Page MenuHomeFreeBSD
Files F110010388

D31430.diff
No OneTemporary
Actions

D31430.diff
View Options

diff --git a/security/openssl/Makefile b/security/openssl/Makefile
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -2,7 +2,7 @@
PORTNAME= openssl
PORTVERSION= 1.1.1k
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= security devel
MASTER_SITES= https://www.openssl.org/source/ \
diff --git a/security/openssl/files/extra-patch-ktls b/security/openssl/files/extra-patch-ktls
--- a/security/openssl/files/extra-patch-ktls
+++ b/security/openssl/files/extra-patch-ktls
@@ -1,8 +1,8 @@
diff --git CHANGES CHANGES
-index 1ab64b35c9..a4a63a9bea 100644
+index 7d0129e687..7f8057bb6f 100644
--- CHANGES
+++ CHANGES
-@@ -427,6 +427,11 @@
+@@ -471,6 +471,11 @@
necessary to configure just to create a source distribution.
[Richard Levitte]
@@ -153,7 +153,7 @@
return sock;
}
diff --git crypto/bio/bss_conn.c crypto/bio/bss_conn.c
-index 807a82b23b..d478644280 100644
+index 807a82b23b..10cf20871c 100644
--- crypto/bio/bss_conn.c
+++ crypto/bio/bss_conn.c
@@ -11,6 +11,7 @@
@@ -216,9 +216,12 @@
data = (BIO_CONNECT *)b->ptr;
-@@ -520,6 +541,27 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
+@@ -518,8 +539,29 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
+ }
+ break;
case BIO_CTRL_EOF:
- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0;
+- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0;
++ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0;
break;
+# ifndef OPENSSL_NO_KTLS
+ case BIO_CTRL_SET_KTLS:
@@ -228,9 +231,9 @@
+ BIO_set_ktls_flag(b, num);
+ break;
+ case BIO_CTRL_GET_KTLS_SEND:
-+ return BIO_should_ktls_flag(b, 1);
++ return BIO_should_ktls_flag(b, 1) != 0;
+ case BIO_CTRL_GET_KTLS_RECV:
-+ return BIO_should_ktls_flag(b, 0);
++ return BIO_should_ktls_flag(b, 0) != 0;
+ case BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG:
+ BIO_set_ktls_ctrl_msg_flag(b);
+ data->record_type = num;
@@ -244,8 +247,21 @@
default:
ret = 0;
break;
+diff --git crypto/bio/bss_fd.c crypto/bio/bss_fd.c
+index ccbe1626ba..8d03e48ce9 100644
+--- crypto/bio/bss_fd.c
++++ crypto/bio/bss_fd.c
+@@ -189,7 +189,7 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr)
+ ret = 1;
+ break;
+ case BIO_CTRL_EOF:
+- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0;
++ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0;
+ break;
+ default:
+ ret = 0;
diff --git crypto/bio/bss_sock.c crypto/bio/bss_sock.c
-index 6251f3d46a..a1fc23c7c9 100644
+index 6251f3d46a..8de1f58292 100644
--- crypto/bio/bss_sock.c
+++ crypto/bio/bss_sock.c
@@ -11,6 +11,7 @@
@@ -321,7 +337,7 @@
switch (cmd) {
case BIO_C_SET_FD:
-@@ -153,6 +183,27 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr)
+@@ -153,8 +183,29 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr)
case BIO_CTRL_FLUSH:
ret = 1;
break;
@@ -333,9 +349,9 @@
+ BIO_set_ktls_flag(b, num);
+ break;
+ case BIO_CTRL_GET_KTLS_SEND:
-+ return BIO_should_ktls_flag(b, 1);
++ return BIO_should_ktls_flag(b, 1) != 0;
+ case BIO_CTRL_GET_KTLS_RECV:
-+ return BIO_should_ktls_flag(b, 0);
++ return BIO_should_ktls_flag(b, 0) != 0;
+ case BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG:
+ BIO_set_ktls_ctrl_msg_flag(b);
+ b->ptr = (void *)num;
@@ -347,8 +363,11 @@
+ break;
+# endif
case BIO_CTRL_EOF:
- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0;
+- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0;
++ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0;
break;
+ default:
+ ret = 0;
diff --git crypto/err/openssl.txt crypto/err/openssl.txt
index 7e1776375d..b22e8a735c 100644
--- crypto/err/openssl.txt
@@ -440,41 +459,55 @@
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
-diff --git doc/man3/SSL_CTX_set_mode.pod doc/man3/SSL_CTX_set_mode.pod
-index 85e3353e0e..27eaebad1e 100644
---- doc/man3/SSL_CTX_set_mode.pod
-+++ doc/man3/SSL_CTX_set_mode.pod
-@@ -114,6 +114,22 @@ enables this behaviour to allow interoperability with such broken
- implementations. Please note that setting this option breaks interoperability
- with correct implementations. This option only applies to DTLS over SCTP.
-
-+=item SSL_MODE_NO_KTLS_TX
-+
-+Disable the use of the kernel TLS egress data-path.
-+By default kernel TLS is enabled if it is supported by the negotiated ciphersuites
-+and extensions and OpenSSL has been compiled with support for it.
