packages/grpc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:c779fa5a4fb0ab90060b960c1b362dcb4d30960f
Branches Tags
packages:main
..
compare: packages:cbc87f64e196dcee2c27908226c5381d65ea2825
Branches Tags
packages:main

10 Commits
c779fa5a4f ... cbc87f64e1

Author SHA1 Message Date
openeuler-ci-bot
cbc87f64e1
!111 [sync] PR-108: fix CVE-2024-11407 
From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
 2024-12-06 07:40:49 +00:00
xh
53882712fd fix CVE-2024-11407 
(cherry picked from commit 57ae0c2daa176e75f388a145b51d381ef08d46f5)
 2024-12-05 19:25:35 +08:00
openeuler-ci-bot
e2f71c048f
!105 [sync] PR-103: fix CVE-2024-7246 
From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
 2024-08-19 07:56:45 +00:00
sherlock2010
314c9660bf fix CVE-2024-7246 
(cherry picked from commit c51217c9c20f9df2d79890f2a936e4e9682b5e73)
 2024-08-19 10:33:37 +08:00
openeuler-ci-bot
096c10de85
!100 [sync] PR-96: remove cert expired at 20250512 
From: @openeuler-sync-bot 
Reviewed-by: @renmingshuai 
Signed-off-by: @renmingshuai
 2024-06-24 01:30:51 +00:00
sherlock2010
af650a5b86 remove cert expired at 20250512 
(cherry picked from commit 27e95c3d6eb6c0907f06645dd578fa43ca62ce7d)
 2024-06-22 17:10:23 +08:00
openeuler-ci-bot
fa91d1d468
!91 add noexcept to adapt for Cython_3.X 
From: @sherlock2010 
Reviewed-by: @robertxw 
Signed-off-by: @robertxw
 2024-02-05 08:38:29 +00:00
sherlock2010
2b55f78d08 add noexcept to adapt for Cython_3.X 2024-02-05 07:40:25 +00:00
openeuler-ci-bot
ce5332d0e5
!90 upgrade grpc to 1.60.0 
From: @sherlock2010 
Reviewed-by: @robertxw 
Signed-off-by: @robertxw
 2024-01-24 03:08:00 +00:00
sherlock2010
aba034d096 upgrade grpc to 1.60.0 2024-01-19 07:50:52 +00:00
8 changed files with 677 additions and 310 deletions
Show Stats Expand all files Collapse all files

28
backport-CVE-2024-11407.patch Normal file
View File

@ -0,0 +1,28 @@
From e9046b2bbebc0cb7f5dc42008f807f6c7e98e791 Mon Sep 17 00:00:00 2001
From: Vignesh Babu <vigneshbabu@google.com>
Date: Thu, 12 Sep 2024 11:13:45 -0700
Subject: [PATCH] [EventEngine] Fix bug in Tx0cp code path in posix endpoint.
This fix ensures that the iov_base pointers point to the right address.
PiperOrigin-RevId: 673923651
Conflict: NA
Reference: https://github.com/grpc/grpc/commit/e9046b2bbebc0cb7f5dc42008f807f6c7e98e791
---
src/core/lib/event_engine/posix_engine/posix_endpoint.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/lib/event_engine/posix_engine/posix_endpoint.cc b/src/core/lib/event_engine/posix_engine/posix_endpoint.cc
index 7634bb1334b81..c5708db02c57a 100644
--- a/src/core/lib/event_engine/posix_engine/posix_endpoint.cc
+++ b/src/core/lib/event_engine/posix_engine/posix_endpoint.cc
@@ -236,7 +236,7 @@ msg_iovlen_type TcpZerocopySendRecord::PopulateIovs(size_t* unwind_slice_idx,
iov_size++) {
MutableSlice& slice = internal::SliceCast<MutableSlice>(
buf_.MutableSliceAt(out_offset_.slice_idx));
- iov[iov_size].iov_base = slice.begin();
+ iov[iov_size].iov_base = slice.begin() + out_offset_.byte_idx;
iov[iov_size].iov_len = slice.length() - out_offset_.byte_idx;
*sending_length += iov[iov_size].iov_len;
++(out_offset_.slice_idx);

414
backport-CVE-2024-7246-chttp2-Fix-a-bug-in-hpack-error-handling.patch Normal file
View File

