grpc 1.41.0 → 1.41.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +4 -3
- data/etc/roots.pem +335 -326
- data/src/ruby/ext/grpc/extconf.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/err_data.c +278 -272
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +15 -22
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +13 -7
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +19 -29
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/a_strex.c +268 -271
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +6 -43
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +0 -39
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/charmap.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +289 -198
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +9 -13
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -17
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +9 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +45 -65
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +21 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +5 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +10 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +24 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +12 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +0 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +0 -8
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/internal.h +16 -7
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7.c +9 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +151 -12
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +181 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +246 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +11 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +0 -179
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +0 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +11 -50
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +0 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +22 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_int.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +24 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +17 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +112 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +71 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +304 -192
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +2 -9
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +5 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +3 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +9 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +8 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/hkdf.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +9 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -20
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +12 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +37 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +26 -12
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +31 -32
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +50 -76
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +0 -131
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +48 -8
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +266 -357
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +90 -152
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +15 -13
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +75 -79
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +96 -97
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +63 -43
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +6 -12
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +14 -16
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +14 -27
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +203 -203
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +30 -41
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +47 -33
- metadata +39 -38
|
@@ -333,8 +333,7 @@ bool ssl_add_client_hello(SSL_HANDSHAKE *hs) {
|
|
|
333
333
|
!ssl_write_client_hello_without_extensions(hs, &body, type,
|
|
334
334
|
/*empty_session_id*/ false) ||
|
|
335
335
|
!ssl_add_clienthello_tlsext(hs, &body, /*out_encoded=*/nullptr,
|
|
336
|
-
&needs_psk_binder, type, CBB_len(&body)
|
|
337
|
-
/*omit_ech_len=*/0) ||
|
|
336
|
+
&needs_psk_binder, type, CBB_len(&body)) ||
|
|
338
337
|
!ssl->method->finish_message(ssl, cbb.get(), &msg)) {
|
|
339
338
|
return false;
|
|
340
339
|
}
|
|
@@ -354,42 +353,31 @@ bool ssl_add_client_hello(SSL_HANDSHAKE *hs) {
|
|
|
354
353
|
return ssl->method->add_message(ssl, std::move(msg));
|
|
355
354
|
}
|
|
356
355
|
|
|
357
|
-
static bool
|
|
358
|
-
|
|
359
|
-
|
|
360
|
-
// the outer version.
|
|
361
|
-
|
|
356
|
+
static bool parse_server_version(const SSL_HANDSHAKE *hs, uint16_t *out_version,
|
|
357
|
+
uint8_t *out_alert,
|
|
358
|
+
const ParsedServerHello &server_hello) {
|
|
359
|
+
// If the outer version is not TLS 1.2, use it.
|
|
360
|
+
// TODO(davidben): This function doesn't quite match the RFC8446 formulation.
|
|
361
|
+
if (server_hello.legacy_version != TLS1_2_VERSION) {
|
|
362
|
+
*out_version = server_hello.legacy_version;
|
|
362
363
|
return true;
|
|
363
364
|
}
|
|
364
365
|
|
|
365
|
-
|
|
366
|
-
CBS
|
|
367
|
-
if (!
