grpc 1.41.0 → 1.41.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +4 -3
- data/etc/roots.pem +335 -326
- data/src/ruby/ext/grpc/extconf.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/err_data.c +278 -272
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +15 -22
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +13 -7
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +19 -29
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/a_strex.c +268 -271
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +6 -43
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +0 -39
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/charmap.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +289 -198
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +9 -13
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -17
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +9 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +45 -65
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +21 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +5 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +10 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +24 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +12 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +0 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +0 -8
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/internal.h +16 -7
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7.c +9 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +151 -12
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +181 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +246 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +11 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +0 -179
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +0 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +11 -50
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +0 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +22 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_int.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +24 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +17 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +112 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +71 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +304 -192
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +2 -9
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +5 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +3 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +9 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +8 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/hkdf.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +9 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -20
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +12 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +37 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +26 -12
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +31 -32
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +50 -76
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +0 -131
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +48 -8
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +266 -357
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +90 -152
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +15 -13
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +75 -79
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +96 -97
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +63 -43
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +6 -12
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +14 -16
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +14 -27
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +203 -203
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +30 -41
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +47 -33
- metadata +39 -38
|
@@ -210,16 +210,24 @@ static bool is_post_quantum_group(uint16_t id) {
|
|
|
210
210
|
|
|
211
211
|
bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
|
|
212
212
|
Span<const uint8_t> body) {
|
|
213
|
+
CBS cbs = body;
|
|
214
|
+
if (!ssl_parse_client_hello_with_trailing_data(ssl, &cbs, out) ||
|
|
215
|
+
CBS_len(&cbs) != 0) {
|
|
216
|
+
return false;
|
|
217
|
+
}
|
|
218
|
+
return true;
|
|
219
|
+
}
|
|
220
|
+
|
|
221
|
+
bool ssl_parse_client_hello_with_trailing_data(const SSL *ssl, CBS *cbs,
|
|
222
|
+
SSL_CLIENT_HELLO *out) {
|
|
213
223
|
OPENSSL_memset(out, 0, sizeof(*out));
|
|
214
224
|
out->ssl = const_cast<SSL *>(ssl);
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
!CBS_get_bytes(&client_hello, &random, SSL3_RANDOM_SIZE) ||
|
|
222
|
-
!CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
|
|
225
|
+
|
|
226
|
+
CBS copy = *cbs;
|
|
227
|
+
CBS random, session_id;
|
|
228
|
+
if (!CBS_get_u16(cbs, &out->version) ||
|
|
229
|
+
!CBS_get_bytes(cbs, &random, SSL3_RANDOM_SIZE) ||
|
|
230
|
+
!CBS_get_u8_length_prefixed(cbs, &session_id) ||
|
|
223
231
|
CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
|
|
224
232
|
return false;
|
|
225
233
|
}
|
|
@@ -232,16 +240,16 @@ bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
|
|
|
232
240
|
// Skip past DTLS cookie
|
|
233
241
|
if (SSL_is_dtls(out->ssl)) {
|
|
234
242
|
CBS cookie;
|
|
235
|
-
if (!CBS_get_u8_length_prefixed(
|
|
243
|
+
if (!CBS_get_u8_length_prefixed(cbs, &cookie) ||
|
|
236
244
|
CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
|
|
237
245
|
return false;
|
|
238
246
|
}
|
|
239
247
|
}
|
|
240
248
|
|
|
241
249
|
CBS cipher_suites, compression_methods;
|
|
242
|
-
if (!CBS_get_u16_length_prefixed(
|
|
250
|
+
if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites) ||
|
|
243
251
|
CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 ||
|
|
244
|
-
!CBS_get_u8_length_prefixed(
|
|
252
|
+
!CBS_get_u8_length_prefixed(cbs, &compression_methods) ||
|
|
245
253
|
CBS_len(&compression_methods) < 1) {
|
|
246
254
|
return false;
|
|
247
255
|
}
|
|
@@ -253,23 +261,22 @@ bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
|
|
|
253
261
|
|
|
254
262
|
// If the ClientHello ends here then it's valid, but doesn't have any
|
|
255
263
|
// extensions.