@ -0,0 +1,414 @@
From 88b1244fd43e81860baa60cc7fb3945a2cca0d11 Mon Sep 17 00:00:00 2001
From: Craig Tiller <ctiller@google.com>
Date: Thu, 1 Aug 2024 13:02:27 -0700
Subject: [PATCH] [v1.60] [chttp2] Fix a bug in hpack error handling (#37361)
PiperOrigin-RevId: 657234128
PiperOrigin-RevId: 658458047
Conflict:NA
Reference:https://github.com/grpc/grpc/commit/88b1244fd43e81860baa60cc7fb3945a2cca0d11
---
.../chttp2/transport/hpack_parser.cc | 63 +++++++------
.../transport/chttp2/transport/hpack_parser.h | 2 +
.../transport/chttp2/hpack_parser_test.cc | 89 ++++++++++++++++---
.../transport/chttp2/hpack_sync_fuzzer.cc | 62 +++++++++++++
.../transport/chttp2/hpack_sync_fuzzer.proto | 3 +
5 files changed, 179 insertions(+), 40 deletions(-)
diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.cc b/src/core/ext/transport/chttp2/transport/hpack_parser.cc
index 31bf46456f..f2fe80c504 100644
--- a/src/core/ext/transport/chttp2/transport/hpack_parser.cc
+++ b/src/core/ext/transport/chttp2/transport/hpack_parser.cc
@@ -91,12 +91,14 @@ constexpr Base64InverseTable kBase64InverseTable;
class HPackParser::Input {
public:
Input(grpc_slice_refcount* current_slice_refcount, const uint8_t* begin,
- const uint8_t* end, absl::BitGenRef bitsrc, HpackParseResult& error)
+ const uint8_t* end, absl::BitGenRef bitsrc,
+ HpackParseResult& frame_error, HpackParseResult& field_error)
: current_slice_refcount_(current_slice_refcount),
begin_(begin),
end_(end),
frontier_(begin),
- error_(error),
+ frame_error_(frame_error),
+ field_error_(field_error),
bitsrc_(bitsrc) {}
// If input is backed by a slice, retrieve its refcount. If not, return
@@ -215,14 +217,18 @@ class HPackParser::Input {
// Check if we saw an EOF
bool eof_error() const {
- return min_progress_size_ != 0 || error_.connection_error();
+ return min_progress_size_ != 0 || frame_error_.connection_error();
+ }
+
+ // Reset the field error to be ok
+ void ClearFieldError() {
+ if (field_error_.ok()) return;
+ field_error_ = HpackParseResult();
}
// Minimum number of bytes to unstuck the current parse
size_t min_progress_size() const { return min_progress_size_; }
- bool has_error() const { return !error_.ok(); }
-
// Set the current error - tweaks the error to include a stream id so that
// chttp2 does not close the connection.
// Intended for errors that are specific to a stream and recoverable.
@@ -246,10 +252,7 @@ class HPackParser::Input {
// read prior to being able to get further in this parse.
void UnexpectedEOF(size_t min_progress_size) {
GPR_ASSERT(min_progress_size > 0);
- if (min_progress_size_ != 0 || error_.connection_error()) {
- GPR_DEBUG_ASSERT(eof_error());
- return;
- }
+ if (eof_error()) return;
// Set min progress size, taking into account bytes parsed already but not
// consumed.
min_progress_size_ = min_progress_size + (begin_ - frontier_);
@@ -302,13 +305,18 @@ class HPackParser::Input {
// Do not use this directly, instead use SetErrorAndContinueParsing or
// SetErrorAndStopParsing.
void SetError(HpackParseResult error) {
- if (!error_.ok() || min_progress_size_ > 0) {
- if (error.connection_error() && !error_.connection_error()) {
- error_ = std::move(error); // connection errors dominate
+ SetErrorFor(frame_error_, error);
+ SetErrorFor(field_error_, std::move(error));
+ }
+
+ void SetErrorFor(HpackParseResult& error, HpackParseResult new_error) {
+ if (!error.ok() || min_progress_size_ > 0) {
+ if (new_error.connection_error() && !error.connection_error()) {
+ error = std::move(new_error); // connection errors dominate
}
return;
}
- error_ = std::move(error);
+ error = std::move(new_error);
}
// Refcount if we are backed by a slice
@@ -320,7 +328,8 @@ class HPackParser::Input {
// Frontier denotes the first byte past successfully processed input
const uint8_t* frontier_;
// Current error
- HpackParseResult& error_;
+ HpackParseResult& frame_error_;
+ HpackParseResult& field_error_;
// If the error was EOF, we flag it here by noting how many more bytes would
// be needed to make progress
size_t min_progress_size_ = 0;
@@ -597,6 +606,7 @@ class HPackParser::Parser {
bool ParseTop() {
GPR_DEBUG_ASSERT(state_.parse_state == ParseState::kTop);
auto cur = *input_->Next();
+ input_->ClearFieldError();
switch (cur >> 4) {
// Literal header not indexed - First byte format: 0000xxxx
// Literal header never indexed - First byte format: 0001xxxx
@@ -702,7 +712,7 @@ class HPackParser::Parser {
break;
}
gpr_log(
- GPR_DEBUG, "HTTP:%d:%s:%s: %s%s", log_info_.stream_id, type,
+ GPR_INFO, "HTTP:%d:%s:%s: %s%s", log_info_.stream_id, type,
log_info_.is_client ? "CLI" : "SVR", memento.md.DebugString().c_str(),
memento.parse_status == nullptr
? ""
@@ -951,11 +961,10 @@ class HPackParser::Parser {
state_.string_length)
: String::Parse(input_, state_.is_string_huff_compressed,
state_.string_length);
- HpackParseResult& status = state_.frame_error;
absl::string_view key_string;
if (auto* s = absl::get_if<Slice>(&state_.key)) {
key_string = s->as_string_view();
- if (status.ok()) {
+ if (state_.field_error.ok()) {
auto r = ValidateKey(key_string);
