grpc 1.65.1 → 1.65.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Makefile +1 -1
- data/src/core/client_channel/subchannel.cc +10 -7
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +3 -1
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +6 -6
- data/src/core/handshaker/http_connect/http_proxy_mapper.cc +7 -10
- data/src/core/lib/compression/message_compress.cc +3 -3
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +3 -3
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +1 -1
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener_utils.cc +6 -6
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +7 -4
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.cc +3 -1
- data/src/core/lib/event_engine/windows/win_socket.cc +4 -2
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +5 -4
- data/src/core/lib/experiments/config.cc +11 -9
- data/src/core/lib/iomgr/endpoint_pair_windows.cc +4 -4
- data/src/core/lib/iomgr/socket_windows.cc +3 -3
- data/src/core/lib/iomgr/tcp_posix.cc +2 -1
- data/src/core/lib/iomgr/tcp_server_posix.cc +9 -12
- data/src/core/lib/iomgr/tcp_server_windows.cc +2 -2
- data/src/core/lib/promise/party.cc +4 -4
- data/src/core/load_balancing/grpclb/grpclb.cc +14 -15
- data/src/core/util/log.cc +2 -2
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +3 -5
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +7 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_linux.c +4 -1
- data/third_party/boringssl-with-bazel/src/crypto/cpu_intel.c +0 -15
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +7 -61
- data/third_party/boringssl-with-bazel/src/crypto/dilithium/dilithium.c +43 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +21 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +31 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +22 -10
- data/third_party/boringssl-with-bazel/src/crypto/kyber/kyber.c +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +6 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/experimental/dilithium.h +6 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/experimental/kyber.h +10 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +26 -12
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +83 -33
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -8
- data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +4 -4
- data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +14 -13
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +22 -16
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +15 -15
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +1 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +38 -27
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +59 -20
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +1 -1
- metadata +3 -3
@@ -1205,6 +1205,11 @@ OPENSSL_EXPORT int SSL_set_ocsp_response(SSL *ssl,
|
|
1205
1205
|
#define SSL_SIGN_RSA_PSS_RSAE_SHA512 0x0806
|
1206
1206
|
#define SSL_SIGN_ED25519 0x0807
|
1207
1207
|
|
1208
|
+
// SSL_SIGN_RSA_PKCS1_SHA256_LEGACY is a backport of RSASSA-PKCS1-v1_5 with
|
1209
|
+
// SHA-256 to TLS 1.3. It is disabled by default and only defined for client
|
1210
|
+
// certificates.
|
1211
|
+
#define SSL_SIGN_RSA_PKCS1_SHA256_LEGACY 0x0420
|
1212
|
+
|
1208
1213
|
// SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal signature algorithm used to
|
1209
1214
|
// specify raw RSASSA-PKCS1-v1_5 with an MD5/SHA-1 concatenation, as used in TLS
|
1210
1215
|
// before TLS 1.2.
|
@@ -3115,7 +3120,8 @@ OPENSSL_EXPORT int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos,
|
|
3115
3120
|
|
3116
3121
|
// SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is called
|
3117
3122
|
// during ClientHello processing in order to select an ALPN protocol from the
|
3118
|
-
// client's list of offered protocols.
|
3123
|
+
// client's list of offered protocols. |SSL_select_next_proto| is an optional
|
3124
|
+
// utility function which may be useful in implementing this callback.
|
3119
3125
|
//
|
3120
3126
|
// The callback is passed a wire-format (i.e. a series of non-empty, 8-bit
|
3121
3127
|
// length-prefixed strings) ALPN protocol list in |in|. To select a protocol,
|
@@ -3265,30 +3271,50 @@ OPENSSL_EXPORT int SSL_CTX_add_cert_compression_alg(
|
|
3265
3271
|
// and deprecated in favor of it.
|
3266
3272
|
|
3267
3273
|
// SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
|
3268
|
-
// TLS server needs a list of supported protocols for Next Protocol
|
3269
|
-
//
|
3270
|
-
//
|
3271
|
-
//
|
3272
|
-
//
|
3273
|
-
//
|
3274
|
-
//
|
3275
|
-
//
|
3274
|
+
// TLS server needs a list of supported protocols for Next Protocol Negotiation.