-+The kernel TLS data-path implements the record layer,
-+and the crypto algorithm. The kernel will utilize the best hardware
-+available for crypto. Using the kernel data-path should reduce the memory
+diff --git doc/man3/SSL_CONF_cmd.pod doc/man3/SSL_CONF_cmd.pod
+index 900c4f3a56..a3f447a986 100644
+--- doc/man3/SSL_CONF_cmd.pod
++++ doc/man3/SSL_CONF_cmd.pod
+@@ -495,6 +495,10 @@ specification. Some applications may be able to mitigate the replay risks in
+ other ways and in such cases the built-in OpenSSL functionality is not required.
+ Disabling anti-replay is equivalent to setting B<SSL_OP_NO_ANTI_REPLAY>.
+
++B<KTLS>: Enables kernel TLS if support has been compiled in, and it is supported
++by the negotiated ciphersuites and extensions. Equivalent to
++B<SSL_OP_ENABLE_KTLS>.
++
+ =item B<VerifyMode>
+
+ The B<value> argument is a comma separated list of flags to set.
+diff --git doc/man3/SSL_CTX_set_options.pod doc/man3/SSL_CTX_set_options.pod
+index 969e0366c4..231fe92d8e 100644
+--- doc/man3/SSL_CTX_set_options.pod
++++ doc/man3/SSL_CTX_set_options.pod
+@@ -237,6 +237,29 @@ functionality is not required. Those applications can turn this feature off by
+ setting this option. This is a server-side opton only. It is ignored by
+ clients.
+
++=item SSL_OP_ENABLE_KTLS
++
++Enable the use of kernel TLS. In order to benefit from kernel TLS OpenSSL must
++have been compiled with support for it, and it must be supported by the
++negotiated ciphersuites and extensions. The specific ciphersuites and extensions
++that are supported may vary by platform and kernel version.
++
++The kernel TLS data-path implements the record layer, and the encryption
++algorithm. The kernel will utilize the best hardware
++available for encryption. Using the kernel data-path should reduce the memory
+footprint of OpenSSL because no buffering is required. Also, the throughput
+should improve because data copy is avoided when user data is encrypted into
-+kernel memory instead of the usual encrypt than copy to kernel.
++kernel memory instead of the usual encrypt then copy to kernel.
+
+Kernel TLS might not support all the features of OpenSSL. For instance,
+renegotiation, and setting the maximum fragment size is not possible as of
+Linux 4.20.
++
++Note that with kernel TLS enabled some cryptographic operations are performed
++by the kernel directly and not via any available OpenSSL Providers. This might
++be undesirable if, for example, the application requires all cryptographic
++operations to be performed by the FIPS provider.
+
=back
- All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by
-@@ -134,6 +150,7 @@ L<SSL_write(3)>, L<SSL_get_error(3)>
- =head1 HISTORY
-
- SSL_MODE_ASYNC was added in OpenSSL 1.1.0.
-+SSL_MODE_NO_KTLS_TX was first added to OpenSSL 3.0.0.
-
- =head1 COPYRIGHT
-
+ The following options no longer have any effect but their identifiers are
diff --git doc/man3/SSL_CTX_set_record_padding_callback.pod doc/man3/SSL_CTX_set_record_padding_callback.pod
index 13e56f0c57..247a39fc03 100644
--- doc/man3/SSL_CTX_set_record_padding_callback.pod
@@ -666,10 +699,10 @@
+#endif
diff --git include/internal/ktls.h include/internal/ktls.h
new file mode 100644
-index 0000000000..622d7be76d
+index 0000000000..5f9e3f91ed
--- /dev/null
+++ include/internal/ktls.h
-@@ -0,0 +1,400 @@
+@@ -0,0 +1,407 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
@@ -710,12 +743,11 @@
+# define OPENSSL_KTLS_AES_GCM_128
+# define OPENSSL_KTLS_AES_GCM_256
+# define OPENSSL_KTLS_TLS13
-+
-+/*
-+ * Only used by the tests in sslapitest.c.
-+ */
-+# define TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE 8
-+# define TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE 8
++# ifdef TLS_CHACHA20_IV_LEN
++# ifndef OPENSSL_NO_CHACHA
++# define OPENSSL_KTLS_CHACHA20_POLY1305
++# endif
++# endif
+
+typedef struct tls_enable ktls_crypto_info_t;
+
@@ -891,6 +923,11 @@
+# define OPENSSL_KTLS_TLS13
+# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0)
+# define OPENSSL_KTLS_AES_CCM_128
++# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
++# ifndef OPENSSL_NO_CHACHA
++# define OPENSSL_KTLS_CHACHA20_POLY1305
++# endif
++# endif
+# endif
+# endif
+
@@ -924,6 +961,9 @@
+# ifdef OPENSSL_KTLS_AES_CCM_128
+ struct tls12_crypto_info_aes_ccm_128 ccm128;
+# endif
++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
++ struct tls12_crypto_info_chacha20_poly1305 chacha20poly1305;
++# endif
+ };
+ size_t tls_crypto_info_len;
+};
@@ -1127,32 +1167,21 @@
/* Padding modes */
#define EVP_PADDING_PKCS7 1
diff --git include/openssl/ssl.h include/openssl/ssl.h
-index fd0c5a9996..09620489bc 100644
+index fd0c5a9996..cfb87e6322 100644
--- include/openssl/ssl.h
+++ include/openssl/ssl.h
-@@ -493,6 +493,10 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
- * Support Asynchronous operation
- */
- # define SSL_MODE_ASYNC 0x00000100U
-+/*
-+ * Don't use the kernel TLS data-path for sending.
