grpc 1.65.1 → 1.65.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Makefile +1 -1
- data/src/core/client_channel/subchannel.cc +10 -7
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +3 -1
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +6 -6
- data/src/core/handshaker/http_connect/http_proxy_mapper.cc +7 -10
- data/src/core/lib/compression/message_compress.cc +3 -3
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +3 -3
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +1 -1
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener_utils.cc +6 -6
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +7 -4
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.cc +3 -1
- data/src/core/lib/event_engine/windows/win_socket.cc +4 -2
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +5 -4
- data/src/core/lib/experiments/config.cc +11 -9
- data/src/core/lib/iomgr/endpoint_pair_windows.cc +4 -4
- data/src/core/lib/iomgr/socket_windows.cc +3 -3
- data/src/core/lib/iomgr/tcp_posix.cc +2 -1
- data/src/core/lib/iomgr/tcp_server_posix.cc +9 -12
- data/src/core/lib/iomgr/tcp_server_windows.cc +2 -2
- data/src/core/lib/promise/party.cc +4 -4
- data/src/core/load_balancing/grpclb/grpclb.cc +14 -15
- data/src/core/util/log.cc +2 -2
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +3 -5
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +7 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_linux.c +4 -1
- data/third_party/boringssl-with-bazel/src/crypto/cpu_intel.c +0 -15
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +7 -61
- data/third_party/boringssl-with-bazel/src/crypto/dilithium/dilithium.c +43 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +21 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +31 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +22 -10
- data/third_party/boringssl-with-bazel/src/crypto/kyber/kyber.c +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +6 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/experimental/dilithium.h +6 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/experimental/kyber.h +10 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +26 -12
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +83 -33
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -8
- data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +4 -4
- data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +14 -13
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +22 -16
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +15 -15
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +1 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +38 -27
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +59 -20
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +1 -1
- metadata +3 -3
@@ -1205,6 +1205,11 @@ OPENSSL_EXPORT int SSL_set_ocsp_response(SSL *ssl,
|
|
1205
1205
|
#define SSL_SIGN_RSA_PSS_RSAE_SHA512 0x0806
|
1206
1206
|
#define SSL_SIGN_ED25519 0x0807
|
1207
1207
|
|
1208
|
+
// SSL_SIGN_RSA_PKCS1_SHA256_LEGACY is a backport of RSASSA-PKCS1-v1_5 with
|
1209
|
+
// SHA-256 to TLS 1.3. It is disabled by default and only defined for client
|
1210
|
+
// certificates.
|
1211
|
+
#define SSL_SIGN_RSA_PKCS1_SHA256_LEGACY 0x0420
|
1212
|
+
|
1208
1213
|
// SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal signature algorithm used to
|
1209
1214
|
// specify raw RSASSA-PKCS1-v1_5 with an MD5/SHA-1 concatenation, as used in TLS
|
1210
1215
|
// before TLS 1.2.
|
@@ -3115,7 +3120,8 @@ OPENSSL_EXPORT int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos,
|
|
3115
3120
|
|
3116
3121
|
// SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is called
|
3117
3122
|
// during ClientHello processing in order to select an ALPN protocol from the
|
3118
|
-
// client's list of offered protocols.
|
3123
|
+
// client's list of offered protocols. |SSL_select_next_proto| is an optional
|
3124
|
+
// utility function which may be useful in implementing this callback.
|
3119
3125
|
//
|
3120
3126
|
// The callback is passed a wire-format (i.e. a series of non-empty, 8-bit
|
3121
3127
|
// length-prefixed strings) ALPN protocol list in |in|. To select a protocol,
|
@@ -3265,30 +3271,50 @@ OPENSSL_EXPORT int SSL_CTX_add_cert_compression_alg(
|
|
3265
3271
|
// and deprecated in favor of it.
|
3266
3272
|
|
3267
3273
|
// SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
|
3268
|
-
// TLS server needs a list of supported protocols for Next Protocol
|
3269
|
-
//
|
3270
|
-
//
|
3271
|
-
//
|
3272
|
-
//
|
3273
|
-
//
|
3274
|
-
//
|
3275
|
-
//
|
3274
|
+
// TLS server needs a list of supported protocols for Next Protocol Negotiation.
