speedtesting_threads = {};
-void MainWindow::speedtest_current_group(int mode) {
+void MainWindow::speedtest_current_group(int mode, bool test_group) {
+ if (speedtesting) {
+ MessageBoxWarning(software_name, QObject::tr("The last speed test did not exit completely, please wait. If it persists, please restart the program."));
+ return;
+ }
+
auto profiles = get_selected_or_group();
+ if (test_group) profiles = NekoGui::profileManager->CurrentGroup()->ProfilesWithOrder();
if (profiles.isEmpty()) return;
auto group = NekoGui::profileManager->CurrentGroup();
if (group->archive) return;
@@ -75,11 +81,6 @@ void MainWindow::speedtest_current_group(int mode) {
}
#ifndef NKR_NO_GRPC
- if (speedtesting) {
- MessageBoxWarning(software_name, "The last speed test did not exit completely, please wait. If it persists, please restart the program.");
- return;
- }
-
QStringList full_test_flags;
if (mode == libcore::FullTest) {
auto w = new QDialog(this);
diff --git a/openwrt-packages/luci-app-ddns-go/luasrc/controller/ddns-go.lua b/openwrt-packages/luci-app-ddns-go/luasrc/controller/ddns-go.lua
index 152c1ca0dc..9dae766746 100644
--- a/openwrt-packages/luci-app-ddns-go/luasrc/controller/ddns-go.lua
+++ b/openwrt-packages/luci-app-ddns-go/luasrc/controller/ddns-go.lua
@@ -12,8 +12,11 @@ function index()
e.dependent=false
e.acl_depends={ "luci-app-ddns-go" }
entry({"admin", "services", "ddns-go", "setting"}, cbi("ddns-go"), _("Base Setting"), 20).leaf=true
- entry({"admin", "services", "ddns-go", "ddns-go"}, template("ddns-go"), _("DDNS-GO Control panel"), 30).leaf = true
+ entry({"admin", "services", "ddns-go", "ddns-go"}, template("ddns-go/ddns-go"), _("DDNS-GO Control panel"), 30).leaf = true
entry({"admin", "services", "ddnsgo_status"}, call("act_status"))
+ entry({"admin", "services", "ddns-go", "log"}, template("ddns-go/ddns-go_log"), _("Log"), 40).leaf = true
+ entry({"admin", "services", "ddns-go", "fetch_log"}, call("fetch_log"), nil).leaf = true
+ entry({"admin", "services", "ddns-go", "clear_log"}, call("clear_log")).leaf = true
end
function act_status()
@@ -23,3 +26,20 @@ function act_status()
luci.http.prepare_content("application/json")
luci.http.write_json(e)
end
+function fetch_log()
+ local fs = require "nixio.fs"
+ local log_file = "/var/log/ddns-go.log"
+ local log_content = fs.readfile(log_file) or "No Log."
+ luci.http.write(log_content)
+end
+function clear_log()
+ local fs = require "nixio.fs"
+ local log_file = "/var/log/ddns-go.log"
+ local f = io.open(log_file, "w")
+ if f then
+ f:close()
+ luci.http.status(204, "No Content")
+ else
+ luci.http.status(500, "Internal Server Error")
+ end
+end
diff --git a/openwrt-packages/luci-app-ddns-go/luasrc/model/cbi/ddns-go.lua b/openwrt-packages/luci-app-ddns-go/luasrc/model/cbi/ddns-go.lua
index 8c8e29c149..37c417a7b9 100644
--- a/openwrt-packages/luci-app-ddns-go/luasrc/model/cbi/ddns-go.lua
+++ b/openwrt-packages/luci-app-ddns-go/luasrc/model/cbi/ddns-go.lua
@@ -6,7 +6,7 @@ m = Map("ddns-go")
m.title = translate("DDNS-GO")
m.description = translate("DDNS-GO automatically obtains your public IPv4 or IPv6 address and resolves it to the corresponding domain name service.")..translate("For specific usage, see:")..translate("GitHub @sirpdboy/luci-app-ddns-go ")
-m:section(SimpleSection).template = "ddns-go_status"
+m:section(SimpleSection).template = "ddns-go/ddns-go_status"
s = m:section(TypedSection, "basic", translate("Global Settings"))
s.addremove = false
diff --git a/openwrt-packages/luci-app-ddns-go/luasrc/view/ddns-go.htm b/openwrt-packages/luci-app-ddns-go/luasrc/view/ddns-go/ddns-go.htm
similarity index 100%
rename from openwrt-packages/luci-app-ddns-go/luasrc/view/ddns-go.htm
rename to openwrt-packages/luci-app-ddns-go/luasrc/view/ddns-go/ddns-go.htm
diff --git a/openwrt-packages/luci-app-ddns-go/luasrc/view/ddns-go/ddns-go_log.htm b/openwrt-packages/luci-app-ddns-go/luasrc/view/ddns-go/ddns-go_log.htm
new file mode 100644
index 0000000000..62a27e211d
--- /dev/null
+++ b/openwrt-packages/luci-app-ddns-go/luasrc/view/ddns-go/ddns-go_log.htm
@@ -0,0 +1,90 @@
+<%+header%>
+
+
+
+
+
+<%
+local fs = require "nixio.fs"
+local log_file_path = "/var/log/ddns-go.log"
+local raw_log_content = fs.readfile(log_file_path) or "No Log."
+local log_lines = {}
+for line in raw_log_content:gmatch("[^\r\n]+") do
+ table.insert(log_lines, line)
+end
+for i=1, math.floor(#log_lines / 2) do
+ log_lines[i], log_lines[#log_lines - i + 1] = log_lines[#log_lines - i + 1], log_lines[i]
+end
+local log_content = table.concat(log_lines, "\n")
+%>
+<%=log_content%>
+
+ <%+footer%>
+
+
\ No newline at end of file
diff --git a/openwrt-packages/luci-app-ddns-go/luasrc/view/ddns-go_status.htm b/openwrt-packages/luci-app-ddns-go/luasrc/view/ddns-go/ddns-go_status.htm
similarity index 100%
rename from openwrt-packages/luci-app-ddns-go/luasrc/view/ddns-go_status.htm
rename to openwrt-packages/luci-app-ddns-go/luasrc/view/ddns-go/ddns-go_status.htm
diff --git a/openwrt-packages/luci-app-ddns-go/po/zh-cn/ddns-go.po b/openwrt-packages/luci-app-ddns-go/po/zh-cn/ddns-go.po
index b94df01253..74ac3fd3f8 100644
--- a/openwrt-packages/luci-app-ddns-go/po/zh-cn/ddns-go.po
+++ b/openwrt-packages/luci-app-ddns-go/po/zh-cn/ddns-go.po
@@ -16,6 +16,9 @@ msgstr "运行状态"
msgid "DDNS-GO Control panel"
msgstr "DDNS-GO操作台"
+msgid "Log"
+msgstr "日志"
+
msgid "The DDNS-GO service is running."
msgstr "DDNS-GO服务已启动"
diff --git a/openwrt-packages/luci-app-ddns-go/po/zh_Hans/ddns-go.po b/openwrt-packages/luci-app-ddns-go/po/zh_Hans/ddns-go.po
index b94df01253..74ac3fd3f8 100644
--- a/openwrt-packages/luci-app-ddns-go/po/zh_Hans/ddns-go.po
+++ b/openwrt-packages/luci-app-ddns-go/po/zh_Hans/ddns-go.po
@@ -16,6 +16,9 @@ msgstr "运行状态"
msgid "DDNS-GO Control panel"
msgstr "DDNS-GO操作台"
+msgid "Log"
+msgstr "日志"
+
msgid "The DDNS-GO service is running."
msgstr "DDNS-GO服务已启动"
diff --git a/openwrt-passwall/luci-app-passwall/luasrc/passwall/util_xray.lua b/openwrt-passwall/luci-app-passwall/luasrc/passwall/util_xray.lua
index ae54ba0b63..4a2ef63e06 100644
--- a/openwrt-passwall/luci-app-passwall/luasrc/passwall/util_xray.lua
+++ b/openwrt-passwall/luci-app-passwall/luasrc/passwall/util_xray.lua
@@ -885,7 +885,11 @@ function gen_config(var)
local outbound_tag
if outbound then
set_outbound_detour(_node, outbound, outbounds, rule_name)
- table.insert(outbounds, outbound)
+ if rule_name == "default" then
+ table.insert(outbounds, 1, outbound)
+ else
+ table.insert(outbounds, outbound)
+ end
outbound_tag = outbound.tag
end
return outbound_tag, nil
@@ -1022,6 +1026,7 @@ function gen_config(var)
end
end)
+ --[[
if default_outbound_tag or default_balancer_tag then
table.insert(rules, {
type = "field",
@@ -1030,6 +1035,7 @@ function gen_config(var)
network = "tcp,udp"
})
end
+ ]]--
routing = {
domainStrategy = node.domainStrategy or "AsIs",
diff --git a/small/luci-app-passwall/luasrc/passwall/util_xray.lua b/small/luci-app-passwall/luasrc/passwall/util_xray.lua
index fa11fe37f5..4a2ef63e06 100644
--- a/small/luci-app-passwall/luasrc/passwall/util_xray.lua
+++ b/small/luci-app-passwall/luasrc/passwall/util_xray.lua
@@ -885,7 +885,11 @@ function gen_config(var)
local outbound_tag
if outbound then
set_outbound_detour(_node, outbound, outbounds, rule_name)
- table.insert(outbounds, outbound)
+ if rule_name == "default" then
+ table.insert(outbounds, 1, outbound)
+ else
+ table.insert(outbounds, outbound)
+ end
outbound_tag = outbound.tag
end
return outbound_tag, nil
diff --git a/small/mihomo/Makefile b/small/mihomo/Makefile
index f00854ccac..a3e45bc989 100644
--- a/small/mihomo/Makefile
+++ b/small/mihomo/Makefile
@@ -5,9 +5,9 @@ PKG_RELEASE:=1
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/MetaCubeX/mihomo.git
-PKG_SOURCE_DATE:=2024-10-07
-PKG_SOURCE_VERSION:=9fd63fe93803c89243452f9b033625bd22f75282
-PKG_MIRROR_HASH:=a13d8359ed364cd00337c631d3f6a10910a251c2d63990d43c01476c4f938c8d
+PKG_SOURCE_DATE:=2024-10-08
+PKG_SOURCE_VERSION:=08dcef80bf9a528d36cf8d516cc251f6449f9336
+PKG_MIRROR_HASH:=803fd00529f3bb01617cc6349343858f73b2c6b4d533e8d76434941af7908395
PKG_LICENSE:=MIT
PKG_MAINTAINER:=Joseph Mory
@@ -16,7 +16,7 @@ PKG_BUILD_DEPENDS:=golang/host
PKG_BUILD_PARALLEL:=1
PKG_BUILD_FLAGS:=no-mips16
-PKG_BUILD_VERSION:=alpha-9fd63fe
+PKG_BUILD_VERSION:=alpha-08dcef8
PKG_BUILD_TIME:=$(shell date -u -Iseconds)
GO_PKG:=github.com/metacubex/mihomo
diff --git a/small/v2ray-geodata/Makefile b/small/v2ray-geodata/Makefile
index e9f583a922..1dffd24b4f 100644
--- a/small/v2ray-geodata/Makefile
+++ b/small/v2ray-geodata/Makefile
@@ -12,13 +12,13 @@ PKG_MAINTAINER:=Tianling Shen
include $(INCLUDE_DIR)/package.mk
-GEOIP_VER:=202410030052
+GEOIP_VER:=202410090012
GEOIP_FILE:=geoip.dat.$(GEOIP_VER)
define Download/geoip
URL:=https://github.com/v2fly/geoip/releases/download/$(GEOIP_VER)/
URL_FILE:=geoip.dat
FILE:=$(GEOIP_FILE)
- HASH:=061c2116e650932c8058b663c14cd03be2241c6048bba6a2765ee1ea38481bff
+ HASH:=384c0143e551dae3022b78d9e42e7d3c9c9df428710467598c258312333c88ff
endef
GEOSITE_VER:=20241007202930
diff --git a/v2rayn/v2rayN/v2rayUpgrade/v2rayUpgrade.csproj b/v2rayn/v2rayN/AmazTool/AmazTool.csproj
similarity index 100%
rename from v2rayn/v2rayN/v2rayUpgrade/v2rayUpgrade.csproj
rename to v2rayn/v2rayN/AmazTool/AmazTool.csproj
diff --git a/v2rayn/v2rayN/v2rayUpgrade/Program.cs b/v2rayn/v2rayN/AmazTool/Program.cs
similarity index 88%
rename from v2rayn/v2rayN/v2rayUpgrade/Program.cs
rename to v2rayn/v2rayN/AmazTool/Program.cs
index 8b9dfe4cbe..3f61464ba1 100644
--- a/v2rayn/v2rayN/v2rayUpgrade/Program.cs
+++ b/v2rayn/v2rayN/AmazTool/Program.cs
@@ -1,4 +1,4 @@
-namespace v2rayUpgrade
+namespace AmazTool
{
internal static class Program
{
@@ -16,7 +16,7 @@
}
var fileName = Uri.UnescapeDataString(string.Join(" ", args));
- Upgrade.UpgradeApp(fileName);
+ UpgradeApp.Upgrade(fileName);
}
}
}
\ No newline at end of file
diff --git a/v2rayn/v2rayN/v2rayUpgrade/Upgrade.cs b/v2rayn/v2rayN/AmazTool/UpgradeApp.cs
similarity index 95%
rename from v2rayn/v2rayN/v2rayUpgrade/Upgrade.cs
rename to v2rayn/v2rayN/AmazTool/UpgradeApp.cs
index ef627f1044..c5189a3310 100644
--- a/v2rayn/v2rayN/v2rayUpgrade/Upgrade.cs
+++ b/v2rayn/v2rayN/AmazTool/UpgradeApp.cs
@@ -3,11 +3,11 @@ using System.IO.Compression;
using System.Runtime.InteropServices;
using System.Text;
-namespace v2rayUpgrade
+namespace AmazTool
{
- internal class Upgrade
+ internal class UpgradeApp
{
- public static void UpgradeApp(string fileName)
+ public static void Upgrade(string fileName)
{
Console.WriteLine(fileName);
Console.WriteLine("In progress, please wait...(正在进行中,请等待)");
@@ -105,7 +105,7 @@ namespace v2rayUpgrade
private static string GetExePath()
{
- return Environment.ProcessPath ?? string.Empty;
+ return Environment.ProcessPath ?? Process.GetCurrentProcess().MainModule?.FileName ?? string.Empty;
}
private static string StartupPath()
diff --git a/v2rayn/v2rayN/ServiceLib/Common/Utils.cs b/v2rayn/v2rayN/ServiceLib/Common/Utils.cs
index 3414a0e08b..d3dc3f6998 100644
--- a/v2rayn/v2rayN/ServiceLib/Common/Utils.cs
+++ b/v2rayn/v2rayN/ServiceLib/Common/Utils.cs
@@ -750,7 +750,7 @@ namespace ServiceLib.Common
///
public static string GetExePath()
{
- return Environment.ProcessPath ?? string.Empty;
+ return Environment.ProcessPath ?? Process.GetCurrentProcess().MainModule?.FileName ?? string.Empty;
}
public static string StartupPath()
diff --git a/v2rayn/v2rayN/ServiceLib/ViewModels/BackupAndRestoreViewModel.cs b/v2rayn/v2rayN/ServiceLib/ViewModels/BackupAndRestoreViewModel.cs
index defeb603bf..09569c40f9 100644
--- a/v2rayn/v2rayN/ServiceLib/ViewModels/BackupAndRestoreViewModel.cs
+++ b/v2rayn/v2rayN/ServiceLib/ViewModels/BackupAndRestoreViewModel.cs
@@ -137,7 +137,7 @@ namespace ServiceLib.ViewModels
var result = await CreateZipFileFromDirectory(fileBackup);
if (result)
{
- Locator.Current.GetService()?.V2rayUpgrade(fileName);
+ Locator.Current.GetService()?.UpgradeApp(fileName);
}
else
{
diff --git a/v2rayn/v2rayN/ServiceLib/ViewModels/CheckUpdateViewModel.cs b/v2rayn/v2rayN/ServiceLib/ViewModels/CheckUpdateViewModel.cs
index 4fc51b1ec1..f7800ad802 100644
--- a/v2rayn/v2rayN/ServiceLib/ViewModels/CheckUpdateViewModel.cs
+++ b/v2rayn/v2rayN/ServiceLib/ViewModels/CheckUpdateViewModel.cs
@@ -235,7 +235,7 @@ namespace ServiceLib.ViewModels
{
return;
}
- Locator.Current.GetService()?.V2rayUpgrade(fileName);
+ Locator.Current.GetService()?.UpgradeApp(fileName);
}
catch (Exception ex)
{
diff --git a/v2rayn/v2rayN/ServiceLib/ViewModels/MainWindowViewModel.cs b/v2rayn/v2rayN/ServiceLib/ViewModels/MainWindowViewModel.cs
index 63d473411d..91e830ede3 100644
--- a/v2rayn/v2rayN/ServiceLib/ViewModels/MainWindowViewModel.cs
+++ b/v2rayn/v2rayN/ServiceLib/ViewModels/MainWindowViewModel.cs
@@ -437,13 +437,13 @@ namespace ServiceLib.ViewModels
}
}
- public async Task V2rayUpgrade(string fileName)
+ public async Task UpgradeApp(string fileName)
{
Process process = new()
{
StartInfo = new ProcessStartInfo
{
- FileName = "v2rayUpgrade",
+ FileName = "AmazTool",
Arguments = fileName.AppendQuotes(),
WorkingDirectory = Utils.StartupPath()
}
diff --git a/v2rayn/v2rayN/build.ps1 b/v2rayn/v2rayN/build.ps1
index b82d1d17e6..dd94598a60 100644
--- a/v2rayn/v2rayN/build.ps1
+++ b/v2rayn/v2rayN/build.ps1
@@ -11,15 +11,15 @@ dotnet publish `
.\v2rayN\v2rayN.csproj `
-c Release `
--self-contained false `
- -p:PublishReadyToRun=true `
+ -p:PublishReadyToRun=false `
-p:PublishSingleFile=true `
-o $OutputPath
dotnet publish `
- .\v2rayUpgrade\v2rayUpgrade.csproj `
+ .\AmazTool\AmazTool.csproj `
-c Release `
--self-contained false `
- -p:PublishReadyToRun=true `
+ -p:PublishReadyToRun=false `
-p:PublishSingleFile=true `
-o $OutputPath
diff --git a/v2rayn/v2rayN/v2rayN.sln b/v2rayn/v2rayN/v2rayN.sln
index 47689a4056..f898d47e5e 100644
--- a/v2rayn/v2rayN/v2rayN.sln
+++ b/v2rayn/v2rayN/v2rayN.sln
@@ -13,7 +13,7 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "ServiceLib", "ServiceLib\Se
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "v2rayN.Desktop", "v2rayN.Desktop\v2rayN.Desktop.csproj", "{5D16541A-F971-4C17-9315-BB8955E3F984}"
EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "v2rayUpgrade", "v2rayUpgrade\v2rayUpgrade.csproj", "{47D68B1C-601C-4C69-873B-FFF0DC13EC97}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AmazTool", "AmazTool\AmazTool.csproj", "{47D68B1C-601C-4C69-873B-FFF0DC13EC97}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
diff --git a/v2rayng/V2rayNG/app/build.gradle.kts b/v2rayng/V2rayNG/app/build.gradle.kts
index 295a38c793..84fbd1a34e 100644
--- a/v2rayng/V2rayNG/app/build.gradle.kts
+++ b/v2rayng/V2rayNG/app/build.gradle.kts
@@ -11,8 +11,8 @@ android {
applicationId = "com.v2ray.ang"
minSdk = 21
targetSdk = 34
- versionCode = 600
- versionName = "1.9.6"
+ versionCode = 601
+ versionName = "1.9.7"
multiDexEnabled = true
splits {
abi {
diff --git a/xray-core/go.mod b/xray-core/go.mod
index 8f99995d5e..7f3cba9f4b 100644
--- a/xray-core/go.mod
