grpc 1.65.0 → 1.65.2
- checksums.yaml +4 -4
- data/Makefile +1 -1
- data/src/core/client_channel/subchannel.cc +10 -7
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +3 -1
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +6 -6
- data/src/core/ext/transport/inproc/inproc_transport.cc +2 -2
- data/src/core/handshaker/http_connect/http_connect_handshaker.cc +2 -2
- data/src/core/handshaker/http_connect/http_proxy_mapper.cc +7 -10
- data/src/core/lib/compression/message_compress.cc +3 -3
- data/src/core/lib/event_engine/posix_engine/ev_epoll1_linux.cc +2 -1
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +3 -3
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +1 -1
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener_utils.cc +6 -6
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +12 -6
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.cc +3 -2
- data/src/core/lib/event_engine/windows/win_socket.cc +4 -2
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +5 -4
- data/src/core/lib/experiments/config.cc +11 -9
- data/src/core/lib/experiments/experiments.cc +1 -1
- data/src/core/lib/experiments/experiments.h +1 -2
- data/src/core/lib/gprpp/dual_ref_counted.h +30 -30
- data/src/core/lib/iomgr/endpoint_pair_windows.cc +4 -4
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -17
- data/src/core/lib/iomgr/socket_windows.cc +3 -3
- data/src/core/lib/iomgr/tcp_posix.cc +2 -2
- data/src/core/lib/iomgr/tcp_server_posix.cc +9 -12
- data/src/core/lib/iomgr/tcp_server_windows.cc +2 -2
- data/src/core/lib/promise/party.cc +4 -4
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +2 -2
- data/src/core/load_balancing/grpclb/grpclb.cc +14 -15
- data/src/core/server/server.cc +1 -1
- data/src/core/util/log.cc +10 -8
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +3 -5
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +7 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_linux.c +4 -1
- data/third_party/boringssl-with-bazel/src/crypto/cpu_intel.c +0 -15
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +7 -61
- data/third_party/boringssl-with-bazel/src/crypto/dilithium/dilithium.c +43 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +21 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +31 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +22 -10
- data/third_party/boringssl-with-bazel/src/crypto/kyber/kyber.c +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +6 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/experimental/dilithium.h +6 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/experimental/kyber.h +10 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +26 -12
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +83 -33
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -8
- data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +4 -4
- data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +14 -13
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +22 -16
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +15 -15
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +1 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +38 -27
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +59 -20
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +1 -1
- metadata +3 -3
@@ -1169,7 +1169,8 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
|
|
1169
1169
|
return ssl_hs_error;
|
1170
1170
|
}
|
1171
1171
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
1172
|
-
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm
|
1172
|
+
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,
|
1173
|
+
hs->peer_pubkey.get())) {
|
1173
1174
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
1174
1175
|
return ssl_hs_error;
|
1175
1176
|
}
|
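Review bot: The new argument on line 1173, `hs->peer_pubkey.get()`, is passed with no visible check that a peer key has been set, and the `ssl_pkey_supports_algorithm` hunk in ssl_privkey.cc calls `EVP_PKEY_id(pkey)` on its key argument directly. The body of `tls12_check_peer_sigalg` is not on this page, so whether it forwards the pointer there or tolerates null cannot be confirmed from here. If the precondition holds, record it at the call, e.g. `// Precondition: |hs->peer_pubkey| is non-null (set when the peer certificate was parsed).` The same applies to the identical calls in do_read_client_certificate_verify (new line 1654) and tls13_process_certificate_verify (new line 339). do_read_server_key_exchange starts and ends outside this hunk.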
@@ -1650,7 +1650,8 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
|
|
1650
1650
|
return ssl_hs_error;
|
1651
1651
|
}
|
1652
1652
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
1653
|
-
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm
|
1653
|
+
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,
|
1654
|
+
hs->peer_pubkey.get())) {
|
1654
1655
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
1655
1656
|
return ssl_hs_error;
|
1656
1657
|
}
|
@@ -1044,26 +1044,21 @@ size_t ssl_seal_align_prefix_len(const SSL *ssl);
|
|
1044
1044
|
bool tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
|
1045
1045
|
uint8_t type, const uint8_t *in, size_t in_len);
|
1046
1046
|
|
1047
|
-
enum dtls1_use_epoch_t {
|
1048
|
-
dtls1_use_previous_epoch,
|
1049
|
-
dtls1_use_current_epoch,
|
1050
|
-
};
|
1051
|
-
|
1052
1047
|
// dtls_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
|
1053
1048
|
// record.
|
1054
|
-
size_t dtls_max_seal_overhead(const SSL *ssl,
|
1049
|
+
size_t dtls_max_seal_overhead(const SSL *ssl, uint16_t epoch);
|
1055
1050
|
|
1056
1051
|
// dtls_seal_prefix_len returns the number of bytes of prefix to reserve in
|
1057
1052
|
// front of the plaintext when sealing a record in-place.
|
1058
|
-
size_t dtls_seal_prefix_len(const SSL *ssl,
|
1053
|
+
size_t dtls_seal_prefix_len(const SSL *ssl, uint16_t epoch);
|
1059
1054
|
|
1060
|
-
// dtls_seal_record implements |tls_seal_record| for DTLS. |
|
1061
|
-
//
|
1062
|
-
//
|
1055
|
+
// dtls_seal_record implements |tls_seal_record| for DTLS. |epoch| selects which
|
1056
|
+
// epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out| may
|
1057
|
+
// alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes
|
1063
1058
|
// ahead of |out|.
|
1064
1059
|
bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
|
1065
1060
|
uint8_t type, const uint8_t *in, size_t in_len,
|
1066
|
-
|
1061
|
+
uint16_t epoch);
|
1067
1062
|
|
1068
1063
|
// ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown
|
1069
1064
|
// state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|,
|
@@ -1094,7 +1089,7 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,
|
|
1094
1089
|
// ssl_pkey_supports_algorithm returns whether |pkey| may be used to sign
|
1095
1090
|
// |sigalg|.
|
1096
1091
|
bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
1097
|
-
uint16_t sigalg);
|
1092
|
+
uint16_t sigalg, bool is_verify);
|
1098
1093
|
|
1099
1094
|
// ssl_public_key_verify verifies that the |signature| is valid for the public
|
1100
1095
|
// key |pkey| and input |in|, using the signature algorithm |sigalg|.
|
@@ -2324,6 +2319,11 @@ bool ssl_is_valid_alpn_list(Span<const uint8_t> in);
|
|
2324
2319
|
bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,
|
2325
2320
|
Span<const uint8_t> protocol);
|
2326
2321
|
|
2322
|
+
// ssl_alpn_list_contains_protocol returns whether |list|, a serialized ALPN
|
2323
|
+
// protocol list, contains |protocol|.
|
2324
|
+
bool ssl_alpn_list_contains_protocol(Span<const uint8_t> list,
|
2325
|
+
Span<const uint8_t> protocol);
|
2326
|
+
|
2327
2327
|
// ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns
|
2328
2328
|
// true on successful negotiation or if nothing was negotiated. It returns false
|
2329
2329
|
// and sets |*out_alert| to an alert on error.
|
@@ -2449,10 +2449,10 @@ bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs,
|
|
2449
2449
|
bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out);
|
2450
2450
|
|
2451
2451
|
// tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer
|
2452
|
-
// signature
|
2452
|
+
// signature from |pkey|. It returns true on success and false on error, setting
|
2453
2453
|
// |*out_alert| to an alert to send.
|
2454
2454
|
bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
2455
|
-
uint16_t sigalg);
|
2455
|
+
uint16_t sigalg, EVP_PKEY *pkey);
|
2456
2456
|
|
2457
2457
|
|
2458
2458
|
// Underdocumented functions.
|
@@ -3374,7 +3374,7 @@ int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake,
|
|
3374
3374
|
// dtls1_write_record sends a record. It returns one on success and <= 0 on
|
3375
3375
|
// error.
|
3376
3376
|
int dtls1_write_record(SSL *ssl, int type, Span<const uint8_t> in,
|
3377
|
-
|
3377
|
+
uint16_t epoch);
|
3378
3378
|
|
3379
3379
|
int dtls1_retransmit_outgoing_messages(SSL *ssl);
|
3380
3380
|
bool dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr,
|
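Review bot: The declaration of `ssl_pkey_supports_algorithm` (new line 1092) gains `bool is_verify`, but the comment above it is unchanged context and still says only that it returns whether |pkey| may be used to sign |sigalg|. Judging from the ssl_privkey.cc change, where the flag feeds the client-only check, it distinguishes signing from verifying, so the comment should say so: `// ssl_pkey_supports_algorithm returns whether |pkey| may be used to sign or, if |is_verify| is true, to verify a signature with |sigalg|.` The comments on `dtls_max_seal_overhead`, `dtls_seal_prefix_len` and `dtls1_write_record` likewise leave the `epoch` parameter undescribed, while `dtls_seal_record` documents it.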
@@ -505,13 +505,9 @@ BSSL_NAMESPACE_END
|
|
505
505
|
|
506
506
|
using namespace bssl;
|
507
507
|
|
508
|
-
int SSL_library_init(void) {
|
509
|
-
CRYPTO_library_init();
|
510
|
-
return 1;
|
511
|
-
}
|
508
|
+
int SSL_library_init(void) { return 1; }
|
512
509
|
|
513
510
|
int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) {
|
514
|
-
CRYPTO_library_init();
|
515
511
|
return 1;
|
516
512
|
}
|
517
513
|
|
@@ -2286,34 +2282,49 @@ int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) {
|
|
2286
2282
|
int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer,
|
2287
2283
|
unsigned peer_len, const uint8_t *supported,
|
2288
2284
|
unsigned supported_len) {
|
2289
|
-
|
2290
|
-
|
2285
|
+
*out = nullptr;
|
2286
|
+
*out_len = 0;
|
2287
|
+
|
2288
|
+
// Both |peer| and |supported| must be valid protocol lists, but |peer| may be
|
2289
|
+
// empty in NPN.
|
2290
|
+
auto peer_span = MakeConstSpan(peer, peer_len);
|
2291
|
+
auto supported_span = MakeConstSpan(supported, supported_len);
|
2292
|
+
if ((!peer_span.empty() && !ssl_is_valid_alpn_list(peer_span)) ||
|
2293
|
+
!ssl_is_valid_alpn_list(supported_span)) {
|
2294
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2295
|
+
}
|
2291
2296
|
|
2292
2297
|
// For each protocol in peer preference order, see if we support it.
|
2293
|
-
|
2294
|
-
|
2295
|
-
|
2296
|
-
|
2297
|
-
|
2298
|
-
|
2299
|
-
|
2300
|
-
|
2301
|
-
|
2302
|
-
|
2303
|
-
|
2298
|
+
CBS cbs = peer_span, proto;
|
2299
|
+
while (CBS_len(&cbs) != 0) {
|
2300
|
+
if (!CBS_get_u8_length_prefixed(&cbs, &proto) || CBS_len(&proto) == 0) {
|
2301
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2302
|
+
}
|
2303
|
+
|
2304
|
+
if (ssl_alpn_list_contains_protocol(MakeConstSpan(supported, supported_len),
|
2305
|
+
proto)) {
|
2306
|
+
// This function is not const-correct for compatibility with existing
|
2307
|
+
// callers.
|
2308
|
+
*out = const_cast<uint8_t *>(CBS_data(&proto));
|
2309
|
+
// A u8 length prefix will fit in |uint8_t|.
|
2310
|
+
*out_len = static_cast<uint8_t>(CBS_len(&proto));
|
2311
|
+
return OPENSSL_NPN_NEGOTIATED;
|
2304
2312
|
}
|
2305
|
-
i += peer[i];
|
2306
|
-
i++;
|
2307
2313
|
}
|
2308
2314
|
|
2309
|
-
// There's no overlap between our protocols and the peer's list.
|
2310
|
-
|
2311
|
-
|
2315
|
+
// There's no overlap between our protocols and the peer's list. In ALPN, the
|
2316
|
+
// caller is expected to fail the connection with no_application_protocol. In
|
2317
|
+
// NPN, the caller is expected to opportunistically select the first protocol.
|
2318
|
+
// See draft-agl-tls-nextprotoneg-04, section 6.
|
2319
|
+
cbs = supported_span;
|
2320
|
+
if (!CBS_get_u8_length_prefixed(&cbs, &proto) || CBS_len(&proto) == 0) {
|
2321
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2322
|
+
}
|
2312
2323
|
|
2313
|
-
|
2314
|
-
*out =
|
2315
|
-
*out_len =
|
2316
|
-
return
|
2324
|
+
// See above.
|
2325
|
+
*out = const_cast<uint8_t *>(CBS_data(&proto));
|
2326
|
+
*out_len = static_cast<uint8_t>(CBS_len(&proto));
|
2327
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2317
2328
|
}
|
2318
2329
|
|
2319
2330
|
void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data,
|
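Review bot: `SSL_select_next_proto` returns `OPENSSL_NPN_NO_OVERLAP` in two different output states: with `*out == nullptr` and `*out_len == 0` when either list fails validation (new lines 2292–2295), and with `*out` pointing at the first entry of `supported` when the lists are valid but disjoint (lines 2325–2327). A caller that treats NO_OVERLAP as "use `*out` opportunistically" would read through a null pointer on the first path, so the contract should be stated above the function, e.g. `// On invalid input, |*out| is nullptr and |*out_len| is zero; callers must check before using |*out|.` The ssl.h changes are not shown on this page, so this may already be documented there. Separately, line 2304 rebuilds the span with `MakeConstSpan(supported, supported_len)` although `supported_span` from line 2291 is in scope; passing `supported_span` makes it explicit that the loop reads the list that was validated.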
@@ -85,29 +85,61 @@ typedef struct {
|
|
85
85
|
int curve;
|
86
86
|
const EVP_MD *(*digest_func)(void);
|
87
87
|
bool is_rsa_pss;
|
88
|
+
bool tls12_ok;
|
89
|
+
bool tls13_ok;
|
90
|
+
bool client_only;
|
88
91
|
} SSL_SIGNATURE_ALGORITHM;
|
89
92
|
|
90
93
|
static const SSL_SIGNATURE_ALGORITHM kSignatureAlgorithms[] = {
|
94
|
+
// PKCS#1 v1.5 code points are only allowed in TLS 1.2.
|
91
95
|
{SSL_SIGN_RSA_PKCS1_MD5_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_md5_sha1,
|
92
|
-
false
|
93
|
-
|
94
|
-
{
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
{
|
101
|
-
|
102
|
-
|
96
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
97
|
+
/*client_only=*/false},
|
98
|
+
{SSL_SIGN_RSA_PKCS1_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_sha1,
|
99
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
100
|
+
/*client_only=*/false},
|
101
|
+
{SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
|
102
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
103
|
+
/*client_only=*/false},
|
104
|
+
{SSL_SIGN_RSA_PKCS1_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384,
|
105
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
106
|
+
/*client_only=*/false},
|
107
|
+
{SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512,
|
108
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
109
|
+
/*client_only=*/false},
|
110
|
+
|
111
|
+
// Legacy PKCS#1 v1.5 code points are only allowed in TLS 1.3 and
|
112
|
+
// client-only. See draft-ietf-tls-tls13-pkcs1-00.
|
113
|
+
{SSL_SIGN_RSA_PKCS1_SHA256_LEGACY, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
|
114
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/false, /*tls13_ok=*/true,
|
115
|
+
/*client_only=*/true},
|
116
|
+
|
117
|
+
{SSL_SIGN_RSA_PSS_RSAE_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
|
118
|
+
/*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
119
|
+
/*client_only=*/false},
|
120
|
+
{SSL_SIGN_RSA_PSS_RSAE_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384,
|
121
|
+
/*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
122
|
+
/*client_only=*/false},
|
123
|
+
{SSL_SIGN_RSA_PSS_RSAE_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512,
|
124
|
+
/*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
125
|
+
/*client_only=*/false},
|
126
|
+
|
127
|
+
{SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1,
|
128
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
129
|
+
/*client_only=*/false},
|
103
130
|
{SSL_SIGN_ECDSA_SECP256R1_SHA256, EVP_PKEY_EC, NID_X9_62_prime256v1,
|
104
|
-
&EVP_sha256, false
|
131
|
+
&EVP_sha256, /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
132
|
+
/*client_only=*/false},
|
105
133
|
{SSL_SIGN_ECDSA_SECP384R1_SHA384, EVP_PKEY_EC, NID_secp384r1, &EVP_sha384,
|
106
|
-
false
|
134
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
135
|
+
/*client_only=*/false},
|
107
136
|
{SSL_SIGN_ECDSA_SECP521R1_SHA512, EVP_PKEY_EC, NID_secp521r1, &EVP_sha512,
|
108
|
-
false
|
137
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
138
|
+
/*client_only=*/false},
|
109
139
|
|
110
|
-
{SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, nullptr,
|
140
|
+
{SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, nullptr,
|
141
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
142
|
+
/*client_only=*/false},
|
111
143
|
};
|
112
144
|
|
113
145
|
static const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) {
|
@@ -120,7 +152,7 @@ static const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) {
|
|
120
152
|
}
|
121
153
|
|
122
154
|
bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
123
|
-
uint16_t sigalg) {
|
155
|
+
uint16_t sigalg, bool is_verify) {
|
124
156
|
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
|
125
157
|
if (alg == NULL || EVP_PKEY_id(pkey) != alg->pkey_type) {
|
126
158
|
return false;
|
@@ -152,8 +184,12 @@ bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
|
152
184
|
}
|
153
185
|
|
154
186
|
if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
|
155
|
-
|
156
|
-
|
187
|
+
if (!alg->tls13_ok) {
|
188
|
+
return false;
|
189
|
+
}
|
190
|
+
|
191
|
+
bool is_client_sign = ssl->server == is_verify;
|
192
|
+
if (alg->client_only && !is_client_sign) {
|
157
193
|
return false;
|
158
194
|
}
|
159
195
|
|
@@ -164,6 +200,8 @@ bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
|
164
200
|
EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey))) != alg->curve)) {
|
165
201
|
return false;
|
166
202
|
}
|
203
|
+
} else if (!alg->tls12_ok) {
|
204
|
+
return false;
|
167
205
|
}
|
168
206
|
|
169
207
|
return true;
|
@@ -171,7 +209,7 @@ bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
|
171
209
|
|
172
210
|
static bool setup_ctx(SSL *ssl, EVP_MD_CTX *ctx, EVP_PKEY *pkey,
|
173
211
|
uint16_t sigalg, bool is_verify) {
|
174
|
-
if (!ssl_pkey_supports_algorithm(ssl, pkey, sigalg)) {
|
212
|
+
if (!ssl_pkey_supports_algorithm(ssl, pkey, sigalg, is_verify)) {
|
175
213
|
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
|
176
214
|
return false;
|
177
215
|
}
|
@@ -448,7 +486,7 @@ void SSL_CTX_set_private_key_method(SSL_CTX *ctx,
|
|
448
486
|
ctx->cert->default_credential.get(), key_method));
|
449
487
|
}
|
450
488
|
|
451
|
-
static constexpr size_t kMaxSignatureAlgorithmNameLen =
|
489
|
+
static constexpr size_t kMaxSignatureAlgorithmNameLen = 24;
|
452
490
|
|
453
491
|
struct SignatureAlgorithmName {
|
454
492
|
uint16_t signature_algorithm;
|
@@ -461,6 +499,7 @@ static const SignatureAlgorithmName kSignatureAlgorithmNames[] = {
|
|
461
499
|
{SSL_SIGN_RSA_PKCS1_MD5_SHA1, "rsa_pkcs1_md5_sha1"},
|
462
500
|
{SSL_SIGN_RSA_PKCS1_SHA1, "rsa_pkcs1_sha1"},
|
463
501
|
{SSL_SIGN_RSA_PKCS1_SHA256, "rsa_pkcs1_sha256"},
|
502
|
+
{SSL_SIGN_RSA_PKCS1_SHA256_LEGACY, "rsa_pkcs1_sha256_legacy"},
|
464
503
|
{SSL_SIGN_RSA_PKCS1_SHA384, "rsa_pkcs1_sha384"},
|
465
504
|
{SSL_SIGN_RSA_PKCS1_SHA512, "rsa_pkcs1_sha512"},
|
466
505
|
{SSL_SIGN_ECDSA_SHA1, "ecdsa_sha1"},
|
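Review bot: The client-only gate rests on `bool is_client_sign = ssl->server == is_verify;` (new line 191), which is only obvious once read as "a server verifying or a client signing", and nothing at that line says so. This is the check that keeps `SSL_SIGN_RSA_PKCS1_SHA256_LEGACY` from being accepted for a server's signature in TLS 1.3, so a call site passing the wrong `is_verify` would silently invert the policy. Add a comment such as `// The signature is the client's when a server verifies or a client signs.` ssl_pkey_supports_algorithm is split across several hunks here and parts of its body are outside them.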
@@ -142,7 +142,7 @@ static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
|
|
142
142
|
uint16_t version) {
|
143
143
|
// Zero is interpreted as the default minimum version.
|
144
144
|
if (version == 0) {
|
145
|
-
*out = method->is_dtls ?
|
145
|
+
*out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;
|
146
146
|
return true;
|
147
147
|
}
|
148
148
|
|
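Review bot: The comment on line 143 says only that zero means "the default minimum version", while line 145 sets that default to `DTLS1_2_VERSION` or `TLS1_2_VERSION`. This floor decides which protocol versions a peer can negotiate when the application configures nothing, so name it in the comment: `// Zero is interpreted as the default minimum version: TLS 1.2, or DTLS 1.2 for DTLS methods.` The removed line is truncated on this page, so the previous default cannot be read from it. set_min_version begins and ends outside the hunk.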
@@ -335,7 +335,8 @@ bool tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg)
|
|
335
335
|
}
|
336
336
|
|
337
337
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
338
|
-
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm
|
338
|
+
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,
|
339
|
+
hs->peer_pubkey.get())) {
|
339
340
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
340
341
|
return false;
|
341
342
|
}
|
@@ -606,7 +606,7 @@ using namespace bssl;
|
|
606
606
|
|
607
607
|
size_t SSL_max_seal_overhead(const SSL *ssl) {
|
608
608
|
if (SSL_is_dtls(ssl)) {
|
609
|
-
return dtls_max_seal_overhead(ssl,
|
609
|
+
return dtls_max_seal_overhead(ssl, ssl->d1->w_epoch);
|
610
610
|
}
|
611
611
|
|
612
612
|
size_t ret = SSL3_RT_HEADER_LENGTH;
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: grpc
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.65.
|
4
|
+
version: 1.65.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- gRPC Authors
|
8
8
|
autorequire:
|
9
9
|
bindir: src/ruby/bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-07-26 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: google-protobuf
|
@@ -3581,7 +3581,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
3581
3581
|
- !ruby/object:Gem::Version
|
3582
3582
|
version: '0'
|
3583
3583
|
requirements: []
|
3584
|
-
rubygems_version: 3.5.
|
3584
|
+
rubygems_version: 3.5.16
|
3585
3585
|
signing_key:
|
3586
3586
|
specification_version: 4
|
3587
3587
|
summary: GRPC system in Ruby
|