|
3275
|
+
//
|
3276
|
+
// If the callback wishes to advertise NPN to the client, it should return
|
3277
|
+
// |SSL_TLSEXT_ERR_OK| and then set |*out| and |*out_len| to describe to a
|
3278
|
+
// buffer containing a (possibly empty) list of supported protocols in wire
|
3279
|
+
// format. That is, each protocol is prefixed with a 1-byte length, then
|
3280
|
+
// concatenated. From there, the client will select a protocol, possibly one not
|
3281
|
+
// on the server's list. The caller can use |SSL_get0_next_proto_negotiated|
|
3282
|
+
// after the handshake completes to query the final protocol.
|
3283
|
+
//
|
3284
|
+
// The returned buffer must remain valid and unmodified for at least the
|
3285
|
+
// duration of the |SSL| operation (e.g. |SSL_do_handshake|) that triggered the
|
3286
|
+
// callback.
|
3287
|
+
//
|
3288
|
+
// If the caller wishes not to advertise NPN, it should return
|
3289
|
+
// |SSL_TLSEXT_ERR_NOACK|. No NPN extension will be included in the ServerHello,
|
3290
|
+
// and the TLS server will behave as if it does not implement NPN.
|
3276
3291
|
OPENSSL_EXPORT void SSL_CTX_set_next_protos_advertised_cb(
|
3277
3292
|
SSL_CTX *ctx,
|
3278
3293
|
int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg),
|
3279
3294
|
void *arg);
|
3280
3295
|
|
3281
3296
|
// SSL_CTX_set_next_proto_select_cb sets a callback that is called when a client
|
3282
|
-
// needs to select a protocol from the server's provided list
|
3283
|
-
//
|
3284
|
-
//
|
3285
|
-
//
|
3286
|
-
//
|
3287
|
-
//
|
3288
|
-
//
|
3289
|
-
//
|
3290
|
-
//
|
3291
|
-
//
|
3297
|
+
// needs to select a protocol from the server's provided list, passed in wire
|
3298
|
+
// format in |in_len| bytes from |in|. The callback can assume that |in| is
|
3299
|
+
// syntactically valid. |SSL_select_next_proto| is an optional utility function
|
3300
|
+
// which may be useful in implementing this callback.
|
3301
|
+
//
|
3302
|
+
// On success, the callback should return |SSL_TLSEXT_ERR_OK| and set |*out| and
|
3303
|
+
// |*out_len| to describe a buffer containing the selected protocol, or an
|
3304
|
+
// empty buffer to select no protocol. The returned buffer may point within
|
3305
|
+
// |in|, or it may point to some other buffer that remains valid and unmodified
|
3306
|
+
// for at least the duration of the |SSL| operation (e.g. |SSL_do_handshake|)
|
3307
|
+
// that triggered the callback.
|
3308
|
+
//
|
3309
|
+
// Returning any other value indicates a fatal error and will terminate the TLS
|
3310
|
+
// connection. To proceed without selecting a protocol, the callback must return
|
3311
|
+
// |SSL_TLSEXT_ERR_OK| and set |*out| and |*out_len| to an empty buffer. (E.g.
|
3312
|
+
// NULL and zero, respectively.)
|
3313
|
+
//
|
3314
|
+
// Configuring this callback enables NPN on a client. Although the callback can
|
3315
|
+
// then decline to negotiate a protocol, merely configuring the callback causes
|
3316
|
+
// the client to offer NPN in the ClientHello. Callers thus should not configure
|
3317
|
+
// this callback in TLS client contexts that are not intended to use NPN.
|
3292
3318
|
OPENSSL_EXPORT void SSL_CTX_set_next_proto_select_cb(
|
3293
3319
|
SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len,
|
3294
3320
|
const uint8_t *in, unsigned in_len, void *arg),
|
@@ -3296,7 +3322,7 @@ OPENSSL_EXPORT void SSL_CTX_set_next_proto_select_cb(
|
|
3296
3322
|
|
3297
3323
|
// SSL_get0_next_proto_negotiated sets |*out_data| and |*out_len| to point to
|
3298
3324
|
// the client's requested protocol for this connection. If the client didn't
|
3299
|
-
// request any protocol, then |*
|
3325
|
+
// request any protocol, then |*out_len| is set to zero.