-+ */
-+# define SSL_MODE_NO_KTLS_TX 0x00000200U
-
- /*
- * When using DTLS/SCTP, include the terminating zero in the label
-@@ -506,6 +510,10 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
- * - OpenSSL 1.1.1 and 1.1.1a
- */
- # define SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG 0x00000400U
-+/*
-+ * Don't use the kernel TLS data-path for receiving.
-+ */
-+# define SSL_MODE_NO_KTLS_RX 0x00000800U
-
- /* Cert related flags */
- /*
-@@ -1837,6 +1845,8 @@ __owur int SSL_read_early_data(SSL *s, void *buf, size_t num,
+@@ -303,7 +303,9 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
+ /* Allow initial connection to servers that don't support RI */
+ # define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004U
+
+-/* Reserved value (until OpenSSL 1.2.0) 0x00000008U */
++/* Enable support for Kernel TLS */
++# define SSL_OP_ENABLE_KTLS 0x00000008U
++
+ # define SSL_OP_TLSEXT_PADDING 0x00000010U
+ /* Reserved value (until OpenSSL 1.2.0) 0x00000020U */
+ # define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040U
+@@ -1837,6 +1839,8 @@ __owur int SSL_read_early_data(SSL *s, void *buf, size_t num,
size_t *readbytes);
__owur int SSL_peek(SSL *ssl, void *buf, int num);
__owur int SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
@@ -1161,7 +1190,7 @@
__owur int SSL_write(SSL *ssl, const void *buf, int num);
__owur int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written);
__owur int SSL_write_early_data(SSL *s, const void *buf, size_t num,
-@@ -2123,7 +2133,7 @@ void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg);
+@@ -2123,7 +2127,7 @@ void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg);
void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx);
int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size);
@@ -1202,10 +1231,10 @@
+ENDIF
diff --git ssl/ktls.c ssl/ktls.c
new file mode 100644
-index 0000000000..7123ecac00
+index 0000000000..c7a440b79b
--- /dev/null
+++ ssl/ktls.c
-@@ -0,0 +1,221 @@
+@@ -0,0 +1,251 @@
+/*
+ * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
@@ -1245,6 +1274,10 @@
+ case SSL_AES128GCM:
+ case SSL_AES256GCM:
+ return 1;
++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
++ case SSL_CHACHA20POLY1305:
++ return 1;
++# endif
+ case SSL_AES128:
+ case SSL_AES256:
+ if (s->ext.use_etm)
@@ -1279,6 +1312,12 @@
+ else
+ crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
+ break;
++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
++ case SSL_CHACHA20POLY1305:
++ crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305;
++ crypto_info->iv_len = EVP_CIPHER_CTX_iv_length(dd);
++ break;
++# endif
+ case SSL_AES128:
+ case SSL_AES256:
+ switch (s->s3->tmp.new_cipher->algorithm_mac) {
@@ -1334,7 +1373,9 @@
+ return 0;
+ }
+
-+ /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128 */
++ /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128
++ * or Chacha20-Poly1305
++ */
+ switch (EVP_CIPHER_nid(c))
+ {
+# ifdef OPENSSL_KTLS_AES_CCM_128
@@ -1343,11 +1384,15 @@
+ return 0;
+# endif
+# ifdef OPENSSL_KTLS_AES_GCM_128
++ /* Fall through */
+ case NID_aes_128_gcm:
+# endif
+# ifdef OPENSSL_KTLS_AES_GCM_256
+ case NID_aes_256_gcm:
+# endif
++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
++ case NID_chacha20_poly1305:
++# endif
+ return 1;
+ default:
+ return 0;
@@ -1420,6 +1465,20 @@
+ *rec_seq = crypto_info->ccm128.rec_seq;
+ return 1;
+# endif
++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
++ case NID_chacha20_poly1305:
++ crypto_info->chacha20poly1305.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305;
++ crypto_info->chacha20poly1305.info.version = s->version;
++ crypto_info->tls_crypto_info_len = sizeof(crypto_info->chacha20poly1305);
++ memcpy(crypto_info->chacha20poly1305.iv, iiv,
++ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
++ memcpy(crypto_info->chacha20poly1305.key, key, EVP_CIPHER_key_length(c));
++ memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence,
++ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
++ if (rec_seq != NULL)
++ *rec_seq = crypto_info->chacha20poly1305.rec_seq;
++ return 1;
++# endif
+ default:
+ return 0;
+ }
@@ -1567,21 +1626,21 @@
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err;
-- }
--
-- /* Get a pointer to the start of this record excluding header */
-- recordstart = WPACKET_get_curr(thispkt) - len;
+ }
-
-- SSL3_RECORD_set_data(thiswr, recordstart);
-- SSL3_RECORD_reset_input(thiswr);
-- SSL3_RECORD_set_length(thiswr, len);
++
+ /* Get a pointer to the start of this record excluding header */
+ recordstart = WPACKET_get_curr(thispkt) - len;
+ SSL3_RECORD_set_data(thiswr, recordstart);
+ SSL3_RECORD_reset_input(thiswr);
+ SSL3_RECORD_set_length(thiswr, len);
-+ }
+ }
+-
+- /* Get a pointer to the start of this record excluding header */
