RubyGems - grpc - Versions diffs - 1.38.0 → 1.39.0.pre1 - Mend

grpc 1.38.0 → 1.39.0.pre1

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (199) hide show

data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc CHANGED Viewed

@@ -168,7 +168,7 @@ static bool add_record_to_flight(SSL *ssl, uint8_t type,
   return true;
 }
-bool tls_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
+bool tls_init_message(const SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
   // Pick a modest size hint to save most of the |realloc| calls.
   if (!CBB_init(cbb, 64) ||
       !CBB_add_u8(cbb, type) ||
@@ -181,7 +181,7 @@ bool tls_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
   return true;
 }
-bool tls_finish_message(SSL *ssl, CBB *cbb, Array<uint8_t> *out_msg) {
+bool tls_finish_message(const SSL *ssl, CBB *cbb, Array<uint8_t> *out_msg) {
   return CBBFinishArray(cbb, out_msg);
 }

data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc CHANGED Viewed

@@ -164,7 +164,8 @@
 BSSL_NAMESPACE_BEGIN
 SSL3_STATE::SSL3_STATE()
-    : skip_early_data(false),
+    : ech_accept(false),
+      skip_early_data(false),
       have_version(false),
       v2_hello_done(false),
       is_v2_hello(false),
@@ -177,7 +178,6 @@ SSL3_STATE::SSL3_STATE()
       key_update_pending(false),
       wpend_pending(false),
       early_data_accepted(false),
-      token_binding_negotiated(false),
       alert_dispatch(false),
       renegotiate_pending(false),
       used_hello_retry_request(false) {}

data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc CHANGED Viewed

@@ -112,6 +112,8 @@
 #include <limits.h>
 #include <string.h>
+#include <algorithm>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/mem.h>
@@ -138,10 +140,9 @@ int tls_write_app_data(SSL *ssl, bool *out_needs_handshake, const uint8_t *in,
     return -1;
   }
-  unsigned tot, n, nw;
+  // TODO(davidben): Switch this logic to |size_t| and |bssl::Span|.
   assert(ssl->s3->wnum <= INT_MAX);
-  tot = ssl->s3->wnum;
+  unsigned tot = ssl->s3->wnum;
   ssl->s3->wnum = 0;
   // Ensure that if we end up with a smaller value of data to write out than
@@ -159,29 +160,23 @@ int tls_write_app_data(SSL *ssl, bool *out_needs_handshake, const uint8_t *in,
   const int is_early_data_write =
       !ssl->server && SSL_in_early_data(ssl) && ssl->s3->hs->can_early_write;
-  n = len - tot;
+  unsigned n = len - tot;
   for (;;) {
-    // max contains the maximum number of bytes that we can put into a record.
-    unsigned max = ssl->max_send_fragment;
-    if (is_early_data_write &&
-        max > ssl->session->ticket_max_early_data -
-                  ssl->s3->hs->early_data_written) {
-      max =
-          ssl->session->ticket_max_early_data - ssl->s3->hs->early_data_written;
-      if (max == 0) {
+    size_t max_send_fragment = ssl->max_send_fragment;
+    if (is_early_data_write) {
+      SSL_HANDSHAKE *hs = ssl->s3->hs.get();
+      if (hs->early_data_written >= hs->early_session->ticket_max_early_data) {
         ssl->s3->wnum = tot;
-        ssl->s3->hs->can_early_write = false;
+        hs->can_early_write = false;
         *out_needs_handshake = true;
         return -1;
       }
+      max_send_fragment = std::min(
+          max_send_fragment, size_t{hs->early_session->ticket_max_early_data -
+                                    hs->early_data_written});
     }
-    if (n > max) {
-      nw = max;
-    } else {
-      nw = n;
-    }
+    const size_t nw = std::min(max_send_fragment, size_t{n});
     int ret = do_tls_write(ssl, SSL3_RT_APPLICATION_DATA, &in[tot], nw);
     if (ret <= 0) {
       ssl->s3->wnum = tot;