|
3300
3326
|
//
|
3301
3327
|
// Note that the client can request any protocol it chooses. The value returned
|
3302
3328
|
// from this function need not be a member of the list of supported protocols
|
@@ -3305,21 +3331,45 @@ OPENSSL_EXPORT void SSL_get0_next_proto_negotiated(const SSL *ssl,
|
|
3305
3331
|
const uint8_t **out_data,
|
3306
3332
|
unsigned *out_len);
|
3307
3333
|
|
3308
|
-
// SSL_select_next_proto implements the standard protocol selection
|
3309
|
-
// expected that this function is called from
|
3334
|
+
// SSL_select_next_proto implements the standard protocol selection for either
|
3335
|
+
// ALPN servers or NPN clients. It is expected that this function is called from
|
3336
|
+
// the callback set by |SSL_CTX_set_alpn_select_cb| or
|
3310
3337
|
// |SSL_CTX_set_next_proto_select_cb|.
|
3311
3338
|
//
|
3312
|
-
// |peer| and |supported|
|
3313
|
-
//
|
3314
|
-
//
|
3315
|
-
//
|
3316
|
-
// non-empty.
|
3317
|
-
//
|
3318
|
-
// This function finds the first protocol in |peer| which is also in
|
3319
|
-
// |supported|. If one was found, it sets |*out| and |*out_len| to point to it
|
3320
|
-
// and returns |OPENSSL_NPN_NEGOTIATED|. Otherwise, it returns
|
3339
|
+
// |peer| and |supported| contain the peer and locally-configured protocols,
|
3340
|
+
// respectively. This function finds the first protocol in |peer| which is also
|
3341
|
+
// in |supported|. If one was found, it sets |*out| and |*out_len| to point to
|
3342
|
+
// it and returns |OPENSSL_NPN_NEGOTIATED|. Otherwise, it returns
|
3321
3343
|
// |OPENSSL_NPN_NO_OVERLAP| and sets |*out| and |*out_len| to the first
|
3322
3344
|
// supported protocol.
|
3345
|
+
//
|
3346
|
+
// In ALPN, the server should only select protocols among those that the client
|
3347
|
+
// offered. Thus, if this function returns |OPENSSL_NPN_NO_OVERLAP|, the caller
|
3348
|
+
// should ignore |*out| and return |SSL_TLSEXT_ERR_ALERT_FATAL| from
|
3349
|
+
// |SSL_CTX_set_alpn_select_cb|'s callback to indicate there was no match.
|
3350
|
+
//
|
3351
|
+
// In NPN, the client may either select one of the server's protocols, or an
|
3352
|
+
// "opportunistic" protocol as described in Section 6 of
|
3353
|
+
// draft-agl-tls-nextprotoneg-03. When this function returns
|
3354
|
+
// |OPENSSL_NPN_NO_OVERLAP|, |*out| implicitly selects the first supported
|
3355
|
+
// protocol for use as the opportunistic protocol. The caller may use it,
|
3356
|
+
// ignore it and select a different opportunistic protocol, or ignore it and
|
3357
|
+
// select no protocol (empty string).
|
3358
|
+
//
|
3359
|
+
// |peer| and |supported| must be vectors of 8-bit, length-prefixed byte
|
3360
|
+
// strings. The length byte itself is not included in the length. A byte string
|
3361
|
+
// of length 0 is invalid. No byte string may be truncated. |supported| must be
|
3362
|
+
// non-empty; a caller that supports no ALPN/NPN protocols should skip
|
3363
|
+
// negotiating the extension, rather than calling this function. If any of these
|
3364
|
+
// preconditions do not hold, this function will return |OPENSSL_NPN_NO_OVERLAP|
|
3365
|
+
// and set |*out| and |*out_len| to an empty buffer for robustness, but callers
|
3366
|
+
// are not recommended to rely on this. An empty buffer is not a valid output
|
3367
|
+
// for |SSL_CTX_set_alpn_select_cb|'s callback.
|
3368
|
+
//
|
3369
|
+
// WARNING: |*out| and |*out_len| may alias either |peer| or |supported| and may
|
3370
|
+
// not be used after one of those buffers is modified or released. Additionally,
|
3371
|
+
// this function is not const-correct for compatibility reasons. Although |*out|
|
3372
|
+
// is a non-const pointer, callers may not modify the buffer though |*out|.
