grpc 1.41.0 → 1.41.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +4 -3
- data/etc/roots.pem +335 -326
- data/src/ruby/ext/grpc/extconf.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/err_data.c +278 -272
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +15 -22
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +13 -7
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +19 -29
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/a_strex.c +268 -271
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +6 -43
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +0 -39
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/charmap.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +289 -198
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +9 -13
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -17
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +9 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +45 -65
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +21 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +5 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +10 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +24 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +12 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +0 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +0 -8
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/internal.h +16 -7
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7.c +9 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +151 -12
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +181 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +246 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +11 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +0 -179
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +0 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +11 -50
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +0 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +22 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_int.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +24 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +17 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +112 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +71 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +304 -192
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +2 -9
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +5 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +3 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +9 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +8 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/hkdf.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +9 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -20
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +12 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +37 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +26 -12
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +31 -32
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +50 -76
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +0 -131
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +48 -8
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +266 -357
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +90 -152
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +15 -13
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +75 -79
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +96 -97
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +63 -43
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +6 -12
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +14 -16
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +14 -27
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +203 -203
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +30 -41
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +47 -33
- metadata +39 -38
|
@@ -489,8 +489,8 @@ bool tls13_write_psk_binder(const SSL_HANDSHAKE *hs,
|
|
|
489
489
|
return false;
|
|
490
490
|
}
|
|
491
491
|
|
|
492
|
-
|
|
493
|
-
|
|
492
|
+
auto msg_binder = msg.last(verify_data_len);
|
|
493
|
+
OPENSSL_memcpy(msg_binder.data(), verify_data, verify_data_len);
|
|
494
494
|
if (out_binder_len != nullptr) {
|
|
495
495
|
*out_binder_len = verify_data_len;
|
|
496
496
|
}
|
|
@@ -537,57 +537,46 @@ size_t ssl_ech_confirmation_signal_hello_offset(const SSL *ssl) {
|
|
|
537
537
|
ECH_CONFIRMATION_SIGNAL_LEN;
|
|
538
538
|
}
|
|
539
539
|
|
|
540
|
-
bool ssl_ech_accept_confirmation(
|
|
541
|
-
|
|
542
|
-
|
|
543
|
-
|
|
544
|
-
//
|
|
545
|
-
|
|
546
|
-
|
|
547
|
-
|
|
548
|
-
if (
|
|
540
|
+
bool ssl_ech_accept_confirmation(const SSL_HANDSHAKE *hs, Span<uint8_t> out,
|
|
541
|
+
Span<const uint8_t> client_random,
|
|
542
|
+
const SSLTranscript &transcript, bool is_hrr,
|
|
543
|
+
Span<const uint8_t> msg, size_t offset) {
|
|
544
|
+
// See draft-ietf-tls-esni-13, sections 7.2 and 7.2.1.
|
|
545
|
+
static const uint8_t kZeros[EVP_MAX_MD_SIZE] = {0};
|
|
546
|
+
|
|
547
|
+
// We hash |msg|, with bytes from |offset| zeroed.
|
|
548
|
+
if (msg.size() < offset + ECH_CONFIRMATION_SIGNAL_LEN) {
|
|
549
549
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
550
550
|
return false;
|
|
551
551
|
}
|
|
552
552
|
|
|
553
|
-
auto
|
|
554
|
-
auto
|
|
555
|
-
|
|
556
|
-
|
|
557
|
-
unsigned context_hash_len;
|
|
553
|
+
auto before_zeros = msg.subspan(0, offset);
|
|
554
|
+
auto after_zeros = msg.subspan(offset + ECH_CONFIRMATION_SIGNAL_LEN);
|
|
555
|
+
uint8_t context[EVP_MAX_MD_SIZE];
|
|
556
|
+
unsigned context_len;
|
|
558
557
|
ScopedEVP_MD_CTX ctx;
|
|
559
558
|
if (!transcript.CopyToHashContext(ctx.get(), transcript.Digest()) ||
|
|
560
|
-
!EVP_DigestUpdate(ctx.get(),
|
|
561
|
-
|
|
562
|
-
!EVP_DigestUpdate(ctx.get(),
|
|
563
|
-
!
