return 1;
|