grpc 1.65.0 → 1.65.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Makefile +1 -1
- data/src/core/client_channel/subchannel.cc +10 -7
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +3 -1
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +6 -6
- data/src/core/ext/transport/inproc/inproc_transport.cc +2 -2
- data/src/core/handshaker/http_connect/http_connect_handshaker.cc +2 -2
- data/src/core/handshaker/http_connect/http_proxy_mapper.cc +7 -10
- data/src/core/lib/compression/message_compress.cc +3 -3
- data/src/core/lib/event_engine/posix_engine/ev_epoll1_linux.cc +2 -1
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +3 -3
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +1 -1
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener_utils.cc +6 -6
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +12 -6
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.cc +3 -2
- data/src/core/lib/event_engine/windows/win_socket.cc +4 -2
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +5 -4
- data/src/core/lib/experiments/config.cc +11 -9
- data/src/core/lib/experiments/experiments.cc +1 -1
- data/src/core/lib/experiments/experiments.h +1 -2
- data/src/core/lib/gprpp/dual_ref_counted.h +30 -30
- data/src/core/lib/iomgr/endpoint_pair_windows.cc +4 -4
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -17
- data/src/core/lib/iomgr/socket_windows.cc +3 -3
- data/src/core/lib/iomgr/tcp_posix.cc +2 -2
- data/src/core/lib/iomgr/tcp_server_posix.cc +9 -12
- data/src/core/lib/iomgr/tcp_server_windows.cc +2 -2
- data/src/core/lib/promise/party.cc +4 -4
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +2 -2
- data/src/core/load_balancing/grpclb/grpclb.cc +14 -15
- data/src/core/server/server.cc +1 -1
- data/src/core/util/log.cc +10 -8
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +3 -5
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +7 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_linux.c +4 -1
- data/third_party/boringssl-with-bazel/src/crypto/cpu_intel.c +0 -15
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +7 -61
- data/third_party/boringssl-with-bazel/src/crypto/dilithium/dilithium.c +43 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +21 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +31 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +22 -10
- data/third_party/boringssl-with-bazel/src/crypto/kyber/kyber.c +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +6 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/experimental/dilithium.h +6 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/experimental/kyber.h +10 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +26 -12
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +83 -33
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -8
- data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +4 -4
- data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +14 -13
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +22 -16
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +15 -15
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +1 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +38 -27
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +59 -20
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +1 -1
- metadata +3 -3
@@ -1169,7 +1169,8 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
|
|
1169
1169
|
return ssl_hs_error;
|
1170
1170
|
}
|
1171
1171
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
1172
|
-
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm
|
1172
|
+
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,
|
1173
|
+
hs->peer_pubkey.get())) {
|
1173
1174
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
1174
1175
|
return ssl_hs_error;
|
1175
1176
|
}
|
@@ -1650,7 +1650,8 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
|
|
1650
1650
|
return ssl_hs_error;
|
1651
1651
|
}
|
1652
1652
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
1653
|
-
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm
|
1653
|
+
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,
|
1654
|
+
hs->peer_pubkey.get())) {
|
1654
1655
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
1655
1656
|
return ssl_hs_error;
|
1656
1657
|
}
|
@@ -1044,26 +1044,21 @@ size_t ssl_seal_align_prefix_len(const SSL *ssl);
|
|
1044
1044
|
bool tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
|
1045
1045
|
uint8_t type, const uint8_t *in, size_t in_len);
|
1046
1046
|
|
1047
|
-
enum dtls1_use_epoch_t {
|
1048
|
-
dtls1_use_previous_epoch,
|
1049
|
-
dtls1_use_current_epoch,
|
1050
|
-
};
|
1051
|
-
|
1052
1047
|
// dtls_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
|
1053
1048
|
// record.
|
1054
|
-
size_t dtls_max_seal_overhead(const SSL *ssl,
|
1049
|
+
size_t dtls_max_seal_overhead(const SSL *ssl, uint16_t epoch);
|
1055
1050
|
|
1056
1051
|
// dtls_seal_prefix_len returns the number of bytes of prefix to reserve in
|
1057
1052
|
// front of the plaintext when sealing a record in-place.