if (r != ValidateMetadataResult::kOk) {
input_->SetErrorAndContinueParsing(
@@ -965,7 +974,7 @@ class HPackParser::Parser {
} else {
const auto* memento = absl::get<const HPackTable::Memento*>(state_.key);
key_string = memento->md.key();
- if (status.ok() && memento->parse_status != nullptr) {
+ if (state_.field_error.ok() && memento->parse_status != nullptr) {
input_->SetErrorAndContinueParsing(*memento->parse_status);
}
}
@@ -992,16 +1001,16 @@ class HPackParser::Parser {
key_string.size() + value.wire_size + hpack_constants::kEntryOverhead;
auto md = grpc_metadata_batch::Parse(
key_string, std::move(value_slice), state_.add_to_table, transport_size,
- [key_string, &status, this](absl::string_view message, const Slice&) {
- if (!status.ok()) return;
+ [key_string, this](absl::string_view message, const Slice&) {
+ if (!state_.field_error.ok()) return;
input_->SetErrorAndContinueParsing(
HpackParseResult::MetadataParseError(key_string));
gpr_log(GPR_ERROR, "Error parsing '%s' metadata: %s",
std::string(key_string).c_str(),
std::string(message).c_str());
});
- HPackTable::Memento memento{std::move(md),
- status.PersistentStreamErrorOrNullptr()};
+ HPackTable::Memento memento{
+ std::move(md), state_.field_error.PersistentStreamErrorOrNullptr()};
input_->UpdateFrontier();
state_.parse_state = ParseState::kTop;
if (state_.add_to_table) {
@@ -1163,13 +1172,13 @@ grpc_error_handle HPackParser::Parse(
std::vector<uint8_t> buffer = std::move(unparsed_bytes_);
return ParseInput(
Input(nullptr, buffer.data(), buffer.data() + buffer.size(), bitsrc,
- state_.frame_error),
+ state_.frame_error, state_.field_error),
is_last, call_tracer);
}
- return ParseInput(
- Input(slice.refcount, GRPC_SLICE_START_PTR(slice),
- GRPC_SLICE_END_PTR(slice), bitsrc, state_.frame_error),
- is_last, call_tracer);
+ return ParseInput(Input(slice.refcount, GRPC_SLICE_START_PTR(slice),
+ GRPC_SLICE_END_PTR(slice), bitsrc, state_.frame_error,
+ state_.field_error),
+ is_last, call_tracer);
}
grpc_error_handle HPackParser::ParseInput(
diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.h b/src/core/ext/transport/chttp2/transport/hpack_parser.h
index 37456683b6..55842e47eb 100644
--- a/src/core/ext/transport/chttp2/transport/hpack_parser.h
+++ b/src/core/ext/transport/chttp2/transport/hpack_parser.h
@@ -236,6 +236,8 @@ class HPackParser {
HPackTable hpack_table;
// Error so far for this frame (set by class Input)
HpackParseResult frame_error;
+ // Error so far for this field (set by class Input)
+ HpackParseResult field_error;
// Length of frame so far.
uint32_t frame_length = 0;
// Length of the string being parsed
diff --git a/test/core/transport/chttp2/hpack_parser_test.cc b/test/core/transport/chttp2/hpack_parser_test.cc
index 3772d909b9..d5b9c6cb68 100644
--- a/test/core/transport/chttp2/hpack_parser_test.cc
+++ b/test/core/transport/chttp2/hpack_parser_test.cc
@@ -440,19 +440,82 @@ INSTANTIATE_TEST_SUITE_P(
Test{"Base64LegalEncoding",
{},
{},
- {// Binary metadata: created using:
- // tools/codegen/core/gen_header_frame.py
- // --compression inc --no_framing --output hexstr
- // < test/core/transport/chttp2/bad-base64.headers
- {"4009612e622e632d62696e1c6c75636b696c7920666f722075732c206974"
- "27732074756573646179",
- absl::InternalError("Error parsing 'a.b.c-bin' metadata: "
- "illegal base64 encoding"),
- 0},
- {"be",
- absl::InternalError("Error parsing 'a.b.c-bin' metadata: "
- "illegal base64 encoding"),
- 0}}},
+ {
+ // Binary metadata: created using:
+ // tools/codegen/core/gen_header_frame.py
+ // --compression inc --no_framing --output hexstr
+ // < test/core/transport/chttp2/bad-base64.headers
+ {"4009612e622e632d62696e1c6c75636b696c7920666f722075732c206974"
+ "27732074756573646179",
+ absl::InternalError("Error parsing 'a.b.c-bin' metadata: "
+ "illegal base64 encoding"),
+ 0},
+ {"be",
+ absl::InternalError("Error parsing 'a.b.c-bin' metadata: "
+ "illegal base64 encoding"),
+ kEndOfHeaders},
+ {"82", ":method: GET\n", 0},
+ }},
+ Test{"Base64LegalEncodingWorksAfterFailure",
+ {},
+ {},
+ {
+ // Binary metadata: created using:
+ // tools/codegen/core/gen_header_frame.py
+ // --compression inc --no_framing --output hexstr
+ // < test/core/transport/chttp2/bad-base64.headers
+ {"4009612e622e632d62696e1c6c75636b696c7920666f722075732c206974"
+ "27732074756573646179",
+ absl::InternalError("Error parsing 'a.b.c-bin' metadata: "
+ "illegal base64 encoding"),
+ 0},
+ {"be",
+ absl::InternalError("Error parsing 'a.b.c-bin' metadata: "
+ "illegal base64 encoding"),
+ 0},
+ {"400e636f6e74656e742d6c656e6774680135",
+ absl::InternalError("Error parsing 'a.b.c-bin' metadata: "
+ "illegal base64 encoding"),
+ kEndOfHeaders},
+ {"be", "content-length: 5\n", 0},
+ }},
+ Test{"Base64LegalEncodingWorksAfterFailure2",
+ {},
+ {},
+ {
+ {// Generated with: tools/codegen/core/gen_header_frame.py
+ // --compression inc --output hexstr --no_framing <
+ // test/core/transport/chttp2/MiXeD-CaSe.headers
+ "400a4d695865442d436153651073686f756c64206e6f74207061727365",