|
|
368
|
-
|
|
369
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
370
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
|
366
|
+
SSLExtension supported_versions(TLSEXT_TYPE_supported_versions);
|
|
367
|
+
CBS extensions = server_hello.extensions;
|
|
368
|
+
if (!ssl_parse_extensions(&extensions, out_alert, {&supported_versions},
|
|
369
|
+
/*ignore_unknown=*/true)) {
|
|
371
370
|
return false;
|
|
372
371
|
}
|
|
373
372
|
|
|
374
|
-
|
|
375
|
-
|
|
376
|
-
|
|
377
|
-
{TLSEXT_TYPE_supported_versions, &have_supported_versions,
|
|
378
|
-
&supported_versions},
|
|
379
|
-
};
|
|
380
|
-
|
|
381
|
-
uint8_t alert = SSL_AD_DECODE_ERROR;
|
|
382
|
-
if (!ssl_parse_extensions(&extensions, &alert, ext_types,
|
|
383
|
-
/*ignore_unknown=*/true)) {
|
|
384
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
385
|
-
return false;
|
|
373
|
+
if (!supported_versions.present) {
|
|
374
|
+
*out_version = server_hello.legacy_version;
|
|
375
|
+
return true;
|
|
386
376
|
}
|
|
387
377
|
|
|
388
|
-
|
|
389
|
-
|
|
390
|
-
|
|
391
|
-
CBS_len(&supported_versions) != 0)) {
|
|
392
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
|
378
|
+
if (!CBS_get_u16(&supported_versions.data, out_version) ||
|
|
379
|
+
CBS_len(&supported_versions.data) != 0) {
|
|
380
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
|
393
381
|
return false;
|
|
394
382
|
}
|
|
395
383
|
|
|
@@ -445,7 +433,7 @@ static ssl_early_data_reason_t should_offer_early_data(
|
|
|
445
433
|
}
|
|
446
434
|
|
|
447
435
|
void ssl_done_writing_client_hello(SSL_HANDSHAKE *hs) {
|
|
448
|
-
hs->
|
|
436
|
+
hs->ech_client_outer.Reset();
|
|
449
437
|
hs->cookie.Reset();
|
|
450
438
|
hs->key_share_bytes.Reset();
|
|
451
439
|
}
|
|
@@ -657,6 +645,38 @@ static enum ssl_hs_wait_t do_read_hello_verify_request(SSL_HANDSHAKE *hs) {
|
|
|
657
645
|
return ssl_hs_flush;
|
|
658
646
|
}
|
|
659
647
|
|
|
648
|
+
bool ssl_parse_server_hello(ParsedServerHello *out, uint8_t *out_alert,
|
|
649
|
+
const SSLMessage &msg) {
|
|
650
|
+
if (msg.type != SSL3_MT_SERVER_HELLO) {
|
|
651
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
|
|
652
|
+
*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
|
|
653
|
+
return false;
|
|
654
|
+
}
|
|
655
|
+
out->raw = msg.raw;
|
|
656
|
+
CBS body = msg.body;
|
|
657
|
+
if (!CBS_get_u16(&body, &out->legacy_version) ||
|
|
658
|
+
!CBS_get_bytes(&body, &out->random, SSL3_RANDOM_SIZE) ||
|
|
659
|
+
!CBS_get_u8_length_prefixed(&body, &out->session_id) ||
|
|
660
|
+
CBS_len(&out->session_id) > SSL3_SESSION_ID_SIZE ||
|
|
661
|
+
!CBS_get_u16(&body, &out->cipher_suite) ||
|
|
662
|
+
!CBS_get_u8(&body, &out->compression_method)) {
|
|
663
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
664
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
|
665
|
+
return false;
|
|
666
|
+
}
|
|
667
|
+
// In TLS 1.2 and below, empty extensions blocks may be omitted. In TLS 1.3,
|
|
668
|
+
// ServerHellos always have extensions, so this can be applied generically.
|
|
669
|
+
CBS_init(&out->extensions, nullptr, 0);
|
|
670
|
+
if ((CBS_len(&body) != 0 &&
|
|
671
|
+
!CBS_get_u16_length_prefixed(&body, &out->extensions)) ||
|
|
672
|
+
CBS_len(&body) != 0) {
|
|
673
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
674
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
|
675
|
+
return false;
|
|
676
|
+
}
|
|
677
|
+
return true;
|
|
678
|
+
}
|
|
679
|
+
|
|
660
680
|
static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
661
681
|
SSL *const ssl = hs->ssl;
|
|
662
682
|
SSLMessage msg;
|
|
@@ -664,26 +684,12 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
|
664
684
|
return ssl_hs_read_server_hello;
|
|
665
685
|
}
|
|
666
686
|
|
|
667
|
-
|
|
668
|
-
|
|
669
|
-
|
|
670
|
-
|
|
671
|
-
|
|
672
|
-
|
|
673
|
-
uint8_t compression_method;
|
|
674
|
-
if (!CBS_get_u16(&server_hello, &server_version) ||
|
|
675
|
-
!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE) ||
|
|
676
|
-
!CBS_get_u8_length_prefixed(&server_hello, &session_id) ||
|
|
677
|
-
CBS_len(&session_id) > SSL3_SESSION_ID_SIZE ||
|
|
678
|
-
!CBS_get_u16(&server_hello, &cipher_suite) ||
|
|
679
|
-
!CBS_get_u8(&server_hello, &compression_method)) {
|
|
680
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
681
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
|
682
|
-
return ssl_hs_error;
|
|
683
|
-
}
|
|
684
|
-
|
|
685
|
-
// Use the supported_versions extension if applicable.