+++ b/xray-core/go.mod
@@ -11,7 +11,7 @@ require (
github.com/gorilla/websocket v1.5.3
github.com/miekg/dns v1.1.62
github.com/pelletier/go-toml v1.9.5
- github.com/pires/go-proxyproto v0.7.0
+ github.com/pires/go-proxyproto v0.8.0
github.com/quic-go/quic-go v0.46.0
github.com/refraction-networking/utls v1.6.7
github.com/sagernet/sing v0.4.3
@@ -22,13 +22,13 @@ require (
github.com/vishvananda/netlink v1.3.0
github.com/xtls/reality v0.0.0-20240712055506-48f0b2d5ed6d
go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
- golang.org/x/crypto v0.27.0
- golang.org/x/net v0.29.0
+ golang.org/x/crypto v0.28.0
+ golang.org/x/net v0.30.0
golang.org/x/sync v0.8.0
- golang.org/x/sys v0.25.0
+ golang.org/x/sys v0.26.0
golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
google.golang.org/grpc v1.67.1
- google.golang.org/protobuf v1.34.2
+ google.golang.org/protobuf v1.35.1
gvisor.dev/gvisor v0.0.0-20231202080848-1f7806d17489
h12.io/socks v1.0.3
lukechampine.com/blake3 v1.3.0
@@ -51,7 +51,7 @@ require (
go.uber.org/mock v0.4.0 // indirect
golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc // indirect
golang.org/x/mod v0.18.0 // indirect
- golang.org/x/text v0.18.0 // indirect
+ golang.org/x/text v0.19.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/tools v0.22.0 // indirect
golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
diff --git a/xray-core/go.sum b/xray-core/go.sum
index 6803cbde68..8fa32abd62 100644
--- a/xray-core/go.sum
+++ b/xray-core/go.sum
@@ -42,8 +42,8 @@ github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3v
github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2 h1:JhzVVoYvbOACxoUmOs6V/G4D5nPVUW73rKvXxP4XUJc=
github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
-github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs=
-github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4=
+github.com/pires/go-proxyproto v0.8.0 h1:5unRmEAPbHXHuLjDg01CxJWf91cw3lKHc/0xzKpXEe0=
+github.com/pires/go-proxyproto v0.8.0/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
@@ -79,8 +79,8 @@ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBs
go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
+golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc h1:O9NuF4s+E/PvMIy+9IUZB9znFwUIXEWSstNjek6VpVg=
golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
@@ -89,8 +89,8 @@ golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
+golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
@@ -103,14 +103,14 @@ golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
+golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -129,8 +129,8 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:
google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
+google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/yass/.github/workflows/releases-rpm.yml b/yass/.github/workflows/releases-rpm.yml
index f0471e7693..797569c014 100644
--- a/yass/.github/workflows/releases-rpm.yml
+++ b/yass/.github/workflows/releases-rpm.yml
@@ -48,9 +48,13 @@ jobs:
- 'fedora39'
- 'alpine320'
- 'i386-alpine320'
+ - 'armhf-alpine320'
+ - 'aarch64-alpine320'
- 'opensuse15'
runs-on: ubuntu-22.04
steps:
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
- uses: actions/checkout@v4
- name: Cache docker files (dummy)
id: docker-cache
@@ -190,6 +194,10 @@ jobs:
arch: amd64
- container: 'i386-alpine320'
arch: i386
+ - container: 'aarch64-alpine320'
+ arch: aarch64
+ - container: 'armhf-alpine320'
+ arch: armhf
runs-on: ubuntu-20.04
needs: docker_publish
steps:
@@ -217,11 +225,30 @@ jobs:
cache-dependency-path: |
tools/go.sum
third_party/boringssl/src/go.sum
+ - name: Cache qemu-user
+ id: qemu-user-cache
+ uses: actions/cache@v4
+ with:
+ path: |
+ qemu-user*.deb
+ key: ${{ runner.os }}-qemu-9.1.0-ds-8
+ - name: "Install dependency: qemu user cache"
+ if: ${{ steps.qemu-user-cache.outputs.cache-hit != 'true' }}
+ run: |
+ wget http://ftp.us.debian.org/debian/pool/main/q/qemu/qemu-user_9.1.0+ds-8_amd64.deb
+ - name: Populate depedencies
+ run: |
+ sudo apt-get update -qq
+ sudo apt-get install -y cmake ninja-build pkgconf gettext bubblewrap
+ # libc6-i386 interferes with x86 build
+ sudo apt remove libc6-i386
+
+ sudo dpkg -i qemu-user_*.deb
- name: Populate sysroot from docker image
run: |
docker pull ghcr.io/chilledheart/${{ matrix.container }}
mkdir -p "${{ env.SDK_ROOT }}"
- docker export $(docker create ghcr.io/chilledheart/${{ matrix.container }}) | tar -C "${{ env.SDK_ROOT }}" -xf -
+ docker export $(docker create --platform ${{ matrix.arch }} ghcr.io/chilledheart/${{ matrix.container }}) | tar -C "${{ env.SDK_ROOT }}" -xf -
- name: Build build tool
run: |
cd tools
@@ -252,7 +279,8 @@ jobs:
./tools/build --variant cli --arch ${{ matrix.arch }} --system linux --subsystem musl --sysroot "${{ env.SDK_ROOT }}" -build-test --cmake-build-type MinSizeRel -use-static-build -nc
./tools/build --variant server --arch ${{ matrix.arch }} --system linux --subsystem musl --sysroot "${{ env.SDK_ROOT }}" -build-test --cmake-build-type MinSizeRel -use-static-build -nc
./tools/build --variant gui --arch ${{ matrix.arch }} --system linux --subsystem musl --sysroot "${{ env.SDK_ROOT }}" -build-test --cmake-build-type MinSizeRel -nc
- - name: Run tests
+ - name: Run tests (i386 and amd64)
+ if: ${{ matrix.arch == 'i386' || matrix.arch == 'amd64' }}
run: |
bwrap --die-with-parent --bind "$SDK_ROOT" / \
--ro-bind /sys /sys \
@@ -261,6 +289,16 @@ jobs:
--unshare-all --share-net \
--bind $PWD/build-linux-musl-${{ matrix.arch }} /tmp \
/tmp/yass_test
+ - name: Run tests (non x86, under qemu emulation)
+ if: ${{ matrix.arch != 'i386' && matrix.arch != 'amd64' }}
+ run: |
+ # copy required resolv.conf from host
+ cp -fv /etc/resolv.conf "$SDK_ROOT/etc/resolv.conf"
+ # TMPDIR is required by leveldb unittests
+ qemu-${{ matrix.arch }} -L $SDK_ROOT \
+ -E TMPDIR=$PWD/build-linux-musl-${{ matrix.arch }} \
+ $PWD/build-linux-musl-${{ matrix.arch }}/yass_test \
+ --no_exec_proc_tests
- name: Upload dist tarball (including debuginfo)
if: ${{ github.event_name == 'release' }}
env:
diff --git a/yass/.gitignore b/yass/.gitignore
index ad5cfbcb9b..bc10831bf3 100644
--- a/yass/.gitignore
+++ b/yass/.gitignore
@@ -83,6 +83,5 @@ local.properties
*.ipa
/rustc-*-src
/third_party/rust-ohos
-/i386-alpine320-sysroot
-/amd64-alpine320-sysroot
+/*-alpine320-sysroot
*.flatpak
diff --git a/yass/README.md b/yass/README.md
index fd07e29f3a..59afdf3bde 100644
--- a/yass/README.md
+++ b/yass/README.md
@@ -13,7 +13,7 @@ yass is an efficient forward proxy client supporting http/socks4/socks4a/socks5/
Because we are reusing chromium's network stack directly,
we are following [chromium's release schedule](https://chromiumdash.appspot.com/schedule) and delivering new versions based on its beta branch.
-- [Latest M130's Release (1.14.x)](https://github.com/Chilledheart/yass/releases/tag/1.14.2) will become Stable Release since _Oct 15, 2024_ (Extended Support).
+- [Latest M130's Release (1.14.x)](https://github.com/Chilledheart/yass/releases/tag/1.14.3) will become Stable Release since _Oct 15, 2024_ (Extended Support).
- [Latest M129's Release (1.13.x)](https://github.com/Chilledheart/yass/releases/tag/1.13.3) has become Stable Release since _Sep 17, 2024_.
- [Latest M128's Release (1.12.x)](https://github.com/Chilledheart/yass/releases/tag/1.12.5) has become Stable Release since _Aug 20, 2024_ (Extended Support).
- [Latest M127's Release (1.11.x)](https://github.com/Chilledheart/yass/releases/tag/1.11.5) has become Stable Release since _Jul 23, 2024_
@@ -165,37 +165,37 @@ See [ChatGPT capable caddy Server](https://github.com/Chilledheart/yass/wiki/Usa
[bugs]: https://github.com/Chilledheart/yass/issues/new?assignees=&labels=bug&projects=&template=bug_report.md&title=
[frs]: https://github.com/Chilledheart/yass/issues/new?assignees=&labels=feature&projects=&template=feature_request.md&title=
-[gtk3_rpm_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-gtk3.el8.x86_64.1.14.2.rpm
-[gtk3_deb_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-gtk3-ubuntu-16.04-xenial_amd64.1.14.2.deb
-[qt5_rpm_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-qt5.el8.x86_64.1.14.2.rpm
-[qt5_deb_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-qt5-ubuntu-16.04-xenial_amd64.1.14.2.deb
-[gtk4_rpm_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-gtk4.lp155.x86_64.1.14.2.rpm
-[gtk4_deb_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-gtk4-ubuntu-22.04-jammy_amd64.1.14.2.deb
-[qt6_rpm_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-qt6.lp155.x86_64.1.14.2.rpm
-[qt6_deb_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-qt6-ubuntu-22.04-jammy_amd64.1.14.2.deb
+[gtk3_rpm_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-gtk3.el8.x86_64.1.14.3.rpm
+[gtk3_deb_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-gtk3-ubuntu-16.04-xenial_amd64.1.14.3.deb
+[qt5_rpm_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-qt5.el8.x86_64.1.14.3.rpm
+[qt5_deb_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-qt5-ubuntu-16.04-xenial_amd64.1.14.3.deb
+[gtk4_rpm_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-gtk4.lp155.x86_64.1.14.3.rpm
+[gtk4_deb_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-gtk4-ubuntu-22.04-jammy_amd64.1.14.3.deb
+[qt6_rpm_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-qt6.lp155.x86_64.1.14.3.rpm
+[qt6_deb_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-qt6-ubuntu-22.04-jammy_amd64.1.14.3.deb
-[qt6_flatpak_x86_64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-x86_64-1.14.2.flatpak
+[qt6_flatpak_x86_64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-x86_64-1.14.3.flatpak
-[cli_tgz_amd64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass_cli-linux-release-amd64-1.14.2.tgz
-[cli_tgz_i386_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass_cli-linux-release-amd64-1.14.2.tgz
-[cli_tgz_arm64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass_cli-linux-release-arm64-1.14.2.tgz
-[cli_tgz_loongarch64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass_cli-linux-release-loongarch64-1.14.2.tgz
-[cli_tgz_riscv64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass_cli-linux-release-riscv64-1.14.2.tgz
-[cli_tgz_riscv32_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass_cli-linux-release-riscv32-1.14.2.tgz
+[cli_tgz_amd64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass_cli-linux-release-amd64-1.14.3.tgz
+[cli_tgz_i386_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass_cli-linux-release-amd64-1.14.3.tgz
+[cli_tgz_arm64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass_cli-linux-release-arm64-1.14.3.tgz
+[cli_tgz_loongarch64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass_cli-linux-release-loongarch64-1.14.3.tgz
+[cli_tgz_riscv64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass_cli-linux-release-riscv64-1.14.3.tgz
+[cli_tgz_riscv32_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass_cli-linux-release-riscv32-1.14.3.tgz
-[cli_openwrt_amd64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass_cli-linux-openwrt-release-x86_64-1.14.2.tgz
-[cli_openwrt_i486_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass_cli-linux-openwrt-release-i486-1.14.2.tgz
-[cli_openwrt_aarch64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass_cli-linux-openwrt-release-aarch64-1.14.2.tgz
+[cli_openwrt_amd64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass_cli-linux-openwrt-release-x86_64-1.14.3.tgz
+[cli_openwrt_i486_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass_cli-linux-openwrt-release-i486-1.14.3.tgz
+[cli_openwrt_aarch64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass_cli-linux-openwrt-release-aarch64-1.14.3.tgz
-[cli_musl_amd64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass_cli-linux-musl-release-amd64-1.14.2.tgz
-[cli_musl_i386_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass_cli-linux-musl-release-i386-1.14.2.tgz
+[cli_musl_amd64_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass_cli-linux-musl-release-amd64-1.14.3.tgz
+[cli_musl_i386_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass_cli-linux-musl-release-i386-1.14.3.tgz
-[android_64_apk_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-android-release-arm64-1.14.2.apk
-[android_32_apk_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-android-release-arm-1.14.2.apk
+[android_64_apk_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-android-release-arm64-1.14.3.apk
+[android_32_apk_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-android-release-arm-1.14.3.apk
-[windows_64_installer_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-mingw-win7-release-x86_64-1.14.2-system-installer.exe
-[windows_32_installer_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-mingw-winxp-release-i686-1.14.2-system-installer.exe
+[windows_64_installer_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-mingw-win7-release-x86_64-1.14.3-system-installer.exe
+[windows_32_installer_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-mingw-winxp-release-i686-1.14.3-system-installer.exe
-[windows_arm64_installer_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-mingw-release-aarch64-1.14.2-system-installer.exe
-[macos_intel_dmg_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-macos-release-x64-1.14.2.dmg
-[macos_arm_dmg_url]: https://github.com/Chilledheart/yass/releases/download/1.14.2/yass-macos-release-arm64-1.14.2.dmg
+[windows_arm64_installer_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-mingw-release-aarch64-1.14.3-system-installer.exe
+[macos_intel_dmg_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-macos-release-x64-1.14.3.dmg
+[macos_arm_dmg_url]: https://github.com/Chilledheart/yass/releases/download/1.14.3/yass-macos-release-arm64-1.14.3.dmg
diff --git a/yass/docker/aarch64-alpine320.Dockerfile b/yass/docker/aarch64-alpine320.Dockerfile
new file mode 100644
index 0000000000..1b76acf71d
--- /dev/null
+++ b/yass/docker/aarch64-alpine320.Dockerfile
@@ -0,0 +1,2 @@
+FROM arm64v8/alpine:3.20
+RUN apk add --no-cache bash tar build-base linux-headers curl-dev gtk+3.0-dev
diff --git a/yass/docker/armhf-alpine320.Dockerfile b/yass/docker/armhf-alpine320.Dockerfile
new file mode 100644
index 0000000000..ebefe16213
--- /dev/null
+++ b/yass/docker/armhf-alpine320.Dockerfile
@@ -0,0 +1,2 @@
+FROM arm32v7/alpine:3.20
+RUN apk add --no-cache bash tar build-base linux-headers curl-dev gtk+3.0-dev
diff --git a/yass/src/qt6/lang/yass_zh_CN.qm b/yass/src/qt6/lang/yass_zh_CN.qm
index 2290b085c5..ced19e3c0d 100644
Binary files a/yass/src/qt6/lang/yass_zh_CN.qm and b/yass/src/qt6/lang/yass_zh_CN.qm differ
diff --git a/yass/third_party/boringssl/src/BUILDING.md b/yass/third_party/boringssl/src/BUILDING.md
index d78d28391c..8b6203b28d 100644
--- a/yass/third_party/boringssl/src/BUILDING.md
+++ b/yass/third_party/boringssl/src/BUILDING.md
@@ -26,7 +26,7 @@ most recent stable version of each tool.