+- recordstart = WPACKET_get_curr(thispkt) - len;
+-
+- SSL3_RECORD_set_data(thiswr, recordstart);
+- SSL3_RECORD_reset_input(thiswr);
+- SSL3_RECORD_set_length(thiswr, len);
}
if (s->statem.enc_write_state == ENC_WRITE_STATE_WRITE_PLAIN_ALERTS) {
@@ -1890,6 +1949,20 @@
SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
SSL_R_DATA_LENGTH_TOO_LONG);
return -1;
+diff --git ssl/ssl_conf.c ssl/ssl_conf.c
+index 0a3fef7c8c..8013c62f07 100644
+--- ssl/ssl_conf.c
++++ ssl/ssl_conf.c
+@@ -391,7 +391,8 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
+ SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
+ SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
+ SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT),
+- SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY)
++ SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY),
++ SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS)
+ };
+ if (value == NULL)
+ return -3;
diff --git ssl/ssl_err.c ssl/ssl_err.c
index 4b12ed1485..0561678c33 100644
--- ssl/ssl_err.c
@@ -1903,7 +1976,7 @@
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_NEW, 0), "SSL_SESSION_new"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_PRINT_FP, 0),
diff --git ssl/ssl_lib.c ssl/ssl_lib.c
-index 98057921f8..382f4b6d7b 100644
+index 58f8f3c14c..3fc6549c80 100644
--- ssl/ssl_lib.c
+++ ssl/ssl_lib.c
@@ -11,6 +11,7 @@
@@ -1922,7 +1995,7 @@
const char SSL_version_str[] = OPENSSL_VERSION_TEXT;
-@@ -1153,11 +1155,15 @@ void SSL_free(SSL *s)
+@@ -1159,11 +1161,15 @@ void SSL_free(SSL *s)
dane_final(&s->dane);
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
@@ -1938,7 +2011,7 @@
BUF_MEM_free(s->init_buf);
-@@ -1214,8 +1220,6 @@ void SSL_free(SSL *s)
+@@ -1220,8 +1226,6 @@ void SSL_free(SSL *s)
if (s->method != NULL)
s->method->ssl_free(s);
@@ -1947,7 +2020,7 @@
SSL_CTX_free(s->ctx);
ASYNC_WAIT_CTX_free(s->waitctx);
-@@ -1355,6 +1359,15 @@ int SSL_set_fd(SSL *s, int fd)
+@@ -1361,6 +1365,15 @@ int SSL_set_fd(SSL *s, int fd)
}
BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set_bio(s, bio, bio);
@@ -1963,7 +2036,7 @@
ret = 1;
err:
return ret;
-@@ -1374,6 +1387,15 @@ int SSL_set_wfd(SSL *s, int fd)
+@@ -1380,6 +1393,15 @@ int SSL_set_wfd(SSL *s, int fd)
}
BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set0_wbio(s, bio);
@@ -1979,7 +2052,7 @@
} else {
BIO_up_ref(rbio);
SSL_set0_wbio(s, rbio);
-@@ -1955,6 +1977,69 @@ int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written)
+@@ -1961,6 +1983,69 @@ int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written)
}
}
@@ -2049,7 +2122,7 @@
int SSL_write(SSL *s, const void *buf, int num)
{
int ret;
-@@ -2199,6 +2284,10 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
+@@ -2205,6 +2290,10 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
return 0;
@@ -2060,7 +2133,7 @@
s->max_send_fragment = larg;
if (s->max_send_fragment < s->split_send_fragment)
s->split_send_fragment = s->max_send_fragment;
-@@ -4417,11 +4506,18 @@ int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size)
+@@ -4425,11 +4514,18 @@ int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size)
return 1;
}
@@ -2113,7 +2186,7 @@
__owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
__owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
diff --git ssl/t1_enc.c ssl/t1_enc.c
-index c85c0b0310..d461421068 100644
+index c85c0b0310..7d2eb381af 100644
--- ssl/t1_enc.c
+++ ssl/t1_enc.c
@@ -10,10 +10,14 @@
@@ -2190,16 +2263,12 @@
c = s->s3->tmp.new_sym_enc;
m = s->s3->tmp.new_hash;
-@@ -312,6 +361,85 @@ int tls1_change_cipher_state(SSL *s, int which)
+@@ -312,6 +361,81 @@ int tls1_change_cipher_state(SSL *s, int which)
ERR_R_INTERNAL_ERROR);
goto err;
}
+#ifndef OPENSSL_NO_KTLS
-+ if (s->compress)
-+ goto skip_ktls;
-+
-+ if (((which & SSL3_CC_READ) && (s->mode & SSL_MODE_NO_KTLS_RX))
-+ || ((which & SSL3_CC_WRITE) && (s->mode & SSL_MODE_NO_KTLS_TX)))
++ if (s->compress || (s->options & SSL_OP_ENABLE_KTLS) == 0)
+ goto skip_ktls;
+
+ /* ktls supports only the maximum fragment size */
@@ -2277,7 +2346,7 @@
#ifdef SSL_DEBUG
diff --git ssl/tls13_enc.c ssl/tls13_enc.c
-index b8fb07f210..d9f050ee34 100644
+index b8fb07f210..39530237d8 100644
--- ssl/tls13_enc.c
+++ ssl/tls13_enc.c
@@ -9,6 +9,8 @@
@@ -2386,14 +2455,15 @@
/* SSLfatal() already called */
goto err;
}
-@@ -714,8 +722,51 @@ int tls13_change_cipher_state(SSL *s, int which)
+@@ -714,8 +722,52 @@ int tls13_change_cipher_state(SSL *s, int which)
s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS;
else
s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
+#ifndef OPENSSL_NO_KTLS
+# if defined(OPENSSL_KTLS_TLS13)
-+ if (!(which & SSL3_CC_WRITE) || !(which & SSL3_CC_APPLICATION)
-+ || ((which & SSL3_CC_WRITE) && (s->mode & SSL_MODE_NO_KTLS_TX)))
++ if (!(which & SSL3_CC_WRITE)