+ absl::InternalError("Illegal header key: MiXeD-CaSe"), 0},
+ // Binary metadata: created using:
+ // tools/codegen/core/gen_header_frame.py
+ // --compression inc --no_framing --output hexstr
+ // < test/core/transport/chttp2/bad-base64.headers
+ {"4009612e622e632d62696e1c6c75636b696c7920666f722075732c206974"
+ "27732074756573646179",
+ absl::InternalError("Illegal header key: MiXeD-CaSe"), 0},
+ {"be", absl::InternalError("Illegal header key: MiXeD-CaSe"),
+ 0},
+ {"400e636f6e74656e742d6c656e6774680135",
+ absl::InternalError("Illegal header key: MiXeD-CaSe"),
+ kEndOfHeaders},
+ {"be", "content-length: 5\n", 0},
+ {"bf",
+ absl::InternalError("Error parsing 'a.b.c-bin' metadata: "
+ "illegal base64 encoding"),
+ 0},
+ // Only the first error in each frame is reported, so we should
+ // still see the same error here...
+ {"c0",
+ absl::InternalError("Error parsing 'a.b.c-bin' metadata: "
+ "illegal base64 encoding"),
+ kEndOfHeaders},
+ // ... but if we look at the next frame we should see the
+ // stored error
+ {"c0", absl::InternalError("Illegal header key: MiXeD-CaSe"),
+ kEndOfHeaders},
+ }},
Test{"TeIsTrailers",
{},
{},
diff --git a/test/core/transport/chttp2/hpack_sync_fuzzer.cc b/test/core/transport/chttp2/hpack_sync_fuzzer.cc
index 47e426547a..9afa41fa6d 100644
--- a/test/core/transport/chttp2/hpack_sync_fuzzer.cc
+++ b/test/core/transport/chttp2/hpack_sync_fuzzer.cc
@@ -85,6 +85,10 @@ void FuzzOneInput(const hpack_sync_fuzzer::Msg& msg) {
// Not an interesting case to fuzz
continue;
}
+ if (msg.check_ab_preservation() &&
+ header.literal_inc_idx().key() == "a") {
+ continue;
+ }
if (absl::EndsWith(header.literal_inc_idx().value(), "-bin")) {
std::ignore = encoder.EmitLitHdrWithBinaryStringKeyIncIdx(
Slice::FromCopiedString(header.literal_inc_idx().key()),
@@ -96,6 +100,10 @@ void FuzzOneInput(const hpack_sync_fuzzer::Msg& msg) {
}
break;
case hpack_sync_fuzzer::Header::kLiteralNotIdx:
+ if (msg.check_ab_preservation() &&
+ header.literal_not_idx().key() == "a") {
+ continue;
+ }
if (absl::EndsWith(header.literal_not_idx().value(), "-bin")) {
encoder.EmitLitHdrWithBinaryStringKeyNotIdx(
Slice::FromCopiedString(header.literal_not_idx().key()),
@@ -114,6 +122,10 @@ void FuzzOneInput(const hpack_sync_fuzzer::Msg& msg) {
break;
}
}
+ if (msg.check_ab_preservation()) {
+ std::ignore = encoder.EmitLitHdrWithNonBinaryStringKeyIncIdx(
+ Slice::FromCopiedString("a"), Slice::FromCopiedString("b"));
+ }
// STAGE 2: Decode the buffer (encode_output) into a list of headers
HPackParser parser;
@@ -140,6 +152,21 @@ void FuzzOneInput(const hpack_sync_fuzzer::Msg& msg) {
}
}
+ if (seen_errors.empty() && msg.check_ab_preservation()) {
+ std::string backing;
+ auto a_value = read_metadata.GetStringValue("a", &backing);
+ if (!a_value.has_value()) {
+ fprintf(stderr, "Expected 'a' header to be present: %s\n",
+ read_metadata.DebugString().c_str());
+ abort();
+ }
+ if (a_value != "b") {
+ fprintf(stderr, "Expected 'a' header to be 'b', got '%s'\n",
+ std::string(*a_value).c_str());
+ abort();
+ }
+ }
+
// STAGE 3: If we reached here we either had a stream error or no error
// parsing.
// Either way, the hpack tables should be of the same size between client and
@@ -168,6 +195,41 @@ void FuzzOneInput(const hpack_sync_fuzzer::Msg& msg) {
}
abort();
}
+
+ if (msg.check_ab_preservation()) {
+ SliceBuffer encode_output_2;
+ hpack_encoder_detail::Encoder encoder_2(
+ &compressor, msg.use_true_binary_metadata(), encode_output_2);
+ encoder_2.EmitIndexed(62);
+ GPR_ASSERT(encode_output_2.Count() == 1);
+ grpc_metadata_batch read_metadata_2(arena.get());
+ parser.BeginFrame(
+ &read_metadata_2, 1024, 1024, HPackParser::Boundary::EndOfHeaders,
+ HPackParser::Priority::None,
+ HPackParser::LogInfo{3, HPackParser::LogInfo::kHeaders, false});
+ auto err = parser.Parse(encode_output_2.c_slice_at(0), true,
+ absl::BitGenRef(proto_bit_src),
+ /*call_tracer=*/nullptr);
+ if (!err.ok()) {
+ fprintf(stderr, "Error parsing preservation encoded data: %s\n",
+ err.ToString().c_str());
+ abort();
+ }
+ std::string backing;
+ auto a_value = read_metadata_2.GetStringValue("a", &backing);
+ if (!a_value.has_value()) {
+ fprintf(stderr,
+ "Expected 'a' header to be present: %s\nfirst metadata: %s\n",
+ read_metadata_2.DebugString().c_str(),
+ read_metadata.DebugString().c_str());
+ abort();
+ }
+ if (a_value != "b") {
+ fprintf(stderr, "Expected 'a' header to be 'b', got '%s'\n",
+ std::string(*a_value).c_str());
+ abort();
+ }
+ }
}
} // namespace
diff --git a/test/core/transport/chttp2/hpack_sync_fuzzer.proto b/test/core/transport/chttp2/hpack_sync_fuzzer.proto
index 72792b60d6..2c075a6abb 100644
--- a/test/core/transport/chttp2/hpack_sync_fuzzer.proto
+++ b/test/core/transport/chttp2/hpack_sync_fuzzer.proto
@@ -44,4 +44,7 @@ message Msg {
repeated Header headers = 2;
grpc.testing.FuzzConfigVars config_vars = 3;
repeated uint64 random_numbers = 4;
+ // Ensure that a header "a: b" appended to headers with hpack incremental
+ // indexing is correctly added to the hpack table.
+ bool check_ab_preservation = 5;
}
--
2.33.0