`CMAKE_ASM_NASM_COMPILER`.
* Compilers for C11 and C++14, or later, are required. On Windows, MSVC from
- Visual Studio 2019 or later with Windows 10 SDK 2104 or later are
+ Visual Studio 2022 or later with Windows 10 SDK 2104 or later are
supported, but using the latest versions is recommended. Recent versions of
GCC (6.1+) and Clang should work on non-Windows platforms, and maybe on
Windows too.
diff --git a/yass/third_party/boringssl/src/ssl/d1_both.cc b/yass/third_party/boringssl/src/ssl/d1_both.cc
index ac47189dfb..016e3a2495 100644
--- a/yass/third_party/boringssl/src/ssl/d1_both.cc
+++ b/yass/third_party/boringssl/src/ssl/d1_both.cc
@@ -483,13 +483,8 @@ ssl_open_record_t dtls1_open_change_cipher_spec(SSL *ssl, size_t *out_consumed,
// Sending handshake messages.
-void DTLS_OUTGOING_MESSAGE::Clear() { data.Reset(); }
-
void dtls_clear_outgoing_messages(SSL *ssl) {
- for (size_t i = 0; i < ssl->d1->outgoing_messages_len; i++) {
- ssl->d1->outgoing_messages[i].Clear();
- }
- ssl->d1->outgoing_messages_len = 0;
+ ssl->d1->outgoing_messages.clear();
ssl->d1->outgoing_written = 0;
ssl->d1->outgoing_offset = 0;
ssl->d1->outgoing_messages_complete = false;
@@ -524,20 +519,6 @@ bool dtls1_finish_message(const SSL *ssl, CBB *cbb, Array *out_msg) {
return true;
}
-// ssl_size_t_greater_than_32_bits returns whether |v| exceeds the bounds of a
-// 32-bit value. The obvious thing doesn't work because, in some 32-bit build
-// configurations, the compiler warns that the test is always false and breaks
-// the build.
-static bool ssl_size_t_greater_than_32_bits(size_t v) {
-#if defined(OPENSSL_64_BIT)
- return v > 0xffffffff;
-#elif defined(OPENSSL_32_BIT)
- return false;
-#else
-#error "Building for neither 32- nor 64-bits."
-#endif
-}
-
// add_outgoing adds a new handshake message or ChangeCipherSpec to the current
// outgoing flight. It returns true on success and false on error.
static bool add_outgoing(SSL *ssl, bool is_ccs, Array data) {
@@ -548,16 +529,6 @@ static bool add_outgoing(SSL *ssl, bool is_ccs, Array data) {
dtls_clear_outgoing_messages(ssl);
}
- static_assert(SSL_MAX_HANDSHAKE_FLIGHT <
- (1 << 8 * sizeof(ssl->d1->outgoing_messages_len)),
- "outgoing_messages_len is too small");
- if (ssl->d1->outgoing_messages_len >= SSL_MAX_HANDSHAKE_FLIGHT ||
- ssl_size_t_greater_than_32_bits(data.size())) {
- assert(false);
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return false;
- }
-
if (!is_ccs) {
// TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript
// on hs.
@@ -569,13 +540,16 @@ static bool add_outgoing(SSL *ssl, bool is_ccs, Array data) {
ssl->d1->handshake_write_seq++;
}
- DTLS_OUTGOING_MESSAGE *msg =
- &ssl->d1->outgoing_messages[ssl->d1->outgoing_messages_len];
- msg->data = std::move(data);
- msg->epoch = ssl->d1->w_epoch;
- msg->is_ccs = is_ccs;
+ DTLS_OUTGOING_MESSAGE msg;
+ msg.data = std::move(data);
+ msg.epoch = ssl->d1->w_epoch;
+ msg.is_ccs = is_ccs;
+ if (!ssl->d1->outgoing_messages.TryPushBack(std::move(msg))) {
+ assert(false);
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
- ssl->d1->outgoing_messages_len++;
return true;
}
@@ -626,7 +600,7 @@ enum seal_result_t {
static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
size_t *out_len, size_t max_out,
const DTLS_OUTGOING_MESSAGE *msg) {
- assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len);
+ assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages.size());
assert(msg == &ssl->d1->outgoing_messages[ssl->d1->outgoing_written]);
size_t overhead = dtls_max_seal_overhead(ssl, msg->epoch);
@@ -715,8 +689,8 @@ static bool seal_next_packet(SSL *ssl, uint8_t *out, size_t *out_len,
size_t max_out) {
bool made_progress = false;
size_t total = 0;
- assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len);
- for (; ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len;
+ assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages.size());
+ for (; ssl->d1->outgoing_written < ssl->d1->outgoing_messages.size();
ssl->d1->outgoing_written++) {
const DTLS_OUTGOING_MESSAGE *msg =
&ssl->d1->outgoing_messages[ssl->d1->outgoing_written];
@@ -772,7 +746,7 @@ static int send_flight(SSL *ssl) {
return -1;
}
- while (ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len) {
+ while (ssl->d1->outgoing_written < ssl->d1->outgoing_messages.size()) {
uint8_t old_written = ssl->d1->outgoing_written;
uint32_t old_offset = ssl->d1->outgoing_offset;
diff --git a/yass/third_party/boringssl/src/ssl/extensions.cc b/yass/third_party/boringssl/src/ssl/extensions.cc
index 30591a6a07..0e001a6d1c 100644
--- a/yass/third_party/boringssl/src/ssl/extensions.cc
+++ b/yass/third_party/boringssl/src/ssl/extensions.cc
@@ -709,14 +709,14 @@ static bool ext_ri_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
}
assert(ssl->s3->initial_handshake_complete ==
- (ssl->s3->previous_client_finished_len != 0));
+ !ssl->s3->previous_client_finished.empty());
CBB contents, prev_finished;
if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
!CBB_add_u16_length_prefixed(out, &contents) ||
!CBB_add_u8_length_prefixed(&contents, &prev_finished) ||
- !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished,
- ssl->s3->previous_client_finished_len) ||
+ !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished.data(),
+ ssl->s3->previous_client_finished.size()) ||
!CBB_flush(out)) {
return false;
}
@@ -752,16 +752,11 @@ static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
return true;
}
- const size_t expected_len = ssl->s3->previous_client_finished_len +
- ssl->s3->previous_server_finished_len;
-
- // Check for logic errors
- assert(!expected_len || ssl->s3->previous_client_finished_len);
- assert(!expected_len || ssl->s3->previous_server_finished_len);
+ // Check for logic errors.
+ assert(ssl->s3->previous_client_finished.size() ==
+ ssl->s3->previous_server_finished.size());
assert(ssl->s3->initial_handshake_complete ==
- (ssl->s3->previous_client_finished_len != 0));
- assert(ssl->s3->initial_handshake_complete ==
- (ssl->s3->previous_server_finished_len != 0));
+ !ssl->s3->previous_client_finished.empty());
// Parse out the extension contents.
CBS renegotiated_connection;
@@ -773,15 +768,22 @@ static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
}
// Check that the extension matches.
- if (CBS_len(&renegotiated_connection) != expected_len) {
+ CBS client_verify, server_verify;
+ if (!CBS_get_bytes(&renegotiated_connection, &client_verify,
+ ssl->s3->previous_client_finished.size()) ||
+ !CBS_get_bytes(&renegotiated_connection, &server_verify,
+ ssl->s3->previous_server_finished.size()) ||
+ CBS_len(&renegotiated_connection) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
*out_alert = SSL_AD_HANDSHAKE_FAILURE;
return false;
}
- const uint8_t *d = CBS_data(&renegotiated_connection);
- bool ok = CRYPTO_memcmp(d, ssl->s3->previous_client_finished,
- ssl->s3->previous_client_finished_len) == 0;
+ bool ok =
+ CBS_mem_equal(&client_verify, ssl->s3->previous_client_finished.data(),
+ ssl->s3->previous_client_finished.size()) &&
+ CBS_mem_equal(&server_verify, ssl->s3->previous_server_finished.data(),
+ ssl->s3->previous_server_finished.size());
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
ok = true;
#endif
@@ -790,20 +792,8 @@ static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
*out_alert = SSL_AD_HANDSHAKE_FAILURE;
return false;
}
- d += ssl->s3->previous_client_finished_len;
- ok = CRYPTO_memcmp(d, ssl->s3->previous_server_finished,
- ssl->s3->previous_server_finished_len) == 0;
-#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
- ok = true;
-#endif
- if (!ok) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
- *out_alert = SSL_AD_HANDSHAKE_FAILURE;
- return false;
- }
ssl->s3->send_connection_binding = true;
-
return true;
}
@@ -4079,9 +4069,8 @@ enum ssl_ticket_aead_result_t ssl_process_ticket(
// Envoy's tests expect the session to have a session ID that matches the
// placeholder used by the client. It's unclear whether this is a good idea,
// but we maintain it for now.
- SHA256(ticket.data(), ticket.size(), session->session_id);
- // Other consumers may expect a non-empty session ID to indicate resumption.
- session->session_id_length = SHA256_DIGEST_LENGTH;
+ session->session_id.ResizeMaybeUninit(SHA256_DIGEST_LENGTH);
+ SHA256(ticket.data(), ticket.size(), session->session_id.data());
*out_session = std::move(session);
return ssl_ticket_aead_success;
@@ -4292,12 +4281,12 @@ bool tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) {
if (ssl->session != NULL) {
static const char kResumptionMagic[] = "Resumption";
SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic));
- if (ssl->session->original_handshake_hash_len == 0) {
+ if (ssl->session->original_handshake_hash.empty()) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return false;
}
- SHA256_Update(&ctx, ssl->session->original_handshake_hash,
- ssl->session->original_handshake_hash_len);
+ SHA256_Update(&ctx, ssl->session->original_handshake_hash.data(),
+ ssl->session->original_handshake_hash.size());
}
uint8_t hs_hash[EVP_MAX_MD_SIZE];
@@ -4320,20 +4309,14 @@ bool tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
return false;
}
- static_assert(
- sizeof(hs->new_session->original_handshake_hash) == EVP_MAX_MD_SIZE,
- "original_handshake_hash is too small");
-
size_t digest_len;
- if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash,
+ hs->new_session->original_handshake_hash.ResizeMaybeUninit(
+ hs->transcript.DigestLen());
+ if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash.data(),
&digest_len)) {
return false;
}
-
- static_assert(EVP_MAX_MD_SIZE <= 0xff,
- "EVP_MAX_MD_SIZE does not fit in uint8_t");
- hs->new_session->original_handshake_hash_len = (uint8_t)digest_len;
-
+ assert(digest_len == hs->new_session->original_handshake_hash.size());
return true;
}
diff --git a/yass/third_party/boringssl/src/ssl/handoff.cc b/yass/third_party/boringssl/src/ssl/handoff.cc
index ec950d0388..e4e5d281fd 100644
--- a/yass/third_party/boringssl/src/ssl/handoff.cc
+++ b/yass/third_party/boringssl/src/ssl/handoff.cc
@@ -433,8 +433,8 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
hs->server_handshake_secret().size()) ||
!CBB_add_asn1_octet_string(&seq, hs->secret().data(),
hs->secret().size()) ||
- !CBB_add_asn1_octet_string(&seq, s3->exporter_secret,
- s3->exporter_secret_len) ||
+ !CBB_add_asn1_octet_string(&seq, s3->exporter_secret.data(),
+ s3->exporter_secret.size()) ||
!CBB_add_asn1_bool(&seq, s3->used_hello_retry_request) ||
!CBB_add_asn1_bool(&seq, hs->accept_psk_mode) ||
!CBB_add_asn1_int64(&seq, s3->ticket_age_skew) ||
@@ -704,11 +704,9 @@ bool SSL_apply_handback(SSL *ssl, Span handback) {
!CopyExact(hs->client_handshake_secret(), &client_handshake_secret) ||
!CopyExact(hs->server_handshake_secret(), &server_handshake_secret) ||
!CopyExact(hs->secret(), &secret) ||
- !CopyExact({s3->exporter_secret, hs->transcript.DigestLen()},
- &exporter_secret)) {
+ !s3->exporter_secret.TryCopyFrom(exporter_secret)) {
return false;
}
- s3->exporter_secret_len = CBS_len(&exporter_secret);
if (s3->early_data_accepted &&
!CopyExact(hs->early_traffic_secret(), &early_traffic_secret)) {
diff --git a/yass/third_party/boringssl/src/ssl/handshake.cc b/yass/third_party/boringssl/src/ssl/handshake.cc
index a9ec634125..6fe37cc187 100644
--- a/yass/third_party/boringssl/src/ssl/handshake.cc
+++ b/yass/third_party/boringssl/src/ssl/handshake.cc
@@ -495,18 +495,18 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) {
}
// Copy the Finished so we can use it for renegotiation checks.
- if (finished_len > sizeof(ssl->s3->previous_client_finished) ||
- finished_len > sizeof(ssl->s3->previous_server_finished)) {
+ if (finished_len > ssl->s3->previous_client_finished.capacity() ||
+ finished_len > ssl->s3->previous_server_finished.capacity()) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return ssl_hs_error;
}
if (ssl->server) {
- OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len);
- ssl->s3->previous_client_finished_len = finished_len;
+ ssl->s3->previous_client_finished.CopyFrom(
+ MakeConstSpan(finished, finished_len));
} else {
- OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len);
- ssl->s3->previous_server_finished_len = finished_len;
+ ssl->s3->previous_server_finished.CopyFrom(
+ MakeConstSpan(finished, finished_len));
}
// The Finished message should be the end of a flight.
@@ -524,38 +524,32 @@ bool ssl_send_finished(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
const SSL_SESSION *session = ssl_handshake_session(hs);
- uint8_t finished[EVP_MAX_MD_SIZE];
+ uint8_t finished_buf[EVP_MAX_MD_SIZE];
size_t finished_len;
- if (!hs->transcript.GetFinishedMAC(finished, &finished_len, session,
+ if (!hs->transcript.GetFinishedMAC(finished_buf, &finished_len, session,
ssl->server)) {
return false;
}
+ auto finished = MakeConstSpan(finished_buf, finished_len);
// Log the master secret, if logging is enabled.
- if (!ssl_log_secret(ssl, "CLIENT_RANDOM",
- MakeConstSpan(session->secret, session->secret_length))) {
+ if (!ssl_log_secret(ssl, "CLIENT_RANDOM", session->secret)) {
return false;
}
// Copy the Finished so we can use it for renegotiation checks.