|
|
256
|
-
if (CBS_len(
|
|
257
|
-
out->extensions =
|
|
264
|
+
if (CBS_len(cbs) == 0) {
|
|
265
|
+
out->extensions = nullptr;
|
|
258
266
|
out->extensions_len = 0;
|
|
259
|
-
|
|
260
|
-
|
|
261
|
-
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
|
|
265
|
-
|
|
266
|
-
|
|
267
|
-
|
|
267
|
+
} else {
|
|
268
|
+
// Extract extensions and check it is valid.
|
|
269
|
+
CBS extensions;
|
|
270
|
+
if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
|
|
271
|
+
!tls1_check_duplicate_extensions(&extensions)) {
|
|
272
|
+
return false;
|
|
273
|
+
}
|
|
274
|
+
out->extensions = CBS_data(&extensions);
|
|
275
|
+
out->extensions_len = CBS_len(&extensions);
|
|
268
276
|
}
|
|
269
277
|
|
|
270
|
-
out->
|
|
271
|
-
out->
|
|
272
|
-
|
|
278
|
+
out->client_hello = CBS_data(©);
|
|
279
|
+
out->client_hello_len = CBS_len(©) - CBS_len(cbs);
|
|
273
280
|
return true;
|
|
274
281
|
}
|
|
275
282
|
|
|
@@ -619,20 +626,30 @@ static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
619
626
|
|
|
620
627
|
// Encrypted ClientHello (ECH)
|
|
621
628
|
//
|
|
622
|
-
// https://tools.ietf.org/html/draft-ietf-tls-esni-
|
|
629
|
+
// https://tools.ietf.org/html/draft-ietf-tls-esni-13
|
|
623
630
|
|
|
624
631
|
static bool ext_ech_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
625
632
|
CBB *out_compressible,
|
|
626
633
|
ssl_client_hello_type_t type) {
|
|
627
|
-
if (type == ssl_client_hello_inner
|
|
634
|
+
if (type == ssl_client_hello_inner) {
|
|
635
|
+
if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||
|
|
636
|
+
!CBB_add_u16(out, /* length */ 1) ||
|
|
637
|
+
!CBB_add_u8(out, ECH_CLIENT_INNER)) {
|
|
638
|
+
return false;
|
|
639
|
+
}
|
|
640
|
+
return true;
|
|
641
|
+
}
|
|
642
|
+
|
|
643
|
+
if (hs->ech_client_outer.empty()) {
|
|
628
644
|
return true;
|
|
629
645
|
}
|
|
630
646
|
|
|
631
647
|
CBB ech_body;
|
|
632
648
|
if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||
|
|
633
649
|
!CBB_add_u16_length_prefixed(out, &ech_body) ||
|
|
634
|
-
!
|
|
635
|
-
|
|
650
|
+
!CBB_add_u8(&ech_body, ECH_CLIENT_OUTER) ||
|
|
651
|
+
!CBB_add_bytes(&ech_body, hs->ech_client_outer.data(),
|
|
652
|
+
hs->ech_client_outer.size()) ||
|
|
636
653
|
!CBB_flush(out)) {
|
|
637
654
|
return false;
|
|
638
655
|
}
|
|
@@ -647,8 +664,10 @@ static bool ext_ech_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
|
647
664
|
}
|
|
648
665
|
|
|
649
666
|
// The ECH extension may not be sent in TLS 1.2 ServerHello, only TLS 1.3
|
|
650
|
-
//
|
|
651
|
-
|
|
667
|
+
// EncryptedExtensions. It also may not be sent in response to an inner ECH
|
|
668
|
+
// extension.