|
3275
|
+
//
|
3276
|
+
// If the callback wishes to advertise NPN to the client, it should return
|
3277
|
+
// |SSL_TLSEXT_ERR_OK| and then set |*out| and |*out_len| to describe to a
|
3278
|
+
// buffer containing a (possibly empty) list of supported protocols in wire
|
3279
|
+
// format. That is, each protocol is prefixed with a 1-byte length, then
|
3280
|
+
// concatenated. From there, the client will select a protocol, possibly one not
|
3281
|
+
// on the server's list. The caller can use |SSL_get0_next_proto_negotiated|
|
3282
|
+
// after the handshake completes to query the final protocol.
|
3283
|
+
//
|
3284
|
+
// The returned buffer must remain valid and unmodified for at least the
|
3285
|
+
// duration of the |SSL| operation (e.g. |SSL_do_handshake|) that triggered the
|
3286
|
+
// callback.
|
3287
|
+
//
|
3288
|
+
// If the caller wishes not to advertise NPN, it should return
|
3289
|
+
// |SSL_TLSEXT_ERR_NOACK|. No NPN extension will be included in the ServerHello,
|
3290
|
+
// and the TLS server will behave as if it does not implement NPN.
|
3276
3291
|
OPENSSL_EXPORT void SSL_CTX_set_next_protos_advertised_cb(
|
3277
3292
|
SSL_CTX *ctx,
|
3278
3293
|
int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg),
|
3279
3294
|
void *arg);
|
3280
3295
|
|
3281
3296
|
// SSL_CTX_set_next_proto_select_cb sets a callback that is called when a client
|
3282
|
-
// needs to select a protocol from the server's provided list
|
3283
|
-
//
|
3284
|
-
//
|
3285
|
-
//
|
3286
|
-
//
|
3287
|
-
//
|
3288
|
-
//
|
3289
|
-
//
|
3290
|
-
//
|
3291
|
-
//
|
3297
|
+
// needs to select a protocol from the server's provided list, passed in wire
|
3298
|
+
// format in |in_len| bytes from |in|. The callback can assume that |in| is
|
3299
|
+
// syntactically valid. |SSL_select_next_proto| is an optional utility function
|
3300
|
+
// which may be useful in implementing this callback.
|
3301
|
+
//
|
3302
|
+
// On success, the callback should return |SSL_TLSEXT_ERR_OK| and set |*out| and
|
3303
|
+
// |*out_len| to describe a buffer containing the selected protocol, or an
|
3304
|
+
// empty buffer to select no protocol. The returned buffer may point within
|
3305
|
+
// |in|, or it may point to some other buffer that remains valid and unmodified
|
3306
|
+
// for at least the duration of the |SSL| operation (e.g. |SSL_do_handshake|)
|
3307
|
+
// that triggered the callback.
|
3308
|
+
//
|
3309
|
+
// Returning any other value indicates a fatal error and will terminate the TLS
|
3310
|
+
// connection. To proceed without selecting a protocol, the callback must return
|
3311
|
+
// |SSL_TLSEXT_ERR_OK| and set |*out| and |*out_len| to an empty buffer. (E.g.
|
3312
|
+
// NULL and zero, respectively.)
|
3313
|
+
//
|
3314
|
+
// Configuring this callback enables NPN on a client. Although the callback can
|
3315
|
+
// then decline to negotiate a protocol, merely configuring the callback causes
|
3316
|
+
// the client to offer NPN in the ClientHello. Callers thus should not configure
|
3317
|
+
// this callback in TLS client contexts that are not intended to use NPN.
|
3292
3318
|
OPENSSL_EXPORT void SSL_CTX_set_next_proto_select_cb(
|
3293
3319
|
SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len,
|
3294
3320
|
const uint8_t *in, unsigned in_len, void *arg),
|
@@ -3296,7 +3322,7 @@ OPENSSL_EXPORT void SSL_CTX_set_next_proto_select_cb(
|
|
3296
3322
|
|
3297
3323
|
// SSL_get0_next_proto_negotiated sets |*out_data| and |*out_len| to point to
|
3298
3324
|
// the client's requested protocol for this connection. If the client didn't
|
3299
|
-
// request any protocol, then |*
|
3325
|
+
// request any protocol, then |*out_len| is set to zero.
