grpc 1.65.1 → 1.65.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Makefile +1 -1
- data/src/core/client_channel/subchannel.cc +10 -7
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +3 -1
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +6 -6
- data/src/core/handshaker/http_connect/http_proxy_mapper.cc +7 -10
- data/src/core/lib/compression/message_compress.cc +3 -3
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +3 -3
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +1 -1
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener_utils.cc +6 -6
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +7 -4
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.cc +3 -1
- data/src/core/lib/event_engine/windows/win_socket.cc +4 -2
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +5 -4
- data/src/core/lib/experiments/config.cc +11 -9
- data/src/core/lib/iomgr/endpoint_pair_windows.cc +4 -4
- data/src/core/lib/iomgr/socket_windows.cc +3 -3
- data/src/core/lib/iomgr/tcp_posix.cc +2 -1
- data/src/core/lib/iomgr/tcp_server_posix.cc +9 -12
- data/src/core/lib/iomgr/tcp_server_windows.cc +2 -2
- data/src/core/lib/promise/party.cc +4 -4
- data/src/core/load_balancing/grpclb/grpclb.cc +14 -15
- data/src/core/util/log.cc +2 -2
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +3 -5
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +7 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_linux.c +4 -1
- data/third_party/boringssl-with-bazel/src/crypto/cpu_intel.c +0 -15
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +7 -61
- data/third_party/boringssl-with-bazel/src/crypto/dilithium/dilithium.c +43 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +21 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +31 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +22 -10
- data/third_party/boringssl-with-bazel/src/crypto/kyber/kyber.c +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +6 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/experimental/dilithium.h +6 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/experimental/kyber.h +10 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +26 -12
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +83 -33
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -8
- data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +4 -4
- data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +14 -13
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +22 -16
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +15 -15
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +1 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +38 -27
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +59 -20
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +2 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +1 -1
- metadata +3 -3
@@ -85,29 +85,61 @@ typedef struct {
|
|
85
85
|
int curve;
|
86
86
|
const EVP_MD *(*digest_func)(void);
|
87
87
|
bool is_rsa_pss;
|
88
|
+
bool tls12_ok;
|
89
|
+
bool tls13_ok;
|
90
|
+
bool client_only;
|
88
91
|
} SSL_SIGNATURE_ALGORITHM;
|
89
92
|
|
90
93
|
static const SSL_SIGNATURE_ALGORITHM kSignatureAlgorithms[] = {
|
94
|
+
// PKCS#1 v1.5 code points are only allowed in TLS 1.2.
|
91
95
|
{SSL_SIGN_RSA_PKCS1_MD5_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_md5_sha1,
|
92
|
-
false
|
93
|
-
|
94
|
-
{
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
{
|
101
|
-
|
102
|
-
|
96
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
97
|
+
/*client_only=*/false},
|
98
|
+
{SSL_SIGN_RSA_PKCS1_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_sha1,
|
99
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
100
|
+
/*client_only=*/false},
|
101
|
+
{SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
|
102
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
103
|
+
/*client_only=*/false},
|
104
|
+
{SSL_SIGN_RSA_PKCS1_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384,
|
105
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
106
|
+
/*client_only=*/false},
|
107
|
+
{SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512,
|
108
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
109
|
+
/*client_only=*/false},
|
110
|
+
|
111
|
+
// Legacy PKCS#1 v1.5 code points are only allowed in TLS 1.3 and
|
112
|
+
// client-only. See draft-ietf-tls-tls13-pkcs1-00.
|
113
|
+
{SSL_SIGN_RSA_PKCS1_SHA256_LEGACY, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
|
114
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/false, /*tls13_ok=*/true,
|
115
|
+
/*client_only=*/true},
|
116
|
+
|
117
|
+
{SSL_SIGN_RSA_PSS_RSAE_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
|
118
|
+
/*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
119
|
+
/*client_only=*/false},
|
120
|
+
{SSL_SIGN_RSA_PSS_RSAE_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384,
|
121
|
+
/*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
122
|
+
/*client_only=*/false},
|
123
|
+
{SSL_SIGN_RSA_PSS_RSAE_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512,
|
124
|
+
/*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
125
|
+
/*client_only=*/false},
|
126
|
+
|
127
|
+
{SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1,
|
128
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,
|
129
|
+
/*client_only=*/false},
|
103
130
|
{SSL_SIGN_ECDSA_SECP256R1_SHA256, EVP_PKEY_EC, NID_X9_62_prime256v1,
|
104
|
-
&EVP_sha256, false
|
131
|
+
&EVP_sha256, /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
132
|
+
/*client_only=*/false},
|
105
133
|
{SSL_SIGN_ECDSA_SECP384R1_SHA384, EVP_PKEY_EC, NID_secp384r1, &EVP_sha384,
|
106
|
-
false
|
134
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
135
|
+
/*client_only=*/false},
|
107
136
|
{SSL_SIGN_ECDSA_SECP521R1_SHA512, EVP_PKEY_EC, NID_secp521r1, &EVP_sha512,
|
108
|
-
false
|
137
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
138
|
+
/*client_only=*/false},
|
109
139
|
|
110
|
-
{SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, nullptr,
|
140
|
+
{SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, nullptr,
|
141
|
+
/*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,
|
142
|
+
/*client_only=*/false},
|
111
143
|
};
|
112
144
|
|
113
145
|
static const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) {
|
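Review bot: The three fields added to `SSL_SIGNATURE_ALGORITHM` at new lines 88-90, `tls12_ok`, `tls13_ok` and `client_only`, carry no comment, so their contract is only recoverable from the table initializers below and from the checks in ssl_pkey_supports_algorithm further down the file. A comment per field would pin it down: `// tls12_ok / tls13_ok: whether the code point may be used in TLS 1.2 (and earlier) and in TLS 1.3, respectively.` and `// client_only: the algorithm may only be used for signatures produced by the client.` The struct's `typedef struct {` line lies before the start of the hunk, and the initializers that follow rely on positional order for four adjacent booleans, which is exactly where a reader will want the field meanings spelled out.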
@@ -120,7 +152,7 @@ static const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) {
|
|
120
152
|
}
|
121
153
|
|
122
154
|
bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
123
|
-
uint16_t sigalg) {
|
155
|
+
uint16_t sigalg, bool is_verify) {
|
124
156
|
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
|
125
157
|
if (alg == NULL || EVP_PKEY_id(pkey) != alg->pkey_type) {
|
126
158
|
return false;
|
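Review bot: The `is_verify` parameter added to `ssl_pkey_supports_algorithm` at new line 155 is undocumented at the definition, and its meaning is not self-evident: later in the function it is compared with `ssl->server` to decide whether the signature under consideration is the client's. A comment on the definition such as `// is_verify is true when |pkey| is the peer's key and |sigalg| is being checked for verifying its signature, false when checking our own signing key.` would make that later check readable; the declaration in ssl/internal.h appears in the file list but is not in view, so the same text presumably belongs there too. The function body continues past the end of this hunk.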
@@ -152,8 +184,12 @@ bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
|
152
184
|
}
|
153
185
|
|
154
186
|
if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
|
155
|
-
|
156
|
-
|
187
|
+
if (!alg->tls13_ok) {
|
188
|
+
return false;
|
189
|
+
}
|
190
|
+
|
191
|
+
bool is_client_sign = ssl->server == is_verify;
|
192
|
+
if (alg->client_only && !is_client_sign) {
|
157
193
|
return false;
|
158
194
|
}
|
159
195
|
|
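Review bot: The `client_only` check at new lines 191-194 is evaluated only inside the `ssl_protocol_version(ssl) >= TLS1_3_VERSION` branch, so on a TLS 1.2 connection a `client_only` algorithm would be accepted for a server signature whenever its `tls12_ok` flag is set. That is harmless today only because the single `client_only` entry in kSignatureAlgorithms, `SSL_SIGN_RSA_PKCS1_SHA256_LEGACY`, also sets `tls12_ok` to false, which couples two table fields without anything enforcing it. Hoisting `bool is_client_sign = ssl->server == is_verify;` and the `if (alg->client_only && !is_client_sign) return false;` above the version branch would make the restriction hold regardless of protocol version; failing that, a comment next to the field should state that `client_only` entries must also clear `tls12_ok`. The derived flag also deserves a one-line explanation, e.g. `// The signer is the client when we are the server verifying, or the client signing.` above `bool is_client_sign = ssl->server == is_verify;`. The function's closing brace is outside the hunk.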
@@ -164,6 +200,8 @@ bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
|
164
200
|
EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey))) != alg->curve)) {
|
165
201
|
return false;
|
166
202
|
}
|
203
|
+
} else if (!alg->tls12_ok) {
|
204
|
+
return false;
|
167
205
|
}
|
168
206
|
|
169
207
|
return true;
|
@@ -171,7 +209,7 @@ bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
|
|
171
209
|
|
172
210
|
static bool setup_ctx(SSL *ssl, EVP_MD_CTX *ctx, EVP_PKEY *pkey,
|
173
211
|
uint16_t sigalg, bool is_verify) {
|
174
|
-
if (!ssl_pkey_supports_algorithm(ssl, pkey, sigalg)) {
|
212
|
+
if (!ssl_pkey_supports_algorithm(ssl, pkey, sigalg, is_verify)) {
|
175
213
|
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
|
176
214
|
return false;
|
177
215
|
}
|
@@ -448,7 +486,7 @@ void SSL_CTX_set_private_key_method(SSL_CTX *ctx,
|
|
448
486
|
ctx->cert->default_credential.get(), key_method));
|
449
487
|
}
|
450
488
|
|
451
|
-
static constexpr size_t kMaxSignatureAlgorithmNameLen =
|
489
|
+
static constexpr size_t kMaxSignatureAlgorithmNameLen = 24;
|
452
490
|
|
453
491
|
struct SignatureAlgorithmName {
|
454
492
|
uint16_t signature_algorithm;
|
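Review bot: `kMaxSignatureAlgorithmNameLen` becomes the bare literal `24` at new line 489, which now has to track the longest entry in `kSignatureAlgorithmNames` by hand; the name added in the next hunk, `"rsa_pkcs1_sha256_legacy"`, is 23 characters plus the terminating NUL, so the value sits exactly at the limit and the next longer name will silently exceed it. The removed expression is cut off in this rendering, so I cannot tell what it previously computed, and the constant's consumer is not in view, but if it sizes a buffer this is the kind of coupling that turns into a truncation or overflow later. A comment tying the two together, `// Longest name in kSignatureAlgorithmNames ("rsa_pkcs1_sha256_legacy") plus the NUL terminator.`, would at least make the coupling visible; `static_assert(sizeof("rsa_pkcs1_sha256_legacy") <= kMaxSignatureAlgorithmNameLen, "name table exceeds kMaxSignatureAlgorithmNameLen");` would enforce it at compile time.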
@@ -461,6 +499,7 @@ static const SignatureAlgorithmName kSignatureAlgorithmNames[] = {
|
|
461
499
|
{SSL_SIGN_RSA_PKCS1_MD5_SHA1, "rsa_pkcs1_md5_sha1"},
|
462
500
|
{SSL_SIGN_RSA_PKCS1_SHA1, "rsa_pkcs1_sha1"},
|
463
501
|
{SSL_SIGN_RSA_PKCS1_SHA256, "rsa_pkcs1_sha256"},
|
502
|
+
{SSL_SIGN_RSA_PKCS1_SHA256_LEGACY, "rsa_pkcs1_sha256_legacy"},
|
464
503
|
{SSL_SIGN_RSA_PKCS1_SHA384, "rsa_pkcs1_sha384"},
|
465
504
|
{SSL_SIGN_RSA_PKCS1_SHA512, "rsa_pkcs1_sha512"},
|
466
505
|
{SSL_SIGN_ECDSA_SHA1, "ecdsa_sha1"},
|
@@ -142,7 +142,7 @@ static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
|
|
142
142
|
uint16_t version) {
|
143
143
|
// Zero is interpreted as the default minimum version.
|
144
144
|
if (version == 0) {
|
145
|
-
*out = method->is_dtls ?
|
145
|
+
*out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;
|
146
146
|
return true;
|
147
147
|
}
|
148
148
|
|
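Review bot: The comment at new line 143, `// Zero is interpreted as the default minimum version.`, no longer tells the reader what that default is, while the line beneath it now hard-codes `DTLS1_2_VERSION : TLS1_2_VERSION`. The removed line is cut off in this rendering, so the previous default is not visible here, but any caller that passes zero will get whatever it was replaced with, which is a behaviour change worth discovering at the definition. Updating the comment to `// Zero is interpreted as the default minimum version, currently TLS 1.2 (DTLS 1.2 for DTLS).` keeps that discoverable. set_min_version's signature begins before the hunk and its body continues after it.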
@@ -335,7 +335,8 @@ bool tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg)
|
|
335
335
|
}
|
336
336
|
|
337
337
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
338
|
-
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm
|
338
|
+
if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,
|
339
|
+
hs->peer_pubkey.get())) {
|
339
340
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
340
341
|
return false;
|
341
342
|
}
|
@@ -606,7 +606,7 @@ using namespace bssl;
|
|
606
606
|
|
607
607
|
size_t SSL_max_seal_overhead(const SSL *ssl) {
|
608
608
|
if (SSL_is_dtls(ssl)) {
|
609
|
-
return dtls_max_seal_overhead(ssl,
|
609
|
+
return dtls_max_seal_overhead(ssl, ssl->d1->w_epoch);
|
610
610
|
}
|
611
611
|
|
612
612
|
size_t ret = SSL3_RT_HEADER_LENGTH;
|
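--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: grpc
 version: !ruby/object:Gem::Version
-version: 1.65.
+version: 1.65.2
 platform: ruby
 authors:
 - gRPC Authors
 autorequire:
 bindir: src/ruby/bin
 cert_chain: []
-date: 2024-07-
+date: 2024-07-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: google-protobuf
@@ -3581,7 +3581,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.5.
+rubygems_version: 3.5.16
 signing_key:
 specification_version: 4
 summary: GRPC system in Ruby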