|
3323
3373
|
OPENSSL_EXPORT int SSL_select_next_proto(uint8_t **out, uint8_t *out_len,
|
3324
3374
|
const uint8_t *peer, unsigned peer_len,
|
3325
3375
|
const uint8_t *supported,
|
@@ -4814,7 +4864,7 @@ OPENSSL_EXPORT void SSL_set_check_ecdsa_curve(SSL *ssl, int enable);
|
|
4814
4864
|
|
4815
4865
|
// Deprecated functions.
|
4816
4866
|
|
4817
|
-
// SSL_library_init
|
4867
|
+
// SSL_library_init returns one.
|
4818
4868
|
OPENSSL_EXPORT int SSL_library_init(void);
|
4819
4869
|
|
4820
4870
|
// SSL_CIPHER_description writes a description of |cipher| into |buf| and
|
@@ -5377,7 +5427,7 @@ OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl);
|
|
5377
5427
|
#define OPENSSL_INIT_LOAD_SSL_STRINGS 0
|
5378
5428
|
#define OPENSSL_INIT_SSL_DEFAULT 0
|
5379
5429
|
|
5380
|
-
// OPENSSL_init_ssl
|
5430
|
+
// OPENSSL_init_ssl returns one.
|
5381
5431
|
OPENSSL_EXPORT int OPENSSL_init_ssl(uint64_t opts,
|
5382
5432
|
const OPENSSL_INIT_SETTINGS *settings);
|
5383
5433
|
|
@@ -624,16 +624,14 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
|
|
624
624
|
assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len);
|
625
625
|
assert(msg == &ssl->d1->outgoing_messages[ssl->d1->outgoing_written]);
|
626
626
|
|
627
|
-
|
628
|
-
|
629
|
-
use_epoch = dtls1_use_previous_epoch;
|
630
|
-
} else if (msg->epoch != ssl->d1->w_epoch) {
|
627
|
+
if (msg->epoch != ssl->d1->w_epoch &&
|
628
|
+
(ssl->d1->w_epoch == 0 || msg->epoch != ssl->d1->w_epoch - 1)) {
|
631
629
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
632
630
|
return seal_error;
|
633
631
|
}
|
634
632
|
|
635
|
-
size_t overhead = dtls_max_seal_overhead(ssl,
|
636
|
-
size_t prefix = dtls_seal_prefix_len(ssl,
|
633
|
+
size_t overhead = dtls_max_seal_overhead(ssl, msg->epoch);
|
634
|
+
size_t prefix = dtls_seal_prefix_len(ssl, msg->epoch);
|
637
635
|
|
638
636
|
if (msg->is_ccs) {
|
639
637
|
// Check there is room for the ChangeCipherSpec.
|
@@ -644,7 +642,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
|
|
644
642
|
|
645
643
|
if (!dtls_seal_record(ssl, out, out_len, max_out,
|
646
644
|
SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec,
|
647
|
-
sizeof(kChangeCipherSpec),
|
645
|
+
sizeof(kChangeCipherSpec), msg->epoch)) {
|
648
646
|
return seal_error;
|
649
647
|
}
|
650
648
|
|
@@ -697,7 +695,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
|
|
697
695
|
MakeSpan(frag, frag_len));
|
698
696
|
|
699
697
|
if (!dtls_seal_record(ssl, out, out_len, max_out, SSL3_RT_HANDSHAKE,
|
700
|
-
out + prefix, frag_len,
|
698
|
+
out + prefix, frag_len, msg->epoch)) {
|
701
699
|
return seal_error;
|
702
700
|
}
|
703
701
|
|
@@ -208,7 +208,7 @@ int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake,
|
|
208
208
|
}
|
209
209
|
|
210
210
|
int ret = dtls1_write_record(ssl, SSL3_RT_APPLICATION_DATA, in,
|
211
|
-
|
211
|
+
ssl->d1->w_epoch);
|
212
212
|
if (ret <= 0) {
|
213
213
|