|
|
564
|
-
!EVP_DigestFinal_ex(ctx.get(), context_hash, &context_hash_len)) {
|
|
559
|
+
!EVP_DigestUpdate(ctx.get(), before_zeros.data(), before_zeros.size()) ||
|
|
560
|
+
!EVP_DigestUpdate(ctx.get(), kZeros, ECH_CONFIRMATION_SIGNAL_LEN) ||
|
|
561
|
+
!EVP_DigestUpdate(ctx.get(), after_zeros.data(), after_zeros.size()) ||
|
|
562
|
+
!EVP_DigestFinal_ex(ctx.get(), context, &context_len)) {
|
|
565
563
|
return false;
|
|
566
564
|
}
|
|
567
565
|
|
|
568
|
-
|
|
569
|
-
|
|
570
|
-
|
|
571
|
-
|
|
572
|
-
|
|
573
|
-
// TODO(https://crbug.com/boringssl/275): draft-11 will avoid this.
|
|
574
|
-
uint8_t accept_confirmation_buf[EVP_MAX_MD_SIZE];
|
|
575
|
-
bssl::Span<uint8_t> accept_confirmation =
|
|
576
|
-
MakeSpan(accept_confirmation_buf, transcript.DigestLen());
|
|
577
|
-
if (!hkdf_expand_label(accept_confirmation, transcript.Digest(),
|
|
578
|
-
hs->secret(), label_to_span("ech accept confirmation"),
|
|
579
|
-
MakeConstSpan(context_hash, context_hash_len))) {
|
|
566
|
+
uint8_t secret[EVP_MAX_MD_SIZE];
|
|
567
|
+
size_t secret_len;
|
|
568
|
+
if (!HKDF_extract(secret, &secret_len, transcript.Digest(),
|
|
569
|
+
client_random.data(), client_random.size(), kZeros,
|
|
570
|
+
transcript.DigestLen())) {
|
|
580
571
|
return false;
|
|
581
572
|
}
|
|
582
573
|
|
|
583
|
-
|
|
584
|
-
|
|
585
|
-
|
|
586
|
-
|
|
587
|
-
|
|
588
|
-
|
|
589
|
-
OPENSSL_memcpy(out.data(), accept_confirmation.data(), out.size());
|
|
590
|
-
return true;
|
|
574
|
+
assert(out.size() == ECH_CONFIRMATION_SIGNAL_LEN);
|
|
575
|
+
return hkdf_expand_label(out, transcript.Digest(),
|
|
576
|
+
MakeConstSpan(secret, secret_len),
|
|
577
|
+
is_hrr ? label_to_span("hrr ech accept confirmation")
|
|
578
|
+
: label_to_span("ech accept confirmation"),
|
|
579
|
+
MakeConstSpan(context, context_len));
|
|
591
580
|
}
|
|
592
581
|
|
|
593
582
|
BSSL_NAMESPACE_END
|
|
@@ -246,8 +246,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
|
|
|
246
246
|
return ssl_hs_error;
|
|
247
247
|
}
|
|
248
248
|
|
|
249
|
-
// The PRF hash is now known.
|
|
250
|
-
// ClientHello.
|
|
249
|
+
// The PRF hash is now known.
|
|
251
250
|
if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) {
|
|
252
251
|
return ssl_hs_error;
|
|
253
252
|
}
|
|
@@ -270,7 +269,7 @@ static enum ssl_ticket_aead_result_t select_session(
|
|
|
270
269
|
return ssl_ticket_aead_ignore_ticket;
|
|
271
270
|
}
|
|
272
271
|
|
|
273
|
-
// Per
|
|
272
|
+
// Per RFC 8446, section 4.2.9, servers MUST abort the handshake if the client
|
|
274
273
|
// sends pre_shared_key without psk_key_exchange_modes.
|
|
275
274
|
CBS unused;
|
|
276
275
|
if (!ssl_client_hello_get_extension(client_hello, &unused,
|
|
@@ -571,12 +570,34 @@ static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
|
|
|
571
570
|
!CBB_add_u16(&extensions, ssl->version) ||
|
|
572
571
|
!CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) ||
|
|
573
572
|
!CBB_add_u16(&extensions, 2 /* length */) ||
|
|
574
|
-
!CBB_add_u16(&extensions, group_id)
|
|
575
|
-
!ssl_add_message_cbb(ssl, cbb.get())) {
|
|
573
|
+
!CBB_add_u16(&extensions, group_id)) {
|
|
576
574
|
return ssl_hs_error;
|
|
577
575
|
}
|
|
576
|
+
if (hs->ech_is_inner) {
|
|
577
|
+
// Fill a placeholder for the ECH confirmation value.