|
|
686
|
-
if (!parse_supported_versions(hs, &server_version, &server_hello)) {
|
|
687
|
+
ParsedServerHello server_hello;
|
|
688
|
+
uint16_t server_version;
|
|
689
|
+
uint8_t alert = SSL_AD_DECODE_ERROR;
|
|
690
|
+
if (!ssl_parse_server_hello(&server_hello, &alert, msg) ||
|
|
691
|
+
!parse_server_version(hs, &server_version, &alert, server_hello)) {
|
|
692
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
687
693
|
return ssl_hs_error;
|
|
688
694
|
}
|
|
689
695
|
|
|
@@ -737,7 +743,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
|
737
743
|
}
|
|
738
744
|
|
|
739
745
|
// Copy over the server random.
|
|
740
|
-
OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&
|
|
746
|
+
OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_hello.random),
|
|
741
747
|
SSL3_RANDOM_SIZE);
|
|
742
748
|
|
|
743
749
|
// Enforce the TLS 1.3 anti-downgrade feature.
|
|
@@ -760,28 +766,26 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
|
760
766
|
}
|
|
761
767
|
}
|
|
762
768
|
|
|
763
|
-
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
|
|
764
|
-
if (cipher == NULL) {
|
|
765
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);
|
|
766
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
767
|
-
return ssl_hs_error;
|
|
768
|
-
}
|
|
769
|
-
hs->new_cipher = cipher;
|
|
770
|
-
|
|
771
769
|
// The cipher must be allowed in the selected version and enabled.
|
|
770
|
+
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(server_hello.cipher_suite);
|
|
772
771
|
uint32_t mask_a, mask_k;
|
|
773
772
|
ssl_get_client_disabled(hs, &mask_a, &mask_k);
|
|
774
|
-
if (
|
|
773
|
+
if (cipher == nullptr ||
|
|
774
|
+
(cipher->algorithm_mkey & mask_k) ||
|
|
775
|
+
(cipher->algorithm_auth & mask_a) ||
|
|
775
776
|
SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
|
|
776
777
|
SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||
|
|
777
|
-
!sk_SSL_CIPHER_find(SSL_get_ciphers(ssl),
|
|
778
|
+
!sk_SSL_CIPHER_find(SSL_get_ciphers(ssl), nullptr, cipher)) {
|
|
778
779
|
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
|
|
779
780
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
780
781
|
return ssl_hs_error;
|
|
781
782
|
}
|
|
782
783
|
|
|
784
|
+
hs->new_cipher = cipher;
|
|
785
|
+
|
|
783
786
|
if (hs->session_id_len != 0 &&
|
|
784
|
-
CBS_mem_equal(&session_id, hs->session_id,
|
|
787
|
+
CBS_mem_equal(&server_hello.session_id, hs->session_id,
|
|
788
|
+
hs->session_id_len)) {
|
|
785
789
|
// Echoing the ClientHello session ID in TLS 1.2, whether from the session
|
|
786
790
|
// or a synthetic one, indicates resumption. If there was no session (or if
|
|
787
791
|
// the session was only offered in ECH ClientHelloInner), this was the
|
|
@@ -799,7 +803,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
|
799
803
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
800
804
|
return ssl_hs_error;
|
|
801
805
|
}
|
|
802
|
-
if (ssl->session->cipher !=
|
|
806
|
+
if (ssl->session->cipher != hs->new_cipher) {
|
|
803
807
|
OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
|
|
804
808
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
805
809
|
return ssl_hs_error;
|
|
@@ -822,10 +826,11 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
|
822
826
|
return ssl_hs_error;
|
|
823
827
|
}
|
|
824
828
|
// Note: session_id could be empty.
|
|
825
|
-
hs->new_session->session_id_length = CBS_len(&session_id);
|
|
826
|
-
OPENSSL_memcpy(hs->new_session->session_id,
|
|
827
|
-
|
|
828
|
-
|
|
829
|
+
hs->new_session->session_id_length = CBS_len(&server_hello.session_id);
|
|
830
|
+
OPENSSL_memcpy(hs->new_session->session_id,
|
|
831
|
+
CBS_data(&server_hello.session_id),
|
|
832
|
+
CBS_len(&server_hello.session_id));
|
|
833
|
+
hs->new_session->cipher = hs->new_cipher;
|
|
829
834
|
}
|
|
830
835
|
|
|
831
836
|
// Now that the cipher is known, initialize the handshake hash and hash the
|
|
@@ -845,26 +850,17 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
|
845
850
|
}
|
|
846
851
|
|
|
847
852
|
// Only the NULL compression algorithm is supported.