return ret;
|
214
214
|
}
|
@@ -217,7 +217,7 @@ int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake,
|
|
217
217
|
}
|
218
218
|
|
219
219
|
int dtls1_write_record(SSL *ssl, int type, Span<const uint8_t> in,
|
220
|
-
|
220
|
+
uint16_t epoch) {
|
221
221
|
SSLBuffer *buf = &ssl->s3->write_buffer;
|
222
222
|
assert(in.size() <= SSL3_RT_MAX_PLAIN_LENGTH);
|
223
223
|
// There should never be a pending write buffer in DTLS. One can't write half
|
@@ -235,7 +235,7 @@ int dtls1_write_record(SSL *ssl, int type, Span<const uint8_t> in,
|
|
235
235
|
in.size() + SSL_max_seal_overhead(ssl)) ||
|
236
236
|
!dtls_seal_record(ssl, buf->remaining().data(), &ciphertext_len,
|
237
237
|
buf->remaining().size(), type, in.data(), in.size(),
|
238
|
-
|
238
|
+
epoch)) {
|
239
239
|
buf->Clear();
|
240
240
|
return -1;
|
241
241
|
}
|
@@ -250,7 +250,7 @@ int dtls1_write_record(SSL *ssl, int type, Span<const uint8_t> in,
|
|
250
250
|
|
251
251
|
int dtls1_dispatch_alert(SSL *ssl) {
|
252
252
|
int ret = dtls1_write_record(ssl, SSL3_RT_ALERT, ssl->s3->send_alert,
|
253
|
-
|
253
|
+
ssl->d1->w_epoch);
|
254
254
|
if (ret <= 0) {
|
255
255
|
return ret;
|
256
256
|
}
|
@@ -258,29 +258,30 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type,
|
|
258
258
|
}
|
259
259
|
|
260
260
|
static const SSLAEADContext *get_write_aead(const SSL *ssl,
|
261
|
-
|
262
|
-
if (
|
263
|
-
assert(ssl->d1->w_epoch
|
261
|
+
uint16_t epoch) {
|
262
|
+
if (epoch < ssl->d1->w_epoch) {
|
263
|
+
assert(epoch + 1 == ssl->d1->w_epoch);
|
264
264
|
return ssl->d1->last_aead_write_ctx.get();
|
265
265
|
}
|
266
266
|
|
267
|
+
assert(epoch == ssl->d1->w_epoch);
|
267
268
|
return ssl->s3->aead_write_ctx.get();
|
268
269
|
}
|
269
270
|
|
270
271
|
size_t dtls_max_seal_overhead(const SSL *ssl,
|
271
|
-
|
272
|
-
return DTLS1_RT_HEADER_LENGTH + get_write_aead(ssl,
|
272
|
+
uint16_t epoch) {
|
273
|
+
return DTLS1_RT_HEADER_LENGTH + get_write_aead(ssl, epoch)->MaxOverhead();
|
273
274
|
}
|
274
275
|
|
275
|
-
size_t dtls_seal_prefix_len(const SSL *ssl,
|
276
|
+
size_t dtls_seal_prefix_len(const SSL *ssl, uint16_t epoch) {
|
276
277
|
return DTLS1_RT_HEADER_LENGTH +
|
277
|
-
get_write_aead(ssl,
|
278
|
+
get_write_aead(ssl, epoch)->ExplicitNonceLen();
|
278
279
|
}
|
279
280
|
|
280
281
|
bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
|
281
282
|
uint8_t type, const uint8_t *in, size_t in_len,
|
282
|
-
|
283
|
-
const size_t prefix = dtls_seal_prefix_len(ssl,
|
283
|
+
uint16_t epoch) {
|
284
|
+
const size_t prefix = dtls_seal_prefix_len(ssl, epoch);
|
284
285
|
if (buffers_alias(in, in_len, out, max_out) &&
|
285
286
|
(max_out < prefix || out + prefix != in)) {
|
286
287
|
OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
|
@@ -288,14 +289,14 @@ bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
|
|
288
289
|
}
|
289
290
|
|
290
291
|
// Determine the parameters for the current epoch.