|
|
578
|
+
if (!CBB_add_u16(&extensions, TLSEXT_TYPE_encrypted_client_hello) ||
|
|
579
|
+
!CBB_add_u16(&extensions, ECH_CONFIRMATION_SIGNAL_LEN) ||
|
|
580
|
+
!CBB_add_zeros(&extensions, ECH_CONFIRMATION_SIGNAL_LEN)) {
|
|
581
|
+
return ssl_hs_error;
|
|
582
|
+
}
|
|
583
|
+
}
|
|
584
|
+
Array<uint8_t> hrr;
|
|
585
|
+
if (!ssl->method->finish_message(ssl, cbb.get(), &hrr)) {
|
|
586
|
+
return ssl_hs_error;
|
|
587
|
+
}
|
|
588
|
+
if (hs->ech_is_inner) {
|
|
589
|
+
// Now that the message is encoded, fill in the whole value.
|
|
590
|
+
size_t offset = hrr.size() - ECH_CONFIRMATION_SIGNAL_LEN;
|
|
591
|
+
if (!ssl_ech_accept_confirmation(
|
|
592
|
+
hs, MakeSpan(hrr).last(ECH_CONFIRMATION_SIGNAL_LEN),
|
|
593
|
+
ssl->s3->client_random, hs->transcript, /*is_hrr=*/true, hrr,
|
|
594
|
+
offset)) {
|
|
595
|
+
return ssl_hs_error;
|
|
596
|
+
}
|
|
597
|
+
}
|
|
578
598
|
|
|
579
|
-
if (!ssl->method->
|
|
599
|
+
if (!ssl->method->add_message(ssl, std::move(hrr)) ||
|
|
600
|
+
!ssl->method->add_change_cipher_spec(ssl)) {
|
|
580
601
|
return ssl_hs_error;
|
|
581
602
|
}
|
|
582
603
|
|
|
@@ -602,8 +623,8 @@ static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
|
|
|
602
623
|
}
|
|
603
624
|
|
|
604
625
|
if (ssl->s3->ech_status == ssl_ech_accepted) {
|
|
605
|
-
// If we previously accepted the ClientHelloInner,
|
|
606
|
-
//
|
|
626
|
+
// If we previously accepted the ClientHelloInner, the second ClientHello
|
|
627
|
+
// must contain an outer encrypted_client_hello extension.
|
|
607
628
|
CBS ech_body;
|
|
608
629
|
if (!ssl_client_hello_get_extension(&client_hello, &ech_body,
|
|
609
630
|
TLSEXT_TYPE_encrypted_client_hello)) {
|
|
@@ -611,12 +632,12 @@ static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
|
|
|
611
632
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
|
|
612
633
|
return ssl_hs_error;
|
|
613
634
|
}
|
|
614
|
-
|
|
615
|
-
// Parse a ClientECH out of the extension body.
|
|
616
635
|
uint16_t kdf_id, aead_id;
|
|
617
|
-
uint8_t config_id;
|
|
636
|
+
uint8_t type, config_id;
|
|
618
637
|
CBS enc, payload;
|
|
619
|
-
if (!
|
|
638
|
+
if (!CBS_get_u8(&ech_body, &type) || //
|
|
639
|
+
type != ECH_CLIENT_OUTER || //
|
|
640
|
+
!CBS_get_u16(&ech_body, &kdf_id) || //
|
|
620
641
|
!CBS_get_u16(&ech_body, &aead_id) ||
|
|
621
642
|
!CBS_get_u8(&ech_body, &config_id) ||
|
|
622
643
|
!CBS_get_u16_length_prefixed(&ech_body, &enc) ||
|
|
@@ -627,8 +648,6 @@ static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
|
|
|
627
648
|
return ssl_hs_error;
|
|
628
649
|
}
|
|
629
650
|
|
|
630
|
-
// Check that ClientECH.cipher_suite is unchanged and that
|
|
631
|
-
// ClientECH.enc is empty.
|
|
632
651
|
if (kdf_id != EVP_HPKE_KDF_id(EVP_HPKE_CTX_kdf(hs->ech_hpke_ctx.get())) ||
|
|
633
652
|
aead_id !=
|
|
634
653
|
EVP_HPKE_AEAD_id(EVP_HPKE_CTX_aead(hs->ech_hpke_ctx.get())) ||
|
|
@@ -641,9 +660,9 @@ static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
|
|
|
641
660
|
// Decrypt the payload with the HPKE context from the first ClientHello.