data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc CHANGED Viewed

@@ -275,9 +275,7 @@ ssl_open_record_t ssl_open_app_data(SSL *ssl, Span<uint8_t> *out,
 void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) {
   SSL *const ssl = hs->ssl;
   SSL_CTX *ctx = ssl->session_ctx.get();
-  // Never cache sessions with empty session IDs.
-  if (ssl->s3->established_session->session_id_length == 0 ||
-      ssl->s3->established_session->not_resumable ||
+  if (!SSL_SESSION_is_resumable(ssl->s3->established_session.get()) ||
       (ctx->session_cache_mode & mode) != mode) {
     return;
   }
@@ -463,7 +461,8 @@ static bool ssl_can_renegotiate(const SSL *ssl) {
     return false;
   }
-  if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
+  if (ssl->s3->have_version &&
+      ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
     return false;
   }
@@ -563,6 +562,7 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
       signed_cert_timestamps_enabled(false),
       channel_id_enabled(false),
       grease_enabled(false),
+      permute_extensions(false),
       allow_unknown_alpn_protos(false),
       false_start_allowed_without_alpn(false),
       handoff(false),
@@ -685,6 +685,7 @@ SSL *SSL_new(SSL_CTX *ctx) {
   ssl->config->custom_verify_callback = ctx->custom_verify_callback;
   ssl->config->retain_only_sha256_of_client_certs =
       ctx->retain_only_sha256_of_client_certs;
+  ssl->config->permute_extensions = ctx->permute_extensions;
   if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) ||
       !ssl->config->alpn_client_proto_list.CopyFrom(
@@ -731,7 +732,8 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
       handoff(false),
       shed_handshake_config(false),
       jdk11_workaround(false),
-      quic_use_legacy_codepoint(true) {
+      quic_use_legacy_codepoint(false),
+      permute_extensions(false) {
   assert(ssl);
 }
@@ -1099,11 +1101,6 @@ int SSL_write(SSL *ssl, const void *buf, int num) {
     return -1;
   }
-  if (ssl->s3->write_shutdown != ssl_shutdown_none) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
-    return -1;
-  }
   int ret = 0;
   bool needs_handshake = false;
   do {
@@ -1317,8 +1314,6 @@ const char *SSL_early_data_reason_string(enum ssl_early_data_reason_t reason) {
       return "alpn_mismatch";
     case ssl_early_data_channel_id:
       return "channel_id";
-    case ssl_early_data_token_binding:
-      return "token_binding";
     case ssl_early_data_ticket_age_skew:
       return "ticket_age_skew";
     case ssl_early_data_quic_parameter_mismatch:
@@ -1372,7 +1367,6 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
     case SSL_ERROR_HANDOFF:
     case SSL_ERROR_HANDBACK:
     case SSL_ERROR_WANT_X509_LOOKUP:
-    case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP:
     case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION:
     case SSL_ERROR_PENDING_TICKET:
     case SSL_ERROR_EARLY_DATA_REJECTED:
@@ -1446,8 +1440,6 @@ const char *SSL_error_description(int err) {
       return "WANT_CONNECT";
     case SSL_ERROR_WANT_ACCEPT:
       return "WANT_ACCEPT";
-    case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP:
-      return "WANT_CHANNEL_ID_LOOKUP";
     case SSL_ERROR_PENDING_SESSION:
       return "PENDING_SESSION";
     case SSL_ERROR_PENDING_CERTIFICATE:
@@ -1464,6 +1456,8 @@ const char *SSL_error_description(int err) {
       return "HANDOFF";
     case SSL_ERROR_HANDBACK:
       return "HANDBACK";
+    case SSL_ERROR_WANT_RENEGOTIATE:
+      return "WANT_RENEGOTIATE";
     case SSL_ERROR_HANDSHAKE_HINTS_READY:
       return "HANDSHAKE_HINTS_READY";
     default:
@@ -1471,13 +1465,6 @@ const char *SSL_error_description(int err) {
   }
 }
-void SSL_set_enable_ech_grease(SSL *ssl, int enable) {
-  if (!ssl->config) {
-    return;
-  }
-  ssl->config->ech_grease_enabled = !!enable;
-}
 uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) {
   ctx->options |= options;
   return ctx->options;
@@ -1788,6 +1775,9 @@ int SSL_renegotiate(SSL *ssl) {
     return 0;
   }
+  // We should not have told the caller to release the private key.
+  assert(!SSL_can_release_private_key(ssl));
   // Renegotiation is only supported at quiescent points in the application
   // protocol, namely in HTTPS, just before reading the HTTP response.
   // Require the record-layer be idle and avoid complexities of sending a