|
291
|
-
uint16_t epoch = ssl->d1->w_epoch;
|
292
292
|
SSLAEADContext *aead = ssl->s3->aead_write_ctx.get();
|
293
293
|
uint64_t *seq = &ssl->s3->write_sequence;
|
294
|
-
if (
|
295
|
-
assert(ssl->d1->w_epoch
|
296
|
-
epoch = ssl->d1->w_epoch - 1;
|
294
|
+
if (epoch < ssl->d1->w_epoch) {
|
295
|
+
assert(epoch + 1 == ssl->d1->w_epoch);
|
297
296
|
aead = ssl->d1->last_aead_write_ctx.get();
|
298
297
|
seq = &ssl->d1->last_write_sequence;
|
298
|
+
} else {
|
299
|
+
assert(epoch == ssl->d1->w_epoch);
|
299
300
|
}
|
300
301
|
|
301
302
|
if (max_out < DTLS1_RT_HEADER_LENGTH) {
|
@@ -441,16 +441,18 @@ bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out) {
|
|
441
441
|
}
|
442
442
|
|
443
443
|
bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
444
|
-
uint16_t sigalg) {
|
445
|
-
|
446
|
-
|
447
|
-
|
448
|
-
|
444
|
+
uint16_t sigalg, EVP_PKEY *pkey) {
|
445
|
+
// The peer must have selected an algorithm that is consistent with its public
|
446
|
+
// key, the TLS version, and what we advertised.
|
447
|
+
Span<const uint16_t> sigalgs = tls12_get_verify_sigalgs(hs);
|
448
|
+
if (std::find(sigalgs.begin(), sigalgs.end(), sigalg) == sigalgs.end() ||
|
449
|
+
!ssl_pkey_supports_algorithm(hs->ssl, pkey, sigalg, /*is_verify=*/true)) {
|
450
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
|
451
|
+
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
452
|
+
return false;
|
449
453
|
}
|
450
454
|
|
451
|
-
|
452
|
-
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
453
|
-
return false;
|
455
|
+
return true;
|
454
456
|
}
|
455
457
|
|
456
458
|
// tls_extension represents a TLS extension that is handled internally.
|
@@ -1474,16 +1476,19 @@ bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,
|
|
1474
1476
|
}
|
1475
1477
|
|
1476
1478
|
// Check that the protocol name is one of the ones we advertised.
|
1477
|
-
|
1478
|
-
|
1479
|
-
|
1480
|
-
|
1481
|
-
|
1482
|
-
|
1479
|
+
return ssl_alpn_list_contains_protocol(hs->config->alpn_client_proto_list,
|
1480
|
+
protocol);
|
1481
|
+
}
|
1482
|
+
|
1483
|
+
bool ssl_alpn_list_contains_protocol(Span<const uint8_t> list,
|
1484
|
+
Span<const uint8_t> protocol) {
|
1485
|
+
CBS cbs = list, candidate;
|
1486
|
+
while (CBS_len(&cbs) > 0) {
|
1487
|
+
if (!CBS_get_u8_length_prefixed(&cbs, &candidate)) {
|
1483
1488
|
return false;
|
1484
1489
|
}
|
1485
1490
|
|
1486
|
-
if (
|
1491
|
+
if (candidate == protocol) {
|
1487
1492
|
return true;
|
1488
1493
|
}
|
1489
1494
|
}
|
@@ -4144,7 +4149,8 @@ bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs,
|
|
4144
4149
|
? MakeConstSpan(kSignSignatureAlgorithms)
|
4145
4150
|
: cred->sigalgs;
|
4146
4151
|
for (uint16_t sigalg : sigalgs) {
|
4147
|
-
if (!ssl_pkey_supports_algorithm(ssl, cred->pubkey.get(), sigalg
|
4152
|
+
if (!ssl_pkey_supports_algorithm(ssl, cred->pubkey.get(), sigalg,
|
4153
|
+
/*is_verify=*/false)) {
|
4148
4154
|
continue;
|
4149
4155
|
}
|
4150
4156
|
|
@@ -1169,7 +1169,8 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
|
|
1169
1169
|
return ssl_hs_error;
|
1170
1170
|
}
|
1171
1171
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
1172
|
-
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm
|
1172
|
+
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,
|
1173
|
+
hs->peer_pubkey.get())) {
|
1173
1174
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
1174
1175
|
return ssl_hs_error;
|
1175
1176
|
}
|
@@ -1650,7 +1650,8 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
|
|
1650
1650
|
return ssl_hs_error;
|
1651
1651
|
}
|
1652
1652
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
1653
|
-
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm
|
1653
|
+
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,
|
1654
|
+
hs->peer_pubkey.get())) {
|
1654
1655
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
1655
1656
|
return ssl_hs_error;
|
1656
1657
|
}
|
@@ -1044,26 +1044,21 @@ size_t ssl_seal_align_prefix_len(const SSL *ssl);
|
|
1044
1044
|
bool tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
|
1045
1045
|
uint8_t type, const uint8_t *in, size_t in_len);
|
1046
1046
|
|
1047
|
-
enum dtls1_use_epoch_t {
|
1048
|
-
dtls1_use_previous_epoch,
|
1049
|
-
dtls1_use_current_epoch,
|
1050
|
-
};
|
1051
|
-
|
1052
1047
|
// dtls_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
|
1053
1048
|
// record.