- if (finished_len > sizeof(ssl->s3->previous_client_finished) ||
- finished_len > sizeof(ssl->s3->previous_server_finished)) {
+ bool ok = ssl->server
+ ? ssl->s3->previous_server_finished.TryCopyFrom(finished)
+ : ssl->s3->previous_client_finished.TryCopyFrom(finished);
+ if (!ok) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return false;
- }
-
- if (ssl->server) {
- OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len);
- ssl->s3->previous_server_finished_len = finished_len;
- } else {
- OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len);
- ssl->s3->previous_client_finished_len = finished_len;
+ return ssl_hs_error;
}
ScopedCBB cbb;
CBB body;
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) ||
- !CBB_add_bytes(&body, finished, finished_len) ||
+ !CBB_add_bytes(&body, finished.data(), finished.size()) ||
!ssl_add_message_cbb(ssl, cbb.get())) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return false;
diff --git a/yass/third_party/boringssl/src/ssl/handshake_client.cc b/yass/third_party/boringssl/src/ssl/handshake_client.cc
index 2f74ff56da..3774787179 100644
--- a/yass/third_party/boringssl/src/ssl/handshake_client.cc
+++ b/yass/third_party/boringssl/src/ssl/handshake_client.cc
@@ -328,7 +328,7 @@ bool ssl_write_client_hello_without_extensions(const SSL_HANDSHAKE *hs,
// Do not send a session ID on renegotiation.
if (!ssl->s3->initial_handshake_complete &&
!empty_session_id &&
- !CBB_add_bytes(&child, hs->session_id, hs->session_id_len)) {
+ !CBB_add_bytes(&child, hs->session_id.data(), hs->session_id.size())) {
return false;
}
@@ -526,7 +526,7 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
}
const bool has_id_session = ssl->session != nullptr &&
- ssl->session->session_id_length > 0 &&
+ !ssl->session->session_id.empty() &&
ssl->session->ticket.empty();
const bool has_ticket_session =
ssl->session != nullptr && !ssl->session->ticket.empty();
@@ -540,12 +540,10 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
ssl->quic_method == nullptr &&
!SSL_is_dtls(hs->ssl);
if (has_id_session) {
- hs->session_id_len = ssl->session->session_id_length;
- OPENSSL_memcpy(hs->session_id, ssl->session->session_id,
- hs->session_id_len);
+ hs->session_id = ssl->session->session_id;
} else if (ticket_session_requires_random_id || enable_compatibility_mode) {
- hs->session_id_len = sizeof(hs->session_id);
- if (!RAND_bytes(hs->session_id, hs->session_id_len)) {
+ hs->session_id.ResizeMaybeUninit(SSL_MAX_SSL_SESSION_ID_LENGTH);
+ if (!RAND_bytes(hs->session_id.data(), hs->session_id.size())) {
return ssl_hs_error;
}
}
@@ -830,9 +828,8 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
hs->new_cipher = cipher;
- if (hs->session_id_len != 0 &&
- CBS_mem_equal(&server_hello.session_id, hs->session_id,
- hs->session_id_len)) {
+ if (!hs->session_id.empty() &&
+ Span(server_hello.session_id) == hs->session_id) {
// Echoing the ClientHello session ID in TLS 1.2, whether from the session
// or a synthetic one, indicates resumption. If there was no session (or if
// the session was only offered in ECH ClientHelloInner), this was the
@@ -874,16 +871,9 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
}
// Save the session ID from the server. This may be empty if the session
- // isn't resumable, or if we'll receive a session ticket later.
- assert(CBS_len(&server_hello.session_id) <= SSL3_SESSION_ID_SIZE);
- static_assert(SSL3_SESSION_ID_SIZE <= UINT8_MAX,
- "max session ID is too large");
- hs->new_session->session_id_length =
- static_cast(CBS_len(&server_hello.session_id));
- OPENSSL_memcpy(hs->new_session->session_id,
- CBS_data(&server_hello.session_id),
- CBS_len(&server_hello.session_id));
-
+ // isn't resumable, or if we'll receive a session ticket later. The
+ // ServerHello parser ensures |server_hello.session_id| is within bounds.
+ hs->new_session->session_id.CopyFrom(server_hello.session_id);
hs->new_session->cipher = hs->new_cipher;
}
@@ -1619,13 +1609,13 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}
- hs->new_session->secret_length =
- tls1_generate_master_secret(hs, hs->new_session->secret, pms);
- if (hs->new_session->secret_length == 0) {
+ hs->new_session->secret.ResizeMaybeUninit(SSL3_MASTER_SECRET_SIZE);
+ if (!tls1_generate_master_secret(hs, MakeSpan(hs->new_session->secret),
+ pms)) {
return ssl_hs_error;
}
- hs->new_session->extended_master_secret = hs->extended_master_secret;
+ hs->new_session->extended_master_secret = hs->extended_master_secret;
hs->state = state_send_client_certificate_verify;
return ssl_hs_ok;
}
@@ -1860,8 +1850,9 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) {
// Historically, OpenSSL filled in fake session IDs for ticket-based sessions.
// TODO(davidben): Are external callers relying on this? Try removing this.
- SHA256(CBS_data(&ticket), CBS_len(&ticket), hs->new_session->session_id);
- hs->new_session->session_id_length = SHA256_DIGEST_LENGTH;
+ hs->new_session->session_id.ResizeMaybeUninit(SHA256_DIGEST_LENGTH);
+ SHA256(CBS_data(&ticket), CBS_len(&ticket),
+ hs->new_session->session_id.data());
ssl->method->next_message(ssl);
hs->state = state_process_change_cipher_spec;
diff --git a/yass/third_party/boringssl/src/ssl/handshake_server.cc b/yass/third_party/boringssl/src/ssl/handshake_server.cc
index 7821ce0931..59531f7161 100644
--- a/yass/third_party/boringssl/src/ssl/handshake_server.cc
+++ b/yass/third_party/boringssl/src/ssl/handshake_server.cc
@@ -894,10 +894,10 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
hs->new_cipher = params.cipher;
hs->signature_algorithm = params.signature_algorithm;
- hs->session_id_len = client_hello.session_id_len;
- // This is checked in |ssl_client_hello_init|.
- assert(hs->session_id_len <= sizeof(hs->session_id));
- OPENSSL_memcpy(hs->session_id, client_hello.session_id, hs->session_id_len);
+ // |ssl_client_hello_init| checks that |client_hello.session_id| is not too
+ // large.
+ hs->session_id.CopyFrom(
+ MakeConstSpan(client_hello.session_id, client_hello.session_id_len));
// Determine whether we are doing session resumption.
UniquePtr session;
@@ -941,9 +941,9 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
// Assign a session ID if not using session tickets.
if (!hs->ticket_expected &&
(ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) {
- hs->new_session->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
- RAND_bytes(hs->new_session->session_id,
- hs->new_session->session_id_length);
+ hs->new_session->session_id.ResizeMaybeUninit(SSL3_SSL_SESSION_ID_LENGTH);
+ RAND_bytes(hs->new_session->session_id.data(),
+ hs->new_session->session_id.size());
}
}
@@ -1027,8 +1027,8 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
// If this is a resumption and the original handshake didn't support
// ChannelID then we didn't record the original handshake hashes in the
// session and so cannot resume with ChannelIDs.
- if (ssl->session != NULL &&
- ssl->session->original_handshake_hash_len == 0) {
+ if (ssl->session != nullptr &&
+ ssl->session->original_handshake_hash.empty()) {
hs->channel_id_negotiated = false;
}
@@ -1072,10 +1072,9 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
Span session_id;
if (ssl->session != nullptr) {
// Echo the session ID from the ClientHello to indicate resumption.
- session_id = MakeConstSpan(hs->session_id, hs->session_id_len);
+ session_id = hs->session_id;
} else {
- session_id = MakeConstSpan(hs->new_session->session_id,
- hs->new_session->session_id_length);
+ session_id = hs->new_session->session_id;
}
ScopedCBB cbb;
@@ -1602,13 +1601,18 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
}
// Compute the master secret.
- hs->new_session->secret_length = tls1_generate_master_secret(
- hs, hs->new_session->secret, premaster_secret);
- if (hs->new_session->secret_length == 0) {
+ hs->new_session->secret.ResizeMaybeUninit(SSL3_MASTER_SECRET_SIZE);
+ if (!tls1_generate_master_secret(hs, MakeSpan(hs->new_session->secret),
+ premaster_secret)) {
return ssl_hs_error;
}
hs->new_session->extended_master_secret = hs->extended_master_secret;
- CONSTTIME_DECLASSIFY(hs->new_session->secret, hs->new_session->secret_length);
+ // Declassify the secret to undo the RSA decryption validation above. We are
+ // not currently running most of the TLS library with constant-time
+ // validation.
+ // TODO(crbug.com/42290551): Remove this and cover the TLS library too.
+ CONSTTIME_DECLASSIFY(hs->new_session->secret.data(),
+ hs->new_session->secret.size());
hs->can_release_private_key = true;
ssl->method->next_message(ssl);
diff --git a/yass/third_party/boringssl/src/ssl/internal.h b/yass/third_party/boringssl/src/ssl/internal.h
index 43ea1c2afe..5e5d3fd5f0 100644
--- a/yass/third_party/boringssl/src/ssl/internal.h
+++ b/yass/third_party/boringssl/src/ssl/internal.h
@@ -189,6 +189,53 @@ struct SSL_X509_METHOD;
// C++ utilities.
+// Fill-ins for various functions in C++17.
+// TODO(crbug.com/42290600): Replace these with the standard ones when we
+// require C++17.
+
+template
+ForwardIt cxx17_uninitialized_default_construct_n(ForwardIt first, size_t n) {
+ using T = typename std::iterator_traits::value_type;
+ while (n > 0) {
+ new (std::addressof(*first)) T;
+ first++;
+ n--;
+ }
+ return first;
+}
+
+template
+ForwardIt cxx17_uninitialized_value_construct_n(ForwardIt first, size_t n) {
+ using T = typename std::iterator_traits::value_type;
+ while (n > 0) {
+ new (std::addressof(*first)) T();
+ first++;
+ n--;
+ }
+ return first;
+}
+
+template
+InputIt cxx17_uninitialized_move(InputIt first, InputIt last, OutputIt out) {
+ using OutputT = typename std::iterator_traits::value_type;
+ for (; first != last; ++first) {
+ new (std::addressof(*out)) OutputT(std::move(*first));
+ ++out;
+ }
+ return out;
+}
+
+template
+ForwardIt cxx17_destroy_n(ForwardIt first, size_t n) {
+ using T = typename std::iterator_traits::value_type;
+ while (n > 0) {
+ first->~T();
+ first++;
+ n--;
+ }
+ return first;
+}
+
// New behaves like |new| but uses |OPENSSL_malloc| for memory allocation. It
// returns nullptr on allocation error. It only implements single-object
// allocation and not new T[n].
@@ -253,8 +300,14 @@ class Array {
size_t size() const { return size_; }
bool empty() const { return size_ == 0; }
- const T &operator[](size_t i) const { return data_[i]; }
- T &operator[](size_t i) { return data_[i]; }
+ const T &operator[](size_t i) const {
+ BSSL_CHECK(i < size_);
+ return data_[i];
+ }
+ T &operator[](size_t i) {
+ BSSL_CHECK(i < size_);
+ return data_[i];
+ }
T *begin() { return data_; }
const T *begin() const { return data_; }
@@ -266,9 +319,7 @@ class Array {
// Reset releases the current contents of the array and takes ownership of the
// raw pointer supplied by the caller.
void Reset(T *new_data, size_t new_size) {
- for (size_t i = 0; i < size_; i++) {
- data_[i].~T();
- }
+ cxx17_destroy_n(data_, size_);
OPENSSL_free(data_);
data_ = new_data;
size_ = new_size;
@@ -289,6 +340,38 @@ class Array {
//
// Note that if |T| is a primitive type like |uint8_t|, it is uninitialized.
bool Init(size_t new_size) {
+ if (!InitUninitialized(new_size)) {
+ return false;
+ }
+ cxx17_uninitialized_default_construct_n(data_, size_);
+ return true;
+ }
+
+ // CopyFrom replaces the array with a newly-allocated copy of |in|. It returns
+ // true on success and false on error.
+ bool CopyFrom(Span in) {
+ if (!InitUninitialized(in.size())) {
+ return false;
+ }
+ std::uninitialized_copy(in.begin(), in.end(), data_);
+ return true;
+ }
+
+ // Shrink shrinks the stored size of the array to |new_size|. It crashes if
+ // the new size is larger. Note this does not shrink the allocation itself.
+ void Shrink(size_t new_size) {
+ if (new_size > size_) {
+ abort();
+ }
+ cxx17_destroy_n(data_ + new_size, size_ - new_size);
+ size_ = new_size;
+ }
+
+ private:
+ // InitUninitialized replaces the array with a newly-allocated array of
+ // |new_size| elements, but whose constructor has not yet run. On success, the
+ // elements must be constructed before returning control to the caller.
+ bool InitUninitialized(size_t new_size) {
Reset();
if (new_size == 0) {
return true;
@@ -303,76 +386,56 @@ class Array {
return false;
}
size_ = new_size;
- for (size_t i = 0; i < size_; i++) {
- new (&data_[i]) T;
- }
return true;
}
- // CopyFrom replaces the array with a newly-allocated copy of |in|. It returns
- // true on success and false on error.
- bool CopyFrom(Span in) {
- if (!Init(in.size())) {
- return false;
- }
- std::copy(in.begin(), in.end(), data_);
- return true;
- }
-
- // Shrink shrinks the stored size of the array to |new_size|. It crashes if
- // the new size is larger. Note this does not shrink the allocation itself.
- void Shrink(size_t new_size) {
- if (new_size > size_) {
- abort();
- }
- for (size_t i = new_size; i < size_; i++) {
- data_[i].~T();
- }
- size_ = new_size;
- }
-
- private:
T *data_ = nullptr;
size_t size_ = 0;
};
// Vector is a resizable array of elements of |T|.
-//
-// Note, for simplicity, this class currently differs from |std::vector| in that
-// |T| must be efficiently default-constructible. Allocated elements beyond the
-// end of the array are constructed and destructed.
template
class Vector {
public:
Vector() = default;
Vector(const Vector &) = delete;
Vector(Vector &&other) { *this = std::move(other); }
- ~Vector() {}
+ ~Vector() { clear(); }
Vector &operator=(const Vector &) = delete;
Vector &operator=(Vector &&other) {
- size_ = other.size_;
- other.size_ = 0;
- array_ = std::move(other.array_);
+ clear();
+ std::swap(data_, other.data_);
+ std::swap(size_, other.size_);
+ std::swap(capacity_, other.capacity_);
return *this;
}
- const T *data() const { return array_.data(); }
- T *data() { return array_.data(); }
+ const T *data() const { return data_; }
+ T *data() { return data_; }
size_t size() const { return size_; }
bool empty() const { return size_ == 0; }
- const T &operator[](size_t i) const { return array_[i]; }
- T &operator[](size_t i) { return array_[i]; }
+ const T &operator[](size_t i) const {
+ BSSL_CHECK(i < size_);
+ return data_[i];
+ }
+ T &operator[](size_t i) {
+ BSSL_CHECK(i < size_);
+ return data_[i];
+ }
- T *begin() { return array_.data(); }
- const T *begin() const { return array_.data(); }
- T *end() { return array_.data() + size_; }
- const T *end() const { return array_.data() + size_; }
+ T *begin() { return data_; }
+ const T *begin() const { return data_; }
+ T *end() { return data_ + size_; }
+ const T *end() const { return data_ + size_; }
void clear() {
+ cxx17_destroy_n(data_, size_);
+ OPENSSL_free(data_);
+ data_ = nullptr;
size_ = 0;
- array_.Reset();
+ capacity_ = 0;
}
// Push adds |elem| at the end of the internal array, growing if necessary. It
@@ -381,7 +444,7 @@ class Vector {
if (!MaybeGrow()) {
return false;
}
- array_[size_] = std::move(elem);
+ new (&data_[size_]) T(std::move(elem));
size_++;
return true;
}
@@ -389,10 +452,14 @@ class Vector {
// CopyFrom replaces the contents of the array with a copy of |in|. It returns
// true on success and false on allocation error.
bool CopyFrom(Span in) {
- if (!array_.CopyFrom(in)) {
+ Array copy;
+ if (!copy.CopyFrom(in)) {
return false;
}
- size_ = in.size();
+
+ clear();
+ copy.Release(&data_, &size_);
+ capacity_ = size_;
return true;
}
@@ -400,39 +467,177 @@ class Vector {
// If there is no room for one more element, creates a new backing array with
// double the size of the old one and copies elements over.
bool MaybeGrow() {
- if (array_.size() == 0) {
- return array_.Init(kDefaultSize);
- }
// No need to grow if we have room for one more T.
- if (size_ < array_.size()) {
+ if (size_ < capacity_) {
return true;
}
- // Double the array's size if it's safe to do so.
- if (array_.size() > std::numeric_limits::max() / 2) {
+ size_t new_capacity = kDefaultSize;
+ if (capacity_ > 0) {
+ // Double the array's size if it's safe to do so.