|
3300
3326
|
//
|
3301
3327
|
// Note that the client can request any protocol it chooses. The value returned
|
3302
3328
|
// from this function need not be a member of the list of supported protocols
|
@@ -3305,21 +3331,45 @@ OPENSSL_EXPORT void SSL_get0_next_proto_negotiated(const SSL *ssl,
|
|
3305
3331
|
const uint8_t **out_data,
|
3306
3332
|
unsigned *out_len);
|
3307
3333
|
|
3308
|
-
// SSL_select_next_proto implements the standard protocol selection
|
3309
|
-
// expected that this function is called from
|
3334
|
+
// SSL_select_next_proto implements the standard protocol selection for either
|
3335
|
+
// ALPN servers or NPN clients. It is expected that this function is called from
|
3336
|
+
// the callback set by |SSL_CTX_set_alpn_select_cb| or
|
3310
3337
|
// |SSL_CTX_set_next_proto_select_cb|.
|
3311
3338
|
//
|
3312
|
-
// |peer| and |supported|
|
3313
|
-
//
|
3314
|
-
//
|
3315
|
-
//
|
3316
|
-
// non-empty.
|
3317
|
-
//
|
3318
|
-
// This function finds the first protocol in |peer| which is also in
|
3319
|
-
// |supported|. If one was found, it sets |*out| and |*out_len| to point to it
|
3320
|
-
// and returns |OPENSSL_NPN_NEGOTIATED|. Otherwise, it returns
|
3339
|
+
// |peer| and |supported| contain the peer and locally-configured protocols,
|
3340
|
+
// respectively. This function finds the first protocol in |peer| which is also
|
3341
|
+
// in |supported|. If one was found, it sets |*out| and |*out_len| to point to
|
3342
|
+
// it and returns |OPENSSL_NPN_NEGOTIATED|. Otherwise, it returns
|
3321
3343
|
// |OPENSSL_NPN_NO_OVERLAP| and sets |*out| and |*out_len| to the first
|
3322
3344
|
// supported protocol.
|
3345
|
+
//
|
3346
|
+
// In ALPN, the server should only select protocols among those that the client
|
3347
|
+
// offered. Thus, if this function returns |OPENSSL_NPN_NO_OVERLAP|, the caller
|
3348
|
+
// should ignore |*out| and return |SSL_TLSEXT_ERR_ALERT_FATAL| from
|
3349
|
+
// |SSL_CTX_set_alpn_select_cb|'s callback to indicate there was no match.
|
3350
|
+
//
|
3351
|
+
// In NPN, the client may either select one of the server's protocols, or an
|
3352
|
+
// "opportunistic" protocol as described in Section 6 of
|
3353
|
+
// draft-agl-tls-nextprotoneg-03. When this function returns
|
3354
|
+
// |OPENSSL_NPN_NO_OVERLAP|, |*out| implicitly selects the first supported
|
3355
|
+
// protocol for use as the opportunistic protocol. The caller may use it,
|
3356
|
+
// ignore it and select a different opportunistic protocol, or ignore it and
|
3357
|
+
// select no protocol (empty string).
|
3358
|
+
//
|
3359
|
+
// |peer| and |supported| must be vectors of 8-bit, length-prefixed byte
|
3360
|
+
// strings. The length byte itself is not included in the length. A byte string
|
3361
|
+
// of length 0 is invalid. No byte string may be truncated. |supported| must be
|
3362
|
+
// non-empty; a caller that supports no ALPN/NPN protocols should skip
|
3363
|
+
// negotiating the extension, rather than calling this function. If any of these
|
3364
|
+
// preconditions do not hold, this function will return |OPENSSL_NPN_NO_OVERLAP|
|
3365
|
+
// and set |*out| and |*out_len| to an empty buffer for robustness, but callers
|
3366
|
+
// are not recommended to rely on this. An empty buffer is not a valid output
|
3367
|
+
// for |SSL_CTX_set_alpn_select_cb|'s callback.
|
3368
|
+
//
|
3369
|
+
// WARNING: |*out| and |*out_len| may alias either |peer| or |supported| and may
|
3370
|
+
// not be used after one of those buffers is modified or released. Additionally,
|
3371
|
+
// this function is not const-correct for compatibility reasons. Although |*out|
|
3372
|
+
// is a non-const pointer, callers may not modify the buffer though |*out|.