@@ -2189,63 +2179,6 @@ int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) {
   return 1;
 }
-SSL_ECH_SERVER_CONFIG_LIST *SSL_ECH_SERVER_CONFIG_LIST_new() {
-  return New<SSL_ECH_SERVER_CONFIG_LIST>();
-}
-void SSL_ECH_SERVER_CONFIG_LIST_up_ref(SSL_ECH_SERVER_CONFIG_LIST *configs) {
-  CRYPTO_refcount_inc(&configs->references);
-}
-void SSL_ECH_SERVER_CONFIG_LIST_free(SSL_ECH_SERVER_CONFIG_LIST *configs) {
-  if (configs == nullptr ||
-      !CRYPTO_refcount_dec_and_test_zero(&configs->references)) {
-    return;
-  }
-  configs->~ssl_ech_server_config_list_st();
-  OPENSSL_free(configs);
-}
-int SSL_ECH_SERVER_CONFIG_LIST_add(SSL_ECH_SERVER_CONFIG_LIST *configs,
-                                   int is_retry_config,
-                                   const uint8_t *ech_config,
-                                   size_t ech_config_len,
-                                   const uint8_t *private_key,
-                                   size_t private_key_len) {
-  ECHServerConfig parsed_config;
-  if (!parsed_config.Init(MakeConstSpan(ech_config, ech_config_len),
-                          MakeConstSpan(private_key, private_key_len),
-                          !!is_retry_config)) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-    return 0;
-  }
-  if (!configs->configs.Push(std::move(parsed_config))) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-  return 1;
-}
-int SSL_CTX_set1_ech_server_config_list(SSL_CTX *ctx,
-                                        SSL_ECH_SERVER_CONFIG_LIST *list) {
-  bool has_retry_config = false;
-  for (const bssl::ECHServerConfig &config : list->configs) {
-    if (config.is_retry_config()) {
-      has_retry_config = true;
-      break;
-    }
-  }
-  if (!has_retry_config) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_ECH_SERVER_WOULD_HAVE_NO_RETRY_CONFIGS);
-    return 0;
-  }
-  UniquePtr<SSL_ECH_SERVER_CONFIG_LIST> owned_list = UpRef(list);
-  MutexWriteLock lock(&ctx->lock);
-  ctx->ech_server_config_list.swap(owned_list);
-  return 1;
-}
 int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer,
                           unsigned peer_len, const uint8_t *supported,
                           unsigned supported_len) {
@@ -2432,8 +2365,6 @@ int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) {
   }
   ctx->channel_id_private = UpRef(private_key);
-  ctx->channel_id_enabled = true;
   return 1;
 }
@@ -2447,8 +2378,6 @@ int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) {
   }
   ssl->config->channel_id_private = UpRef(private_key);
-  ssl->config->channel_id_enabled = true;
   return 1;
 }
@@ -2460,25 +2389,6 @@ size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) {
   return 64;
 }
-int SSL_set_token_binding_params(SSL *ssl, const uint8_t *params, size_t len) {
-  if (!ssl->config) {
-    return 0;
-  }
-  if (len > 256) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
-    return 0;
-  }
-  return ssl->config->token_binding_params.CopyFrom(MakeConstSpan(params, len));
-}
-int SSL_is_token_binding_negotiated(const SSL *ssl) {
-  return ssl->s3->token_binding_negotiated;
-}
-uint8_t SSL_get_negotiated_token_binding_param(const SSL *ssl) {
-  return ssl->s3->negotiated_token_binding_param;
-}
 size_t SSL_get0_certificate_types(const SSL *ssl, const uint8_t **out_types) {
   Span<const uint8_t> types;
   if (!ssl->server && ssl->s3->hs != nullptr) {
@@ -2840,6 +2750,17 @@ void SSL_CTX_set_current_time_cb(SSL_CTX *ctx,
   ctx->current_time_cb = cb;
 }
+int SSL_can_release_private_key(const SSL *ssl) {
+  if (ssl_can_renegotiate(ssl)) {
+    // If the connection can renegotiate (client only), the private key may be
+    // used in a future handshake.
+    return 0;
+  }
+  // Otherwise, this is determined by the current handshake.
+  return !ssl->s3->hs || ssl->s3->hs->can_release_private_key;
+}
 int SSL_is_init_finished(const SSL *ssl) {
   return !SSL_in_init(ssl);
 }
@@ -2992,6 +2913,17 @@ void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled) {
   ctx->grease_enabled = !!enabled;
 }
+void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled) {
+  ctx->permute_extensions = !!enabled;
+}
+void SSL_set_permute_extensions(SSL *ssl, int enabled) {
+  if (!ssl->config) {
+    return;
+  }
+  ssl->config->permute_extensions = !!enabled;
+}
 int32_t SSL_get_ticket_age_skew(const SSL *ssl) {
   return ssl->s3->ticket_age_skew;
 }