|
|
669
|
+
if (ssl_protocol_version(ssl) < TLS1_3_VERSION ||
|
|
670
|
+
ssl->s3->ech_status == ssl_ech_accepted) {
|
|
652
671
|
*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
|
|
653
672
|
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
|
654
673
|
return false;
|
|
@@ -659,17 +678,7 @@ static bool ext_ech_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
|
659
678
|
return false;
|
|
660
679
|
}
|
|
661
680
|
|
|
662
|
-
|
|
663
|
-
// ECH GREASE), not ClientHelloInner. The unsolicited extension rule checks
|
|
664
|
-
// this implicitly because the ClientHelloInner has no encrypted_client_hello
|
|
665
|
-
// extension.
|
|
666
|
-
//
|
|
667
|
-
// TODO(https://crbug.com/boringssl/275): If
|
|
668
|
-
// https://github.com/tlswg/draft-ietf-tls-esni/pull/422 is merged, a later
|
|
669
|
-
// draft will fold encrypted_client_hello and ech_is_inner together. Then this
|
|
670
|
-
// assert should become a runtime check.
|
|
671
|
-
assert(ssl->s3->ech_status != ssl_ech_accepted);
|
|
672
|
-
if (hs->selected_ech_config &&
|
|
681
|
+
if (ssl->s3->ech_status == ssl_ech_rejected &&
|
|
673
682
|
!hs->ech_retry_configs.CopyFrom(*contents)) {
|
|
674
683
|
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
675
684
|
return false;
|
|
@@ -680,10 +689,23 @@ static bool ext_ech_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
|
680
689
|
|
|
681
690
|
static bool ext_ech_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
682
691
|
CBS *contents) {
|
|
683
|
-
if (contents
|
|
684
|
-
|
|
692
|
+
if (contents == nullptr) {
|
|
693
|
+
return true;
|
|
694
|
+
}
|
|
695
|
+
|
|
696
|
+
uint8_t type;
|
|
697
|
+
if (!CBS_get_u8(contents, &type)) {
|
|
698
|
+
return false;
|
|
699
|
+
}
|
|
700
|
+
if (type == ECH_CLIENT_OUTER) {
|
|
701
|
+
// Outer ECH extensions are handled outside the callback.
|
|
685
702
|
return true;
|
|
686
703
|
}
|
|
704
|
+
if (type != ECH_CLIENT_INNER || CBS_len(contents) != 0) {
|
|
705
|
+
return false;
|
|
706
|
+
}
|
|
707
|
+
|
|
708
|
+
hs->ech_is_inner = true;
|
|
687
709
|
return true;
|
|
688
710
|
}
|
|
689
711
|
|
|
@@ -715,32 +737,6 @@ static bool ext_ech_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
|
715
737
|
return CBB_flush(out);
|
|
716
738
|
}
|
|
717
739
|
|
|
718
|
-
static bool ext_ech_is_inner_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
719
|
-
CBB *out_compressible,
|
|
720
|
-
ssl_client_hello_type_t type) {
|
|
721
|
-
if (type == ssl_client_hello_inner) {
|
|
722
|
-
if (!CBB_add_u16(out, TLSEXT_TYPE_ech_is_inner) ||
|
|
723
|
-
!CBB_add_u16(out, 0 /* empty extension */)) {
|
|
724
|
-
return false;
|
|
725
|
-
}
|
|
726
|
-
}
|
|
727
|
-
return true;
|
|
728
|
-
}
|
|
729
|
-
|
|
730
|
-
static bool ext_ech_is_inner_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
731
|
-
uint8_t *out_alert,
|
|
732
|
-
CBS *contents) {
|
|
733
|
-
if (contents == nullptr) {
|
|
734
|
-
return true;
|
|
735
|
-
}
|
|
736
|
-
if (CBS_len(contents) > 0) {
|
|
737
|
-
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
|
738
|
-
return false;
|
|
739
|
-
}
|
|
740
|
-
hs->ech_is_inner_present = true;
|
|
741
|
-
return true;
|
|
742
|
-
}
|
|
743
|
-
|
|
744
740
|
|
|
745
741
|
// Renegotiation indication.