138
backport-Specify-noexcept-for-cdef-functions.patch Normal file
View File

@ -0,0 +1,138 @@
From 45d31dba83999638808891ee7bf93638106bdb71 Mon Sep 17 00:00:00 2001
From: Atri Bhattacharya <badshah400@gmail.com>
Date: Thu, 7 Sep 2023 07:06:56 +0200
Subject: [PATCH] Specify noexcept for cdef functions.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To build against cython 3.0, cdef functions that do not raise exceptions
need to be explicitly declared as noexcept. Fixes issue #33918.
Co-Authored-By: Miro HronĨok <miro@hroncok.cz>
Conflictcontext adapt
Referencehttps://src.fedoraproject.org/rpms/grpc/blob/rawhide/f/0001-Specify-noexcept-for-cdef-functions.patch
---
.../grpc/_cython/_cygrpc/aio/callback_common.pxd.pxi | 2 +-
.../grpc/_cython/_cygrpc/aio/callback_common.pyx.pxi | 2 +-
.../grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi | 2 +-
.../grpcio/grpc/_cython/_cygrpc/fork_posix.pxd.pxi | 6 +++---
.../grpcio/grpc/_cython/_cygrpc/fork_posix.pyx.pxi | 6 +++---
.../grpcio/grpc/_cython/_cygrpc/vtable.pyx.pxi | 6 +++---
6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pxd.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pxd.pxi
index e54e510..26edbdb 100644
--- a/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pxd.pxi
+++ b/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pxd.pxi
@@ -48,7 +48,7 @@ cdef class CallbackWrapper:
@staticmethod
cdef void functor_run(
grpc_completion_queue_functor* functor,
- int succeed)
+ int succeed) noexcept
cdef grpc_completion_queue_functor *c_functor(self)
diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pyx.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pyx.pxi
index f2d94a9..5dda90a 100644
--- a/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pyx.pxi
+++ b/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pyx.pxi
@@ -50,7 +50,7 @@ cdef class CallbackWrapper:
@staticmethod
cdef void functor_run(
grpc_completion_queue_functor* functor,
- int success):
+ int success) noexcept:
cdef CallbackContext *context = <CallbackContext *>functor
cdef object waiter = <object>context.waiter
if not waiter.cancelled():
diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
index 23de3a0..52071f5 100644
--- a/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
+++ b/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
@@ -314,7 +314,7 @@ def server_credentials_ssl_dynamic_cert_config(initial_cert_config,
return credentials
cdef grpc_ssl_certificate_config_reload_status _server_cert_config_fetcher_wrapper(
- void* user_data, grpc_ssl_server_certificate_config **config) with gil:
+ void* user_data, grpc_ssl_server_certificate_config **config) noexcept with gil:
# This is a credentials.ServerCertificateConfig
cdef ServerCertificateConfig cert_config = None
if not user_data:
diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pxd.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pxd.pxi
index 13a0243..b300883 100644
--- a/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pxd.pxi
+++ b/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pxd.pxi
@@ -12,10 +12,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-cdef void __prefork() nogil
+cdef void __prefork() noexcept nogil
-cdef void __postfork_parent() nogil
+cdef void __postfork_parent() noexcept nogil
-cdef void __postfork_child() nogil
\ No newline at end of file
+cdef void __postfork_child() noexcept nogil
diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pyx.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pyx.pxi
index 53657e8..d4d1cff 100644
--- a/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pyx.pxi
+++ b/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pyx.pxi
@@ -34,7 +34,7 @@ _GRPC_ENABLE_FORK_SUPPORT = (
_fork_handler_failed = False
-cdef void __prefork() nogil:
+cdef void __prefork() noexcept nogil:
with gil:
global _fork_handler_failed
_fork_handler_failed = False
@@ -48,14 +48,14 @@ cdef void __prefork() nogil:
_fork_handler_failed = True
-cdef void __postfork_parent() nogil:
+cdef void __postfork_parent() noexcept nogil:
with gil:
with _fork_state.fork_in_progress_condition:
_fork_state.fork_in_progress = False
_fork_state.fork_in_progress_condition.notify_all()
-cdef void __postfork_child() nogil:
+cdef void __postfork_child() noexcept nogil:
with gil:
try:
if _fork_handler_failed:
diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/vtable.pyx.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/vtable.pyx.pxi
index da4b81b..f594100 100644
--- a/src/python/grpcio/grpc/_cython/_cygrpc/vtable.pyx.pxi
+++ b/src/python/grpcio/grpc/_cython/_cygrpc/vtable.pyx.pxi
@@ -13,16 +13,16 @@
# limitations under the License.
# TODO(https://github.com/grpc/grpc/issues/15662): Reform this.
-cdef void* _copy_pointer(void* pointer):
+cdef void* _copy_pointer(void* pointer) noexcept:
return pointer
# TODO(https://github.com/grpc/grpc/issues/15662): Reform this.
-cdef void _destroy_pointer(void* pointer):
+cdef void _destroy_pointer(void* pointer) noexcept:
pass
-cdef int _compare_pointer(void* first_pointer, void* second_pointer):
+cdef int _compare_pointer(void* first_pointer, void* second_pointer) noexcept:
if first_pointer < second_pointer:
return -1
elif first_pointer > second_pointer:
--
2.41.0