|
3323
3373
|
OPENSSL_EXPORT int SSL_select_next_proto(uint8_t **out, uint8_t *out_len,
|
3324
3374
|
const uint8_t *peer, unsigned peer_len,
|
3325
3375
|
const uint8_t *supported,
|
@@ -4814,7 +4864,7 @@ OPENSSL_EXPORT void SSL_set_check_ecdsa_curve(SSL *ssl, int enable);
|
|
4814
4864
|
|
4815
4865
|
// Deprecated functions.
|
4816
4866
|
|
4817
|
-
// SSL_library_init
|
4867
|
+
// SSL_library_init returns one.
|
4818
4868
|
OPENSSL_EXPORT int SSL_library_init(void);
|
4819
4869
|
|
4820
4870
|
// SSL_CIPHER_description writes a description of |cipher| into |buf| and
|
@@ -5377,7 +5427,7 @@ OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl);
|
|
5377
5427
|
#define OPENSSL_INIT_LOAD_SSL_STRINGS 0
|
5378
5428
|
#define OPENSSL_INIT_SSL_DEFAULT 0
|
5379
5429
|
|
5380
|
-
// OPENSSL_init_ssl
|
5430
|
+
// OPENSSL_init_ssl returns one.
|
5381
5431
|
OPENSSL_EXPORT int OPENSSL_init_ssl(uint64_t opts,
|
5382
5432
|
const OPENSSL_INIT_SETTINGS *settings);
|
5383
5433
|
|
@@ -624,16 +624,14 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
|
|
624
624
|
assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len);
|
625
625
|
assert(msg == &ssl->d1->outgoing_messages[ssl->d1->outgoing_written]);
|
626
626
|
|
627
|
-
|
628
|
-
|
629
|
-
use_epoch = dtls1_use_previous_epoch;
|
630
|
-
} else if (msg->epoch != ssl->d1->w_epoch) {
|
627
|
+
if (msg->epoch != ssl->d1->w_epoch &&
|
628
|
+
(ssl->d1->w_epoch == 0 || msg->epoch != ssl->d1->w_epoch - 1)) {
|
631
629
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
632
630
|
return seal_error;
|
633
631
|
}
|
634
632
|
|
635
|
-
size_t overhead = dtls_max_seal_overhead(ssl,
|
636
|
-
size_t prefix = dtls_seal_prefix_len(ssl,
|
633
|
+
size_t overhead = dtls_max_seal_overhead(ssl, msg->epoch);
|
634
|
+
size_t prefix = dtls_seal_prefix_len(ssl, msg->epoch);
|
637
635
|
|
638
636
|
if (msg->is_ccs) {
|
639
637
|
// Check there is room for the ChangeCipherSpec.
|
@@ -644,7 +642,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
|
|
644
642
|
|
645
643
|
if (!dtls_seal_record(ssl, out, out_len, max_out,
|
646
644
|
SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec,
|
647
|
-
sizeof(kChangeCipherSpec),
|
645
|
+
sizeof(kChangeCipherSpec), msg->epoch)) {
|
648
646
|
return seal_error;
|
649
647
|
}
|
650
648
|
|
@@ -697,7 +695,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
|
|
697
695
|
MakeSpan(frag, frag_len));
|
698
696
|
|
699
697
|
if (!dtls_seal_record(ssl, out, out_len, max_out, SSL3_RT_HANDSHAKE,
|
700
|
-
out + prefix, frag_len,
|
698
|
+
out + prefix, frag_len, msg->epoch)) {
|
701
699
|
return seal_error;
|
702
700
|
}
|
703
701
|
|
@@ -208,7 +208,7 @@ int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake,
|
|
208
208
|
}
|
209
209
|
|
210
210
|
int ret = dtls1_write_record(ssl, SSL3_RT_APPLICATION_DATA, in,
|
211
|
-
|
211
|
+
ssl->d1->w_epoch);
|
212
212
|
if (ret <= 0) {
|
213
213
|