++ || !(which & SSL3_CC_APPLICATION)
++ || (s->options & SSL_OP_ENABLE_KTLS) == 0)
+ goto skip_ktls;
+
+ /* ktls supports only the maximum fragment size */
@@ -2438,7 +2508,7 @@
OPENSSL_cleanse(secret, sizeof(secret));
return ret;
}
-@@ -729,6 +780,7 @@ int tls13_update_key(SSL *s, int sending)
+@@ -729,6 +781,7 @@ int tls13_update_key(SSL *s, int sending)
#endif
const EVP_MD *md = ssl_handshake_md(s);
size_t hashlen = EVP_MD_size(md);
@@ -2446,7 +2516,7 @@
unsigned char *insecret, *iv;
unsigned char secret[EVP_MAX_MD_SIZE];
EVP_CIPHER_CTX *ciph_ctx;
-@@ -753,8 +805,8 @@ int tls13_update_key(SSL *s, int sending)
+@@ -753,8 +806,8 @@ int tls13_update_key(SSL *s, int sending)
if (!derive_secret_key_and_iv(s, sending, ssl_handshake_md(s),
s->s3->tmp.new_sym_enc, insecret, NULL,
application_traffic,
@@ -2457,7 +2527,7 @@
/* SSLfatal() already called */
goto err;
}
-@@ -764,6 +816,7 @@ int tls13_update_key(SSL *s, int sending)
+@@ -764,6 +817,7 @@ int tls13_update_key(SSL *s, int sending)
s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
ret = 1;
err:
@@ -2492,7 +2562,7 @@
plan tests => 1;
diff --git test/sslapitest.c test/sslapitest.c
-index 4a27ee1ba2..f846bcb4ee 100644
+index 4a27ee1ba2..1388219551 100644
--- test/sslapitest.c
+++ test/sslapitest.c
@@ -7,6 +7,7 @@
@@ -2517,13 +2587,12 @@
#include "../ssl/ssl_local.h"
#ifndef OPENSSL_NO_TLS1_3
-@@ -779,6 +782,409 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
+@@ -779,6 +782,433 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
return testresult;
}
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
+ !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
-+#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
+/* sock must be connected */
+static int ktls_chk_platform(int sock)
+{
@@ -2532,26 +2601,26 @@
+ return 1;
+}
+
-+static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
++static int ping_pong_query(SSL *clientssl, SSL *serverssl)
+{
+ static char count = 1;
+ unsigned char cbuf[16000] = {0};
+ unsigned char sbuf[16000];
+ size_t err = 0;
-+ char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
-+ char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
-+ char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
-+ char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
-+ char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
-+ char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
-+ char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
-+ char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
++ char crec_wseq_before[SEQ_NUM_SIZE];
++ char crec_wseq_after[SEQ_NUM_SIZE];
++ char crec_rseq_before[SEQ_NUM_SIZE];
++ char crec_rseq_after[SEQ_NUM_SIZE];
++ char srec_wseq_before[SEQ_NUM_SIZE];
++ char srec_wseq_after[SEQ_NUM_SIZE];
++ char srec_rseq_before[SEQ_NUM_SIZE];
++ char srec_rseq_after[SEQ_NUM_SIZE];
+
+ cbuf[0] = count++;
-+ memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
-+ memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
-+ memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
-+ memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
++ memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
++ memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
++ memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
++ memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
+
+ if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
+ goto end;
@@ -2571,53 +2640,56 @@
+ }
+ }
+
-+ memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
-+ memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
-+ memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
-+ memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
++ memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
++ memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
++ memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
++ memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
+
+ /* verify the payload */
+ if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
+ goto end;
+
-+ /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
-+ if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
-+ if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
-+ crec_wseq_after, rec_seq_size))
++ /*
++ * If ktls is used then kernel sequences are used instead of
++ * OpenSSL sequences
++ */
++ if (!BIO_get_ktls_send(clientssl->wbio)) {
++ if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
++ crec_wseq_after, SEQ_NUM_SIZE))
+ goto end;
+ } else {
-+ if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
-+ crec_wseq_after, rec_seq_size))
++ if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
++ crec_wseq_after, SEQ_NUM_SIZE))
+ goto end;
+ }
+
-+ if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
-+ if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