+ if (capacity_ > std::numeric_limits::max() / 2) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
+ return false;
+ }
+ new_capacity = capacity_ * 2;
+ }
+ if (new_capacity > std::numeric_limits::max() / sizeof(T)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
return false;
}
- Array new_array;
- if (!new_array.Init(array_.size() * 2)) {
+ T *new_data =
+ reinterpret_cast(OPENSSL_malloc(new_capacity * sizeof(T)));
+ if (new_data == nullptr) {
return false;
}
- for (size_t i = 0; i < array_.size(); i++) {
- new_array[i] = std::move(array_[i]);
- }
- array_ = std::move(new_array);
-
+ size_t new_size = size_;
+ cxx17_uninitialized_move(begin(), end(), new_data);
+ clear();
+ data_ = new_data;
+ size_ = new_size;
+ capacity_ = new_capacity;
return true;
}
+ // data_ is a pointer to |capacity_| objects of size |T|, the first |size_| of
+ // which are constructed.
+ T *data_ = nullptr;
// |size_| is the number of elements stored in this Vector.
size_t size_ = 0;
- // |array_| is the backing array. Note that |array_.size()| is this
- // Vector's current capacity and that |size_ <= array_.size()|.
- Array array_;
+ // |capacity_| is the number of elements allocated in this Vector.
+ size_t capacity_ = 0;
// |kDefaultSize| is the default initial size of the backing array.
static constexpr size_t kDefaultSize = 16;
};
+// A PackedSize is an integer that can store values from 0 to N, represented as
+// a minimal-width integer.
+template
+using PackedSize = std::conditional_t<
+ N <= 0xff, uint8_t,
+ std::conditional_t>>;
+
+// An InplaceVector is like a Vector, but stores up to N elements inline in the
+// object. It is inspired by std::inplace_vector in C++26.
+template
+class InplaceVector {
+ public:
+ InplaceVector() = default;
+ InplaceVector(const InplaceVector &other) { *this = other; }
+ InplaceVector(InplaceVector &&other) { *this = std::move(other); }
+ ~InplaceVector() { clear(); }
+ InplaceVector &operator=(const InplaceVector &other) {
+ if (this != &other) {
+ CopyFrom(other);
+ }
+ return *this;
+ }
+ InplaceVector &operator=(InplaceVector &&other) {
+ clear();
+ cxx17_uninitialized_move(other.begin(), other.end(), data());
+ size_ = other.size();
+ return *this;
+ }
+
+ const T *data() const { return reinterpret_cast(storage_); }
+ T *data() { return reinterpret_cast(storage_); }
+ size_t size() const { return size_; }
+ static constexpr size_t capacity() { return N; }
+ bool empty() const { return size_ == 0; }
+
+ const T &operator[](size_t i) const {
+ BSSL_CHECK(i < size_);
+ return data()[i];
+ }
+ T &operator[](size_t i) {
+ BSSL_CHECK(i < size_);
+ return data()[i];
+ }
+
+ T *begin() { return data(); }
+ const T *begin() const { return data(); }
+ T *end() { return data() + size_; }
+ const T *end() const { return data() + size_; }
+
+ void clear() {
+ cxx17_destroy_n(data(), size_);
+ size_ = 0;
+ }
+
+ // TryResize resizes the vector to |new_size| and returns true, or returns
+ // false if |new_size| is too large. Any newly-added elements are
+ // value-initialized.
+ bool TryResize(size_t new_size) {
+ if (new_size > capacity()) {
+ return false;
+ }
+ if (new_size < size_) {
+ cxx17_destroy_n(data() + new_size, size_ - new_size);
+ } else {
+ cxx17_uninitialized_value_construct_n(data() + size_, new_size - size_);
+ }
+ size_ = static_cast>(new_size);
+ return true;
+ }
+
+ // TryResizeMaybeUninit behaves like |TryResize|, but newly-added elements are
+ // default-initialized, so POD types may contain uninitialized values that the
+ // caller is responsible for filling in.
+ bool TryResizeMaybeUninit(size_t new_size) {
+ if (new_size > capacity()) {
+ return false;
+ }
+ if (new_size < size_) {
+ cxx17_destroy_n(data() + new_size, size_ - new_size);
+ } else {
+ cxx17_uninitialized_default_construct_n(data() + size_, new_size - size_);
+ }
+ size_ = static_cast>(new_size);
+ return true;
+ }
+
+ // TryCopyFrom sets the vector to a copy of |in| and returns true, or returns
+ // false if |in| is too large.
+ bool TryCopyFrom(Span in) {
+ if (in.size() > capacity()) {
+ return false;
+ }
+ clear();
+ std::uninitialized_copy(in.begin(), in.end(), data());
+ size_ = in.size();
+ return true;
+ }
+
+ // TryPushBack appends |val| to the vector and returns a pointer to the
+ // newly-inserted value, or nullptr if the vector is at capacity.
+ T *TryPushBack(T val) {
+ if (size() >= capacity()) {
+ return nullptr;
+ }
+ T *ret = &data()[size_];
+ new (ret) T(std::move(val));
+ size_++;
+ return ret;
+ }
+
+ // The following methods behave like their |Try*| counterparts, but abort the
+ // program on failure.
+ void Resize(size_t size) { BSSL_CHECK(TryResize(size)); }
+ void ResizeMaybeUninit(size_t size) {
+ BSSL_CHECK(TryResizeMaybeUninit(size));
+ }
+ void CopyFrom(Span in) { BSSL_CHECK(TryCopyFrom(in)); }
+ T &PushBack(T val) {
+ T *ret = TryPushBack(std::move(val));
+ BSSL_CHECK(ret != nullptr);
+ return *ret;
+ }
+
+ private:
+ alignas(T) char storage_[sizeof(T[N])];
+ PackedSize size_ = 0;
+};
+
// CBBFinishArray behaves like |CBB_finish| but stores the result in an Array.
OPENSSL_EXPORT bool CBBFinishArray(CBB *cbb, Array *out);
@@ -937,8 +1142,8 @@ class SSLAEADContext {
ScopedEVP_AEAD_CTX ctx_;
// fixed_nonce_ contains any bytes of the nonce that are fixed for all
// records.
- uint8_t fixed_nonce_[12] = {0};
- uint8_t fixed_nonce_len_ = 0, variable_nonce_len_ = 0;
+ InplaceVector fixed_nonce_;
+ uint8_t variable_nonce_len_ = 0;
UniquePtr rn_encrypter_;
// variable_nonce_included_in_record_ is true if the variable nonce
// for a record is included as a prefix before the ciphertext.
@@ -1270,12 +1475,6 @@ bool dtls_has_unprocessed_handshake_data(const SSL *ssl);
bool tls_flush_pending_hs_data(SSL *ssl);
struct DTLS_OUTGOING_MESSAGE {
- DTLS_OUTGOING_MESSAGE() {}
- DTLS_OUTGOING_MESSAGE(const DTLS_OUTGOING_MESSAGE &) = delete;
- DTLS_OUTGOING_MESSAGE &operator=(const DTLS_OUTGOING_MESSAGE &) = delete;
-
- void Clear();
-
Array data;
uint16_t epoch = 0;
bool is_ccs = false;
@@ -2227,8 +2426,7 @@ struct SSL_HANDSHAKE {
uint8_t ech_config_id = 0;
// session_id is the session ID in the ClientHello.
- uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH] = {0};
- uint8_t session_id_len = 0;
+ InplaceVector session_id;
// grease_seed is the entropy for GREASE values.
uint8_t grease_seed[ssl_grease_last_index + 1] = {0};
@@ -2574,8 +2772,7 @@ struct CERT {
// sid_ctx partitions the session space within a shared session cache or
// ticket key. Only sessions with a matching value will be accepted.
- uint8_t sid_ctx_length = 0;
- uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH] = {0};
+ InplaceVector sid_ctx;
};
// |SSL_PROTOCOL_METHOD| abstracts between TLS and DTLS.
@@ -2944,18 +3141,13 @@ struct SSL3_STATE {
// one.
UniquePtr hs;
- uint8_t write_traffic_secret[SSL_MAX_MD_SIZE] = {0};
- uint8_t read_traffic_secret[SSL_MAX_MD_SIZE] = {0};
- uint8_t exporter_secret[SSL_MAX_MD_SIZE] = {0};
- uint8_t write_traffic_secret_len = 0;
- uint8_t read_traffic_secret_len = 0;
- uint8_t exporter_secret_len = 0;
+ InplaceVector write_traffic_secret;
+ InplaceVector read_traffic_secret;
+ InplaceVector exporter_secret;
// Connection binding to prevent renegotiation attacks
- uint8_t previous_client_finished[12] = {0};
- uint8_t previous_client_finished_len = 0;
- uint8_t previous_server_finished_len = 0;
- uint8_t previous_server_finished[12] = {0};
+ InplaceVector previous_client_finished;
+ InplaceVector previous_server_finished;
uint8_t send_alert[2] = {0};
@@ -3113,8 +3305,8 @@ struct DTLS1_STATE {
// outgoing_messages is the queue of outgoing messages from the last handshake
// flight.
- DTLS_OUTGOING_MESSAGE outgoing_messages[SSL_MAX_HANDSHAKE_FLIGHT];
- uint8_t outgoing_messages_len = 0;
+ InplaceVector
+ outgoing_messages;
// outgoing_written is the number of outgoing messages that have been
// written.
@@ -3493,8 +3685,11 @@ bool tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
bool tls1_change_cipher_state(SSL_HANDSHAKE *hs,
evp_aead_direction_t direction);
-int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,
- Span premaster);
+
+// tls1_generate_master_secret computes the master secret from |premaster| and
+// writes it to |out|. |out| must have size |SSL3_MASTER_SECRET_SIZE|.
+bool tls1_generate_master_secret(SSL_HANDSHAKE *hs, Span out,
+ Span premaster);
// tls1_get_grouplist returns the locally-configured group preference list.
Span tls1_get_grouplist(const SSL_HANDSHAKE *ssl);
@@ -4022,17 +4217,14 @@ struct ssl_session_st : public bssl::RefCounted {
// session. In TLS 1.3 and up, it is the resumption PSK for sessions handed to
// the caller, but it stores the resumption secret when stored on |SSL|
// objects.
- uint8_t secret_length = 0;
- uint8_t secret[SSL_MAX_MASTER_KEY_LENGTH] = {0};
+ bssl::InplaceVector secret;
+
+ bssl::InplaceVector session_id;
- // session_id - valid?
- uint8_t session_id_length = 0;
- uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH] = {0};
// this is used to determine whether the session is being reused in
// the appropriate context. It is up to the application to set this,
// via SSL_new
- uint8_t sid_ctx_length = 0;
- uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH] = {0};
+ bssl::InplaceVector sid_ctx;
bssl::UniquePtr psk_identity;
@@ -4095,8 +4287,7 @@ struct ssl_session_st : public bssl::RefCounted {
// original_handshake_hash contains the handshake hash (either SHA-1+MD5 or
// SHA-2, depending on TLS version) for the original, full handshake that
// created a session. This is used by Channel IDs during resumption.
- uint8_t original_handshake_hash[EVP_MAX_MD_SIZE] = {0};
- uint8_t original_handshake_hash_len = 0;
+ bssl::InplaceVector original_handshake_hash;
uint32_t ticket_lifetime_hint = 0; // Session lifetime hint in seconds
diff --git a/yass/third_party/boringssl/src/ssl/span_test.cc b/yass/third_party/boringssl/src/ssl/span_test.cc
index 481b0fc64e..84cb5a3ed1 100644
--- a/yass/third_party/boringssl/src/ssl/span_test.cc
+++ b/yass/third_party/boringssl/src/ssl/span_test.cc
@@ -98,5 +98,22 @@ TEST(SpanTest, ConstExpr) {
static_assert(span2[0] == 1, "wrong value");
}
+TEST(SpanDeathTest, BoundsChecks) {
+ // Make an array that's larger than we need, so that a failure to bounds check
+ // won't crash.
+ const int v[] = {1, 2, 3, 4};
+ Span span(v, 3);
+ // Out of bounds access.
+ EXPECT_DEATH_IF_SUPPORTED(span[3], "");
+ EXPECT_DEATH_IF_SUPPORTED(span.subspan(4), "");
+ EXPECT_DEATH_IF_SUPPORTED(span.first(4), "");
+ EXPECT_DEATH_IF_SUPPORTED(span.last(4), "");
+ // Accessing an empty span.
+ Span empty(v, 0);
+ EXPECT_DEATH_IF_SUPPORTED(empty[0], "");
+ EXPECT_DEATH_IF_SUPPORTED(empty.front(), "");
+ EXPECT_DEATH_IF_SUPPORTED(empty.back(), "");
+}
+
} // namespace
BSSL_NAMESPACE_END
diff --git a/yass/third_party/boringssl/src/ssl/ssl_aead_ctx.cc b/yass/third_party/boringssl/src/ssl/ssl_aead_ctx.cc
index 4f25d43369..8e7a387b83 100644
--- a/yass/third_party/boringssl/src/ssl/ssl_aead_ctx.cc
+++ b/yass/third_party/boringssl/src/ssl/ssl_aead_ctx.cc
@@ -80,9 +80,7 @@ UniquePtr SSLAEADContext::Create(
aead_ctx->variable_nonce_len_ = (uint8_t)EVP_AEAD_nonce_length(aead);
if (mac_key.empty()) {
// This is an actual AEAD.
- assert(fixed_iv.size() <= sizeof(aead_ctx->fixed_nonce_));
- OPENSSL_memcpy(aead_ctx->fixed_nonce_, fixed_iv.data(), fixed_iv.size());
- aead_ctx->fixed_nonce_len_ = fixed_iv.size();
+ aead_ctx->fixed_nonce_.CopyFrom(fixed_iv);
if (protocol_version >= TLS1_3_VERSION ||
cipher->algorithm_enc & SSL_CHACHA20POLY1305) {
@@ -246,11 +244,11 @@ bool SSLAEADContext::Open(Span *out, uint8_t type,
// Prepend the fixed nonce, or left-pad with zeros if XORing.
if (xor_fixed_nonce_) {
- nonce_len = fixed_nonce_len_ - variable_nonce_len_;
+ nonce_len = fixed_nonce_.size() - variable_nonce_len_;
OPENSSL_memset(nonce, 0, nonce_len);
} else {
- OPENSSL_memcpy(nonce, fixed_nonce_, fixed_nonce_len_);
- nonce_len += fixed_nonce_len_;
+ OPENSSL_memcpy(nonce, fixed_nonce_.data(), fixed_nonce_.size());
+ nonce_len += fixed_nonce_.size();
}
// Add the variable nonce.
@@ -270,8 +268,8 @@ bool SSLAEADContext::Open(Span *out, uint8_t type,
// XOR the fixed nonce, if necessary.
if (xor_fixed_nonce_) {
- assert(nonce_len == fixed_nonce_len_);
- for (size_t i = 0; i < fixed_nonce_len_; i++) {
+ assert(nonce_len == fixed_nonce_.size());
+ for (size_t i = 0; i < fixed_nonce_.size(); i++) {
nonce[i] ^= fixed_nonce_[i];
}
}
@@ -323,11 +321,11 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out,
// Prepend the fixed nonce, or left-pad with zeros if XORing.
if (xor_fixed_nonce_) {
- nonce_len = fixed_nonce_len_ - variable_nonce_len_;
+ nonce_len = fixed_nonce_.size() - variable_nonce_len_;
OPENSSL_memset(nonce, 0, nonce_len);
} else {
- OPENSSL_memcpy(nonce, fixed_nonce_, fixed_nonce_len_);
- nonce_len += fixed_nonce_len_;
+ OPENSSL_memcpy(nonce, fixed_nonce_.data(), fixed_nonce_.size());
+ nonce_len += fixed_nonce_.size();
}
// Select the variable nonce.
@@ -351,14 +349,14 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out,
OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
return false;
}
- OPENSSL_memcpy(out_prefix, nonce + fixed_nonce_len_,
+ OPENSSL_memcpy(out_prefix, nonce + fixed_nonce_.size(),
variable_nonce_len_);
}
// XOR the fixed nonce, if necessary.
if (xor_fixed_nonce_) {
- assert(nonce_len == fixed_nonce_len_);
- for (size_t i = 0; i < fixed_nonce_len_; i++) {
+ assert(nonce_len == fixed_nonce_.size());
+ for (size_t i = 0; i < fixed_nonce_.size(); i++) {
nonce[i] ^= fixed_nonce_[i];
}
}
diff --git a/yass/third_party/boringssl/src/ssl/ssl_asn1.cc b/yass/third_party/boringssl/src/ssl/ssl_asn1.cc
index 3311246c6f..3e1e9d66ae 100644
--- a/yass/third_party/boringssl/src/ssl/ssl_asn1.cc
+++ b/yass/third_party/boringssl/src/ssl/ssl_asn1.cc
@@ -216,9 +216,10 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,
!CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
!CBB_add_u16(&child, (uint16_t)(in->cipher->id & 0xffff)) ||
// The session ID is irrelevant for a session ticket.