|
|
746
742
|
//
|
|
@@ -1942,13 +1938,10 @@ static bool should_offer_psk(const SSL_HANDSHAKE *hs,
|
|
|
1942
1938
|
const SSL *const ssl = hs->ssl;
|
|
1943
1939
|
if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
|
|
1944
1940
|
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
|
|
1945
|
-
//
|
|
1946
|
-
//
|
|
1947
|
-
//
|
|
1948
|
-
//
|
|
1949
|
-
// Later drafts will recommend including a placeholder one, at which point
|
|
1950
|
-
// we will need to synthesize a ticket. See
|
|
1951
|
-
// https://github.com/tlswg/draft-ietf-tls-esni/issues/408
|
|
1941
|
+
// TODO(https://crbug.com/boringssl/275): Should we synthesize a
|
|
1942
|
+
// placeholder PSK, at least when we offer early data? Otherwise
|
|
1943
|
+
// ClientHelloOuter will contain an early_data extension without a
|
|
1944
|
+
// pre_shared_key extension and potentially break the recovery flow.
|
|
1952
1945
|
type == ssl_client_hello_outer) {
|
|
1953
1946
|
return false;
|
|
1954
1947
|
}
|
|
@@ -1991,7 +1984,6 @@ static bool ext_pre_shared_key_add_clienthello(const SSL_HANDSHAKE *hs,
|
|
|
1991
1984
|
|
|
1992
1985
|
// Fill in a placeholder zero binder of the appropriate length. It will be
|
|
1993
1986
|
// computed and filled in later after length prefixes are computed.
|
|
1994
|
-
uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
|
|
1995
1987
|
size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
|
|
1996
1988
|
|
|
1997
1989
|
CBB contents, identity, ticket, binders, binder;
|
|
@@ -2004,7 +1996,7 @@ static bool ext_pre_shared_key_add_clienthello(const SSL_HANDSHAKE *hs,
|
|
|
2004
1996
|
!CBB_add_u32(&identity, obfuscated_ticket_age) ||
|
|
2005
1997
|
!CBB_add_u16_length_prefixed(&contents, &binders) ||
|
|
2006
1998
|
!CBB_add_u8_length_prefixed(&binders, &binder) ||
|
|
2007
|
-
!
|
|
1999
|
+
!CBB_add_zeros(&binder, binder_len)) {
|
|
2008
2000
|
return false;
|
|
2009
2001
|
}
|
|
2010
2002
|
|
|
@@ -2184,10 +2176,7 @@ static bool ext_early_data_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
|
|
|
2184
2176
|
// If offering ECH, the extension only applies to ClientHelloInner, but we
|
|
2185
2177
|
// send the extension in both ClientHellos. This ensures that, if the server
|
|
2186
2178
|
// handshakes with ClientHelloOuter, it can skip past early data. See
|
|
2187
|
-
//
|
|
2188
|
-
//
|
|
2189
|
-
// TODO(https://crbug.com/boringssl/275): Replace this with a reference to the
|
|
2190
|
-
// right section in the next draft.
|
|
2179
|
+
// draft-ietf-tls-esni-13, section 6.1.
|
|
2191
2180
|
if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_early_data) ||
|
|
2192
2181
|
!CBB_add_u16(out_compressible, 0) ||
|
|
2193
2182
|
!CBB_flush(out_compressible)) {
|
|
@@ -3110,13 +3099,6 @@ static const struct tls_extension kExtensions[] = {
|
|
|
3110
3099
|
ext_ech_parse_clienthello,
|
|
3111
3100
|
ext_ech_add_serverhello,
|
|
3112
3101
|
},
|
|
3113
|
-
{
|
|
3114
|
-
TLSEXT_TYPE_ech_is_inner,
|
|
3115
|
-
ext_ech_is_inner_add_clienthello,
|
|
3116
|
-
forbid_parse_serverhello,
|
|
3117
|
-
ext_ech_is_inner_parse_clienthello,
|
|
3118
|
-
dont_add_serverhello,
|
|
3119
|
-
},
|
|
3120
3102
|
{
|
|
3121
3103
|
TLSEXT_TYPE_extended_master_secret,
|
|
3122
3104
|
ext_ems_add_clienthello,
|
|
@@ -3324,14 +3306,12 @@ static const struct tls_extension *tls_extension_find(uint32_t *out_index,
|
|
|
3324
3306
|
|
|
3325
3307
|
static bool add_padding_extension(CBB *cbb, uint16_t ext, size_t len) {
|
|
3326
3308
|
CBB child;
|
|
3327
|
-
uint8_t *ptr;
|
|
3328
3309
|
if (!CBB_add_u16(cbb, ext) || //
|
|
3329
3310
|
!CBB_add_u16_length_prefixed(cbb, &child) ||
|
|
3330
|
-
!