return ret;
|
214
214
|
}
|
@@ -217,7 +217,7 @@ int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake,
|
|
217
217
|
}
|
218
218
|
|
219
219
|
int dtls1_write_record(SSL *ssl, int type, Span<const uint8_t> in,
|
220
|
-
|
220
|
+
uint16_t epoch) {
|
221
221
|
SSLBuffer *buf = &ssl->s3->write_buffer;
|
222
222
|
assert(in.size() <= SSL3_RT_MAX_PLAIN_LENGTH);
|
223
223
|
// There should never be a pending write buffer in DTLS. One can't write half
|
@@ -235,7 +235,7 @@ int dtls1_write_record(SSL *ssl, int type, Span<const uint8_t> in,
|
|
235
235
|
in.size() + SSL_max_seal_overhead(ssl)) ||
|
236
236
|
!dtls_seal_record(ssl, buf->remaining().data(), &ciphertext_len,
|
237
237
|
buf->remaining().size(), type, in.data(), in.size(),
|
238
|
-
|
238
|
+
epoch)) {
|
239
239
|
buf->Clear();
|
240
240
|
return -1;
|
241
241
|
}
|
@@ -250,7 +250,7 @@ int dtls1_write_record(SSL *ssl, int type, Span<const uint8_t> in,
|
|
250
250
|
|
251
251
|
int dtls1_dispatch_alert(SSL *ssl) {
|
252
252
|
int ret = dtls1_write_record(ssl, SSL3_RT_ALERT, ssl->s3->send_alert,
|
253
|
-
|
253
|
+
ssl->d1->w_epoch);
|
254
254
|
if (ret <= 0) {
|
255
255
|
return ret;
|
256
256
|
}
|
@@ -258,29 +258,30 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type,
|
|
258
258
|
}
|
259
259
|
|
260
260
|
static const SSLAEADContext *get_write_aead(const SSL *ssl,
|
261
|
-
|
262
|
-
if (
|
263
|
-
assert(ssl->d1->w_epoch
|
261
|
+
uint16_t epoch) {
|
262
|
+
if (epoch < ssl->d1->w_epoch) {
|
263
|
+
assert(epoch + 1 == ssl->d1->w_epoch);
|
264
264
|
return ssl->d1->last_aead_write_ctx.get();
|
265
265
|
}
|
266
266
|
|
267
|
+
assert(epoch == ssl->d1->w_epoch);
|
267
268
|
return ssl->s3->aead_write_ctx.get();
|
268
269
|
}
|
269
270
|
|
270
271
|
size_t dtls_max_seal_overhead(const SSL *ssl,
|
271
|
-
|
272
|
-
return DTLS1_RT_HEADER_LENGTH + get_write_aead(ssl,
|
272
|
+
uint16_t epoch) {
|
273
|
+
return DTLS1_RT_HEADER_LENGTH + get_write_aead(ssl, epoch)->MaxOverhead();
|
273
274
|
}
|
274
275
|
|
275
|
-
size_t dtls_seal_prefix_len(const SSL *ssl,
|
276
|
+
size_t dtls_seal_prefix_len(const SSL *ssl, uint16_t epoch) {
|
276
277
|
return DTLS1_RT_HEADER_LENGTH +
|
277
|
-
get_write_aead(ssl,
|
278
|
+
get_write_aead(ssl, epoch)->ExplicitNonceLen();
|
278
279
|
}
|
279
280
|
|
280
281
|
bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
|
281
282
|
uint8_t type, const uint8_t *in, size_t in_len,
|
282
|
-
|
283
|
-
const size_t prefix = dtls_seal_prefix_len(ssl,
|
283
|
+
uint16_t epoch) {
|
284
|
+
const size_t prefix = dtls_seal_prefix_len(ssl, epoch);
|
284
285
|
if (buffers_alias(in, in_len, out, max_out) &&
|
285
286
|
(max_out < prefix || out + prefix != in)) {
|
286
287
|
OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
|
@@ -288,14 +289,14 @@ bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
|
|
288
289
|
}
|
289
290
|
|
290
291
|
// Determine the parameters for the current epoch.