|
1054
|
-
size_t dtls_max_seal_overhead(const SSL *ssl,
|
1049
|
+
size_t dtls_max_seal_overhead(const SSL *ssl, uint16_t epoch);
|
1055
1050
|
|
1056
1051
|
// dtls_seal_prefix_len returns the number of bytes of prefix to reserve in
|
1057
1052
|
// front of the plaintext when sealing a record in-place.
|
1058
|
-
size_t dtls_seal_prefix_len(const SSL *ssl,
|
1053
|
+
size_t dtls_seal_prefix_len(const SSL *ssl, uint16_t epoch);
|
1059
1054
|
|
1060
|
-
// dtls_seal_record implements |tls_seal_record| for DTLS. |
|
1061
|
-
//
|
1062
|
-
//
|
1055
|
+
// dtls_seal_record implements |tls_seal_record| for DTLS. |epoch| selects which
|
1056
|
+
// epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out| may
|
1057
|
+
// alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes
|
1063
1058
|
// ahead of |out|.
|
1064
1059
|
bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
|
1065
1060
|
uint8_t type, const uint8_t *in, size_t in_len,
|
1066
|
-
|
1061
|
+
uint16_t epoch);
|
1067
1062
|
|
1068
1063
|
// ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown
|
1069
1064
|
// state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|,
|
@@ -1094,7 +1089,7 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,
|
|
1094
1089
|
// ssl_pkey_supports_algorithm returns whether |pkey| may be used to sign
|
1095
1090
|
// |sigalg|.
|
1096
1091
|
bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
1097
|
-
uint16_t sigalg);
|
1092
|
+
uint16_t sigalg, bool is_verify);
|
1098
1093
|
|
1099
1094
|
// ssl_public_key_verify verifies that the |signature| is valid for the public
|
1100
1095
|
// key |pkey| and input |in|, using the signature algorithm |sigalg|.
|
@@ -2324,6 +2319,11 @@ bool ssl_is_valid_alpn_list(Span<const uint8_t> in);
|
|
2324
2319
|
bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,
|
2325
2320
|
Span<const uint8_t> protocol);
|
2326
2321
|
|
2322
|
+
// ssl_alpn_list_contains_protocol returns whether |list|, a serialized ALPN
|
2323
|
+
// protocol list, contains |protocol|.
|
2324
|
+
bool ssl_alpn_list_contains_protocol(Span<const uint8_t> list,
|
2325
|
+
Span<const uint8_t> protocol);
|
2326
|
+
|
2327
2327
|
// ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns
|
2328
2328
|
// true on successful negotiation or if nothing was negotiated. It returns false
|
2329
2329
|
// and sets |*out_alert| to an alert on error.
|
@@ -2449,10 +2449,10 @@ bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs,
|
|
2449
2449
|
bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out);
|
2450
2450
|
|
2451
2451
|
// tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer
|
2452
|
-
// signature
|
2452
|
+
// signature from |pkey|. It returns true on success and false on error, setting
|
2453
2453
|
// |*out_alert| to an alert to send.
|
2454
2454
|
bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
2455
|
-
uint16_t sigalg);
|
2455
|
+
uint16_t sigalg, EVP_PKEY *pkey);
|
2456
2456
|
|
2457
2457
|
|
2458
2458
|
// Underdocumented functions.
|
@@ -3374,7 +3374,7 @@ int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake,
|
|
3374
3374
|
// dtls1_write_record sends a record. It returns one on success and <= 0 on
|
3375
3375
|
// error.