- !CBB_add_asn1_octet_string(&session, in->session_id,
- for_ticket ? 0 : in->session_id_length) ||
- !CBB_add_asn1_octet_string(&session, in->secret, in->secret_length) ||
+ !CBB_add_asn1_octet_string(&session, in->session_id.data(),
+ for_ticket ? 0 : in->session_id.size()) ||
+ !CBB_add_asn1_octet_string(&session, in->secret.data(),
+ in->secret.size()) ||
!CBB_add_asn1(&session, &child, kTimeTag) ||
!CBB_add_asn1_uint64(&child, in->time) ||
!CBB_add_asn1(&session, &child, kTimeoutTag) ||
@@ -240,7 +241,8 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,
// Although it is OPTIONAL and usually empty, OpenSSL has
// historically always encoded the sid_ctx.
if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) ||
- !CBB_add_asn1_octet_string(&child, in->sid_ctx, in->sid_ctx_length)) {
+ !CBB_add_asn1_octet_string(&child, in->sid_ctx.data(),
+ in->sid_ctx.size())) {
return 0;
}
@@ -283,10 +285,10 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,
}
}
- if (in->original_handshake_hash_len > 0) {
+ if (!in->original_handshake_hash.empty()) {
if (!CBB_add_asn1(&session, &child, kOriginalHandshakeHashTag) ||
- !CBB_add_asn1_octet_string(&child, in->original_handshake_hash,
- in->original_handshake_hash_len)) {
+ !CBB_add_asn1_octet_string(&child, in->original_handshake_hash.data(),
+ in->original_handshake_hash.size())) {
return 0;
}
}
@@ -473,23 +475,6 @@ static int SSL_SESSION_parse_crypto_buffer(CBS *cbs,
return 1;
}
-// SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING
-// explicitly tagged with |tag| of size at most |max_out|.
-static int SSL_SESSION_parse_bounded_octet_string(CBS *cbs, uint8_t *out,
- uint8_t *out_len,
- uint8_t max_out,
- CBS_ASN1_TAG tag) {
- CBS value;
- if (!CBS_get_optional_asn1_octet_string(cbs, &value, NULL, tag) ||
- CBS_len(&value) > max_out) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
- return 0;
- }
- OPENSSL_memcpy(out, CBS_data(&value), CBS_len(&value));
- *out_len = static_cast(CBS_len(&value));
- return 1;
-}
-
static int SSL_SESSION_parse_long(CBS *cbs, long *out, CBS_ASN1_TAG tag,
long default_value) {
uint64_t value;
@@ -569,29 +554,16 @@ UniquePtr SSL_SESSION_parse(CBS *cbs,
return nullptr;
}
- CBS session_id, secret;
- if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING) ||
- CBS_len(&session_id) > SSL3_MAX_SSL_SESSION_ID_LENGTH ||
- !CBS_get_asn1(&session, &secret, CBS_ASN1_OCTETSTRING) ||
- CBS_len(&secret) > SSL_MAX_MASTER_KEY_LENGTH) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
- return nullptr;
- }
- OPENSSL_memcpy(ret->session_id, CBS_data(&session_id), CBS_len(&session_id));
- static_assert(SSL3_MAX_SSL_SESSION_ID_LENGTH <= UINT8_MAX,
- "max session ID is too large");
- ret->session_id_length = static_cast(CBS_len(&session_id));
- OPENSSL_memcpy(ret->secret, CBS_data(&secret), CBS_len(&secret));
- static_assert(SSL_MAX_MASTER_KEY_LENGTH <= UINT8_MAX,
- "max secret is too large");
- ret->secret_length = static_cast(CBS_len(&secret));
-
- CBS child;
+ CBS session_id, secret, child;
uint64_t timeout;
- if (!CBS_get_asn1(&session, &child, kTimeTag) ||
+ if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING) ||
+ !ret->session_id.TryCopyFrom(session_id) ||
+ !CBS_get_asn1(&session, &secret, CBS_ASN1_OCTETSTRING) ||
+ !ret->secret.TryCopyFrom(secret) ||
+ !CBS_get_asn1(&session, &child, kTimeTag) ||
!CBS_get_asn1_uint64(&child, &ret->time) ||
!CBS_get_asn1(&session, &child, kTimeoutTag) ||
- !CBS_get_asn1_uint64(&child, &timeout) ||
+ !CBS_get_asn1_uint64(&child, &timeout) || //
timeout > UINT32_MAX) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
return nullptr;
@@ -608,9 +580,10 @@ UniquePtr SSL_SESSION_parse(CBS *cbs,
}
// |peer| is processed with the certificate chain.
- if (!SSL_SESSION_parse_bounded_octet_string(
- &session, ret->sid_ctx, &ret->sid_ctx_length, sizeof(ret->sid_ctx),
- kSessionIDContextTag) ||
+ CBS sid_ctx;
+ if (!CBS_get_optional_asn1_octet_string(
+ &session, &sid_ctx, /*out_present=*/nullptr, kSessionIDContextTag) ||
+ !ret->sid_ctx.TryCopyFrom(sid_ctx) ||
!SSL_SESSION_parse_long(&session, &ret->verify_result, kVerifyResultTag,
X509_V_OK)) {
return nullptr;
@@ -648,10 +621,11 @@ UniquePtr SSL_SESSION_parse(CBS *cbs,
ret->peer_sha256_valid = false;
}
- if (!SSL_SESSION_parse_bounded_octet_string(
- &session, ret->original_handshake_hash,
- &ret->original_handshake_hash_len,
- sizeof(ret->original_handshake_hash), kOriginalHandshakeHashTag) ||
+ CBS original_handshake_hash;
+ if (!CBS_get_optional_asn1_octet_string(&session, &original_handshake_hash,
+ /*out_present=*/nullptr,
+ kOriginalHandshakeHashTag) ||
+ !ret->original_handshake_hash.TryCopyFrom(original_handshake_hash) ||
!SSL_SESSION_parse_crypto_buffer(&session,
&ret->signed_cert_timestamp_list,
kSignedCertTimestampListTag, pool) ||
diff --git a/yass/third_party/boringssl/src/ssl/ssl_cert.cc b/yass/third_party/boringssl/src/ssl/ssl_cert.cc
index e30e27da35..bd0143e748 100644
--- a/yass/third_party/boringssl/src/ssl/ssl_cert.cc
+++ b/yass/third_party/boringssl/src/ssl/ssl_cert.cc
@@ -165,9 +165,7 @@ UniquePtr ssl_cert_dup(CERT *cert) {
ret->x509_method->cert_dup(ret.get(), cert);
- ret->sid_ctx_length = cert->sid_ctx_length;
- OPENSSL_memcpy(ret->sid_ctx, cert->sid_ctx, sizeof(ret->sid_ctx));
-
+ ret->sid_ctx = cert->sid_ctx;
return ret;
}
diff --git a/yass/third_party/boringssl/src/ssl/ssl_lib.cc b/yass/third_party/boringssl/src/ssl/ssl_lib.cc
index 1458b456e5..c84c507104 100644
--- a/yass/third_party/boringssl/src/ssl/ssl_lib.cc
+++ b/yass/third_party/boringssl/src/ssl/ssl_lib.cc
@@ -489,11 +489,8 @@ bool SSL_get_traffic_secrets(const SSL *ssl,
return false;
}
- *out_read_traffic_secret = Span(
- ssl->s3->read_traffic_secret, ssl->s3->read_traffic_secret_len);
- *out_write_traffic_secret = Span(
- ssl->s3->write_traffic_secret, ssl->s3->write_traffic_secret_len);
-
+ *out_read_traffic_secret = ssl->s3->read_traffic_secret;
+ *out_write_traffic_secret = ssl->s3->write_traffic_secret;
return true;
}
@@ -519,16 +516,11 @@ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) {
}
static uint32_t ssl_session_hash(const SSL_SESSION *sess) {
- return ssl_hash_session_id(
- MakeConstSpan(sess->session_id, sess->session_id_length));
+ return ssl_hash_session_id(sess->session_id);
}
static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) {
- if (a->session_id_length != b->session_id_length) {
- return 1;
- }
-
- return OPENSSL_memcmp(a->session_id, b->session_id, a->session_id_length);
+ return MakeConstSpan(a->session_id) == b->session_id ? 0 : 1;
}
ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
@@ -1522,36 +1514,31 @@ int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
// The tls-unique value is the first Finished message in the handshake, which
// is the client's in a full handshake and the server's for a resumption. See
// https://tools.ietf.org/html/rfc5929#section-3.1.
- const uint8_t *finished = ssl->s3->previous_client_finished;
- size_t finished_len = ssl->s3->previous_client_finished_len;
+ Span finished = ssl->s3->previous_client_finished;
if (ssl->session != NULL) {
// tls-unique is broken for resumed sessions unless EMS is used.
if (!ssl->session->extended_master_secret) {
return 0;
}
finished = ssl->s3->previous_server_finished;
- finished_len = ssl->s3->previous_server_finished_len;
}
- *out_len = finished_len;
- if (finished_len > max_out) {
+ *out_len = finished.size();
+ if (finished.size() > max_out) {
*out_len = max_out;
}
- OPENSSL_memcpy(out, finished, *out_len);
+ OPENSSL_memcpy(out, finished.data(), *out_len);
return 1;
}
static int set_session_id_context(CERT *cert, const uint8_t *sid_ctx,
- size_t sid_ctx_len) {
- if (sid_ctx_len > sizeof(cert->sid_ctx)) {
+ size_t sid_ctx_len) {
+ if (!cert->sid_ctx.TryCopyFrom(MakeConstSpan(sid_ctx, sid_ctx_len))) {
OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
return 0;
}
- static_assert(sizeof(cert->sid_ctx) < 256, "sid_ctx too large");
- cert->sid_ctx_length = (uint8_t)sid_ctx_len;
- OPENSSL_memcpy(cert->sid_ctx, sid_ctx, sid_ctx_len);
return 1;
}
@@ -1574,8 +1561,8 @@ const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) {
*out_len = 0;
return NULL;
}
- *out_len = ssl->config->cert->sid_ctx_length;
- return ssl->config->cert->sid_ctx;
+ *out_len = ssl->config->cert->sid_ctx.size();
+ return ssl->config->cert->sid_ctx.data();
}
int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); }
@@ -1650,13 +1637,12 @@ int SSL_set_rfd(SSL *ssl, int fd) {
}
#endif // !OPENSSL_NO_SOCK
-static size_t copy_finished(void *out, size_t out_len, const uint8_t *in,
- size_t in_len) {
- if (out_len > in_len) {
- out_len = in_len;
+static size_t copy_finished(void *out, size_t out_len, Span in) {
+ if (out_len > in.size()) {
+ out_len = in.size();
}
- OPENSSL_memcpy(out, in, out_len);
- return in_len;
+ OPENSSL_memcpy(out, in.data(), out_len);
+ return in.size();
}
size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
@@ -1666,12 +1652,10 @@ size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
}
if (ssl->server) {
- return copy_finished(buf, count, ssl->s3->previous_server_finished,
- ssl->s3->previous_server_finished_len);
+ return copy_finished(buf, count, ssl->s3->previous_server_finished);
}
- return copy_finished(buf, count, ssl->s3->previous_client_finished,
- ssl->s3->previous_client_finished_len);
+ return copy_finished(buf, count, ssl->s3->previous_client_finished);
}
size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
@@ -1681,12 +1665,10 @@ size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
}
if (ssl->server) {
- return copy_finished(buf, count, ssl->s3->previous_client_finished,
- ssl->s3->previous_client_finished_len);
+ return copy_finished(buf, count, ssl->s3->previous_client_finished);
}
- return copy_finished(buf, count, ssl->s3->previous_server_finished,
- ssl->s3->previous_server_finished_len);
+ return copy_finished(buf, count, ssl->s3->previous_server_finished);
}
int SSL_get_verify_mode(const SSL *ssl) {
diff --git a/yass/third_party/boringssl/src/ssl/ssl_session.cc b/yass/third_party/boringssl/src/ssl/ssl_session.cc
index 92bd822155..f455b1b623 100644
--- a/yass/third_party/boringssl/src/ssl/ssl_session.cc
+++ b/yass/third_party/boringssl/src/ssl/ssl_session.cc
@@ -197,12 +197,10 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
new_session->is_server = session->is_server;
new_session->ssl_version = session->ssl_version;
new_session->is_quic = session->is_quic;
- new_session->sid_ctx_length = session->sid_ctx_length;
- OPENSSL_memcpy(new_session->sid_ctx, session->sid_ctx, session->sid_ctx_length);
+ new_session->sid_ctx = session->sid_ctx;
// Copy the key material.
- new_session->secret_length = session->secret_length;
- OPENSSL_memcpy(new_session->secret, session->secret, session->secret_length);
+ new_session->secret = session->secret;
new_session->cipher = session->cipher;
// Copy authentication state.
@@ -247,17 +245,9 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
// Copy non-authentication connection properties.
if (dup_flags & SSL_SESSION_INCLUDE_NONAUTH) {
- new_session->session_id_length = session->session_id_length;
- OPENSSL_memcpy(new_session->session_id, session->session_id,
- session->session_id_length);
-
+ new_session->session_id = session->session_id;
new_session->group_id = session->group_id;
-
- OPENSSL_memcpy(new_session->original_handshake_hash,
- session->original_handshake_hash,
- session->original_handshake_hash_len);
- new_session->original_handshake_hash_len =
- session->original_handshake_hash_len;
+ new_session->original_handshake_hash = session->original_handshake_hash;
new_session->ticket_lifetime_hint = session->ticket_lifetime_hint;
new_session->ticket_age_add = session->ticket_age_add;
new_session->ticket_max_early_data = session->ticket_max_early_data;
@@ -383,13 +373,10 @@ bool ssl_get_new_session(SSL_HANDSHAKE *hs) {
session->auth_timeout = ssl->session_ctx->session_timeout;
}
- if (hs->config->cert->sid_ctx_length > sizeof(session->sid_ctx)) {
+ if (!session->sid_ctx.TryCopyFrom(hs->config->cert->sid_ctx)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return false;
}
- OPENSSL_memcpy(session->sid_ctx, hs->config->cert->sid_ctx,
- hs->config->cert->sid_ctx_length);
- session->sid_ctx_length = hs->config->cert->sid_ctx_length;
// The session is marked not resumable until it is completely filled in.
session->not_resumable = true;
@@ -580,13 +567,8 @@ bool ssl_encrypt_ticket(SSL_HANDSHAKE *hs, CBB *out,
bool ssl_session_is_context_valid(const SSL_HANDSHAKE *hs,
const SSL_SESSION *session) {
- if (session == NULL) {
- return false;
- }
-
- return session->sid_ctx_length == hs->config->cert->sid_ctx_length &&
- OPENSSL_memcmp(session->sid_ctx, hs->config->cert->sid_ctx,
- hs->config->cert->sid_ctx_length) == 0;
+ return session != nullptr &&
+ MakeConstSpan(session->sid_ctx) == hs->config->cert->sid_ctx;
}
bool ssl_session_is_time_valid(const SSL *ssl, const SSL_SESSION *session) {
@@ -655,9 +637,7 @@ static enum ssl_hs_wait_t ssl_lookup_session(
auto cmp = [](const void *key, const SSL_SESSION *sess) -> int {
Span key_id =
*reinterpret_cast *>(key);
- Span sess_id =
- MakeConstSpan(sess->session_id, sess->session_id_length);
- return key_id == sess_id ? 0 : 1;
+ return key_id == sess->session_id ? 0 : 1;
};
MutexReadLock lock(&ssl->session_ctx->lock);
// |lh_SSL_SESSION_retrieve_key| returns a non-owning pointer.
@@ -752,7 +732,7 @@ enum ssl_hs_wait_t ssl_get_prev_session(SSL_HANDSHAKE *hs,
}
static bool remove_session(SSL_CTX *ctx, SSL_SESSION *session, bool lock) {
- if (session == nullptr || session->session_id_length == 0) {
+ if (session == nullptr || session->session_id.empty()) {
return false;
}
@@ -971,21 +951,18 @@ void SSL_SESSION_free(SSL_SESSION *session) {
const uint8_t *SSL_SESSION_get_id(const SSL_SESSION *session,
unsigned *out_len) {
if (out_len != NULL) {
- *out_len = session->session_id_length;
+ *out_len = session->session_id.size();
}
- return session->session_id;
+ return session->session_id.data();
}
int SSL_SESSION_set1_id(SSL_SESSION *session, const uint8_t *sid,
size_t sid_len) {
- if (sid_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
+ if (!session->session_id.TryCopyFrom(MakeConstSpan(sid, sid_len))) {
OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_TOO_LONG);
return 0;
}
- // Use memmove in case someone passes in the output of |SSL_SESSION_get_id|.