|
291
|
-
uint16_t epoch = ssl->d1->w_epoch;
|
292
292
|
SSLAEADContext *aead = ssl->s3->aead_write_ctx.get();
|
293
293
|
uint64_t *seq = &ssl->s3->write_sequence;
|
294
|
-
if (
|
295
|
-
assert(ssl->d1->w_epoch
|
296
|
-
epoch = ssl->d1->w_epoch - 1;
|
294
|
+
if (epoch < ssl->d1->w_epoch) {
|
295
|
+
assert(epoch + 1 == ssl->d1->w_epoch);
|
297
296
|
aead = ssl->d1->last_aead_write_ctx.get();
|
298
297
|
seq = &ssl->d1->last_write_sequence;
|
298
|
+
} else {
|
299
|
+
assert(epoch == ssl->d1->w_epoch);
|
299
300
|
}
|
300
301
|
|
301
302
|
if (max_out < DTLS1_RT_HEADER_LENGTH) {
|
@@ -441,16 +441,18 @@ bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out) {
|
|
441
441
|
}
|
442
442
|
|
443
443
|
bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
444
|
-
uint16_t sigalg) {
|
445
|
-
|
446
|
-
|
447
|
-
|
448
|
-
|
444
|
+
uint16_t sigalg, EVP_PKEY *pkey) {
|
445
|
+
// The peer must have selected an algorithm that is consistent with its public
|
446
|
+
// key, the TLS version, and what we advertised.
|
447
|
+
Span<const uint16_t> sigalgs = tls12_get_verify_sigalgs(hs);
|
448
|
+
if (std::find(sigalgs.begin(), sigalgs.end(), sigalg) == sigalgs.end() ||
|
449
|
+
!ssl_pkey_supports_algorithm(hs->ssl, pkey, sigalg, /*is_verify=*/true)) {
|
450
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
|
451
|
+
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
452
|
+
return false;
|
449
453
|
}
|
450
454
|
|
451
|
-
|
452
|
-
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
453
|
-
return false;
|
455
|
+
return true;
|
454
456
|
}
|
455
457
|
|
456
458
|
// tls_extension represents a TLS extension that is handled internally.
|
@@ -1474,16 +1476,19 @@ bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,
|
|
1474
1476
|
}
|
1475
1477
|
|
1476
1478
|
// Check that the protocol name is one of the ones we advertised.
|
1477
|
-
|
1478
|
-
|
1479
|
-
|
1480
|
-
|
1481
|
-
|
1482
|
-
|
1479
|
+
return ssl_alpn_list_contains_protocol(hs->config->alpn_client_proto_list,
|
1480
|
+
protocol);
|
1481
|
+
}
|
1482
|
+
|
1483
|
+
bool ssl_alpn_list_contains_protocol(Span<const uint8_t> list,
|
1484
|
+
Span<const uint8_t> protocol) {
|
1485
|
+
CBS cbs = list, candidate;
|
1486
|
+
while (CBS_len(&cbs) > 0) {
|
1487
|
+
if (!CBS_get_u8_length_prefixed(&cbs, &candidate)) {
|
1483
1488
|
return false;
|
1484
1489
|
}
|
1485
1490
|
|
1486
|
-
if (
|
1491
|
+
if (candidate == protocol) {
|
1487
1492
|
return true;
|
1488
1493
|
}
|
1489
1494
|
}
|
@@ -4144,7 +4149,8 @@ bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs,
|
|
4144
4149
|
? MakeConstSpan(kSignSignatureAlgorithms)
|
4145
4150
|
: cred->sigalgs;
|
4146
4151
|
for (uint16_t sigalg : sigalgs) {
|
4147
|
-
if (!ssl_pkey_supports_algorithm(ssl, cred->pubkey.get(), sigalg
|
4152
|
+
if (!ssl_pkey_supports_algorithm(ssl, cred->pubkey.get(), sigalg,
|
4153
|
+
/*is_verify=*/false)) {
|
4148
4154
|
continue;
|
4149
4155
|
}
|
4150
4156
|
|
@@ -1169,7 +1169,8 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
|
|
1169
1169
|
return ssl_hs_error;
|
1170
1170
|
}
|
1171
1171
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
1172
|
-
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm
|
1172
|
+
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,
|
1173
|
+
hs->peer_pubkey.get())) {
|
1173
1174
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
1174
1175
|
return ssl_hs_error;
|
1175
1176
|
}
|
@@ -1650,7 +1650,8 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
|
|
1650
1650
|
return ssl_hs_error;
|
1651
1651
|
}
|
1652
1652
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
1653
|
-
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm
|
1653
|
+
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,
|
1654
|
+
hs->peer_pubkey.get())) {
|
1654
1655
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
1655
1656
|
return ssl_hs_error;
|
1656
1657
|
}
|
@@ -1044,26 +1044,21 @@ size_t ssl_seal_align_prefix_len(const SSL *ssl);
|
|
1044
1044
|
bool tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
|
1045
1045
|
uint8_t type, const uint8_t *in, size_t in_len);
|
1046
1046
|
|
1047
|
-
enum dtls1_use_epoch_t {
|
1048
|
-
dtls1_use_previous_epoch,
|
1049
|
-
dtls1_use_current_epoch,
|
1050
|
-
};
|
1051
|
-
|
1052
1047
|
// dtls_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
|
1053
1048
|
// record.