-+ srec_wseq_after, rec_seq_size))
++ if (!BIO_get_ktls_send(serverssl->wbio)) {
++ if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
++ srec_wseq_after, SEQ_NUM_SIZE))
+ goto end;
+ } else {
-+ if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
-+ srec_wseq_after, rec_seq_size))
++ if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
++ srec_wseq_after, SEQ_NUM_SIZE))
+ goto end;
+ }
+
-+ if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
-+ if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
-+ crec_rseq_after, rec_seq_size))
++ if (!BIO_get_ktls_recv(clientssl->wbio)) {
++ if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
++ crec_rseq_after, SEQ_NUM_SIZE))
+ goto end;
+ } else {
-+ if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
-+ crec_rseq_after, rec_seq_size))
++ if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
++ crec_rseq_after, SEQ_NUM_SIZE))
+ goto end;
+ }
+
-+ if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
-+ if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
-+ srec_rseq_after, rec_seq_size))
++ if (!BIO_get_ktls_recv(serverssl->wbio)) {
++ if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
++ srec_rseq_after, SEQ_NUM_SIZE))
+ goto end;
+ } else {
-+ if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
-+ srec_rseq_after, rec_seq_size))
++ if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
++ srec_rseq_after, SEQ_NUM_SIZE))
+ goto end;
+ }
+
@@ -2626,92 +2698,110 @@
+ return 0;
+}
+
-+static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
-+ int sis_ktls_tx, int sis_ktls_rx,
-+ int tls_version, const char *cipher,
-+ int rec_seq_size)
++static int execute_test_ktls(int cis_ktls, int sis_ktls,
++ int tls_version, const char *cipher)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
-+ int testresult = 0;
-+ int cfd, sfd;
++ int ktls_used = 0, testresult = 0;
++ int cfd = -1, sfd = -1;
++ int rx_supported;
+
+ if (!TEST_true(create_test_sockets(&cfd, &sfd)))
+ goto end;
+
+ /* Skip this test if the platform does not support ktls */
-+ if (!ktls_chk_platform(cfd))
-+ return 1;
++ if (!ktls_chk_platform(cfd)) {
++ TEST_info("Kernel does not support KTLS");
++ testresult = 1;
++ goto end;
++ }
+
+ /* Create a session based on SHA-256 */
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(),
+ tls_version, tls_version,
-+ &sctx, &cctx, cert, privkey))
-+ || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
-+ || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
-+ || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
-+ &clientssl, sfd, cfd)))
++ &sctx, &cctx, cert, privkey)))
+ goto end;
+
-+ if (!cis_ktls_tx) {
-+ if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
++ if (tls_version == TLS1_3_VERSION) {
++ if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
++ || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
+ goto end;
-+ }
-+
-+ if (!sis_ktls_tx) {
-+ if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
++ } else {
++ if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
++ || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
+ goto end;
+ }
+
-+ if (!cis_ktls_rx) {
-+ if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
++ if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
++ &clientssl, sfd, cfd)))
++ goto end;
++
++ if (cis_ktls) {
++ if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
+ goto end;
+ }
+
-+ if (!sis_ktls_rx) {
-+ if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
++ if (sis_ktls) {
++ if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
+ goto end;
+ }
+
-+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-+ SSL_ERROR_NONE)))
++ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
-+ if (!cis_ktls_tx) {
++ /*
++ * The running kernel may not support a given cipher suite
++ * or direction, so just check that KTLS isn't used when it
++ * isn't enabled.
++ */
++ if (!cis_ktls) {
+ if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
+ goto end;
+ } else {
-+ if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
-+ goto end;
++ if (BIO_get_ktls_send(clientssl->wbio))
++ ktls_used = 1;
+ }
+
-+ if (!sis_ktls_tx) {
++ if (!sis_ktls) {
+ if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
+ goto end;
+ } else {
-+ if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
-+ goto end;
++ if (BIO_get_ktls_send(serverssl->wbio))
++ ktls_used = 1;
+ }
+
-+ if (!cis_ktls_rx) {
++#if defined(OPENSSL_NO_KTLS_RX)
++ rx_supported = 0;
++#else
++ rx_supported = (tls_version != TLS1_3_VERSION);
++#endif
++ if (!cis_ktls || !rx_supported) {
+ if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
+ goto end;
+ } else {
-+ if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
-+ goto end;
++ if (BIO_get_ktls_send(clientssl->rbio))
++ ktls_used = 1;