- OPENSSL_memmove(session->session_id, sid, sid_len);
- session->session_id_length = sid_len;
return 1;
}
@@ -1035,14 +1012,13 @@ void SSL_SESSION_get0_ocsp_response(const SSL_SESSION *session,
size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out,
size_t max_out) {
- // TODO(davidben): Fix secret_length's type and remove these casts.
if (max_out == 0) {
- return (size_t)session->secret_length;
+ return session->secret.size();
}
- if (max_out > (size_t)session->secret_length) {
- max_out = (size_t)session->secret_length;
+ if (max_out > session->secret.size()) {
+ max_out = session->secret.size();
}
- OPENSSL_memcpy(out, session->secret, max_out);
+ OPENSSL_memcpy(out, session->secret.data(), max_out);
return max_out;
}
@@ -1068,22 +1044,18 @@ uint32_t SSL_SESSION_set_timeout(SSL_SESSION *session, uint32_t timeout) {
const uint8_t *SSL_SESSION_get0_id_context(const SSL_SESSION *session,
unsigned *out_len) {
if (out_len != NULL) {
- *out_len = session->sid_ctx_length;
+ *out_len = session->sid_ctx.size();
}
- return session->sid_ctx;
+ return session->sid_ctx.data();
}
int SSL_SESSION_set1_id_context(SSL_SESSION *session, const uint8_t *sid_ctx,
size_t sid_ctx_len) {
- if (sid_ctx_len > sizeof(session->sid_ctx)) {
+ if (!session->sid_ctx.TryCopyFrom(MakeConstSpan(sid_ctx, sid_ctx_len))) {
OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
return 0;
}
- static_assert(sizeof(session->sid_ctx) < 256, "sid_ctx_len does not fit");
- session->sid_ctx_length = (uint8_t)sid_ctx_len;
- OPENSSL_memcpy(session->sid_ctx, sid_ctx, sid_ctx_len);
-
return 1;
}
@@ -1093,7 +1065,7 @@ int SSL_SESSION_should_be_single_use(const SSL_SESSION *session) {
int SSL_SESSION_is_resumable(const SSL_SESSION *session) {
return !session->not_resumable &&
- (session->session_id_length != 0 || !session->ticket.empty());
+ (!session->session_id.empty() || !session->ticket.empty());
}
int SSL_SESSION_has_ticket(const SSL_SESSION *session) {
diff --git a/yass/third_party/boringssl/src/ssl/ssl_test.cc b/yass/third_party/boringssl/src/ssl/ssl_test.cc
index b55288588c..4d74bfa95a 100644
--- a/yass/third_party/boringssl/src/ssl/ssl_test.cc
+++ b/yass/third_party/boringssl/src/ssl/ssl_test.cc
@@ -567,6 +567,13 @@ static bool CipherListsEqual(SSL_CTX *ctx,
return true;
}
+TEST(ArrayDeathTest, BoundsChecks) {
+ Array array;
+ const int v[] = {1, 2, 3, 4};
+ ASSERT_TRUE(array.CopyFrom(v));
+ EXPECT_DEATH_IF_SUPPORTED(array[4], "");
+}
+
TEST(VectorTest, Resize) {
Vector vec;
ASSERT_TRUE(vec.empty());
@@ -587,6 +594,16 @@ TEST(VectorTest, Resize) {
for (size_t i = 0; i < vec.size(); i++) {
EXPECT_EQ(vec[i], i == 0 ? 42 : i);
}
+
+ // Clearing the vector should give an empty one.
+ vec.clear();
+ ASSERT_TRUE(vec.empty());
+ EXPECT_EQ(vec.size(), 0u);
+
+ ASSERT_TRUE(vec.Push(42));
+ ASSERT_TRUE(!vec.empty());
+ EXPECT_EQ(vec.size(), 1u);
+ EXPECT_EQ(vec[0], 42u);
}
TEST(VectorTest, MoveConstructor) {
@@ -635,6 +652,175 @@ TEST(VectorTest, VectorContainingVectors) {
}
}
+TEST(VectorTest, NotDefaultConstructible) {
+ struct NotDefaultConstructible {
+ explicit NotDefaultConstructible(size_t n) { array.Init(n); }
+ Array array;
+ };
+
+ Vector vec;
+ vec.Push(NotDefaultConstructible(0));
+ vec.Push(NotDefaultConstructible(1));
+ vec.Push(NotDefaultConstructible(2));
+ vec.Push(NotDefaultConstructible(3));
+ EXPECT_EQ(vec.size(), 4u);
+ EXPECT_EQ(0u, vec[0].array.size());
+ EXPECT_EQ(1u, vec[1].array.size());
+ EXPECT_EQ(2u, vec[2].array.size());
+ EXPECT_EQ(3u, vec[3].array.size());
+}
+
+TEST(VectorDeathTest, BoundsChecks) {
+ Vector vec;
+ ASSERT_TRUE(vec.Push(1));
+ // Within bounds of the capacity, but not the vector.
+ EXPECT_DEATH_IF_SUPPORTED(vec[1], "");
+ // Not within bounds of the capacity either.
+ EXPECT_DEATH_IF_SUPPORTED(vec[10000], "");
+}
+
+TEST(InplaceVector, Basic) {
+ InplaceVector vec;
+ EXPECT_TRUE(vec.empty());
+ EXPECT_EQ(0u, vec.size());
+ EXPECT_EQ(vec.begin(), vec.end());
+
+ int data3[] = {1, 2, 3};
+ ASSERT_TRUE(vec.TryCopyFrom(data3));
+ EXPECT_FALSE(vec.empty());
+ EXPECT_EQ(3u, vec.size());
+ auto iter = vec.begin();
+ EXPECT_EQ(1, vec[0]);
+ EXPECT_EQ(1, *iter);
+ iter++;
+ EXPECT_EQ(2, vec[1]);
+ EXPECT_EQ(2, *iter);
+ iter++;
+ EXPECT_EQ(3, vec[2]);
+ EXPECT_EQ(3, *iter);
+ iter++;
+ EXPECT_EQ(iter, vec.end());
+ EXPECT_EQ(MakeConstSpan(vec), MakeConstSpan(data3));
+
+ InplaceVector vec2 = vec;
+ EXPECT_EQ(MakeConstSpan(vec), MakeConstSpan(vec2));
+
+ InplaceVector vec3;
+ vec3 = vec;
+ EXPECT_EQ(MakeConstSpan(vec), MakeConstSpan(vec2));
+
+ int data4[] = {1, 2, 3, 4};
+ ASSERT_TRUE(vec.TryCopyFrom(data4));
+ EXPECT_EQ(MakeConstSpan(vec), MakeConstSpan(data4));
+
+ int data5[] = {1, 2, 3, 4, 5};
+ EXPECT_FALSE(vec.TryCopyFrom(data5));
+ EXPECT_FALSE(vec.TryResize(5));
+
+ // Shrink the vector.
+ ASSERT_TRUE(vec.TryResize(3));
+ EXPECT_EQ(MakeConstSpan(vec), MakeConstSpan(data3));
+
+ // Enlarge it again. The new value should have been value-initialized.
+ ASSERT_TRUE(vec.TryResize(4));
+ EXPECT_EQ(vec[3], 0);
+
+ // Self-assignment should not break the vector. Indirect through a pointer to
+ // avoid tripping a compiler warning.
+ vec.CopyFrom(data4);
+ const auto *ptr = &vec;
+ vec = *ptr;
+ EXPECT_EQ(MakeConstSpan(vec), MakeConstSpan(data4));
+}
+
+TEST(InplaceVectorTest, ComplexType) {
+ InplaceVector, 4> vec_of_vecs;
+ const std::vector data[] = {{1, 2, 3}, {4, 5, 6}, {7, 8, 9}};
+ vec_of_vecs.CopyFrom(data);
+ EXPECT_EQ(MakeConstSpan(vec_of_vecs), MakeConstSpan(data));
+
+ vec_of_vecs.Resize(2);
+ EXPECT_EQ(MakeConstSpan(vec_of_vecs), MakeConstSpan(data, 2));
+
+ vec_of_vecs.Resize(4);
+ EXPECT_EQ(4u, vec_of_vecs.size());
+ EXPECT_EQ(vec_of_vecs[0], data[0]);
+ EXPECT_EQ(vec_of_vecs[1], data[1]);
+ EXPECT_TRUE(vec_of_vecs[2].empty());
+ EXPECT_TRUE(vec_of_vecs[3].empty());
+
+ // Copy-construction.
+ InplaceVector, 4> vec_of_vecs2 = vec_of_vecs;
+ EXPECT_EQ(4u, vec_of_vecs2.size());
+ EXPECT_EQ(vec_of_vecs2[0], data[0]);
+ EXPECT_EQ(vec_of_vecs2[1], data[1]);
+ EXPECT_TRUE(vec_of_vecs2[2].empty());
+ EXPECT_TRUE(vec_of_vecs2[3].empty());
+
+ // Copy-assignment.
+ InplaceVector, 4> vec_of_vecs3;
+ vec_of_vecs3 = vec_of_vecs;
+ EXPECT_EQ(4u, vec_of_vecs3.size());
+ EXPECT_EQ(vec_of_vecs3[0], data[0]);
+ EXPECT_EQ(vec_of_vecs3[1], data[1]);
+ EXPECT_TRUE(vec_of_vecs3[2].empty());
+ EXPECT_TRUE(vec_of_vecs3[3].empty());
+
+ // Move-construction.
+ InplaceVector, 4> vec_of_vecs4 = std::move(vec_of_vecs);
+ EXPECT_EQ(4u, vec_of_vecs4.size());
+ EXPECT_EQ(vec_of_vecs4[0], data[0]);
+ EXPECT_EQ(vec_of_vecs4[1], data[1]);
+ EXPECT_TRUE(vec_of_vecs4[2].empty());
+ EXPECT_TRUE(vec_of_vecs4[3].empty());
+
+ // The elements of the original vector should have been moved-from.
+ EXPECT_EQ(4u, vec_of_vecs.size());
+ for (const auto &vec : vec_of_vecs) {
+ EXPECT_TRUE(vec.empty());
+ }
+
+ // Move-assignment.
+ InplaceVector, 4> vec_of_vecs5;
+ vec_of_vecs5 = std::move(vec_of_vecs4);
+ EXPECT_EQ(4u, vec_of_vecs5.size());
+ EXPECT_EQ(vec_of_vecs5[0], data[0]);
+ EXPECT_EQ(vec_of_vecs5[1], data[1]);
+ EXPECT_TRUE(vec_of_vecs5[2].empty());
+ EXPECT_TRUE(vec_of_vecs5[3].empty());
+
+ // The elements of the original vector should have been moved-from.
+ EXPECT_EQ(4u, vec_of_vecs4.size());
+ for (const auto &vec : vec_of_vecs4) {
+ EXPECT_TRUE(vec.empty());
+ }
+
+ std::vector v = {42};
+ vec_of_vecs5.Resize(3);
+ EXPECT_TRUE(vec_of_vecs5.TryPushBack(v));
+ EXPECT_EQ(v, vec_of_vecs5[3]);
+ EXPECT_FALSE(vec_of_vecs5.TryPushBack(v));
+}
+
+TEST(InplaceVectorDeathTest, BoundsChecks) {
+ InplaceVector vec;
+ // The vector is currently empty.
+ EXPECT_DEATH_IF_SUPPORTED(vec[0], "");
+ int data[] = {1, 2, 3};
+ vec.CopyFrom(data);
+ // Some more out-of-bounds elements.
+ EXPECT_DEATH_IF_SUPPORTED(vec[3], "");
+ EXPECT_DEATH_IF_SUPPORTED(vec[4], "");
+ EXPECT_DEATH_IF_SUPPORTED(vec[1000], "");
+ // The vector cannot be resized past the capacity.
+ EXPECT_DEATH_IF_SUPPORTED(vec.Resize(5), "");
+ EXPECT_DEATH_IF_SUPPORTED(vec.ResizeMaybeUninit(5), "");
+ int too_much_data[] = {1, 2, 3, 4, 5};
+ EXPECT_DEATH_IF_SUPPORTED(vec.CopyFrom(too_much_data), "");
+ vec.Resize(4);
+ EXPECT_DEATH_IF_SUPPORTED(vec.PushBack(42), "");
+}
+
TEST(ReconstructSeqnumTest, Increment) {
// Test simple cases from the beginning of an epoch with both 8- and 16-bit
// wire sequence numbers.
diff --git a/yass/third_party/boringssl/src/ssl/ssl_transcript.cc b/yass/third_party/boringssl/src/ssl/ssl_transcript.cc
index 58fd21e57c..239363d380 100644
--- a/yass/third_party/boringssl/src/ssl/ssl_transcript.cc
+++ b/yass/third_party/boringssl/src/ssl/ssl_transcript.cc
@@ -259,8 +259,7 @@ bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len,
}
static const size_t kFinishedLen = 12;
- if (!tls1_prf(Digest(), MakeSpan(out, kFinishedLen),
- MakeConstSpan(session->secret, session->secret_length), label,
+ if (!tls1_prf(Digest(), MakeSpan(out, kFinishedLen), session->secret, label,
MakeConstSpan(digest, digest_len), {})) {
return false;
}
diff --git a/yass/third_party/boringssl/src/ssl/t1_enc.cc b/yass/third_party/boringssl/src/ssl/t1_enc.cc
index 1895bac59a..360c855139 100644
--- a/yass/third_party/boringssl/src/ssl/t1_enc.cc
+++ b/yass/third_party/boringssl/src/ssl/t1_enc.cc
@@ -191,14 +191,13 @@ static bool get_key_block_lengths(const SSL *ssl, size_t *out_mac_secret_len,
static bool generate_key_block(const SSL *ssl, Span out,
const SSL_SESSION *session) {
- auto secret = MakeConstSpan(session->secret, session->secret_length);
static const char kLabel[] = "key expansion";
auto label = MakeConstSpan(kLabel, sizeof(kLabel) - 1);
const EVP_MD *digest = ssl_session_get_digest(session);
// Note this function assumes that |session|'s key material corresponds to
// |ssl->s3->client_random| and |ssl->s3->server_random|.
- return tls1_prf(digest, out, secret, label, ssl->s3->server_random,
+ return tls1_prf(digest, out, session->secret, label, ssl->s3->server_random,
ssl->s3->client_random);
}
@@ -266,33 +265,33 @@ bool tls1_change_cipher_state(SSL_HANDSHAKE *hs,
ssl_handshake_session(hs), {});
}
-int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,
- Span premaster) {
+bool tls1_generate_master_secret(SSL_HANDSHAKE *hs, Span out,
+ Span premaster) {
static const char kMasterSecretLabel[] = "master secret";
static const char kExtendedMasterSecretLabel[] = "extended master secret";
+ BSSL_CHECK(out.size() == SSL3_MASTER_SECRET_SIZE);
const SSL *ssl = hs->ssl;
- auto out_span = MakeSpan(out, SSL3_MASTER_SECRET_SIZE);
if (hs->extended_master_secret) {
auto label = MakeConstSpan(kExtendedMasterSecretLabel,
sizeof(kExtendedMasterSecretLabel) - 1);
uint8_t digests[EVP_MAX_MD_SIZE];
size_t digests_len;
if (!hs->transcript.GetHash(digests, &digests_len) ||
- !tls1_prf(hs->transcript.Digest(), out_span, premaster, label,
+ !tls1_prf(hs->transcript.Digest(), out, premaster, label,
MakeConstSpan(digests, digests_len), {})) {
- return 0;
+ return false;
}
} else {
auto label =
MakeConstSpan(kMasterSecretLabel, sizeof(kMasterSecretLabel) - 1);
- if (!tls1_prf(hs->transcript.Digest(), out_span, premaster, label,
+ if (!tls1_prf(hs->transcript.Digest(), out, premaster, label,
ssl->s3->client_random, ssl->s3->server_random)) {
- return 0;
+ return false;
}
}
- return SSL3_MASTER_SECRET_SIZE;
+ return true;
}
BSSL_NAMESPACE_END
@@ -334,7 +333,7 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
int use_context) {
// In TLS 1.3, the exporter may be used whenever the secret has been derived.
if (ssl->s3->version != 0 && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
- if (ssl->s3->exporter_secret_len == 0) {
+ if (ssl->s3->exporter_secret.empty()) {
OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);
return 0;
}
@@ -343,8 +342,7 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
context_len = 0;
}
return tls13_export_keying_material(
- ssl, MakeSpan(out, out_len),
- MakeConstSpan(ssl->s3->exporter_secret, ssl->s3->exporter_secret_len),
+ ssl, MakeSpan(out, out_len), ssl->s3->exporter_secret,
MakeConstSpan(label, label_len), MakeConstSpan(context, context_len));
}
@@ -379,7 +377,6 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
const SSL_SESSION *session = SSL_get_session(ssl);
const EVP_MD *digest = ssl_session_get_digest(session);
- return tls1_prf(digest, MakeSpan(out, out_len),
- MakeConstSpan(session->secret, session->secret_length),
+ return tls1_prf(digest, MakeSpan(out, out_len), session->secret,
MakeConstSpan(label, label_len), seed, {});
}
diff --git a/yass/third_party/boringssl/src/ssl/tls13_client.cc b/yass/third_party/boringssl/src/ssl/tls13_client.cc
index fd9ab0aa8a..76f970c179 100644
--- a/yass/third_party/boringssl/src/ssl/tls13_client.cc
+++ b/yass/third_party/boringssl/src/ssl/tls13_client.cc
@@ -109,24 +109,21 @@ static bool parse_server_hello_tls13(const SSL_HANDSHAKE *hs,
if (!ssl_parse_server_hello(out, out_alert, msg)) {
return false;
}
- uint16_t server_hello_version = TLS1_2_VERSION;
- if (SSL_is_dtls(hs->ssl)) {
- server_hello_version = DTLS1_2_VERSION;
- }
+ uint16_t expected_version =
+ SSL_is_dtls(hs->ssl) ? DTLS1_2_VERSION : TLS1_2_VERSION;
// DTLS 1.3 disables "compatibility mode" (RFC 8446, appendix D.4). When
// disabled, servers MUST NOT echo the legacy_session_id (RFC 9147, section
// 5). The client could have sent a session ID indicating its willingness to
// resume a DTLS 1.2 session, so just checking that the session IDs match is
// incorrect.