|
3376
3376
|
int dtls1_write_record(SSL *ssl, int type, Span<const uint8_t> in,
|
3377
|
-
|
3377
|
+
uint16_t epoch);
|
3378
3378
|
|
3379
3379
|
int dtls1_retransmit_outgoing_messages(SSL *ssl);
|
3380
3380
|
bool dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr,
|
@@ -505,13 +505,9 @@ BSSL_NAMESPACE_END
|
|
505
505
|
|
506
506
|
using namespace bssl;
|
507
507
|
|
508
|
-
int SSL_library_init(void) {
|
509
|
-
CRYPTO_library_init();
|
510
|
-
return 1;
|
511
|
-
}
|
508
|
+
int SSL_library_init(void) { return 1; }
|
512
509
|
|
513
510
|
int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) {
|
514
|
-
CRYPTO_library_init();
|
515
511
|
return 1;
|
516
512
|
}
|
517
513
|
|
@@ -2286,34 +2282,49 @@ int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) {
|
|
2286
2282
|
int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer,
|
2287
2283
|
unsigned peer_len, const uint8_t *supported,
|
2288
2284
|
unsigned supported_len) {
|
2289
|
-
|
2290
|
-
|
2285
|
+
*out = nullptr;
|
2286
|
+
*out_len = 0;
|
2287
|
+
|
2288
|
+
// Both |peer| and |supported| must be valid protocol lists, but |peer| may be
|
2289
|
+
// empty in NPN.
|
2290
|
+
auto peer_span = MakeConstSpan(peer, peer_len);
|
2291
|
+
auto supported_span = MakeConstSpan(supported, supported_len);
|
2292
|
+
if ((!peer_span.empty() && !ssl_is_valid_alpn_list(peer_span)) ||
|
2293
|
+
!ssl_is_valid_alpn_list(supported_span)) {
|
2294
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2295
|
+
}
|
2291
2296
|
|
2292
2297
|
// For each protocol in peer preference order, see if we support it.
|
2293
|
-
|
2294
|
-
|
2295
|
-
|
2296
|
-
|
2297
|
-
|
2298
|
-
|
2299
|
-
|
2300
|
-
|
2301
|
-
|
2302
|
-
|
2303
|
-
|
2298
|
+
CBS cbs = peer_span, proto;
|
2299
|
+
while (CBS_len(&cbs) != 0) {
|
2300
|
+
if (!CBS_get_u8_length_prefixed(&cbs, &proto) || CBS_len(&proto) == 0) {
|
2301
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2302
|
+
}
|
2303
|
+
|
2304
|
+
if (ssl_alpn_list_contains_protocol(MakeConstSpan(supported, supported_len),
|
2305
|
+
proto)) {
|
2306
|
+
// This function is not const-correct for compatibility with existing
|
2307
|
+
// callers.
|
2308
|
+
*out = const_cast<uint8_t *>(CBS_data(&proto));
|
2309
|
+
// A u8 length prefix will fit in |uint8_t|.
|
2310
|
+
*out_len = static_cast<uint8_t>(CBS_len(&proto));
|
2311
|
+
return OPENSSL_NPN_NEGOTIATED;
|
2304
2312
|
}
|
2305
|
-
i += peer[i];
|
2306
|
-
i++;
|
2307
2313
|
}
|
2308
2314
|
|
2309
|
-
// There's no overlap between our protocols and the peer's list.
|
2310
|
-
|
2311
|
-
|
2315
|
+
// There's no overlap between our protocols and the peer's list. In ALPN, the
|
2316
|
+
// caller is expected to fail the connection with no_application_protocol. In
|
2317
|
+
// NPN, the caller is expected to opportunistically select the first protocol.
|
2318
|
+
// See draft-agl-tls-nextprotoneg-04, section 6.
|
2319
|
+
cbs = supported_span;
|
2320
|
+
if (!CBS_get_u8_length_prefixed(&cbs, &proto) || CBS_len(&proto) == 0) {
|
2321
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2322
|
+
}
|
2312
2323
|
|
2313
|
-
|
2314
|
-
*out =
|
2315
|
-
*out_len =
|
2316
|
-
return
|
2324
|
+
// See above.
|
2325
|
+
*out = const_cast<uint8_t *>(CBS_data(&proto));
|
2326
|
+
*out_len = static_cast<uint8_t>(CBS_len(&proto));
|
2327
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2317
2328
|
}
|
2318
2329
|
|
2319
2330
|
void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data,
|