+ }
+
-+ if (!sis_ktls_rx) {
++ if (!sis_ktls || !rx_supported) {
+ if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
+ goto end;
+ } else {
-+ if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
-+ goto end;
++ if (BIO_get_ktls_send(serverssl->rbio))
++ ktls_used = 1;
+ }
+
-+ if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
-+ rec_seq_size)))
++ if ((cis_ktls || sis_ktls) && !ktls_used) {
++ TEST_info("KTLS not supported for %s cipher %s",
++ tls_version == TLS1_3_VERSION ? "TLS 1.3" :
++ "TLS 1.2", cipher);
++ testresult = 1;
++ goto end;
++ }
++
++ if (!TEST_true(ping_pong_query(clientssl, serverssl)))
+ goto end;
+
+ testresult = 1;
@@ -2727,6 +2817,10 @@
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ serverssl = clientssl = NULL;
++ if (cfd != -1)
++ close(cfd);
++ if (sfd != -1)
++ close(sfd);
+ return testresult;
+}
+
@@ -2734,13 +2828,13 @@
+#define SENDFILE_CHUNK (4 * 4096)
+#define min(a,b) ((a) > (b) ? (b) : (a))
+
-+static int test_ktls_sendfile(int tls_version, const char *cipher)
++static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ unsigned char *buf, *buf_dst;
+ BIO *out = NULL, *in = NULL;
-+ int cfd, sfd, ffd, err;
++ int cfd = -1, sfd = -1, ffd, err;
+ ssize_t chunk_size = 0;
+ off_t chunk_off = 0;
+ int testresult = 0;
@@ -2754,6 +2848,7 @@
+
+ /* Skip this test if the platform does not support ktls */
+ if (!ktls_chk_platform(sfd)) {
++ TEST_info("Kernel does not support KTLS");
+ testresult = 1;
+ goto end;
+ }
@@ -2762,19 +2857,40 @@
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(),
+ tls_version, tls_version,
-+ &sctx, &cctx, cert, privkey))
-+ || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
-+ || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
-+ || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
-+ &clientssl, sfd, cfd)))
++ &sctx, &cctx, cert, privkey)))
++ goto end;
++
++ if (tls_version == TLS1_3_VERSION) {
++ if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
++ || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
++ goto end;
++ } else {
++ if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
++ || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
++ goto end;
++ }
++
++ if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
++ &clientssl, sfd, cfd)))
++ goto end;
++
++ if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-+ SSL_ERROR_NONE))
-+ || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
++ SSL_ERROR_NONE)))
+ goto end;
+
++ if (!BIO_get_ktls_send(serverssl->wbio)) {
++ TEST_info("Failed to enable KTLS for %s cipher %s",
++ tls_version == TLS1_3_VERSION ? "TLS 1.3" :
++ "TLS 1.2", cipher);
++ testresult = 1;
++ goto end;
++ }
++
+ RAND_bytes(buf, SENDFILE_SZ);
++
+ out = BIO_new_file(tmpfilename, "wb");
+ if (!TEST_ptr(out))
+ goto end;
@@ -2830,118 +2946,96 @@
+ serverssl = clientssl = NULL;
+ BIO_free(out);
+ BIO_free(in);
++ if (cfd != -1)
++ close(cfd);
++ if (sfd != -1)
++ close(sfd);
+ OPENSSL_free(buf);
+ OPENSSL_free(buf_dst);
+ return testresult;
+}
+
-+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
++static struct ktls_test_cipher {
++ int tls_version;
++ const char *cipher;
++} ktls_test_ciphers[] = {
++# if !defined(OPENSSL_NO_TLS1_2)
++# ifdef OPENSSL_KTLS_AES_GCM_128
++ { TLS1_2_VERSION, "AES128-GCM-SHA256" },
++# endif
++# ifdef OPENSSL_KTLS_AES_CCM_128
++ { TLS1_2_VERSION, "AES128-CCM"},
++# endif
++# ifdef OPENSSL_KTLS_AES_GCM_256
++ { TLS1_2_VERSION, "AES256-GCM-SHA384"},
++# endif
++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
++ { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
++# endif
++# endif
++# if !defined(OPENSSL_NO_TLS1_3)
++# ifdef OPENSSL_KTLS_AES_GCM_128
++ { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
++# endif
++# ifdef OPENSSL_KTLS_AES_CCM_128
++ { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
++# endif
++# ifdef OPENSSL_KTLS_AES_GCM_256
++ { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
++# endif
++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
++ { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
++# endif
++# endif
++};
++
++#define NUM_KTLS_TEST_CIPHERS \
++ (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
++
+static int test_ktls(int test)
+{
-+ int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
-+ int tlsver, testresult;
++ struct ktls_test_cipher *cipher;
++ int cis_ktls, sis_ktls;
+
-+ if (test > 15) {
-+#if defined(OPENSSL_NO_TLS1_3)
-+ return 1;
-+#else
-+ test -= 16;
-+ tlsver = TLS1_3_VERSION;
-+#endif
-+ } else {
-+#if defined(OPENSSL_NO_TLS1_2)
-+ return 1;
-+#else
-+ tlsver = TLS1_2_VERSION;
-+#endif
-+ }
++ OPENSSL_assert(test / 4 < NUM_KTLS_TEST_CIPHERS);
++ cipher = &ktls_test_ciphers[test / 4];
+
-+ cis_ktls_tx = (test & 1) != 0;
-+ cis_ktls_rx = (test & 2) != 0;