|
1058
|
-
size_t dtls_seal_prefix_len(const SSL *ssl,
|
1053
|
+
size_t dtls_seal_prefix_len(const SSL *ssl, uint16_t epoch);
|
1059
1054
|
|
1060
|
-
// dtls_seal_record implements |tls_seal_record| for DTLS. |
|
1061
|
-
//
|
1062
|
-
//
|
1055
|
+
// dtls_seal_record implements |tls_seal_record| for DTLS. |epoch| selects which
|
1056
|
+
// epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out| may
|
1057
|
+
// alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes
|
1063
1058
|
// ahead of |out|.
|
1064
1059
|
bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
|
1065
1060
|
uint8_t type, const uint8_t *in, size_t in_len,
|
1066
|
-
|
1061
|
+
uint16_t epoch);
|
1067
1062
|
|
1068
1063
|
// ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown
|
1069
1064
|
// state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|,
|
@@ -1094,7 +1089,7 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,
|
|
1094
1089
|
// ssl_pkey_supports_algorithm returns whether |pkey| may be used to sign
|
1095
1090
|
// |sigalg|.
|
1096
1091
|
bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
1097
|
-
uint16_t sigalg);
|
1092
|
+
uint16_t sigalg, bool is_verify);
|
1098
1093
|
|
1099
1094
|
// ssl_public_key_verify verifies that the |signature| is valid for the public
|
1100
1095
|
// key |pkey| and input |in|, using the signature algorithm |sigalg|.
|
@@ -2324,6 +2319,11 @@ bool ssl_is_valid_alpn_list(Span<const uint8_t> in);
|
|
2324
2319
|
bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,
|
2325
2320
|
Span<const uint8_t> protocol);
|
2326
2321
|
|
2322
|
+
// ssl_alpn_list_contains_protocol returns whether |list|, a serialized ALPN
|
2323
|
+
// protocol list, contains |protocol|.
|
2324
|
+
bool ssl_alpn_list_contains_protocol(Span<const uint8_t> list,
|
2325
|
+
Span<const uint8_t> protocol);
|
2326
|
+
|
2327
2327
|
// ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns
|
2328
2328
|
// true on successful negotiation or if nothing was negotiated. It returns false
|
2329
2329
|
// and sets |*out_alert| to an alert on error.
|
@@ -2449,10 +2449,10 @@ bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs,
|
|
2449
2449
|
bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out);
|
2450
2450
|
|
2451
2451
|
// tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer
|
2452
|
-
// signature
|
2452
|
+
// signature from |pkey|. It returns true on success and false on error, setting
|
2453
2453
|
// |*out_alert| to an alert to send.
|
2454
2454
|
bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
2455
|
-
uint16_t sigalg);
|
2455
|
+
uint16_t sigalg, EVP_PKEY *pkey);
|
2456
2456
|
|
2457
2457
|
|
2458
2458
|
// Underdocumented functions.
|
@@ -3374,7 +3374,7 @@ int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake,
|
|
3374
3374
|
// dtls1_write_record sends a record. It returns one on success and <= 0 on
|
3375
3375
|
// error.
|
3376
3376
|
int dtls1_write_record(SSL *ssl, int type, Span<const uint8_t> in,
|
3377
|
-
|
3377
|
+
uint16_t epoch);
|
3378
3378
|
|
3379
3379
|
int dtls1_retransmit_outgoing_messages(SSL *ssl);
|
3380
3380
|
bool dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr,
|
@@ -505,13 +505,9 @@ BSSL_NAMESPACE_END
|
|
505
505
|
|
506
506
|
using namespace bssl;
|
507
507
|
|
508
|
-
int SSL_library_init(void) {
|
509
|
-
CRYPTO_library_init();
|
510
|
-
return 1;
|
511
|
-
}
|
508
|
+
int SSL_library_init(void) { return 1; }
|
512
509
|
|
513
510
|
int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) {
|
514
|
-
CRYPTO_library_init();
|
515
511
|
return 1;
|
516
512
|
}
|
517
513
|
|
@@ -2286,34 +2282,49 @@ int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) {
|
|
2286
2282
|
int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer,
|
2287
2283
|
unsigned peer_len, const uint8_t *supported,
|
2288
2284
|
unsigned supported_len) {
|
2289
|
-
|
2290
|
-
|
2285
|
+
*out = nullptr;
|
2286
|
+
*out_len = 0;
|
2287
|
+
|
2288
|
+
// Both |peer| and |supported| must be valid protocol lists, but |peer| may be
|
2289
|
+
// empty in NPN.