data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc CHANGED Viewed

@@ -203,6 +203,7 @@ enum ssl_private_key_result_t ssl_private_key_sign(
   SSL *const ssl = hs->ssl;
   const SSL_PRIVATE_KEY_METHOD *key_method = hs->config->cert->key_method;
   EVP_PKEY *privatekey = hs->config->cert->privatekey.get();
+  assert(!hs->can_release_private_key);
   if (ssl_signing_with_dc(hs)) {
     key_method = hs->config->cert->dc_key_method;
     privatekey = hs->config->cert->dc_privatekey.get();
@@ -254,6 +255,7 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,
                                                       size_t max_out,
                                                       Span<const uint8_t> in) {
   SSL *const ssl = hs->ssl;
+  assert(!hs->can_release_private_key);
   if (hs->config->cert->key_method != NULL) {
     enum ssl_private_key_result_t ret;
     if (hs->pending_private_key_op) {

data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc CHANGED Viewed

@@ -350,19 +350,19 @@ const EVP_MD *ssl_session_get_digest(const SSL_SESSION *session) {
                                   session->cipher);
 }
-int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
+bool ssl_get_new_session(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   if (ssl->mode & SSL_MODE_NO_SESSION_CREATION) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_SESSION_MAY_NOT_BE_CREATED);
-    return 0;
+    return false;
   }
   UniquePtr<SSL_SESSION> session = ssl_session_new(ssl->ctx->x509_method);
   if (session == NULL) {
-    return 0;
+    return false;
   }
-  session->is_server = is_server;
+  session->is_server = ssl->server;
   session->ssl_version = ssl->version;
   session->is_quic = ssl->quic_method != nullptr;
@@ -384,24 +384,9 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
     session->auth_timeout = ssl->session_ctx->session_timeout;
   }
-  if (is_server) {
-    if (hs->ticket_expected || version >= TLS1_3_VERSION) {
-      // Don't set session IDs for sessions resumed with tickets. This will keep
-      // them out of the session cache.
-      session->session_id_length = 0;
-    } else {
-      session->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
-      if (!RAND_bytes(session->session_id, session->session_id_length)) {
-        return 0;
-      }
-    }
-  } else {
-    session->session_id_length = 0;
-  }
   if (hs->config->cert->sid_ctx_length > sizeof(session->sid_ctx)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return 0;
+    return false;
   }
   OPENSSL_memcpy(session->sid_ctx, hs->config->cert->sid_ctx,
                  hs->config->cert->sid_ctx_length);
@@ -413,7 +398,7 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
   hs->new_session = std::move(session);
   ssl_set_session(ssl, NULL);
-  return 1;
+  return true;
 }
 int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx) {
@@ -1019,7 +1004,8 @@ int SSL_SESSION_should_be_single_use(const SSL_SESSION *session) {
 }
 int SSL_SESSION_is_resumable(const SSL_SESSION *session) {
-  return !session->not_resumable;
+  return !session->not_resumable &&
+         (session->session_id_length != 0 || !session->ticket.empty());
 }
 int SSL_SESSION_has_ticket(const SSL_SESSION *session) {
@@ -1298,12 +1284,3 @@ void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type,
                                                 int value) {
   return ctx->info_callback;
 }
-void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx,
-                               void (*cb)(SSL *ssl, EVP_PKEY **pkey)) {
-  ctx->channel_id_cb = cb;
-}
-void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl, EVP_PKEY **pkey) {
-  return ctx->channel_id_cb;
-}