303
backport-iomgr-EventEngine-Improve-server-handling-o.patch
View File

@ -1,303 +0,0 @@
From f44cddbebae95935fa640aa19ed5d5786de2aafa Mon Sep 17 00:00:00 2001
From: AJ Heller <hork@google.com>
Date: Wed, 12 Jul 2023 15:12:56 -0700
Subject: [PATCH] [backport][iomgr][EventEngine] Improve server handling of
file descriptor exhaustion (#33670)
Backport of #33656
---
src/core/BUILD | 1 +
.../event_engine/posix_engine/posix_engine.h | 1 +
.../posix_engine/posix_engine_listener.cc | 30 +++++++++++
.../posix_engine/posix_engine_listener.h | 3 ++
src/core/lib/iomgr/tcp_server_posix.cc | 53 ++++++++++++++-----
src/core/lib/iomgr/tcp_server_utils_posix.h | 12 +++++
.../iomgr/tcp_server_utils_posix_common.cc | 21 ++++++++
7 files changed, 107 insertions(+), 14 deletions(-)
diff --git a/src/core/BUILD b/src/core/BUILD
index 3f8ef0d054..d4ae087542 100644
--- a/src/core/BUILD
+++ b/src/core/BUILD
@@ -1908,6 +1908,7 @@ grpc_cc_library(
"posix_event_engine_tcp_socket_utils",
"socket_mutator",
"status_helper",
+ "time",
"//:event_engine_base_hdrs",
"//:gpr",
],
diff --git a/src/core/lib/event_engine/posix_engine/posix_engine.h b/src/core/lib/event_engine/posix_engine/posix_engine.h
index afeda404a7..3a49d65699 100644
--- a/src/core/lib/event_engine/posix_engine/posix_engine.h
+++ b/src/core/lib/event_engine/posix_engine/posix_engine.h
@@ -196,6 +196,7 @@ class PosixEventEngine final : public PosixEventEngineWithFdSupport,
const DNSResolver::ResolverOptions& options) override;
void Run(Closure* closure) override;
void Run(absl::AnyInvocable<void()> closure) override;
+ // Caution!! The timer implementation cannot create any fds. See #20418.
TaskHandle RunAfter(Duration when, Closure* closure) override;
TaskHandle RunAfter(Duration when,
absl::AnyInvocable<void()> closure) override;
diff --git a/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc b/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc
index b395bff00d..39f3141afd 100644
--- a/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc
+++ b/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc
@@ -23,7 +23,10 @@
#include <sys/socket.h> // IWYU pragma: keep
#include <unistd.h> // IWYU pragma: keep
+#include <atomic>
#include <string>
+#include <tuple>
+#include <type_traits>
#include <utility>
#include "absl/functional/any_invocable.h"
@@ -41,6 +44,7 @@
#include "src/core/lib/event_engine/posix_engine/tcp_socket_utils.h"
#include "src/core/lib/event_engine/tcp_socket_utils.h"
#include "src/core/lib/gprpp/status_helper.h"
+#include "src/core/lib/gprpp/time.h"
#include "src/core/lib/iomgr/socket_mutator.h"
namespace grpc_event_engine {
@@ -136,6 +140,32 @@ void PosixEngineListenerImpl::AsyncConnectionAcceptor::NotifyOnAccept(
switch (errno) {
case EINTR:
continue;
+ case EMFILE:
+ // When the process runs out of fds, accept4() returns EMFILE. When
+ // this happens, the connection is left in the accept queue until
+ // either a read event triggers the on_read callback, or time has
+ // passed and the accept should be re-tried regardless. This callback
+ // is not cancelled, so a spurious wakeup may occur even when there's
+ // nothing to accept. This is not a performant code path, but if an fd
+ // limit has been reached, the system is likely in an unhappy state
+ // regardless.
+ GRPC_LOG_EVERY_N_SEC(1, GPR_ERROR, "%s",
+ "File descriptor limit reached. Retrying.");
+ handle_->NotifyOnRead(notify_on_accept_);
+ // Do not schedule another timer if one is already armed.
+ if (retry_timer_armed_.exchange(true)) return;
+ // Hold a ref while the retry timer is waiting, to prevent listener
+ // destruction and the races that would ensue.
+ Ref();
+ std::ignore =
+ engine_->RunAfter(grpc_core::Duration::Seconds(1), [this]() {
+ retry_timer_armed_.store(false);
+ if (!handle_->IsHandleShutdown()) {
+ handle_->SetReadable();
+ }
+ Unref();
+ });
+ return;
case EAGAIN:
case ECONNABORTED:
handle_->NotifyOnRead(notify_on_accept_);
diff --git a/src/core/lib/event_engine/posix_engine/posix_engine_listener.h b/src/core/lib/event_engine/posix_engine/posix_engine_listener.h
index 4bf793b197..ababb97846 100644
--- a/src/core/lib/event_engine/posix_engine/posix_engine_listener.h
+++ b/src/core/lib/event_engine/posix_engine/posix_engine_listener.h
@@ -121,6 +121,9 @@ class PosixEngineListenerImpl
ListenerSocketsContainer::ListenerSocket socket_;
EventHandle* handle_;
PosixEngineClosure* notify_on_accept_;
+ // Tracks the status of a backup timer to retry accept4 calls after file
+ // descriptor exhaustion.
+ std::atomic<bool> retry_timer_armed_{false};
};
class ListenerAsyncAcceptors : public ListenerSocketsContainer {
public:
diff --git a/src/core/lib/iomgr/tcp_server_posix.cc b/src/core/lib/iomgr/tcp_server_posix.cc
index dbe7bec338..c0cea6769e 100644
--- a/src/core/lib/iomgr/tcp_server_posix.cc
+++ b/src/core/lib/iomgr/tcp_server_posix.cc
@@ -16,13 +16,17 @@
//
//
+#include <grpc/support/port_platform.h>
+
+#include <utility>
+
+#include <grpc/support/atm.h>
+
// FIXME: "posix" files shouldn't be depending on _GNU_SOURCE
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
-#include <grpc/support/port_platform.h>
-
#include "src/core/lib/iomgr/port.h"
#ifdef GRPC_POSIX_SOCKET_TCP_SERVER
@@ -45,6 +49,7 @@
#include <grpc/byte_buffer.h>
#include <grpc/event_engine/endpoint_config.h>
+#include <grpc/event_engine/event_engine.h>
#include <grpc/support/alloc.h>
#include <grpc/support/log.h>
#include <grpc/support/sync.h>
@@ -75,6 +80,8 @@
#include "src/core/lib/transport/error_utils.h"
static std::atomic<int64_t> num_dropped_connections{0};
+static constexpr grpc_core::Duration kRetryAcceptWaitTime{
+ grpc_core::Duration::Seconds(1)};
using ::grpc_event_engine::experimental::EndpointConfig;