|
|
3311
|
+
!CBB_add_zeros(&child, len)) {
|
|
3331
3312
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
3332
3313
|
return false;
|
|
3333
3314
|
}
|
|
3334
|
-
OPENSSL_memset(ptr, 0, len);
|
|
3335
3315
|
return CBB_flush(cbb);
|
|
3336
3316
|
}
|
|
3337
3317
|
|
|
@@ -3404,34 +3384,6 @@ static bool ssl_add_clienthello_tlsext_inner(SSL_HANDSHAKE *hs, CBB *out,
|
|
|
3404
3384
|
}
|
|
3405
3385
|
}
|
|
3406
3386
|
|
|
3407
|
-
// Pad the server name. See draft-ietf-tls-esni-10, section 6.1.2.
|
|
3408
|
-
// TODO(https://crbug.com/boringssl/275): Ideally we'd pad the whole thing to
|
|
3409
|
-
// reduce the output range. See
|
|
3410
|
-
// https://github.com/tlswg/draft-ietf-tls-esni/issues/433
|
|
3411
|
-
size_t padding_len = 0;
|
|
3412
|
-
size_t maximum_name_length = hs->selected_ech_config->maximum_name_length;
|
|
3413
|
-
if (ssl->hostname) {
|
|
3414
|
-
size_t hostname_len = strlen(ssl->hostname.get());
|
|
3415
|
-
if (hostname_len <= maximum_name_length) {
|
|
3416
|
-
padding_len = maximum_name_length - hostname_len;
|
|
3417
|
-
} else {
|
|
3418
|
-
// If the server underestimated the maximum size, pad to a multiple of 32.
|
|
3419
|
-
padding_len = 31 - (hostname_len - 1) % 32;
|
|
3420
|
-
// If the input is close to |maximum_name_length|, pad to the next
|
|
3421
|
-
// multiple for at least 32 bytes of length ambiguity.
|
|
3422
|
-
if (hostname_len + padding_len < maximum_name_length + 32) {
|
|
3423
|
-
padding_len += 32;
|
|
3424
|
-
}
|
|
3425
|
-
}
|
|
3426
|
-
} else {
|
|
3427
|
-
// No SNI. Pad up to |maximum_name_length|, including server_name extension
|
|
3428
|
-
// overhead.
|
|
3429
|
-
padding_len = 9 + maximum_name_length;
|
|
3430
|
-
}
|
|
3431
|
-
if (!add_padding_extension(&extensions, TLSEXT_TYPE_padding, padding_len)) {
|
|
3432
|
-
return false;
|
|
3433
|
-
}
|
|
3434
|
-
|
|
3435
3387
|
// Uncompressed extensions are encoded as-is.