|
2290
|
+
auto peer_span = MakeConstSpan(peer, peer_len);
|
2291
|
+
auto supported_span = MakeConstSpan(supported, supported_len);
|
2292
|
+
if ((!peer_span.empty() && !ssl_is_valid_alpn_list(peer_span)) ||
|
2293
|
+
!ssl_is_valid_alpn_list(supported_span)) {
|
2294
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2295
|
+
}
|
2291
2296
|
|
2292
2297
|
// For each protocol in peer preference order, see if we support it.
|
2293
|
-
|
2294
|
-
|
2295
|
-
|
2296
|
-
|
2297
|
-
|
2298
|
-
|
2299
|
-
|
2300
|
-
|
2301
|
-
|
2302
|
-
|
2303
|
-
|
2298
|
+
CBS cbs = peer_span, proto;
|
2299
|
+
while (CBS_len(&cbs) != 0) {
|
2300
|
+
if (!CBS_get_u8_length_prefixed(&cbs, &proto) || CBS_len(&proto) == 0) {
|
2301
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2302
|
+
}
|
2303
|
+
|
2304
|
+
if (ssl_alpn_list_contains_protocol(MakeConstSpan(supported, supported_len),
|
2305
|
+
proto)) {
|
2306
|
+
// This function is not const-correct for compatibility with existing
|
2307
|
+
// callers.
|
2308
|
+
*out = const_cast<uint8_t *>(CBS_data(&proto));
|
2309
|
+
// A u8 length prefix will fit in |uint8_t|.
|
2310
|
+
*out_len = static_cast<uint8_t>(CBS_len(&proto));
|
2311
|
+
return OPENSSL_NPN_NEGOTIATED;
|
2304
2312
|
}
|
2305
|
-
i += peer[i];
|
2306
|
-
i++;
|
2307
2313
|
}
|
2308
2314
|
|
2309
|
-
// There's no overlap between our protocols and the peer's list.
|
2310
|
-
|
2311
|
-
|
2315
|
+
// There's no overlap between our protocols and the peer's list. In ALPN, the
|
2316
|
+
// caller is expected to fail the connection with no_application_protocol. In
|
2317
|
+
// NPN, the caller is expected to opportunistically select the first protocol.
|
2318
|
+
// See draft-agl-tls-nextprotoneg-04, section 6.
|
2319
|
+
cbs = supported_span;
|
2320
|
+
if (!CBS_get_u8_length_prefixed(&cbs, &proto) || CBS_len(&proto) == 0) {
|
2321
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2322
|
+
}
|
2312
2323
|
|
2313
|
-
|
2314
|
-
*out =
|
2315
|
-
*out_len =
|
2316
|
-
return
|
2324
|
+
// See above.
|
2325
|
+
*out = const_cast<uint8_t *>(CBS_data(&proto));
|
2326
|
+
*out_len = static_cast<uint8_t>(CBS_len(&proto));
|
2327
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2317
2328
|
}
|
2318
2329
|
|
2319
2330
|
void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data,
|
@@ -85,29 +85,61 @@ typedef struct {
|
|
85
85
|
int curve;
|
86
86
|
const EVP_MD *(*digest_func)(void);
|
87
87
|
bool is_rsa_pss;
|
88
|
+
bool tls12_ok;
|
89
|
+
bool tls13_ok;
|
90
|
+
bool client_only;
|
88
91
|
} SSL_SIGNATURE_ALGORITHM;
|
89
92
|
|
90
93
|
static const SSL_SIGNATURE_ALGORITHM kSignatureAlgorithms[] = {
|
94
|
+
// PKCS#1 v1.5 code points are only allowed in TLS 1.2.