|
|
642
661
|
Array<uint8_t> encoded_client_hello_inner;
|
|
643
662
|
bool unused;
|
|
644
|
-
if (!ssl_client_hello_decrypt(
|
|
645
|
-
|
|
646
|
-
|
|
663
|
+
if (!ssl_client_hello_decrypt(hs->ech_hpke_ctx.get(),
|
|
664
|
+
&encoded_client_hello_inner, &unused,
|
|
665
|
+
&client_hello, payload)) {
|
|
647
666
|
// Decryption failure is fatal in the second ClientHello.
|
|
648
667
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
|
|
649
668
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
|
|
@@ -761,18 +780,18 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
|
|
|
761
780
|
return ssl_hs_error;
|
|
762
781
|
}
|
|
763
782
|
|
|
764
|
-
assert(ssl->s3->ech_status != ssl_ech_accepted || hs->
|
|
765
|
-
if (hs->
|
|
783
|
+
assert(ssl->s3->ech_status != ssl_ech_accepted || hs->ech_is_inner);
|
|
784
|
+
if (hs->ech_is_inner) {
|
|
766
785
|
// Fill in the ECH confirmation signal.
|
|
767
|
-
|
|
768
|
-
|
|
769
|
-
if (!ssl_ech_accept_confirmation(hs, random_suffix,
|
|
770
|
-
|
|
786
|
+
const size_t offset = ssl_ech_confirmation_signal_hello_offset(ssl);
|
|
787
|
+
Span<uint8_t> random_suffix = random.last(ECH_CONFIRMATION_SIGNAL_LEN);
|
|
788
|
+
if (!ssl_ech_accept_confirmation(hs, random_suffix, ssl->s3->client_random,
|
|
789
|
+
hs->transcript,
|
|
790
|
+
/*is_hrr=*/false, server_hello, offset)) {
|
|
771
791
|
return ssl_hs_error;
|
|
772
792
|
}
|
|
773
793
|
|
|
774
794
|
// Update |server_hello|.
|
|
775
|
-
const size_t offset = ssl_ech_confirmation_signal_hello_offset(ssl);
|
|
776
795
|
Span<uint8_t> server_hello_out =
|
|
777
796
|
MakeSpan(server_hello).subspan(offset, ECH_CONFIRMATION_SIGNAL_LEN);
|
|
778
797
|
OPENSSL_memcpy(server_hello_out.data(), random_suffix.data(),
|
|
@@ -1041,20 +1060,15 @@ static enum ssl_hs_wait_t do_read_client_encrypted_extensions(
|
|
|
1041
1060
|
return ssl_hs_error;
|
|
1042
1061
|
}
|
|
1043
1062
|
|
|
1044
|
-
|
|
1045
|
-
bool have_application_settings = false;
|
|
1046
|
-
CBS application_settings;
|
|
1047
|
-
SSL_EXTENSION_TYPE ext_types[] = {{TLSEXT_TYPE_application_settings,
|
|
1048
|
-
&have_application_settings,
|
|
1049
|
-
&application_settings}};
|
|
1063
|
+
SSLExtension application_settings(TLSEXT_TYPE_application_settings);
|
|
1050
1064
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
|
1051
|
-
if (!ssl_parse_extensions(&extensions, &alert,
|
|
1065
|
+
if (!ssl_parse_extensions(&extensions, &alert, {&application_settings},
|
|
1052
1066
|
/*ignore_unknown=*/false)) {
|
|
1053
1067
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
1054
1068
|
return ssl_hs_error;
|
|
1055
1069
|
}
|
|
1056
1070
|
|
|
1057
|
-
if (!
|
|
1071
|
+
if (!application_settings.present) {
|
|
1058
1072
|
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
|
|
1059
1073
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
|
|
1060
1074
|
return ssl_hs_error;
|
|
@@ -1063,7 +1077,7 @@ static enum ssl_hs_wait_t do_read_client_encrypted_extensions(
|
|
|
1063
1077
|
// Note that, if 0-RTT was accepted, these values will already have been
|
|
1064
1078
|
// initialized earlier.
|
|
1065
1079
|
if (!hs->new_session->peer_application_settings.CopyFrom(
|
|
1066
|
-
application_settings) ||
|
|
1080
|
+
application_settings.data) ||
|
|
1067
1081
|
!ssl_hash_message(hs, msg)) {
|
|
1068
1082
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
|
1069
1083
|
return ssl_hs_error;
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: grpc
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.41.