using ::grpc_event_engine::experimental::EventEngine;
@@ -339,22 +346,38 @@ static void on_read(void* arg, grpc_error_handle err) {
if (fd < 0) {
if (errno == EINTR) {
continue;
- } else if (errno == EAGAIN || errno == ECONNABORTED ||
- errno == EWOULDBLOCK) {
+ }
+ // When the process runs out of fds, accept4() returns EMFILE. When this
+ // happens, the connection is left in the accept queue until either a
+ // read event triggers the on_read callback, or time has passed and the
+ // accept should be re-tried regardless. This callback is not cancelled,
+ // so a spurious wakeup may occur even when there's nothing to accept.
+ // This is not a performant code path, but if an fd limit has been
+ // reached, the system is likely in an unhappy state regardless.
+ if (errno == EMFILE) {
+ GRPC_LOG_EVERY_N_SEC(1, GPR_ERROR, "%s",
+ "File descriptor limit reached. Retrying.");
+ grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
+ if (gpr_atm_full_xchg(&sp->retry_timer_armed, true)) return;
+ grpc_timer_init(&sp->retry_timer,
+ grpc_core::Timestamp::Now() + kRetryAcceptWaitTime,
+ &sp->retry_closure);
+ return;
+ }
+ if (errno == EAGAIN || errno == ECONNABORTED || errno == EWOULDBLOCK) {
grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
return;
+ }
+ gpr_mu_lock(&sp->server->mu);
+ if (!sp->server->shutdown_listeners) {
+ gpr_log(GPR_ERROR, "Failed accept4: %s",
+ grpc_core::StrError(errno).c_str());
} else {
- gpr_mu_lock(&sp->server->mu);
- if (!sp->server->shutdown_listeners) {
- gpr_log(GPR_ERROR, "Failed accept4: %s",
- grpc_core::StrError(errno).c_str());
- } else {
- // if we have shutdown listeners, accept4 could fail, and we
- // needn't notify users
- }
- gpr_mu_unlock(&sp->server->mu);
- goto error;
+ // if we have shutdown listeners, accept4 could fail, and we
+ // needn't notify users
}
+ gpr_mu_unlock(&sp->server->mu);
+ goto error;
}
if (sp->server->memory_quota->IsMemoryPressureHigh()) {
@@ -547,6 +570,7 @@ static grpc_error_handle clone_port(grpc_tcp_listener* listener,
sp->port_index = listener->port_index;
sp->fd_index = listener->fd_index + count - i;
GPR_ASSERT(sp->emfd);
+ grpc_tcp_server_listener_initialize_retry_timer(sp);
while (listener->server->tail->next != nullptr) {
listener->server->tail = listener->server->tail->next;
}
@@ -780,6 +804,7 @@ static void tcp_server_shutdown_listeners(grpc_tcp_server* s) {
if (s->active_ports) {
grpc_tcp_listener* sp;
for (sp = s->head; sp; sp = sp->next) {
+ grpc_timer_cancel(&sp->retry_timer);
grpc_fd_shutdown(sp->emfd, GRPC_ERROR_CREATE("Server shutdown"));
}
}
diff --git a/src/core/lib/iomgr/tcp_server_utils_posix.h b/src/core/lib/iomgr/tcp_server_utils_posix.h
index 26cef0209f..de5a888cff 100644
--- a/src/core/lib/iomgr/tcp_server_utils_posix.h
+++ b/src/core/lib/iomgr/tcp_server_utils_posix.h
@@ -30,6 +30,7 @@
#include "src/core/lib/iomgr/resolve_address.h"
#include "src/core/lib/iomgr/socket_utils_posix.h"
#include "src/core/lib/iomgr/tcp_server.h"
+#include "src/core/lib/iomgr/timer.h"
#include "src/core/lib/resource_quota/memory_quota.h"
// one listening port
@@ -52,6 +53,11 @@ typedef struct grpc_tcp_listener {
// identified while iterating through 'next'.
struct grpc_tcp_listener* sibling;
int is_sibling;
+ // If an accept4() call fails, a timer is started to drain the accept queue in
+ // case no further connection attempts reach the gRPC server.
+ grpc_closure retry_closure;
+ grpc_timer retry_timer;
+ gpr_atm retry_timer_armed;
} grpc_tcp_listener;
// the overall server
@@ -139,4 +145,10 @@ grpc_error_handle grpc_tcp_server_prepare_socket(
// Ruturn true if the platform supports ifaddrs
bool grpc_tcp_server_have_ifaddrs(void);
+// Initialize (but don't start) the timer and callback to retry accept4() on a
+// listening socket after file descriptors have been exhausted. This must be
+// called when creating a new listener.
+void grpc_tcp_server_listener_initialize_retry_timer(
+ grpc_tcp_listener* listener);
+
#endif // GRPC_SRC_CORE_LIB_IOMGR_TCP_SERVER_UTILS_POSIX_H
diff --git a/src/core/lib/iomgr/tcp_server_utils_posix_common.cc b/src/core/lib/iomgr/tcp_server_utils_posix_common.cc
index 574fd02d0d..a32f542c4a 100644
--- a/src/core/lib/iomgr/tcp_server_utils_posix_common.cc
+++ b/src/core/lib/iomgr/tcp_server_utils_posix_common.cc
@@ -18,6 +18,8 @@
#include <grpc/support/port_platform.h>
+#include <grpc/support/atm.h>
+
#include "src/core/lib/iomgr/port.h"
#ifdef GRPC_POSIX_SOCKET_TCP_SERVER_UTILS_COMMON
@@ -81,6 +83,24 @@ static int get_max_accept_queue_size(void) {
return s_max_accept_queue_size;
}
+static void listener_retry_timer_cb(void* arg, grpc_error_handle err) {
+ // Do nothing if cancelled.
+ if (!err.ok()) return;
+ grpc_tcp_listener* listener = static_cast<grpc_tcp_listener*>(arg);
+ gpr_atm_no_barrier_store(&listener->retry_timer_armed, false);
+ if (!grpc_fd_is_shutdown(listener->emfd)) {
+ grpc_fd_set_readable(listener->emfd);
+ }
+}
+
+void grpc_tcp_server_listener_initialize_retry_timer(
+ grpc_tcp_listener* listener) {
+ gpr_atm_no_barrier_store(&listener->retry_timer_armed, false);
+ grpc_timer_init_unset(&listener->retry_timer);
+ GRPC_CLOSURE_INIT(&listener->retry_closure, listener_retry_timer_cb, listener,
+ grpc_schedule_on_exec_ctx);
+}
+
static grpc_error_handle add_socket_to_server(grpc_tcp_server* s, int fd,
const grpc_resolved_address* addr,
unsigned port_index,
@@ -112,6 +132,7 @@ static grpc_error_handle add_socket_to_server(grpc_tcp_server* s, int fd,
sp->server = s;
sp->fd = fd;
sp->emfd = grpc_fd_create(fd, name.c_str(), true);
+ grpc_tcp_server_listener_initialize_retry_timer(sp);
// Check and set fd as prellocated
if (grpc_tcp_server_pre_allocated_fd(s) == fd) {
--
2.33.0