|
|
3436
3388
|
if (!CBB_add_bytes(&extensions_encoded, CBB_data(&extensions),
|
|
3437
3389
|
CBB_len(&extensions))) {
|
|
@@ -3473,8 +3425,8 @@ static bool ssl_add_clienthello_tlsext_inner(SSL_HANDSHAKE *hs, CBB *out,
|
|
|
3473
3425
|
|
|
3474
3426
|
bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, CBB *out_encoded,
|
|
3475
3427
|
bool *out_needs_psk_binder,
|
|
3476
|
-
ssl_client_hello_type_t type,
|
|
3477
|
-
size_t
|
|
3428
|
+
ssl_client_hello_type_t type,
|
|
3429
|
+
size_t header_len) {
|
|
3478
3430
|
*out_needs_psk_binder = false;
|
|
3479
3431
|
|
|
3480
3432
|
if (type == ssl_client_hello_inner) {
|
|
@@ -3507,20 +3459,14 @@ bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, CBB *out_encoded,
|
|
|
3507
3459
|
size_t i = hs->extension_permutation.empty()
|
|
3508
3460
|
? unpermuted
|
|
3509
3461
|
: hs->extension_permutation[unpermuted];
|
|
3510
|
-
size_t
|
|
3511
|
-
if (
|
|
3512
|
-
|
|
3513
|
-
|
|
3514
|
-
|
|
3515
|
-
const size_t len_before = CBB_len(&extensions);
|
|
3516
|
-
if (!kExtensions[i].add_clienthello(hs, &extensions, &extensions, type)) {
|
|
3517
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
|
|
3518
|
-
ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
|
|
3519
|
-
return false;
|
|
3520
|
-
}
|
|
3521
|
-
|
|
3522
|
-
bytes_written = CBB_len(&extensions) - len_before;
|
|
3462
|
+
const size_t len_before = CBB_len(&extensions);
|
|
3463
|
+
if (!kExtensions[i].add_clienthello(hs, &extensions, &extensions, type)) {
|
|
3464
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
|
|
3465
|
+
ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
|
|
3466
|
+
return false;
|
|
3523
3467
|
}
|
|
3468
|
+
|
|
3469
|
+
const size_t bytes_written = CBB_len(&extensions) - len_before;
|
|
3524
3470
|
if (bytes_written != 0) {
|
|
3525
3471
|
hs->extensions.sent |= (1u << i);
|
|
3526
3472
|
}
|
|
@@ -3544,8 +3490,8 @@ bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, CBB *out_encoded,
|
|
|
3544
3490
|
size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs, type);
|
|
3545
3491
|
if (!SSL_is_dtls(ssl) && !ssl->quic_method &&
|
|
3546
3492
|
!ssl->s3->used_hello_retry_request) {
|
|
3547
|
-
header_len +=
|
|
3548
|
-
|
|
3493
|
+
header_len +=
|
|
3494
|
+
SSL3_HM_HEADER_LENGTH + 2 + CBB_len(&extensions) + psk_extension_len;
|
|
3549
3495
|
size_t padding_len = 0;
|
|
3550
3496
|
|
|
3551
3497
|
// The final extension must be non-empty. WebSphere Application
|
|
@@ -3719,18 +3665,10 @@ bool ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,
|
|
|
3719
3665
|
return true;
|
|
3720
3666
|
}
|
|
3721
3667
|
|
|
3722
|
-
static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
|
|
3668
|
+
static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, const CBS *cbs,
|
|
3723
3669
|
int *out_alert) {
|
|
3724
|
-
|
|
3725
|
-
|
|
3726
|
-
if (CBS_len(cbs) == 0 && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
|
|
3727
|
-
return true;
|
|
3728
|
-
}
|
|
3729
|
-
|
|
3730
|
-
// Decode the extensions block and check it is valid.