-+ sis_ktls_tx = (test & 4) != 0;
-+ sis_ktls_rx = (test & 8) != 0;
++ cis_ktls = (test & 1) != 0;
++ sis_ktls = (test & 2) != 0;
+
-+#if defined(OPENSSL_NO_KTLS_RX)
-+ if (cis_ktls_rx || sis_ktls_rx)
-+ return 1;
-+#endif
-+#if !defined(OPENSSL_NO_TLS1_3)
-+ if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
-+ return 1;
-+#endif
-+
-+ testresult = 1;
-+#ifdef OPENSSL_KTLS_AES_GCM_128
-+ testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
-+ sis_ktls_rx, tlsver, "AES128-GCM-SHA256",
-+ TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
-+#endif
-+#ifdef OPENSSL_KTLS_AES_CCM_128
-+ testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
-+ sis_ktls_rx, tlsver, "AES128-CCM",
-+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
-+#endif
-+#ifdef OPENSSL_KTLS_AES_GCM_256
-+ testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
-+ sis_ktls_rx, tlsver, "AES256-GCM-SHA384",
-+ TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
-+#endif
-+ return testresult;
++ return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
++ cipher->cipher);
+}
+
-+static int test_ktls_sendfile_anytls(int tst)
++static int test_ktls_sendfile(int tst)
+{
-+ char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
-+ int tlsver;
++ struct ktls_test_cipher *cipher;
+
-+ if (tst > 2) {
-+#if defined(OPENSSL_NO_TLS1_3)
-+ return 1;
-+#else
-+ tst -= 3;
-+ tlsver = TLS1_3_VERSION;
-+#endif
-+ } else {
-+#if defined(OPENSSL_NO_TLS1_2)
-+ return 1;
-+#else
-+ tlsver = TLS1_2_VERSION;
-+#endif
-+ }
++ OPENSSL_assert(tst < NUM_KTLS_TEST_CIPHERS);
++ cipher = &ktls_test_ciphers[tst];
+
-+#ifndef OPENSSL_KTLS_AES_GCM_128
-+ if(tst == 0) return 1;
-+#endif
-+#ifndef OPENSSL_KTLS_AES_CCM_128
-+ if(tst == 1) return 1;
-+#endif
-+#ifndef OPENSSL_KTLS_AES_GCM_256
-+ if(tst == 2) return 1;
-+#endif
-+ return test_ktls_sendfile(tlsver, cipher[tst]);
++ return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
+}
-+
-+#endif
+#endif
+
static int test_large_message_tls(void)
{
return execute_test_large_message(TLS_server_method(), TLS_client_method(),
-@@ -6747,6 +7153,12 @@ int setup_tests(void)
+@@ -6747,6 +7177,12 @@ int setup_tests(void)
return 0;
}
+#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
-+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
-+ ADD_ALL_TESTS(test_ktls, 32);
-+ ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
-+#endif
++# if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
++ ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
++ ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
++# endif
+#endif
ADD_TEST(test_large_message_tls);
ADD_TEST(test_large_message_tls_read_ahead);
#ifndef OPENSSL_NO_DTLS
diff --git test/ssltestlib.c test/ssltestlib.c
-index 456afdf471..bae39823d2 100644
+index 456afdf471..a13fdbc4cc 100644
--- test/ssltestlib.c
+++ test/ssltestlib.c
@@ -16,6 +16,14 @@
@@ -2959,7 +3053,7 @@
static ossl_inline void ossl_sleep(unsigned int millis)
{
-@@ -763,6 +771,114 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
+@@ -763,6 +771,113 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
#define MAXLOOPS 1000000
@@ -2975,16 +3069,13 @@
+ return flags;
+}
+
-+int create_test_sockets(int *cfd, int *sfd)
++int create_test_sockets(int *cfdp, int *sfdp)
+{
+ struct sockaddr_in sin;
+ const char *host = "127.0.0.1";
+ int cfd_connected = 0, ret = 0;
+ socklen_t slen = sizeof(sin);
-+ int afd = -1;
-+
-+ *cfd = -1;
-+ *sfd = -1;
++ int afd = -1, cfd = -1, sfd = -1;
+
+ memset ((char *) &sin, 0, sizeof(sin));
+ sin.sin_family = AF_INET;
@@ -3003,37 +3094,39 @@
+ if (listen(afd, 1) < 0)
+ goto out;
+
-+ *cfd = socket(AF_INET, SOCK_STREAM, 0);
-+ if (*cfd < 0)
++ cfd = socket(AF_INET, SOCK_STREAM, 0);
++ if (cfd < 0)
+ goto out;
+
+ if (set_nb(afd) == -1)
+ goto out;
+
-+ while (*sfd == -1 || !cfd_connected ) {
-+ *sfd = accept(afd, NULL, 0);
-+ if (*sfd == -1 && errno != EAGAIN)
++ while (sfd == -1 || !cfd_connected ) {
++ sfd = accept(afd, NULL, 0);
++ if (sfd == -1 && errno != EAGAIN)
+ goto out;
+
-+ if (!cfd_connected && connect(*cfd, (struct sockaddr*)&sin, sizeof(sin)) < 0)
++ if (!cfd_connected && connect(cfd, (struct sockaddr*)&sin, sizeof(sin)) < 0)
+ goto out;
+ else
+ cfd_connected = 1;
+ }
+
-+ if (set_nb(*cfd) == -1 || set_nb(*sfd) == -1)
++ if (set_nb(cfd) == -1 || set_nb(sfd) == -1)
+ goto out;
+ ret = 1;
++ *cfdp = cfd;
++ *sfdp = sfd;
+ goto success;
+
+out:
-+ if (*cfd != -1)
-+ close(*cfd);
-+ if (*sfd != -1)
-+ close(*sfd);
++ if (cfd != -1)
++ close(cfd);
++ if (sfd != -1)
++ close(sfd);
+success:
-+ if (afd != -1)
-+ close(afd);
++ if (afd != -1)
++ close(afd);
+ return ret;
+}
+

File Metadata

Mime Type
text/plain
Expires
Thu, Feb 13, 10:51 AM (20 h, 39 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
16626651
Default Alt Text
D31430.diff (43 KB)

Event Timeline