|
|
848
|
-
if (compression_method != 0) {
|
|
853
|
+
if (server_hello.compression_method != 0) {
|
|
849
854
|
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
|
|
850
855
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
851
856
|
return ssl_hs_error;
|
|
852
857
|
}
|
|
853
858
|
|
|
854
|
-
|
|
855
|
-
if (!ssl_parse_serverhello_tlsext(hs, &server_hello)) {
|
|
859
|
+
if (!ssl_parse_serverhello_tlsext(hs, &server_hello.extensions)) {
|
|
856
860
|
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
|
|
857
861
|
return ssl_hs_error;
|
|
858
862
|
}
|
|
859
863
|
|
|
860
|
-
// There should be nothing left over in the record.
|
|
861
|
-
if (CBS_len(&server_hello) != 0) {
|
|
862
|
-
// wrong packet length
|
|
863
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
864
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
|
865
|
-
return ssl_hs_error;
|
|
866
|
-
}
|
|
867
|
-
|
|
868
864
|
if (ssl->session != NULL &&
|
|
869
865
|
hs->extended_master_secret != ssl->session->extended_master_secret) {
|
|
870
866
|
if (ssl->session->extended_master_secret) {
|
|
@@ -504,6 +504,91 @@ static bool is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO *client_hello) {
|
|
|
504
504
|
return true;
|
|
505
505
|
}
|
|
506
506
|
|
|
507
|
+
static bool decrypt_ech(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
508
|
+
const SSL_CLIENT_HELLO *client_hello) {
|
|
509
|
+
SSL *const ssl = hs->ssl;
|
|
510
|
+
CBS body;
|
|
511
|
+
if (!ssl_client_hello_get_extension(client_hello, &body,
|
|
512
|
+
TLSEXT_TYPE_encrypted_client_hello)) {
|
|
513
|
+
return true;
|
|
514
|
+
}
|
|
515
|
+
uint8_t type;
|
|
516
|
+
if (!CBS_get_u8(&body, &type)) {
|
|
517
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
518
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
|
519
|
+
return false;
|
|
520
|
+
}
|
|
521
|
+
if (type != ECH_CLIENT_OUTER) {
|
|
522
|
+
return true;
|
|
523
|
+
}
|
|
524
|
+
// This is a ClientHelloOuter ECH extension. Attempt to decrypt it.
|
|
525
|
+
uint8_t config_id;
|
|
526
|
+
uint16_t kdf_id, aead_id;
|
|
527
|
+
CBS enc, payload;
|
|
528
|
+
if (!CBS_get_u16(&body, &kdf_id) || //
|
|
529
|
+
!CBS_get_u16(&body, &aead_id) || //
|
|
530
|
+
!CBS_get_u8(&body, &config_id) ||
|
|
531
|
+
!CBS_get_u16_length_prefixed(&body, &enc) ||
|
|
532
|
+
!CBS_get_u16_length_prefixed(&body, &payload) || //
|
|
533
|
+
CBS_len(&body) != 0) {
|
|
534
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
535
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
|
536
|
+
return false;
|
|
537
|
+
}
|
|
538
|
+
|
|
539
|
+
{
|
|
540
|
+
MutexReadLock lock(&ssl->ctx->lock);
|
|
541
|
+
hs->ech_keys = UpRef(ssl->ctx->ech_keys);
|
|
542
|
+
}
|
|
543
|
+
|
|
544
|
+
if (!hs->ech_keys) {
|
|
545
|
+
ssl->s3->ech_status = ssl_ech_rejected;
|
|
546
|
+
return true;
|
|
547
|
+
}
|
|
548
|
+
|
|
549
|
+
for (const auto &config : hs->ech_keys->configs) {
|
|
550
|
+
hs->ech_hpke_ctx.Reset();
|
|
551
|
+
if (config_id != config->ech_config().config_id ||
|
|
552
|
+
!config->SetupContext(hs->ech_hpke_ctx.get(), kdf_id, aead_id, enc)) {
|
|
553
|
+
// Ignore the error and try another ECHConfig.