- bool session_id_match =
- (SSL_is_dtls(hs->ssl) && CBS_len(&out->session_id) == 0) ||
- (!SSL_is_dtls(hs->ssl) &&
- CBS_mem_equal(&out->session_id, hs->session_id, hs->session_id_len));
+ Span expected_session_id = SSL_is_dtls(hs->ssl)
+ ? Span()
+ : MakeConstSpan(hs->session_id);
- // The RFC8446 version of the structure fixes some legacy values.
- // Additionally, the session ID must echo the original one.
- if (out->legacy_version != server_hello_version ||
- out->compression_method != 0 || !session_id_match ||
+ // RFC 8446 fixes some legacy values. Check them.
+ if (out->legacy_version != expected_version || //
+ out->compression_method != 0 ||
+ Span(out->session_id) != expected_session_id ||
CBS_len(&out->extensions) == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
*out_alert = SSL_AD_DECODE_ERROR;
@@ -497,11 +494,9 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
// Set up the key schedule and incorporate the PSK into the running secret.
size_t hash_len = EVP_MD_size(
ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));
- if (!tls13_init_key_schedule(
- hs, ssl->s3->session_reused
- ? MakeConstSpan(hs->new_session->secret,
- hs->new_session->secret_length)
- : MakeConstSpan(kZeroes, hash_len))) {
+ if (!tls13_init_key_schedule(hs, ssl->s3->session_reused
+ ? MakeConstSpan(hs->new_session->secret)
+ : MakeConstSpan(kZeroes, hash_len))) {
return ssl_hs_error;
}
@@ -1166,8 +1161,8 @@ UniquePtr tls13_create_session_with_ticket(SSL *ssl, CBS *body) {
// Historically, OpenSSL filled in fake session IDs for ticket-based sessions.
// Envoy's tests depend on this, although perhaps they shouldn't.
- SHA256(CBS_data(&ticket), CBS_len(&ticket), session->session_id);
- session->session_id_length = SHA256_DIGEST_LENGTH;
+ session->session_id.ResizeMaybeUninit(SHA256_DIGEST_LENGTH);
+ SHA256(CBS_data(&ticket), CBS_len(&ticket), session->session_id.data());
session->ticket_age_add_valid = true;
session->not_resumable = false;
diff --git a/yass/third_party/boringssl/src/ssl/tls13_enc.cc b/yass/third_party/boringssl/src/ssl/tls13_enc.cc
index fad411757e..f601b1a8c7 100644
--- a/yass/third_party/boringssl/src/ssl/tls13_enc.cc
+++ b/yass/third_party/boringssl/src/ssl/tls13_enc.cc
@@ -83,9 +83,7 @@ bool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs,
return init_key_schedule(hs, transcript,
ssl_session_protocol_version(session),
session->cipher) &&
- hkdf_extract_to_secret(
- hs, *transcript,
- MakeConstSpan(session->secret, session->secret_length));
+ hkdf_extract_to_secret(hs, *transcript, session->secret);
}
static Span label_to_span(const char *label) {
@@ -249,17 +247,13 @@ bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,
secret_for_quic)) {
return false;
}
- OPENSSL_memmove(ssl->s3->read_traffic_secret, traffic_secret.data(),
- traffic_secret.size());
- ssl->s3->read_traffic_secret_len = traffic_secret.size();
+ ssl->s3->read_traffic_secret.CopyFrom(traffic_secret);
} else {
if (!ssl->method->set_write_state(ssl, level, std::move(traffic_aead),
secret_for_quic)) {
return false;
}
- OPENSSL_memmove(ssl->s3->write_traffic_secret, traffic_secret.data(),
- traffic_secret.size());
- ssl->s3->write_traffic_secret_len = traffic_secret.size();
+ ssl->s3->write_traffic_secret.CopyFrom(traffic_secret);
}
return true;
@@ -309,7 +303,6 @@ bool tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {
bool tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- ssl->s3->exporter_secret_len = hs->transcript.DigestLen();
if (!derive_secret(hs, hs->client_traffic_secret_0(),
label_to_span(kTLS13LabelClientApplicationTraffic)) ||
!ssl_log_secret(ssl, "CLIENT_TRAFFIC_SECRET_0",
@@ -317,13 +310,13 @@ bool tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {
!derive_secret(hs, hs->server_traffic_secret_0(),
label_to_span(kTLS13LabelServerApplicationTraffic)) ||
!ssl_log_secret(ssl, "SERVER_TRAFFIC_SECRET_0",
- hs->server_traffic_secret_0()) ||
- !derive_secret(
- hs, MakeSpan(ssl->s3->exporter_secret, ssl->s3->exporter_secret_len),
- label_to_span(kTLS13LabelExporter)) ||
- !ssl_log_secret(ssl, "EXPORTER_SECRET",
- MakeConstSpan(ssl->s3->exporter_secret,
- ssl->s3->exporter_secret_len))) {
+ hs->server_traffic_secret_0())) {
+ return false;
+ }
+ ssl->s3->exporter_secret.ResizeMaybeUninit(hs->transcript.DigestLen());
+ if (!derive_secret(hs, MakeSpan(ssl->s3->exporter_secret),
+ label_to_span(kTLS13LabelExporter)) ||
+ !ssl_log_secret(ssl, "EXPORTER_SECRET", ssl->s3->exporter_secret)) {
return false;
}
@@ -333,14 +326,9 @@ bool tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {
static const char kTLS13LabelApplicationTraffic[] = "traffic upd";
bool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {
- Span secret;
- if (direction == evp_aead_open) {
- secret = MakeSpan(ssl->s3->read_traffic_secret,
- ssl->s3->read_traffic_secret_len);
- } else {
- secret = MakeSpan(ssl->s3->write_traffic_secret,
- ssl->s3->write_traffic_secret_len);
- }
+ Span secret = direction == evp_aead_open
+ ? MakeSpan(ssl->s3->read_traffic_secret)
+ : MakeSpan(ssl->s3->write_traffic_secret);
const SSL_SESSION *session = SSL_get_session(ssl);
const EVP_MD *digest = ssl_session_get_digest(session);
@@ -354,14 +342,9 @@ bool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {
static const char kTLS13LabelResumption[] = "res master";
bool tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) {
- if (hs->transcript.DigestLen() > SSL_MAX_MASTER_KEY_LENGTH) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return false;
- }
- hs->new_session->secret_length = hs->transcript.DigestLen();
- return derive_secret(
- hs, MakeSpan(hs->new_session->secret, hs->new_session->secret_length),
- label_to_span(kTLS13LabelResumption));
+ hs->new_session->secret.ResizeMaybeUninit(hs->transcript.DigestLen());
+ return derive_secret(hs, MakeSpan(hs->new_session->secret),
+ label_to_span(kTLS13LabelResumption));
}
static const char kTLS13LabelFinished[] = "finished";
@@ -410,8 +393,8 @@ bool tls13_derive_session_psk(SSL_SESSION *session, Span nonce,
const EVP_MD *digest = ssl_session_get_digest(session);
// The session initially stores the resumption_master_secret, which we
// override with the PSK.
- auto session_secret = MakeSpan(session->secret, session->secret_length);
- return hkdf_expand_label(session_secret, digest, session_secret,
+ assert(session->secret.size() == EVP_MD_size(digest));
+ return hkdf_expand_label(MakeSpan(session->secret), digest, session->secret,
label_to_span(kTLS13LabelResumptionPSK), nonce,
is_dtls);
}
@@ -473,8 +456,9 @@ static bool tls13_psk_binder(uint8_t *out, size_t *out_len,
auto binder_key = MakeSpan(binder_key_buf, EVP_MD_size(digest));
if (!EVP_Digest(nullptr, 0, binder_context, &binder_context_len, digest,
nullptr) ||
- !HKDF_extract(early_secret, &early_secret_len, digest, session->secret,
- session->secret_length, nullptr, 0) ||
+ !HKDF_extract(early_secret, &early_secret_len, digest,
+ session->secret.data(), session->secret.size(), nullptr,
+ 0) ||
!hkdf_expand_label(
binder_key, digest, MakeConstSpan(early_secret, early_secret_len),
label_to_span(kTLS13LabelPSKBinder),
diff --git a/yass/third_party/boringssl/src/ssl/tls13_server.cc b/yass/third_party/boringssl/src/ssl/tls13_server.cc
index e163d70d6b..655141fbb4 100644
--- a/yass/third_party/boringssl/src/ssl/tls13_server.cc
+++ b/yass/third_party/boringssl/src/ssl/tls13_server.cc
@@ -249,9 +249,8 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
// 'legacy_session_id' value from the client" (RFC 9147, section 5) as it
// would in a TLS 1.3 handshake.
if (!SSL_is_dtls(ssl)) {
- OPENSSL_memcpy(hs->session_id, client_hello.session_id,
- client_hello.session_id_len);
- hs->session_id_len = client_hello.session_id_len;
+ hs->session_id.CopyFrom(
+ MakeConstSpan(client_hello.session_id, client_hello.session_id_len));
}
Array creds;
@@ -561,11 +560,9 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));
// Set up the key schedule and incorporate the PSK into the running secret.
- if (!tls13_init_key_schedule(
- hs, ssl->s3->session_reused
- ? MakeConstSpan(hs->new_session->secret,
- hs->new_session->secret_length)
- : MakeConstSpan(kZeroes, hash_len)) ||
+ if (!tls13_init_key_schedule(hs, ssl->s3->session_reused
+ ? MakeConstSpan(hs->new_session->secret)
+ : MakeConstSpan(kZeroes, hash_len)) ||
!ssl_hash_message(hs, msg)) {
return ssl_hs_error;
}
@@ -609,7 +606,8 @@ static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
!CBB_add_u16(&body, TLS1_2_VERSION) ||
!CBB_add_bytes(&body, kHelloRetryRequest, SSL3_RANDOM_SIZE) ||
!CBB_add_u8_length_prefixed(&body, &session_id) ||
- !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||
+ !CBB_add_bytes(&session_id, hs->session_id.data(),
+ hs->session_id.size()) ||
!CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||
!CBB_add_u8(&body, 0 /* no compression */) ||
!CBB_add_u16_length_prefixed(&body, &extensions) ||
@@ -810,7 +808,8 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
!CBB_add_bytes(&body, ssl->s3->server_random,
sizeof(ssl->s3->server_random)) ||
!CBB_add_u8_length_prefixed(&body, &session_id) ||
- !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||
+ !CBB_add_bytes(&session_id, hs->session_id.data(),
+ hs->session_id.size()) ||
!CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||
!CBB_add_u8(&body, 0) ||
!CBB_add_u16_length_prefixed(&body, &extensions) ||
diff --git a/yass/third_party/boringssl/src/util/bot/DEPS b/yass/third_party/boringssl/src/util/bot/DEPS
index 441b8430fe..1c7fa7cf70 100644
--- a/yass/third_party/boringssl/src/util/bot/DEPS
+++ b/yass/third_party/boringssl/src/util/bot/DEPS
@@ -25,7 +25,7 @@ vars = {
'checkout_nasm': False,
'checkout_libcxx': False,
'checkout_riscv64': False,
- 'vs_version': '2019',
+ 'vs_version': '2022',
# Run the following command to see the latest builds in CIPD:
# cipd describe PACKAGE_NAME -version latest
diff --git a/yass/third_party/boringssl/src/util/bot/vs_toolchain.py b/yass/third_party/boringssl/src/util/bot/vs_toolchain.py
index c6dc4a4a10..4fb70eac6e 100644
--- a/yass/third_party/boringssl/src/util/bot/vs_toolchain.py
+++ b/yass/third_party/boringssl/src/util/bot/vs_toolchain.py
@@ -63,15 +63,6 @@ def FindDepotTools():
def _GetDesiredVsToolchainHashes(version):
"""Load a list of SHA1s corresponding to the toolchains that we want installed
to build with."""
- if version == '2017':
- # VS 2017 Update 9 (15.9.12) with 10.0.18362 SDK, 10.0.17763 version of
- # Debuggers, and 10.0.17134 version of d3dcompiler_47.dll, with ARM64
- # libraries.
- return ['418b3076791776573a815eb298c8aa590307af63']
- if version == '2019':
- # VS 2019 16.61 with 10.0.20348.0 SDK, 10.0.22621.755 version of Debuggers,
- # with ARM64 libraries and UWP support.
- return ['0b5ee4d2b1']
if version == '2022':
# VS 2022 17.9.2 with 10.0.22621.2428 SDK with ARM64 libraries and UWP
# support.
diff --git a/yass/third_party/libc++/CMakeLists.txt b/yass/third_party/libc++/CMakeLists.txt
index cfd6964e28..e5bcf160f4 100644
--- a/yass/third_party/libc++/CMakeLists.txt
+++ b/yass/third_party/libc++/CMakeLists.txt
@@ -59,7 +59,7 @@ foreach(CompilerFlag ${CompilerFlags})
string(REPLACE "-stdlib=libc++" "" ${CompilerFlag} "${${CompilerFlag}}")
endforeach()
-set(libcxx_CR "e8d7247aa3998ef167bb334f516bdb3467971c07")
+set(libcxx_CR "f1144730714608f01d6904037977dce8c15a49b7")
# Fixed libc++ configuration macros are in
# buildtools/third_party/libc++/__config_site. This config only has defines
# that vary depending on gn args, and non-define flags.
diff --git a/yass/third_party/libc++/trunk/docs/UserDocumentation.rst b/yass/third_party/libc++/trunk/docs/UserDocumentation.rst
index 6659fa54f4..f5e55994aa 100644
--- a/yass/third_party/libc++/trunk/docs/UserDocumentation.rst
+++ b/yass/third_party/libc++/trunk/docs/UserDocumentation.rst
@@ -317,6 +317,15 @@ Unpoisoning may not be an option, if (for example) you are not maintaining the a
* You are using allocator, which does not call destructor during deallocation.
* You are aware that memory allocated with an allocator may be accessed, even when unused by container.
+Support for compiler extensions
+-------------------------------
+
+Clang, GCC and other compilers all provide their own set of language extensions. These extensions
+have often been developed without particular consideration for their interaction with the library,
+and as such, libc++ does not go out of its way to support them. The library may support specific
+compiler extensions which would then be documented explicitly, but the basic expectation should be
+that no special support is provided for arbitrary compiler extensions.
+
Platform specific behavior
==========================
diff --git a/yass/third_party/libc++/trunk/utils/ci/run-buildbot b/yass/third_party/libc++/trunk/utils/ci/run-buildbot
index 229963b38f..e040f15acc 100755
--- a/yass/third_party/libc++/trunk/utils/ci/run-buildbot
+++ b/yass/third_party/libc++/trunk/utils/ci/run-buildbot
@@ -371,14 +371,8 @@ bootstrapping-build)
-DLLVM_LIT_ARGS="-sv --xunit-xml-output test-results.xml --timeout=1500 --time-tests"
echo "+++ Running the LLDB libc++ data formatter tests"
- ${NINJA} -vC "${BUILD_DIR}" check-lldb-api-functionalities-data-formatter-data-formatter-stl-libcxx \
- check-lldb-api-functionalities-data-formatter-data-formatter-stl-generic \
- check-lldb-api-functionalities-data-formatter-data-formatter-stl-libcxx-simulators \
- check-lldb-api-commands-expression-import-std-module \
- check-lldb-api-lang-cpp-std-function-step-into-callable \
- check-lldb-api-lang-cpp-std-function-recognizer \
- check-lldb-api-lang-cpp-std-invoke-recognizer
-
+ ${NINJA} -vC "${BUILD_DIR}" lldb-api-test-deps
+ ${BUILD_DIR}/bin/llvm-lit -sv --param dotest-args='--category libc++' "${MONOREPO_ROOT}/lldb/test/API"
echo "--- Running the libc++ and libc++abi tests"
${NINJA} -vC "${BUILD_DIR}" check-runtimes