BIN
grpc-1.54.2.tar.gz
View File

Binary file not shown.

BIN
grpc-1.60.0.tar.gz Normal file
View File

Binary file not shown.

53
grpc.spec
View File

@ -1,10 +1,10 @@
%global c_so_version 31
%global cpp_so_version 1.54
%global c_so_version 37
%global cpp_so_version 1.60
%global cpp_std 17
Name: grpc
Version: 1.54.2
Release: 3
Version: 1.60.0
Release: 5
Summary: A modern, open source high performance RPC framework that can run in any environment
License: ASL 2.0
URL: https://www.grpc.io
@ -12,10 +12,13 @@ Source0: https://github.com/grpc/grpc/archive/v%{version}/%{name}-%{versio
Patch0006: repair-pkgconfig-path.patch
Patch0007: add-secure-compile-option-in-Makefile.patch
Patch0008: backport-iomgr-EventEngine-Improve-server-handling-o.patch
Patch0009: remove-cert-expired-on-20230930.patch
Patch0010: backport-Specify-noexcept-for-cdef-functions.patch
Patch0011: remove-cert-expired-at-20250512.patch
Patch0012: backport-CVE-2024-7246-chttp2-Fix-a-bug-in-hpack-error-handling.patch
Patch0013: backport-CVE-2024-11407.patch
BuildRequires: gcc-c++ pkgconfig protobuf-devel protobuf-compiler
BuildRequires: gcc-c++ pkgconfig protobuf-devel protobuf-compiler protobuf-lite-devel
BuildRequires: openssl-devel c-ares-devel gtest-devel zlib-devel gperftools-devel
BuildRequires: python3-devel python3-setuptools python3-Cython
BuildRequires: cmake >= 3.13.0
@ -88,7 +91,9 @@ cmake ../../ -DgRPC_INSTALL=ON\
-DgRPC_INSTALL_PKGCONFIGDIR=%{buildroot}%{_libdir}/pkgconfig \
-DCMAKE_INSTALL_PREFIX=%{_prefix} \
-DBUILD_SHARED_LIBS=ON \
-DCMAKE_VERBOSE_MAKEFILE=ON
-DCMAKE_VERBOSE_MAKEFILE=ON \
-DCMAKE_EXE_LINKER_FLAGS=-Wl,--as-needed \
-DCMAKE_SHARED_LINKER_FLAGS=-Wl,--as-needed
make -j24 V=1
# build python module
@ -132,6 +137,10 @@ cd ../..
%{_libdir}/libgrpc_plugin_support.so.%{cpp_so_version}*
%{_libdir}/libgrpcpp_channelz.so.%{cpp_so_version}*
%{_libdir}/libgrpc_authorization_provider.so.%{cpp_so_version}*
%{_libdir}/libupb_collections_lib.so.%{c_so_version}*
%{_libdir}/libupb_json_lib.so.%{c_so_version}*
%{_libdir}/libupb_textformat_lib.so.%{c_so_version}*
%{_libdir}/libutf8_range_lib.so.%{c_so_version}*
%files plugins
%{_bindir}/grpc_*_plugin
@ -150,6 +159,36 @@ cd ../..
%{python3_sitearch}/grpcio-%{version}-py*
%changelog
* Tue Dec 03 2024 xinghe <xinghe2@h-partners.com> - 1.60.0-5
- Type:CVE
- CVE:CVE-2024-11407
- SUG:NA
- DESC:fix CVE-2024-11407
* Wed Aug 14 2024 zhouyihang <zhouyihang3@h-partners.com> - 1.60.0-4
- Type:CVE
- CVE:CVE-2024-7246
- SUG:NA
- DESC:fix CVE-2024-7246
* Fri Jun 21 2024 zhouyihang<zhouyihang3@h-partners.com> - 1.60.0-3
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:remove cert expired at 20250512
* Mon Feb 05 2024 zhouyihang <zhouyihang3@h-partners.com> - 1.60.0-2
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:add noexcept to adapt for Cython_3.X
* Fri Jan 19 2024 zhouyihang <zhouyihang3@h-partners.com> - 1.60.0-1
- Type:requirement
- CVE:NA
- SUG:NA
- DESC:upgrade grpc to 1.60.0
* Wed Nov 15 2023 zhouyihang<zhouyihang3@h-partners.com> - 1.54.2-3
- Type:bugfix
- ID:NA

51
remove-cert-expired-at-20250512.patch Normal file
View File

@ -0,0 +1,51 @@
From 15327a17f80de1251e84d38dda045bbfd7061125 Mon Sep 17 00:00:00 2001
From: renmingshuai <renmingshuai@huawei.com>
Date: Tue, 28 May 2024 20:59:35 +0800
Subject: [PATCH] huawei-remove-cert-expired-at-20250512
---
etc/roots.pem | 29 -----------------------------
1 file changed, 29 deletions(-)
diff --git a/etc/roots.pem b/etc/roots.pem
index c599727..d84a8f5 100644
--- a/etc/roots.pem
+++ b/etc/roots.pem
@@ -64,35 +64,6 @@ bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
fF6adulZkMV8gzURZVE=
-----END CERTIFICATE-----
-# Issuer: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
-# Subject: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
-# Label: "Baltimore CyberTrust Root"
-# Serial: 33554617
-# MD5 Fingerprint: ac:b6:94:a5:9c:17:e0:d7:91:52:9b:b1:97:06:a6:e4
-# SHA1 Fingerprint: d4:de:20:d0:5e:66:fc:53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74
-# SHA256 Fingerprint: 16:af:57:a9:f6:76:b0:ab:12:60:95:aa:5e:ba:de:f2:2a:b3:11:19:d6:44:ac:95:cd:4b:93:db:f3:f2:6a:eb
------BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
-RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
-VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
-DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
-ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
-VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
-mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
-IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
-mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
-XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
-dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
-jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
-BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
-DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
-9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
-jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
-Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
-ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
-R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
------END CERTIFICATE-----
-
# Issuer: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
# Subject: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
# Label: "Entrust Root Certification Authority"
--
2.33.0