|
|
554
|
+
ERR_clear_error();
|
|
555
|
+
continue;
|
|
556
|
+
}
|
|
557
|
+
Array<uint8_t> encoded_client_hello_inner;
|
|
558
|
+
bool is_decrypt_error;
|
|
559
|
+
if (!ssl_client_hello_decrypt(hs->ech_hpke_ctx.get(),
|
|
560
|
+
&encoded_client_hello_inner,
|
|
561
|
+
&is_decrypt_error, client_hello, payload)) {
|
|
562
|
+
if (is_decrypt_error) {
|
|
563
|
+
// Ignore the error and try another ECHConfig.
|
|
564
|
+
ERR_clear_error();
|
|
565
|
+
continue;
|
|
566
|
+
}
|
|
567
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
|
|
568
|
+
return false;
|
|
569
|
+
}
|
|
570
|
+
|
|
571
|
+
// Recover the ClientHelloInner from the EncodedClientHelloInner.
|
|
572
|
+
bssl::Array<uint8_t> client_hello_inner;
|
|
573
|
+
if (!ssl_decode_client_hello_inner(ssl, out_alert, &client_hello_inner,
|
|
574
|
+
encoded_client_hello_inner,
|
|
575
|
+
client_hello)) {
|
|
576
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
577
|
+
return false;
|
|
578
|
+
}
|
|
579
|
+
hs->ech_client_hello_buf = std::move(client_hello_inner);
|
|
580
|
+
hs->ech_config_id = config_id;
|
|
581
|
+
ssl->s3->ech_status = ssl_ech_accepted;
|
|
582
|
+
return true;
|
|
583
|
+
}
|
|
584
|
+
|
|
585
|
+
// If we did not accept ECH, proceed with the ClientHelloOuter. Note this
|
|
586
|
+
// could be key mismatch or ECH GREASE, so we must complete the handshake
|
|
587
|
+
// as usual, except EncryptedExtensions will contain retry configs.
|
|
588
|
+
ssl->s3->ech_status = ssl_ech_rejected;
|
|
589
|
+
return true;
|
|
590
|
+
}
|
|
591
|
+
|
|
507
592
|
static bool extract_sni(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
508
593
|
const SSL_CLIENT_HELLO *client_hello) {
|
|
509
594
|
SSL *const ssl = hs->ssl;
|
|
@@ -583,98 +668,19 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
|
|
|
583
668
|
return ssl_hs_handoff;
|
|
584
669
|
}
|
|
585
670
|
|
|
586
|
-
|
|
587
|
-
|
|
588
|
-
|
|
589
|
-
|
|
590
|
-
|
|
591
|
-
TLSEXT_TYPE_encrypted_client_hello)) {
|
|
592
|
-
CBS unused;
|
|
593
|
-
if (ssl_client_hello_get_extension(&client_hello, &unused,
|
|
594
|
-
TLSEXT_TYPE_ech_is_inner)) {
|
|
595
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
|
596
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
597
|
-
return ssl_hs_error;
|
|
598
|
-
}
|
|
599
|
-
|
|
600
|
-
// Parse a ClientECH out of the extension body.
|
|
601
|
-
uint8_t config_id;
|
|
602
|
-
uint16_t kdf_id, aead_id;
|
|
603
|
-
CBS enc, payload;
|
|
604
|
-
if (!CBS_get_u16(&ech_body, &kdf_id) || //
|
|
605
|
-
!CBS_get_u16(&ech_body, &aead_id) ||
|
|
606
|
-
!CBS_get_u8(&ech_body, &config_id) ||
|
|
607
|
-
!CBS_get_u16_length_prefixed(&ech_body, &enc) ||
|
|
608
|
-
!CBS_get_u16_length_prefixed(&ech_body, &payload) ||
|
|
609
|
-
CBS_len(&ech_body) != 0) {
|
|
610
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
611
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
|
612
|
-
return ssl_hs_error;
|
|
613
|
-
}
|
|
614
|
-
|
|
615
|
-
{
|
|
616
|
-
MutexReadLock lock(&ssl->ctx->lock);
|
|
617
|
-
hs->ech_keys = UpRef(ssl->ctx->ech_keys);
|
|
618
|
-
}
|
|
619
|
-
|
|
620
|
-
if (hs->ech_keys) {
|
|
621
|
-
for (const auto &config : hs->ech_keys->configs) {
|
|
622
|
-
hs->ech_hpke_ctx.Reset();
|
|
623
|
-
if (config_id != config->ech_config().config_id ||
|
|
624
|
-
!config->SetupContext(hs->ech_hpke_ctx.get(), kdf_id, aead_id,
|
|
625
|
-
enc)) {
|
|
626
|
-
// Ignore the error and try another ECHConfig.