|
1054
|
-
size_t dtls_max_seal_overhead(const SSL *ssl,
|
1049
|
+
size_t dtls_max_seal_overhead(const SSL *ssl, uint16_t epoch);
|
1055
1050
|
|
1056
1051
|
// dtls_seal_prefix_len returns the number of bytes of prefix to reserve in
|
1057
1052
|
// front of the plaintext when sealing a record in-place.
|
1058
|
-
size_t dtls_seal_prefix_len(const SSL *ssl,
|
1053
|
+
size_t dtls_seal_prefix_len(const SSL *ssl, uint16_t epoch);
|
1059
1054
|
|
1060
|
-
// dtls_seal_record implements |tls_seal_record| for DTLS. |
|
1061
|
-
//
|
1062
|
-
//
|
1055
|
+
// dtls_seal_record implements |tls_seal_record| for DTLS. |epoch| selects which
|
1056
|
+
// epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out| may
|
1057
|
+
// alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes
|
1063
1058
|
// ahead of |out|.
|
1064
1059
|
bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
|
1065
1060
|
uint8_t type, const uint8_t *in, size_t in_len,
|
1066
|
-
|
1061
|
+
uint16_t epoch);
|
1067
1062
|
|
1068
1063
|
// ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown
|
1069
1064
|
// state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|,
|
@@ -1094,7 +1089,7 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,
|
|
1094
1089
|
// ssl_pkey_supports_algorithm returns whether |pkey| may be used to sign
|
1095
1090
|
// |sigalg|.
|
1096
1091
|
bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
1097
|
-
uint16_t sigalg);
|
1092
|
+
uint16_t sigalg, bool is_verify);
|
1098
1093
|
|
1099
1094
|
// ssl_public_key_verify verifies that the |signature| is valid for the public
|
1100
1095
|
// key |pkey| and input |in|, using the signature algorithm |sigalg|.
|
@@ -2324,6 +2319,11 @@ bool ssl_is_valid_alpn_list(Span<const uint8_t> in);
|
|
2324
2319
|
bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,
|
2325
2320
|
Span<const uint8_t> protocol);
|
2326
2321
|
|
2322
|
+
// ssl_alpn_list_contains_protocol returns whether |list|, a serialized ALPN
|
2323
|
+
// protocol list, contains |protocol|.
|
2324
|
+
bool ssl_alpn_list_contains_protocol(Span<const uint8_t> list,
|
2325
|
+
Span<const uint8_t> protocol);
|
2326
|
+
|
2327
2327
|
// ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns
|
2328
2328
|
// true on successful negotiation or if nothing was negotiated. It returns false
|
2329
2329
|
// and sets |*out_alert| to an alert on error.
|
@@ -2449,10 +2449,10 @@ bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs,
|
|
2449
2449
|
bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out);
|
2450
2450
|
|
2451
2451
|
// tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer
|
2452
|
-
// signature
|
2452
|
+
// signature from |pkey|. It returns true on success and false on error, setting
|
2453
2453
|
// |*out_alert| to an alert to send.
|
2454
2454
|
bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
2455
|
-
uint16_t sigalg);
|
2455
|
+
uint16_t sigalg, EVP_PKEY *pkey);
|
2456
2456
|
|
2457
2457
|
|
2458
2458
|
// Underdocumented functions.
|
@@ -3374,7 +3374,7 @@ int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake,
|
|
3374
3374
|
// dtls1_write_record sends a record. It returns one on success and <= 0 on
|
3375
3375
|
// error.