|
|
3731
|
-
CBS extensions;
|
|
3732
|
-
if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
|
|
3733
|
-
!tls1_check_duplicate_extensions(&extensions)) {
|
|
3670
|
+
CBS extensions = *cbs;
|
|
3671
|
+
if (!tls1_check_duplicate_extensions(&extensions)) {
|
|
3734
3672
|
*out_alert = SSL_AD_DECODE_ERROR;
|
|
3735
3673
|
return false;
|
|
3736
3674
|
}
|
|
@@ -3852,7 +3790,7 @@ static bool ssl_check_serverhello_tlsext(SSL_HANDSHAKE *hs) {
|
|
|
3852
3790
|
return true;
|
|
3853
3791
|
}
|
|
3854
3792
|
|
|
3855
|
-
bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs) {
|
|
3793
|
+
bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, const CBS *cbs) {
|
|
3856
3794
|
SSL *const ssl = hs->ssl;
|
|
3857
3795
|
int alert = SSL_AD_DECODE_ERROR;
|
|
3858
3796
|
if (!ssl_scan_serverhello_tlsext(hs, cbs, &alert)) {
|
|
@@ -3880,8 +3818,8 @@ static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx(
|
|
|
3880
3818
|
return ssl_ticket_aead_ignore_ticket;
|
|
3881
3819
|
}
|
|
3882
3820
|
// Split the ticket into the ticket and the MAC.
|
|
3883
|
-
auto ticket_mac = ticket.
|
|
3884
|
-
ticket = ticket.
|
|
3821
|
+
auto ticket_mac = ticket.last(mac_len);
|
|
3822
|
+
ticket = ticket.first(ticket.size() - mac_len);
|
|
3885
3823
|
HMAC_Update(hmac_ctx, ticket.data(), ticket.size());
|
|
3886
3824
|
HMAC_Final(hmac_ctx, mac, NULL);
|
|
3887
3825
|
assert(mac_len == ticket_mac.size());
|
|
@@ -126,8 +126,7 @@ BSSL_NAMESPACE_BEGIN
|
|
|
126
126
|
|
|
127
127
|
SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg)
|
|
128
128
|
: ssl(ssl_arg),
|
|
129
|
-
|
|
130
|
-
ech_is_inner_present(false),
|
|
129
|
+
ech_is_inner(false),
|
|
131
130
|
ech_authenticated_reject(false),
|
|
132
131
|
scts_requested(false),
|
|
133
132
|
handshake_finalized(false),
|
|
@@ -268,12 +267,15 @@ bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
|
|
|
268
267
|
}
|
|
269
268
|
|
|
270
269
|
bool ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
|
|
271
|
-
|
|
270
|
+
std::initializer_list<SSLExtension *> extensions,
|
|
272
271
|
bool ignore_unknown) {
|
|
273
272
|
// Reset everything.
|
|
274
|
-
for (
|
|
275
|
-
|
|
276
|
-
CBS_init(
|
|
273
|
+
for (SSLExtension *ext : extensions) {
|
|
274
|
+
ext->present = false;
|
|
275
|
+
CBS_init(&ext->data, nullptr, 0);
|
|
276
|
+
if (!ext->allowed) {
|
|
277
|
+
assert(!ignore_unknown);
|
|
278
|
+
}
|
|
277
279
|
}
|
|
278
280
|
|
|
279
281
|
CBS copy = *cbs;
|
|
@@ -287,10 +289,10 @@ bool ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
|
|
|
287
289
|
return false;
|
|
288
290
|
}
|
|
289
291
|
|
|
290
|
-
|
|
291
|
-
for (
|
|
292
|
-
if (type ==
|
|
293
|
-
found =
|
|
292
|
+
SSLExtension *found = nullptr;
|
|
293
|
+
for (SSLExtension *ext : extensions) {
|
|
294
|
+
if (type == ext->type && ext->allowed) {
|
|
295
|
+
found = ext;
|
|
294
296
|
break;
|
|
295
297
|
}
|
|
296
298
|
}
|
|
@@ -305,14 +307,14 @@ bool ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
|
|
|
305
307
|
}
|
|
306
308
|
|
|
307
309
|
// Duplicate ext_types are forbidden.
|
|
308
|
-
if (
|
|
310
|
+
if (found->present) {
|
|
309
311
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
|
|
310
312
|
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
|
311
313
|
return false;
|
|
312
314
|
}
|
|
313
315
|
|
|
314
|
-
|
|
315
|
-
|
|
316
|
+
found->present = true;
|
|
317
|
+
found->data = data;
|
|
316
318
|
}
|
|
317
319
|
|
|
318
320
|
return true;
|