|
|
4
|
+
version: 1.41.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- gRPC Authors
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: src/ruby/bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-10-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: google-protobuf
|
|
@@ -1835,6 +1835,7 @@ files:
|
|
|
1835
1835
|
- third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c
|
|
1836
1836
|
- third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c
|
|
1837
1837
|
- third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c
|
|
1838
|
+
- third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c
|
|
1838
1839
|
- third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c
|
|
1839
1840
|
- third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c
|
|
1840
1841
|
- third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c
|
|
@@ -1843,6 +1844,7 @@ files:
|
|
|
1843
1844
|
- third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c
|
|
1844
1845
|
- third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c
|
|
1845
1846
|
- third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c
|
|
1847
|
+
- third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h
|
|
1846
1848
|
- third_party/boringssl-with-bazel/src/crypto/asn1/f_enum.c
|
|
1847
1849
|
- third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c
|
|
1848
1850
|
- third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c
|
|
@@ -2093,15 +2095,14 @@ files:
|
|
|
2093
2095
|
- third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c
|
|
2094
2096
|
- third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c
|
|
2095
2097
|
- third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c
|
|
2096
|
-
- third_party/boringssl-with-bazel/src/crypto/x509/a_strex.c
|
|
2097
2098
|
- third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c
|
|
2098
2099
|
- third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c
|
|
2099
2100
|
- third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c
|
|
2100
2101
|
- third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c
|
|
2101
2102
|
- third_party/boringssl-with-bazel/src/crypto/x509/by_file.c
|
|
2102
|
-
- third_party/boringssl-with-bazel/src/crypto/x509/charmap.h
|
|
2103
2103
|
- third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c
|
|
2104
2104
|
- third_party/boringssl-with-bazel/src/crypto/x509/internal.h
|
|
2105
|
+
- third_party/boringssl-with-bazel/src/crypto/x509/name_print.c
|
|
2105
2106
|
- third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c
|
|
2106
2107
|
- third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c
|
|
2107
2108
|
- third_party/boringssl-with-bazel/src/crypto/x509/t_req.c
|
|
@@ -2496,51 +2497,51 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
2496
2497
|
- !ruby/object:Gem::Version
|
|
2497
2498
|
version: '0'
|
|
2498
2499
|
requirements: []
|
|
2499
|
-
rubygems_version: 3.2.
|
|
2500
|
+
rubygems_version: 3.2.29
|
|
2500
2501
|
signing_key:
|
|
2501
2502
|
specification_version: 4
|
|
2502
2503
|
summary: GRPC system in Ruby
|
|
2503
2504
|
test_files:
|
|
2505
|
+
- src/ruby/spec/client_server_spec.rb
|
|
2506
|
+
- src/ruby/spec/errors_spec.rb
|
|
2507
|
+
- src/ruby/spec/support/services.rb
|
|
2508
|
+
- src/ruby/spec/support/helpers.rb
|
|
2509
|
+
- src/ruby/spec/compression_options_spec.rb
|
|
2510
|
+
- src/ruby/spec/time_consts_spec.rb
|
|
2511
|
+
- src/ruby/spec/spec_helper.rb
|
|
2512
|
+
- src/ruby/spec/channel_connection_spec.rb
|
|
2513
|
+
- src/ruby/spec/debug_message_spec.rb
|
|
2514
|
+
- src/ruby/spec/call_credentials_spec.rb
|
|