|
3376
3376
|
int dtls1_write_record(SSL *ssl, int type, Span<const uint8_t> in,
|
3377
|
-
|
3377
|
+
uint16_t epoch);
|
3378
3378
|
|
3379
3379
|
int dtls1_retransmit_outgoing_messages(SSL *ssl);
|
3380
3380
|
bool dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr,
|
@@ -505,13 +505,9 @@ BSSL_NAMESPACE_END
|
|
505
505
|
|
506
506
|
using namespace bssl;
|
507
507
|
|
508
|
-
int SSL_library_init(void) {
|
509
|
-
CRYPTO_library_init();
|
510
|
-
return 1;
|
511
|
-
}
|
508
|
+
int SSL_library_init(void) { return 1; }
|
512
509
|
|
513
510
|
int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) {
|
514
|
-
CRYPTO_library_init();
|
515
511
|
return 1;
|
516
512
|
}
|
517
513
|
|
@@ -2286,34 +2282,49 @@ int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) {
|
|
2286
2282
|
int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer,
|
2287
2283
|
unsigned peer_len, const uint8_t *supported,
|
2288
2284
|
unsigned supported_len) {
|
2289
|
-
|
2290
|
-
|
2285
|
+
*out = nullptr;
|
2286
|
+
*out_len = 0;
|
2287
|
+
|
2288
|
+
// Both |peer| and |supported| must be valid protocol lists, but |peer| may be
|
2289
|
+
// empty in NPN.
|
2290
|
+
auto peer_span = MakeConstSpan(peer, peer_len);
|
2291
|
+
auto supported_span = MakeConstSpan(supported, supported_len);
|
2292
|
+
if ((!peer_span.empty() && !ssl_is_valid_alpn_list(peer_span)) ||
|
2293
|
+
!ssl_is_valid_alpn_list(supported_span)) {
|
2294
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2295
|
+
}
|
2291
2296
|
|
2292
2297
|
// For each protocol in peer preference order, see if we support it.
|
2293
|
-
|
2294
|
-
|
2295
|
-
|
2296
|
-
|
2297
|
-
|
2298
|
-
|
2299
|
-
|
2300
|
-
|
2301
|
-
|
2302
|
-
|
2303
|
-
|
2298
|
+
CBS cbs = peer_span, proto;
|
2299
|
+
while (CBS_len(&cbs) != 0) {
|
2300
|
+
if (!CBS_get_u8_length_prefixed(&cbs, &proto) || CBS_len(&proto) == 0) {
|
2301
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2302
|
+
}
|
2303
|
+
|
2304
|
+
if (ssl_alpn_list_contains_protocol(MakeConstSpan(supported, supported_len),
|
2305
|
+
proto)) {
|
2306
|
+
// This function is not const-correct for compatibility with existing
|
2307
|
+
// callers.
|
2308
|
+
*out = const_cast<uint8_t *>(CBS_data(&proto));
|
2309
|
+
// A u8 length prefix will fit in |uint8_t|.
|
2310
|
+
*out_len = static_cast<uint8_t>(CBS_len(&proto));
|
2311
|
+
return OPENSSL_NPN_NEGOTIATED;
|
2304
2312
|
}
|
2305
|
-
i += peer[i];
|
2306
|
-
i++;
|
2307
2313
|
}
|
2308
2314
|
|
2309
|
-
// There's no overlap between our protocols and the peer's list.
|
2310
|
-
|
2311
|
-
|
2315
|
+
// There's no overlap between our protocols and the peer's list. In ALPN, the
|
2316
|
+
// caller is expected to fail the connection with no_application_protocol. In
|
2317
|
+
// NPN, the caller is expected to opportunistically select the first protocol.
|
2318
|
+
// See draft-agl-tls-nextprotoneg-04, section 6.
|
2319
|
+
cbs = supported_span;
|
2320
|
+
if (!CBS_get_u8_length_prefixed(&cbs, &proto) || CBS_len(&proto) == 0) {
|
2321
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2322
|
+
}
|
2312
2323
|
|
2313
|
-
|
2314
|
-
*out =
|
2315
|
-
*out_len =
|
2316
|
-
return
|
2324
|
+
// See above.
|
2325
|
+
*out = const_cast<uint8_t *>(CBS_data(&proto));
|
2326
|
+
*out_len = static_cast<uint8_t>(CBS_len(&proto));
|
2327
|
+
return OPENSSL_NPN_NO_OVERLAP;
|
2317
2328
|
}
|
2318
2329
|
|
2319
2330
|
void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data,
|