[openssl/openssl] 221d65: evp_md: assert digest is provided for algctx reuse
Branch: refs/heads/master Home: https://github.openssl.org/openssl/openssl Commit: 221d65ba534d23a240ccadd0c2679b222aae35b1 https://github.openssl.org/openssl/openssl/commit/221d65ba534d23a240ccadd0c2679b222aae35b1 Author: Benjamin Kaduk Date: 2022-05-08 (Sun, 08 May 2022) Changed paths: M crypto/evp/digest.c Log Message: --- evp_md: assert digest is provided for algctx reuse When reusing an algctx (it was always freed on reinitialization, prior to #18105), assert that the associated digest is provided. We implicitly rely on this for algctx reuse to be safe (since an implicit fetch could potentially change the digest object used, including provider, which accordingly could change the layout of the algctx object). From code inspection, this is currently always the case -- the only way to set an algctx requires the provider to be set, and the only ways to change or remove a provider without destroying the entire EVP_MD_CTX will also free the algctx. Adding an assertion will help ensure that this remains true as the code evolves. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/18224)
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via e5050aa1bbce84e359bfd35de60dd745627e8d41 (commit) from c680b3f9c1ed6f70d68c3c597ee4e99b4ce0fa55 (commit) - Log - commit e5050aa1bbce84e359bfd35de60dd745627e8d41 Author: Piotr Kubaj Date: Sat Dec 18 15:21:51 2021 +0100 Add support for BSD-riscv64 target Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk Reviewed-by: Paul Dale (cherry picked from commit c2d1ad0e048dd3bfa60e6aa0b5ee343cc6d97a15) (cherry picked from commit fb72a093f88f7332069659994b67f6b19aceb865) (Merged from https://github.com/openssl/openssl/pull/17341) --- Summary of changes: Configurations/10-main.conf | 7 +++ config | 1 + 2 files changed, 8 insertions(+) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 61c6689a0c..38c8eb3158 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -988,6 +988,13 @@ my %targets = ( perlasm_scheme => "elf", }, +# riscv64 below refers to contemporary RISCV Architecture +# specifications, +"BSD-riscv64" => { +inherit_from => [ "BSD-generic64"], +perlasm_scheme => "linux64", +}, + "bsdi-elf-gcc" => { inherit_from => [ "BASE_unix", asm("x86_elf_asm") ], CC => "gcc", diff --git a/config b/config index 26225ca2a9..49422981ae 100755 --- a/config +++ b/config @@ -704,6 +704,7 @@ case "$GUESSOS" in __CNF_CPPFLAGS="$__CNF_CPPFLAGS -DL_ENDIAN" ;; powerpc64-*-*bsd*) OUT="BSD-generic64"; __CNF_CPPFLAGS="$__CNF_CPPFLAGS -DB_ENDIAN" ;; + riscv64-*-*bsd*) OUT="BSD-riscv64" ;; sparc64-*-*bsd*) OUT="BSD-sparc64" ;; ia64-*-*bsd*)OUT="BSD-ia64" ;; x86_64-*-dragonfly*) OUT="BSD-x86_64" ;;
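Review bot: The comment added in the Configurations/10-main.conf hunk is a sentence fragment that ends in a comma (`# riscv64 below refers to contemporary RISCV Architecture` / `# specifications,`), so it reads as though text was lost in the cherry-pick. Suggest `# riscv64 below refers to the contemporary RISC-V architecture specification.` as a single complete sentence. The same fragment is added by the openssl-3.0 version of this change further down this page (pull/17333). The `config` hunk needs nothing beyond this.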
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via fb72a093f88f7332069659994b67f6b19aceb865 (commit) from 9c85ed8275b49bf240752386b06601358ca1e485 (commit) - Log - commit fb72a093f88f7332069659994b67f6b19aceb865 Author: Piotr Kubaj Date: Sat Dec 18 15:21:51 2021 +0100 Add support for BSD-riscv64 target Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk Reviewed-by: Paul Dale (cherry picked from commit c2d1ad0e048dd3bfa60e6aa0b5ee343cc6d97a15) (Merged from https://github.com/openssl/openssl/pull/17333) --- Summary of changes: Configurations/10-main.conf | 7 +++ util/perl/OpenSSL/config.pm | 1 + 2 files changed, 8 insertions(+) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 8414b34ed9..a7294d2ad1 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -1062,6 +1062,13 @@ my %targets = ( perlasm_scheme => "elf", }, +# riscv64 below refers to contemporary RISCV Architecture +# specifications, +"BSD-riscv64" => { +inherit_from => [ "BSD-generic64"], +perlasm_scheme => "linux64", +}, + "bsdi-elf-gcc" => { inherit_from => [ "BASE_unix" ], CC => "gcc", diff --git a/util/perl/OpenSSL/config.pm b/util/perl/OpenSSL/config.pm index 7250791b5b..81e9a03b48 100755 --- a/util/perl/OpenSSL/config.pm +++ b/util/perl/OpenSSL/config.pm @@ -741,6 +741,7 @@ EOF defines => [ 'L_ENDIAN' ] } ], [ 'powerpc64-.*-.*bsd.*', { target => "BSD-generic64", defines => [ 'B_ENDIAN' ] } ], + [ 'riscv64-.*-.*bsd.*', { target => "BSD-riscv64" } ], [ 'sparc64-.*-.*bsd.*', { target => "BSD-sparc64" } ], [ 'ia64-.*-.*bsd.*',{ target => "BSD-ia64" } ], [ 'x86_64-.*-dragonfly.*', { target => "BSD-x86_64" } ],
[openssl] master update
The branch master has been updated via b5557666bda56ce4b9464a3dbc65e2a1fa1e482b (commit) from b5e2b1d8447645b296375bc69b010ac4fedb07ac (commit) - Log - commit b5557666bda56ce4b9464a3dbc65e2a1fa1e482b Author: yangyangtiantianlonglong Date: Sun Jul 25 11:43:16 2021 +0800 Fix dtls timeout dead code Delete dtls timeout dead code in dtls1_handle_timeout Fix: #15559 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/16151) --- Summary of changes: include/openssl/dtls1.h | 4 ssl/d1_lib.c| 13 - ssl/ssl_local.h | 12 ++-- 3 files changed, 6 insertions(+), 23 deletions(-) diff --git a/include/openssl/dtls1.h b/include/openssl/dtls1.h index 985e409725..5dc6b5419c 100644 --- a/include/openssl/dtls1.h +++ b/include/openssl/dtls1.h @@ -49,10 +49,6 @@ extern "C" { # define DTLS1_AL_HEADER_LENGTH 2 -/* Timeout multipliers */ -# define DTLS1_TMO_READ_COUNT 2 -# define DTLS1_TMO_WRITE_COUNT 2 - # define DTLS1_TMO_ALERT_COUNT 12 #ifdef __cplusplus diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index a986252866..95a34093c9 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -352,7 +352,7 @@ static void dtls1_double_timeout(SSL *s) void dtls1_stop_timer(SSL *s) { /* Reset everything */ -memset(&s->d1->timeout, 0, sizeof(s->d1->timeout)); +s->d1->timeout_num_alerts = 0; memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout)); s->d1->timeout_duration_us = 100; BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, @@ -365,10 +365,10 @@ int dtls1_check_timeout_num(SSL *s) { size_t mtu; -s->d1->timeout.num_alerts++; +s->d1->timeout_num_alerts++; /* Reduce MTU after 2 unsuccessful retransmissions */ -if (s->d1->timeout.num_alerts > 2 +if (s->d1->timeout_num_alerts > 2 && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) { mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); 
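Review bot: The include/openssl/dtls1.h hunk deletes DTLS1_TMO_READ_COUNT and DTLS1_TMO_WRITE_COUNT from a public header, which is an API-visible removal even though the library itself no longer reads them; the diffstat lists only dtls1.h, d1_lib.c and ssl_local.h, so there is no CHANGES.md entry and applications referencing these macros would get an unannounced build break. Either keep the two defines with a comment marking them unused, or record the removal in CHANGES.md. The d1_lib.c hunk on the same line is a mechanical rename, though `/* Reset everything */` in dtls1_stop_timer() now precedes a single-field assignment and could read `/* Reset timeout bookkeeping */`.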
@@ -376,7 +376,7 @@ int dtls1_check_timeout_num(SSL *s) s->d1->mtu = mtu; } -if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) { +if (s->d1->timeout_num_alerts > DTLS1_TMO_ALERT_COUNT) { /* fail the connection, enough alerts have been sent */ SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_READ_TIMEOUT_EXPIRED); return -1; @@ -402,11 +402,6 @@ int dtls1_handle_timeout(SSL *s) return -1; } -s->d1->timeout.read_timeouts++; -if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) { -s->d1->timeout.read_timeouts = 1; -} - dtls1_start_timer(s); /* Calls SSLfatal() if required */ return dtls1_retransmit_buffered_messages(s); diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index dd82314602..ce93049180 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -1862,15 +1862,6 @@ struct hm_header_st { struct dtls1_retransmit_state saved_retransmit_state; }; -struct dtls1_timeout_st { -/* Number of read timeouts so far */ -unsigned int read_timeouts; -/* Number of write timeouts so far */ -unsigned int write_timeouts; -/* Number of alerts received so far */ -unsigned int num_alerts; -}; - typedef struct hm_fragment_st { struct hm_header_st msg_header; unsigned char *fragment; @@ -1916,7 +1907,8 @@ typedef struct dtls1_state_st { size_t mtu; /* max DTLS packet size */ struct hm_header_st w_msg_hdr; struct hm_header_st r_msg_hdr; -struct dtls1_timeout_st timeout; +/* Number of alerts received so far */ +unsigned int timeout_num_alerts; /* * Indicates when the last handshake msg sent will timeout */
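Review bot: The replacement comment in the ssl_local.h hunk, `/* Number of alerts received so far */`, is carried over from the deleted struct and does not describe what `timeout_num_alerts` holds: the d1_lib.c hunks show it incremented each time dtls1_check_timeout_num() runs, reset to 0 in dtls1_stop_timer(), and used to fail the connection with SSL_R_READ_TIMEOUT_EXPIRED once it exceeds DTLS1_TMO_ALERT_COUNT, so it appears to count retransmission timeouts rather than alerts received. Suggest `/* Number of handshake timeouts so far; the connection is failed once this exceeds DTLS1_TMO_ALERT_COUNT */`. The field name carries the same misnomer, but renaming it is a wider change than this dead-code cleanup intends.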
[openssl] master update
The branch master has been updated via ca001524971ccd595bc0e9843611e6784adfc981 (commit) from 2cff17fdb8bfd46ac8d72208a6538d91217cd629 (commit) - Log - commit ca001524971ccd595bc0e9843611e6784adfc981 Author: Matt Caswell Date: Thu Jul 15 14:08:56 2021 +0100 Fix some minor record layer issues Various comments referred to s->packet and s->packet_length instead of s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where RECORD_LAYER_write_pending() should have been used. Based on the review comments in #16077. Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/16086) --- Summary of changes: ssl/record/rec_layer_s3.c | 6 +++--- ssl/record/ssl3_record.c | 34 +- ssl/ssl_lib.c | 2 +- 3 files changed, 21 insertions(+), 21 deletions(-) diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 28e02e642c..ea7b0cbfde 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -172,9 +172,9 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, /* * If extend == 0, obtain new n-byte packet; if extend == 1, increase * packet by another n bytes. The packet will be in the sub-array of - * s->s3.rbuf.buf specified by s->packet and s->packet_length. (If - * s->rlayer.read_ahead is set, 'max' bytes may be stored in rbuf [plus - * s->packet_length bytes if extend == 1].) + * s->rlayer.rbuf.buf specified by s->rlayer.packet and + * s->rlayer.packet_length. (If s->rlayer.read_ahead is set, 'max' bytes may + * be stored in rbuf [plus s->rlayer.packet_length bytes if extend == 1].) * if clearold == 1, move the packet to the start of the buffer; if * clearold == 0 then leave any old packets where they were */ diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 4275c19cff..30af6508a7 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c 
@@ -428,7 +428,7 @@ int ssl3_get_record(SSL *s) } if (more > 0) { -/* now s->packet_length == SSL3_RT_HEADER_LENGTH */ +/* now s->rlayer.packet_length == SSL3_RT_HEADER_LENGTH */ rret = ssl3_read_n(s, more, more, 1, 0, &n); if (rret <= 0) @@ -439,9 +439,9 @@ int ssl3_get_record(SSL *s) RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER); /* - * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH - * + thisrr->length, or s->packet_length == SSL2_RT_HEADER_LENGTH - * + thisrr->length and we have that many bytes in s->packet + * At this point, s->rlayer.packet_length == SSL3_RT_HEADER_LENGTH + * + thisrr->length, or s->rlayer.packet_length == SSL2_RT_HEADER_LENGTH + * + thisrr->length and we have that many bytes in s->rlayer.packet */ if (thisrr->rec_version == SSL2_VERSION) { thisrr->input = @@ -452,11 +452,11 @@ int ssl3_get_record(SSL *s) } /* - * ok, we can now read from 's->packet' data into 'thisrr' thisrr->input - * points at thisrr->length bytes, which need to be copied into - * thisrr->data by either the decryption or by the decompression When - * the data is 'copied' into the thisrr->data buffer, thisrr->input will - * be pointed at the new buffer + * ok, we can now read from 's->rlayer.packet' data into 'thisrr'. + * thisrr->input points at thisrr->length bytes, which need to be copied + * into thisrr->data by either the decryption or by the decompression. + * When the data is 'copied' into the thisrr->data buffer, + * thisrr->input will be updated to point at the new buffer */ /* 
@@ -1512,16 +1512,16 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) sess = s->session; /* - * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, - * and we have that many bytes in s->packet + * At this point, s->rlayer.packet_length == SSL3_RT_HEADER_LNGTH + rr->length, + * and we have that many bytes in s->rlayer.packet */ rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]); /* - * ok, we can now read from 's->packet' data into 'rr' rr->input points - * at rr->length bytes, which need to be copied into rr->data by either - * the decryption or by the decompression When th
[openssl] master update
The branch master has been updated via 3bd5319b5d0df9ecf05c8baba2c401ad8e3ba130 (commit) from d101700dffa710f3de0ab6465dff688f55214bcc (commit) - Log - commit 3bd5319b5d0df9ecf05c8baba2c401ad8e3ba130 Author: Benjamin Kaduk Date: Tue Jul 6 07:49:39 2021 -0700 Fix comment for test_negotiated_group() test order Because of how the 'client_multi' variable is set, we end up running the tests where the client configures multiple groups (and the server only configures one) before the ones where the server configures multiple groups (and the client only configures one). Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16007) --- Summary of changes: test/sslapitest.c | 8 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 1b3db55d6b..49f7ef639d 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -4751,14 +4751,14 @@ static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
 * was offered in the resumption ClientHello.
 *
 * Using E for the number of EC groups and F for the number of FF groups:
- * E tests of ECDHE with TLS 1.3, client sends only one group
- * F tests of FFDHE with TLS 1.3, client sends only one group
- * E tests of ECDHE with TLS 1.2, client sends only one group
- * F tests of FFDHE with TLS 1.2, client sends only one group
 * E tests of ECDHE with TLS 1.3, server only has one group
 * F tests of FFDHE with TLS 1.3, server only has one group
 * E tests of ECDHE with TLS 1.2, server only has one group
 * F tests of FFDHE with TLS 1.2, server only has one group
+ * E tests of ECDHE with TLS 1.3, client sends only one group
+ * F tests of FFDHE with TLS 1.3, client sends only one group
+ * E tests of ECDHE with TLS 1.2, client sends only one group
+ * F tests of FFDHE with TLS 1.2, client sends only one group
 */
 static int test_negotiated_group(int idx)
 {
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 9008dc9e38bc35541957eacebafac35912d20821 (commit) from a0f0e6f38009a4a93bd724f6f9c741c413be22d4 (commit) - Log - commit 9008dc9e38bc35541957eacebafac35912d20821 Author: Todd Short Date: Wed May 26 10:03:35 2021 -0400 Call SSLfatal when the generate_ticket_cb returns 0 Otherwise, the state machine ends up being in a bad state: ``` SSL routines:write_state_machine:missing fatal:ssl/statem/statem.c:850: ``` Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/15485) --- Summary of changes: ssl/statem/statem_srvr.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index fec12f6130..30d20f1297 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -4139,9 +4139,12 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) } if (tctx->generate_ticket_cb != NULL && -tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) +tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) { +SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + ERR_R_INTERNAL_ERROR); goto err; - +} /* * If we are using anti-replay protection then we behave as if * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
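Review bot: The new SSLfatal() call carries no comment explaining why a zero return from generate_ticket_cb is escalated to an internal_error alert instead of simply not sending a ticket, and the commit message is the only place recording that omitting it leaves the write state machine reporting "missing fatal". Suggest a comment above the call: `/* A 0 return from the callback is a failure; without SSLfatal() the write state machine is left without a fatal error and reports "missing fatal" */`. The same addition appears in the master version of this change further down this page (pull/15487). tls_construct_new_session_ticket() and its err label continue outside the hunk.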
[openssl] master update
The branch master has been updated via e49095f186dcea5dbd902eae6cc81935063f782d (commit) from 07fb85cf6191961fcad824d2f8f2b2a0fcba18ce (commit) - Log - commit e49095f186dcea5dbd902eae6cc81935063f782d Author: Todd Short Date: Wed May 26 10:03:35 2021 -0400 Call SSLfatal when the generate_ticket_cb returns 0 Otherwise, the state machine ends up being in a bad state: ``` SSL routines:write_state_machine:missing fatal:ssl/statem/statem.c:XXX: ``` Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/15487) --- Summary of changes: ssl/statem/statem_srvr.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 386bd983fc..56d4b4591a 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3945,9 +3945,10 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) } if (tctx->generate_ticket_cb != NULL && -tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) +tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) { +SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; - +} /* * If we are using anti-replay protection then we behave as if * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
[openssl] master update
The branch master has been updated via 1376708c1cfee91a891057db132aa45aa2a81a98 (commit) from e6e618bf22ead6af2d7e5a5a540a39e5073296bb (commit) - Log - commit 1376708c1cfee91a891057db132aa45aa2a81a98 Author: Benjamin Kaduk Date: Fri May 21 10:25:00 2021 -0700 Allow TLS13_AD_MISSING_EXTENSION for older versions Add a pass-through switch case for TLS13_AD_MISSING_EXTENSION in ssl3_alert_code() and tls1_alert_code(), so that the call to SSLfatal() in final_psk() will always actually generate an alert, even for non-TLS1.3 protocol versions. Fixes #15375 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15412) --- Summary of changes: ssl/s3_enc.c | 2 ++ ssl/t1_enc.c | 2 ++ 2 files changed, 4 insertions(+)
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index cf4d5fe4e7..88ac6e4205 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -589,6 +589,8 @@ int ssl3_alert_code(int code)
 return TLS1_AD_NO_APPLICATION_PROTOCOL;
 case SSL_AD_CERTIFICATE_REQUIRED:
 return SSL_AD_HANDSHAKE_FAILURE;
+case TLS13_AD_MISSING_EXTENSION:
+return SSL_AD_HANDSHAKE_FAILURE;
 default:
 return -1;
 }
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 5e9c3a0ee5..886709bf4a 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -848,6 +848,8 @@ int tls1_alert_code(int code)
 return TLS1_AD_NO_APPLICATION_PROTOCOL;
 case SSL_AD_CERTIFICATE_REQUIRED:
 return SSL_AD_HANDSHAKE_FAILURE;
+case TLS13_AD_MISSING_EXTENSION:
+return SSL_AD_HANDSHAKE_FAILURE;
 default:
 return -1;
 }
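Review bot: Both new cases map TLS13_AD_MISSING_EXTENSION to SSL_AD_HANDSHAKE_FAILURE without a comment, and nothing in ssl3_alert_code() or tls1_alert_code() tells a reader why a TLS 1.3 alert code appears in the pre-1.3 mapping tables. Suggest, above each new case, `/* missing_extension exists only in TLS 1.3; older versions have no equivalent, so downgrade to handshake_failure */`. The two functions carry identical case lists for this and the neighbouring alerts, so any future alert addition has to be made twice; a shared helper is beyond this fix but a TODO noting the duplication would help.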
[openssl] master update
The branch master has been updated via 6e495312fda0e669d105172c1ac8a8c0bf52da6d (commit) via a0bbcb42a94cc6bc4f72d567c5e701b4cecf5be6 (commit) via 7c73fefe38f4fce9437b1d24d90dd5aa411c7e28 (commit) from e34e91d7e575a2f69119601f2d34655cb6816148 (commit) - Log - commit 6e495312fda0e669d105172c1ac8a8c0bf52da6d Author: Benjamin Kaduk Date: Thu Apr 8 18:41:46 2021 -0700 Update SSL_new_session_ticket() manual for triggered send Document the recently added functionality. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14817) commit a0bbcb42a94cc6bc4f72d567c5e701b4cecf5be6 Author: Benjamin Kaduk Date: Thu Apr 8 17:09:18 2021 -0700 Test new SSL_new_session_ticket() functionality Now that we can become "in init" directly after the call, test the various scenarios where explicit SSL_do_handshake() calls can come into play. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14817) commit 7c73fefe38f4fce9437b1d24d90dd5aa411c7e28 Author: Benjamin Kaduk Date: Fri Apr 2 10:04:24 2021 -0700 Let SSL_new_session_ticket() enter init immediately The initial implementation always deferred the generation of the requested ticket(s) until the next application write, but this is not a great fit for what it actually does, architecturally wise. A request to send a session ticket means entering back into the handshake state machine (or "in init", as it's known in the implementation). The state machine transition is not something that only occurs at an application-data write, and in general could occur at any time. The only constraint is that we can't enter "init" while in the middle of writing application data. In such cases we will need to wait until the next TLS record boundary to enter the state machine, as is currently done. However, there is no reason why we cannot enter the handshake state machine immediately in SSL_new_session_ticket() if there are no application writes pending. 
Doing so provides a cleaner API surface to the application, as then calling SSL_do_handshake() suffices to drive the actual ticket generation. In the previous state of affairs a dummy zero-length SSL_write() would be needed to trigger the ticket generation, which is a logical mismatch in the type of operation being performed. This commit should only change whether SSL_do_handshake() vs zero-length SSL_write() is needed to immediately generate a ticket after the SSL_new_session_ticket() call -- the default behavior is still to defer the actual write until there is other application data to write, unless the application requests otherwise. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14817) --- Summary of changes: doc/man3/SSL_CTX_set_num_tickets.pod | 27 --- ssl/ssl_lib.c| 6 +- test/sslapitest.c| 26 +++--- 3 files changed, 44 insertions(+), 15 deletions(-) diff --git a/doc/man3/SSL_CTX_set_num_tickets.pod b/doc/man3/SSL_CTX_set_num_tickets.pod index aa673bd8d0..7ab62d3ad3 100644 --- a/doc/man3/SSL_CTX_set_num_tickets.pod +++ b/doc/man3/SSL_CTX_set_num_tickets.pod 
@@ -45,17 +45,22 @@ sent. To issue tickets after other events (such as application-layer changes), SSL_new_session_ticket() is used by a server application to request that a new ticket be sent when it is safe to do so. New tickets are only allowed to be -sent in this manner after the initial handshake has completed, and only for TLS -1.3 connections. The ticket generation and transmission are delayed until the -server is starting a new write operation, so that it is bundled with other -application data being written and properly aligned to a record boundary. -SSL_new_session_ticket() can be called more than once to request additional -tickets be sent; all such requests are queued and written together when it is -safe to do so. Note that a successful return from SSL_new_session_ticket() -indicates only that the request to send a ticket was processed, not that the -ticket itself was sent. To be notified when the ticket itself is sent, a -new-session callback can be registered with L that -will be invoked as the ticket or tickets are generated. +sent in this manner after the initial handshake has completed, and only for +TLS 1.3 connections. By default, the ticket generation and transmission are +delayed until the server is starting a new write operation, so that it is +bundled with other application data being written and properly aligned to a +record boundary. If the
[openssl] master update
The branch master has been updated via 6dc56df26c41666ee5138da6c97bdb400fd03025 (commit) via f89d3d698c570703b7fc0908603faf61f6f68446 (commit) via 75d4852090bb898b39be8e7ae2874720bd0a9c5c (commit) via c22ad9b64a9f2cca64400836caee7279a9de8cc1 (commit) via aa6bd216dd2691d1254eabcbd584691eb3b4b9b8 (commit) from a8457b4c3d86a42209eabe90eddb605f59041f9e (commit) - Log - commit 6dc56df26c41666ee5138da6c97bdb400fd03025 Author: Benjamin Kaduk Date: Tue Mar 16 22:03:36 2021 -0700 Add extensive test coverage for SSL_get_negotiated_group() This is nearly comprehensive, but we cannot exercise the functionality for PSK-only TLS 1.3 resumption, since openssl talking to openssl will always negotiate psk_dhe_ke. Exercise both the TLS 1.3 and 1.2 cases, for initial handshakes and resumptions, and for ECDHE and FFDHE. Since RFC 7919 named groups (for FFDHE) are only supported for TLS 1.3, the TLS 1.2 versions of those scenarios expect to get NID_undef since the key exchange was not performed using a named group. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14750) commit f89d3d698c570703b7fc0908603faf61f6f68446 Author: Benjamin Kaduk Date: Tue Mar 16 20:13:47 2021 -0700 move group lists out of test_key_exchange() in preparation for reuse Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14750) commit 75d4852090bb898b39be8e7ae2874720bd0a9c5c Author: Benjamin Kaduk Date: Tue Mar 16 16:10:04 2021 -0700 Extend SSL_get_negotiated_group() tests for TLS 1.2 We don't implement RFC 7919 named groups for TLS 1.2, so we can only test the ECDHE case for non-TLS-1.3. Interestingly, though the test_key_exchange() routine claimed to be exercising ffdhe2048 with TLS 1.2, the configured ciphers were incompatible with DHE key exchange, so we ended up just using RSA key transport and not doing an ephemeral key exchange at all. 
Reconfigure the tests to actually exercise ephemeral key exchange for both the EC and FF cases (even though we don't use the named group information for the finite-field case). Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14750) commit c22ad9b64a9f2cca64400836caee7279a9de8cc1 Author: Benjamin Kaduk Date: Tue Mar 16 13:42:00 2021 -0700 Regenerate testsid.pem Convert this file to the new format, that includes the kex_group integer value. This is needed in order for the round-trip conversion test to return the same value as the initial input. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14750) commit aa6bd216dd2691d1254eabcbd584691eb3b4b9b8 Author: Benjamin Kaduk Date: Tue Mar 16 07:47:09 2021 -0700 Promote SSL_get_negotiated_group() for non-TLSv1.3 It can be useful to know what group was used for the handshake's key exchange process even on non-TLS 1.3 connections. Allow this API, new in OpenSSL 3.0.0, to be used on other TLS versions as well. Since pre-TLS-1.3 key exchange occurs only on full handshakes, this necessitates adding a field to the SSL_SESSION object to carry the group information across resumptions. The key exchange group in the SSL_SESSION can also be relevant in TLS 1.3 when the resumption handshake uses the "psk_ke" key-exchange mode, so also track whether a fresh key exchange was done for TLS 1.3. Since the new field is optional in the ASN.1 sense, there is no need to increment SSL_SESSION_ASN1_VERSION (which incurs strong incompatibility churn). 
Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14750) --- Summary of changes: doc/man3/SSL_CTX_set1_curves.pod | 18 +-- ssl/s3_lib.c | 11 +- ssl/ssl_asn1.c | 8 +- ssl/ssl_local.h | 7 ++ ssl/statem/extensions_clnt.c | 23 ssl/statem/extensions_srvr.c | 3 + ssl/statem/statem_clnt.c | 2 + ssl/statem/statem_srvr.c | 4 +- test/sslapitest.c| 252 +-- test/testsid.pem | 4 +- 10 files changed, 307 insertions(+), 25 deletions(-) diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod index 5eebb2b933..65892e46a5 100644 --- a/doc/man3/SSL_CTX_set1_curves.pod +++ b/doc/man3/SSL_CTX_set1_curves.pod @@ -77,10 +77,15 @@ NID_undef is returned. If the NID for the shared group is unknown then the value is set to the bitwise OR of TLSEXT_nid_unknown (0x100) and the id of the group. -SSL_get_negotiated_group() returns the NID of
[openssl] master update
The branch master has been updated via a8457b4c3d86a42209eabe90eddb605f59041f9e (commit) from 522827160936319841f3f83fd246f92da96f5686 (commit) - Log - commit a8457b4c3d86a42209eabe90eddb605f59041f9e Author: Richard Levitte Date: Fri May 14 07:23:51 2021 +0200 ASN1: Fix i2d_provided() return value i2d_provided() - which is the internal provider data function for i2d_KeyParams(), i2d_PrivateKey(), i2d_PublicKey() - didn't treat the returned length from OSSL_ENCODER_to_data() quite as well as it should have. A simple added flag that records the state of |*pp| before calling OSSL_ENCODER_to_data() fixes the problem. Fixes #14655 Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/15277) --- Summary of changes: crypto/asn1/i2d_evp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/asn1/i2d_evp.c b/crypto/asn1/i2d_evp.c index 2a101a6fa3..f03dcb2666 100644 --- a/crypto/asn1/i2d_evp.c +++ b/crypto/asn1/i2d_evp.c @@ -48,6 +48,7 @@ static int i2d_provided(const EVP_PKEY *a, int selection, * down, when pp != NULL. */ size_t len = INT_MAX; +int pp_was_NULL = (pp == NULL || *pp == NULL); ctx = OSSL_ENCODER_CTX_new_for_pkey(a, selection, output_info->output_type, @@ -56,7 +57,7 @@ static int i2d_provided(const EVP_PKEY *a, int selection, if (ctx == NULL) return -1; if (OSSL_ENCODER_to_data(ctx, pp, &len)) { -if (pp == NULL) +if (pp_was_NULL) ret = (int)len; else ret = INT_MAX - (int)len;
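Review bot: `pp_was_NULL` is true in two distinct situations, `pp == NULL` (length query) and `*pp == NULL` (the encoder allocates the output buffer), and the hunk gives no comment on why both are folded together or why the flag has to be captured before the call. Suggest on the new line: `/* OSSL_ENCODER_to_data() may set *pp when it starts out NULL, so decide before the call whether len will be the total size or the remaining space */`. This is inferred from the commit message and from the `INT_MAX - (int)len` arithmetic in the second hunk; confirm against the documented behaviour of OSSL_ENCODER_to_data(). The `(int)len` casts also truncate silently if the encoder ever reports a size above INT_MAX, though that path predates this change.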
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via b743b16113ca0e30c383191c804de37dbfc4f12e (commit) via df1fd3c986f5a58b6dc87d2c4bb565a8f1e688fa (commit) via 5d88a9c62c81e38918becae96a842986e2e0940e (commit) via 1ab7b9991ba00a1423ec6c5898a70e11d1337cfb (commit) from a812f8fc8f3c9ba30e5ecd2c168cca0613f15dcd (commit) - Log - commit b743b16113ca0e30c383191c804de37dbfc4f12e Author: Benjamin Kaduk Date: Mon Mar 29 23:05:22 2021 -0700 Update expected results for tls13kexmodes tests One of the scenarios constructed in these tests was erroneously producing successful handshakes until the previous commits, but should have been failing. Update our expected behavior to match the specification requirements, and adjust the commentary slightly for a test case relevant for the other preceding commit. Reviewed-by: Tomas Mraz (cherry picked from commit 80c25611abd7067815943187f36f5e1879201678) (Merged from https://github.com/openssl/openssl/pull/15255) commit df1fd3c986f5a58b6dc87d2c4bb565a8f1e688fa Author: Benjamin Kaduk Date: Mon Mar 29 21:27:49 2021 -0700 Don't send key_share for PSK-only key exchange TLS 1.3 allows for the "psk_ke" and "psk_dhe_ke" key-exchange modes. Only the latter mode introduces a new ephemeral (Diffie-Hellman) key exchange, with the PSK being the only key material used in the former case. It's a compliance requirement of RFC 8446 that the server MUST NOT send a KeyShareEntry when using the "psk_ke" mode, but prior to this commit we would send a key-share based solely on whether the client sent one. This bug goes unnoticed in our internal test suite since openssl communicating with openssl can never negotiate the PSK-only key-exchange mode. However, we should still be compliant with the spec, so check whether the DHE mode was offered and don't send a key-share if it wasn't. 
Reviewed-by: Tomas Mraz (cherry picked from commit e776858bce32d473bd7a69c616ad7f6c2f979dfc) (Merged from https://github.com/openssl/openssl/pull/15255) commit 5d88a9c62c81e38918becae96a842986e2e0940e Author: Benjamin Kaduk Date: Mon Mar 29 23:08:10 2021 -0700 make update Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15255) commit 1ab7b9991ba00a1423ec6c5898a70e11d1337cfb Author: Benjamin Kaduk Date: Mon Mar 29 23:03:49 2021 -0700 Improve RFC 8446 PSK key exchange mode compliance It's a MUST-level requirement that if the client sends a pre_shared_key extension not accompanied by a psk_key_exchange_modes extension, the server must abort the handshake. Prior to this commit the server would continue on. Reviewed-by: Tomas Mraz (cherry picked from commit efe0f315354b020213097885c79ce856a2f5ac68) (Merged from https://github.com/openssl/openssl/pull/15255) --- Summary of changes: crypto/err/openssl.txt | 2 ++ include/openssl/sslerr.h | 2 ++ ssl/ssl_err.c| 3 +++ ssl/statem/extensions.c | 19 ++- ssl/statem/extensions_srvr.c | 7 +++ test/recipes/70-test_tls13kexmodes.t | 12 +--- 6 files changed, 37 insertions(+), 8 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index e0e60ffa38..017a9a6652 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1160,6 +1160,7 @@ SSL_F_FINAL_EC_PT_FORMATS:485:final_ec_pt_formats SSL_F_FINAL_EMS:486:final_ems SSL_F_FINAL_KEY_SHARE:503:final_key_share SSL_F_FINAL_MAXFRAGMENTLEN:557:final_maxfragmentlen +SSL_F_FINAL_PSK:639:final_psk SSL_F_FINAL_RENEGOTIATE:483:final_renegotiate SSL_F_FINAL_SERVER_NAME:558:final_server_name SSL_F_FINAL_SIG_ALGS:497:final_sig_algs 
@@ -2741,6 +2742,7 @@ SSL_R_MISSING_DSA_SIGNING_CERT:165:missing dsa signing cert SSL_R_MISSING_ECDSA_SIGNING_CERT:381:missing ecdsa signing cert SSL_R_MISSING_FATAL:256:missing fatal SSL_R_MISSING_PARAMETERS:290:missing parameters +SSL_R_MISSING_PSK_KEX_MODES_EXTENSION:310:missing psk kex modes extension SSL_R_MISSING_RSA_CERTIFICATE:168:missing rsa certificate SSL_R_MISSING_RSA_ENCRYPTING_CERT:169:missing rsa encrypting cert SSL_R_MISSING_RSA_SIGNING_CERT:170:missing rsa signing cert diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index 9060fd1b75..701d61c6e9 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -70,6 +70,7 @@ int ERR_load_SSL_strings(void); # define SSL_F_FINAL_EMS 486 # define SSL_F_FINAL_KEY_SHARE503 # define SSL_F_FINAL_MAXFRAGMENTLEN 557 +# defi
[openssl] master update
The branch master has been updated via 466cab4758289f91215eada905cf334d334830fa (commit) from 80c25611abd7067815943187f36f5e1879201678 (commit) - Log - commit 466cab4758289f91215eada905cf334d334830fa Author: Benjamin Kaduk Date: Sat May 8 08:49:36 2021 -0700 apps: improve hygeine for SET_EXPECT macro Wrap all parameters in parentheses in the expansion, make explicit the use of the 'expect' input, wrap the whole expression in parentheses, and remove duplicate semicolon. Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/15203) --- Summary of changes: apps/lib/apps.c | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 67e089bcd4..dafcf419bf 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -847,7 +847,7 @@ static const char *format2string(int format) } /* Set type expectation, but clear it if objects of different types expected. */ -#define SET_EXPECT(val) expect = expect < 0 ? val : (expect == val ? val : 0); +#define SET_EXPECT(expect, val) ((expect) = (expect) < 0 ? (val) : ((expect) == (val) ? (val) : 0)) /* * Load those types of credentials for which the result pointer is not NULL. * Reads from stdio if uri is NULL and maybe_stdin is nonzero. 
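Review bot: The rewritten SET_EXPECT on the `+#define` line still expands `(val)` twice, so a call with a side-effecting argument would evaluate it twice; every call site in the following hunks passes an OSSL_STORE_INFO_* constant, so this is a latent rather than a live hazard. A small function removes both that and the need to pass the lvalue as a macro argument, e.g. `static void set_expect(int *expect, int val) { *expect = *expect < 0 ? val : (*expect == val ? val : 0); }` with call sites becoming `set_expect(&expect, OSSL_STORE_INFO_PKEY);`. The macro's comment could also state the contract, `/* Set type expectation; cleared to 0 once objects of different types are expected, negative means none set yet */` — the negative-means-unset reading is inferred from the `< 0` test, so confirm it against the declaration of expect, which is outside the hunk.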
@@ -889,22 +889,22 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, if (ppkey != NULL) { *ppkey = NULL; cnt_expectations++; -SET_EXPECT(OSSL_STORE_INFO_PKEY); +SET_EXPECT(expect, OSSL_STORE_INFO_PKEY); } if (ppubkey != NULL) { *ppubkey = NULL; cnt_expectations++; -SET_EXPECT(OSSL_STORE_INFO_PUBKEY); +SET_EXPECT(expect, OSSL_STORE_INFO_PUBKEY); } if (pparams != NULL) { *pparams = NULL; cnt_expectations++; -SET_EXPECT(OSSL_STORE_INFO_PARAMS); +SET_EXPECT(expect, OSSL_STORE_INFO_PARAMS); } if (pcert != NULL) { *pcert = NULL; cnt_expectations++; -SET_EXPECT(OSSL_STORE_INFO_CERT); +SET_EXPECT(expect, OSSL_STORE_INFO_CERT); } if (pcerts != NULL) { if (*pcerts == NULL && (*pcerts = sk_X509_new_null()) == NULL) { @@ -912,12 +912,12 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, goto end; } cnt_expectations++; -SET_EXPECT(OSSL_STORE_INFO_CERT); +SET_EXPECT(expect, OSSL_STORE_INFO_CERT); } if (pcrl != NULL) { *pcrl = NULL; cnt_expectations++; -SET_EXPECT(OSSL_STORE_INFO_CRL); +SET_EXPECT(expect, OSSL_STORE_INFO_CRL); } if (pcrls != NULL) { if (*pcrls == NULL && (*pcrls = sk_X509_CRL_new_null()) == NULL) { @@ -925,7 +925,7 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, goto end; } cnt_expectations++; -SET_EXPECT(OSSL_STORE_INFO_CRL); +SET_EXPECT(expect, OSSL_STORE_INFO_CRL); } if (cnt_expectations == 0) { BIO_printf(bio_err, "Internal error: nothing to load from %s\n",
[openssl] master update
The branch master has been updated via 80c25611abd7067815943187f36f5e1879201678 (commit) via e776858bce32d473bd7a69c616ad7f6c2f979dfc (commit) via f84ab284e91991a80191cf0e6d22ddc452043661 (commit) via efe0f315354b020213097885c79ce856a2f5ac68 (commit) from 8f965908a53b4f0c5a735739e8a273a3a33a976e (commit) - Log - commit 80c25611abd7067815943187f36f5e1879201678 Author: Benjamin Kaduk Date: Mon Mar 29 23:05:22 2021 -0700 Update expected results for tls13kexmodes tests One of the scenarios constructed in these tests was erroneously producing successful handshakes until the previous commits, but should have been failing. Update our expected behavior to match the specification requirements, and adjust the commentary slightly for a test case relevant for the other preceding commit. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14749) commit e776858bce32d473bd7a69c616ad7f6c2f979dfc Author: Benjamin Kaduk Date: Mon Mar 29 21:27:49 2021 -0700 Don't send key_share for PSK-only key exchange TLS 1.3 allows for the "psk_ke" and "psk_dhe_ke" key-exchange modes. Only the latter mode introduces a new ephemeral (Diffie-Hellman) key exchange, with the PSK being the only key material used in the former case. It's a compliance requirement of RFC 8446 that the server MUST NOT send a KeyShareEntry when using the "psk_ke" mode, but prior to this commit we would send a key-share based solely on whether the client sent one. This bug goes unnoticed in our internal test suite since openssl communicating with openssl can never negotiate the PSK-only key-exchange mode. However, we should still be compliant with the spec, so check whether the DHE mode was offered and don't send a key-share if it wasn't. 
Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14749) commit f84ab284e91991a80191cf0e6d22ddc452043661 Author: Benjamin Kaduk Date: Mon Mar 29 23:08:10 2021 -0700 make update Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14749) commit efe0f315354b020213097885c79ce856a2f5ac68 Author: Benjamin Kaduk Date: Mon Mar 29 23:03:49 2021 -0700 Improve RFC 8446 PSK key exchange mode compliance It's a MUST-level requirement that if the client sends a pre_shared_key extension not accompanied by a psk_key_exchange_modes extension, the server must abort the handshake. Prior to this commit the server would continue on. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14749) --- Summary of changes: crypto/err/openssl.txt | 1 + include/openssl/sslerr.h | 1 + ssl/ssl_err.c| 2 ++ ssl/statem/extensions.c | 19 ++- ssl/statem/extensions_srvr.c | 7 +++ test/recipes/70-test_tls13kexmodes.t | 12 +--- 6 files changed, 34 insertions(+), 8 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 1391c00a17..9ad6757857 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1361,6 +1361,7 @@ SSL_R_MISSING_DSA_SIGNING_CERT:165:missing dsa signing cert SSL_R_MISSING_ECDSA_SIGNING_CERT:381:missing ecdsa signing cert SSL_R_MISSING_FATAL:256:missing fatal SSL_R_MISSING_PARAMETERS:290:missing parameters +SSL_R_MISSING_PSK_KEX_MODES_EXTENSION:310:missing psk kex modes extension SSL_R_MISSING_RSA_CERTIFICATE:168:missing rsa certificate SSL_R_MISSING_RSA_ENCRYPTING_CERT:169:missing rsa encrypting cert SSL_R_MISSING_RSA_SIGNING_CERT:170:missing rsa signing cert diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index 87aa4f0d00..a4746d70b5 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h 
@@ -159,6 +159,7 @@ # define SSL_R_MISSING_ECDSA_SIGNING_CERT 381 # define SSL_R_MISSING_FATAL 256 # define SSL_R_MISSING_PARAMETERS 290 +# define SSL_R_MISSING_PSK_KEX_MODES_EXTENSION310 # define SSL_R_MISSING_RSA_CERTIFICATE168 # define SSL_R_MISSING_RSA_ENCRYPTING_CERT169 # define SSL_R_MISSING_RSA_SIGNING_CERT 170 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index c15a24f65f..595e9f5ed0 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -237,6 +237,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { "missing ecdsa signing cert"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_FATAL), "missing fatal"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_PARAMETERS), "missing parameters"}, +{ERR_PAC
[openssl] master update
The branch master has been updated via 8be513ae46765ab4c4c3e244640652c24633288d (commit) from f7f0632b01cf16efccb133e395cf115c194bd003 (commit) - Log - commit 8be513ae46765ab4c4c3e244640652c24633288d Author: Daniel Bevenius Date: Wed Apr 28 10:30:13 2021 +0200 Mark pop/clear error stack in der2key_decode_p8 This commit sets the error mark before calling d2i_X509_SIG and clear it if that function call is successful. The motivation for this is that if d2i_X509_SIG returns NULL then the else clause will be entered and d2i_PKCS8_PRIV_KEY_INFO will be called. If d2i_X509_SIG raised any errors those error will be on the error stack when d2i_PKCS8_PRIV_KEY_INFO gets called, and even if it returns successfully those errors will still be on the error stack. We ran into this issue when upgrading Node.js to 3.0.0-alpha15. More details can be found in the ref links below. Refs: https://github.com/nodejs/node/issues/38373 Refs: https://github.com/danbev/learning-libcrypto/blob/master/notes/wrong-tag-issue2.md Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/15067) --- Summary of changes: .../implementations/encode_decode/decode_der2key.c | 5 test/evp_extra_test.c | 35 ++ 2 files changed, 40 insertions(+) diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index 73acf527c1..01c050ccb0 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -124,10 +124,13 @@ static void *der2key_decode_p8(const unsigned char **input_der, ctx->flag_fatal = 0; +ERR_set_mark(); if ((p8 = d2i_X509_SIG(NULL, input_der, input_der_len)) != NULL) { char pbuf[PEM_BUFSIZE]; size_t plen = 0; +ERR_clear_last_mark(); + if (!pw_cb(pbuf, sizeof(pbuf), &plen, NULL, pw_cbarg)) ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PASSPHRASE); else 
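Review bot: The added `ERR_set_mark();` has no comment saying why the mark is needed, while the matching pop in the else branch of the next hunk does; a reader of the success path sees an ERR_clear_last_mark() with no explanation of what was being bracketed. Suggest `/* d2i_X509_SIG() is only a probe for encrypted PKCS#8: mark so its errors can be discarded if we fall through to the plain PKCS#8 path */` above the ERR_set_mark() line. der2key_decode_p8's body starts before and continues after this hunk.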
@@ -136,6 +139,8 @@ static void *der2key_decode_p8(const unsigned char **input_der,
ctx->flag_fatal = 1;
X509_SIG_free(p8);
} else {
+/* Pop any errors that might have been raised by d2i_X509_SIG. */
+ERR_pop_to_mark();
p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, input_der, input_der_len);
}
if (p8inf != NULL
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 7fd45bc316..56522e4af9 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -1172,7 +1172,41 @@ static int test_EVP_PKCS82PKEY(void)
return ret;
}
+
#endif
+static int test_EVP_PKCS82PKEY_wrong_tag(void)
+{
+EVP_PKEY *pkey = NULL;
+EVP_PKEY *pkey2 = NULL;
+BIO *membio = NULL;
+char *membuf = NULL;
+PKCS8_PRIV_KEY_INFO *p8inf = NULL;
+int ok = 0;
+
+if (testctx != NULL)
+/* test not supported with non-default context */
+return 1;
+
+if (!TEST_ptr(membio = BIO_new(BIO_s_mem()))
+|| !TEST_ptr(pkey = load_example_rsa_key())
+|| !TEST_int_gt(i2d_PKCS8PrivateKey_bio(membio, pkey, NULL,
+NULL, 0, NULL, NULL),
+0)
+|| !TEST_int_gt(BIO_get_mem_data(membio, &membuf), 0)
+|| !TEST_ptr(p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(membio, NULL))
+|| !TEST_ptr(pkey2 = EVP_PKCS82PKEY(p8inf))
+|| !TEST_int_eq(ERR_get_error(), 0)) {
+goto done;
+}
+
+ok = 1;
+ done:
+EVP_PKEY_free(pkey);
+EVP_PKEY_free(pkey2);
+PKCS8_PRIV_KEY_INFO_free(p8inf);
+BIO_free_all(membio);
+return ok;
+}
/* This uses kExampleRSAKeyDER and kExampleRSAKeyPKCS8 to verify encoding */
static int test_privatekey_to_pkcs8(void)
@@ -2894,6 +2928,7 @@ int setup_tests(void)
ADD_TEST(test_EVP_Enveloped);
ADD_ALL_TESTS(test_d2i_AutoPrivateKey, OSSL_NELEM(keydata));
ADD_TEST(test_privatekey_to_pkcs8);
+ADD_TEST(test_EVP_PKCS82PKEY_wrong_tag);
#ifndef OPENSSL_NO_EC
ADD_TEST(test_EVP_PKCS82PKEY);
#endif
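Review bot: In test_EVP_PKCS82PKEY_wrong_tag the final `TEST_int_eq(ERR_get_error(), 0)` is the assertion that actually checks the fix, but nothing empties the error queue at the start of the test, so an entry left behind by an earlier test would make it fail for the wrong reason, and ERR_get_error() consumes the entry so the framework cannot print it afterwards. Suggest `ERR_clear_error();` before the `if (!TEST_ptr(membio ...` chain and `|| !TEST_ulong_eq(ERR_peek_error(), 0)` for the check, which also matches the unsigned long return type. The function name refers to a wrong tag but the body never says what that means; a one-line comment above it, such as `/* Decoding an unencrypted PKCS#8 key must not leave the failed d2i_X509_SIG() probe (wrong ASN.1 tag) on the error queue */`, would tie it to the der2key_decode_p8 change.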
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 207b8693b0821aab356ce9dccb7f2fe86e5e035a (commit) from a9e808fadcff1b1b4bf5dece753ee5eb00c9cc16 (commit) - Log - commit 207b8693b0821aab356ce9dccb7f2fe86e5e035a Author: David Carlier Date: Sat Apr 24 16:13:26 2021 +0100 BIO_listen: disable setting ipv6_v6only on OpenBSD as it is a read only data and true Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/15015) (cherry picked from commit f7f0632b01cf16efccb133e395cf115c194bd003) --- Summary of changes: crypto/bio/b_sock2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/bio/b_sock2.c b/crypto/bio/b_sock2.c
index 335dfabc61..f54b550ecf 100644
--- a/crypto/bio/b_sock2.c
+++ b/crypto/bio/b_sock2.c
@@ -243,7 +243,8 @@ int BIO_listen(int sock, const BIO_ADDR *addr, int options)
}
}
-# ifdef IPV6_V6ONLY
+ /* On OpenBSD it is always ipv6 only with ipv6 sockets thus read-only */
+# if defined(IPV6_V6ONLY) && !defined(__OpenBSD__)
if (BIO_ADDR_family(addr) == AF_INET6) {
/*
* Note: Windows default of IPV6_V6ONLY is ON, and Linux is OFF.
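Review bot: Excluding OpenBSD from the `# if defined(IPV6_V6ONLY) && !defined(__OpenBSD__)` guard means an AF_INET6 listener there is always v6-only, so a caller that did not ask for BIO_SOCK_V6_ONLY and expects a dual-stack socket gets a different result with no error; that is unavoidable on that platform but worth stating in the comment, e.g. `/* OpenBSD: IPV6_V6ONLY is read-only and always set, so AF_INET6 listeners never accept v4-mapped connections there regardless of BIO_SOCK_V6_ONLY */`. The option check this block guards is outside the hunk, so whether BIO_SOCK_V6_ONLY is consulted here is inferred from the surrounding Note comment. The same applies to the master version of this change further down the page (the @@ -264,7 +264,8 @@ hunk). BIO_listen's body continues outside the hunk.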
[openssl] master update
The branch master has been updated via f7f0632b01cf16efccb133e395cf115c194bd003 (commit) from 10646160125ac1328d892f1dd27f2847892d33c5 (commit) - Log - commit f7f0632b01cf16efccb133e395cf115c194bd003 Author: David Carlier Date: Sat Apr 24 16:13:26 2021 +0100 BIO_listen: disable setting ipv6_v6only on OpenBSD as it is a read only data and true Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/15015) --- Summary of changes: crypto/bio/b_sock2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/bio/b_sock2.c b/crypto/bio/b_sock2.c
index 0446e7fd8d..f13f20148b 100644
--- a/crypto/bio/b_sock2.c
+++ b/crypto/bio/b_sock2.c
@@ -264,7 +264,8 @@ int BIO_listen(int sock, const BIO_ADDR *addr, int options)
}
}
-# ifdef IPV6_V6ONLY
+ /* On OpenBSD it is always ipv6 only with ipv6 sockets thus read-only */
+# if defined(IPV6_V6ONLY) && !defined(__OpenBSD__)
if (BIO_ADDR_family(addr) == AF_INET6) {
/*
* Note: Windows default of IPV6_V6ONLY is ON, and Linux is OFF.
[openssl] master update
The branch master has been updated via 32b1da718d5d6f35fcef82f3794273807d6202e9 (commit) from ab9d1af955ef71cbc27140623481a003d35c (commit) - Log - commit 32b1da718d5d6f35fcef82f3794273807d6202e9 Author: Benjamin Kaduk Date: Tue May 4 12:33:28 2021 -0700 tasn_dec: use do/while around statement macros Use the do {} while (0) construct around macros whose bodies are complete statements (including one that has internal control flow!). This is safer and avoids any risk of misinterpretation if the macro is used in an unexpected context. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15143) --- Summary of changes: crypto/asn1/tasn_dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 20717df461..aaf3de7e19 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -90,9 +90,9 @@ unsigned long ASN1_tag2bit(int tag)
/* Macro to initialize and invalidate the cache */
-#define asn1_tlc_clear(c) if ((c) != NULL) (c)->valid = 0
+#define asn1_tlc_clear(c) do { if ((c) != NULL) (c)->valid = 0; } while (0)
/* Version to avoid compiler warning about 'c' always non-NULL */
-#define asn1_tlc_clear_nc(c)(c)->valid = 0
+#define asn1_tlc_clear_nc(c)do {(c)->valid = 0; } while (0)
/*
* Decode an ASN1 item, this currently behaves just like a standard 'd2i'
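Review bot: The two new `do { ... } while (0)` bodies are formatted differently: asn1_tlc_clear has spaces inside the braces while asn1_tlc_clear_nc reads `do {(c)->valid = 0; } while (0)`; suggest `#define asn1_tlc_clear_nc(c) do { (c)->valid = 0; } while (0)` so both macros look alike. The whitespace between the macro name and its body is not recoverable from the mail rendering, so this only concerns the brace spacing.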
[openssl] master update
The branch master has been updated via 6c0ac9b99f2b7278a5ec60ef0c29c71e9eb4f40d (commit) via cbbbc8fce41cc162c75d1e5bd1053b6085cb3b47 (commit) via 72d2670bd21becfa6a64bb03fa55ad82d6d0c0f3 (commit) from 8369592d35da7d321b8d2f4b5591acd7248a (commit) - Log - commit 6c0ac9b99f2b7278a5ec60ef0c29c71e9eb4f40d Author: Benjamin Kaduk Date: Mon May 3 13:23:53 2021 -0700 adapt tests to SSL_OP_LEGACY_SERVER_CONNECT change The "bad DTLS" tests run into trouble due to the special behavior for that "bad" version, and the SSL record tests need to set the -legacy_server_connect flag to allow an SSLv2 ClientHello to work against any TLS server (since SSLv2 ClientHello messages cannot carry extensions as would be needed in order to negotiate the use of the renegitiation_info extension). Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15127) commit cbbbc8fce41cc162c75d1e5bd1053b6085cb3b47 Author: Benjamin Kaduk Date: Mon May 3 13:43:55 2021 -0700 Correct ssl_conf logic for "legacy_server_connect" This option is only useful for the client, but it was previously marked as only being applicable for servers. Correct the entry to properly mark it as client-only, and update the s_server/s_client manuals accordingly. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15127) commit 72d2670bd21becfa6a64bb03fa55ad82d6d0c0f3 Author: Benjamin Kaduk Date: Mon May 3 12:16:19 2021 -0700 Enforce secure renegotiation support by default Previously we would set SSL_OP_LEGACY_SERVER_CONNECT by default in SSL_CTX_new(), to allow connections to legacy servers that did not implement RFC 5746. It has been more than a decade since RFC 5746 was published, so there has been plenty of time for implmentation support to roll out. Change the default behavior to be to require peers to support secure renegotiation. 
Existing applications that already cleared SSL_OP_LEGACY_SERVER_CONNECT will see no behavior change, as re-clearing the flag is just a little bit of redundant work. The old behavior is still available by explicitly setting the flag in the application. Also remove SSL_OP_LEGACY_SERVER_CONNECT from SSL_OP_ALL, for similar reasons. Document the behavior change in CHANGES.md, and update the SSL_CTX_set_options() and SSL_CONF_cmd manuals to reflect the change in default behavior. Fixes: 14848 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15127) --- Summary of changes: CHANGES.md| 8 doc/man1/openssl-s_client.pod.in | 1 + doc/man1/openssl-s_server.pod.in | 1 - doc/man3/SSL_CONF_cmd.pod | 1 - doc/man3/SSL_CTX_set_options.pod | 19 ++- include/openssl/ssl.h.in | 1 - ssl/ssl_conf.c| 2 +- ssl/ssl_lib.c | 5 - test/bad_dtls_test.c | 2 ++ test/recipes/70-test_sslrecords.t | 2 +- 10 files changed, 19 insertions(+), 23 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 7b6c7c5ffb..6e89f9814c 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -82,6 +82,14 @@ OpenSSL 3.0 *Boris Pismenny, John Baldwin and Andrew Gallatin* + * Support for RFC 5746 secure renegotiation is now required by default for + SSL or TLS connections to succeed. Applications that require the ability + to connect to legacy peers will need to explicitly set + SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT + is no longer set as part of SSL_OP_ALL. + + *Benjamin Kaduk* + * The signature of the `copy` functional parameter of the EVP_PKEY_meth_set_copy() function has changed so its `src` argument is now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 6d6ba81384..e11df7a9ae 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in 
@@ -83,6 +83,7 @@ B B [B<-comp>] [B<-no_comp>] [B<-brief>] +[B<-legacy_server_connect>] [B<-allow_no_dhe_kex>] [B<-sigalgs> I] [B<-curves> I] diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index 243ab8b3e0..fa4190a869 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -94,7 +94,6 @@ B B [B<-serverpref>] [B<-legacy_renegotiation>] [B<-no_renegotiation>] -[B<-legacy_server_connect>] [B<-no_resumption_on_reneg>] [B<-no_legacy_server_connect>] [B<-allow_no_dhe_kex>] diff --git a/doc/man
[openssl] master update
The branch master has been updated via cd0aca532091de4dfadf2f12b18dd99e9cba7615 (commit) from 16b8862d80dbfb627b72cba36739de29235d8f3d (commit) - Log - commit cd0aca532091de4dfadf2f12b18dd99e9cba7615 Author: Tomas Mraz Date: Wed Apr 14 15:12:52 2021 +0200 Update krb5 module to latest release Fixes #14902 Also add workaround of `sudo hostname localhost` for the intermittent test failures seen in CI. Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/14872) --- Summary of changes: .github/workflows/ci.yml| 2 ++ krb5| 2 +- test/recipes/95-test_external_krb5.t| 2 +- test/recipes/95-test_external_krb5_data/krb5.sh | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ee4a2c8f2b..ec35e84ff3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -221,6 +221,8 @@ jobs: uses: perl-actions/install-with-cpanm@v1 with: install: Test2::V0 +- name: setup hostname workaround + run: sudo hostname localhost - name: config run: ./config --strict-warnings --debug no-afalgeng enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-external-tests && perl configdata.pm --dump - name: make diff --git a/krb5 b/krb5 index 890ca2f401..3195e18f66 16 --- a/krb5 +++ b/krb5 @@ -1 +1 @@ -Subproject commit 890ca2f401924cdcb88f493950b04700bbe52db3 +Subproject commit 3195e18f6608890866cf7a60ea538f4649d4fe82 diff --git a/test/recipes/95-test_external_krb5.t b/test/recipes/95-test_external_krb5.t index dca2c065d3..9b8067d5d1 100644 --- a/test/recipes/95-test_external_krb5.t +++ b/test/recipes/95-test_external_krb5.t @@ -17,7 +17,7 @@ setup("test_external_krb5"); plan skip_all => "No external tests in this configuration" if disabled("external-tests"); plan skip_all => "krb5 not available" -if ! -f srctop_file("krb5", "src", "configure.in"); +if ! -f srctop_file("krb5", "src", "configure.ac"); plan tests => 1; 
diff --git a/test/recipes/95-test_external_krb5_data/krb5.sh b/test/recipes/95-test_external_krb5_data/krb5.sh
index 6b267242f7..4c901bebf7 100755
--- a/test/recipes/95-test_external_krb5_data/krb5.sh
+++ b/test/recipes/95-test_external_krb5_data/krb5.sh
@@ -13,7 +13,7 @@ CFLAGS="-I`pwd`/$BLDTOP/include -I`pwd`/$SRCTOP/include"
cd $SRCTOP/krb5/src
autoreconf
-./configure --with-ldap --with-prng-alg=os --enable-pkinit \
+./configure --with-ldap --with-prng-alg=os --disable-pkinit \
--with-crypto-impl=openssl --with-tls-impl=openssl \
CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS"
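Review bot: The switch from `--enable-pkinit` to `--disable-pkinit` in krb5.sh is explained neither in the script nor in the commit message, which only mentions the module update and the hostname workaround, so the next person updating the submodule cannot tell whether PKINIT was dropped because it no longer builds against this tree or because its tests were the flaky ones. Suggest a comment above the configure line, `# --disable-pkinit: <reason it cannot be built or tested against this krb5 revision>`. The `setup hostname workaround` step in the ci.yml hunk on the previous line would likewise benefit from a `# see openssl/openssl#14902` comment so the workaround can be retired once the intermittent failure is understood.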
[openssl] master update
The branch master has been updated via 20c2876f24d0ccf9581ace08c7882d544d2588ea (commit) from c6b09ea0fe23a572a781681b3c1f436e8b0932fe (commit) - Log - commit 20c2876f24d0ccf9581ace08c7882d544d2588ea Author: Benjamin Kaduk Date: Mon Mar 22 15:02:04 2021 -0700 Increase HKDF_MAXBUF from 1024 to 2048 We've encountered some scenarios that need to use more than 1 kB of data as the HKDF-Expand() "info" argument (which, per RFC 5869, contains "optional context and application specific information"). Since HKDF_MAXBUF is used to size an array in the HKDF_PKEY_CTX structure, this adds 1 kB of memory footprint to each EVP_PKEY_CTX used for HKDF. Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14649) --- Summary of changes: providers/implementations/kdfs/hkdf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
index 52b284c662..2d3c72f501 100644
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@@ -30,7 +30,7 @@
#include "prov/provider_util.h"
#include "e_os.h"
-#define HKDF_MAXBUF 1024
+#define HKDF_MAXBUF 2048
static OSSL_FUNC_kdf_newctx_fn kdf_hkdf_new;
static OSSL_FUNC_kdf_freectx_fn kdf_hkdf_free;
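Review bot: `#define HKDF_MAXBUF 2048` carries no comment, so the next reader sees a bare size and learns neither what it bounds nor the per-context memory cost the commit message describes. Suggest `/* Upper bound on the HKDF "info" data held inline in the HKDF ctx; raising it grows every EVP_PKEY_CTX used for HKDF by the same amount (1 kB -> 2 kB, PR 14649) */` above the define. Whether the same constant also sizes the salt or key buffers is not visible in the hunk, so adjust the comment to whatever the struct actually uses it for.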
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via cfd74383d9b06f85cb1e166180346115a3f9a452 (commit) from ffefffa000437da5703dd8a173386623304b055d (commit) - Log - commit cfd74383d9b06f85cb1e166180346115a3f9a452 Author: Chenglong Zhang Date: Mon Mar 22 15:29:28 2021 +0800 Fix missing INVALID_EXTENSION Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14639) --- Summary of changes: ssl/statem/extensions.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 9f51a6eb28..b055935d69 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -336,6 +336,8 @@ static const EXTENSION_DEFINITION ext_defs[] = {
tls_construct_stoc_key_share, tls_construct_ctos_key_share,
final_key_share
},
+#else
+INVALID_EXTENSION,
#endif
{
/* Must be after key_share */
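Review bot: `+INVALID_EXTENSION,` is added without a comment and the commit message says only that it was missing, so a reader of the `#else` branch cannot see why a placeholder entry is required at all. The `/* Must be after key_share */` context line suggests ext_defs[] is position-dependent, in which case a comment such as `/* keep ext_defs[] aligned with the TLSEXT_IDX_* indices when key_share is compiled out */` on the placeholder would make the coupling explicit — confirm it against the index enum, which is outside the hunk. The enclosing `#if` is also outside the hunk.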
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via a88ea7dfdfba2c34bd575076f12f06d80dd2c0c2 (commit) from 3a6e6b1f94ae41e2fd73483464c9c80ddcf30d17 (commit) - Log - commit a88ea7dfdfba2c34bd575076f12f06d80dd2c0c2 Author: Benjamin Kaduk Date: Wed Feb 24 13:38:25 2021 -0800 Check ASN1_item_ndef_i2d() return value. Return an error instead of trying to malloc a negative number. The other usage in this file already had a similar check, and the caller should have put an entry on the error stack already. Note that we only check the initial calls to obtain the encoded length, and assume that the follow-up call to actually encode to the allocated storage will succeed if the first one did. Fixes: #14177 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14308) (cherry picked from commit 90b4247cc5dca58cee9da5f6975bb38fd200100a) --- Summary of changes: crypto/asn1/bio_ndef.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
index 6222c99074..5642262719 100644
--- a/crypto/asn1/bio_ndef.c
+++ b/crypto/asn1/bio_ndef.c
@@ -113,6 +113,8 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
ndef_aux = *(NDEF_SUPPORT **)parg;
derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
+if (derlen < 0)
+return 0;
if ((p = OPENSSL_malloc(derlen)) == NULL) {
ASN1err(ASN1_F_NDEF_PREFIX, ERR_R_MALLOC_FAILURE);
return 0;
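Review bot: The new `if (derlen < 0) return 0;` path adds nothing to the error stack itself; the commit message says the callee is expected to have done so, but that contract is not visible here, and a bare return next to a branch that does call ASN1err() reads like a silent failure. Suggest `/* ASN1_item_ndef_i2d() has already raised an error for this */` above the check so the asymmetry is clearly deliberate. The same applies to the master version of this hunk (@@ -114,6 +114,8 @@ in the next entry on the page). ndef_prefix's body continues outside the hunk.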
[openssl] master update
The branch master has been updated via 90b4247cc5dca58cee9da5f6975bb38fd200100a (commit) from d2ccfb9caa9f69d4980f8fe49a15a043c91b40c5 (commit) - Log - commit 90b4247cc5dca58cee9da5f6975bb38fd200100a Author: Benjamin Kaduk Date: Wed Feb 24 13:38:25 2021 -0800 Check ASN1_item_ndef_i2d() return value. Return an error instead of trying to malloc a negative number. The other usage in this file already had a similar check, and the caller should have put an entry on the error stack already. Note that we only check the initial calls to obtain the encoded length, and assume that the follow-up call to actually encode to the allocated storage will succeed if the first one did. Fixes: #14177 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14308) --- Summary of changes: crypto/asn1/bio_ndef.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
index 87c22e897c..f1ad8d3e70 100644
--- a/crypto/asn1/bio_ndef.c
+++ b/crypto/asn1/bio_ndef.c
@@ -114,6 +114,8 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
ndef_aux = *(NDEF_SUPPORT **)parg;
derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
+if (derlen < 0)
+return 0;
if ((p = OPENSSL_malloc(derlen)) == NULL) {
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
return 0;
[openssl] master update
The branch master has been updated via ce0b307ea01bc5e3e178cd4dba45f9bb9d4ba5df (commit) from 6eb7c748d115bd6ba89ceefd642de3deca8773ea (commit) - Log - commit ce0b307ea01bc5e3e178cd4dba45f9bb9d4ba5df Author: Benjamin Kaduk Date: Wed May 27 11:17:07 2020 -0700 Remove disabled TLS 1.3 ciphers from the SSL(_CTX) In ssl_create_cipher_list() we make a pass through the ciphers to remove those which are disabled in the current libctx. We are careful to not include such disabled TLS 1.3 ciphers in the final consolidated cipher list that we produce, but the disabled ciphers are still kept in the separate stack of TLS 1.3 ciphers associated with the SSL or SSL_CTX in question. This leads to confusing results where a cipher is present in the tls13_cipherlist but absent from the actual cipher list in use. Keep the books in order and remove the disabled ciphers from the 1.3 cipherlist at the same time we skip adding them to the active cipher list. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12037) --- Summary of changes: ssl/ssl_ciph.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index d517799895..0b6f01ccc1 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1625,8 +1625,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
if ((sslc->algorithm_enc & disabled_enc) != 0
|| (ssl_cipher_table_mac[sslc->algorithm2 & SSL_HANDSHAKE_MAC_MASK].mask
-& ctx->disabled_mac_mask) != 0)
+& ctx->disabled_mac_mask) != 0) {
+sk_SSL_CIPHER_delete(tls13_ciphersuites, i);
+i--;
continue;
+}
if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
sk_SSL_CIPHER_free(cipherstack);
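Review bot: The `+i--;` after `sk_SSL_CIPHER_delete(tls13_ciphersuites, i);` compensates for the loop increment, but the loop header is outside the hunk and the idiom is easy to break when the loop is later refactored; suggest `/* deleted the current element: step back so the loop's increment revisits index i */` on that line. Deleting from tls13_ciphersuites also mutates the stack attached to the SSL or SSL_CTX being configured rather than a local copy, per the commit message; if that stack can be shared between an SSL and its SSL_CTX, the caller needs checking, which is not visible here. ssl_create_cipher_list's body continues outside the hunk.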
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via a12c6442f24a32867c971b6feb5db61d01b02c1f (commit) via b6de54b2c1062f15819174784d9bd53c85c432d3 (commit) from 01cf4f868e08f82daa16d049fa7d241d8089c8d8 (commit) - Log - commit a12c6442f24a32867c971b6feb5db61d01b02c1f Author: John Baldwin Date: Thu Jan 7 14:09:41 2021 -0800 Close /dev/crypto file descriptor after CRIOGET ioctl(). Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (cherry picked from commit 3ddf44ea5a2c1c8c55f4f4072a611791c79d4e7c) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13853) commit b6de54b2c1062f15819174784d9bd53c85c432d3 Author: John Baldwin Date: Fri Nov 20 17:07:35 2020 -0800 Use CRIOGET to fetch a crypto descriptor when present. FreeBSD's current /dev/crypto implementation requires that consumers clone a separate file descriptor via the CRIOGET ioctl that can then be used with other ioctls such as CIOCGSESSION. Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (cherry picked from commit b39c215decf6e68c28cb64dcfaf5ae5a7e8d35b4) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13853) --- Summary of changes: crypto/engine/eng_devcrypto.c | 15 ++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c index 49e9ce1af3..997271e150 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/crypto/engine/eng_devcrypto.c @@ -758,8 +758,9 @@ static int devcrypto_unload(ENGINE *e) void engine_load_devcrypto_int() { ENGINE *e = NULL; +int fd; -if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { +if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) { #ifndef ENGINE_DEVCRYPTO_DEBUG if (errno != ENOENT) #endif 
@@ -767,6 +768,18 @@ void engine_load_devcrypto_int()
 return;
 }
+#ifdef CRIOGET
+if (ioctl(fd, CRIOGET, &cfd) < 0) {
+fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno));
+close(fd);
+cfd = -1;
+return;
+}
+close(fd);
+#else
+cfd = fd;
+#endif
+
 if ((e = ENGINE_new()) == NULL || !ENGINE_set_destroy_function(e, devcrypto_unload)) {
 ENGINE_free(e);
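Review bot: The success-path `close(fd);` after the CRIOGET ioctl has no comment saying why the descriptor opened a few lines earlier is discarded, and a reader who does not know FreeBSD's /dev/crypto will read it as closing the device we are about to use; suggest `/* CRIOGET cloned a private crypto descriptor into cfd; the device node fd is no longer needed */` above it. The failure path prints with fprintf(stderr) from library code unconditionally, whereas the open() failure just above is silenced for ENOENT unless ENGINE_DEVCRYPTO_DEBUG is set; the same gating, or the ENGINE error-queue path, would be more consistent. The return value of close() is ignored on both paths, which is acceptable here but could be noted. engine_load_devcrypto_int() continues past the hunk.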
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via ee833fe9c325ecacc15b1f4e6c931f69aac0664e (commit) from b5aff22ac90623afeb0c74b36096f85eff5bc2b9 (commit) - Log - commit ee833fe9c325ecacc15b1f4e6c931f69aac0664e Author: Benjamin Kaduk Date: Wed Jan 27 12:19:08 2021 -0800 Remove unused 'peer_type' from SSL_SESSION This field has not been used since #3858 was merged in 2017 when we moved to a table-based lookup for certificate type properties instead of an index-based one. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/13991) (cherry picked from commit 3bc0b621a7baf1a11bc5cad69a287ad093674d68) --- Summary of changes: ssl/ssl_local.h | 1 - ssl/statem/statem_clnt.c | 1 - 2 files changed, 2 deletions(-) diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 8ddbde7729..3f02751dde 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -537,7 +537,6 @@ struct ssl_session_st { int not_resumable; /* This is the cert and type for the other end. */ X509 *peer; -int peer_type; /* Certificate chain peer sent. */ STACK_OF(X509) *peer_chain; /* diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 3420ce65c7..d68cd1f9d7 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1960,7 +1960,6 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) goto err; } } -s->session->peer_type = certidx; X509_free(s->session->peer); X509_up_ref(x);
[openssl] master update
The branch master has been updated via 3bc0b621a7baf1a11bc5cad69a287ad093674d68 (commit) from af53092c2b67a8a0b76ae73385414cb1815ea7cc (commit) - Log - commit 3bc0b621a7baf1a11bc5cad69a287ad093674d68 Author: Benjamin Kaduk Date: Wed Jan 27 12:19:08 2021 -0800 Remove unused 'peer_type' from SSL_SESSION This field has not been used since #3858 was merged in 2017 when we moved to a table-based lookup for certificate type properties instead of an index-based one. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/13991) --- Summary of changes: ssl/ssl_local.h | 1 - ssl/statem/statem_clnt.c | 1 - 2 files changed, 2 deletions(-) diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 5956b6c834..2687a47c2a 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -585,7 +585,6 @@ struct ssl_session_st { int not_resumable; /* This is the cert and type for the other end. */ X509 *peer; -int peer_type; /* Certificate chain peer sent. */ STACK_OF(X509) *peer_chain; /* diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 1e9ab00976..83862e076d 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1916,7 +1916,6 @@ WORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst) return WORK_ERROR; } } -s->session->peer_type = certidx; X509_free(s->session->peer); X509_up_ref(x);
[openssl] master update
The branch master has been updated via 3ddf44ea5a2c1c8c55f4f4072a611791c79d4e7c (commit) from 678cae0295e3fe600edc049742b8c765a58edebc (commit) - Log - commit 3ddf44ea5a2c1c8c55f4f4072a611791c79d4e7c Author: John Baldwin Date: Thu Jan 7 14:09:41 2021 -0800 Close /dev/crypto file descriptor after CRIOGET ioctl(). Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13807) --- Summary of changes: engines/e_devcrypto.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
index d549edfd29..e1c4372f72 100644
--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -1236,9 +1236,11 @@ static int open_devcrypto(void)
 #ifdef CRIOGET
 if (ioctl(fd, CRIOGET, &cfd) < 0) {
 fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno));
+close(fd);
 cfd = -1;
 return 0;
 }
+close(fd);
 #else
 cfd = fd;
 #endif
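Review bot: The second `close(fd);`, on the success path, is the one that needs a comment, since closing the descriptor we just opened looks wrong without knowing that CRIOGET hands back a separate descriptor in `cfd`; suggest `/* cfd is the cloned crypto descriptor; the device node fd served only to obtain it */`. On the failure path the order is right (strerror(errno) is formatted before close() can clobber errno), which is worth preserving with a short note so a later reshuffle does not swap them. open_devcrypto() starts and ends outside the hunk.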
[openssl] master update
The branch master has been updated via 7fd1ca723a06739e76a17d1065ac94bcfcfc4f9f (commit) via b39c215decf6e68c28cb64dcfaf5ae5a7e8d35b4 (commit) from 3497cc8776d50397ceefbd41bd3356a7f5d30c14 (commit) - Log - commit 7fd1ca723a06739e76a17d1065ac94bcfcfc4f9f Author: John Baldwin Date: Fri Nov 20 17:45:48 2020 -0800 Support session information on FreeBSD. FreeBSD's /dev/crypto does not provide a CIOCGSESSINFO ioctl, but it does provide other ioctls that can be used to provide similar functionality. First, FreeBSD's /dev/crypto defines a CIOCGESSION2 ioctl which accepts a 'struct session2_op'. This structure extends 'struct session_op' with a 'crid' member which can be used to either request an individual driver by id, or a class of drivers via flags. To determine if the available drivers for a given algorithm are accelerated or not, use CIOCGESSION2 to first attempt to create an accelerated (hardware) session. If that fails, fall back to attempting a software session. In addition, when requesting a new cipher session, use the current setting of the 'use_softdrivers' flag to determine the value assigned to 'crid' when invoking CIOCGSESSION2. Finally, use the returned 'crid' value from CIOCGSESSION2 to look up the name of the associated driver via the CIOCFINDDEV ioctl. Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13468) commit b39c215decf6e68c28cb64dcfaf5ae5a7e8d35b4 Author: John Baldwin Date: Fri Nov 20 17:07:35 2020 -0800 Use CRIOGET to fetch a crypto descriptor when present. FreeBSD's current /dev/crypto implementation requires that consumers clone a separate file descriptor via the CRIOGET ioctl that can then be used with other ioctls such as CIOCGSESSION. Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13468) --- Summary of changes: engines/e_devcrypto.c | 86 +++ 1 file changed, 73 insertions(+), 13 deletions(-) 
diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c index d54ca3bbc1..7f3768d36c 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c @@ -34,6 +34,16 @@ #define engine_devcrypto_id "devcrypto" +/* + * Use session2_op on FreeBSD which permits requesting specific + * drivers or classes of drivers at session creation time. + */ +#ifdef CIOCGSESSION2 +typedef struct session2_op session_op_t; +#else +typedef struct session_op session_op_t; +#endif + /* * ONE global file descriptor for all sessions. This allows operations * such as digest session data copying (see digest_copy()), but is also @@ -73,12 +83,12 @@ struct driver_info_st { void engine_load_devcrypto_int(void); #endif -static int clean_devcrypto_session(struct session_op *sess) { +static int clean_devcrypto_session(session_op_t *sess) { if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { ERR_raise_data(ERR_LIB_SYS, errno, "calling ioctl()"); return 0; } -memset(sess, 0, sizeof(struct session_op)); +memset(sess, 0, sizeof(*sess)); return 1; } @@ -93,7 +103,7 @@ static int clean_devcrypto_session(struct session_op *sess) { */ struct cipher_ctx { -struct session_op sess; +session_op_t sess; int op; /* COP_ENCRYPT or COP_DECRYPT */ unsigned long mode; /* EVP_CIPH_*_MODE */ @@ -198,6 +208,7 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); const struct cipher_data_st *cipher_d = get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); +int ret; /* cleanup a previous session */ if (cipher_ctx->sess.ses != 0 && 
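Review bot: `typedef struct session2_op session_op_t;` (and its `struct session_op` twin) chooses a `_t`-suffixed identifier, a namespace POSIX reserves for its own types; a project-owned name such as `devcrypto_session_op` avoids the clash without changing anything else in the hunks. The `memset(sess, 0, sizeof(*sess));` rewrite in clean_devcrypto_session() is the right companion change, since the memset now follows whichever struct the typedef resolves to. `struct cipher_ctx` and cipher_init() both extend beyond the hunks shown here.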
@@ -210,7 +221,15 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT; cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE; cipher_ctx->blocksize = cipher_d->blocksize; -if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { +#ifdef CIOCGSESSION2 +cipher_ctx->sess.crid = (use_softdrivers == DEVCRYPTO_USE_SOFTWARE) ? +CRYPTO_FLAG_SOFTWARE | CRYPTO_FLAG_HARDWARE : +CRYPTO_FLAG_HARDWARE; +ret = ioctl(cfd, CIOCGSESSION2, &cipher_ctx->sess); +#else +ret = ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess); +#endif +if (ret < 0) { ERR_raise_data(ERR_LIB_SYS, errno, "calling ioctl()"); return 0; } @@ -406,9 +425,12 @@ static int devcrypto_test_c
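Review bot: The `cipher_ctx->sess.crid` assignment needs a comment: `CRYPTO_FLAG_SOFTWARE | CRYPTO_FLAG_HARDWARE` when `use_softdrivers == DEVCRYPTO_USE_SOFTWARE` and `CRYPTO_FLAG_HARDWARE` otherwise reads as if software were preferred, when it is merely permitted; suggest `/* crid: let the kernel choose a software driver only when explicitly enabled, otherwise hardware drivers only */`. `ret` is declared in the previous hunk and assigned on both sides of the `#ifdef CIOCGSESSION2`, so it is never read uninitialised. cipher_init() continues past the hunk, and the `@@ -406` hunk that follows is cut off in this view.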
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 9be10637502bf32189055dff8d3442e140e845c5 (commit) from 64a1b940d2b640e5edf0feae90e81bbb6b4941e7 (commit) - Log - commit 9be10637502bf32189055dff8d3442e140e845c5 Author: David Carlier Date: Tue Dec 8 17:43:10 2020 + CRYPTO_secure_malloc_init: BSD support improvements. Backport of #13394 Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13637) --- Summary of changes: crypto/mem_sec.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c index b5f959ba15..222c786cba 100644 --- a/crypto/mem_sec.c +++ b/crypto/mem_sec.c @@ -34,6 +34,12 @@ # include # endif # endif +# if defined(__FreeBSD__) +# define MADV_DONTDUMP MADV_NOCORE +# endif +# if !defined(MAP_CONCEAL) +# define MAP_CONCEAL 0 +# endif # include # include # include @@ -442,7 +448,7 @@ static int sh_init(size_t size, int minsize) if (1) { #ifdef MAP_ANON sh.map_result = mmap(NULL, sh.map_size, - PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE, -1, 0); + PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE|MAP_CONCEAL, -1, 0); } else { #endif int fd;
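Review bot: `# define MADV_DONTDUMP MADV_NOCORE` under `__FreeBSD__` is unconditional, unlike the `MAP_CONCEAL` fallback directly below it, which is guarded by `!defined(MAP_CONCEAL)`; should a FreeBSD header ever supply MADV_DONTDUMP this becomes a macro redefinition. Suggest `# if defined(__FreeBSD__) && !defined(MADV_DONTDUMP)`. In the sh_init() hunk MAP_CONCEAL is ORed only into the MAP_ANON mmap() call, and on platforms without the flag it expands to 0, which a one-line comment at the define (`/* no-op where the platform lacks MAP_CONCEAL */`) would make obvious. sh_init() starts and ends outside the hunk.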
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 9d5580612887b0c37016e7b65707e8e9dc27f4bb (commit) from 924c4f942108cc05d97fe03a70ce0ef0a00c4e45 (commit) - Log - commit 9d5580612887b0c37016e7b65707e8e9dc27f4bb Author: Benjamin Kaduk Date: Sat Nov 28 17:11:46 2020 -0800 Fix comment in do_dtls1_write() This code started off as a copy of ssl3_write_bytes(), and the comment was not updated with the implementation. Reported by yangyangtiantianlonglong in #13518 Reviewed-by: Shane Lontis Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13566) (cherry picked from commit 70cae332a2c200087605f94cdccfee80c9380fbf) --- Summary of changes: ssl/record/rec_layer_d1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 73ca8a6ee4..7e22270485 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -808,8 +808,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, wb = &s->rlayer.wbuf[0]; /* - * first check if there is a SSL3_BUFFER still being written out. This - * will happen with non blocking IO + * DTLS writes whole datagrams, so there can't be anything left in + * the buffer. */ if (!ossl_assert(SSL3_BUFFER_get_left(wb) == 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE,
[openssl] master update
The branch master has been updated via 70cae332a2c200087605f94cdccfee80c9380fbf (commit) from 0a3b330cf09dd3746f4f9c5bb82d9bbcfff809c1 (commit) - Log - commit 70cae332a2c200087605f94cdccfee80c9380fbf Author: Benjamin Kaduk Date: Sat Nov 28 17:11:46 2020 -0800 Fix comment in do_dtls1_write() This code started off as a copy of ssl3_write_bytes(), and the comment was not updated with the implementation. Reported by yangyangtiantianlonglong in #13518 Reviewed-by: Shane Lontis Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13566) --- Summary of changes: ssl/record/rec_layer_d1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 53ac5eebbc..cc412bae37 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -800,8 +800,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, wb = &s->rlayer.wbuf[0]; /* - * first check if there is a SSL3_BUFFER still being written out. This - * will happen with non blocking IO + * DTLS writes whole datagrams, so there can't be anything left in + * the buffer. */ if (!ossl_assert(SSL3_BUFFER_get_left(wb) == 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
[openssl] master update
The branch master has been updated via 6568d7a93127d097122e2ce10491d06a363929e9 (commit) via 410f5bb18908d89e5e35339049adf4070925faec (commit) from d27a8e922ba0b5357abf435cca75b5fe133cfe94 (commit) - Log - commit 6568d7a93127d097122e2ce10491d06a363929e9 Author: John Baldwin Date: Fri Oct 9 15:12:53 2020 -0700 Collapse two identical if statements into a single body. These two bodies should be grouped together anyway as the reason for the call to BIO_flush() is to permit using BIO_set_ktls_ctrl_msg(). Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13090) commit 410f5bb18908d89e5e35339049adf4070925faec Author: John Baldwin Date: Wed Oct 7 14:34:19 2020 -0700 Allow zero-byte writes to be reported as success. When using KTLS, empty fragments sent as a mitigation for known-IV weakenesses in TLS 1.0 are sent as writes of 0 bytes. The TLS header and trailer are added to the empty fragment by the kernel. Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13090) --- Summary of changes: ssl/record/rec_layer_s3.c | 14 +- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 0d9228c670..17ee8bd483 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1189,10 +1189,6 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, i = BIO_flush(s->wbio); if (i <= 0) return i; -} - -if (BIO_get_ktls_send(s->wbio) -&& type != SSL3_RT_APPLICATION_DATA) { BIO_set_ktls_ctrl_msg(s->wbio, type); } /* TODO(size_t): Convert this call */ 
@@ -1206,7 +1202,15 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BIO_NOT_SET); i = -1; } -if (i > 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) { + + /* +* When an empty fragment is sent on a connection using KTLS, +* it is sent as a write of zero bytes. If this zero byte +* write succeeds, i will be 0 rather than a non-zero value. +* Treat i == 0 as success rather than an error for zero byte +* writes to permit this case. +*/ +if (i >= 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) { SSL3_BUFFER_set_left(&wb[currbuf], 0); SSL3_BUFFER_add_offset(&wb[currbuf], tmpwrit); if (currbuf + 1 < s->rlayer.numwpipes)
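Review bot: `if (i >= 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf]))` accepts a zero return from the BIO write for every BIO, not only KTLS ones, so a non-KTLS BIO returning 0 against an empty pending buffer would now be reported as a completed write instead of reaching the error handling below the hunk. If the empty-buffer case only arises with KTLS, as the new comment states, tying the relaxation to it preserves the old behaviour elsewhere: `if ((i > 0 || (i == 0 && BIO_get_ktls_send(s->wbio))) && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) {`. Whether `tmpwrit` is set to 0 before a zero-byte write is not visible here; confirm it cannot carry a stale value from an earlier pipe. ssl3_write_pending() continues on both sides of the hunk.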
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 25fa346e906c4f487727cfebd5a40740709e677b (commit) via d5242203692812a57b2012083822f0c818ca55c1 (commit) from 5795acffd8706e1cb584284ee5bb3a30986d0e75 (commit) - Log - commit 25fa346e906c4f487727cfebd5a40740709e677b Author: Benjamin Kaduk Date: Sun Sep 27 15:01:12 2020 -0700 Unify ssl3_get_cipher_by_std_name() implementation The handling for the SCSVs was the same as for regular ciphers; just merge them into the same table-driven handler. Reviewed-by: Paul Dale (cherry picked from commit 231849bc9ca69dfd3adf40821421d8e2d804d8e8) (Merged from https://github.com/openssl/openssl/pull/13280) commit d5242203692812a57b2012083822f0c818ca55c1 Author: hklaas <71921312+hkl...@users.noreply.github.com> Date: Sat Sep 26 10:54:13 2020 +0100 optimise ssl3_get_cipher_by_std_name() Return immediately on matched cipher. Without this patch the code only breaks out of the inner for loop, meaning for a matched TLS13 cipher the code will still loop through 160ish SSL3 ciphers. CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy (cherry picked from commit d93bded6aa2852e681de2ed76fb43c415687af68) Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13280) --- Summary of changes: ssl/s3_lib.c | 21 ++--- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index a987604bcd..4511b52c9a 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c 
@@ -4072,9 +4072,10 @@ const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id) const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname) { -SSL_CIPHER *c = NULL, *tbl; -SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers}; -size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS}; +SSL_CIPHER *tbl; +SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers, ssl3_scsvs}; +size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS, + SSL3_NUM_SCSVS}; /* this is not efficient, necessary to optimize this? */ for (j = 0; j < OSSL_NELEM(alltabs); j++) { @@ -4082,21 +4083,11 @@ const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname) if (tbl->stdname == NULL) continue; if (strcmp(stdname, tbl->stdname) == 0) { -c = tbl; -break; -} -} -} -if (c == NULL) { -tbl = ssl3_scsvs; -for (i = 0; i < SSL3_NUM_SCSVS; i++, tbl++) { -if (strcmp(stdname, tbl->stdname) == 0) { -c = tbl; -break; +return tbl; } } } -return c; +return NULL; } /*
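Review bot: Folding `ssl3_scsvs` into `alltabs` quietly changes SCSV handling: the unified loop skips entries with a NULL `stdname` (the `if (tbl->stdname == NULL) continue;` context line), whereas the removed SCSV loop called strcmp() on `tbl->stdname` unconditionally. That is the safer behaviour, but it deserves a line in the comment above the loop, e.g. `/* SCSVs are searched like ciphers; entries without a stdname are skipped */`, and the surviving `/* this is not efficient, necessary to optimize this? */` could note that `return tbl;` now ends the search at the first match. The same applies to the master commit 231849b (ssl/s3_lib.c hunks further down in this digest).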
[openssl] master update
The branch master has been updated via e7a8fecd0b1138b156bee71d92372abda956f1a8 (commit) via 467dc325243d7fcbd74cc30a223ea5741f1f9473 (commit) via a92c9648cd96d293cf198652cda8f29cc84a9828 (commit) from 3d7e7e7c48210b515ef5e05f4acf6dc58377331c (commit) - Log - commit e7a8fecd0b1138b156bee71d92372abda956f1a8 Author: Benjamin Kaduk Date: Mon Oct 26 12:20:31 2020 -0700 Add more diagnostics to ossl_shim We had several cases where the connection failed but we did not have an error message to differentiate which failure condition had been triggered. Add some more messages to help clarify what is going wrong. [extended tests] Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13251) commit 467dc325243d7fcbd74cc30a223ea5741f1f9473 Author: Benjamin Kaduk Date: Mon Oct 26 12:35:55 2020 -0700 Adjust error reason for ssl_get_min_max_version() failure Use SSL_R_NO_PROTOCOLS_AVAILABLE instead of ERR_R_INTERNAL_ERROR, to match what the BoringSSL tests expect for this case. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13251) commit a92c9648cd96d293cf198652cda8f29cc84a9828 Author: Benjamin Kaduk Date: Mon Oct 26 12:30:16 2020 -0700 Clear error queue entries from bad DLTS records DTLS by design ignores records/packets with bad MAC or failed AEAD tag validation. However, recent changes to have provided cipher implementations caused tls1_enc() to leave an entry on the error queue for invalid GCM tags, e.g.: 800BEAEF487F:error::Provider routines:gcm_stream_update:cipher operation failed:providers/implementations/ciphers/ciphercommon_gcm.c:306 The BoringSSL tests check for entries on the error queue with SSL_get_error() and so we were seeing spurious test failures due to the additional item on the error queue. To avoid leaving such spurious entries on the error queue, set a mark before calling the ssl3_enc 'enc' method, and pop to that mark before ignoring invalid packets. 
Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13251) --- Summary of changes: ssl/record/ssl3_record.c| 8 ssl/statem/statem_lib.c | 4 ++-- test/ossl_shim/ossl_shim.cc | 5 + 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 046d6f2054..52a8986aca 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -1615,6 +1615,12 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) mac_size = 0; } +/* + * Set a mark around the packet decryption attempt. This is DTLS, so + * bad packets are just ignored, and we don't want to leave stray + * errors in the queue from processing bogus junk that we ignored. + */ +ERR_set_mark(); enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0, &macbuf, mac_size); /*- @@ -1624,6 +1630,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) *1: Success or MTE decryption failed (MAC will be randomised) */ if (enc_err == 0) { +ERR_pop_to_mark(); if (ossl_statem_in_error(s)) { /* SSLfatal() got called */ goto end; @@ -1633,6 +1640,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) RECORD_LAYER_reset_packet_length(&s->rlayer); goto end; } +ERR_clear_last_mark(); OSSL_TRACE_BEGIN(TLS) { BIO_printf(trc_out, "dec %zd\n", rr->length); BIO_dump_indent(trc_out, rr->data, rr->length, 4); diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index ef4067a749..422c631838 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -101,8 +101,8 @@ int tls_setup_handshake(SSL *s) memset(s->ext.extflags, 0, sizeof(s->ext.extflags)); if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) { -SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE, -ERR_R_INTERNAL_ERROR); +SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_TLS_SETUP_HANDSHAKE, +SSL_R_NO_PROTOCOLS_AVAILABLE); return 0; } 
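Review bot: In the `enc_err == 0` branch `ERR_pop_to_mark();` runs before `if (ossl_statem_in_error(s))`, so when enc() failed through SSLfatal() the reason it raised is discarded together with the junk the mark was meant to hide, leaving a fatal state with an empty error queue. Test the state first and keep the errors in that case: `if (ossl_statem_in_error(s)) { ERR_clear_last_mark(); goto end; }` and only then `ERR_pop_to_mark();` ahead of the existing `RECORD_LAYER_reset_packet_length()`/`goto end` ignore path. This presumes SSLfatal() records its reason on the error queue; confirm against the statem code. dtls1_process_record() continues outside all three hunks.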
diff --git a/test/ossl_shim/ossl_shim.cc b/test/ossl_shim/ossl_shim.cc index 1d32073f84..380e6853c6 100644 --- a/test/ossl_shim/ossl_shim.cc +++ b/test/ossl_shim/ossl_shim.cc @@ -1085,6 +1085,7 @@ static bool DoExchange(bssl::UniquePtr *out_session, } while (config->async && RetryAsync(ssl.get(), ret)); if (ret != 1 || !CheckHandshakeProperties(ssl.get(), is_resu
[openssl] master update
The branch master has been updated via 231849bc9ca69dfd3adf40821421d8e2d804d8e8 (commit) from fcf6e9d056162d5af64c6f7209388a5c3be2ce57 (commit) - Log - commit 231849bc9ca69dfd3adf40821421d8e2d804d8e8 Author: Benjamin Kaduk Date: Sun Sep 27 15:01:12 2020 -0700 Unify ssl3_get_cipher_by_std_name() implementation The handling for the SCSVs was the same as for regular ciphers; just merge them into the same table-driven handler. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13010) --- Summary of changes: ssl/s3_lib.c | 18 +- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 1fd424a52e..073fae49b0 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -4122,9 +4122,10 @@ const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id) const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname) { -SSL_CIPHER *c = NULL, *tbl; -SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers}; -size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS}; +SSL_CIPHER *tbl; +SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers, ssl3_scsvs}; +size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS, + SSL3_NUM_SCSVS}; /* this is not efficient, necessary to optimize this? */ for (j = 0; j < OSSL_NELEM(alltabs); j++) { @@ -4136,16 +4137,7 @@ const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname) } } } -if (c == NULL) { -tbl = ssl3_scsvs; -for (i = 0; i < SSL3_NUM_SCSVS; i++, tbl++) { -if (strcmp(stdname, tbl->stdname) == 0) { -c = tbl; -break; -} -} -} -return c; +return NULL; } /*
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 8979ffee95043baffa51887b1d43d9b07f9fae1b (commit) from 2e06150e3928daa06d5ff70c32bffad8088ebe58 (commit) - Log - commit 8979ffee95043baffa51887b1d43d9b07f9fae1b Author: Matt Caswell Date: Thu Oct 22 13:53:27 2020 +0100 Ensure we raise SSLfatal on error We were missing a call to SSLfatal. A comment claimed that we had already called it - but that is incorrect. Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13230) --- Summary of changes: ssl/statem/statem_srvr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 14cb27e6db..cf45a40ce4 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2577,7 +2577,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
 s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
 if (s->s3->tmp.pkey == NULL) {
-/* SSLfatal() already called */
+SSLfatal(s, SSL_AD_INTERNAL_ERROR, 0, ERR_R_INTERNAL_ERROR);
 goto err;
 }
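Review bot: `SSLfatal(s, SSL_AD_INTERNAL_ERROR, 0, ERR_R_INTERNAL_ERROR);` passes 0 as the function code, but on the 1.1.1 branch the other SSLfatal() calls in this digest pass an `SSL_F_` code (see the do_dtls1_write() hunk above), so the error string loses its function attribution here. Unless the backport deliberately mirrors master's zeroed codes, `SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);` matches the branch convention. A comment that ssl_generate_pkey() does not raise on its own would also explain why the old `/* SSLfatal() already called */` was wrong. tls_construct_server_key_exchange() starts and ends outside the hunk.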
[openssl] master update
The branch master has been updated via 47b422c90aec6e3d1de38110d67e17133d086051 (commit) from 22dddfb925da8775eaf4ee8c377da41e6535afe1 (commit) - Log - commit 47b422c90aec6e3d1de38110d67e17133d086051 Author: Matt Caswell Date: Thu Oct 22 13:53:27 2020 +0100 Ensure we raise SSLfatal on error We were missing a call to SSLfatal. A comment claimed that we had already called it - but that is incorrect. Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13229) --- Summary of changes: ssl/statem/statem_srvr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 81cea6db37..033a640edd 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2588,7 +2588,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
 s->s3.tmp.pkey = ssl_generate_pkey(s, pkdhp);
 if (s->s3.tmp.pkey == NULL) {
-/* SSLfatal() already called */
+SSLfatal(s, SSL_AD_INTERNAL_ERROR, 0, ERR_R_INTERNAL_ERROR);
 goto err;
 }
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 11358e0e3c583fe2ce34d9ab719e49127fc2bd46 (commit) from 7455f247e6f9d621fa79ae3af1588df23078fb11 (commit) - Log - commit 11358e0e3c583fe2ce34d9ab719e49127fc2bd46 Author: Ikko Ashimine Date: Tue Oct 13 00:30:07 2020 +0900 Fixed typo in ssl_lib.c orignal -> original CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13111) (cherry picked from commit 9f7505ab6a1ce76497654ea8cf6a74307da78989) --- Summary of changes: ssl/ssl_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index b1df374817..98057921f8 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2678,7 +2678,7 @@ const char *SSL_get_servername(const SSL *s, const int type) * - Otherwise it returns NULL * * During/after the handshake (TLSv1.2 or below resumption occurred): - * - If the session from the orignal handshake had a servername accepted + * - If the session from the original handshake had a servername accepted * by the server then it will return that servername. * - Otherwise it returns the servername set via * SSL_set_tlsext_host_name() (or NULL if it was not called).
[openssl] master update
The branch master has been updated via 9f7505ab6a1ce76497654ea8cf6a74307da78989 (commit) from c804f2965ef6908dc1f30447d4547192fc3ba974 (commit) - Log - commit 9f7505ab6a1ce76497654ea8cf6a74307da78989 Author: Ikko Ashimine Date: Tue Oct 13 00:30:07 2020 +0900 Fixed typo in ssl_lib.c orignal -> original CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13111) --- Summary of changes: ssl/ssl_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 6f5d2fee28..e8b004f4a6 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2842,7 +2842,7 @@ const char *SSL_get_servername(const SSL *s, const int type) * - Otherwise it returns NULL * * During/after the handshake (TLSv1.2 or below resumption occurred): - * - If the session from the orignal handshake had a servername accepted + * - If the session from the original handshake had a servername accepted * by the server then it will return that servername. * - Otherwise it returns the servername set via * SSL_set_tlsext_host_name() (or NULL if it was not called).
[openssl] master update
The branch master has been updated via 7f0f88240e181b6c95d55893cbab55e0765a1d89 (commit) via 74eee1bdaa03cfcb3b1df01beff2b6d81a113f58 (commit) via 4b09e19216d5e889b85593dbf45b78a874426d8a (commit) from 076bf8c2c972d01a70ca4146e637dfbe6f35b2fb (commit) - Log - commit 7f0f88240e181b6c95d55893cbab55e0765a1d89 Author: John Baldwin Date: Mon Aug 31 17:13:17 2020 -0700 Slightly abstract ktls_start() to reduce OS-specific #ifdefs. Instead of passing the length in from the caller, compute the length to pass to setsockopt() inside of ktls_start(). This isolates the OS-specific behavior to ktls.h and removes it from the socket BIO implementations. Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/12782) commit 74eee1bdaa03cfcb3b1df01beff2b6d81a113f58 Author: John Baldwin Date: Thu Sep 3 10:56:10 2020 -0700 Remove unused dummy functions from ktls.h. The KTLS functions are always used under #ifndef OPENSSL_NO_KTLS, so the dummy functions were never used. Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/12782) commit 4b09e19216d5e889b85593dbf45b78a874426d8a Author: John Baldwin Date: Mon Aug 31 17:02:01 2020 -0700 Fix the socket BIO control methods to use ktls_crypto_info_t. This is mostly a cosmetic cleanup I missed when adding the ktls_crypto_info_t type. However, while fixing this I noticed that the changes to extract the size from crypto_info from the wrapper structure for Linux KTLS had not been propagated from bss_sock.c to bss_conn.c, so I've fixed that to use the correct length. Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/12782) --- Summary of changes: crypto/bio/bss_conn.c | 14 +++--- crypto/bio/bss_sock.c | 17 +++-- include/internal/ktls.h | 43 +++ 3 files changed, 13 insertions(+), 61 deletions(-) diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index 6cff2a99ac..e6972efd8d 100644 
--- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -377,11 +377,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) long ret = 1; BIO_CONNECT *data; # ifndef OPENSSL_NO_KTLS -# ifdef __FreeBSD__ -struct tls_enable *crypto_info; -# else -struct tls12_crypto_info_aes_gcm_128 *crypto_info; -# endif +ktls_crypto_info_t *crypto_info; # endif data = (BIO_CONNECT *)b->ptr; @@ -544,12 +540,8 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) break; # ifndef OPENSSL_NO_KTLS case BIO_CTRL_SET_KTLS: -# ifdef __FreeBSD__ -crypto_info = (struct tls_enable *)ptr; -# else -crypto_info = (struct tls12_crypto_info_aes_gcm_128 *)ptr; -# endif -ret = ktls_start(b->num, crypto_info, sizeof(*crypto_info), num); +crypto_info = (ktls_crypto_info_t *)ptr; +ret = ktls_start(b->num, crypto_info, num); if (ret) BIO_set_ktls_flag(b, num); break; diff --git a/crypto/bio/bss_sock.c b/crypto/bio/bss_sock.c index ff2bde7a58..d3eaa6b19e 100644 --- a/crypto/bio/bss_sock.c +++ b/crypto/bio/bss_sock.c @@ -154,12 +154,7 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) long ret = 1; int *ip; # ifndef OPENSSL_NO_KTLS -size_t crypto_info_len; -# ifdef __FreeBSD__ -struct tls_enable *crypto_info; -# else -struct tls_crypto_info_all *crypto_info; -# endif +ktls_crypto_info_t *crypto_info; # endif switch (cmd) { @@ -190,14 +185,8 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) break; # ifndef OPENSSL_NO_KTLS case BIO_CTRL_SET_KTLS: -# ifdef __FreeBSD__ -crypto_info = (struct tls_enable *)ptr; -crypto_info_len = sizeof(*crypto_info); -# else -crypto_info = (struct tls_crypto_info_all *)ptr; -crypto_info_len = crypto_info->tls_crypto_info_len; -# endif -ret = ktls_start(b->num, crypto_info, crypto_info_len, num); +crypto_info = (ktls_crypto_info_t *)ptr; +ret = ktls_start(b->num, crypto_info, num); if (ret) BIO_set_ktls_flag(b, num); break; diff --git a/include/internal/ktls.h b/include/internal/ktls.h index 2af1589f98..fd439b5718 100644 
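Review bot: `crypto_info = (ktls_crypto_info_t *)ptr;` in both the conn_ctrl() and sock_ctrl() hunks casts a `void *`, which converts implicitly in C, and the local now exists only to forward the pointer; `ret = ktls_start(b->num, ptr, num);` would do and would let the `crypto_info` declaration in the first hunk of each file go, unless the typed local is kept on purpose to check against the ktls.h prototype. Given the commit message's note that bss_conn.c used to pass the wrong length, a comment at the call site such as `/* ktls_start() derives the crypto_info length itself; do not pass one */` would stop the next reader re-adding it. Both ctrl functions extend beyond their hunks.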
--- a/include/internal/ktls.h +++ b/include/internal/ktls.h @@ -66,15 +66,14 @@ static ossl_inline int ktls_enable(int fd) * as using TLS. If successful, then data received for this socket will * be authenticated and decrypted using the tls_en provided here. */ -static ossl_inline int ktls_start(int fd, -
[openssl] master update
The branch master has been updated via 1010e4ac9743a273d12e4f7c49959607aa4f6403 (commit) via 2b748d722b6ac560d122ea2dcf8d09fe6f03124b (commit) from 2c0e356ef7fdbb117c9294b57deb67be66db3470 (commit) - Log - commit 1010e4ac9743a273d12e4f7c49959607aa4f6403 Author: Todd Short Date: Tue Sep 1 14:50:03 2020 -0400 Fix post-condition in algorithm_do_this Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/12760) commit 2b748d722b6ac560d122ea2dcf8d09fe6f03124b Author: Todd Short Date: Mon Aug 31 19:59:43 2020 -0400 Fix use of OPENSSL_realloc in provider Fix OPENSSL_realloc failure case; `provider->operation_bits` memory is lost when `OPENSSL_realloc()` returns NULL. `operation_bits_sz` is never set to the length of the allocated array. This means that operation_bits is always reallocated in `ossl_provider_set_operation_bit()`, possibly shrinking the array. In addition, it means that the `memset()` always zeros out the whole reallocated array, not just the new part. Also, because `operation_bits_sz` is always zero, the value of `*result` in `ossl_provider_test_operation_bit()` will always be zero. Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/12760) --- Summary of changes: crypto/core_algorithm.c | 8 crypto/provider_core.c | 9 ++--- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/crypto/core_algorithm.c b/crypto/core_algorithm.c index f4a20cb2d1..68d6129598 100644 --- a/crypto/core_algorithm.c +++ b/crypto/core_algorithm.c @@ -31,7 +31,7 @@ static int algorithm_do_this(OSSL_PROVIDER *provider, void *cbdata) int first_operation = 1; int last_operation = OSSL_OP__HIGHEST; int cur_operation; -int ok = 0; +int ok = 1; if (data->operation_id != 0) first_operation = last_operation = data->operation_id; 
@@ -77,9 +77,9 @@ static int algorithm_do_this(OSSL_PROVIDER *provider, void *cbdata)
 return 0;
 }
-/* If post-condition fulfilled, set general success */
-if (ret)
-ok = 1;
+/* If post-condition not fulfilled, set general failure */
+if (!ret)
+ok = 0;
 }
 return ok;
diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index a714a71681..f282071e2d 100644
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -875,14 +875,17 @@ int ossl_provider_set_operation_bit(OSSL_PROVIDER *provider, size_t bitnum)
 unsigned char bit = (1 << (bitnum % 8)) & 0xFF;
 if (provider->operation_bits_sz <= byte) {
-provider->operation_bits = OPENSSL_realloc(provider->operation_bits,
- byte + 1);
-if (provider->operation_bits == NULL) {
+unsigned char *tmp = OPENSSL_realloc(provider->operation_bits,
+ byte + 1);
+
+if (tmp == NULL) {
 ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE);
 return 0;
 }
+provider->operation_bits = tmp;
 memset(provider->operation_bits + provider->operation_bits_sz,
 '\0', byte + 1 - provider->operation_bits_sz);
+provider->operation_bits_sz = byte + 1;
 }
 provider->operation_bits[byte] |= bit;
 return 1;
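Review bot: The new `provider->operation_bits_sz = byte + 1;` turns `operation_bits_sz` into the bound that the `memset` relies on at the next growth, so that invariant is worth stating next to the assignment, e.g. `/* operation_bits_sz is the allocated length of operation_bits; the memset above depends on it being exact */`. Growth is to exactly `byte + 1`, so every first-touched higher byte costs another `OPENSSL_realloc`; that is presumably acceptable for the small operation range but a reader may expect amortised growth. ossl_provider_set_operation_bit begins outside the hunk (the computation of `byte` is not visible), and whether the caller holds the provider's lock around this update cannot be checked from here.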
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 28499baca599413fe775c59433159b6188d9bedb (commit) from 46a9ee8c796c8b5f8d95290676119b4f3d72be91 (commit) - Log - commit 28499baca599413fe775c59433159b6188d9bedb Author: Jung-uk Kim Date: Wed Aug 26 14:00:56 2020 -0400 Ignore vendor name in Clang version number. For example, FreeBSD prepends "FreeBSD" to version string, e.g., FreeBSD clang version 11.0.0 (g...@github.com:llvm/llvm-project.git llvmorg-11.0.0-rc2-0-g414f32a9e86) Target: x86_64-unknown-freebsd13.0 Thread model: posix InstalledDir: /usr/bin This prevented us from properly detecting AVX support, etc. CLA: trivial Reviewed-by: Richard Levitte Reviewed-by: Paul Dale Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/12725) (cherry picked from commit cd84d8832d274357a5ba5433640d7ef76691b1ac) --- Summary of changes: crypto/aes/asm/aesni-mb-x86_64.pl | 2 +- crypto/aes/asm/aesni-sha1-x86_64.pl| 2 +- crypto/aes/asm/aesni-sha256-x86_64.pl | 2 +- crypto/bn/asm/rsaz-avx2.pl | 2 +- crypto/bn/asm/rsaz-x86_64.pl | 2 +- crypto/bn/asm/x86_64-mont.pl | 2 +- crypto/bn/asm/x86_64-mont5.pl | 2 +- crypto/chacha/asm/chacha-x86.pl| 2 +- crypto/chacha/asm/chacha-x86_64.pl | 2 +- crypto/ec/asm/ecp_nistz256-x86_64.pl | 2 +- crypto/ec/asm/x25519-x86_64.pl | 2 +- crypto/modes/asm/aesni-gcm-x86_64.pl | 2 +- crypto/modes/asm/ghash-x86_64.pl | 2 +- crypto/poly1305/asm/poly1305-x86.pl| 2 +- crypto/poly1305/asm/poly1305-x86_64.pl | 2 +- crypto/sha/asm/sha1-586.pl | 2 +- crypto/sha/asm/sha1-mb-x86_64.pl | 2 +- crypto/sha/asm/sha1-x86_64.pl | 2 +- crypto/sha/asm/sha256-586.pl | 2 +- crypto/sha/asm/sha256-mb-x86_64.pl | 2 +- crypto/sha/asm/sha512-x86_64.pl| 2 +- 21 files changed, 21 insertions(+), 21 deletions(-) diff --git a/crypto/aes/asm/aesni-mb-x86_64.pl b/crypto/aes/asm/aesni-mb-x86_64.pl index be2434f120..a80cfdc139 100644 --- a/crypto/aes/asm/aesni-mb-x86_64.pl +++ b/crypto/aes/asm/aesni-mb-x86_64.pl 
@@ -70,7 +70,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $avx = ($1>=10) + ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } diff --git a/crypto/aes/asm/aesni-sha1-x86_64.pl b/crypto/aes/asm/aesni-sha1-x86_64.pl index 42fe5d469e..04fd13be5e 100644 --- a/crypto/aes/asm/aesni-sha1-x86_64.pl +++ b/crypto/aes/asm/aesni-sha1-x86_64.pl @@ -108,7 +108,7 @@ $avx=1 if (!$avx && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) && $avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && `ml64 2>&1` =~ /Version ([0-9]+)\./ && $1>=10); -$avx=1 if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/ && $2>=3.0); +$avx=1 if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/ && $2>=3.0); $shaext=1; ### set to zero if compiling for 1.0.1 diff --git a/crypto/aes/asm/aesni-sha256-x86_64.pl b/crypto/aes/asm/aesni-sha256-x86_64.pl index f1b144eccb..ff9b18507d 100644 --- a/crypto/aes/asm/aesni-sha256-x86_64.pl +++ b/crypto/aes/asm/aesni-sha256-x86_64.pl @@ -70,7 +70,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $avx = ($1>=10) + ($1>=12); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl index 9b54f9d9ed..0be771febc 100755 --- a/crypto/bn/asm/rsaz-avx2.pl +++ b/crypto/bn/asm/rsaz-avx2.pl 
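Review bot: Dropping the `^` anchor is what lets a vendor-prefixed `FreeBSD clang version` line match, but the alternative `.*based on LLVM` keeps a leading `.*` that is now redundant in an unanchored pattern; `/((?:clang|LLVM) version|based on LLVM) ([0-9]+\.[0-9]+)/` reads the same and is what the rsaz-avx2.pl hunk below already uses. The identical edit is applied to 21 perlasm scripts (see the diffstat), so a one-line comment at each site, such as `# no ^ anchor: vendors (e.g. FreeBSD) prefix the "clang version" line`, would keep a later cleanup from re-adding the anchor. The aesni-sha1 and aesni-sha256 hunks on this line carry the same pattern.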
@@ -66,7 +66,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([0-9]+)\.([0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|based on LLVM) ([0-9]+)\.([0-9]+)/) { my $ver = $2 + $3/100.0;# 3.1->3.01, 3.10->3.10 $avx = ($ver>=3.0) + ($ver>=3.01); $add
[openssl] master update
The branch master has been updated via cd84d8832d274357a5ba5433640d7ef76691b1ac (commit) from 4516bf743a47f98931c1315985bd9dc303af (commit) - Log - commit cd84d8832d274357a5ba5433640d7ef76691b1ac Author: Jung-uk Kim Date: Wed Aug 26 14:00:56 2020 -0400 Ignore vendor name in Clang version number. For example, FreeBSD prepends "FreeBSD" to version string, e.g., FreeBSD clang version 11.0.0 (g...@github.com:llvm/llvm-project.git llvmorg-11.0.0-rc2-0-g414f32a9e86) Target: x86_64-unknown-freebsd13.0 Thread model: posix InstalledDir: /usr/bin This prevented us from properly detecting AVX support, etc. CLA: trivial Reviewed-by: Richard Levitte Reviewed-by: Paul Dale Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/12725) --- Summary of changes: crypto/aes/asm/aesni-mb-x86_64.pl | 2 +- crypto/aes/asm/aesni-sha1-x86_64.pl| 2 +- crypto/aes/asm/aesni-sha256-x86_64.pl | 2 +- crypto/bn/asm/rsaz-avx2.pl | 2 +- crypto/bn/asm/rsaz-x86_64.pl | 2 +- crypto/bn/asm/x86_64-mont.pl | 2 +- crypto/bn/asm/x86_64-mont5.pl | 2 +- crypto/chacha/asm/chacha-x86.pl| 2 +- crypto/chacha/asm/chacha-x86_64.pl | 2 +- crypto/ec/asm/ecp_nistz256-x86_64.pl | 2 +- crypto/ec/asm/x25519-x86_64.pl | 2 +- crypto/modes/asm/aesni-gcm-x86_64.pl | 2 +- crypto/modes/asm/ghash-x86_64.pl | 2 +- crypto/poly1305/asm/poly1305-x86.pl| 2 +- crypto/poly1305/asm/poly1305-x86_64.pl | 2 +- crypto/sha/asm/sha1-586.pl | 2 +- crypto/sha/asm/sha1-mb-x86_64.pl | 2 +- crypto/sha/asm/sha1-x86_64.pl | 2 +- crypto/sha/asm/sha256-586.pl | 2 +- crypto/sha/asm/sha256-mb-x86_64.pl | 2 +- crypto/sha/asm/sha512-x86_64.pl| 2 +- util/perl/OpenSSL/config.pm| 2 +- 22 files changed, 22 insertions(+), 22 deletions(-) diff --git a/crypto/aes/asm/aesni-mb-x86_64.pl b/crypto/aes/asm/aesni-mb-x86_64.pl index 3c74df5f78..dde15b1ef7 100644 --- a/crypto/aes/asm/aesni-mb-x86_64.pl +++ b/crypto/aes/asm/aesni-mb-x86_64.pl 
@@ -76,7 +76,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $avx = ($1>=10) + ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } diff --git a/crypto/aes/asm/aesni-sha1-x86_64.pl b/crypto/aes/asm/aesni-sha1-x86_64.pl index 7d1f91295c..dbe33a3f1a 100644 --- a/crypto/aes/asm/aesni-sha1-x86_64.pl +++ b/crypto/aes/asm/aesni-sha1-x86_64.pl @@ -109,7 +109,7 @@ $avx=1 if (!$avx && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) && $avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && `ml64 2>&1` =~ /Version ([0-9]+)\./ && $1>=10); -$avx=1 if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/ && $2>=3.0); +$avx=1 if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/ && $2>=3.0); $shaext=1; ### set to zero if compiling for 1.0.1 diff --git a/crypto/aes/asm/aesni-sha256-x86_64.pl b/crypto/aes/asm/aesni-sha256-x86_64.pl index 38901feb66..5521766a6a 100644 --- a/crypto/aes/asm/aesni-sha256-x86_64.pl +++ b/crypto/aes/asm/aesni-sha256-x86_64.pl @@ -71,7 +71,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $avx = ($1>=10) + ($1>=12); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl index fc2e8f587b..3d0e342a6b 100755 --- a/crypto/bn/asm/rsaz-avx2.pl +++ b/crypto/bn/asm/rsaz-avx2.pl 
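Review bot: The same compiler-detection regex now has to be kept in step across 21 perlasm scripts and util/perl/OpenSSL/config.pm (per the diffstat), and nothing at the edit sites records why the `^` anchor must stay off; a comment such as `# unanchored on purpose: "FreeBSD clang version ..." and similar vendor prefixes` beside each pattern would prevent the anchor from creeping back. The now-pointless `.*` before `based on LLVM` could be dropped in the same pass, as the rsaz-avx2.pl hunk below already has it without the `.*`.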
@@ -67,7 +67,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([0-9]+)\.([0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|based on LLVM) ([0-9]+)\.([0-9]+)/) { my $ver = $2 + $3/100.0;# 3.1->3.01, 3.10->3.10 $avx = ($ver>=3.0) + ($ver>=3.01); $addx = ($ver>=3.03); diff --git a/crypto/b
[openssl] master update
The branch master has been updated via dd0164e7565bb14fac193aea4c2c37714bf66d56 (commit) from eeccc237239d6f2b6fbc557be7062bfe2ab836be (commit) - Log - commit dd0164e7565bb14fac193aea4c2c37714bf66d56 Author: Benjamin Kaduk Date: Wed Sep 19 21:14:04 2018 -0500 Mark SSL_CTX_set_ssl_version() as deprecated in 3.0 Also, document its unusual semantics of resetting the cipher list (but preserving other configuration). Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/7274) --- Summary of changes: doc/man3/SSL_CTX_set_ssl_version.pod | 17 ++--- include/openssl/ssl.h| 2 +- ssl/ssl_lib.c| 2 ++ util/libssl.num | 2 +- 4 files changed, 18 insertions(+), 5 deletions(-) diff --git a/doc/man3/SSL_CTX_set_ssl_version.pod b/doc/man3/SSL_CTX_set_ssl_version.pod index b41073112b..20efe0fbf7 100644 --- a/doc/man3/SSL_CTX_set_ssl_version.pod +++ b/doc/man3/SSL_CTX_set_ssl_version.pod @@ -16,9 +16,11 @@ SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method =head1 DESCRIPTION SSL_CTX_set_ssl_version() sets a new default TLS/SSL B for SSL objects -newly created from this B. SSL objects already created with -L are not affected, except when -L is being called. +newly created from this B. Most of the configuration attached to the +SSL_CTX object is retained, with the exception of the configured TLS ciphers, +which are reset to the default values. SSL objects already created from this +SSL_CTX with L are not affected, except when L is +being called, as described below. SSL_set_ssl_method() sets a new TLS/SSL B for a particular B object. It may be reset, when SSL_clear() is called. 
@@ -35,6 +37,11 @@ When L is called and no session is connected to an SSL object, the method of the SSL object is reset to the method currently set in the corresponding SSL_CTX object. +SSL_CTX_set_version() has unusual semantics and no clear use case; +it would usually be preferable to create a new SSL_CTX object than to +try to reuse an existing one in this fashion. Its usage is considered +deprecated. + =head1 RETURN VALUES The following return values can occur for SSL_CTX_set_ssl_version() @@ -58,6 +65,10 @@ L, L, L, L, L +=head1 HISTORY + +SSL_CTX_set_ssl_version() was deprecated in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index bc003bc4fa..0b17f22193 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1903,7 +1903,7 @@ __owur int SSL_get_error(const SSL *s, int ret_code); __owur const char *SSL_get_version(const SSL *s); /* This sets the 'default' SSL version that SSL_new() will create */ -__owur int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth); +DEPRECATEDIN_3_0(__owur int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)) # ifndef OPENSSL_NO_SSL3_METHOD DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_method(void)) /* SSLv3 */ diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 63a7433be4..f957664a48 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -642,6 +642,7 @@ int SSL_clear(SSL *s) return 1; } +#ifndef OPENSSL_NO_DEPRECATED_3_0 /** Used to change an SSL_CTXs default SSL method type */ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) { @@ -664,6 +665,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) } return 1; } +#endif SSL *SSL_new(SSL_CTX *ctx) { diff --git a/util/libssl.num b/util/libssl.num index 1758525038..45ff6ed00a 100644 --- a/util/libssl.num +++ b/util/libssl.num 
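Review bot: The man-page paragraph added by this commit names `SSL_CTX_set_version()`, which is not the function being deprecated; it should read `SSL_CTX_set_ssl_version()` so that it matches the `#ifndef OPENSSL_NO_DEPRECATED_3_0` guard added around the definition in this ssl_lib.c hunk and the `DEPRECATEDIN_3_0` wrapper in ssl.h. The guarded function body itself lies between the two hunks and is not visible here, so I cannot confirm nothing inside it needs the same guard.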
@@ -239,7 +239,7 @@ DTLSv1_method 239 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_1 SSL_set0_wbio 2403_0_0 EXIST::FUNCTION: SSL_read2413_0_0 EXIST::FUNCTION: SSL_CTX_get_options 2423_0_0 EXIST::FUNCTION: -SSL_CTX_set_ssl_version 2433_0_0 EXIST::FUNCTION: +SSL_CTX_set_ssl_version 2433_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 SSL_set_SSL_CTX 2443_0_0 EXIST::FUNCTION: SSL_renegotiate_abbreviated 2453_0_0 EXIST::FUNCTION: SSL_get_verify_mode 2463_0_0 EXIST::FUNCTION:
[openssl] master update
The branch master has been updated via 520150151bc5993194ba34464220454d8135099d (commit) via bdc0df8ab5f3096aafd54d170c85887366920c4b (commit) via f43c947dd924cfb1f69c800648f80881bb542027 (commit) via 2f5c405a1694220cca7be8cd96958c1c1245f0ed (commit) via d91f902d73689c8a8c1bf684ff9d244197f8c7b3 (commit) via acb30f4b593bbd1bdaa6495d0f641da7ef702b95 (commit) via 1453d736b5bb8abaa18482652828096b44c4bf3a (commit) via c4d21d2f71363e9f6d4a0e377789555e655d96f4 (commit) via 36025d3b8716f6f8cadc983295398ccdd734a17b (commit) via 2c533a71c63ef223615fe4f6a0a89ffaffbd739a (commit) via ddce5c29f535ce5f61013563732f80647d2c6977 (commit) via d3308027e9bda451e43b52c36064fd70337e02a8 (commit) via 18a49e168f8b6917e2b013897392cf357bb15ded (commit) via 9197c226ea0b1c231a4141dcac055daddcb11466 (commit) via 37322687b0fb4c5c0bb637acd3e9785ffc71fa35 (commit) via c76ffc78a513660b5f62bc32a64f44c62edede74 (commit) via ef58f9af93cdd75b9798cdb177319995dc7a7d50 (commit) via 440b852a0f79ac4a7e101606a7c32d212e06d203 (commit) via 79f4417ed940793fe7d48d613c9b903d00630b69 (commit) via 8489026850b38447d8e3e68c4d4260585b7e8e3a (commit) from 31d2daecb384475da13c4bf7c76a2dde0077b2f2 (commit) - Log - commit 520150151bc5993194ba34464220454d8135099d Author: Benjamin Kaduk Date: Tue Jul 21 16:23:19 2020 -0700 Expose S390x HW ciphers' IV state to provider layer The S390x hardware-accelerated cipher implementations keep their IV state in an internal structure tied to the underlying implementation. However, the provider itself needs to be able to expose the IV state to libcrypto when processing the "iv-state" parameter. In the absence of a S390x hardware-specific get_ctx_params() implementation, be sure to copy the IV state from the hw-specific structure back to the generic PROV_CIPHER_CTX object after each cipher operation in order to synchronize the internal and fetchable state. 
[extended tests] Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12233) commit bdc0df8ab5f3096aafd54d170c85887366920c4b Author: Benjamin Kaduk Date: Thu Jul 9 14:29:33 2020 -0700 Avoid deprecated API in evp_test.c Use EVP_CIPHER_CTX_get_iv_state() in cipher_test_enc() rather than the deprecated EVP_CIPHER_CTX_iv(). [extended tests] Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12233) commit f43c947dd924cfb1f69c800648f80881bb542027 Author: Benjamin Kaduk Date: Thu Jul 2 16:27:03 2020 -0700 Avoid deprecated function in evp_lib.c Use EVP_CIPHER_CTX_get_iv() to implement EVP_CIPHER_set_asn1_iv(), rather than the deprecated EVP_CIPHER_CTX_original_iv(). Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12233) commit 2f5c405a1694220cca7be8cd96958c1c1245f0ed Author: Benjamin Kaduk Date: Thu Jul 2 14:12:33 2020 -0700 Use local IV storage in EVP BLOCK_* macros Inline the pre-13273237a65d46186b6bea0b51aec90670d4598a versions of EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() in evp.h. These macros are internal-only, used to implement legacy libcrypto EVP ciphers, with no real provider involvement. Accordingly, just use the EVP_CIPHER_CTX storage directly and don't try to reach into a provider-side context. This does necessitate including evp_local.h in several more files. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12233) commit d91f902d73689c8a8c1bf684ff9d244197f8c7b3 Author: Benjamin Kaduk Date: Thu Jul 2 14:12:33 2020 -0700 Use local IV storage in e_rc2.c Inline the pre-13273237a65d46186b6bea0b51aec90670d4598a versions of EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() in e_rc2.c. For the legacy implementations, there's no need to use an in-provider storage for the IV, when the crypto operations themselves will be performed outside of the provider. 
Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12233) commit acb30f4b593bbd1bdaa6495d0f641da7ef702b95 Author: Benjamin Kaduk Date: Thu Jul 2 14:12:33 2020 -0700 Use local IV storage in e_xcbc_d.c Inline the pre-13273237a65d46186b6bea0b51aec90670d4598a versions of EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() in e_xcbc_d.c. For the legacy implementations, there's no need to use an in-provider storage for the IV, when the crypto operations themselves will be performed outside of the provider. Reviewed-by
[openssl] master update
The branch master has been updated via 02e14a65fd6cc63204b43a79d510e95a63bdd901 (commit) from 16c6534b961a723781bb827211c705c7d7fb3727 (commit) - Log - commit 02e14a65fd6cc63204b43a79d510e95a63bdd901 Author: Dimitri John Ledkov Date: Tue Jul 14 17:55:49 2020 +0100 man3: Drop warning about using security levels higher than 1. Today, the majority of web browsers reject connections that security level 1 would allow; instead, the key sizes and algorithms of security level 2 are required. Thus, remove the now-obsolete warning against using security levels higher than 1. For example, Ubuntu compiles OpenSSL with the security level set to 2, and further restricts the algorithm versions available at that security level. Reviewed-by: Kurt Roeckx Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/12444) --- Summary of changes: doc/man3/SSL_CTX_set_security_level.pod | 6 -- 1 file changed, 6 deletions(-) diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod index ef59d4eb20..4b1fef867c 100644 --- a/doc/man3/SSL_CTX_set_security_level.pod +++ b/doc/man3/SSL_CTX_set_security_level.pod @@ -114,12 +114,6 @@ I =head1 NOTES -B at this time setting the security level higher than 1 for -general internet use is likely to cause B interoperability -issues and is not recommended. This is because the B algorithm -is very widely used in certificates and will be rejected at levels -higher than 1 because it only offers 80 bits of security. - The default security level can be configured when OpenSSL is compiled by setting B<-DOPENSSL_TLS_SECURITY_LEVEL=level>. If not set then 1 is used.
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 335266fa793c105e5e38cbaf098542cc372cdc2e (commit) from a47dd08d6cacc64536c2f57e0f0aee03dcfaab3d (commit) - Log - commit 335266fa793c105e5e38cbaf098542cc372cdc2e Author: Dimitri John Ledkov Date: Tue Jul 14 17:55:49 2020 +0100 man3: Drop warning about using security levels higher than 1. Today, the majority of web browsers reject connections that security level 1 would allow; instead, the key sizes and algorithms of security level 2 are required. Thus, remove the now-obsolete warning against using security levels higher than 1. For example, Ubuntu compiles OpenSSL with the security level set to 2, and further restricts the algorithm versions available at that security level. Reviewed-by: Kurt Roeckx Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/12444) (cherry picked from commit 02e14a65fd6cc63204b43a79d510e95a63bdd901) --- Summary of changes: doc/man3/SSL_CTX_set_security_level.pod | 6 -- 1 file changed, 6 deletions(-) diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod index 0cb6c1f52a..ba0aa0b9ca 100644 --- a/doc/man3/SSL_CTX_set_security_level.pod +++ b/doc/man3/SSL_CTX_set_security_level.pod @@ -114,12 +114,6 @@ I =head1 NOTES -B at this time setting the security level higher than 1 for -general internet use is likely to cause B interoperability -issues and is not recommended. This is because the B algorithm -is very widely used in certificates and will be rejected at levels -higher than 1 because it only offers 80 bits of security. - The default security level can be configured when OpenSSL is compiled by setting B<-DOPENSSL_TLS_SECURITY_LEVEL=level>. If not set then 1 is used.
[openssl] master update
The branch master has been updated via 661595ca0933fe631faeadd14a189acd5d4185e0 (commit) from 310a0edbd003dd7c580ae3cf78f1782b2c3d9ded (commit) - Log - commit 661595ca0933fe631faeadd14a189acd5d4185e0 Author: Benjamin Kaduk Date: Thu Jul 2 12:14:52 2020 -0700 Providerized libssl fallout: cleanup init Since libssl is entirely using fetched cipher/digest implementations from providers, we don't need to register the libcrypto cipher/digest implementations in ossl_init_ssl_base(). Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/12418) --- Summary of changes: ssl/ssl_init.c | 61 -- 1 file changed, 61 deletions(-) diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c index d9d27520c2..c48a17b546 100644 --- a/ssl/ssl_init.c +++ b/ssl/ssl_init.c 
@@ -24,67 +24,6 @@ static CRYPTO_ONCE ssl_base = CRYPTO_ONCE_STATIC_INIT; static int ssl_base_inited = 0; DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base) { -OSSL_TRACE(INIT, "ossl_init_ssl_base: adding SSL ciphers and digests\n"); -#ifndef OPENSSL_NO_DES -EVP_add_cipher(EVP_des_cbc()); -EVP_add_cipher(EVP_des_ede3_cbc()); -#endif -#ifndef OPENSSL_NO_IDEA -EVP_add_cipher(EVP_idea_cbc()); -#endif -#ifndef OPENSSL_NO_RC4 -EVP_add_cipher(EVP_rc4()); -# ifndef OPENSSL_NO_MD5 -EVP_add_cipher(EVP_rc4_hmac_md5()); -# endif -#endif -#ifndef OPENSSL_NO_RC2 -EVP_add_cipher(EVP_rc2_cbc()); -/* - * Not actually used for SSL/TLS but this makes PKCS#12 work if an - * application only calls SSL_library_init(). - */ -EVP_add_cipher(EVP_rc2_40_cbc()); -#endif -EVP_add_cipher(EVP_aes_128_cbc()); -EVP_add_cipher(EVP_aes_192_cbc()); -EVP_add_cipher(EVP_aes_256_cbc()); -EVP_add_cipher(EVP_aes_128_gcm()); -EVP_add_cipher(EVP_aes_256_gcm()); -EVP_add_cipher(EVP_aes_128_ccm()); -EVP_add_cipher(EVP_aes_256_ccm()); -EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1()); -EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1()); -EVP_add_cipher(EVP_aes_128_cbc_hmac_sha256()); -EVP_add_cipher(EVP_aes_256_cbc_hmac_sha256()); -#ifndef OPENSSL_NO_ARIA -EVP_add_cipher(EVP_aria_128_gcm()); -EVP_add_cipher(EVP_aria_256_gcm()); -#endif -#ifndef OPENSSL_NO_CAMELLIA -EVP_add_cipher(EVP_camellia_128_cbc()); -EVP_add_cipher(EVP_camellia_256_cbc()); -#endif -#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) -EVP_add_cipher(EVP_chacha20_poly1305()); -#endif - -#ifndef OPENSSL_NO_SEED -EVP_add_cipher(EVP_seed_cbc()); -#endif - -#ifndef OPENSSL_NO_MD5 -EVP_add_digest(EVP_md5()); -EVP_add_digest_alias(SN_md5, "ssl3-md5"); -EVP_add_digest(EVP_md5_sha1()); -#endif -EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ -EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); -EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); -EVP_add_digest(EVP_sha224()); -EVP_add_digest(EVP_sha256()); -EVP_add_digest(EVP_sha384()); 
-EVP_add_digest(EVP_sha512()); #ifndef OPENSSL_NO_COMP OSSL_TRACE(INIT, "ossl_init_ssl_base: " "SSL_COMP_get_compression_methods()\n");
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via bfbf06c4d29086f1c67ed38324a2c4a9f642d291 (commit) from f924b298125010b998b33abd158ac6a057b2bc9d (commit) - Log - commit bfbf06c4d29086f1c67ed38324a2c4a9f642d291 Author: Miłosz Kaniewski Date: Tue Jun 30 21:46:38 2020 +0200 Free pre_proc_exts in SSL_free() Usually it will be freed in tls_early_post_process_client_hello(). However, if a ClientHello callback is used and returns SSL_CLIENT_HELLO_RETRY, then tls_early_post_process_client_hello() may never reach the point where pre_proc_exts is freed. Fixes #12194 CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/12330) (cherry picked from commit 94941cada25433a7dca35b5b9f8cbb751ab65ab3) --- Summary of changes: ssl/ssl_lib.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index f6a4964ed2..433a537969 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1200,6 +1200,8 @@ void SSL_free(SSL *s) OPENSSL_free(s->ext.ocsp.resp); OPENSSL_free(s->ext.alpn); OPENSSL_free(s->ext.tls13_cookie); +if (s->clienthello != NULL) +OPENSSL_free(s->clienthello->pre_proc_exts); OPENSSL_free(s->clienthello); OPENSSL_free(s->pha_context); EVP_MD_CTX_free(s->pha_dgst);
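Review bot: The added `OPENSSL_free(s->clienthello->pre_proc_exts)` is safe only if the normal path in tls_early_post_process_client_hello() either frees `s->clienthello` as a whole or resets `pre_proc_exts` to NULL after freeing it; otherwise SSL_free() would release the same buffer a second time. That path is outside this hunk, so it cannot be confirmed here; a comment above the new `if`, such as `/* normally freed with s->clienthello after ClientHello processing; only still live when the callback returned SSL_CLIENT_HELLO_RETRY */`, would record the assumption for the next reader. SSL_free() begins and ends outside the hunk.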
[openssl] master update
The branch master has been updated via 94941cada25433a7dca35b5b9f8cbb751ab65ab3 (commit) from 69f982679ec0c8887a4324d8518a33808fee1cd7 (commit) - Log - commit 94941cada25433a7dca35b5b9f8cbb751ab65ab3 Author: Miłosz Kaniewski Date: Tue Jun 30 21:46:38 2020 +0200 Free pre_proc_exts in SSL_free() Usually it will be freed in tls_early_post_process_client_hello(). However, if a ClientHello callback is used and returns SSL_CLIENT_HELLO_RETRY, then tls_early_post_process_client_hello() may never reach the point where pre_proc_exts is freed. Fixes #12194 CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/12330) --- Summary of changes: ssl/ssl_lib.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index fea040289b..dd83f373b2 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1217,6 +1217,8 @@ void SSL_free(SSL *s) OPENSSL_free(s->ext.ocsp.resp); OPENSSL_free(s->ext.alpn); OPENSSL_free(s->ext.tls13_cookie); +if (s->clienthello != NULL) +OPENSSL_free(s->clienthello->pre_proc_exts); OPENSSL_free(s->clienthello); OPENSSL_free(s->pha_context); EVP_MD_CTX_free(s->pha_dgst);
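Review bot: The new `OPENSSL_free(s->clienthello->pre_proc_exts)` relies on the normal ClientHello path leaving `pre_proc_exts` NULL (or freeing `s->clienthello` outright) once it has released the buffer; if that path frees the extensions but keeps the pointer, SSL_free() now double-frees. The commit message only says the buffer is "usually" freed there, and that code is outside this hunk, so I cannot verify it; a comment such as `/* still allocated only if the ClientHello callback returned SSL_CLIENT_HELLO_RETRY */` on the new `if` would document the expected state. SSL_free()'s body starts and ends outside the hunk.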
[openssl] master update
The branch master has been updated via 7cc5e0d283800c757e46d1476273d271120aa38d (commit) via 320d96a32c16de1adbf11f76819fe738f24665b1 (commit) from 5797e309fce89b5aa9f690ad82f272552b4c7987 (commit) - Log - commit 7cc5e0d283800c757e46d1476273d271120aa38d Author: Benjamin Kaduk Date: Mon Jun 1 12:31:55 2020 -0700 Allow oversized buffers for provider cipher IV fetch When we're fetching an IV, there's no need to enforce that the provided buffer is exactly the same size as the IV we want to write into it. This might happen, for example, when EVP_CIPHER_CTX_iv_noconst() passes sizeof(ctx->iv) (that is, EVP_MAX_IV_LENGTH) for an AES-GCM cipher that uses a shorter IV. AES-OCB and CCM were also affected. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/12039) commit 320d96a32c16de1adbf11f76819fe738f24665b1 Author: Benjamin Kaduk Date: Mon Jun 1 14:33:54 2020 -0700 Set cipher IV as octet string and pointer from providers OSSL_CIPHER_PARAM_IV can be accessed both as an octet string and as an octet pointer (for routines like EVP_CIPHER_CTX_iv() that are in a nebulous undocumented-and-might-go-away-eventually state), the latter for when there is need to modify the actual value in the provider. Make sure that we consistently try to set it as both the string and pointer forms (not just octet string) and only fail if neither version succeeds. The generic cipher get_ctx_params routine was already doing so, but the AES-variant-, GCM-, and CCM-specific ones were not. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/12039) --- Summary of changes: providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c | 3 ++- providers/implementations/ciphers/cipher_aes_ocb.c | 5 +++-- providers/implementations/ciphers/ciphercommon_ccm.c| 5 +++-- providers/implementations/ciphers/ciphercommon_gcm.c| 5 +++-- 4 files changed, 11 insertions(+), 7 deletions(-) 
diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
index 34bd3c151f..ece4341a3f 100644
--- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
+++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
@@ -229,7 +229,8 @@ static int aes_get_ctx_params(void *vctx, OSSL_PARAM params[])
 }
 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
 if (p != NULL
-&& !OSSL_PARAM_set_octet_string(p, ctx->base.oiv, ctx->base.ivlen)) {
+&& !OSSL_PARAM_set_octet_string(p, ctx->base.oiv, ctx->base.ivlen)
+&& !OSSL_PARAM_set_octet_ptr(p, &ctx->base.oiv, ctx->base.ivlen)) {
 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
 return 0;
 }
diff --git a/providers/implementations/ciphers/cipher_aes_ocb.c b/providers/implementations/ciphers/cipher_aes_ocb.c
index 859f3524a4..84ba062d6b 100644
--- a/providers/implementations/ciphers/cipher_aes_ocb.c
+++ b/providers/implementations/ciphers/cipher_aes_ocb.c
@@ -401,11 +401,12 @@ static int aes_ocb_get_ctx_params(void *vctx, OSSL_PARAM params[])
 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
 if (p != NULL) {
-if (ctx->base.ivlen != p->data_size) {
+if (ctx->base.ivlen > p->data_size) {
 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
 return 0;
 }
-if (!OSSL_PARAM_set_octet_string(p, ctx->base.oiv, ctx->base.ivlen)) {
+if (!OSSL_PARAM_set_octet_string(p, ctx->base.oiv, ctx->base.ivlen)
+&& !OSSL_PARAM_set_octet_ptr(p, &ctx->base.oiv, ctx->base.ivlen)) {
 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
 return 0;
 }
diff --git a/providers/implementations/ciphers/ciphercommon_ccm.c b/providers/implementations/ciphers/ciphercommon_ccm.c
index 80c2230d96..2b9a0687e3 100644
--- a/providers/implementations/ciphers/ciphercommon_ccm.c
+++ b/providers/implementations/ciphers/ciphercommon_ccm.c
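Review bot: In aes_ocb_get_ctx_params the check `if (ctx->base.ivlen > p->data_size)` still runs before either setter, yet for a request made in the octet-pointer form `data_size` presumably describes the pointer slot rather than an IV buffer, so the new `OSSL_PARAM_set_octet_ptr` fallback looks unreachable whenever the IV is longer than a pointer. The cipher_aes_cbc_hmac_sha.c hunk above has no such pre-check and leaves the size validation to `OSSL_PARAM_set_octet_string` itself; removing the pre-check here, and in the ciphercommon_ccm.c hunk that starts below but ends outside this view, would make the three sites behave the same. Since the pointer form hands the caller `&ctx->base.oiv`, a writable view into the provider's own IV state, a one-line comment at the fallback saying that this is deliberate (the commit message ties it to EVP_CIPHER_CTX_iv_noconst()) would help later readers.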
@@ -160,11 +160,12 @@ int ccm_get_ctx_params(void *vctx, OSSL_PARAM params[]) p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV); if (p != NULL) { -if (ccm_get_ivlen(ctx) != p->data_size) { +if (ccm_get_ivlen(ctx) > p->data_size) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN); return 0; } -if (!OSSL_PARAM_set_octet_string(p, ctx->iv, p->data_size)) { +if (!OSSL_PARAM_set_octet_string(p, ctx->iv, p->data_size) +&& !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, p->data_size)) {
[openssl] master update
The branch master has been updated via 670ff08e77c5b331443a3ed6d41564d863a47f06 (commit) from 2edb571b4b857e51620bfd93e240e39de40cb456 (commit) - Log - commit 670ff08e77c5b331443a3ed6d41564d863a47f06 Author: Benjamin Kaduk Date: Fri Jun 12 19:56:11 2020 -0700 Fix logic error for building x86 CAST assembly The assembly code is not PIC, so we should only try to build it when the configuration has disabled PIC, not the other way around. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/12128) --- Summary of changes: crypto/cast/build.info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/cast/build.info b/crypto/cast/build.info index 8763f22405..01a3691d68 100644 --- a/crypto/cast/build.info +++ b/crypto/cast/build.info @@ -2,7 +2,7 @@ LIBS=../../libcrypto $CASTASM=c_enc.c # CAST assembly source is not PIC -IF[{- !$disabled{asm} && !$disabled{pic} -}] +IF[{- !$disabled{asm} && $disabled{pic} -}] $CASTASM_x86=cast-586.s # Now that we have defined all the arch specific variables, use the
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via ad178c15a112d10380a6446127b069270af666de (commit) from 8354f53d40781630eb4caa1a2ce31eca5296aa29 (commit) - Log - commit ad178c15a112d10380a6446127b069270af666de Author: Benjamin Kaduk Date: Thu May 28 14:34:10 2020 -0700 Fix a typo in SSL_CTX_set_session_ticket_cb.pod "SSL" takes two esses, not three. [skip ci] Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12038) (cherry picked from commit 09527c493596060544bda92ecd0d8ef40a366c5e) --- Summary of changes: doc/man3/SSL_CTX_set_session_ticket_cb.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/SSL_CTX_set_session_ticket_cb.pod b/doc/man3/SSL_CTX_set_session_ticket_cb.pod index f3dfb62c23..99d2f29ac6 100644 --- a/doc/man3/SSL_CTX_set_session_ticket_cb.pod +++ b/doc/man3/SSL_CTX_set_session_ticket_cb.pod @@ -177,7 +177,7 @@ L =head1 HISTORY -The SSL_CTX_set_session_ticket_cb(), SSSL_SESSION_set1_ticket_appdata() +The SSL_CTX_set_session_ticket_cb(), SSL_SESSION_set1_ticket_appdata() and SSL_SESSION_get_ticket_appdata() functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT
[openssl] master update
The branch master has been updated via 09527c493596060544bda92ecd0d8ef40a366c5e (commit) from 7b2d995ed79f0653defd682e5097ed937f4cabbc (commit) - Log - commit 09527c493596060544bda92ecd0d8ef40a366c5e Author: Benjamin Kaduk Date: Thu May 28 14:34:10 2020 -0700 Fix a typo in SSL_CTX_set_session_ticket_cb.pod "SSL" takes two esses, not three. [skip ci] Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12038) --- Summary of changes: doc/man3/SSL_CTX_set_session_ticket_cb.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/SSL_CTX_set_session_ticket_cb.pod b/doc/man3/SSL_CTX_set_session_ticket_cb.pod index 8cdb88cc55..2a9576e259 100644 --- a/doc/man3/SSL_CTX_set_session_ticket_cb.pod +++ b/doc/man3/SSL_CTX_set_session_ticket_cb.pod @@ -177,7 +177,7 @@ L =head1 HISTORY -The SSL_CTX_set_session_ticket_cb(), SSSL_SESSION_set1_ticket_appdata() +The SSL_CTX_set_session_ticket_cb(), SSL_SESSION_set1_ticket_appdata() and SSL_SESSION_get_ticket_appdata() functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT
[openssl] master update
The branch master has been updated via 9c44916ce555a0280170c5fc519a0ebf693292f8 (commit) via 7c302f8afc1d36ec12effd0c08047baced095b46 (commit) via 2cd3ebc76c7d8e76a8e337ef1eef43753eacef00 (commit) from 5ddec6a7d3206c61209a016db4227b847dcaad27 (commit) - Log - commit 9c44916ce555a0280170c5fc519a0ebf693292f8 Author: Benjamin Kaduk Date: Fri May 22 11:13:24 2020 -0700 RSA: Do not set NULL OAEP labels As of the previous commit, when a zero-length (string) parameter is present in the parameters passed to a provider for a given operation, we will produce an object corresponding to that zero-length parameter, indicating to the underlying cryptographic operation that the parameter was passed. However, rsa_cms_decrypt() was relying on the previous behavior, and unconditionally tried to call EVP_PKEY_CTX_set0_rsa_oaep_label() even when the implicit default label was used (and thus the relevant local variable was still NULL). In the new setup that distinguishes present-but-empty and absent more clearly, it is an error to attempt to set a NULL parameter, even if it is zero-length. Exercise more caution when setting parameters, and do not call EVP_PKEY_CTX_set0_rsa_oaep_label() when there is not actually a label provided. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/11920) commit 7c302f8afc1d36ec12effd0c08047baced095b46 Author: Benjamin Kaduk Date: Thu May 21 14:10:50 2020 -0700 params: do not ignore zero-length strings Prior to this commit, if a string (or octet string) parameter was present but indicated it was zero-length, we would return success but with a NULL output value. This can be problematic in cases where there is a protocol-level distinction between parameter-absent and parameter-present-but-zero-length, which is uncommon but can happen. Since OPENSSL_malloc() returns NULL for zero-length allocation requests, make a dummy allocation for this case, to give a signal that the string parameter does exist but has zero length. 
Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/11920) commit 2cd3ebc76c7d8e76a8e337ef1eef43753eacef00 Author: Benjamin Kaduk Date: Thu May 21 12:53:59 2020 -0700 test HKDF with empty IKM Add an extra EVP test that provides empty input key material. It currently fails, since we lose the information about "key present but zero length" as we deserialize parameters in the provider. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/11920) --- Summary of changes: crypto/params.c| 7 +++ crypto/rsa/rsa_ameth.c | 3 ++- test/evp_extra_test.c | 42 ++ 3 files changed, 47 insertions(+), 5 deletions(-) diff --git a/crypto/params.c b/crypto/params.c index 06ae1bc44f..9bccc51760 100644 --- a/crypto/params.c +++ b/crypto/params.c @@ -788,8 +788,6 @@ static int get_string_internal(const OSSL_PARAM *p, void **val, size_t max_len, if (used_len != NULL) *used_len = sz; -if (sz == 0) -return 1; if (p->data == NULL) return 0; @@ -797,12 +795,13 @@ static int get_string_internal(const OSSL_PARAM *p, void **val, size_t max_len, return 1; if (*val == NULL) { -char *const q = OPENSSL_malloc(sz); +char *const q = OPENSSL_malloc(sz > 0 ? sz : 1); if (q == NULL) return 0; *val = q; -memcpy(q, p->data, sz); +if (sz != 0) +memcpy(q, p->data, sz); return 1; } if (max_len < sz) diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index 6628e38342..22c06a2139 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -1007,7 +1007,8 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri) goto err; if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) goto err; -if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) +if (label != NULL +&& EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) goto err; /* Carry on */ rv = 1; diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 2ab4be89a3..e6a76a1fa6 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c 
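Review bot: Dropping the `if (sz == 0) return 1;` early return in get_string_internal() changes more than the allocation case: a zero-length parameter whose `p->data` is NULL now reaches `if (p->data == NULL) return 0;` and fails, where it previously succeeded with `*used_len` set to 0. That matches the commit's intent of separating absent from present-but-empty, but it is a behaviour change for any caller that builds an empty string with a NULL buffer and the commit message does not mention it; a comment at that check such as `/* A present-but-empty string still needs a non-NULL data pointer; NULL data is an error, not an empty value. */` would make the contract explicit. The function continues outside the hunk.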
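Review bot: The `OPENSSL_malloc(sz > 0 ? sz : 1)` in get_string_internal() deserves a comment, because a reader will otherwise take the 1 for an off-by-one, and the dummy byte is left uninitialised. Something like `/* Allocate at least one byte so an empty string yields a non-NULL *val (OPENSSL_malloc(0) returns NULL); the byte is padding, *used_len stays 0 and the memcpy is skipped. */` records why the allocation is never zero-sized and why the copy is guarded by `sz != 0`.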
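Review bot: The new `label != NULL` guard in rsa_cms_decrypt() skips EVP_PKEY_CTX_set0_rsa_oaep_label() without saying why NULL is acceptable, and since set0 functions take ownership of their argument the branch also decides who ends up freeing `label`. A comment such as `/* label == NULL means the default (empty) OAEP label; only an explicitly decoded label, even a zero-length one, is handed to the ctx, which takes ownership of it */` would spell out both points. If the decoder can produce a non-NULL label with labellen == 0 it is now passed through as an empty string, which is exactly what the params.c change in this commit enables. The start of rsa_cms_decrypt(), where label is decoded, lies outside this hunk.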
@@ -1246,6 +1246,47 @@ static int test_HKDF(void) return ret; } +static int test_emptyikm_HKDF(void) +{ +EVP_PKEY_CTX *pctx; +unsigned char out[20]; +size_t outlen; +int ret = 0; +unsigned char salt[] = "9876543210"; +unsigned char key[] = ""; +unsigned char info[] = "stringinfo";
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via de5e2cb541699e11a2b82de1d7f98f62bc207a1d (commit) via 76b0d1f0dbdab628e2c5b2a7d45e3e93ecf5ee09 (commit) from 5cea5841c70be0186c11ff79a9767d2e1376e80a (commit) - Log - commit de5e2cb541699e11a2b82de1d7f98f62bc207a1d Author: raja-ashok Date: Wed May 13 23:37:14 2020 +0530 Update early data exchange scenarios in doc Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/11816) (cherry picked from commit b2a5001d954e81e2a582f2a935212ab554a3cbbe) commit 76b0d1f0dbdab628e2c5b2a7d45e3e93ecf5ee09 Author: raja-ashok Date: Wed May 13 23:32:44 2020 +0530 Update limitation of psk_client_cb and psk_server_cb in usage with TLSv1.3 Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/11816) (cherry picked from commit e0bcb4f97f7496af032013ead15b7472b60e85fa) --- Summary of changes: doc/man3/SSL_CTX_set_psk_client_callback.pod | 4 +++- doc/man3/SSL_CTX_use_psk_identity_hint.pod | 4 +++- doc/man3/SSL_read_early_data.pod | 9 + 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/doc/man3/SSL_CTX_set_psk_client_callback.pod b/doc/man3/SSL_CTX_set_psk_client_callback.pod index eb4e4f5fa4..293ddcbead 100644 --- a/doc/man3/SSL_CTX_set_psk_client_callback.pod +++ b/doc/man3/SSL_CTX_set_psk_client_callback.pod @@ -123,7 +123,9 @@ and it will use that in preference. If no such callback is present then it will check to see if a callback has been set via SSL_CTX_set_psk_client_callback() or SSL_set_psk_client_callback() and use that. In this case the B value will always be NULL and the handshake digest will default to SHA-256 for any returned -PSK. +PSK. TLSv1.3 early data exchanges are possible in PSK connections only with the +B callback, and are not possible with the +B callback. =head1 NOTES diff --git a/doc/man3/SSL_CTX_use_psk_identity_hint.pod b/doc/man3/SSL_CTX_use_psk_identity_hint.pod index 0957ade5e1..6403da3d6b 100644 
--- a/doc/man3/SSL_CTX_use_psk_identity_hint.pod +++ b/doc/man3/SSL_CTX_use_psk_identity_hint.pod @@ -83,7 +83,9 @@ via SSL_CTX_set_psk_find_session_callback() or SSL_set_psk_find_session_callback and it will use that in preference. If no such callback is present then it will check to see if a callback has been set via SSL_CTX_set_psk_server_callback() or SSL_set_psk_server_callback() and use that. In this case the handshake digest -will default to SHA-256 for any returned PSK. +will default to SHA-256 for any returned PSK. TLSv1.3 early data exchanges are +possible in PSK connections only with the B +callback, and are not possible with the B callback. =head1 NOTES diff --git a/doc/man3/SSL_read_early_data.pod b/doc/man3/SSL_read_early_data.pod index c51fe1359d..d3552c928b 100644 --- a/doc/man3/SSL_read_early_data.pod +++ b/doc/man3/SSL_read_early_data.pod @@ -58,10 +58,11 @@ SSL_set_allow_early_data_cb These functions are used to send and receive early data where TLSv1.3 has been negotiated. Early data can be sent by the client immediately after its initial ClientHello without having to wait for the server to complete the handshake. -Early data can only be sent if a session has previously been established with -the server, and the server is known to support it. Additionally these functions -can be used to send data from the server to the client when the client has not -yet completed the authentication stage of the handshake. +Early data can be sent if a session has previously been established with the +server or when establishing a new session using an out-of-band PSK, and only +when the server is known to support it. Additionally these functions can be used +to send data from the server to the client when the client has not yet completed +the authentication stage of the handshake. Early data has weaker security properties than other data sent over an SSL/TLS connection. In particular the data does not have forward secrecy. There are also
[openssl] master update
The branch master has been updated via b2a5001d954e81e2a582f2a935212ab554a3cbbe (commit) via e0bcb4f97f7496af032013ead15b7472b60e85fa (commit) from e638112e15c63bfb4ab9bf5af66aa439e5983f23 (commit) - Log - commit b2a5001d954e81e2a582f2a935212ab554a3cbbe Author: raja-ashok Date: Wed May 13 23:37:14 2020 +0530 Update early data exchange scenarios in doc Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/11816) commit e0bcb4f97f7496af032013ead15b7472b60e85fa Author: raja-ashok Date: Wed May 13 23:32:44 2020 +0530 Update limitation of psk_client_cb and psk_server_cb in usage with TLSv1.3 Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/11816) --- Summary of changes: doc/man3/SSL_CTX_set_psk_client_callback.pod | 4 +++- doc/man3/SSL_CTX_use_psk_identity_hint.pod | 4 +++- doc/man3/SSL_read_early_data.pod | 9 + 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/doc/man3/SSL_CTX_set_psk_client_callback.pod b/doc/man3/SSL_CTX_set_psk_client_callback.pod index 55ffb31c49..70eefa0265 100644 --- a/doc/man3/SSL_CTX_set_psk_client_callback.pod +++ b/doc/man3/SSL_CTX_set_psk_client_callback.pod @@ -123,7 +123,9 @@ and it will use that in preference. If no such callback is present then it will check to see if a callback has been set via SSL_CTX_set_psk_client_callback() or SSL_set_psk_client_callback() and use that. In this case the B value will always be NULL and the handshake digest will default to SHA-256 for any returned -PSK. +PSK. TLSv1.3 early data exchanges are possible in PSK connections only with the +B callback, and are not possible with the +B callback. =head1 NOTES diff --git a/doc/man3/SSL_CTX_use_psk_identity_hint.pod b/doc/man3/SSL_CTX_use_psk_identity_hint.pod index 937c91a3c8..0e70d4d531 100644 --- a/doc/man3/SSL_CTX_use_psk_identity_hint.pod +++ b/doc/man3/SSL_CTX_use_psk_identity_hint.pod 
@@ -83,7 +83,9 @@ via SSL_CTX_set_psk_find_session_callback() or SSL_set_psk_find_session_callback and it will use that in preference. If no such callback is present then it will check to see if a callback has been set via SSL_CTX_set_psk_server_callback() or SSL_set_psk_server_callback() and use that. In this case the handshake digest -will default to SHA-256 for any returned PSK. +will default to SHA-256 for any returned PSK. TLSv1.3 early data exchanges are +possible in PSK connections only with the B +callback, and are not possible with the B callback. A connection established via a TLSv1.3 PSK will appear as if session resumption has occurred so that L will return true. diff --git a/doc/man3/SSL_read_early_data.pod b/doc/man3/SSL_read_early_data.pod index 4f1593638c..dd86831767 100644 --- a/doc/man3/SSL_read_early_data.pod +++ b/doc/man3/SSL_read_early_data.pod @@ -58,10 +58,11 @@ SSL_set_allow_early_data_cb These functions are used to send and receive early data where TLSv1.3 has been negotiated. Early data can be sent by the client immediately after its initial ClientHello without having to wait for the server to complete the handshake. -Early data can only be sent if a session has previously been established with -the server, and the server is known to support it. Additionally these functions -can be used to send data from the server to the client when the client has not -yet completed the authentication stage of the handshake. +Early data can be sent if a session has previously been established with the +server or when establishing a new session using an out-of-band PSK, and only +when the server is known to support it. Additionally these functions can be used +to send data from the server to the client when the client has not yet completed +the authentication stage of the handshake. Early data has weaker security properties than other data sent over an SSL/TLS connection. In particular the data does not have forward secrecy. There are also
[openssl] master update
The branch master has been updated via 0b2b0be948404cefe7160c9b1096bc554e982f03 (commit) via 2e1a4f6aeb5a9935e3055f61740381e17a31fc9a (commit) from 43a70f02022ebbc29aa71853f04f1dc0d9772846 (commit) - Log - commit 0b2b0be948404cefe7160c9b1096bc554e982f03 Author: raja-ashok Date: Sun May 10 22:47:00 2020 +0530 Test TLSv1.3 out-of-band PSK with all 5 ciphersuites Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/11785) commit 2e1a4f6aeb5a9935e3055f61740381e17a31fc9a Author: raja-ashok Date: Fri May 8 19:17:21 2020 +0530 Fix crash in early data send with out-of-band PSK using AES CCM Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/11785) --- Summary of changes: ssl/tls13_enc.c | 11 +- test/sslapitest.c | 113 +- 2 files changed, 121 insertions(+), 3 deletions(-) diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index e81f3656ee..1775152eeb 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -436,11 +436,18 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, uint32_t algenc; ivlen = EVP_CCM_TLS_IV_LEN; -if (s->s3.tmp.new_cipher == NULL) { +if (s->s3.tmp.new_cipher != NULL) { +algenc = s->s3.tmp.new_cipher->algorithm_enc; +} else if (s->session->cipher != NULL) { /* We've not selected a cipher yet - we must be doing early data */ algenc = s->session->cipher->algorithm_enc; +} else if (s->psksession != NULL && s->psksession->cipher != NULL) { +/* We must be doing early data with out-of-band PSK */ +algenc = s->psksession->cipher->algorithm_enc; } else { -algenc = s->s3.tmp.new_cipher->algorithm_enc; +SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, + ERR_R_EVP_LIB); +goto err; } if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) taglen = EVP_CCM8_TLS_TAG_LEN; diff --git a/test/sslapitest.c b/test/sslapitest.c index ea86b13f80..c1c288e50a 100644 --- a/test/sslapitest.c 
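Review bot: The new final `else` in derive_secret_key_and_iv() reports `ERR_R_EVP_LIB` for a state in which no cipher is available to pick the CCM tag length, which misattributes the failure to the EVP library; `ERR_R_INTERNAL_ERROR` is the reason code typically paired with SSL_AD_INTERNAL_ERROR for "cannot happen" states and would describe this branch accurately. The comment on the `s->session->cipher` branch still reads "We've not selected a cipher yet - we must be doing early data", which is now ambiguous after the psksession case was split out; restating it as `/* No cipher negotiated yet: early data on a resumed session */` keeps the two early-data sources distinct. The `err:` label and the rest of the function are outside this hunk.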
+++ b/test/sslapitest.c @@ -2755,8 +2755,11 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, #define MSG6"test" #define MSG7"message." -#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02") #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01") +#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02") +#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03") +#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04") +#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05") static SSL_SESSION *create_a_psk(SSL *ssl) 
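Review bot: `TLS13_AES_128_CCM_8_SHA256_BYTES` is written as `"\x13\05"`, an octal escape that happens to equal 0x05 but breaks the `\xNN` pattern of the four neighbouring defines and is easy to misread as a typo; `#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\x05")` is the consistent form. A short comment above the group noting that these are the TLS 1.3 ciphersuite identifiers as they appear on the wire (RFC 8446, Appendix B.4) would tell readers where the values come from.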
@@ -3689,6 +3692,113 @@ static int test_early_data_psk(int idx) return testresult; } +/* + * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites + * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256 + * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384 + * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256, + * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256 + * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256 + */ +static int test_early_data_psk_with_all_ciphers(int idx) +{ +SSL_CTX *cctx = NULL, *sctx = NULL; +SSL *clientssl = NULL, *serverssl = NULL; +int testresult = 0; +SSL_SESSION *sess = NULL; +unsigned char buf[20]; +size_t readbytes, written; +const SSL_CIPHER *cipher; +const char *cipher_str[] = { +TLS1_3_RFC_AES_128_GCM_SHA256, +TLS1_3_RFC_AES_256_GCM_SHA384, +# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) +TLS1_3_RFC_CHACHA20_POLY1305_SHA256, +# else +NULL, +# endif +TLS1_3_RFC_AES_128_CCM_SHA256, +TLS1_3_RFC_AES_128_CCM_8_SHA256 +}; +const unsigned char *cipher_bytes[] = { +TLS13_AES_128_GCM_SHA256_BYTES, +TLS13_AES_256_GCM_SHA384_BYTES, +# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) +TLS13_CHACHA20_POLY1305_SHA256_BYTES, +# else +NULL, +# endif +TLS13_AES_128_CCM_SHA256_BYTES, +TLS13_AES_128_CCM_8_SHA256_BYTES +}; + +if (cipher_str[idx] == NULL) +return 1; +/* Skip ChaCha20Poly1305 as currently FIPS module does not support it */ +if (idx == 2 &&
[openssl] master update
The branch master has been updated via dd63f9bbfc95931e4f41558fbc7a2ffb68b0eef0 (commit) from 7ef43790617cb08b4bb4141df716dfb37385fe5c (commit) - Log - commit dd63f9bbfc95931e4f41558fbc7a2ffb68b0eef0 Author: Benjamin Kaduk Date: Mon May 11 09:29:24 2020 -0700 Fix FreeBSD build with --strict-warnings apps/lib/http_server.c needs to include string.h in order to get a prototype for strerror(). Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/11797) --- Summary of changes: apps/lib/http_server.c | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/lib/http_server.c b/apps/lib/http_server.c index 6db11f4150..2b5c9f5dcd 100644 --- a/apps/lib/http_server.c +++ b/apps/lib/http_server.c @@ -17,6 +17,7 @@ # define _POSIX_C_SOURCE 2 #endif +#include #include #include "http_server.h" #include "internal/sockets.h"
[openssl] master update
The branch master has been updated via 3f2a8d971a44b9aac30a5725ae44cfcb1d4156f1 (commit) from 582311d7b469b4f57a29e9c3965c4d1eb4b477d4 (commit) - Log - commit 3f2a8d971a44b9aac30a5725ae44cfcb1d4156f1 Author: Beat Bolli Date: Thu May 7 14:19:22 2020 +0200 doc: fix two invalid tags Signed-off-by: Beat Bolli Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/11759) --- Summary of changes: doc/man1/openssl-cms.pod.in | 2 +- doc/man3/EVP_DigestInit.pod | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index 15dd7799cb..4fbb7c0e16 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -107,7 +107,7 @@ Print out a usage message. Encrypt mail for the given recipient certificates. Input file is the message to be encrypted. The output file is the encrypted mail in MIME format. The -actual CMS type is EnvelopedData. +actual CMS type is B. Note that no revocation check is done for the recipient cert, so if that key has been compromised, others may be able to decrypt the text. diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod index 6c0f136b1c..370b685bf8 100644 --- a/doc/man3/EVP_DigestInit.pod +++ b/doc/man3/EVP_DigestInit.pod @@ -226,7 +226,7 @@ EVP_DigestInit_ex() can be called to initialize a new digest operation. =item EVP_DigestFinalXOF() Interfaces to extendable-output functions, XOFs, such as SHAKE128 and SHAKE256. -It retrieves the digest value from I and places it in I-sized md. +It retrieves the digest value from I and places it in I-sized I. After calling this function no additional calls to EVP_DigestUpdate() can be made, but EVP_DigestInit_ex() can be called to initialize a new operation.
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 69296e264e58334620f541d09a4e381ee45542d4 (commit) from 6b057f75074a9061147d7e64fc77db85e310db47 (commit) - Log - commit 69296e264e58334620f541d09a4e381ee45542d4 Author: Maximilian Blenk Date: Tue Apr 7 19:33:39 2020 +0200 Fix PEM certificate loading that sometimes fails As described in https://github.com/openssl/openssl/issues/9187, the loading of PEM certificates sometimes fails if a line of base64 content has the length of a multiple of 254. The problem is in get_header_and_data(). When such a line with a length of 254 (or a multiple) has been read, the next read will only read a newline. Due to this get_header_and_data() expects to be in the header not in the data area. This commit fixes that by checking if lines have been read completely or only partially. In case of a previous partial read, a newline will be ignored. Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/11741) (cherry picked from commit 0324ffc5d5d393111288eca2c9d67f2141ed65f5) --- Summary of changes: crypto/pem/pem_lib.c | 28 -- test/recipes/04-test_pem.t | 3 +++ .../04-test_pem_data/cert-254-chars-at-the-end.pem | 6 + .../cert-254-chars-in-the-middle.pem | 5 .../cert-oneline-multiple-of-254.pem | 3 +++ 5 files changed, 38 insertions(+), 7 deletions(-) create mode 100644 test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem create mode 100644 test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem create mode 100644 test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index 64baf7108e..0d79f4aea0 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c 
@@ -791,7 +791,7 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name, { BIO *tmp = *header; char *linebuf, *p; -int len, line, ret = 0, end = 0; +int len, line, ret = 0, end = 0, prev_partial_line_read = 0, partial_line_read = 0; /* 0 if not seen (yet), 1 if reading header, 2 if finished header */ enum header_status got_header = MAYBE_HEADER; unsigned int flags_mask; @@ -813,6 +813,14 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name, goto err; } +/* + * Check if line has been read completely or if only part of the line + * has been read. Keep the previous value to ignore newlines that + * appear due to reading a line up until the char before the newline. + */ +prev_partial_line_read = partial_line_read; +partial_line_read = len == LINESIZE-1 && linebuf[LINESIZE-2] != '\n'; + if (got_header == MAYBE_HEADER) { if (memchr(linebuf, ':', len) != NULL) got_header = IN_HEADER; @@ -823,13 +831,19 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name, /* Check for end of header. */ if (linebuf[0] == '\n') { -if (got_header == POST_HEADER) { -/* Another blank line is an error. */ -PEMerr(PEM_F_GET_HEADER_AND_DATA, PEM_R_BAD_END_LINE); -goto err; +/* + * If previous line has been read only partially this newline is a + * regular newline at the end of a line and not an empty line. + */ +if (!prev_partial_line_read) { +if (got_header == POST_HEADER) { +/* Another blank line is an error. */ +PEMerr(PEM_F_GET_HEADER_AND_DATA, PEM_R_BAD_END_LINE); +goto err; +} +got_header = POST_HEADER; +tmp = *data; } -got_header = POST_HEADER; -tmp = *data; continue; } diff --git a/test/recipes/04-test_pem.t b/test/recipes/04-test_pem.t index c32169..e26127564f 100644 --- a/test/recipes/04-test_pem.t +++ b/test/recipes/04-test_pem.t 
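Review bot: The widened declaration `int len, line, ret = 0, end = 0, prev_partial_line_read = 0, partial_line_read = 0;` in get_header_and_data() runs well past 80 columns, which OpenSSL's coding style avoids; giving the two new flags their own line, `int prev_partial_line_read = 0, partial_line_read = 0;`, fixes that and leaves room for a comment stating that they track whether the previous BIO_gets() filled the buffer without reaching a newline. The identical hunk appears again in the master commit further down this page.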
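Review bot: `partial_line_read = len == LINESIZE-1 && linebuf[LINESIZE-2] != '\n';` encodes a contract with BIO_gets() (a full buffer whose last stored character is not a newline means the line continues) that the comment above only describes in terms of stray newlines, and the unparenthesised mix of `==` and `&&` makes the boundary case hard to read. Writing it as `partial_line_read = (len == LINESIZE - 1 && linebuf[LINESIZE - 2] != '\n');` and extending the comment with `a line of exactly LINESIZE-1 characters that ends in a newline is complete, not partial` would make the edge explicit. The same hunk is repeated in the master commit later on this page, where the same remark applies.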
@@ -28,6 +28,8 @@ my %cert_expected = ( "cert-1023line.pem" => 1, "cert-1024line.pem" => 1, "cert-1025line.pem" => 1, +"cert-254-chars-at-the-end.pem" => 1, +"cert-254-chars-in-the-middle.pem" => 1, "cert-255line.pem" => 1, "cert-256line.pem" => 1, "cert-257line.pem" => 1, @@ -42,6 +44,7 @@ my %cert_expected = ( "cert-misalignedpad.pem" => 0, "cert-onecol
[openssl] master update
The branch master has been updated via 0324ffc5d5d393111288eca2c9d67f2141ed65f5 (commit) from 257e9d03b028402089c9f98f3acb25ba668c09af (commit) - Log - commit 0324ffc5d5d393111288eca2c9d67f2141ed65f5 Author: Maximilian Blenk Date: Tue Apr 7 19:33:39 2020 +0200 Fix PEM certificate loading that sometimes fails As described in https://github.com/openssl/openssl/issues/9187, the loading of PEM certificates sometimes fails if a line of base64 content has the length of a multiple of 254. The problem is in get_header_and_data(). When such a line with a length of 254 (or a multiple) has been read, the next read will only read a newline. Due to this get_header_and_data() expects to be in the header not in the data area. This commit fixes that by checking if lines have been read completely or only partially. In case of a previous partial read, a newline will be ignored. Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/11741) --- Summary of changes: crypto/pem/pem_lib.c | 28 -- test/recipes/04-test_pem.t | 3 +++ .../04-test_pem_data/cert-254-chars-at-the-end.pem | 6 + .../cert-254-chars-in-the-middle.pem | 5 .../cert-oneline-multiple-of-254.pem | 3 +++ 5 files changed, 38 insertions(+), 7 deletions(-) create mode 100644 test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem create mode 100644 test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem create mode 100644 test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index e059328aee..f5ed70d6b4 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c 
@@ -806,7 +806,7 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name, { BIO *tmp = *header; char *linebuf, *p; -int len, line, ret = 0, end = 0; +int len, line, ret = 0, end = 0, prev_partial_line_read = 0, partial_line_read = 0; /* 0 if not seen (yet), 1 if reading header, 2 if finished header */ enum header_status got_header = MAYBE_HEADER; unsigned int flags_mask; @@ -828,6 +828,14 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name, goto err; } +/* + * Check if line has been read completely or if only part of the line + * has been read. Keep the previous value to ignore newlines that + * appear due to reading a line up until the char before the newline. + */ +prev_partial_line_read = partial_line_read; +partial_line_read = len == LINESIZE-1 && linebuf[LINESIZE-2] != '\n'; + if (got_header == MAYBE_HEADER) { if (memchr(linebuf, ':', len) != NULL) got_header = IN_HEADER; @@ -838,13 +846,19 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name, /* Check for end of header. */ if (linebuf[0] == '\n') { -if (got_header == POST_HEADER) { -/* Another blank line is an error. */ -PEMerr(PEM_F_GET_HEADER_AND_DATA, PEM_R_BAD_END_LINE); -goto err; +/* + * If previous line has been read only partially this newline is a + * regular newline at the end of a line and not an empty line. + */ +if (!prev_partial_line_read) { +if (got_header == POST_HEADER) { +/* Another blank line is an error. */ +PEMerr(PEM_F_GET_HEADER_AND_DATA, PEM_R_BAD_END_LINE); +goto err; +} +got_header = POST_HEADER; +tmp = *data; } -got_header = POST_HEADER; -tmp = *data; continue; } diff --git a/test/recipes/04-test_pem.t b/test/recipes/04-test_pem.t index 0e6e419519..d553bec0a8 100644 --- a/test/recipes/04-test_pem.t +++ b/test/recipes/04-test_pem.t 
@@ -28,6 +28,8 @@ my %cert_expected = ( "cert-1023line.pem" => 1, "cert-1024line.pem" => 1, "cert-1025line.pem" => 1, +"cert-254-chars-at-the-end.pem" => 1, +"cert-254-chars-in-the-middle.pem" => 1, "cert-255line.pem" => 1, "cert-256line.pem" => 1, "cert-257line.pem" => 1, @@ -43,6 +45,7 @@ my %cert_expected = ( "cert-misalignedpad.pem" => 0, "cert-onecolumn.pem" => 1, "cert-oneline.pem" => 1, +"cert-oneline-multip
[openssl] master update
The branch master has been updated via 35774d5594af9beeb73792742b7ed901d202be70 (commit) from 6763f9c7e62aeba0d083be1608c88d85110976cb (commit) - Log - commit 35774d5594af9beeb73792742b7ed901d202be70 Author: Benjamin Kaduk Date: Mon May 4 11:50:25 2020 -0700 Fix up whitespace nits introduced by PR #11416 Expand a couple literal tabs, and de-indent the body of a function. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/11728) --- Summary of changes: ssl/ssl_lib.c | 10 +- ssl/ssl_local.h | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index fde726e0ba..fef50eea7f 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2305,11 +2305,11 @@ int SSL_renegotiate_pending(const SSL *s) int SSL_new_session_ticket(SSL *s) { -if (SSL_in_init(s) || SSL_IS_FIRST_HANDSHAKE(s) || !s->server -|| !SSL_IS_TLS13(s)) -return 0; -s->ext.extra_tickets_expected++; -return 1; +if (SSL_in_init(s) || SSL_IS_FIRST_HANDSHAKE(s) || !s->server +|| !SSL_IS_TLS13(s)) +return 0; +s->ext.extra_tickets_expected++; +return 1; } long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index de7e9fde48..e938504d3e 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -1539,8 +1539,8 @@ struct ssl_st { /* RFC4507 session ticket expected to be received or sent */ int ticket_expected; - /* TLS 1.3 tickets requested by the application. */ - int extra_tickets_expected; +/* TLS 1.3 tickets requested by the application. */ +int extra_tickets_expected; # ifndef OPENSSL_NO_EC size_t ecpointformats_len; /* our list */
[openssl] master update
The branch master has been updated via e908f292de6383c5d4dbece9381b523d4ce41c69 (commit) via f0049b86cc5d745af97c087e54abaeb00de40b6b (commit) via 3bfacb5fd4679812a7b9ec61d296b1add64669c0 (commit) via 6250282f7fc37c5903d051174a69053a80e1b1bd (commit) from 90113096186e185cd07ee1c4c7267d0e68e67793 (commit) - Log - commit e908f292de6383c5d4dbece9381b523d4ce41c69 Author: Benjamin Kaduk Date: Wed Apr 1 17:08:10 2020 -0700 make update for SSL_new_session_ticket Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/11416) commit f0049b86cc5d745af97c087e54abaeb00de40b6b Author: Benjamin Kaduk Date: Tue Mar 17 10:08:11 2020 -0700 Add test for SSL_new_session_ticket() Run a normal handshake and then request some extra tickets, checking that the new_session_cb is called the expected number of times. Since the tickets are generated in the same way as other tickets, there should not be a need to verify that these specific ones can be used to resume. Run the test with both zero and a non-zero number of tickets issued in the initial handshake. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/11416) commit 3bfacb5fd4679812a7b9ec61d296b1add64669c0 Author: Benjamin Kaduk Date: Mon Mar 16 11:25:58 2020 -0700 Add SSL_new_session_ticket() API This API requests that the TLS stack generate a (TLS 1.3) NewSessionTicket message the next time it is safe to do so (i.e., we do not have other data pending write, which could be mid-record). For efficiency, defer actually generating/writing the ticket until there is other data to write, to avoid producing server-to-client traffic when not needed. 
Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/11416) commit 6250282f7fc37c5903d051174a69053a80e1b1bd Author: Benjamin Kaduk Date: Mon Mar 16 11:25:12 2020 -0700 Fix whitespace nit in ossl_statem_server_pre_work An 'if' clause was nestled against a previous closing brace as if it was an 'else if', but should properly stand on its own line. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/11416) --- Summary of changes: doc/man3/SSL_CTX_set_num_tickets.pod | 27 ++- include/openssl/ssl.h| 1 + ssl/record/rec_layer_s3.c| 8 +- ssl/ssl_lib.c| 9 +++ ssl/ssl_local.h | 2 + ssl/statem/statem_srvr.c | 19 - test/sslapitest.c| 143 +++ util/libssl.num | 1 + 8 files changed, 199 insertions(+), 11 deletions(-) diff --git a/doc/man3/SSL_CTX_set_num_tickets.pod b/doc/man3/SSL_CTX_set_num_tickets.pod index 84afe4ae6a..5d4bd6f5be 100644 --- a/doc/man3/SSL_CTX_set_num_tickets.pod +++ b/doc/man3/SSL_CTX_set_num_tickets.pod @@ -5,7 +5,8 @@ SSL_set_num_tickets, SSL_get_num_tickets, SSL_CTX_set_num_tickets, -SSL_CTX_get_num_tickets +SSL_CTX_get_num_tickets, +SSL_new_session_ticket - control the number of TLSv1.3 session tickets that are issued =head1 SYNOPSIS @@ -16,6 +17,7 @@ SSL_CTX_get_num_tickets size_t SSL_get_num_tickets(SSL *s); int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets); size_t SSL_CTX_get_num_tickets(SSL_CTX *ctx); + int SSL_new_session_ticket(SSL *s); =head1 DESCRIPTION 
@@ -40,14 +42,29 @@ handshake then SSL_set_num_tickets() can be called again prior to calling SSL_verify_client_post_handshake() to update the number of tickets that will be sent. +To issue tickets after other events (such as application-layer changes), +SSL_new_session_ticket() is used by a server application to request that a new +ticket be sent when it is safe to do so. New tickets are only allowed to be +sent in this manner after the initial handshake has completed, and only for TLS +1.3 connections. The ticket generation and transmission are delayed until the +server is starting a new write operation, so that it is bundled with other +application data being written and properly aligned to a record boundary. +SSL_new_session_ticket() can be called more than once to request additional +tickets be sent; all such requests are queued and written together when it is +safe to do so. Note that a successful return from SSL_new_session_ticket() +indicates only that the request to send a ticket was processed, not that the +ticket itself was sent. To be notified when the ticket itself is sent, a +new-session callback can be registered with L that +will be invoked as the ticket or tickets are generated. + SSL_CTX_get_num_tickets() and SSL_get_num_tickets() return the number of tickets set b
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 0f1f0bf99aad06008f840e1a5bf93a8745e9a774 (commit) from 1ab9298e43b6023f4083609493f20e354aa7faab (commit) - Log - commit 0f1f0bf99aad06008f840e1a5bf93a8745e9a774 Author: Benjamin Kaduk Date: Wed Apr 1 13:51:40 2020 -0700 sslapitest: only compile test when it will be used The test_ccs_change_cipher() test routine is used only when TLS 1.2 is enabled; to fix the strict-warnings build we should not try to compile it when TLS 1.2 is disabled, either. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/11458) (cherry picked from commit fb121631e702352d47049ac8e2e709b11c3318e4) --- Summary of changes: test/sslapitest.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/sslapitest.c b/test/sslapitest.c index 5c118108ef..b3cd30d9a8 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -590,7 +590,6 @@ end: return testresult; } -#endif /* * Very focused test to exercise a single case in the server-side state @@ -702,6 +701,7 @@ end: return testresult; } +#endif static int execute_test_large_message(const SSL_METHOD *smeth, const SSL_METHOD *cmeth,
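Review bot: The relocated `#endif` now closes a conditional whose opening directive sits more than a hundred lines above it (outside the hunk), with all of test_ccs_change_cipher() in between, and a bare `#endif` gives the reader no way to tell which guard it terminates. Suggest naming the condition on the moved line, `#endif /* !OPENSSL_NO_TLS1_2 */`; the commit message says the guard is the TLS 1.2 one, but the actual macro is not visible here, so confirm it against the matching `#ifndef`.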
[openssl] master update
The branch master has been updated via fb121631e702352d47049ac8e2e709b11c3318e4 (commit) from af0d413654d19acab7c8af0a3f0b3bac0574fe33 (commit) - Log - commit fb121631e702352d47049ac8e2e709b11c3318e4 Author: Benjamin Kaduk Date: Wed Apr 1 13:51:40 2020 -0700 sslapitest: only compile test when it will be used The test_ccs_change_cipher() test routine is used only when TLS 1.2 is enabled; to fix the strict-warnings build we should not try to compile it when TLS 1.2 is disabled, either. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/11458) --- Summary of changes: test/sslapitest.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/sslapitest.c b/test/sslapitest.c index f9349bc59b..779176a0f1 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -659,7 +659,6 @@ end: return testresult; } -#endif /* * Very focused test to exercise a single case in the server-side state @@ -771,6 +770,7 @@ end: return testresult; } +#endif static int execute_test_large_message(const SSL_METHOD *smeth, const SSL_METHOD *cmeth,
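Review bot: The `#endif` moved to the end of the second hunk is now far from its opening directive (which is outside the hunk, above test_ccs_change_cipher()), and nothing on the line says which conditional it closes. Suggest `#endif /* !OPENSSL_NO_TLS1_2 */` so the next person moving a test in or out of the guarded region can see the boundary; the commit message identifies the guard as TLS 1.2, but the macro itself is not visible in the diff, so verify the name before adding the comment.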
[openssl] master update
The branch master has been updated via fa4d3fe46dfb4909c3c18c9d6141bb3b60a09eed (commit) from 09fafd06065b4de17ec8b2ae0004002f2a252dc8 (commit) - Log - commit fa4d3fe46dfb4909c3c18c9d6141bb3b60a09eed Author: Benjamin Kaduk Date: Wed Apr 8 10:05:27 2020 -0700 Fix krb5 external test Since commit c3845ceba84aab9ddeb43f043549238fd10de63b ("Build file templates: don't set OPENSSL_{ENGINES,MODULES}") the krb5 external test has been failing. This is because it relied on OPENSSL_MODULES already being set -- even though it did assign to OPENSSL_MODULES itself (and thus got skipped by the cleanup pass in that commit), it was doing so only to canonicalize the existing value to an absolute path, not as a de novo assignment. Catch up to the rest of the tree and just set it directly as the "providers" path from the build top (but still canonicalized to an absolute path). [extended tests] Fixes: 11492 Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/11499) --- Summary of changes: test/recipes/95-test_external_krb5.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/recipes/95-test_external_krb5.t b/test/recipes/95-test_external_krb5.t index 889626a1be..85bca44502 100644 --- a/test/recipes/95-test_external_krb5.t +++ b/test/recipes/95-test_external_krb5.t @@ -21,7 +21,7 @@ plan skip_all => "krb5 not available" plan tests => 1; -$ENV{OPENSSL_MODULES} = abs_path($ENV{OPENSSL_MODULES}); +$ENV{OPENSSL_MODULES} = abs_path(bldtop_dir("providers")); $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "default-and-legacy.cnf")); ok(run(cmd([data_file("krb5.sh")])), "running krb5 tests");
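Review bot: The new assignment hands `abs_path(bldtop_dir("providers"))` straight to the external krb5.sh without checking that the directory exists; on many platforms Cwd::abs_path returns undef for a missing path, so a tree built without providers would run the script with an empty OPENSSL_MODULES and fail somewhere inside krb5 with a provider-load error rather than a clear message here. A defensive line before the assignment, e.g. `my $modules = abs_path(bldtop_dir("providers")); die "providers directory not found" unless defined $modules && -d $modules;`, would turn that into an explicit failure. This is inferred from the recipe alone; if the build guarantees the directory is always present, a short comment saying so would suffice.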
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via d7b9a7a42d529ce44c5a4af49f6dee72f6619459 (commit) from ba4356ae4002a04e28642da60c551877eea804f7 (commit) - Log - commit d7b9a7a42d529ce44c5a4af49f6dee72f6619459 Author: Richard Könning Date: Fri Mar 20 20:17:50 2020 +0100 Use ctx2 instead ctx. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/11372) (cherry picked from commit 402b00d57921a0c8cd641b190d36bf39ea5fb592) --- Summary of changes: apps/s_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/s_server.c b/apps/s_server.c index 2248a432e2..243b170d5d 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1904,7 +1904,7 @@ int s_server_main(int argc, char *argv[]) BIO_printf(bio_s_out, "Setting secondary ctx parameters\n"); if (sdebug) -ssl_ctx_security_debug(ctx, sdebug); +ssl_ctx_security_debug(ctx2, sdebug); if (session_id_prefix) { if (strlen(session_id_prefix) >= 32)
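Review bot: The one-token fix corrects this call but leaves the pattern that produced the slip: the "secondary ctx parameters" block appears to be a hand-maintained copy of the primary-ctx setup (the `session_id_prefix` check that follows is the next such step), so the same `ctx`/`ctx2` mix-up can recur on any line of it. Consider factoring the steps applied to both contexts into one `static` helper taking the `SSL_CTX *` and calling it for `ctx` and `ctx2`, so the target context is a parameter rather than something each line has to get right. s_server_main() starts and ends outside the hunk, so the full extent of the duplicated block is inferred rather than visible.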
[openssl] master update
The branch master has been updated via 402b00d57921a0c8cd641b190d36bf39ea5fb592 (commit) from 6f829f58effd958c75cb7bc3cf2781fbdae22b9b (commit) - Log - commit 402b00d57921a0c8cd641b190d36bf39ea5fb592 Author: Richard Könning Date: Fri Mar 20 20:17:50 2020 +0100 Use ctx2 instead ctx. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/11372) --- Summary of changes: apps/s_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/s_server.c b/apps/s_server.c index 0be414f890..bcc83e562c 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1958,7 +1958,7 @@ int s_server_main(int argc, char *argv[]) BIO_printf(bio_s_out, "Setting secondary ctx parameters\n"); if (sdebug) -ssl_ctx_security_debug(ctx, sdebug); +ssl_ctx_security_debug(ctx2, sdebug); if (session_id_prefix) { if (strlen(session_id_prefix) >= 32)
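Review bot: The fix is correct but treats the symptom; the visible lines show the secondary-context setup repeating the primary-context steps by hand (`ssl_ctx_security_debug`, then the `session_id_prefix` check), which is exactly how `ctx` ended up where `ctx2` was meant. A helper such as `static int apply_ctx_options(SSL_CTX *c, ...)` invoked once per context would make the target explicit and remove the second copy. s_server_main() continues on both sides of the hunk, so the size of the duplicated block is inferred from this excerpt.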
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 2f0dab7e59cc50c89b6d54962b81cf96c30fe725 (commit) via 44bad9cbf7daa5ff7dd201e0c61e684b2e2eb971 (commit) via 910c8ffaf83a498667c10a28580dc18cbfd643c5 (commit) via a666af9f9df20c466ff5b5554610b5460cf3a362 (commit) via cf900cbc5c32bfd31a1d3d68a2bd94368a35aafe (commit) via d3133cc77cd0b052b6792d3e1edb9e5a202c6695 (commit) from 9011225188e0779833617516bdd76ab122fe2509 (commit) - Log - commit 2f0dab7e59cc50c89b6d54962b81cf96c30fe725 Author: Benjamin Kaduk Date: Fri Mar 6 13:19:45 2020 -0800 Add test that changes ciphers on CCS The TLS (pre-1.3) ChangeCipherState message is usually used to indicate the switch from the unencrypted to encrypted part of the handshake. However, it can also be used in cases where there is an existing session (such as during resumption handshakes) or when changing from one cipher to a different one (such as during renegotiation when the cipher list offered by the client has changed). This test serves to exercise such situations, allowing us to detect whether session objects are being modified in cases when they must remain immutable for thread-safety purposes. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10943) (cherry picked from commit 3cd14e5e65011660ad8e3603cf871c8366b565fd) commit 44bad9cbf7daa5ff7dd201e0c61e684b2e2eb971 Author: Benjamin Kaduk Date: Fri Jan 24 13:44:27 2020 -0800 Code to thread-safety in ChangeCipherState The server-side ChangeCipherState processing stores the new cipher in the SSL_SESSION object, so that the new state can be used if this session gets resumed. However, writing to the session is only thread-safe for initial handshakes, as at other times the session object may be in a shared cache and in use by another thread at the same time. Reflect this invariant in the code by only writing to s->session->cipher when it is currently NULL (we do not cache sessions with no cipher). 
The code prior to this change would never actually change the (non-NULL) cipher value in a session object, since our server enforces that (pre-TLS-1.3) resumptions use the exact same cipher as the initial connection, and non-abbreviated renegotiations have produced a new session object before we get to this point. Regardless, include logic to detect such a condition and abort the handshake if it occurs, to avoid any risk of inadvertently using the wrong cipher on a connection. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10943) (cherry picked from commit 2e3ec2e1578977fca830a47fd7f521e290540e6d) commit 910c8ffaf83a498667c10a28580dc18cbfd643c5 Author: Benjamin Kaduk Date: Fri Jan 24 13:25:53 2020 -0800 Don't write to the session when computing TLS 1.3 keys TLS 1.3 maintains a separate key schedule in the SSL object, but was writing to the 'master_key_length' field in the SSL_SESSION when generating the per-SSL master_secret. (The generate_master_secret SSL3_ENC_METHOD function needs an output variable for the master secret length, but the TLS 1.3 implementation just uses the output size of the handshake hash function to get the lengths, so the only natural-looking thing to use as the output length was the field in the session. This would potentially involve writing to a SSL_SESSION object that was in the cache (i.e., resumed) and shared with other threads, though. The thread-safety impact should be minimal, since TLS 1.3 requires the hash from the original handshake to be associated with the resumption PSK and used for the subsequent connection. This means that (in the resumption case) the value being written would be the same value that was previously there, so the only risk would be on architectures that can produce torn writes/reads for aligned size_t values. Since the value is essentially ignored anyway, just provide the address of a local dummy variable to generate_master_secret() instead. 
Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10943) (cherry picked from commit d74014c4b8740f28a54b562f799ad1e754b517b9) commit a666af9f9df20c466ff5b5554610b5460cf3a362 Author: Benjamin Kaduk Date: Fri Jan 24 13:25:02 2020 -0800 Fix whitespace nit in ssl_generate_master_secret() Use a space after a comma. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10943) (cherry picked from commit 1866a0d380fc361d9be2ca0509de0f2281505db5) commit cf900cbc5c32bfd31a1d3d68a2bd94368a35aafe Author: Benjamin Kaduk Date: Fri Jan 17 11:15:59 2020 -0800
[openssl] master update
The branch master has been updated via 3cd14e5e65011660ad8e3603cf871c8366b565fd (commit) via 2e3ec2e1578977fca830a47fd7f521e290540e6d (commit) via d74014c4b8740f28a54b562f799ad1e754b517b9 (commit) via 1866a0d380fc361d9be2ca0509de0f2281505db5 (commit) via fe41c06e69613b1a4814b3e3cdbf460f2678ec99 (commit) via 06f876837a8ec76b28c42953731a156c0c3700e2 (commit) from c08dea30d4d127412097b39d9974ba6090041a7c (commit) - Log - commit 3cd14e5e65011660ad8e3603cf871c8366b565fd Author: Benjamin Kaduk Date: Fri Mar 6 13:19:45 2020 -0800 Add test that changes ciphers on CCS The TLS (pre-1.3) ChangeCipherState message is usually used to indicate the switch from the unencrypted to encrypted part of the handshake. However, it can also be used in cases where there is an existing session (such as during resumption handshakes) or when changing from one cipher to a different one (such as during renegotiation when the cipher list offered by the client has changed). This test serves to exercise such situations, allowing us to detect whether session objects are being modified in cases when they must remain immutable for thread-safety purposes. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10943) commit 2e3ec2e1578977fca830a47fd7f521e290540e6d Author: Benjamin Kaduk Date: Fri Jan 24 13:44:27 2020 -0800 Code to thread-safety in ChangeCipherState The server-side ChangeCipherState processing stores the new cipher in the SSL_SESSION object, so that the new state can be used if this session gets resumed. However, writing to the session is only thread-safe for initial handshakes, as at other times the session object may be in a shared cache and in use by another thread at the same time. Reflect this invariant in the code by only writing to s->session->cipher when it is currently NULL (we do not cache sessions with no cipher). 
The code prior to this change would never actually change the (non-NULL) cipher value in a session object, since our server enforces that (pre-TLS-1.3) resumptions use the exact same cipher as the initial connection, and non-abbreviated renegotiations have produced a new session object before we get to this point. Regardless, include logic to detect such a condition and abort the handshake if it occurs, to avoid any risk of inadvertently using the wrong cipher on a connection. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10943) commit d74014c4b8740f28a54b562f799ad1e754b517b9 Author: Benjamin Kaduk Date: Fri Jan 24 13:25:53 2020 -0800 Don't write to the session when computing TLS 1.3 keys TLS 1.3 maintains a separate key schedule in the SSL object, but was writing to the 'master_key_length' field in the SSL_SESSION when generating the per-SSL master_secret. (The generate_master_secret SSL3_ENC_METHOD function needs an output variable for the master secret length, but the TLS 1.3 implementation just uses the output size of the handshake hash function to get the lengths, so the only natural-looking thing to use as the output length was the field in the session. This would potentially involve writing to a SSL_SESSION object that was in the cache (i.e., resumed) and shared with other threads, though. The thread-safety impact should be minimal, since TLS 1.3 requires the hash from the original handshake to be associated with the resumption PSK and used for the subsequent connection. This means that (in the resumption case) the value being written would be the same value that was previously there, so the only risk would be on architectures that can produce torn writes/reads for aligned size_t values. Since the value is essentially ignored anyway, just provide the address of a local dummy variable to generate_master_secret() instead. 
Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10943) commit 1866a0d380fc361d9be2ca0509de0f2281505db5 Author: Benjamin Kaduk Date: Fri Jan 24 13:25:02 2020 -0800 Fix whitespace nit in ssl_generate_master_secret() Use a space after a comma. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10943) commit fe41c06e69613b1a4814b3e3cdbf460f2678ec99 Author: Benjamin Kaduk Date: Fri Jan 17 11:15:59 2020 -0800 doc: fix spelling of TYPE_get_ex_new_index The generated macros are TYPE_get_ex_new_index() (to match CRYPTO_get_ex_new_index()), not TYPE_get_new_ex_index(), even though the latter spelling seems more natural. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openss
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 59f92fa27eb41a7513e584b665c87669171f60dd (commit) from f50f2725c03710e183d855760c32d8df6cab1f94 (commit) - Log - commit 59f92fa27eb41a7513e584b665c87669171f60dd Author: Benjamin Kaduk Date: Thu Jan 23 17:08:34 2020 -0800 openssl-config: add example libssl system-defaults Provide a "simple" example for affecting the systemwide default behavior of libssl. The large number of mandatory nested sections makes this less simple than the main description might suggest. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/10937) (cherry picked from commit 3472082b4b6d73e0803a7c47f03e96ec0a69f77b) --- Summary of changes: doc/man5/config.pod | 16 1 file changed, 16 insertions(+) diff --git a/doc/man5/config.pod b/doc/man5/config.pod index 992fdfccf9..732998e8f4 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -355,6 +355,22 @@ Simple OpenSSL library configuration example to enter FIPS mode: Note: in the above example you will get an error in non FIPS capable versions of OpenSSL. +Simple OpenSSL library configuration to make TLS 1.3 the system-default +minimum TLS version: + + # Toplevel section for openssl (including libssl) + openssl_conf = default_conf_section + + [default_conf_section] + # We only specify configuration for the "ssl module" + ssl_conf = ssl_section + + [ssl_section] + system_default = system_default_section + + [system_default_section] + MinProtocol = TLSv1.3 + More complex OpenSSL library configuration. Add OID and don't enter FIPS mode: # Default appname: should match "appname" parameter (if any)
[openssl] master update
The branch master has been updated via 3472082b4b6d73e0803a7c47f03e96ec0a69f77b (commit) from c6fec81b88131d08c1022504ccf6effa95497afb (commit) - Log - commit 3472082b4b6d73e0803a7c47f03e96ec0a69f77b Author: Benjamin Kaduk Date: Thu Jan 23 17:08:34 2020 -0800 openssl-config: add example libssl system-defaults Provide a "simple" example for affecting the systemwide default behavior of libssl. The large number of mandatory nested sections makes this less simple than the main description might suggest. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/10937) --- Summary of changes: doc/man5/config.pod | 16 1 file changed, 16 insertions(+) diff --git a/doc/man5/config.pod b/doc/man5/config.pod index 1776439edd..680ad6578a 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -469,6 +469,22 @@ Simple OpenSSL library configuration example to enter FIPS mode: Note: in the above example you will get an error in non FIPS capable versions of OpenSSL. +Simple OpenSSL library configuration to make TLS 1.3 the system-default +minimum TLS version: + + # Toplevel section for openssl (including libssl) + openssl_conf = default_conf_section + + [default_conf_section] + # We only specify configuration for the "ssl module" + ssl_conf = ssl_section + + [ssl_section] + system_default = system_default_section + + [system_default_section] + MinProtocol = TLSv1.3 + More complex OpenSSL library configuration. Add OID and don't enter FIPS mode: # Default appname: should match "appname" parameter (if any)
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 017015ceecaf2b4464aeeeb9a051dbe91d17f6e2 (commit) from 56c59ddd99da05c2f30832cccaffb873a8481555 (commit) - Log - commit 017015ceecaf2b4464aeeeb9a051dbe91d17f6e2 Author: Benjamin Kaduk Date: Tue Jan 14 16:22:52 2020 -0800 Update SSL_CTX_sess_set_new_cb(3) docs for refcounts The existing documentation for the new-session callback was unclear about the requirements on the callback with respect to reference-handling of the session object being created. Be more explicit about the (non-)requirements on the callback code for "success" (1) and "ignore" (0) return values. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10848) (cherry picked from commit 188d4ec82a9b0085ac5841cce3eda95efb94f2b4) --- Summary of changes: doc/man3/SSL_CTX_sess_set_get_cb.pod | 18 -- 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/doc/man3/SSL_CTX_sess_set_get_cb.pod b/doc/man3/SSL_CTX_sess_set_get_cb.pod index 774c4b120f..11eda7e141 100644 --- a/doc/man3/SSL_CTX_sess_set_get_cb.pod +++ b/doc/man3/SSL_CTX_sess_set_get_cb.pod 
@@ -54,12 +54,18 @@ session cache is realized via callback functions. Inside these callback functions, session can be saved to disk or put into a database using the L interface. -The new_session_cb() is called, whenever a new session has been negotiated -and session caching is enabled (see -L). -The new_session_cb() is passed the B connection and the ssl session -B. If the callback returns B<0>, the session will be immediately -removed again. Note that in TLSv1.3, sessions are established after the main +The new_session_cb() is called whenever a new session has been negotiated and +session caching is enabled (see L). The +new_session_cb() is passed the B connection and the ssl session B. +Since sessions are reference-counted objects, the reference count on the +session is incremented before the callback, on behalf of the application. If +the callback returns B<0>, the session will be immediately removed from the +internal cache and the reference count released. If the callback returns B<1>, +the application retains the reference (for an entry in the +application-maintained "external session cache"), and is responsible for +calling SSL_SESSION_free() when the session reference is no longer in use. + +Note that in TLSv1.3, sessions are established after the main handshake has completed. The server decides when to send the client the session information and this may occur some time after the end of the handshake (or not at all). This means that applications should expect the new_session_cb()
[openssl] master update
The branch master has been updated via 188d4ec82a9b0085ac5841cce3eda95efb94f2b4 (commit) from 437ad983c6ca254cd1d4367fb1d68338c82e8ee3 (commit) - Log - commit 188d4ec82a9b0085ac5841cce3eda95efb94f2b4 Author: Benjamin Kaduk Date: Tue Jan 14 16:22:52 2020 -0800 Update SSL_CTX_sess_set_new_cb(3) docs for refcounts The existing documentation for the new-session callback was unclear about the requirements on the callback with respect to reference-handling of the session object being created. Be more explicit about the (non-)requirements on the callback code for "success" (1) and "ignore" (0) return values. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10848) --- Summary of changes: doc/man3/SSL_CTX_sess_set_get_cb.pod | 18 -- 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/doc/man3/SSL_CTX_sess_set_get_cb.pod b/doc/man3/SSL_CTX_sess_set_get_cb.pod index 0186aa002f..98fbfb57bf 100644 --- a/doc/man3/SSL_CTX_sess_set_get_cb.pod +++ b/doc/man3/SSL_CTX_sess_set_get_cb.pod 
@@ -54,12 +54,18 @@ session cache is realized via callback functions. Inside these callback functions, session can be saved to disk or put into a database using the L interface. -The new_session_cb() is called, whenever a new session has been negotiated -and session caching is enabled (see -L). -The new_session_cb() is passed the B connection and the ssl session -B. If the callback returns B<0>, the session will be immediately -removed again. Note that in TLSv1.3, sessions are established after the main +The new_session_cb() is called whenever a new session has been negotiated and +session caching is enabled (see L). The +new_session_cb() is passed the B connection and the ssl session B. +Since sessions are reference-counted objects, the reference count on the +session is incremented before the callback, on behalf of the application. If +the callback returns B<0>, the session will be immediately removed from the +internal cache and the reference count released. If the callback returns B<1>, +the application retains the reference (for an entry in the +application-maintained "external session cache"), and is responsible for +calling SSL_SESSION_free() when the session reference is no longer in use. + +Note that in TLSv1.3, sessions are established after the main handshake has completed. The server decides when to send the client the session information and this may occur some time after the end of the handshake (or not at all). This means that applications should expect the new_session_cb()
[openssl] master update
The branch master has been updated via 3e73f558af600ea068bb2132988c31ddb444e13e (commit) from b2a00f62209add348deb8283c588ddbd572dc216 (commit) - Log - commit 3e73f558af600ea068bb2132988c31ddb444e13e Author: Benjamin Kaduk Date: Mon Dec 23 10:35:48 2019 -0800 Update the krb5 submodule Bring us up to date with upstream's 1.17.1 release. Among other things, it includes commit c2497d46b4bad473e164943d67b58cd1ae261c3a which fixes several issues that affect running the test suite under Travis CI. Hopefully those will work transitively for us as well. [extended tests] Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10690) --- Summary of changes: krb5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krb5 b/krb5 index b9ad6c4950..890ca2f401 16 --- a/krb5 +++ b/krb5 @@ -1 +1 @@ -Subproject commit b9ad6c49505c96a088326b62a52568e3484f2168 +Subproject commit 890ca2f401924cdcb88f493950b04700bbe52db3
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 328fd8833395b95bf0b07490b008c1dc927ce362 (commit) from f6f371d472262e9525107074d93828b68acdbbdf (commit) - Log - commit 328fd8833395b95bf0b07490b008c1dc927ce362 Author: Benjamin Kaduk Date: Wed Nov 13 09:42:19 2019 -0800 Fix a race condition in SNI handling As was done for ciphers, supported groups, and EC point formats in https://github.com/openssl/openssl/pull/9162, only write the negotiated SNI hostname value to the session object when not resuming, even for TLS 1.3 resumptions. Otherwise, when using a stateful session cache (as is done by default when 0-RTT data is enabled), we can have multiple SSLs active using the same in-memory session object, which leads to double-frees and similar race conditions in the SNI handler prior to this commit. Fortunately, since draft-ietf-tls-tls13-22, there is no requirement that the SNI hostname be preserved across TLS 1.3 resumption, and thus not a need to continually update the session object with the "current" value (to be used when producing session tickets, so that the subsequent resumption can be checked against the current value). So we can just relax the logic and only write to the session object for initial handshakes. This still leaves us in a somewhat inconsistent state, since if the SNI value does change across handshakes, the session object will continue to record the initial handshake's value, even if that bears no relation to the current handshake. The current SSL_get_servername() implementation prefers the value from the session if s->hit, but a more complete fix for that and related issues is underway in https://github.com/openssl/openssl/pull/10018; there is no need to wait for the complete fix for SNI name handling in order to close the race condition and avoid runtime crashes. 
Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10441) (cherry picked from commit 2a5385511051d33be8d2b20d7669d8b1862fe510) --- Summary of changes: ssl/statem/extensions.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 1ac37fe246..86a737a6a0 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -950,7 +950,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
 */
 if (s->server) {
 /* TODO(OpenSSL1.2) revisit !sent case */
-if (sent && ret == SSL_TLSEXT_ERR_OK && (!s->hit || SSL_IS_TLS13(s))) {
+if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) {
 /* Only store the hostname in the session if we accepted it. */
 OPENSSL_free(s->session->ext.hostname);
 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
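Review bot: The return value of `OPENSSL_strdup()` on the last line of the hunk is never checked, and because the previous hostname is released unconditionally on the line above, an allocation failure leaves `s->session->ext.hostname` NULL with nothing in the visible code reporting the error. The duplicate should be taken into a local and checked before the old pointer is freed, or a NULL result should fail the extension (e.g. via `SSLfatal()`), so that a session is never left with its recorded SNI silently dropped. The master copy of this hunk at L220 has the same gap. `final_server_name()` starts and ends outside the hunk, so how `ret` is propagated afterwards is not visible here.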
[openssl] master update
The branch master has been updated via 2a5385511051d33be8d2b20d7669d8b1862fe510 (commit) from bd65afdb21942676e7e4ce77adaaec697624b65f (commit) - Log - commit 2a5385511051d33be8d2b20d7669d8b1862fe510 Author: Benjamin Kaduk Date: Wed Nov 13 09:42:19 2019 -0800 Fix a race condition in SNI handling As was done for ciphers, supported groups, and EC point formats in https://github.com/openssl/openssl/pull/9162, only write the negotiated SNI hostname value to the session object when not resuming, even for TLS 1.3 resumptions. Otherwise, when using a stateful session cache (as is done by default when 0-RTT data is enabled), we can have multiple SSLs active using the same in-memory session object, which leads to double-frees and similar race conditions in the SNI handler prior to this commit. Fortunately, since draft-ietf-tls-tls13-22, there is no requirement that the SNI hostname be preserved across TLS 1.3 resumption, and thus not a need to continually update the session object with the "current" value (to be used when producing session tickets, so that the subsequent resumption can be checked against the current value). So we can just relax the logic and only write to the session object for initial handshakes. This still leaves us in a somewhat inconsistent state, since if the SNI value does change across handshakes, the session object will continue to record the initial handshake's value, even if that bears no relation to the current handshake. The current SSL_get_servername() implementation prefers the value from the session if s->hit, but a more complete fix for that and related issues is underway in https://github.com/openssl/openssl/pull/10018; there is no need to wait for the complete fix for SNI name handling in order to close the race condition and avoid runtime crashes. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10441) --- Summary of changes: ssl/statem/extensions.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index d5f6e1afba..e2e704543e 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -949,7 +949,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
 */
 if (s->server) {
 /* TODO(OpenSSL1.2) revisit !sent case */
-if (sent && ret == SSL_TLSEXT_ERR_OK && (!s->hit || SSL_IS_TLS13(s))) {
+if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) {
 /* Only store the hostname in the session if we accepted it. */
 OPENSSL_free(s->session->ext.hostname);
 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 915430a0a9b3602017689cdd65934b3582ea1e01 (commit) via 572492aaf0657fd40c96b889966350ce20d310b4 (commit) via 9863b41989968fd88d1b772ac7e20e3cdaea8beb (commit) from 2a5f63c9a61be7582620c4b5da202bb3fd7e4138 (commit) - Log - commit 915430a0a9b3602017689cdd65934b3582ea1e01 Author: Benjamin Kaduk Date: Thu Jun 13 12:26:12 2019 -0700 Move 'shared_sigalgs' from cert_st to ssl_st It was only ever in cert_st because ssl_st was a public structure and could not be modified without breaking the API. However, both structures are now opaque, and thus we can freely change their layout without breaking applications. In this case, keeping the shared sigalgs in the SSL object prevents complications wherein they would inadvertently get cleared during SSL_set_SSL_CTX() (e.g., as run during a cert_cb). Fixes #9099 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9157) (cherry picked from commit 29948ac80c1388cfeb0bd64539ac1fa6e0bb8990) commit 572492aaf0657fd40c96b889966350ce20d310b4 Author: Benjamin Kaduk Date: Thu Jun 13 12:04:52 2019 -0700 Revert "Delay setting the sig algs until after the cert_cb has been called" This reverts commit 524006dd1b80c1a86a20119ad988666a80d8d8f5. While this change did prevent the sigalgs from getting inadvertently clobbered by SSL_set_SSL_CTX(), it also caused the sigalgs to not be set when the cert_cb runs. This, in turn, caused significant breakage, such as SSL_check_chain() failing to find any valid chain. An alternate approach to fixing the issue from #7244 will follow. 
Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9157) (cherry picked from commit 6f34d7bc7d0c7fcd86c6f2772f26e42c925d8505) commit 9863b41989968fd88d1b772ac7e20e3cdaea8beb Author: Benjamin Kaduk Date: Thu Jun 13 12:02:03 2019 -0700 Add regression test for #9099 Augment the cert_cb sslapitest to include a run that uses SSL_check_chain() to inspect the certificate prior to installing it on the SSL object. If the check shows the certificate as not valid in that context, we do not install a certificate at all, so the handshake will fail later on in processing (tls_choose_sigalg()), exposing the indicated regression. Currently it fails, since we have not yet set the shared sigalgs by the time the cert_cb runs. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9157) (cherry picked from commit 7cb8fb07e8b71dc1fdcb0de10af7fed4347f6ea4) --- Summary of changes: ssl/ssl_cert.c | 3 --- ssl/ssl_lib.c| 6 + ssl/ssl_locl.h | 13 ++- ssl/statem/statem_srvr.c | 32 -- ssl/t1_lib.c | 60 +++- test/sslapitest.c| 40 ++-- 6 files changed, 95 insertions(+), 59 deletions(-) diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 3314507..4805c6a 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -154,8 +154,6 @@ CERT *ssl_cert_dup(CERT *cert) ret->client_sigalgslen = cert->client_sigalgslen; } else ret->client_sigalgs = NULL; -/* Shared sigalgs also NULL */ -ret->shared_sigalgs = NULL; /* Copy any custom client certificate types */ if (cert->ctype) { ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len); @@ -240,7 +238,6 @@ void ssl_cert_free(CERT *c) ssl_cert_clear_certs(c); OPENSSL_free(c->conf_sigalgs); OPENSSL_free(c->client_sigalgs); -OPENSSL_free(c->shared_sigalgs); OPENSSL_free(c->ctype); X509_STORE_free(c->verify_store); X509_STORE_free(c->chain_store); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 40ab874..4e945dc 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c 
@@ -628,6 +628,11 @@ int SSL_clear(SSL *s) /* Clear the verification result peername */ X509_VERIFY_PARAM_move_peername(s->param, NULL); +/* Clear any shared connection state */ +OPENSSL_free(s->shared_sigalgs); +s->shared_sigalgs = NULL; +s->shared_sigalgslen = 0; + /* * Check to see if we were changed into a different method, if so, revert * back. @@ -1173,6 +1178,7 @@ void SSL_free(SSL *s) clear_ciphers(s); ssl_cert_free(s->cert); +OPENSSL_free(s->shared_sigalgs); /* Free up if allocated */ OPENSSL_free(s->ext.hostname); diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index fa0f6d0..1c42ba6 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1474,6 +1474,13
[openssl] master update
The branch master has been updated via 29948ac80c1388cfeb0bd64539ac1fa6e0bb8990 (commit) via 6f34d7bc7d0c7fcd86c6f2772f26e42c925d8505 (commit) via 7cb8fb07e8b71dc1fdcb0de10af7fed4347f6ea4 (commit) from b11327929294cf825e4759d97af6f174bd6b081c (commit) - Log - commit 29948ac80c1388cfeb0bd64539ac1fa6e0bb8990 Author: Benjamin Kaduk Date: Thu Jun 13 12:26:12 2019 -0700 Move 'shared_sigalgs' from cert_st to ssl_st It was only ever in cert_st because ssl_st was a public structure and could not be modified without breaking the API. However, both structures are now opaque, and thus we can freely change their layout without breaking applications. In this case, keeping the shared sigalgs in the SSL object prevents complications wherein they would inadvertently get cleared during SSL_set_SSL_CTX() (e.g., as run during a cert_cb). Fixes #9099 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9157) commit 6f34d7bc7d0c7fcd86c6f2772f26e42c925d8505 Author: Benjamin Kaduk Date: Thu Jun 13 12:04:52 2019 -0700 Revert "Delay setting the sig algs until after the cert_cb has been called" This reverts commit 524006dd1b80c1a86a20119ad988666a80d8d8f5. While this change did prevent the sigalgs from getting inadvertently clobbered by SSL_set_SSL_CTX(), it also caused the sigalgs to not be set when the cert_cb runs. This, in turn, caused significant breakage, such as SSL_check_chain() failing to find any valid chain. An alternate approach to fixing the issue from #7244 will follow. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9157) commit 7cb8fb07e8b71dc1fdcb0de10af7fed4347f6ea4 Author: Benjamin Kaduk Date: Thu Jun 13 12:02:03 2019 -0700 Add regression test for #9099 Augment the cert_cb sslapitest to include a run that uses SSL_check_chain() to inspect the certificate prior to installing it on the SSL object. 
If the check shows the certificate as not valid in that context, we do not install a certificate at all, so the handshake will fail later on in processing (tls_choose_sigalg()), exposing the indicated regression. Currently it fails, since we have not yet set the shared sigalgs by the time the cert_cb runs. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9157) --- Summary of changes: ssl/ssl_cert.c | 3 --- ssl/ssl_lib.c| 6 + ssl/ssl_locl.h | 13 ++- ssl/statem/statem_srvr.c | 32 -- ssl/t1_lib.c | 60 +++- test/sslapitest.c| 40 ++-- 6 files changed, 95 insertions(+), 59 deletions(-) diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 04963f1..5538e4d 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -154,8 +154,6 @@ CERT *ssl_cert_dup(CERT *cert) ret->client_sigalgslen = cert->client_sigalgslen; } else ret->client_sigalgs = NULL; -/* Shared sigalgs also NULL */ -ret->shared_sigalgs = NULL; /* Copy any custom client certificate types */ if (cert->ctype) { ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len); @@ -240,7 +238,6 @@ void ssl_cert_free(CERT *c) ssl_cert_clear_certs(c); OPENSSL_free(c->conf_sigalgs); OPENSSL_free(c->client_sigalgs); -OPENSSL_free(c->shared_sigalgs); OPENSSL_free(c->ctype); X509_STORE_free(c->verify_store); X509_STORE_free(c->chain_store); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index d15b743..211a828 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -629,6 +629,11 @@ int SSL_clear(SSL *s) /* Clear the verification result peername */ X509_VERIFY_PARAM_move_peername(s->param, NULL); +/* Clear any shared connection state */ +OPENSSL_free(s->shared_sigalgs); +s->shared_sigalgs = NULL; +s->shared_sigalgslen = 0; + /* * Check to see if we were changed into a different method, if so, revert * back. @@ -1182,6 +1187,7 @@ void SSL_free(SSL *s) clear_ciphers(s); ssl_cert_free(s->cert); +OPENSSL_free(s->shared_sigalgs); /* Free up if allocated */ OPENSSL_free(s->ext.hostname); 
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index a61987f..269f542 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1661,6 +1661,13 @@ struct ssl_st { /* Callback for SSL async handling */ SSL_async_callback_fn async_cb; void *async_cb_arg; + +/* + * Signature algorithms shared by client and server: cached because these + * are used most often. + */
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 33a37a6179bcef6917a28edf7c90a65dcd89ff4a (commit) via a649b52f86a2aa039a15d9c8c0de5b6786bac0fc (commit) from cd01707b7f7e71b6c5df013212c9b3613e9eab7c (commit) - Log - commit 33a37a6179bcef6917a28edf7c90a65dcd89ff4a Author: Benjamin Kaduk Date: Mon Oct 22 11:54:20 2018 -0500 Restore sensible "sess_accept" counter tracking Commit 9ef9088c1585e13b9727796f15f77da64dbbe623 switched the SSL/SSL_CTX statistics counters to using Thread-Sanitizer-friendly primitives. However, it erroneously converted an addition of -1 (for s->session_ctx->stats.sess_accept) to an addition of +1, since that is the only counter API provided by the internal tsan_assist.h header until the previous commit. This means that for each accepted (initial) connection, the session_ctx's counter would get doubly incremented, and the (switched) ctx's counter would also get incremented. Restore the counter decrement so that each accepted connection increments exactly one counter exactly once (in net effect). Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7464) (cherry picked from commit 2aaa0b146b967397a6e61fa8df969e7847f82086) commit a649b52f86a2aa039a15d9c8c0de5b6786bac0fc Author: Benjamin Kaduk Date: Mon Oct 22 11:51:35 2018 -0500 Add tsan_decr() API, counterpart of tsan_counter() The existing tsan_counter() API increments a reference counter. Provide a new API, tsan_decr(), to decrement such a reference counter. This can be used, for example, when a reference is added to the session_ctx's sess_accept stats but should more properly be tracked in the regular ctx's statistics. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7464) (cherry picked from commit 95658c32436017aeeef3d8598957071baf6769a9) --- Summary of changes: include/internal/tsan_assist.h | 6 ++ ssl/statem/extensions.c| 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) 
diff --git a/include/internal/tsan_assist.h b/include/internal/tsan_assist.h
index 2c76383..f30ffe3 100644
--- a/include/internal/tsan_assist.h
+++ b/include/internal/tsan_assist.h
@@ -57,6 +57,7 @@
 # define tsan_load(ptr) atomic_load_explicit((ptr), memory_order_relaxed)
 # define tsan_store(ptr, val) atomic_store_explicit((ptr), (val), memory_order_relaxed)
 # define tsan_counter(ptr) atomic_fetch_add_explicit((ptr), 1, memory_order_relaxed)
+# define tsan_decr(ptr) atomic_fetch_add_explicit((ptr), -1, memory_order_relaxed)
 # define tsan_ld_acq(ptr) atomic_load_explicit((ptr), memory_order_acquire)
 # define tsan_st_rel(ptr, val) atomic_store_explicit((ptr), (val), memory_order_release)
 # endif
@@ -69,6 +70,7 @@
 # define tsan_load(ptr) __atomic_load_n((ptr), __ATOMIC_RELAXED)
 # define tsan_store(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELAXED)
 # define tsan_counter(ptr) __atomic_fetch_add((ptr), 1, __ATOMIC_RELAXED)
+# define tsan_decr(ptr) __atomic_fetch_add((ptr), -1, __ATOMIC_RELAXED)
 # define tsan_ld_acq(ptr) __atomic_load_n((ptr), __ATOMIC_ACQUIRE)
 # define tsan_st_rel(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELEASE)
 # endif
@@ -113,8 +115,11 @@
 # pragma intrinsic(_InterlockedExchangeAdd64)
 # define tsan_counter(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), 1) \
 : _InterlockedExchangeAdd((ptr), 1))
+# define tsan_decr(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), -1) \
+ : _InterlockedExchangeAdd((ptr), -1))
 # else
 # define tsan_counter(ptr) _InterlockedExchangeAdd((ptr), 1)
+# define tsan_decr(ptr) _InterlockedExchangeAdd((ptr), -1)
 # endif
 # if !defined(_ISO_VOLATILE)
 # define tsan_ld_acq(ptr) (*(ptr))
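Review bot: The new `tsan_decr()` in the `@@ -57` hunk spells a decrement as `atomic_fetch_add_explicit((ptr), -1, memory_order_relaxed)`, which leans on `-1` being converted to the atomic's (possibly unsigned) value type and wrapping; the `@@ -69` hunk does the same with `__atomic_fetch_add((ptr), -1, __ATOMIC_RELAXED)`. Both APIs have a dedicated subtract form, so `atomic_fetch_sub_explicit((ptr), 1, memory_order_relaxed)` and `__atomic_fetch_sub((ptr), 1, __ATOMIC_RELAXED)` state the intent directly and sidestep the conversion question for whichever `TSAN_QUALIFIER` type a caller uses. The Windows branch in the `@@ -113` hunk can reasonably keep its `-1` form, since `_InterlockedExchangeAdd` is the intrinsic already used there for `tsan_counter()`. A one-line comment above the new definitions, `/* tsan_decr(): atomic decrement, the counterpart of tsan_counter() */`, would make the pairing explicit for readers. The master copy of these hunks is at L235.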
@@ -129,6 +134,7 @@
 # define tsan_load(ptr) (*(ptr))
 # define tsan_store(ptr, val) (*(ptr) = (val))
 # define tsan_counter(ptr) ((*(ptr))++)
+# define tsan_decr(ptr) ((*(ptr))--)
 /*
 * Lack of tsan_ld_acq and tsan_ld_rel means that compiler support is not
 * sophisticated enough to support them. Code that relies on them should be
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 8d4939d..ad4256d 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -962,7 +962,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
 */
 if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) {
 tsan_counter(&s->ctx->stats.sess_accept);
-tsan_counter(&s->session_ctx->stats.sess_accept);
+tsan_decr(&s->session_ctx->stats.sess_accept);
 }
[openssl-commits] [openssl] master update
The branch master has been updated via 2aaa0b146b967397a6e61fa8df969e7847f82086 (commit) via 95658c32436017aeeef3d8598957071baf6769a9 (commit) from 681e8cacdbdc44ac00af29b6656fc52745a9baa2 (commit) - Log - commit 2aaa0b146b967397a6e61fa8df969e7847f82086 Author: Benjamin Kaduk Date: Mon Oct 22 11:54:20 2018 -0500 Restore sensible "sess_accept" counter tracking Commit 9ef9088c1585e13b9727796f15f77da64dbbe623 switched the SSL/SSL_CTX statistics counters to using Thread-Sanitizer-friendly primitives. However, it erroneously converted an addition of -1 (for s->session_ctx->stats.sess_accept) to an addition of +1, since that is the only counter API provided by the internal tsan_assist.h header until the previous commit. This means that for each accepted (initial) connection, the session_ctx's counter would get doubly incremented, and the (switched) ctx's counter would also get incremented. Restore the counter decrement so that each accepted connection increments exactly one counter exactly once (in net effect). Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7464) commit 95658c32436017aeeef3d8598957071baf6769a9 Author: Benjamin Kaduk Date: Mon Oct 22 11:51:35 2018 -0500 Add tsan_decr() API, counterpart of tsan_counter() The existing tsan_counter() API increments a reference counter. Provide a new API, tsan_decr(), to decrement such a reference counter. This can be used, for example, when a reference is added to the session_ctx's sess_accept stats but should more properly be tracked in the regular ctx's statistics. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7464) --- Summary of changes: include/internal/tsan_assist.h | 6 ++ ssl/statem/extensions.c| 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/include/internal/tsan_assist.h b/include/internal/tsan_assist.h index 2c76383..f30ffe3 100644 --- a/include/internal/tsan_assist.h +++ b/include/internal/tsan_assist.h 
@@ -57,6 +57,7 @@ # define tsan_load(ptr) atomic_load_explicit((ptr), memory_order_relaxed) # define tsan_store(ptr, val) atomic_store_explicit((ptr), (val), memory_order_relaxed) # define tsan_counter(ptr) atomic_fetch_add_explicit((ptr), 1, memory_order_relaxed) +# define tsan_decr(ptr) atomic_fetch_add_explicit((ptr), -1, memory_order_relaxed) # define tsan_ld_acq(ptr) atomic_load_explicit((ptr), memory_order_acquire) # define tsan_st_rel(ptr, val) atomic_store_explicit((ptr), (val), memory_order_release) # endif @@ -69,6 +70,7 @@ # define tsan_load(ptr) __atomic_load_n((ptr), __ATOMIC_RELAXED) # define tsan_store(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELAXED) # define tsan_counter(ptr) __atomic_fetch_add((ptr), 1, __ATOMIC_RELAXED) +# define tsan_decr(ptr) __atomic_fetch_add((ptr), -1, __ATOMIC_RELAXED) # define tsan_ld_acq(ptr) __atomic_load_n((ptr), __ATOMIC_ACQUIRE) # define tsan_st_rel(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELEASE) # endif @@ -113,8 +115,11 @@ # pragma intrinsic(_InterlockedExchangeAdd64) # define tsan_counter(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), 1) \ : _InterlockedExchangeAdd((ptr), 1)) +# define tsan_decr(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), -1) \ + : _InterlockedExchangeAdd((ptr), -1)) # else # define tsan_counter(ptr) _InterlockedExchangeAdd((ptr), 1) +# define tsan_decr(ptr) _InterlockedExchangeAdd((ptr), -1) # endif # if !defined(_ISO_VOLATILE) # define tsan_ld_acq(ptr) (*(ptr)) @@ -129,6 +134,7 @@ # define tsan_load(ptr) (*(ptr)) # define tsan_store(ptr, val) (*(ptr) = (val)) # define tsan_counter(ptr) ((*(ptr))++) +# define tsan_decr(ptr) ((*(ptr))--) /* * Lack of tsan_ld_acq and tsan_ld_rel means that compiler support is not * sophisticated enough to support them. Code that relies on them should be diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 8d4939d..ad4256d 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c 
@@ -962,7 +962,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent) */ if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) { tsan_counter(&s->ctx->stats.sess_accept); -tsan_counter(&s->session_ctx->stats.sess_accept); +tsan_decr(&s->session_ctx->stats.sess_accept); } /* _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 77078e6bbfa686dba00cf379f0c96bd2833133a6 (commit) from 737a37f7f170121769875e8e6f5fe7389701dff8 (commit) - Log - commit 77078e6bbfa686dba00cf379f0c96bd2833133a6 Author: Benjamin Kaduk Date: Thu Oct 4 13:49:21 2018 -0500 apps: allow empty attribute values with -subj Historically (i.e., OpenSSL 1.0.x), the openssl applications would allow for empty subject attributes to be passed via the -subj argument, e.g., `opensl req -subj '/CN=joe/O=/OU=local' ...`. Commit db4c08f0194d58c6192f0d8311bf3f20e251cf4f applied a badly needed rewrite to the parse_name() helper function that parses these strings, but in the process dropped a check that would skip attributes with no associated value. As a result, such strings are now treated as hard errors and the operation fails. Restore the check to skip empty attribute values and restore the historical behavior. Document the behavior for empty subject attribute values in the corresponding applications' manual pages. (cherry picked from commit 3d362f190306b62a17aa2fd475b2bc8b3faa8142) (cherry picked from commit a7ee1ef61b1893038008691a4a6979cf2da91439) Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7368) --- Summary of changes: apps/apps.c | 6 ++ doc/apps/ca.pod | 6 -- doc/apps/req.pod | 6 -- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index a162b16..94efa5a 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1770,6 +1770,12 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti) opt_getprog(), typestr); continue; } +if (*valstr == '\0') { +BIO_printf(bio_err, + "%s: No value provided for Subject Attribute %s, skipped\n", + opt_getprog(), typestr); +continue; +} if (!X509_NAME_add_entry_by_NID(n, nid, chtype, valstr, strlen((char *)valstr), -1, ismulti ? -1 : 0)) diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 9918a13..9885bb2 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod 
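Review bot: The new `if (*valstr == '\0')` block in parse_name() carries no comment saying why an empty attribute value is skipped with a warning rather than rejected, although the commit message explains it is a deliberate return to the 1.0.x behaviour; someone reading the code alone will see an attribute silently dropped from the resulting name. A comment above the check such as `/* Skip attributes with an empty value (historical 1.0.x behaviour); documented for -subj in the ca and req manual pages. */` would tie the code to the contract the commit documents. The check sits after what appears to be the unknown-type `continue` (the `opt_getprog(), typestr); continue; }` context at the top of the hunk), so an unknown type with an empty value reports only the type problem, which seems the right precedence. The same hunk appears for the other branches at L243 and L246, and `parse_name()` starts and ends outside the hunk.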
@@ -243,8 +243,10 @@ for all available algorithms. =item B<-subj arg> supersedes subject name given in the request. -The arg must be formatted as I, -characters may be escaped by \ (backslash), no spaces are skipped. +The arg must be formatted as I. +Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Empty values are permitted, but the corresponding type will not be included +in the resulting certificate. =item B<-utf8> diff --git a/doc/apps/req.pod b/doc/apps/req.pod index 0a28aea..00ec1a8 100644 --- a/doc/apps/req.pod +++ b/doc/apps/req.pod @@ -213,8 +213,10 @@ see L. sets subject name for new request or supersedes the subject name when processing a request. -The arg must be formatted as I, -characters may be escaped by \ (backslash), no spaces are skipped. +The arg must be formatted as I. +Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Empty values are permitted, but the corresponding type will not be included +in the request. =item B<-multivalue-rdn> _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via a5fcce6b953458a0f06a76d74c5fabfc355a1a41 (commit) from 5c1bd555d3c81cbd46d5032e84c29d16bb4a8f06 (commit) - Log - commit a5fcce6b953458a0f06a76d74c5fabfc355a1a41 Author: Benjamin Kaduk Date: Tue Oct 9 09:27:11 2018 -0500 mkdef: bsd-gcc uses solaris symbol version scripts As for linux, make bsd-gcc an alias to the solaris semantics for shared library symbol version handling. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7376) --- Summary of changes: util/mkdef.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/util/mkdef.pl b/util/mkdef.pl index 635e3e9..b40fd26 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -108,6 +108,7 @@ my %OS_data = ( platforms => { UNIX => 1, EXPORT_VAR_AS_FUNCTION => 0 } }, linux => 'solaris', # alias +"bsd-gcc" => 'solaris', # alias aix => { writer => \&writer_aix, sort => sorter_unix(), platforms => { UNIX => 1, _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via a7ee1ef61b1893038008691a4a6979cf2da91439 (commit) from 521738e990a5ef36334ee0296706697b49b48e4a (commit) - Log - commit a7ee1ef61b1893038008691a4a6979cf2da91439 Author: Benjamin Kaduk Date: Thu Oct 4 13:49:21 2018 -0500 apps: allow empty attribute values with -subj Historically (i.e., OpenSSL 1.0.x), the openssl applications would allow for empty subject attributes to be passed via the -subj argument, e.g., `opensl req -subj '/CN=joe/O=/OU=local' ...`. Commit db4c08f0194d58c6192f0d8311bf3f20e251cf4f applied a badly needed rewrite to the parse_name() helper function that parses these strings, but in the process dropped a check that would skip attributes with no associated value. As a result, such strings are now treated as hard errors and the operation fails. Restore the check to skip empty attribute values and restore the historical behavior. Document the behavior for empty subject attribute values in the corresponding applications' manual pages. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7349) (cherry picked from commit 3d362f190306b62a17aa2fd475b2bc8b3faa8142) --- Summary of changes: apps/apps.c | 6 ++ doc/man1/ca.pod | 6 -- doc/man1/req.pod | 6 -- doc/man1/storeutl.pod | 7 +-- 4 files changed, 19 insertions(+), 6 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 9be6560..653e397 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1831,6 +1831,12 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti) opt_getprog(), typestr); continue; } +if (*valstr == '\0') { +BIO_printf(bio_err, + "%s: No value provided for Subject Attribute %s, skipped\n", + opt_getprog(), typestr); +continue; +} if (!X509_NAME_add_entry_by_NID(n, nid, chtype, valstr, strlen((char *)valstr), -1, ismulti ? -1 : 0)) diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod index 9b282e6..e998eab 100644 --- a/doc/man1/ca.pod +++ b/doc/man1/ca.pod 
@@ -250,8 +250,10 @@ for all available algorithms. =item B<-subj arg> Supersedes subject name given in the request. -The arg must be formatted as I, -characters may be escaped by \ (backslash), no spaces are skipped. +The arg must be formatted as I. +Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Empty values are permitted, but the corresponding type will not be included +in the resulting certificate. =item B<-utf8> diff --git a/doc/man1/req.pod b/doc/man1/req.pod index 113cd9b..c76d63d 100644 --- a/doc/man1/req.pod +++ b/doc/man1/req.pod @@ -221,8 +221,10 @@ see L. Sets subject name for new request or supersedes the subject name when processing a request. -The arg must be formatted as I, -characters may be escaped by \ (backslash), no spaces are skipped. +The arg must be formatted as I. +Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Empty values are permitted, but the corresponding type will not be included +in the request. =item B<-multivalue-rdn> diff --git a/doc/man1/storeutl.pod b/doc/man1/storeutl.pod index 3f26ab5..083f028 100644 --- a/doc/man1/storeutl.pod +++ b/doc/man1/storeutl.pod @@ -82,8 +82,11 @@ returned. =item B<-subject arg> Search for an object having the subject name B. -The arg must be formatted as I, -characters may be escaped by \ (backslash), no spaces are skipped. +The arg must be formatted as I. +Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Empty values are permitted but are ignored for the search. That is, +a search with an empty value will have the same effect as not specifying +the type at all. =item B<-issuer arg> _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 3d362f190306b62a17aa2fd475b2bc8b3faa8142 (commit) from 4fef4981f8cc614559b86a06532b0eeac6ffd0d9 (commit) - Log - commit 3d362f190306b62a17aa2fd475b2bc8b3faa8142 Author: Benjamin Kaduk Date: Thu Oct 4 13:49:21 2018 -0500 apps: allow empty attribute values with -subj Historically (i.e., OpenSSL 1.0.x), the openssl applications would allow for empty subject attributes to be passed via the -subj argument, e.g., `opensl req -subj '/CN=joe/O=/OU=local' ...`. Commit db4c08f0194d58c6192f0d8311bf3f20e251cf4f applied a badly needed rewrite to the parse_name() helper function that parses these strings, but in the process dropped a check that would skip attributes with no associated value. As a result, such strings are now treated as hard errors and the operation fails. Restore the check to skip empty attribute values and restore the historical behavior. Document the behavior for empty subject attribute values in the corresponding applications' manual pages. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7349) --- Summary of changes: apps/apps.c | 6 ++ doc/man1/ca.pod | 6 -- doc/man1/req.pod | 6 -- doc/man1/storeutl.pod | 7 +-- 4 files changed, 19 insertions(+), 6 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 9be6560..653e397 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1831,6 +1831,12 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti) opt_getprog(), typestr); continue; } +if (*valstr == '\0') { +BIO_printf(bio_err, + "%s: No value provided for Subject Attribute %s, skipped\n", + opt_getprog(), typestr); +continue; +} if (!X509_NAME_add_entry_by_NID(n, nid, chtype, valstr, strlen((char *)valstr), -1, ismulti ? -1 : 0)) diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod index 9b282e6..e998eab 100644 --- a/doc/man1/ca.pod +++ b/doc/man1/ca.pod 
@@ -250,8 +250,10 @@ for all available algorithms. =item B<-subj arg> Supersedes subject name given in the request. -The arg must be formatted as I, -characters may be escaped by \ (backslash), no spaces are skipped. +The arg must be formatted as I. +Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Empty values are permitted, but the corresponding type will not be included +in the resulting certificate. =item B<-utf8> diff --git a/doc/man1/req.pod b/doc/man1/req.pod index 113cd9b..c76d63d 100644 --- a/doc/man1/req.pod +++ b/doc/man1/req.pod @@ -221,8 +221,10 @@ see L. Sets subject name for new request or supersedes the subject name when processing a request. -The arg must be formatted as I, -characters may be escaped by \ (backslash), no spaces are skipped. +The arg must be formatted as I. +Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Empty values are permitted, but the corresponding type will not be included +in the request. =item B<-multivalue-rdn> diff --git a/doc/man1/storeutl.pod b/doc/man1/storeutl.pod index 3f26ab5..083f028 100644 --- a/doc/man1/storeutl.pod +++ b/doc/man1/storeutl.pod @@ -82,8 +82,11 @@ returned. =item B<-subject arg> Search for an object having the subject name B. -The arg must be formatted as I, -characters may be escaped by \ (backslash), no spaces are skipped. +The arg must be formatted as I. +Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Empty values are permitted but are ignored for the search. That is, +a search with an empty value will have the same effect as not specifying +the type at all. =item B<-issuer arg> _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 1766493bbd92cfcee6fca068ffe972092d43892c (commit) from f560ff623b900b2460aa043441b527e304735eb1 (commit) - Log - commit 1766493bbd92cfcee6fca068ffe972092d43892c Author: Benjamin Kaduk Date: Wed Sep 19 09:02:04 2018 -0500 Reset TLS 1.3 ciphers in SSL_CTX_set_ssl_version() Historically SSL_CTX_set_ssl_version() has reset the cipher list to the default. Splitting TLS 1.3 ciphers to be tracked separately caused a behavior change, in that TLS 1.3 cipher configuration was preserved across calls to SSL_CTX_set_ssl_version(). To restore commensurate behavior with the historical behavior, set the ciphersuites to the default as well as setting the cipher list to the default. Closes: #7226 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7270) (cherry picked from commit 2340ed277b7c5365e83a32eb7d5fa32c4071fb21) --- Summary of changes: ssl/ssl_lib.c | 4 1 file changed, 4 insertions(+) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index d75158e..ec5b155 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -654,6 +654,10 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) ctx->method = meth; +if (!SSL_CTX_set_ciphersuites(ctx, TLS_DEFAULT_CIPHERSUITES)) { +SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); +return 0; +} sk = ssl_create_cipher_list(ctx->method, ctx->tls13_ciphersuites, &(ctx->cipher_list), _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
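Review bot: Resetting the TLS 1.3 ciphersuites is a behaviour change of a public API, but the diffstat touches only ssl/ssl_lib.c, so the manual page for SSL_CTX_set_ssl_version() still describes only the cipher-list reset; please document that the ciphersuites are reset to TLS_DEFAULT_CIPHERSUITES as well. Note also that `ctx->method = meth;` has already executed when the new early return fires, so a failed reset leaves the context with the new method but the previous ciphersuites; that presumably mirrors the existing ssl_create_cipher_list() failure path just below, but it deserves a line of comment. Something like `/* Reset the TLS 1.3 ciphersuites too, so the function keeps its historical "back to defaults" semantics */` above the new block would make the intent clear. The identical hunk appears again in the master commit (2340ed27) below; SSL_CTX_set_ssl_version() starts outside the hunk.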
[openssl-commits] [openssl] master update
The branch master has been updated via 2340ed277b7c5365e83a32eb7d5fa32c4071fb21 (commit) from 0db957dbbcf6a432086ab913378c23636d8c374c (commit) - Log - commit 2340ed277b7c5365e83a32eb7d5fa32c4071fb21 Author: Benjamin Kaduk Date: Wed Sep 19 09:02:04 2018 -0500 Reset TLS 1.3 ciphers in SSL_CTX_set_ssl_version() Historically SSL_CTX_set_ssl_version() has reset the cipher list to the default. Splitting TLS 1.3 ciphers to be tracked separately caused a behavior change, in that TLS 1.3 cipher configuration was preserved across calls to SSL_CTX_set_ssl_version(). To restore commensurate behavior with the historical behavior, set the ciphersuites to the default as well as setting the cipher list to the default. Closes: #7226 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7270) --- Summary of changes: ssl/ssl_lib.c | 4 1 file changed, 4 insertions(+) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index d75158e..ec5b155 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -654,6 +654,10 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) ctx->method = meth; +if (!SSL_CTX_set_ciphersuites(ctx, TLS_DEFAULT_CIPHERSUITES)) { +SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); +return 0; +} sk = ssl_create_cipher_list(ctx->method, ctx->tls13_ciphersuites, &(ctx->cipher_list), _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via dba995e78f09ccf00a3cf1b1c4c196febd2a7fa4 (commit) from d706faf38da07083cb2116f4d30422081bc8ae1d (commit) - Log - commit dba995e78f09ccf00a3cf1b1c4c196febd2a7fa4 Author: Benjamin Kaduk Date: Thu Aug 16 15:42:55 2018 -0500 Avoid shadowing 'free' in X509_LOOKUP_met_set_free gcc 4.6 (arguably erroneously) warns about our use of 'free' as the name of a function parameter, when --strict-warnings is enabled: crypto/x509/x509_meth.c: In function 'X509_LOOKUP_meth_set_free': crypto/x509/x509_meth.c:61:12: error: declaration of 'free' shadows a global declaration [-Werror=shadow] cc1: all warnings being treated as errors make[1]: *** [crypto/x509/x509_meth.o] Error 1 (gcc 4.8 is fine with this code, as are newer compilers.) Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/6991) (cherry picked from commit 50f3994b513ead4da94845bf38222bb71c440fb3) --- Summary of changes: crypto/x509/x509_meth.c| 4 ++-- include/openssl/x509_vfy.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/x509/x509_meth.c b/crypto/x509/x509_meth.c index 05ed4bf..9dc587a 100644 --- a/crypto/x509/x509_meth.c +++ b/crypto/x509/x509_meth.c @@ -58,9 +58,9 @@ int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) int X509_LOOKUP_meth_set_free( X509_LOOKUP_METHOD *method, -void (*free) (X509_LOOKUP *ctx)) +void (*free_fn) (X509_LOOKUP *ctx)) { -method->free = free; +method->free = free_fn; return 1; } diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index d91581c..131b6cf 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h 
@@ -397,7 +397,7 @@ int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) (X509_LOOKUP *ctx); int X509_LOOKUP_meth_set_free(X509_LOOKUP_METHOD *method, - void (*free) (X509_LOOKUP *ctx)); + void (*free_fn) (X509_LOOKUP *ctx)); void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method)) (X509_LOOKUP *ctx); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 50f3994b513ead4da94845bf38222bb71c440fb3 (commit) from d2b863643d94704abd9840519cfc54d22d0481fe (commit) - Log - commit 50f3994b513ead4da94845bf38222bb71c440fb3 Author: Benjamin Kaduk Date: Thu Aug 16 15:42:55 2018 -0500 Avoid shadowing 'free' in X509_LOOKUP_met_set_free gcc 4.6 (arguably erroneously) warns about our use of 'free' as the name of a function parameter, when --strict-warnings is enabled: crypto/x509/x509_meth.c: In function 'X509_LOOKUP_meth_set_free': crypto/x509/x509_meth.c:61:12: error: declaration of 'free' shadows a global declaration [-Werror=shadow] cc1: all warnings being treated as errors make[1]: *** [crypto/x509/x509_meth.o] Error 1 (gcc 4.8 is fine with this code, as are newer compilers.) Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/6991) --- Summary of changes: crypto/x509/x509_meth.c| 4 ++-- include/openssl/x509_vfy.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/x509/x509_meth.c b/crypto/x509/x509_meth.c index 05ed4bf..9dc587a 100644 --- a/crypto/x509/x509_meth.c +++ b/crypto/x509/x509_meth.c @@ -58,9 +58,9 @@ int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) int X509_LOOKUP_meth_set_free( X509_LOOKUP_METHOD *method, -void (*free) (X509_LOOKUP *ctx)) +void (*free_fn) (X509_LOOKUP *ctx)) { -method->free = free; +method->free = free_fn; return 1; } diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index a657ec2..2adb155 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h 
@@ -401,7 +401,7 @@ int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) (X509_LOOKUP *ctx); int X509_LOOKUP_meth_set_free(X509_LOOKUP_METHOD *method, - void (*free) (X509_LOOKUP *ctx)); + void (*free_fn) (X509_LOOKUP *ctx)); void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method)) (X509_LOOKUP *ctx); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via a75be9fd34b5d66f349186f21cd8d063d2fa87a4 (commit) via 45a2353056da3f357a924131578ad0a4a2e5fbb7 (commit) from 9d91530d2d7da1447b7be8631b269599023430e7 (commit) - Log - commit a75be9fd34b5d66f349186f21cd8d063d2fa87a4 Author: Benjamin Kaduk Date: Wed Jul 25 21:00:45 2018 -0500 Improve backwards compat for SSL_get_servername() Commit 1c4aa31d79821dee9be98e915159d52cc30d8403 changed how we process and store SNI information during the handshake, so that a hostname is only saved in the SSL_SESSION structure if that SNI value has actually been negotiated. SSL_get_servername() was adjusted to match, with a new conditional being added to handle the case when the handshake processing is ongoing, and a different location should be consulted for the offered SNI value. This was done in an attempt to preserve the historical behavior of SSL_get_servername(), a function whose behavior only mostly matches its documentation, and whose documentation is both lacking and does not necessarily reflect the actual desired behavior for such an API. Unfortunately, sweeping changes that would bring more sanity to this space are not possible until OpenSSL 1.2.0, for ABI compatibility reasons, so we must attempt to maintain the existing behavior to the extent possible. The above-mentioned commit did not take into account the behavior of SSL_get_servername() during resumption handshakes for TLS 1.2 and prior, where no SNI negotiation is performed. In that case we would not properly parse the incoming SNI and erroneously return NULL as the servername, when instead the logical session is associated with the SNI value cached in the SSL_SESSION. (Note that in some cases an SNI callback may not need to do anything in a TLS 1.2 or prior resumption flow, but we are calling the callbacks and did not provide any guidance that they should no-op if the connection is being resumed, so we must handle this case in a usable fashion.) 
Update our behavior accordingly to return the session's cached value during the handshake, when resuming. This fixes the boringssl tests. [extended tests] Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6792) commit 45a2353056da3f357a924131578ad0a4a2e5fbb7 Author: Benjamin Kaduk Date: Wed Jul 25 14:48:30 2018 -0500 Fix ossl_shim SNI handling To start with, actually set an SNI callback (copied from bssl_shim); we weren't actually testing much otherwise (and just happened to have been passing due to buggy libssl behavior prior to commit 1c4aa31d79821dee9be98e915159d52cc30d8403). Also use proper C++ code for handling C strings -- when a C API (SSL_get_servername()) returns NULL instead of a string, special-case that instead of blindly trying to compare NULL against a std::string, and perform the comparsion using the std::string operators instead of falling back to pointer comparison. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6792) --- Summary of changes: ssl/ssl_lib.c | 5 - test/ossl_shim/ossl_shim.cc | 21 - 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 10a7694..15380e1 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2618,8 +2618,11 @@ const char *SSL_get_servername(const SSL *s, const int type) * peer send" and "what was actually negotiated"; we should have * a clear distinction amongst those three. */ -if (SSL_in_init(s)) +if (SSL_in_init(s)) { +if (s->hit) +return s->session->ext.hostname; return s->ext.hostname; +} return (s->session != NULL && s->ext.hostname == NULL) ? s->session->ext.hostname : s->ext.hostname; } diff --git a/test/ossl_shim/ossl_shim.cc b/test/ossl_shim/ossl_shim.cc index b1067e8..90d1f1e 100644 --- a/test/ossl_shim/ossl_shim.cc +++ b/test/ossl_shim/ossl_shim.cc 
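Review bot: The new `if (s->hit) return s->session->ext.hostname;` dereferences `s->session` without the NULL check that the post-handshake return two lines below applies (`s->session != NULL && ...`). If `hit` can only be set once a session is attached this is safe, but making the guard explicit costs nothing and keeps the two branches consistent: `if (s->hit && s->session != NULL)`. A comment noting why the cached value is reported here would also help, e.g. `/* Resumption (TLS <= 1.2): no SNI negotiation takes place, report the session's cached value */`. SSL_get_servername() begins outside the hunk.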
@@ -459,6 +459,20 @@ static int CustomExtensionParseCallback(SSL *ssl, unsigned extension_value, return 1; } +static int ServerNameCallback(SSL *ssl, int *out_alert, void *arg) { + // SNI must be accessible from the SNI callback. + const TestConfig *config = GetTestConfig(ssl); + const char *server_name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); + if (server_name == nullptr || + std::string(server_name) != config->expected_server_name) { +fprintf(stderr, "servername mismatch (got %s; want %s)\n", server_name, +config->expected_server_name.c_str()); +return SSL_TLSEXT_E
[openssl-commits] [openssl] master update
The branch master has been updated via c5d1fb78fd0fdbe1f1e61211bd56192a0f95bc91 (commit) via 1c4aa31d79821dee9be98e915159d52cc30d8403 (commit) via 4cc968df403ed9321d0df722aba33323ae575ce0 (commit) from f20aa69e33a7b418e052cf210374e2267cb93a5c (commit) - Log - commit c5d1fb78fd0fdbe1f1e61211bd56192a0f95bc91 Author: Benjamin Kaduk Date: Wed May 30 11:12:22 2018 -0500 Add TODO comment for a nonsensical public API The API used to set what SNI value to send in the ClientHello can also be used on server SSL objects, with undocumented and un-useful behavior. Unfortunately, when generic SSL_METHODs are used, s->server is still set, prior to the start of the handshake, so we cannot prevent this nonsensical usage at the present time. Leave a note to revisit this when ABI-breaking changes are permitted. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/6378) commit 1c4aa31d79821dee9be98e915159d52cc30d8403 Author: Benjamin Kaduk Date: Wed May 30 09:49:29 2018 -0500 Normalize SNI hostname handling for SSL and SSL_SESSION In particular, adhere to the rule that we must not modify any property of an SSL_SESSION object once it is (or might be) in a session cache. Such modifications are thread-unsafe and have been observed to cause crashes at runtime. To effect this change, standardize on the property that SSL_SESSION->ext.hostname is set only when that SNI value has been negotiated by both parties for use with that session. For session resumption this is trivially the case, so only new handshakes are affected. On the client, the new semantics are that the SSL->ext.hostname is for storing the value configured by the caller, and this value is used when constructing the ClientHello. On the server, SSL->ext.hostname is used to hold the value received from the client. 
Only if the SNI negotiation is successful will the hostname be stored into the session object; the server can do this after it sends the ServerHello, and the client after it has received and processed the ServerHello. This obviates the need to remove the hostname from the session object in case of failed negotiation (a change that was introduced in commit 9fb6cb810b769abbd60f11ef6e936a4e4456b19d in order to allow TLS 1.3 early data when SNI was present in the ClientHello but not the session being resumed), which was modifying cached sessions in certain cases. (In TLS 1.3 we always produce a new SSL_SESSION object for new connections, even in the case of resumption, so no TLS 1.3 handshakes were affected.) Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/6378) commit 4cc968df403ed9321d0df722aba33323ae575ce0 Author: Benjamin Kaduk Date: Wed May 30 09:28:03 2018 -0500 const-ify some input SSL * arguments These tiny functions only read from the input SSL, and we are about to use them from functions that only have a const SSL* available, so propagate const a bit further. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/6378) --- Summary of changes: doc/man3/SSL_in_init.pod | 6 +++--- include/openssl/ssl.h| 6 +++--- ssl/s3_lib.c | 9 + ssl/ssl_lib.c| 10 +- ssl/ssl_sess.c | 9 - ssl/statem/extensions.c | 25 ++--- ssl/statem/extensions_srvr.c | 19 --- ssl/statem/statem.c | 6 +++--- 8 files changed, 61 insertions(+), 29 deletions(-) diff --git a/doc/man3/SSL_in_init.pod b/doc/man3/SSL_in_init.pod index 37ebff6..d8467a9 100644 --- a/doc/man3/SSL_in_init.pod +++ b/doc/man3/SSL_in_init.pod @@ -14,9 +14,9 @@ SSL_get_state #include - int SSL_in_init(SSL *s); - int SSL_in_before(SSL *s); - int SSL_is_init_finished(SSL *s); + int SSL_in_init(const SSL *s); + int SSL_in_before(const SSL *s); + int SSL_is_init_finished(const SSL *s); int SSL_in_connect_init(SSL *s); int SSL_in_accept_init(SSL *s); 
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 2376828..155d651 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1058,9 +1058,9 @@ typedef enum { /* Is the SSL_connection established? */ # define SSL_in_connect_init(a) (SSL_in_init(a) && !SSL_is_server(a)) # define SSL_in_accept_init(a) (SSL_in_init(a) && SSL_is_server(a)) -int SSL_in_init(SSL *s); -int SSL_in_before(SSL *s); -int SSL_is_init_finished(SSL *s); +int SSL_in_init(const SSL *s); +int SSL_in_before(const SSL *s); +int SSL_is_init_finished(const SSL *s); /* * The following 3 states are kept in s
[openssl-commits] [openssl] master update
The branch master has been updated via 5281bb2252be6575ebb7a8b683e6bd160476fa2a (commit) from 8794be2ed8d2e044d8b0135ddb7e903e81335c94 (commit) - Log - commit 5281bb2252be6575ebb7a8b683e6bd160476fa2a Author: Benjamin Kaduk Date: Sun Jul 1 12:49:24 2018 -0500 Address coverity-reported NULL dereference in SSL_SESSION_print() We need to check the provided SSL_SESSION* for NULL before attempting to derference it to see if it's a TLS 1.3 session. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6622) --- Summary of changes: ssl/ssl_txt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index 3856491..cf6e4c3 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -33,10 +33,11 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) { size_t i; const char *s; -int istls13 = (x->ssl_version == TLS1_3_VERSION); +int istls13; if (x == NULL) goto err; +istls13 = (x->ssl_version == TLS1_3_VERSION); if (BIO_puts(bp, "SSL-Session:\n") <= 0) goto err; s = ssl_protocol_to_string(x->ssl_version); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
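Review bot: With the NULL check now ahead of the dereference, SSL_SESSION_print() on a NULL session quietly takes `goto err`; since this is a public API, consider raising an explicit reason such as ERR_R_PASSED_NULL_PARAMETER before the jump so a caller can tell a NULL argument from a BIO write failure (what the err label does is outside the hunk). A short comment on the moved line, `/* x must be validated before ssl_version is read */`, would keep a future refactor from reintroducing the ordering Coverity flagged.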
[openssl-commits] [openssl] master update
The branch master has been updated via 5295b99b5606e3502b9af06a2cf54acf2187a34a (commit) from 09fb65d5e413b7b87bf26f01ec441b44a03d4ee2 (commit) - Log - commit 5295b99b5606e3502b9af06a2cf54acf2187a34a Author: Benjamin Kaduk Date: Sun Jun 17 20:00:02 2018 -0500 ecdsa_ossl: address coverity nit BN_CTX_end() does not handle NULL input, so we must manually check before calling from the cleanup handler. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6502) --- Summary of changes: crypto/ec/ecdsa_ossl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c index 277ac16..dfb0d19 100644 --- a/crypto/ec/ecdsa_ossl.c +++ b/crypto/ec/ecdsa_ossl.c @@ -336,7 +336,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, ECDSA_SIG_free(ret); ret = NULL; } -BN_CTX_end(ctx); +if (ctx != NULL) +BN_CTX_end(ctx); BN_CTX_free(ctx); BN_clear_free(kinv); return ret; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
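Review bot: The NULL guard addresses the nit, but BN_CTX_end() also assumes a matching BN_CTX_start() on this ctx; if any error path can reach this cleanup after the ctx was allocated but before BN_CTX_start() ran (allocation and start are outside the hunk), `ctx != NULL` alone is not a sufficient condition. Worth confirming, and then recording the invariant next to the check: `/* ctx is NULL only if allocation failed; otherwise BN_CTX_start() has run */`. Unrelated to the fix but good to see: `kinv` is still released with BN_clear_free(), which is the right call if it holds per-signature secret material as its name suggests. ossl_ecdsa_sign_sig() begins outside the hunk.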
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via bf87bf45f181fa130af27739f5c38aba88f88cfd (commit) from 14e55560cf9ee85f0b7816ba2b41ff1755b68e15 (commit) - Log - commit bf87bf45f181fa130af27739f5c38aba88f88cfd Author: Benjamin Kaduk Date: Mon Apr 16 07:32:02 2018 -0500 Fix regression with session cache use by clients Commit d316cdcf6d8d6934663278145fe0a8191e14a8c5 introduced some extra checks into the session-cache update procedure, intended to prevent the caching of sessions whose resumption would lead to a handshake failure, since if the server is authenticating the client, there needs to be an application-set "session id context" to match up to the authentication context. While that change is effective for its stated purpose, there was also some collatoral damage introduced along with the fix -- clients that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so their usage of session caching was erroneously denied. Fix the scope of the original commit by limiting it to only acting when the SSL is a server SSL. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/5967) (cherry picked from commit c4fa1f7fc016919a5b3d4ea2aa66c77e0cc40c9d) --- Summary of changes: ssl/ssl_lib.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index a1a514f..543a46c 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c 
@@ -3035,12 +3035,13 @@ void ssl_update_cache(SSL *s, int mode) /* * If sid_ctx_length is 0 there is no specific application context * associated with this session, so when we try to resume it and - * SSL_VERIFY_PEER is requested, we have no indication that this is - * actually a session for the proper application context, and the - * *handshake* will fail, not just the resumption attempt. - * Do not cache these sessions that are not resumable. + * SSL_VERIFY_PEER is requested to verify the client identity, we have no + * indication that this is actually a session for the proper application + * context, and the *handshake* will fail, not just the resumption attempt. + * Do not cache (on the server) these sessions that are not resumable + * (clients can set SSL_VERIFY_PEER without needing a sid_ctx set). */ -if (s->session->sid_ctx_length == 0 +if (s->server && s->session->sid_ctx_length == 0 && (s->verify_mode & SSL_VERIFY_PEER) != 0) return; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
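Review bot: Restricting the check to `s->server` is the right scope, but nothing in the diffstat (only ssl/ssl_lib.c) exercises the regression being fixed — a client with SSL_VERIFY_PEER and no sid_ctx whose session was not cached — so a client-side resumption test in test/sslapitest.c would keep this from regressing again. The rewritten comment reads clearly; `s->session` is still dereferenced here without a NULL check, which I assume the caller guarantees (ssl_update_cache() starts outside the hunk). The identical hunk appears again in the master commit (c4fa1f7f) below.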
[openssl-commits] [openssl] master update
The branch master has been updated via c4fa1f7fc016919a5b3d4ea2aa66c77e0cc40c9d (commit) from 0e5c1a66f7911352a4db3bda2293b91858b9f33c (commit) - Log - commit c4fa1f7fc016919a5b3d4ea2aa66c77e0cc40c9d Author: Benjamin Kaduk Date: Mon Apr 16 07:32:02 2018 -0500 Fix regression with session cache use by clients Commit d316cdcf6d8d6934663278145fe0a8191e14a8c5 introduced some extra checks into the session-cache update procedure, intended to prevent the caching of sessions whose resumption would lead to a handshake failure, since if the server is authenticating the client, there needs to be an application-set "session id context" to match up to the authentication context. While that change is effective for its stated purpose, there was also some collatoral damage introduced along with the fix -- clients that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so their usage of session caching was erroneously denied. Fix the scope of the original commit by limiting it to only acting when the SSL is a server SSL. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/5967) --- Summary of changes: ssl/ssl_lib.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 1e24f84..2a57831 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c 
@@ -3336,12 +3336,13 @@ void ssl_update_cache(SSL *s, int mode) /* * If sid_ctx_length is 0 there is no specific application context * associated with this session, so when we try to resume it and - * SSL_VERIFY_PEER is requested, we have no indication that this is - * actually a session for the proper application context, and the - * *handshake* will fail, not just the resumption attempt. - * Do not cache these sessions that are not resumable. + * SSL_VERIFY_PEER is requested to verify the client identity, we have no + * indication that this is actually a session for the proper application + * context, and the *handshake* will fail, not just the resumption attempt. + * Do not cache (on the server) these sessions that are not resumable + * (clients can set SSL_VERIFY_PEER without needing a sid_ctx set). */ -if (s->session->sid_ctx_length == 0 +if (s->server && s->session->sid_ctx_length == 0 && (s->verify_mode & SSL_VERIFY_PEER) != 0) return; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 88b8d83e9e8869c60c556a86bee09f92c56c5a64 (commit) via 2cb8445ab56f3962f887589fb211c8777a5032c6 (commit) via 0f1c0cf1549c9b53d830828030c30cb5ea40d94b (commit) from f2633200eb223f9fe7453de24ecd2e4f657040d9 (commit) - Log - commit 88b8d83e9e8869c60c556a86bee09f92c56c5a64 Author: Vitezslav Cizek Date: Tue Jan 9 20:18:24 2018 +0100 BIO_s_accept.pod: add documentation for the new macros Reviewed-by: Rich Salz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/5007) commit 2cb8445ab56f3962f887589fb211c8777a5032c6 Author: Vitezslav Cizek Date: Tue Jan 9 17:56:57 2018 +0100 Document BIO_{get,set}_conn_ip_family macros. Add BIO_get_conn_ip_family and BIO_set_conn_ip_family macros to util/private.num and document them in BIO_s_connect.pod. Reviewed-by: Rich Salz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/5007) commit 0f1c0cf1549c9b53d830828030c30cb5ea40d94b Author: Vitezslav Cizek Date: Tue Jan 2 14:43:18 2018 +0100 Update the BIO_s_connect documentation after the BIO refactoring. The BIO was refactored in 417be660e1cd21a2ee085569ff98b0c4249b5416, but the manual wasn't fully updated to reflect some of the changes. Reviewed-by: Rich Salz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/5007) --- Summary of changes: doc/man3/BIO_s_accept.pod | 18 +--- doc/man3/BIO_s_connect.pod | 51 +- util/private.num | 6 ++ 3 files changed, 53 insertions(+), 22 deletions(-) diff --git a/doc/man3/BIO_s_accept.pod b/doc/man3/BIO_s_accept.pod index ce9995d..695b7e6 100644 --- a/doc/man3/BIO_s_accept.pod +++ b/doc/man3/BIO_s_accept.pod @@ -4,6 +4,8 @@ BIO_s_accept, BIO_set_accept_name, BIO_set_accept_port, BIO_get_accept_name, BIO_get_accept_port, BIO_new_accept, BIO_set_nbio_accept, BIO_set_accept_bios, +BIO_get_peer_name, BIO_get_peer_port, +BIO_get_accept_ip_family, BIO_set_accept_ip_family, BIO_set_bind_mode, BIO_get_bind_mode, BIO_do_accept - accept BIO =head1 SYNOPSIS 
@@ -23,6 +25,11 @@ BIO_set_bind_mode, BIO_get_bind_mode, BIO_do_accept - accept BIO long BIO_set_nbio_accept(BIO *b, int n); long BIO_set_accept_bios(BIO *b, char *bio); + char *BIO_get_peer_name(BIO *b); + char *BIO_get_peer_port(BIO *b); + long BIO_get_accept_ip_family(BIO *b); + long BIO_set_accept_ip_family(BIO *b, long family); + long BIO_set_bind_mode(BIO *b, long mode); long BIO_get_bind_mode(BIO *b); @@ -145,18 +152,23 @@ accepted a connection and retry the call. BIO_set_accept_name(), BIO_get_accept_name(), BIO_set_accept_port(), BIO_get_accept_port(), BIO_set_nbio_accept(), BIO_set_accept_bios(), +BIO_get_peer_name(), BIO_get_peer_port(), +BIO_get_accept_ip_family(), BIO_set_accept_ip_family(), BIO_set_bind_mode(), BIO_get_bind_mode() and BIO_do_accept() are macros. =head1 RETURN VALUES BIO_do_accept(), BIO_set_accept_name(), BIO_set_accept_port(), BIO_set_nbio_accept(), -BIO_set_accept_bios(), and BIO_set_bind_mode(), return 1 for success and 0 or --1 for failure. +BIO_set_accept_bios(), BIO_set_accept_ip_family(), and BIO_set_bind_mode() +return 1 for success and 0 or -1 for failure. BIO_get_accept_name() returns the accept name or NULL on error. +BIO_get_peer_name() returns the peer name or NULL on error. -BIO_get_accept_port() returns the port as a string or NULL on error. +BIO_get_accept_port() returns the accept port as a string or NULL on error. +BIO_get_peer_port() returns the peer port as a string or NULL on error. +BIO_get_accept_ip_family() returns the IP family or -1 on error. BIO_get_bind_mode() returns the set of B flags, or -1 on failure. diff --git a/doc/man3/BIO_s_connect.pod b/doc/man3/BIO_s_connect.pod index be2f4e5..e67f622 100644 --- a/doc/man3/BIO_s_connect.pod +++ b/doc/man3/BIO_s_connect.pod 
@@ -4,8 +4,8 @@ BIO_set_conn_address, BIO_get_conn_address, BIO_s_connect, BIO_new_connect, BIO_set_conn_hostname, BIO_set_conn_port, -BIO_get_conn_hostname, -BIO_get_conn_port, +BIO_set_conn_ip_family, BIO_get_conn_ip_family, +BIO_get_conn_hostname, BIO_get_conn_port, BIO_set_nbio, BIO_do_connect - connect BIO =head1 SYNOPSIS @@ -19,9 +19,11 @@ BIO_set_nbio, BIO_do_connect - connect BIO long BIO_set_conn_hostname(BIO *b, char *name); long BIO_set_conn_port(BIO *b, char *port); long BIO_set_conn_address(BIO *b, BIO_ADDR *addr); + long BIO_set_conn_ip_family(BIO *b, long family); const char *BIO_get_conn_hostname(BIO *b); const char *BIO_get_conn_port(BIO *b); const BIO_ADDR *BIO_get_conn_address(BIO *b); + const long BIO_get_conn_ip_family(BIO *b); long BIO_set_nbio(BIO *b, long n); @@ -69,6 +71,8 @@ li