|
91
95
|
{SSL_SIGN_RSA_PKCS1_MD5_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_md5_sha1,
|
92
|
-
false
|
93
|
-
|
94
|
-
{
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
{
|
101
|
-
|
102
|
-
|
96
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
97
|
+
/*client_only=*/false},
|
98
|
+
{SSL_SIGN_RSA_PKCS1_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_sha1,
|
99
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
100
|
+
/*client_only=*/false},
|
101
|
+
{SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
|
102
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
103
|
+
/*client_only=*/false},
|
104
|
+
{SSL_SIGN_RSA_PKCS1_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384,
|
105
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
106
|
+
/*client_only=*/false},
|
107
|
+
{SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512,
|
108
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
109
|
+
/*client_only=*/false},
|
110
|
+
|
111
|
+
// Legacy PKCS#1 v1.5 code points are only allowed in TLS 1.3 and
|
112
|
+
// client-only. See draft-ietf-tls-tls13-pkcs1-00.
|
113
|
+
{SSL_SIGN_RSA_PKCS1_SHA256_LEGACY, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
|
114
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/false, /*tls13_ok=*/true,
|
115
|
+
/*client_only=*/true},
|
116
|
+
|
117
|
+
{SSL_SIGN_RSA_PSS_RSAE_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
|
118
|
+
/*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
119
|
+
/*client_only=*/false},
|
120
|
+
{SSL_SIGN_RSA_PSS_RSAE_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384,
|
121
|
+
/*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
122
|
+
/*client_only=*/false},
|
123
|
+
{SSL_SIGN_RSA_PSS_RSAE_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512,
|
124
|
+
/*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
125
|
+
/*client_only=*/false},
|
126
|
+
|
127
|
+
{SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1,
|
128
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
129
|
+
/*client_only=*/false},
|
103
130
|
{SSL_SIGN_ECDSA_SECP256R1_SHA256, EVP_PKEY_EC, NID_X9_62_prime256v1,
|
104
|
-
&EVP_sha256, false
|
131
|
+
&EVP_sha256, /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
132
|
+
/*client_only=*/false},
|
105
133
|
{SSL_SIGN_ECDSA_SECP384R1_SHA384, EVP_PKEY_EC, NID_secp384r1, &EVP_sha384,
|
106
|
-
false
|
134
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
135
|
+
/*client_only=*/false},
|
107
136
|
{SSL_SIGN_ECDSA_SECP521R1_SHA512, EVP_PKEY_EC, NID_secp521r1, &EVP_sha512,
|
108
|
-
false
|
137
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
138
|
+
/*client_only=*/false},
|
109
139
|
|
110
|
-
{SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, nullptr,
|
140
|
+
{SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, nullptr,
|
141
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
142
|
+
/*client_only=*/false},
|
111
143
|
};
|
112
144
|
|
113
145
|
static const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) {
|
@@ -120,7 +152,7 @@ static const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) {
|
|
120
152
|
}
|
121
153
|
|
122
154
|
bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
123
|
-
uint16_t sigalg) {
|
155
|
+
uint16_t sigalg, bool is_verify) {
|
124
156
|
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
|
125
157
|
if (alg == NULL || EVP_PKEY_id(pkey) != alg->pkey_type) {
|
126
158
|
return false;
|
@@ -152,8 +184,12 @@ bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
|
152
184
|
}
|
153
185
|
|
154
186
|
if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
|
155
|
-
|
156
|
-
|
187
|
+
if (!alg->tls13_ok) {
|
188
|
+
return false;
|
189
|
+
}
|
190