|
|
627
|
-
ERR_clear_error();
|
|
628
|
-
continue;
|
|
629
|
-
}
|
|
630
|
-
Array<uint8_t> encoded_client_hello_inner;
|
|
631
|
-
bool is_decrypt_error;
|
|
632
|
-
if (!ssl_client_hello_decrypt(hs->ech_hpke_ctx.get(),
|
|
633
|
-
&encoded_client_hello_inner,
|
|
634
|
-
&is_decrypt_error, &client_hello, kdf_id,
|
|
635
|
-
aead_id, config_id, enc, payload)) {
|
|
636
|
-
if (is_decrypt_error) {
|
|
637
|
-
// Ignore the error and try another ECHConfig.
|
|
638
|
-
ERR_clear_error();
|
|
639
|
-
continue;
|
|
640
|
-
}
|
|
641
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
|
|
642
|
-
return ssl_hs_error;
|
|
643
|
-
}
|
|
644
|
-
|
|
645
|
-
// Recover the ClientHelloInner from the EncodedClientHelloInner.
|
|
646
|
-
uint8_t alert = SSL_AD_DECODE_ERROR;
|
|
647
|
-
bssl::Array<uint8_t> client_hello_inner;
|
|
648
|
-
if (!ssl_decode_client_hello_inner(ssl, &alert, &client_hello_inner,
|
|
649
|
-
encoded_client_hello_inner,
|
|
650
|
-
&client_hello)) {
|
|
651
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
652
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
653
|
-
return ssl_hs_error;
|
|
654
|
-
}
|
|
655
|
-
hs->ech_client_hello_buf = std::move(client_hello_inner);
|
|
656
|
-
|
|
657
|
-
// Load the ClientHelloInner into |client_hello|.
|
|
658
|
-
if (!hs->GetClientHello(&msg, &client_hello)) {
|
|
659
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
660
|
-
return ssl_hs_error;
|
|
661
|
-
}
|
|
662
|
-
|
|
663
|
-
hs->ech_config_id = config_id;
|
|
664
|
-
ssl->s3->ech_status = ssl_ech_accepted;
|
|
665
|
-
break;
|
|
666
|
-
}
|
|
667
|
-
}
|
|
671
|
+
uint8_t alert = SSL_AD_DECODE_ERROR;
|
|
672
|
+
if (!decrypt_ech(hs, &alert, &client_hello)) {
|
|
673
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
674
|
+
return ssl_hs_error;
|
|
675
|
+
}
|
|
668
676
|
|
|
669
|
-
|
|
670
|
-
|
|
671
|
-
|
|
672
|
-
|
|
673
|
-
|
|
674
|
-
}
|
|
677
|
+
// ECH may have changed which ClientHello we process. Update |msg| and
|
|
678
|
+
// |client_hello| in case.
|
|
679
|
+
if (!hs->GetClientHello(&msg, &client_hello)) {
|
|
680
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
681
|
+
return ssl_hs_error;
|
|
675
682
|
}
|
|
676
683
|
|
|
677
|
-
uint8_t alert = SSL_AD_DECODE_ERROR;
|
|
678
684
|
if (!extract_sni(hs, &alert, &client_hello)) {
|
|
679
685
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
680
686
|
return ssl_hs_error;
|
|
@@ -751,12 +757,6 @@ static enum ssl_hs_wait_t do_read_client_hello_after_ech(SSL_HANDSHAKE *hs) {
|
|
|
751
757
|
return ssl_hs_error;
|
|
752
758
|
}
|
|
753
759
|
|
|
754
|
-
if (hs->ech_present && hs->ech_is_inner_present) {
|
|
755
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
|
756
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
757
|
-
return ssl_hs_error;
|
|
758
|
-
}
|
|
759
|
-
|
|
760
760
|
hs->state = state12_select_certificate;
|
|
761
761
|
return ssl_hs_ok;
|
|
762
762
|
}
|
|
@@ -973,8 +973,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
|
|
|
973
973
|
}
|
|
974
974
|
|
|
975
975
|
static void copy_suffix(Span<uint8_t> out, Span<const uint8_t> in) {
|
|
976
|
-
out = out.
|
|
977
|
-
assert(out.size() == in.size());
|
|
976
|
+
out = out.last(in.size());
|
|
978
977
|
OPENSSL_memcpy(out.data(), in.data(), in.size());
|
|
979
978
|
}
|
|
980
979
|
|