2515
|
+
- src/ruby/spec/generic/interceptor_registry_spec.rb
|
|
2516
|
+
- src/ruby/spec/generic/rpc_desc_spec.rb
|
|
2517
|
+
- src/ruby/spec/generic/service_spec.rb
|
|
2518
|
+
- src/ruby/spec/generic/server_interceptors_spec.rb
|
|
2519
|
+
- src/ruby/spec/generic/client_stub_spec.rb
|
|
2520
|
+
- src/ruby/spec/generic/rpc_server_pool_spec.rb
|
|
2521
|
+
- src/ruby/spec/generic/active_call_spec.rb
|
|
2522
|
+
- src/ruby/spec/generic/rpc_server_spec.rb
|
|
2523
|
+
- src/ruby/spec/generic/client_interceptors_spec.rb
|
|
2524
|
+
- src/ruby/spec/google_rpc_status_utils_spec.rb
|
|
2504
2525
|
- src/ruby/spec/pb/duplicate/codegen_spec.rb
|
|
2505
|
-
- src/ruby/spec/pb/codegen/
|
|
2526
|
+
- src/ruby/spec/pb/codegen/package_option_spec.rb
|
|
2506
2527
|
- src/ruby/spec/pb/codegen/grpc/testing/same_ruby_package_service_name.proto
|
|
2507
|
-
- src/ruby/spec/pb/codegen/grpc/testing/
|
|
2508
|
-
- src/ruby/spec/pb/codegen/grpc/testing/same_package_service_name.proto
|
|
2528
|
+
- src/ruby/spec/pb/codegen/grpc/testing/package_options_import.proto
|
|
2509
2529
|
- src/ruby/spec/pb/codegen/grpc/testing/package_options_import2.proto
|
|
2530
|
+
- src/ruby/spec/pb/codegen/grpc/testing/same_package_service_name.proto
|
|
2531
|
+
- src/ruby/spec/pb/codegen/grpc/testing/package_options_ruby_style.proto
|
|
2510
2532
|
- src/ruby/spec/pb/codegen/grpc/testing/package_options.proto
|
|
2511
|
-
- src/ruby/spec/pb/codegen/package_option_spec.rb
|
|
2512
2533
|
- src/ruby/spec/pb/health/checker_spec.rb
|
|
2513
|
-
- src/ruby/spec/
|
|
2514
|
-
- src/ruby/spec/call_credentials_spec.rb
|
|
2515
|
-
- src/ruby/spec/channel_connection_spec.rb
|
|
2534
|
+
- src/ruby/spec/channel_spec.rb
|
|
2516
2535
|
- src/ruby/spec/user_agent_spec.rb
|
|
2517
|
-
- src/ruby/spec/
|
|
2518
|
-
- src/ruby/spec/
|
|
2519
|
-
- src/ruby/spec/support/helpers.rb
|
|
2520
|
-
- src/ruby/spec/support/services.rb
|
|
2536
|
+
- src/ruby/spec/server_credentials_spec.rb
|
|
2537
|
+
- src/ruby/spec/error_sanity_spec.rb
|
|
2521
2538
|
- src/ruby/spec/channel_credentials_spec.rb
|
|
2522
|
-
- src/ruby/spec/
|
|
2523
|
-
- src/ruby/spec/
|
|
2524
|
-
- src/ruby/spec/
|
|
2525
|
-
- src/ruby/spec/generic/active_call_spec.rb
|
|
2526
|
-
- src/ruby/spec/generic/rpc_server_spec.rb
|
|
2527
|
-
- src/ruby/spec/generic/server_interceptors_spec.rb
|
|
2528
|
-
- src/ruby/spec/generic/rpc_desc_spec.rb
|
|
2529
|
-
- src/ruby/spec/generic/interceptor_registry_spec.rb
|
|
2530
|
-
- src/ruby/spec/generic/service_spec.rb
|
|
2531
|
-
- src/ruby/spec/generic/client_interceptors_spec.rb
|
|
2532
|
-
- src/ruby/spec/generic/rpc_server_pool_spec.rb
|
|
2533
|
-
- src/ruby/spec/generic/client_stub_spec.rb
|
|
2534
|
-
- src/ruby/spec/spec_helper.rb
|
|
2535
|
-
- src/ruby/spec/testdata/server1.key
|
|
2536
|
-
- src/ruby/spec/testdata/client.pem
|
|
2539
|
+
- src/ruby/spec/client_auth_spec.rb
|
|
2540
|
+
- src/ruby/spec/server_spec.rb
|
|
2541
|
+
- src/ruby/spec/call_spec.rb
|
|
2537
2542
|
- src/ruby/spec/testdata/README
|
|
2538
2543
|
- src/ruby/spec/testdata/server1.pem
|
|
2539
|
-
- src/ruby/spec/testdata/
|
|
2544
|
+
- src/ruby/spec/testdata/server1.key
|
|
2545
|
+
- src/ruby/spec/testdata/client.pem
|
|
2540
2546
|
- src/ruby/spec/testdata/ca.pem
|
|
2541
|
-
- src/ruby/spec/
|
|
2542
|
-
- src/ruby/spec/error_sanity_spec.rb
|
|
2543
|
-
- src/ruby/spec/server_credentials_spec.rb
|
|
2544
|
-
- src/ruby/spec/client_auth_spec.rb
|
|
2545
|
-
- src/ruby/spec/compression_options_spec.rb
|
|
2546
|
-
- src/ruby/spec/debug_message_spec.rb
|
|
2547
|
+
- src/ruby/spec/testdata/client.key
|