|
+
|
191
|
+
bool is_client_sign = ssl->server == is_verify;
|
192
|
+
if (alg->client_only && !is_client_sign) {
|
157
193
|
return false;
|
158
194
|
}
|
159
195
|
|
@@ -164,6 +200,8 @@ bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
|
164
200
|
EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey))) != alg->curve)) {
|
165
201
|
return false;
|
166
202
|
}
|
203
|
+
} else if (!alg->tls12_ok) {
|
204
|
+
return false;
|
167
205
|
}
|
168
206
|
|
169
207
|
return true;
|
@@ -171,7 +209,7 @@ bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
|
171
209
|
|
172
210
|
static bool setup_ctx(SSL *ssl, EVP_MD_CTX *ctx, EVP_PKEY *pkey,
|
173
211
|
uint16_t sigalg, bool is_verify) {
|
174
|
-
if (!ssl_pkey_supports_algorithm(ssl, pkey, sigalg)) {
|
212
|
+
if (!ssl_pkey_supports_algorithm(ssl, pkey, sigalg, is_verify)) {
|
175
213
|
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
|
176
214
|
return false;
|
177
215
|
}
|
@@ -448,7 +486,7 @@ void SSL_CTX_set_private_key_method(SSL_CTX *ctx,
|
|
448
486
|
ctx->cert->default_credential.get(), key_method));
|
449
487
|
}
|
450
488
|
|
451
|
-
static constexpr size_t kMaxSignatureAlgorithmNameLen =
|
489
|
+
static constexpr size_t kMaxSignatureAlgorithmNameLen = 24;
|
452
490
|
|
453
491
|
struct SignatureAlgorithmName {
|
454
492
|
uint16_t signature_algorithm;
|
@@ -461,6 +499,7 @@ static const SignatureAlgorithmName kSignatureAlgorithmNames[] = {
|
|
461
499
|
{SSL_SIGN_RSA_PKCS1_MD5_SHA1, "rsa_pkcs1_md5_sha1"},
|
462
500
|
{SSL_SIGN_RSA_PKCS1_SHA1, "rsa_pkcs1_sha1"},
|
463
501
|
{SSL_SIGN_RSA_PKCS1_SHA256, "rsa_pkcs1_sha256"},
|
502
|
+
{SSL_SIGN_RSA_PKCS1_SHA256_LEGACY, "rsa_pkcs1_sha256_legacy"},
|
464
503
|
{SSL_SIGN_RSA_PKCS1_SHA384, "rsa_pkcs1_sha384"},
|
465
504
|
{SSL_SIGN_RSA_PKCS1_SHA512, "rsa_pkcs1_sha512"},
|
466
505
|
{SSL_SIGN_ECDSA_SHA1, "ecdsa_sha1"},
|
@@ -142,7 +142,7 @@ static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
|
|
142
142
|
uint16_t version) {
|
143
143
|
// Zero is interpreted as the default minimum version.
|
144
144
|
if (version == 0) {
|
145
|
-
*out = method->is_dtls ?
|
145
|
+
*out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;
|
146
146
|
return true;
|
147
147
|
}
|
148
148
|
|
@@ -335,7 +335,8 @@ bool tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg)
|
|
335
335
|
}
|
336
336
|
|
337
337
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
338
|
-
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm
|
338
|
+
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,
|
339
|
+
hs->peer_pubkey.get())) {
|
339
340
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
340
341
|
return false;
|
341
342
|
}
|
@@ -606,7 +606,7 @@ using namespace bssl;
|
|
606
606
|
|
607
607
|
size_t SSL_max_seal_overhead(const SSL *ssl) {
|
608
608
|
if (SSL_is_dtls(ssl)) {
|
609
|
-
return dtls_max_seal_overhead(ssl,
|
609
|
+
return dtls_max_seal_overhead(ssl, ssl->d1->w_epoch);
|
610
610
|
}
|
611
611
|
|
612
612
|
size_t ret = SSL3_RT_HEADER_LENGTH;
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: grpc
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.65.
|
4
|
+
version: 1.65.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- gRPC Authors
|
8
8
|
autorequire:
|
9
9
|
bindir: src/ruby/bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-07-26 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: google-protobuf
|
@@ -3581,7 +3581,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
3581
3581
|
- !ruby/object:Gem::Version
|
3582
3582
|
version: '0'
|
3583
3583
|
requirements: []
|
3584
|
-
rubygems_version: 3.5.
|
3584
|
+
rubygems_version: 3.5.16
|
3585
3585
|
signing_key:
|
3586
3586
|
specification_version: 4
|
3587
3587
|
summary: GRPC system in Ruby
|